Customize Benchmarks
Cloudhouse Guardian (Guardian) provides a list of Center for Internet Security (CIS) Benchmarks that can be applied to a node or node group to ensure that they are compliant with the parameters stipulated by the CIS. However, the checks stipulated by the CIS may not match your individual requirements. As such, Guardian provides the option to customize your benchmarks on a per-node-group basis by excluding certain checks within a benchmark and modifying the values for parameter-based checks. This topic describes how to modify checks within industry benchmarks by excluding individual checks or whole sections, or by modifying values in parameter-based checks.
Exclude a Benchmark Check from a Node Group
Once a benchmark has been assigned to a node group, you can begin to ascertain what checks may or may not be required and customize the CIS benchmark by excluding individual checks for certain node groups. The following process assumes that the benchmark in question has already been assigned to a node group.
Note: For more information on how to add a benchmark to a node group, see Add Benchmark / Policy to Node Group.
To exclude a benchmark check from a node group, complete the following steps:
- Navigate to the Benchmarks tab (Control > Benchmarks). The list of public CIS benchmarks is displayed.
- Select the benchmark you want to customize. The benchmark is then displayed with the complete list of checks included.
  Tip: Click on the description of a check to display more details in a side panel. Here, a list of Involved Node Groups is displayed, listing each of the groups that are assigned to the benchmark. Exclude any of the node groups from the individual check by deselecting the corresponding check box.
- In the Node Groups drop-down menu, locate the node group that you want to exclude the checks from.
- Then, click the Settings button and select Exclude checks.
- Click the Enabled button to exclude a check from the selected node group. The button then changes to Excluded once the change has registered.
- Additionally, you can click to Disable All Checks and then work backwards by enabling individual checks, or sections of checks, one at a time.
  Tip: When getting started with a new benchmark, it can be beneficial to disable most checks to start with and then incrementally enable individual checks to confirm that they pass, instead of enabling them all by default. This method can prevent unnecessary data being returned each time the benchmark is run.
- Once you've excluded (or enabled) the required checks, click Done excluding checks for [node group] to save your changes.
Next, you can run the benchmark against the node group to see what checks are passing and failing. For more information, see Run Benchmark.
Modify a Benchmark Parameter for a Node Group
In addition to excluding benchmark checks, you can also modify a parameter within a benchmark check to further customize your benchmarks according to your individual node group's needs.
Note: Checks that have a modifiable parameter will be listed with a button labeled Modify X value(s).
To modify a benchmark parameter for a node group, complete the following steps:
- In the Benchmarks tab, select the benchmark you want to modify. The benchmark is then displayed with the complete list of checks included.
- Click the Modify X value(s) button to display the value (or values) eligible for modification.
- Click on the Check Title for the relevant parameter to display the parameter settings in a side panel. Here, the list of node groups currently assigned to each check is displayed.
- Click the Modified Values field next to the required node group to display the Modify values for [parameter] side panel. Here, you can modify the value in the field according to your needs.
  Tip: If a value has not been modified, the Modified Values field is displayed as 'Default'. If a check has an existing modification you can click to Undo Modification or enter a new value.
- Once complete, click to Save your changes.
Once you have customized benchmarks to meet your needs, you can schedule benchmarks to be executed against a set of nodes in your environment. For more information, see Schedule Benchmark Reports.