diff --git a/content/en/os/1.15.x/api/reporting/_index.markdown b/content/en/os/1.15.x/api/reporting/_index.markdown new file mode 100644 index 00000000..dd33b1f1 --- /dev/null +++ b/content/en/os/1.15.x/api/reporting/_index.markdown 
@@ -0,0 +1,48 @@ ++++ +title = "Reporting" +type = "docs" +description = "Using the Report API to automate operating system-level reporting." ++++ + +Operating systems are complicated; inspecting and reporting data about the OS is a common but tedious task that needs repeating as configurations change. +Manually gathering this data for Bottlerocket has additional complications due to API abstracted settings and indirect access to the host. + +The Bottlerocket report API provides a mechanism to automate operating system-level reporting. +You can run reports that self-evaluate the OS based on the current state of the system compared to known standards. + +## Center for Internet Security (CIS) Benchmark + +You can currently generate reports on your Bottlerocket nodes against two different CIS benchmarks: + +- [Bottlerocket CIS Benchmark](./cis/) +- [Kubernetes CIS Benchmark](./cis-k8s) + +## Running a report + +You will need to be running the [control container](../../concepts/shell-less-host/#control-container) or, alternately, mount the `apiclient` binary and the Bottlerocket API unix socket into a container as well as have the appropriate SELinux permissions. + +First, create an interactive shell session on the control container or container with `apiclient`. +From the shell run: + +```shell +apiclient report +``` + +This will evaluate the current node to a particular report and return the results in a human-readable format. + +If you intend to process the report with some other piece of software, add the flag `-f` with the value of `json` for a JSON representation of the report: + +```shell +# Returns evaluation of the report in JSON format +apiclient report -f json +``` + +## Evaluation Results + +Evaluation of each item on the report will result in one of three outcomes: + +* `PASS`: Evaluated item is in compliance with the benchmark. +* `FAIL`: Evaluated item is not in compliance with the benchmark. +* `SKIP`: The item could not be automatically evaluated. 
+ +## All Available Reports diff --git a/content/en/os/1.15.x/api/reporting/cis-k8s/index.markdown b/content/en/os/1.15.x/api/reporting/cis-k8s/index.markdown new file mode 100644 index 00000000..85c2cf5b --- /dev/null +++ b/content/en/os/1.15.x/api/reporting/cis-k8s/index.markdown @@ -0,0 +1,31 @@ ++++ +title = "K8s CIS Benchmark" +type = "docs" +description = "Generating a Kubernetes CIS Benchmark report" +toc_hide=true ++++ + +The [Kubernetes CIS Benchmark](https://www.cisecurity.org/benchmark/kubernetes) contains a number of security best practices to harden Kubernetes worker nodes. + +{{% alert title="Note" color="success" %}} +The Kubernetes CIS Benchmark contains two levels, however, currently, level 2 only adds one additional check (4.2.8) for worker nodes. The Bottlerocket reporting API cannot automatically evaluate this additional check and therefore the two levels are functionally identical for automatic evaluation purposes. +{{% /alert %}} + +## Examples + +Expanding upon the general instructions to [run a report](../#running-a-report), for the Bottlerocket CIS benchmark use the identifier `cis-k8s`: + +```shell +apiclient report cis-k8s +``` + +Adding the flag `-l` with the value of `2` will evaluate to the Level 2 benchmark. For example: + +```shell +# Returns evaluation of CIS Benchmark Level 2 +apiclient report cis-k8s -l 2 +``` + +## Audit and Remediation + +Refer to the [Kubernetes CIS Benchmark](https://www.cisecurity.org/benchmark/kubernetes) for detailed audit and remediation steps. diff --git a/content/en/os/1.15.x/api/reporting/cis/index.markdown b/content/en/os/1.15.x/api/reporting/cis/index.markdown new file mode 100644 index 00000000..fe41b991 --- /dev/null +++ b/content/en/os/1.15.x/api/reporting/cis/index.markdown 
@@ -0,0 +1,35 @@ ++++ +title = "Bottlerocket CIS Benchmark" +type = "docs" +description = "Generating a Bottlerocket CIS Benchmark report" +toc_hide=true ++++ + +The [Bottlerocket CIS Benchmark](https://www.cisecurity.org/benchmark/bottlerocket) contains a number of security best practices to harden Bottlerocket worker nodes. +The benchmark contains two levels: + +* **Level 1:** basic guidelines with clear security benefits that do not inhibit the node. +Bottlerocket’s default settings are compliant with level 1. +* **Level 2:** detailed, specific guidance that provide more defence to the node. +This level introduces some trade-offs between functionality and security. + +The report API has built-in tests that allow you to evaluate the state of the node to both Level 1 and Level 2. + +## Examples + +Expanding upon the general instructions to [run a report](../#running-a-report), for the Bottlerocket CIS benchmark use the identifier `cis`: + +```shell +apiclient report cis +``` + +Adding the flag `-l` with the value of `2` will evaluate to the Level 2 benchmark. For example: + +```shell +# Returns evaluation of CIS Benchmark Level 2 +apiclient report cis -l 2 +``` + +## Audit and Remediation + +Refer to the [Bottlerocket CIS Benchmark](https://www.cisecurity.org/benchmark/bottlerocket) for detailed audit and remediation steps. diff --git a/content/en/os/1.15.x/api/reporting/index.markdown b/content/en/os/1.15.x/api/reporting/index.markdown deleted file mode 100644 index a8d0eb17..00000000 --- a/content/en/os/1.15.x/api/reporting/index.markdown +++ /dev/null 
@@ -1,60 +0,0 @@ -+++ -title = "Reporting" -type = "docs" -description = "Using the Report API to automate operating system-level reporting." -+++ - -Operating systems are complicated; inspecting and reporting data about the OS is a common but tedious task that needs to be repeated as configurations change. -Manually gathering this data for Bottlerocket has additional complications due to API abstracted settings and indirect access to the host. - -The Bottlerocket report API provides a mechanism to automate operating system-level reporting. -You can run reports that self-evaluate the OS based on the current state of the system compared to known standards. - -## Center for Internet Security (CIS) Benchmark - -The [Bottlerocket CIS Benchmark](https://www.cisecurity.org/benchmark/bottlerocket) contains a number of security best practices to harden Bottlerocket worker nodes. -The benchmark contains two levels: - -* **Level 1:** basic guidelines with clear security benefits that do not inhibit the node. -Bottlerocket’s default settings are compliant with level 1. -* **Level 2:** detailed, specific guidance that provide more defence to the node. -This level introduces some trade-offs between functionality and security. - -The report API has built-in tests that allow you to evaluate the state of the node to both Level 1 and Level 2. - -### Evaluating a node to the CIS Benchmark - -You will need to be running the [control container](../../concepts/shell-less-host/#control-container) or, alternately, mount the `apiclient` binary and the Bottlerocket API unix socket into a container as well as have the appropriate SELinux permissions. - -First, create an interactive shell session on the control container or container with `apiclient`. -From the shell run: - -```shell -apiclient report cis -``` - -This will evaluate the current node to the Level 1 benchmark and provide human readable output. - -Adding the flag `-l` with the value of `2` will evaluate to the Level 2 benchmark. 
For example: - -```shell -# Returns evaluation of CIS Benchmark Level 2 -apiclient report cis -l 2 -``` - -If you intend to process the report with some other piece of software, add the flag `-f` with the value of `json` for a JSON representation of the report: - -```shell -# Returns evaluation of CIS Benchmark Level 2 in JSON format -apiclient report cis -l 2 -f json -``` - -#### Evaluation Results - -Evaluation of each item on the benchmark will result in one of three outcomes: - -* `PASS`: Evaluated item is in compliance with the benchmark. -* `FAIL`: Evaluated item is not in compliance with the benchmark. -* `SKIP`: The item could not be automatically evaluated. - -Refer to the [Bottlerocket CIS Benchmark](https://www.cisecurity.org/benchmark/bottlerocket) for detailed audit and remediation steps. diff --git a/content/en/os/1.15.x/api/settings/autoscaling/_index.markdown b/content/en/os/1.15.x/api/settings/autoscaling/_index.markdown new file mode 100644 index 00000000..dd96f615 --- /dev/null +++ b/content/en/os/1.15.x/api/settings/autoscaling/_index.markdown @@ -0,0 +1,10 @@ ++++ +title="autoscaling" +type="docs" +toc_hide=true +description="Settings related to auto scaling groups (`settings.autoscaling.*`)" ++++ + +[Amazon EC2 Auto Scaling](https://docs.aws.amazon.com/autoscaling/ec2/userguide/auto-scaling-groups.html) settings for `aws-*` variants. + +{{< settings >}} diff --git a/data/settings/1.15.x/autoscaling.toml b/data/settings/1.15.x/autoscaling.toml new file mode 100644 index 00000000..110f090c --- /dev/null +++ b/data/settings/1.15.x/autoscaling.toml 
@@ -0,0 +1,15 @@ +[[docs.ref.should-wait]] +description = """ +If set to `true`, the node waits until the instance reaches the [`InService` state](https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-lifecycle.html#as-lifecycle-inservice) to join the cluster. +""" +accepted_values = [ + "`true`", + "`false`" +] +note = """ +Only set this value to `true` if the instance is currently (or will be) in an auto scaling group. +""" +default = "`false`" + +[[docs.ref.should-wait.example]] +value = "true" \ No newline at end of file
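Review bot: in `content/en/os/1.15.x/api/reporting/_index.markdown` the page ends with the `## All Available Reports` heading and nothing under it; either list the reports (the two CIS pages already linked in the Center for Internet Security section) or drop the heading until the list exists. In the `Running a report` section, `apiclient report` is shown with no report identifier while the text says it evaluates "a particular report" and both sub-pages pass `cis` or `cis-k8s`; show a placeholder such as `apiclient report <report-id>` and use the same form in the `-f json` example so readers do not copy an incomplete command. Minor: `./cis-k8s` lacks the trailing slash that `./cis/` has, and "API abstracted settings" should be hyphenated "API-abstracted settings".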
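Review bot: in `content/en/os/1.15.x/api/reporting/cis-k8s/index.markdown` the Examples sentence "for the Bottlerocket CIS benchmark use the identifier `cis-k8s`" should read "for the Kubernetes CIS benchmark"; it was carried over from the `cis` page. Since the note above it says the only Level 2 addition (4.2.8) cannot be evaluated automatically, the `-l 2` example should say how that item shows up in the output (the parent page defines `SKIP` for items that cannot be evaluated automatically), so a reader does not read a clean `-l 2` run as Level 2 compliance.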
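Review bot: in `content/en/os/1.15.x/api/reporting/cis/index.markdown` the page no longer states that `apiclient report cis` without `-l` evaluates against Level 1, which the deleted `index.markdown` said explicitly ("This will evaluate the current node to the Level 1 benchmark"); restore that sentence after the first example, because the default level is what a reader needs to interpret the output. Grammar: "guidance that provide more defence" should be "guidance that provides more defence" (singular subject), matching the preceding "basic guidelines with clear security benefits".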
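Review bot: the deletion of `content/en/os/1.15.x/api/reporting/index.markdown` drops the only example that combined the level and format flags (`apiclient report cis -l 2 -f json`); the new generic page shows `-f json` on its own with no report identifier. Carry the combined form over to one of the new pages so readers automating the report see both flags together with a concrete report name.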
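Review bot: in `content/en/os/1.15.x/api/settings/autoscaling/_index.markdown` the front matter uses `title="autoscaling"`, `type="docs"` and `description="..."` with no spaces around `=`, while the reporting pages added in this same change use `title = "..."`; pick one style across the new files. The body is a single sentence plus the `{{< settings >}}` shortcode, so please confirm the shortcode resolves `data/settings/1.15.x/autoscaling.toml` from this page's path, otherwise the page renders with no settings reference.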
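Review bot: `data/settings/1.15.x/autoscaling.toml` is missing a trailing newline (`\ No newline at end of file`); add one. The `note` tells readers to set `should-wait` to `true` only when the instance is in an auto scaling group, but not what happens when it is set on an instance that is not in one; since the description says the node waits for the `InService` state before joining the cluster, document the expected behaviour in that case (and whether the wait is bounded), as a node that never joins is the likely support question. Minor wording in `description`: "waits until the instance reaches the `InService` state before joining the cluster" reads more clearly than "to join the cluster".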