
Configure Benchmarks for Assessment


Introduction

To assess your target systems against certain CIS Benchmarks, additional configuration is required. This guide covers the steps to configure all the assessments requiring additional setup.

Database Assessments

Assessing against Database Benchmarks in CIS-CAT Pro Assessor v4 uses a JDBC connection mechanism. The required JDBC connection strings can be entered in one of the following ways:

Database Assessments and Host Operating System

Many Database Benchmarks analyze the database settings and host system of the database. CIS-CAT Pro Assessor will collect information from the host system to compare to the Benchmark's recommended values.

Info

Review the CIS-CAT Pro Assessor Coverage Guide for a general list of operating systems that are supported.

Interactive Value Summary

Database Interactive Value Expected Format
Microsoft SQL Server xccdf_org.cisecurity_value_jdbc.url jdbc:sqlserver://[serverName[\instanceName][:portNumber]][;property=value[;property=value]]
Mongo (3.6 only) xccdf_org.cisecurity_value_jdbc.url fileLocation value of /etc/mongod.conf - this default value must be used
Oracle MySQL xccdf_org.cisecurity_value_jdbc.url jdbc:mysql://<host>:<port>/<database>?<key1>=<value1>&<key2>=<value2>...
xccdf_org.cisecurity_value_repl.user userName (default value is repl)
Oracle xccdf_org.cisecurity_value_jdbc.url jdbc:oracle:thin:[username]/[password]@[hostname]:[port]:[SID] OR jdbc:oracle:thin:[username]/[password]@//[hostname]:[port]/[service_name]
xccdf_org.cisecurity_value_listener.ora {env:ORACLE_HOME}/network/admin/listener.ora
PostgreSQL xccdf_org.cisecurity_value_jdbc.url jdbc:postgresql://<host>:<port>/<database>?<key1>=<value1>&<key2>=<value2>...
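
Every connection string in this table carries the database password in plaintext, so the string should be masked before it is written to the assessor-cli.log, pasted into a ticket, or committed alongside a configuration XML file. The helper below is an added Python example, not part of CIS-CAT Pro Assessor; it masks the password in the key=value form used by the SQL Server, MySQL and PostgreSQL URLs and in the user/password@host form used by the Oracle thin URLs (and by the ESXi connection string described further down this page). The sample strings are constructed from the page's own examples with made-up credentials.

```python
import re

# Constructed sample strings in the formats this page documents; the
# credentials are made-up example values, not real ones.
SAMPLES = {
    "sqlserver": "jdbc:sqlserver://CIS-SERVER:1433;databaseName=TestDB;user=jsmith;password=qw3rty;instanceName=TestInstance;",
    "mysql": "jdbc:mysql://CIS-SERVER:3306/TestDB?user=db_user&password=db_pass",
    "postgresql": "jdbc:postgresql://CIS-POSTGRESQL/PostgreSQL-DB?user=db_user&password=db_pass&ssl=true",
    "oracle_sid": "jdbc:oracle:thin:sys as sysdba/pa55w0rd!@servername:1521:ORCL",
    "oracle_service": "jdbc:oracle:thin:sys as sysdba/pa55w0rd!@//servername:1521/SERVICE_NAME",
    "esxi": "root/qu3rty@192.168.41.60",
}

MASK = "*****"

# key=value form: the password runs up to the next ';' (SQL Server) or '&'
# (MySQL, PostgreSQL), or to the end of the string.
_KV_PASSWORD = re.compile(r"(password=)[^;&]*", re.IGNORECASE)

# user/password@host form (Oracle thin URLs, ESXi strings). The user part may
# contain spaces ("sys as sysdba"), so it is everything before the first '/',
# and the password is everything from there up to the '@'.
_SLASH_PASSWORD = re.compile(r"^(jdbc:oracle:thin:)?([^/@]+/)[^@]*(@)")


def redact(conn: str) -> str:
    """Return conn with its embedded password replaced by MASK.

    Strings without a password (e.g. integratedSecurity=true) come back
    unchanged, so the function is safe to apply to every string logged."""
    if "password=" in conn.lower():
        return _KV_PASSWORD.sub(r"\g<1>" + MASK, conn)
    before_at = conn.split("@", 1)[0]
    if "@" in conn and "/" in before_at:
        return _SLASH_PASSWORD.sub(r"\g<1>\g<2>" + MASK + r"\g<3>", conn)
    return conn


if __name__ == "__main__":
    for name, conn in SAMPLES.items():
        print(f"{name:15} {redact(conn)}")
```

Apply redact() to a connection string before it reaches any log line or shared file; the masked form still shows the host, port, instance and database so the target of an assessment remains identifiable.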

Microsoft SQL Server

Microsoft SQL Server database support is implemented using the Microsoft JDBC driver.

Format

The format of the Microsoft JDBC URL for Microsoft SQL Server is:

jdbc:sqlserver://[serverName[\instanceName][:portNumber]][;property=value[;property=value]]

Note

jdbc:sqlserver:// is required. It is the subprotocol and is constant.

Properties

Property Required/Optional Description
serverName Optional The address of the server to connect to. This address can be a DNS or IP address, or it can be localhost or 127.0.0.1 for the local computer. If not specified in the connection URL, the server name must be specified in the properties collection.
instanceName Optional The instance to connect to on serverName. If not specified, a connection to the default instance is made.
portNumber Optional The port to connect to on serverName. The default is 1433. If you are using the default, you do not have to specify the port, nor its preceding colon ( : ), in the URL.
property Optional One or more optional connection properties. For more information, refer to Setting the connection properties. Any property from the list can be specified. Properties can only be delimited by using the semicolon ( ; ), and they can't be duplicated.

Info

Review the official Microsoft resource for more information about supported connection properties.

Connection

Connect to Microsoft SQL Server database in any of the following ways:

In the examples below, a Microsoft SQL Server database instance with the following information will be used:

Information Value
Server Name CIS-SERVER
Database Name TestDB
Database Port 1433
Windows Domain WIN-DOMAIN
Windows Domain User/Password jsmith/qw3rty
SQL Server Database User/Password db_user/db_pass
Instance Name TestInstance

Basic Connection

Connect to the default database on the local computer by using a username/password:

jdbc:sqlserver://localhost;user=MyUserName;password=*****;

Windows Authentication

Windows Authentication Mode allows connections to a SQL Server instance through a Microsoft Windows account. Establish connections by supplying a domain account.

The following JDBC connection string would be valid for establishing a connection using the example information:

jdbc:sqlserver://CIS-SERVER:1433;databaseName=TestDB;domain=WIN-DOMAIN;user=jsmith;password=qw3rty;instanceName=TestInstance;

Windows Authentication Mode may also be used against databases running on machines not joined to a domain (i.e., standalone servers). When authenticating with Microsoft Windows accounts to standalone servers, supply the computer name in place of the domain name.

For example, if the name of the standalone server is SQLSERVER, the JDBC connection string would look as such:

jdbc:sqlserver://CIS-SERVER:1433;databaseName=TestDB;domain=SQLSERVER;user=jsmith;password=qw3rty;instanceName=TestInstance;

SQL Server Authentication

SQL Server Authentication enables connections to a database instance with a trusted SQL Server account. SQL Server authenticates by checking if the account has been set up and the password matches one previously recorded for that user.

The following JDBC URLs would be valid for establishing a connection using the example information:

jdbc:sqlserver://CIS-SERVER:1433;databaseName=TestDB;user=db_user;password=db_pass;instanceName=TestInstance;

or

jdbc:sqlserver://CIS-SERVER:1433;databaseName=TestDB;user=jsmith;password=qw3rty;instanceName=TestInstance;
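
Before handing a SQL Server connection string to the Assessor, it is worth checking it against the format described above: the constant jdbc:sqlserver:// prefix, the optional server\instance:port part with its 1433 default, and semicolon-delimited properties that must not be duplicated. The parser below is an added Python example, not CIS-CAT code; it lower-cases property names so that a duplicate differing only in case is still caught, and the sample URLs in the test are the ones from this section.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

PREFIX = "jdbc:sqlserver://"   # required, constant subprotocol
DEFAULT_PORT = 1433


@dataclass
class SqlServerUrl:
    server: Optional[str]          # None: serverName must come from the properties
    instance: Optional[str]        # None: the default instance
    port: int
    properties: Dict[str, str] = field(default_factory=dict)   # keys lower-cased


def parse_sqlserver_url(url: str) -> SqlServerUrl:
    """Parse jdbc:sqlserver://[serverName[\\instanceName][:portNumber]][;property=value...]."""
    if not url.startswith(PREFIX):
        raise ValueError(f"URL must start with the constant subprotocol {PREFIX}")
    rest = url[len(PREFIX):]
    # Everything up to the first ';' is the server part.
    server_part, _, prop_part = rest.partition(";")
    m = re.fullmatch(r"([^\\:]+)?(?:\\([^\\:]+))?(?::(\d+))?", server_part)
    if m is None:
        raise ValueError(f"malformed server part: {server_part!r}")
    server, instance, port_text = m.groups()
    port = int(port_text) if port_text else DEFAULT_PORT

    props: Dict[str, str] = {}
    for item in prop_part.split(";"):
        if not item:                      # tolerate the trailing ';'
            continue
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"property without '=': {item!r}")
        key = key.lower()
        if key in props:                  # the driver forbids duplicated properties
            raise ValueError(f"duplicate property: {key}")
        props[key] = value
    if server is None and "servername" not in props:
        raise ValueError("serverName given neither in the URL nor as a property")
    return SqlServerUrl(server, instance, port, props)


def is_valid_sqlserver_url(url: str) -> bool:
    """True when the string parses under the rules above."""
    try:
        parse_sqlserver_url(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_sqlserver_url("jdbc:sqlserver://CIS-SERVER:1433;databaseName=TestDB;user=jsmith;password=qw3rty;instanceName=TestInstance;"))
```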

Integrated Security

The JDBC driver supports the use of Type 2 integrated authentication on Windows operating systems by using the integratedSecurity connection string property.

Requirements

To use integrated security, the Microsoft SQL Server JDBC driver requires at least one additional .dll file.

CIS-CAT Pro includes the mssql-jdbc_auth-<version>-<arch>.dll 64-bit file in the misc folder of the CIS-CAT build directories. Place the .dll files in the bin directory of the 64-bit Java Runtime Environment (JRE) utilized to execute CIS-CAT Pro Assessor. CIS-CAT Pro does not support 32-bit Java when assessing a Windows environment.

Info

Find additional information regarding the .dll file in the Microsoft article Connecting with integrated authentication On Windows.

Example
jdbc:sqlserver://CIS-SERVER:1433;integratedSecurity=true;

Dynamic Ports

CIS-CAT Pro supports remote and local assessments when dynamic ports are configured.

Requirements
  • CIS-CAT Pro Assessor resides on the database host machine for local assessment
  • The Microsoft SQL Server named instance option is utilized as opposed to default instance
  • SQL Server Browser enabled
  • UDP 1434 (SQL Server Browser) and sqlserver.exe opened on firewall

When assessing remote hosts in the cloud, the below additional requirements are needed:

  • Ports 49,152 to 65,535 opened, as the dynamic port could be anywhere in that range. Ensure this is in line with your organizational security policies or utilize a static port.
  • UDP 1434 must be opened in the security group

Example

When completing a local assessment, modify the connection string by replacing the server name with localhost, as in the example below:

jdbc:sqlserver://localhost;databaseName=TestDB;user=jsmith;password=qw3rty;instanceName=TestInstance;

Mongo 3.6 Database

The MongoDB 3.6 Benchmark requires one interactive value, the location of the MongoDB configuration file, which can be supplied in a configuration XML file for the assessment.

Note

MongoDB 4 and 5 Benchmark versions will not prompt users for this value as they are hardcoded to look for the configuration file in the default location.

Property

Property Value
MongoDB config file location /etc/mongod.conf

Warning

The default value specified above must not change.

Verify Configuration File

Connect to the MongoDB instance using MongoDB client with valid username/password and execute this command:

db.runCommand( { getCmdLineOpts: 1 } )

The response will contain MongoDB running configuration file location:

"config" : "/user/data/mongod.conf",
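
The path that getCmdLineOpts reports is the file mongod actually loaded. If it differs from /etc/mongod.conf, the Benchmark's file-based checks read a file the running instance is not using, and the results will not reflect the live configuration. The check below is an added Python example, not part of CIS-CAT Pro; it takes a JSON-serialized getCmdLineOpts response (the sample is constructed in the shape shown above, with a deliberately different path) and reports whether parsed.config matches the fixed interactive value, treating "no config file at all" as its own case.

```python
import json

# The Benchmark's interactive value is fixed to this path (see the Property table).
EXPECTED_CONFIG = "/etc/mongod.conf"

# Constructed response in the shape db.runCommand({ getCmdLineOpts: 1 }) returns;
# the path deliberately differs from the expected one to show the mismatch case.
SAMPLE_RESPONSE = json.dumps({
    "argv": ["/usr/bin/mongod", "--config", "/user/data/mongod.conf"],
    "parsed": {"config": "/user/data/mongod.conf", "net": {"port": 27017}},
    "ok": 1,
})


def running_config_path(response_text):
    """Return parsed.config from a getCmdLineOpts response, or None when mongod
    was started without a configuration file."""
    doc = json.loads(response_text)
    if doc.get("ok") != 1:
        raise ValueError("getCmdLineOpts did not succeed")
    return doc.get("parsed", {}).get("config")


def config_location_check(response_text):
    """Compare the running config path with the path the Benchmark reads."""
    path = running_config_path(response_text)
    if path is None:
        return {"path": None, "matches": False,
                "note": "mongod runs without a config file; file-based checks will find nothing"}
    if path != EXPECTED_CONFIG:
        return {"path": path, "matches": False,
                "note": f"Benchmark reads {EXPECTED_CONFIG} but mongod loaded {path}; "
                        "file-based results will not reflect the running instance"}
    return {"path": path, "matches": True, "note": "ok"}


if __name__ == "__main__":
    print(config_location_check(SAMPLE_RESPONSE))
```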

Oracle Database

The Oracle JDBC driver can connect to Oracle database instances using either the SID (System Identifier) or Service Name.

Connect with SID

When connecting to an Oracle database using the SID, the format of the JDBC connection string is:

jdbc:oracle:thin:[username]/[password]@[hostname]:[port]:[SID]

For example:

jdbc:oracle:thin:sys as sysdba/pa55w0rd!@servername:1521:ORCL

Connect with Service Name

When connecting to an Oracle database using the Service Name, the format of the JDBC connection string is:

jdbc:oracle:thin:[username]/[password]@//[hostname]:[port]/[service_name]

For example:

jdbc:oracle:thin:sys as sysdba/pa55w0rd!@//servername:1521/SERVICE_NAME

Note

If your organization has followed guidance in Appendix 7 of the CIS Benchmark, make the appropriate modifications to the named user above.

Properties of Oracle JDBC Connection Strings

Property Description
username A valid username of an account that can connect to the database instance. This user should have sufficient privileges to SELECT from the various tables and views indicated in the specific Oracle Benchmark or be granted SYSDBA privileges.
password The credentials for the specified username to connect to the database instance.
hostname The name of the server (or its IP address) hosting the database.
port The port number on which the database is listening. By default, Oracle databases are configured to listen on port 1521.
SID The database SID.
Service Name The database Service Name.

listener.ora Interactive Value

The interactive value listener.ora is utilized in the assessment process to support Recommendations in section 2.1 of the Oracle Database Benchmarks. The default for this value is {env:ORACLE_HOME}/network/admin/listener.ora. If the path to listener.ora has been changed, provide the correct path in a configuration XML file or when the GUI requests it.

Oracle MySQL Database

Oracle MySQL database support is implemented using the MariaDB JDBC driver.

Format

The format for the MariaDB JDBC connection string for MySQL is:

jdbc:mysql://<host>:<port>/<database>?<key1>=<value1>&<key2>=<value2>...

Properties

Property Required Description
host Required The name of the server (or its IP address) hosting the database.
port Required The port number on which the database is listening. By default, MySQL is configured to listen on port 3306.
database Required The database name.

Optional Parameters

Property Required Description
user Optional A valid username of account that can connect to the database instance.
password Optional The credentials for the specified user to connect to the database instance. CIS-CAT does not support the use of "&" (ampersand) for this database type.
useSSL Optional Force the usage of SSL on the connection.
trustServerCertificate Optional When using SSL, will not verify the server's certificate.
serverSslCert Optional Server's certificate in DER form, or server's CA certificate. Can be used in one of three forms:

- Full path to certificate: serverSslCert=/path/to/cert.pem

- Relative to current classpath: serverSslCert=classpath:relative/cert.pem

- Verbatim DER-encoded certificate string, starting with
-----BEGIN CERTIFICATE-----

An additional interactive value is xccdf_org.cisecurity_value_repl.user. This is the replication user, if utilized.

Example

Consider a MySQL database instance with the following information:

Information Value
Server Name CIS-SERVER
Database Name TestDB
Database Port 3306
Username db_user
Credentials db_pass

When configuring the JDBC connection string in CIS-CAT Pro Assessor, the above information would yield:

jdbc:mysql://CIS-SERVER:3306/TestDB?user=db_user&password=db_pass

MySQL 8 - Remote Assessment Requirements

The Assessor must either connect to the host of the database or reside on the same machine as the database.

When connecting to a remote host where the database to be assessed resides, grant the permissions below in addition to what a root admin user (utilized in the connection string) may have.

Grant to the db_user (username) used in the connection string:

  • Grant PROCESS

    GRANT PROCESS ON *.* TO '<db_user>'@'<hostname or IP>';
    
  • Grant SELECT on mysql database

    GRANT SELECT ON mysql.* TO '<db_user>'@'<hostname or IP>';
    
  • Grant SELECT on tables: audit_log_filter, slave_master_info, component, user

    GRANT SELECT ON mysql.<table> TO '<db_user>'@'<hostname or IP>';
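
The grants above are the least privilege the remote assessment needs; a quick way to confirm an account holds them (and nothing is silently missing) is to compare the SHOW GRANTS output for the account against the list. The following Python helper is an added example, not CIS-CAT code: it produces the GRANT statements listed above for a given account and reports which of the required privileges are absent from constructed SHOW GRANTS lines (MySQL 8 prints identifiers in backticks, which the parser strips), honouring broader grants such as SELECT ON mysql.* or ALL PRIVILEGES ON *.*.

```python
import re
from typing import List, Set, Tuple

# Tables the Benchmark needs SELECT on, from the grant list above.
REQUIRED_TABLES = ["audit_log_filter", "slave_master_info", "component", "user"]


def required_grants(user: str, host: str) -> List[str]:
    """The GRANT statements listed above, for a given account."""
    target = f"'{user}'@'{host}'"
    statements = [f"GRANT PROCESS ON *.* TO {target};",
                  f"GRANT SELECT ON mysql.* TO {target};"]
    statements += [f"GRANT SELECT ON mysql.{table} TO {target};" for table in REQUIRED_TABLES]
    return statements


_GRANT_LINE = re.compile(r"^GRANT (.+?) ON (\S+) TO ", re.IGNORECASE)


def parse_show_grants(lines: List[str]) -> Set[Tuple[str, str]]:
    """Turn SHOW GRANTS output lines into (PRIVILEGE, object) pairs."""
    held = set()
    for line in lines:
        m = _GRANT_LINE.match(line.strip())
        if not m:
            continue
        privileges, obj = m.group(1), m.group(2).replace("`", "")
        for privilege in privileges.split(","):
            held.add((privilege.strip().upper(), obj))
    return held


def missing_grants(show_grants_lines: List[str]) -> List[str]:
    """List the required grants the account does not hold; a broader grant
    (same privilege on *.* or on mysql.*, or ALL PRIVILEGES) satisfies a narrower one."""
    held = parse_show_grants(show_grants_lines)

    def has(privilege: str, obj: str) -> bool:
        database = obj.split(".", 1)[0]
        return any(pair in held for pair in (
            (privilege, obj), (privilege, "*.*"), (privilege, f"{database}.*"),
            ("ALL PRIVILEGES", "*.*"), ("ALL PRIVILEGES", f"{database}.*")))

    required = [("PROCESS", "*.*"), ("SELECT", "mysql.*")]
    required += [("SELECT", f"mysql.{table}") for table in REQUIRED_TABLES]
    return [f"{privilege} ON {obj}" for privilege, obj in required if not has(privilege, obj)]


# Constructed SHOW GRANTS output for an account that holds PROCESS but only
# one of the SELECT grants; not taken from a real server.
SAMPLE_SHOW_GRANTS = [
    "GRANT USAGE ON *.* TO `db_user`@`10.0.0.5`",
    "GRANT PROCESS ON *.* TO `db_user`@`10.0.0.5`",
    "GRANT SELECT ON `mysql`.`user` TO `db_user`@`10.0.0.5`",
]

if __name__ == "__main__":
    print("\n".join(required_grants("db_user", "10.0.0.5")))
    print("missing:", missing_grants(SAMPLE_SHOW_GRANTS))
```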
    

Info

Review the full set of connection properties/optional URL parameters supported by MariaDB.

PostgreSQL Database

CIS-CAT Pro Assessor has implemented support for assessments against PostgreSQL database instances using the PostgreSQL JDBC driver.

Format

The format for the PostgreSQL JDBC connection string is:

jdbc:postgresql://<host>:<port>/<database>?<key1>=<value1>&<key2>=<value2>...

Properties

Property Required Description
host Required The name of the server (or its IP address) hosting the database.
port Required The port number on which the database is listening. By default, PostgreSQL is configured to listen on port 5432.
database Required The database name.

Optional Parameters

Property Required Description
user Optional A valid username of account that can connect to the database instance.
password Optional The credentials for the specified user to connect to the database instance. CIS-CAT does not support the use of "&" (ampersand) for this database type.
ssl Optional A boolean value (true/false), to force the usage of SSL on the connection.

Example

Consider a PostgreSQL database instance with the following information:

Information Value
Server CIS-POSTGRESQL
Database PostgreSQL-DB
Database Port 5432 (default)
Username db_user
Credentials db_pass

When configuring the JDBC connection string in CIS-CAT Pro Assessor, the above database instance would yield:

jdbc:postgresql://CIS-POSTGRESQL:5432/PostgreSQL-DB?user=db_user&password=db_pass

If CIS-CAT Pro Assessor is connecting to PostgreSQL on the default port (5432), the port can be omitted from the connection string:

jdbc:postgresql://CIS-POSTGRESQL/PostgreSQL-DB?user=db_user&password=db_pass

To force the database connection to require SSL, the connection string would look like:

jdbc:postgresql://CIS-POSTGRESQL/PostgreSQL-DB?user=db_user&password=db_pass&ssl=true
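
The MySQL and PostgreSQL drivers above share the ?key=value&key=value form, and both tables carry the same caveat: CIS-CAT does not support an ampersand in the password, because the driver would read it as the start of the next parameter. The Python helper below is an added example, not CIS-CAT code. It assembles a URL for either driver, refuses a password containing "&", forces SSL by default using the property names from the tables above (useSSL for MySQL, ssl for PostgreSQL), and reports whether an existing URL forces SSL or disables certificate verification via trustServerCertificate=true. It always writes the port explicitly; the PostgreSQL driver also accepts omitting the default 5432, as the example above shows.

```python
from typing import Dict, Optional

DEFAULT_PORTS = {"mysql": 3306, "postgresql": 5432}
# Property that forces SSL for each driver, from the optional-parameter tables.
SSL_PROPERTY = {"mysql": "useSSL", "postgresql": "ssl"}


def password_supported(password: str) -> bool:
    """CIS-CAT does not support '&' in the password for these drivers."""
    return "&" not in password


def build_url(driver: str, host: str, database: str, user: str, password: str,
              port: Optional[int] = None, require_ssl: bool = True,
              extra: Optional[Dict[str, str]] = None) -> str:
    """Assemble jdbc:<driver>://host:port/database?user=...&password=...[&ssl]."""
    if driver not in DEFAULT_PORTS:
        raise ValueError(f"unsupported driver: {driver}")
    if not password_supported(password):
        raise ValueError("password contains '&', which CIS-CAT does not support for this database type")
    params: Dict[str, str] = {"user": user, "password": password}
    if require_ssl:
        params[SSL_PROPERTY[driver]] = "true"
    if extra:
        params.update(extra)
    port = DEFAULT_PORTS[driver] if port is None else port
    query = "&".join(f"{key}={value}" for key, value in params.items())
    return f"jdbc:{driver}://{host}:{port}/{database}?{query}"


def ssl_posture(url: str) -> Dict[str, object]:
    """Report whether a MySQL/PostgreSQL JDBC URL forces SSL and whether it
    turns off certificate verification (trustServerCertificate=true)."""
    driver = url.split(":", 2)[1]          # "mysql" or "postgresql"
    params: Dict[str, str] = {}
    for item in url.partition("?")[2].split("&"):   # values are not URL-encoded here
        if item:
            key, _, value = item.partition("=")
            params[key] = value
    return {
        "driver": driver,
        "ssl_forced": params.get(SSL_PROPERTY.get(driver, ""), "").lower() == "true",
        "cert_unverified": params.get("trustServerCertificate", "").lower() == "true",
    }


if __name__ == "__main__":
    url = build_url("postgresql", "CIS-POSTGRESQL", "PostgreSQL-DB", "db_user", "db_pass")
    print(url)
    print(ssl_posture(url))
```

A URL whose posture comes back as ssl_forced=False, or cert_unverified=True, deserves a second look before it is used against a production database over the network.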

Info

Find the full set of connection properties/optional URL parameters supported by PostgreSQL at PostgreSQL JDBC Driver.


Docker Assessment

The Docker Benchmark can be run locally on a system with the Docker engine installed or run remotely as long as the system hosting the Docker engine allows an SSH connection.

Follow the Linux or MacOS session configuration guidance for specifics on assessing with this Benchmark.


Kubernetes Assessment

Assessing against the Kubernetes Benchmark works like any other Linux Benchmark assessment. CIS Benchmark consensus has determined that best practice should allow for remote connection with the host only through SSH.

CIS Kubernetes v1.20 Benchmarks v1.0.0+ highly recommend remote assessments. The Recommendations in version v1.7.0 require segmentation of worker and master nodes, which would not be running on the same system.

Note

CIS Kubernetes Benchmark version 1.6.1 has introduced profile levels specific to the master and worker nodes. Use the profile that is representative of your configuration.

Examples

Execute an assessment on command line on a local machine where Kubernetes exists using interactive mode:

./Assessor-CLI.sh -i

Execute an assessment on command line on a local machine where Kubernetes exists using the relative path to the Benchmark file, selecting a specific profile by name:

./Assessor-CLI.sh -b benchmarks/CIS_Kubernetes_V1.20_Benchmark_v1.0.0.xml

Execute an assessment on command line on local machine where Kubernetes exists using information found in a saved configuration XML file.

./Assessor-CLI.sh -cfg /CIS/kubernetes_assessment-configuration.xml

Sample configuration file for a local assessment with HTML report generation:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<configuration xmlns="http://cisecurity.org/ccpa/config">
    <sessions test="false">
        <session id="Kube1">
            <type>ssh</type>
            <tmp_path/>
        </session>
    </sessions>
    <assessments quiet="false">
        <benchmark profile="Level 1" session-ref="Kube1" xccdf="/CIS/CIS-CAT_Software/CIS-CAT-Assessor-v4.18.0/Assessor/benchmarks/CIS_Kubernetes_V1.20_Benchmark_v1.0.0.xml"/>
    </assessments>
    <reports html="true">
        <reports_dir>/CIS/CIS-CAT_Software/CIS-CAT-Assessor-v4.18.0/Assessor/reports</reports_dir>
    </reports>
</configuration>

Amazon Elastic Kubernetes Service (EKS) Assessment

Assessing with the Amazon Elastic Kubernetes Service (EKS) Benchmark requires the use of the AWS CLI to authenticate and connect to the EKS cluster.

This Benchmark will authenticate and target a specific cluster with AWS CLI, and then submit kubelet and kubectl commands to the cluster to perform the assessment. The commands are present within the Benchmark content.

Note

This Benchmark is available for Linux operating systems through local assessment only as local AWS CLI and Kubernetes commands are used to perform the assessment.

Requirements

Authentication

  • Authentication method selected
    • AWS CLI authentication
    • Kubernetes AWS IAM Authenticator

Installation

  • (If AWS CLI authentication selected) AWS CLI installed
    • Latest version of AWS CLI v2 recommended
    • If AWS CLI v1 utilized, version 1.16.156+ required
  • kubectl installed
  • CIS-CAT Pro Assessor v4 bundle extracted locally on a Linux environment

Configuration

  • Configure aws-auth.yml with authentication
  • Kubeconfig file pointed to desired EKS cluster
  • Port 8080 (and any other needed ports) opened

Configure AWS CLI Authentication

To authenticate, AWS CLI must have a user or role configured. No IAM permissions are needed for the assessment itself, only to authenticate.

The user or role must be granted the eks:DescribeCluster permission, which is utilized for the update-kubeconfig command to target the specific cluster for assessment.

Configure Kubernetes Role Based Access Control (RBAC) System

The AWS CLI permissions are used for authentication only. All permissions for interacting with your Amazon EKS cluster’s Kubernetes API are managed through the native Kubernetes Role Based Access Control (RBAC) system.

The following roles are required to allow CIS-CAT Pro Assessor v4 to submit kubelet and kubectl commands to the cluster for automated assessments.

Default Cluster Role Default Cluster Role Binding Description
system:kube-controller-manager system:kube-controller-manager user Allows access to the resources required by the controller manager component. The permissions required by individual controllers are detailed in the controller roles.
system:kubelet-api-admin None Allows full access to the kubelet API.

Add User or Role to aws-auth.yml File

Adding a user or role to the aws-auth.yml file is required only when the user/role performing the assessment is not a cluster creator as creators are granted system:masters permissions.

1. Determine whether permissions will be applied to a user or role.
2. Make note of the user or role ARN selected.
3. Login as the administrator of the cluster (only cluster admin can perform below commands).
4. Edit aws-auth file with the command:

kubectl edit -n kube-system configmap/aws-auth

5. Add either a user OR role to aws-auth.yml file.

Note

Only one addition is required, user or role.

6. Save and exit the file.

Info

See AWS's article Understand Amazon EKS created RBAC roles and users for more information on users and roles.

Prepare the Environment and AWS CLI

1. Ensure that CIS-CAT Pro Assessor is extracted locally on a server (EC2 or another server) that has access to the EKS cluster servers.
2. Ensure security groups provide access to port 8080 from the server where CIS-CAT Pro Assessor locally resides. Other ports may also need to be opened depending on each organization’s specific configuration.
3. Point AWS CLI to the desired EKS cluster for assessment using the following command, where the name value of the cluster being assessed is the variable:

aws eks update-kubeconfig --name <Target Cluster Name>

Info

For additional information on configuring required Linux environment variables, see Running Amazon EKS Benchmark Assessments.

Use AWS IAM Authenticator

If you are unable to utilize AWS CLI v1.16.156 or later, you can utilize the AWS IAM Authenticator instead.

Info

Review AWS documentation for downloading and preparing the AWS IAM Authenticator.

Once the AWS IAM Authenticator is downloaded and installed, manually prepare the kubeconfig file, which is automatically created as part of AWS CLI, but must be created manually when using the authenticator.

Set Environment Variables

Prior to assessing against this Benchmark, you must also set several environment variables through the CLI.

  • Run the following command to set these environment variables:

# For each EKS Cluster in each region;
export CLUSTER_NAME=<your cluster name>
export REGION_CODE=<your region_code>
aws eks describe-cluster --name ${CLUSTER_NAME} --region ${REGION_CODE} --query 'cluster.logging.clusterLogging'

Example method for executing an Amazon Elastic Kubernetes Service (EKS) assessment

Execute an assessment on the command line:

./Assessor-CLI.sh -b benchmarks/CIS_Amazon_Elastic_Kubernetes_Service_(EKS)_Benchmark_v1.0.1-xccdf.xml

Note

Ensure the local session type is being used.


Azure Kubernetes Service (AKS) Assessment

Assessing with the Azure Kubernetes Service (AKS) Benchmark requires the use of the Azure CLI to authenticate and connect to the AKS cluster.

The AKS Benchmark authenticates and targets a specific cluster with Azure CLI, and then submits kubelet and kubectl commands to the cluster to perform the assessment. The required commands are present within the Benchmark content.

This Benchmark runs on Linux operating systems and supports local assessment only, as local Azure CLI and Kubernetes commands are used to perform the assessment.

Requirements

Authentication

  • Authentication method selected
    • Azure CLI authentication
    • Azure role-based access control for Kubernetes

Installation

  • (If Azure CLI authentication selected) Azure CLI installed
    • Latest version of Azure CLI, version 2.24.0 or later
  • kubectl installed
  • CIS-CAT Pro Assessor v4 bundle extracted locally on a Linux environment

Configuration

  • Azure Kubernetes Services Cluster User role assigned
  • Kubeconfig file pointed to desired AKS cluster
  • Port 8080 (and any other needed ports) opened

Configure Azure CLI Authentication

To authenticate, Azure CLI must have the Azure Kubernetes Services Cluster User role assigned to, at minimum, the --assignee.

  • Execute the following to assign the role:

az role assignment create \
--assignee $ACCOUNT_ID \
--scope $AKS_CLUSTER \
--role "Azure Kubernetes Service Cluster User Role"

Prepare the Environment and Azure CLI

1. Ensure CIS-CAT Pro Assessor is extracted locally on a server or workstation that has access to the AKS cluster servers.
2. Ensure security groups provide access to port 8080 from the server where CIS-CAT Pro Assessor locally resides. Other ports may also need to be opened depending on each organization’s specific configuration.
3. Point Azure CLI to the desired AKS cluster for assessment using the following command, where the name value of the cluster being assessed is the variable:

az aks get-credentials -g MyResourceGroup -n MyManagedCluster

Example method for executing an Azure Kubernetes Service (AKS) assessment

Execute an assessment on the command line:

./Assessor-CLI.sh -b benchmarks/CIS_Azure_Kubernetes_Service_(AKS)_Benchmark_v1.1.0-xccdf.xml

Note

Ensure the local session type is being used.


Google Kubernetes Engine (GKE) Assessment

Assessing with the Google Kubernetes Engine (GKE) Benchmark requires the use of the gcloud CLI to authenticate and connect to the GKE cluster.

The Google GKE Benchmark will authenticate and target a specific cluster with gcloud CLI, and then submit kubelet and kubectl commands to the cluster to perform the assessment. The commands are present within the Benchmark content.

This Benchmark runs on Linux operating systems and supports local assessment only, as local gcloud CLI and Kubernetes commands are used to perform the assessment.

Requirements

Authentication

  • Authentication method selected
    • Google Cloud Platform (GCP) CLI authentication
    • Kubernetes GCP IAM Authenticator

Installation

Configuration

  • Kubeconfig file pointed to desired GKE cluster
  • local session type used
  • Port 8080 (and any other needed ports) opened

Info

Review official Kubernetes documentation to assist in configuration.

Configure gcloud CLI Authentication

GCP IAM defines what actions you are allowed to take on GCP (e.g., create Cloud Storage Buckets and deploy an App Engine app). Kubernetes Roles define permissions you have within a single cluster. Some GCP IAM roles actually propagate down to the GKE clusters running in that project. For example, the GCP IAM role Kubernetes Engine Developer grants edit access to every cluster in the projects assigned to the role.

Because Kubernetes does not have the concept of users, GKE will rely on GCP IAM permissions for user authentication (who you are). However, you should rely as much as possible on Kubernetes Roles for authorization (what you are allowed to do). We will grant minimal roles on the GCP IAM side that can be used to identify yourself to a cluster. The GKE cluster will decide what you are allowed to do, based on the Kubernetes Role.

GKE Authentication

GKE manages authentication with gcloud using the OAuth2/OpenID Connect method.

The minimal set of permissions you need on the GCP IAM side are the following:

  • container.apiServices.get
  • container.apiServices.list
  • container.clusters.get
  • container.clusters.getCredentials

Info

Specifics of this method are available on the Kubernetes website.

Configure Kubernetes Role Based Access Control (RBAC) System

The gcloud CLI permissions are used only for authentication. All permissions for interacting with your Google GKE cluster’s Kubernetes API are managed through the native Kubernetes Role Based Access Control (RBAC) system.

Info

Refer to The Ultimate Security Guide to RBAC on Google Kubernetes Engine for further information on RBAC.

The following roles are required to allow CIS-CAT Pro Assessor to submit kubelet and kubectl commands to the cluster for automated assessments.

Default Cluster Role Default Cluster Role Binding Description
system:kube-controller-manager system:kube-controller-manager user Allows access to the resources required by the controller manager component. The permissions required by individual controllers are detailed in the controller roles.
system:kubelet-api-admin None Allows full access to the kubelet API.

Prepare the Environment and gcloud CLI

1. Ensure CIS-CAT Pro Assessor is extracted locally on a server or workstation that has access to the GKE cluster servers.
2. Ensure security groups provide access to port 8080 from the server where CIS-CAT Pro Assessor locally resides. Other ports may also need to be opened depending on each organization’s specific configuration.
3. Run the following command to verify that kubectl can access the cluster node you wish to assess:

kubectl get nodes

Example method for executing a GKE Assessment

Execute an assessment on the command line:

./Assessor-CLI.sh -b benchmark/CIS_Google_Elastic_Kubernetes_Service_(GKE)_Benchmark_V1.2.0-xccdf.xml

Note

Ensure the local session type is being used.


Apache Tomcat Assessment

The Apache Tomcat Security Configuration Benchmark provides prescriptive guidance and assessment capability for Apache Tomcat versions running on Linux.

Requirements

There are approximately 15 checks in the Tomcat 9 Benchmark that verify scenarios surrounding the username that has been created for the Tomcat 9 installation.

For more accurate assessment of these checks, ensure your Tomcat instance meets the following requirements:

  • User named tomcat_admin
  • Group name exists with name of tomcat
  • tomcat group has ownership of Tomcat files and directories
  • tomcat_admin is a member of tomcat group
  • Connection to the host of the Tomcat application

Note

For remote assessments, it is necessary to ensure there is a connection (session) to the host machine where the Tomcat instance resides.

Interactive Values

The Benchmark requires two interactive values, corresponding to the CATALINA_HOME and CATALINA_BASE environment variables, to inform the assessment process.

  • The path for CATALINA_HOME should point to the location of the common information.
  • The path for CATALINA_BASE should point to the directory where all the instance-specific information is held. In the case of a single instance, this path may be the same as the path for CATALINA_HOME.

These values are specified in the xccdf files as:

xccdf_org.cisecurity_value_tomcat.base
    Default value = /opt/tomcat/

xccdf_org.cisecurity_value_tomcat.home
    Default value = /opt/tomcat/

Example Configuration XML File for Tomcat Assessment

An example configuration file with specified profile and HTML report generation:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<configuration xmlns="http://cisecurity.org/ccpa/config">
    <starting_dir>C:\CIS\CIS-CAT_Software\Releases\CIS-CAT-Assessor-v4.18.0\Assessor</starting_dir>
    <sessions test="false">
        <session id="1523-MKUN">
            <type>local</type>
            <tmp_path>C:\Users\mk\AppData\Local\Temp</tmp_path>
        </session>
    </sessions>
    <assessments gui="true" quiet="false">
        <benchmark profile="Level 1" session-ref="1523-MKUN" xccdf="benchmarks\CIS_Apache_Tomcat_9_Benchmark_v1.1.0-xccdf.xml">
            <interactive_values>
                <value id="xccdf_org.cisecurity_value_tomcat.base">/opt/tomcat/</value>
                <value id="xccdf_org.cisecurity_value_tomcat.home">/opt/tomcat/</value>
            </interactive_values>
        </benchmark>
    </assessments>
    <reports csv="false" html="true" no-arf="true" npr="false" txt="false">
        <reports_dir>C:\CIS\CIS-CAT_Software\Releases\CIS-CAT-Assessor-v4.18.0\Assessor\reports</reports_dir>
    </reports>
</configuration>
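
This Tomcat file and the Kubernetes sample earlier on the page share one structure: a sessions block, benchmark entries that point at a session through session-ref, optional interactive values, and a reports block. The most common mistake when editing such a file by hand is a session-ref that no longer matches a session id, or an interactive value left blank, so it is useful to generate the file and validate those references before running the Assessor. The helper below is an added Python example, not CIS-CAT code; it uses only the standard library and reproduces only the elements and attributes visible in the two samples on this page, without claiming to know the full configuration schema.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = "http://cisecurity.org/ccpa/config"
ET.register_namespace("", NS)        # serialize as the default namespace, like the samples


def _tag(name: str) -> str:
    return f"{{{NS}}}{name}"


def build_config(session_id: str, session_type: str, xccdf: str, profile: str,
                 reports_dir: str, interactive_values: Optional[Dict[str, str]] = None,
                 tmp_path: Optional[str] = None) -> str:
    """Build a single-session, single-benchmark configuration document."""
    root = ET.Element(_tag("configuration"))
    sessions = ET.SubElement(root, _tag("sessions"), {"test": "false"})
    session = ET.SubElement(sessions, _tag("session"), {"id": session_id})
    ET.SubElement(session, _tag("type")).text = session_type
    ET.SubElement(session, _tag("tmp_path")).text = tmp_path       # empty element when None
    assessments = ET.SubElement(root, _tag("assessments"), {"quiet": "false"})
    benchmark = ET.SubElement(assessments, _tag("benchmark"),
                              {"profile": profile, "session-ref": session_id, "xccdf": xccdf})
    if interactive_values:
        values = ET.SubElement(benchmark, _tag("interactive_values"))
        for value_id, text in interactive_values.items():
            ET.SubElement(values, _tag("value"), {"id": value_id}).text = text
    reports = ET.SubElement(root, _tag("reports"), {"html": "true"})
    ET.SubElement(reports, _tag("reports_dir")).text = reports_dir
    return ET.tostring(root, encoding="unicode")


def validate_config(xml_text: str) -> List[str]:
    """Return a list of problems; an empty list means the references are consistent."""
    root = ET.fromstring(xml_text)
    ns = {"c": NS}
    problems: List[str] = []
    session_ids = set()
    for session in root.findall("c:sessions/c:session", ns):
        sid = session.get("id")
        session_ids.add(sid)
        if not session.findtext("c:type", default="", namespaces=ns):
            problems.append(f"session {sid!r} has no type")
    for benchmark in root.findall("c:assessments/c:benchmark", ns):
        ref = benchmark.get("session-ref")
        if ref not in session_ids:
            problems.append(f"unknown session-ref {ref!r}")
        if not benchmark.get("xccdf"):
            problems.append("benchmark without xccdf path")
        for value in benchmark.findall("c:interactive_values/c:value", ns):
            if not (value.text or "").strip():
                problems.append(f"interactive value {value.get('id')!r} is empty")
    return problems


if __name__ == "__main__":
    doc = build_config("1523-MKUN", "local",
                       "benchmarks\\CIS_Apache_Tomcat_9_Benchmark_v1.1.0-xccdf.xml", "Level 1",
                       "C:\\CIS\\CIS-CAT_Software\\Releases\\CIS-CAT-Assessor-v4.18.0\\Assessor\\reports",
                       {"xccdf_org.cisecurity_value_tomcat.base": "/opt/tomcat/",
                        "xccdf_org.cisecurity_value_tomcat.home": "/opt/tomcat/"},
                       tmp_path="C:\\Users\\mk\\AppData\\Local\\Temp")
    print(doc)
    print("problems:", validate_config(doc))
```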

VMware ESXi Assessments

Assessing against the VMware ESXi Benchmark requires use of a connection string to connect to the ESXi/vSphere host. The connection string can be entered on the command line, or set in advance in the assessor-cli.properties file or a configuration XML file.

Note

This Benchmark has been tested on Microsoft Windows operating systems only. Other operating systems are not guaranteed to provide optimal results.

Requirements

  • Assessed machine is a Microsoft Windows OS
  • VMware PowerCLI 6.5.1+ installed
  • PowerShell installed
    • VMware.VimAutomation.Core module required as cmdlets for managing vSphere are needed
    • LanguageMode not configured to ConstrainedLanguage

How to verify LanguageMode Configuration

When the PowerShell session runs in ConstrainedLanguage mode, the Assessor's functions are blocked because the CIS-CAT PowerShell scripts cannot be dot-sourced.

Verify LanguageMode using this command:

PS> $ExecutionContext.SessionState.LanguageMode

PowerCLI Versions

When an older, deprecated version of PowerCLI is encountered, a warning is printed in the assessor-cli.log.

  • A version comparison result of 2 indicates that the version check has failed. A failure to connect and execute commands will result in "unknown" assessment results, indicating that CIS-CAT Pro Assessor was unable to collect the system's state information.
  • A version comparison result of -1, indicates that the version check resulted in an "unrecognized format." Since the version cannot fully be determined, analyze the accuracy of the results.

Connection Strings

  • Multiple connection strings can be placed in a configuration XML file or entered individually on the command line.
  • One string can be placed in the assessor-cli.properties file.
  • If the connection string is not defined in either file, the CLI will prompt the user to enter the information. The format of this connection string is user/password@host:

    root/qu3rty@192.168.41.60

Note that the password appears in clear text wherever the string is stored (command line, assessor-cli.properties, configuration XML) and may be echoed in shell history or process listings. Restrict access to those files accordingly.

Assessment Duration

The VMware Benchmark executes 40 to 60 commands to collect state information. In cases where particular settings are not configured on the VM, the Assessor will attempt to collect state information up to the max wait time. If unsuccessful, the Assessor will continue to the next check.

The default max wait time is set to 30 seconds (30000ms) in the assessor-cli.properties file. The esxi.max.wait property value can be modified to serve organizational requirements.

Connections and Certificates

VMware ESXi assessments require a local session type.

If the Assessor is unable to connect to the ESXi host, find details on the issue in the assessor-cli.log, if generated.

In case of certificate errors, the Assessor will set the InvalidCertificateAction parameter to Ignore for the duration of the assessment session. That is, the host's TLS certificate is not validated and the connection proceeds, so the supplied credentials are sent to whatever endpoint answers at the configured address. Run assessments over a trusted network path.

Execute Single VMware Assessment

Execute a single assessment on command line with connection string specified for the VMware ESXi:

Assessor-CLI.bat -b benchmarks\CIS_VMware_ESXi_6.7_Benchmark_v1.1.0.xml -D xccdf_org.cisecurity.benchmarks_value_esxi.connection=root/password@192.168.41.60

Execute Multiple VMware Assessments

Execute multiple assessments on command line on the local machine using information found in a configuration XML file:

Assessor-CLI.bat -cfg C:\CIS\vmware_assessment-configuration.xml

Below is an example of a configuration XML file with multiple VMware assessments, specified profiles, and HTML report generation:

<configuration xmlns="http://cisecurity.org/ccpa/config">
    <starting_dir>C:\CIS\CIS-CAT_Software\CIS-CAT-Assessor-v4\Assessor</starting_dir>
    <sessions test="false">
        <session id="vmware1">
            <type>local</type>
            <tmp_path/>
        </session>
        <session id="vmware2">
            <type>local</type>
            <tmp_path/>
        </session>
    </sessions>
    <assessments quiet="false">
        <benchmark profile="Level 1 (L1) - Corporate/Enterprise Environment (general use)" session-ref="vmware1" xccdf="C:\CIS\CIS-CAT_Software\Assessor-v4\Assessor\benchmarks\CIS_VMware_ESXi_6.7_Benchmark_v1.1.0-xccdf.xml">
            <interactive_values>
                <value id="xccdf_org.cisecurity.benchmarks_value_esxi.connection">root/password@192.168.41.60</value>
            </interactive_values>
        </benchmark>
        <benchmark profile="Level 1 (L1) - Corporate/Enterprise Environment (general use)" session-ref="vmware2" xccdf="C:\CIS\CIS-CAT_Software\Assessor-v4\Assessor\benchmarks\CIS_VMware_ESXi_6.7_Benchmark_v1.1.0-xccdf.xml">
            <interactive_values>
                <value id="xccdf_org.cisecurity.benchmarks_value_esxi.connection">root/password@192.168.41.50</value>
            </interactive_values>
        </benchmark>
    </assessments>
    <reports html="true">
        <reports_dir>C:\CIS\CIS-CAT_Software\Assessor-v4\Assessor\reports</reports_dir>
    </reports>
</configuration>

Note

The type element should be set to local even though the connection will not physically be local.
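Hand-editing the configuration XML for many hosts is error-prone, and a password containing an XML-significant character such as & or < will corrupt the file. The script below is an added example, not CIS-CAT tooling: it generates a configuration XML with the same elements as the example above for a list of ESXi hosts, using an XmlWriter so that the connection string is escaped correctly, then locks the file down to the current user because it now holds the password in clear text. The paths, the host list and the session-id scheme are assumed values for illustration.

```powershell
# Added example (not CIS-CAT Pro Assessor's own tooling): generate a multi-host
# VMware ESXi configuration XML and run it. Assumed (hypothetical) paths and hosts.
$AssessorDir = 'C:\CIS\CIS-CAT_Software\Assessor-v4\Assessor'
$Benchmark   = Join-Path $AssessorDir 'benchmarks\CIS_VMware_ESXi_6.7_Benchmark_v1.1.0-xccdf.xml'
$Profile     = 'Level 1 (L1) - Corporate/Enterprise Environment (general use)'
$OutFile     = 'C:\CIS\vmware_assessment-configuration.xml'

# Constructed sample host list. The credential is prompted for rather than
# hard-coded, since the generated file will contain it in clear text anyway.
$hosts = @('192.168.41.60', '192.168.41.50')
$cred  = Get-Credential -Message 'ESXi account used for the assessment'
$user  = $cred.UserName
$pass  = $cred.GetNetworkCredential().Password
# Caution: the user/password@host format has no documented escaping for '/' or '@'
# inside the password; such passwords may be parsed ambiguously by the Assessor.

$ns = 'http://cisecurity.org/ccpa/config'
$settings = [System.Xml.XmlWriterSettings]::new()
$settings.Indent = $true
$writer = [System.Xml.XmlWriter]::Create($OutFile, $settings)
try {
    $writer.WriteStartElement('configuration', $ns)
    $writer.WriteElementString('starting_dir', $ns, $AssessorDir)

    # One session per host. The type is "local" because the Assessor itself
    # opens the PowerCLI connection to ESXi; the session is not a remote one.
    $writer.WriteStartElement('sessions', $ns)
    $writer.WriteAttributeString('test', 'false')
    for ($i = 0; $i -lt $hosts.Count; $i++) {
        $writer.WriteStartElement('session', $ns)
        $writer.WriteAttributeString('id', "vmware$($i + 1)")
        $writer.WriteElementString('type', $ns, 'local')
        $writer.WriteElementString('tmp_path', $ns, '')     # emits <tmp_path />
        $writer.WriteEndElement()
    }
    $writer.WriteEndElement()   # sessions

    $writer.WriteStartElement('assessments', $ns)
    $writer.WriteAttributeString('quiet', 'false')
    for ($i = 0; $i -lt $hosts.Count; $i++) {
        $writer.WriteStartElement('benchmark', $ns)
        $writer.WriteAttributeString('profile', $Profile)
        $writer.WriteAttributeString('session-ref', "vmware$($i + 1)")
        $writer.WriteAttributeString('xccdf', $Benchmark)
        $writer.WriteStartElement('interactive_values', $ns)
        $writer.WriteStartElement('value', $ns)
        $writer.WriteAttributeString('id', 'xccdf_org.cisecurity.benchmarks_value_esxi.connection')
        $writer.WriteString("$user/$pass@$($hosts[$i])")   # XmlWriter escapes &, <, > etc.
        $writer.WriteEndElement()   # value
        $writer.WriteEndElement()   # interactive_values
        $writer.WriteEndElement()   # benchmark
    }
    $writer.WriteEndElement()   # assessments

    $writer.WriteStartElement('reports', $ns)
    $writer.WriteAttributeString('html', 'true')
    $writer.WriteElementString('reports_dir', $ns, (Join-Path $AssessorDir 'reports'))
    $writer.WriteEndElement()   # reports

    $writer.WriteEndElement()   # configuration
} finally {
    $writer.Dispose()
}

# The file holds the ESXi password in clear text: drop inherited ACEs and grant
# access only to the account running the assessment.
& icacls $OutFile /inheritance:r /grant:r "${env:USERDOMAIN}\${env:USERNAME}:(F)" | Out-Null

& (Join-Path $AssessorDir 'Assessor-CLI.bat') -cfg $OutFile
```

Delete the generated file once the reports are produced, or regenerate it per run; the Assessor reads the credential from it only at start-up.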

Report Results

Configuration assessment result files for VMware ESXi will be prefixed with the ESXi host's hostname (or IP address) for easier identification. The prefix is applied automatically to every configuration assessment report generated.


Red Hat OpenShift Container Platform Assessment

The Assessor runs the Benchmark checks through the OpenShift CLI (oc). The OpenShift CLI is the preferred and most secure method of running the commands for OpenShift Benchmark assessments.

Requirements

  • OpenShift CLI 9 (oc) installed
  • Logged in to OpenShift CLI (oc login) with active Red Hat account
  • CIS-CAT Pro Assessor v4 bundle extracted locally
  • If using a sessions.properties file or configuration XML file, ensure that the session type is local.

Note

SSH is disabled, so remote session types are not possible; the assessment runs locally and reaches the cluster through oc.

Example

./Assessor-CLI.sh -b benchmarks/CIS_RedHat_OpenShift_Container_Platform_v4_Benchmark_v1.1.0.xml