From 3ef9e40bd817f183d4e90a6c81fd8ba7a158b59c Mon Sep 17 00:00:00 2001
From: catherineluse <catherine.luse@gmail.com>
Date: Wed, 18 Dec 2019 22:54:11 -0700
Subject: [PATCH] Update security docs for Rancher v2.4

---
 content/rancher/v2.x/en/security/_index.md    | 31 ++++++++-
 .../v2.x/en/security/security-scan/_index.md  | 64 +++++++++++++++++++
 2 files changed, 93 insertions(+), 2 deletions(-)
 create mode 100644 content/rancher/v2.x/en/security/security-scan/_index.md

diff --git a/content/rancher/v2.x/en/security/_index.md b/content/rancher/v2.x/en/security/_index.md
index 913927b32ed..123a516aca2 100644
--- a/content/rancher/v2.x/en/security/_index.md
+++ b/content/rancher/v2.x/en/security/_index.md
@@ -20,6 +20,29 @@ weight: 7505
 </tr>
 </table>
 
+Security is at the heart of all Rancher features. From integrating with all the popular authentication tools and services, to an enterprise grade [RBAC capability,]({{<baseurl>}}/rancher/v2.x/en/admin-settings/rbac) Rancher makes your Kubernetes clusters even more secure.
+
+On this page, we provide security-related documentation along with resources to help you secure your Rancher installation and your downstream Kubernetes clusters:
+
+- [Running a CIS security scan on a Kubernetes cluster](#running-a-cis-security-scan-on-a-kubernetes-cluster)
+- [Guide to hardening Rancher installations](#rancher-hardening-guide)
+- [The CIS Benchmark and self-assessment](#the-cis-benchmark-and-self-assessment)
+- [Third-party penetration test reports](#third-party-penetration-test-reports)
+- [Rancher CVEs and resolutions](#rancher-cves-and-resolutions)
+- [Security Tips and Best Practices](#security-tips-and-best-practices)
+
+### Running a CIS Security Scan on a Kubernetes Cluster
+
+_Available as of v2.4_
+
+Rancher leverages [kube-bench](https://github.com/aquasecurity/kube-bench) run a security scan to check whether Kubernetes is deployed according to security best practices as defined in the CIS (Center for Internet Security) Kubernetes Benchmark.
+
+The  CIS Kubernetes Benchmark is a reference document that can be used to establish a secure configuration baseline for Kubernetes.
+
+When Rancher scans a cluster, it generates a report showing the results of each test, including the number of passed, skipped, and failed tests. The report also includes guidance on how to configure the cluster so that the failing tests will pass.
+
+For details, refer to the section on [security scans.]({{<baseurl>}}/rancher/v2.x/en/security/security-scan)
+
 ### Rancher Hardening Guide
 
 The Rancher Hardening Guide is based off of controls and best practices found in the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/) from the Center for Internet Security. The hardening guide provides prescriptive guidance for hardening a production installation of Rancher v2.1.x, v2.2.x and v.2.3.x. See Rancher's [Self Assessment of the CIS Kubernetes Benchmark](#cis-benchmark-rancher-self-assessment) for the full list of security controls.
@@ -28,7 +51,7 @@ The Rancher Hardening Guide is based off of controls and best practices found in
 - [Hardening Guide for Rancher v2.2.x with Kubernetes 1.13]({{< baseurl >}}/rancher/v2.x/en/security/hardening-2.2/)
 - [Hardening Guide for Rancher v2.3.x with Kubernetes 1.15]({{< baseurl >}}/rancher/v2.x/en/security/hardening-2.3/)
 
-### CIS Benchmark Rancher Self-Assessment
+### The CIS Benchmark and Self-Assessment
 
 The benchmark self-assessment is a companion to the Rancher security hardening guide. While the hardening guide shows you how to harden the cluster, the benchmark guide is meant to help you evaluate the level of security of the hardened cluster.
 
@@ -39,7 +62,7 @@ Because Rancher and RKE install Kubernetes services as Docker containers, many o
 - [CIS Kubernetes Benchmark 1.4.1 - Rancher 2.2.x with Kubernetes 1.13]({{< baseurl >}}/rancher/v2.x/en/security/benchmark-2.2/#cis-kubernetes-benchmark-1-4-1-rancher-2-2-x-with-kubernetes-1-13)
 - [CIS Kubernetes Benchmark 1.4.1 - Rancher 2.3.x with Kubernetes 1.15]({{< baseurl >}}/rancher/v2.x/en/security/benchmark-2.3/#cis-kubernetes-benchmark-1-4-1-rancher-2-3-x-with-kubernetes-1-15)
 
-### Third Party Pen Test Reports
+### Third-party Penetration Test Reports
 
 Rancher periodically hires third parties to perform security audits and penetration tests of the Rancher 2.x software stack. The environments under test follow the Rancher provided hardening guides at the time of the testing. Results are posted when the third party has also verified fixes classified MEDIUM or above.
 
@@ -62,3 +85,7 @@ Rancher is committed to informing the community of security issues in our produc
 | [CVE-2019-13209](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13209) |  The vulnerability is known as a [Cross-Site Websocket Hijacking attack](https://www.christian-schneider.net/CrossSiteWebSocketHijacking.html). This attack allows an exploiter to gain access to clusters managed by Rancher with the roles/permissions of a victim. It requires that a victim to be logged into a Rancher server and then access a third-party site hosted by the exploiter. Once that is accomplished, the exploiter is able to execute commands against the Kubernetes API with the permissions and identity of the victim. Reported by Matt Belisle and Alex Stevenson from Workiva. | 15 Jul 2019  |   [Rancher v2.2.5](https://github.com/rancher/rancher/releases/tag/v2.2.5), [Rancher v2.1.11](https://github.com/rancher/rancher/releases/tag/v2.1.11) and [Rancher v2.0.16](https://github.com/rancher/rancher/releases/tag/v2.0.16) |
 | [CVE-2019-14436](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14436) |  The vulnerability allows a member of a project that has access to edit role bindings to be able to assign themselves or others a cluster level role granting them administrator access to that cluster. The issue was found and reported by Michal Lipinski at Nokia. | 5 Aug 2019  | [Rancher v2.2.7](https://github.com/rancher/rancher/releases/tag/v2.2.7) and [Rancher v2.1.12](https://github.com/rancher/rancher/releases/tag/v2.1.12) |
 | [CVE-2019-14435](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14435) |  This vulnerability allows authenticated users to potentially extract otherwise private data out of IPs reachable from system service containers used by Rancher. This can include but not only limited to services such as cloud provider metadata services. Although Rancher allow users to configure whitelisted domains for system service access, this flaw can still be exploited by a carefully crafted HTTP request. The issue was found and reported by Matt Belisle and Alex Stevenson at Workiva. | 5 Aug 2019  | [Rancher v2.2.7](https://github.com/rancher/rancher/releases/tag/v2.2.7) and [Rancher v2.1.12](https://github.com/rancher/rancher/releases/tag/v2.1.12) |
+
+### Security Tips and Best Practices
+
+Our [best practices guide]({{<baseurl>}}/rancher/v2.x/en/best-practices/management/#tips-for-security) includes basic tips for increasing security in Rancher.
\ No newline at end of file
diff --git a/content/rancher/v2.x/en/security/security-scan/_index.md b/content/rancher/v2.x/en/security/security-scan/_index.md
new file mode 100644
index 00000000000..6848f75f25a
--- /dev/null
+++ b/content/rancher/v2.x/en/security/security-scan/_index.md
@@ -0,0 +1,64 @@
+---
+title: Security Scans
+weight: 1
+---
+
+_Available as of v2.4_
+
+Rancher can run a security scan to check whether Kubernetes is deployed according to security best practices as defined in the CIS (Center for Internet Security) Kubernetes Benchmark.
+
+The  CIS Kubernetes Benchmark is a reference document that can be used to establish a secure configuration baseline for Kubernetes.
+
+When Rancher scans a cluster, it generates a report showing the results of each test, including the number of passed, skipped, and failed tests. The report also includes guidance on how to configure the cluster so that the failing tests will pass.
+
+To check clusters for CIS Kubernetes Benchmark compliance, the security scan leverages [kube-bench,](https://github.com/aquasecurity/kube-bench) an open-source tool from Aqua Security.
+
+When Rancher scans a cluster hosted in a managed Kubernetes provider such as GKE, EKS, or AKS, only worker nodes can be scanned.
+
+### About the Generated Report
+
+Each scan generates a report can be viewed in the Rancher UI and can be downloaded in CSV format.
+
+The version of the [benchmark](https://www.cisecurity.org/benchmark/kubernetes/) that is used depends on the cluster's Kubernetes version. 
+
+Each test in the resport is identified by its corresponding section of the benchmark. For example, if a cluster fails test 1.3.6, you can look up the description and rationale for the benchmark section 1.3.6 in the benchmark itself, or in Rancher's [hardening guide for the Kubernetes version that the cluster is using.]({{<baseurl>}}/rancher/v2.x/en/security/#rancher-hardening-guide)
+
+Similarly, for information how to manually audit the test result, you could look up section 1.3.6 in Rancher's [self-assessment guide for the corresponding Kubernetes version.]({{<baseurl>}}/rancher/v2.x/en/security/#the-cis-benchmark-and-self-assessment)
+
+### Prerequisites
+
+To run security scans on a cluster and access the generated reports, you must be an [Administrator]({{<baseurl>}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/) or [Cluster Owner.]({{<baseurl>}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/)
+
+### Running a Scan
+
+1. From the cluster view in Rancher, click **Tools > CIS Scans.**
+1. Click **Run Scan.**
+
+**Result:** A report is generated and displayed in the **CIS Scans** page. To see details of the report, click the report's name.
+
+### Skipping a Test
+
+1. From the cluster view in Rancher, click **Tools > CIS Scans.**
+1. Click the name of the report that has tests you want to skip.
+1. A **Skip** button is displayed next to each failed test. Click **Skip** for each test that should be skipped.
+
+**Result:** The tests will be skipped on the next scan.
+
+To re-run the security scan, go to the top of the page and click **Run Scan.**
+
+### Un-skipping a Test
+
+1. From the cluster view in Rancher, click **Tools > CIS Scans.**
+1. Click the name of the report that has tests you want to un-skip.
+1. An **Unskip** button is displayed next to each skipped test. Click **Unskip** for each test that should not be skipped.
+
+**Result:** The tests will not be skipped on the next scan.
+
+To re-run the security scan, go to the top of the page and click **Run Scan.**
+
+### Deleting a Report
+
+1. From the cluster view in Rancher, click **Tools > CIS Scans.**
+1. Go to the report that should be deleted.
+1. Click the **Ellipsis (...) > Delete.**
+1. Click **Delete.**
\ No newline at end of file