This guide shows you how to modify checks within industry benchmarks by disabling individual checks or whole sections, or by modifying values in parameter-based checks.
Where can I find Benchmarks?
Navigating to Control > Policies will display a list of all custom policies you have created in your account and all public benchmarks. To view only benchmarks, click the “Public” filter in the left panel.
By clicking on the name of a benchmark you can view the Description, Background and Remediation of the original benchmark document.
Since benchmark customization can be done per node group, you must first assign the benchmark to a node group to start editing and disabling checks.
Adding a Benchmark to a Node Group
You can assign a benchmark to a node group either from the benchmarks list page via the Add to Node Group action, or from the benchmark details page via the Add Node Group button in the Node Groups section of the left panel.
Disabling a Benchmark Check
Once a benchmark has been assigned to a node group, you can start customizing. Locate the benchmark you want to edit in the Benchmarks list under Control > Policies. Then click into the benchmark to see the list of checks defined in the benchmark. You can click on the description of a particular check to bring up the details panel on the right. At the bottom of the panel is a list of node groups this benchmark is assigned to under Involved Node Groups. You can configure whether this check is run by toggling the checkbox next to the associated node group.
The example below shows the togglable checkbox for enabling or disabling the 1.1.1 check of this particular benchmark on all nodes in the Windows Production Nodes node group.
Disable Multiple Checks and Whole Sections
Groups of checks, or even whole sections of these benchmarks, can be enabled and disabled via the enable/disable overlay. To enter enable/disable mode, locate the node group on the left panel and click on the gear icon. Select Disable checks from the gear menu.
Each section, subsection and check should have either a green check mark or a crossed eye next to it. Clicking these icons allows you to enable or disable an individual check, or that particular section or subsection. You can disable all checks by clicking the Disable All Checks button.
When finished, click the Done disabling checks for Node Group button. Remember, enabled and disabled checks are applicable per node group, so you will need to navigate to each node group to customize your enabled and disabled checks.
When getting started with a new Benchmark, a good way to "ease in" is to start by disabling all checks. Then, you can gradually enable certain sections or subsections, prove that those checks pass, then continue by enabling further sections. This way, you can tailor your checks to focus on the items that are important to you, and avoid getting overwhelmed by data that you're not as interested in. For example, many benchmarks have a subsection on user security and access control - this is a great first section to enable, and provides you with a look at how your Benchmark results will be displayed.
Modifying a Benchmark Parameter
You can also modify a parameter within a particular benchmark check on a per node group basis. Checks that have a modifiable parameter will be listed with a button labelled Modify N value(s).
Clicking this button will display the value or values that can be modified. You can then click on a parameter’s title or value to bring up the parameter’s settings against each assigned node group in the right panel. If a value has not been modified, it will display “Default”; otherwise, you can click on the corresponding value to modify it.
Once you have customized Benchmarks to meet your needs, you can schedule benchmarks to be executed against a set of nodes in your environment. For more information on scheduling benchmark reports, please view our guide on How to Schedule Benchmark Reports.