Configure Assessor Properties File¶
Introduction¶
The assessor-cli.properties file allows you to edit properties to customize the default selections and behavior of CIS-CAT Pro Assessor.
This guide covers how to edit the assessor-cli.properties file and explains each property.
Edit Properties File¶
1. Go to <path>\Assessor\config.
2. Open assessor-cli.properties or create and open a copy of it in a text editor.
3. Edit properties.
validate.xml.schema=true
Note
Ensure you remove the pound sign (#) if the property has been commented out.
4. Save the file.
Note
For changes to apply, the CIS-CAT Pro Assessor application must be restarted.
Properties¶
License Files¶
| Property | Data Type | Description |
|---|---|---|
ciscat.integration.config |
string |
Sets the filepath to the dxlclient.config file used for online license verification. The filepath should include the filename and extension. |
ciscat.license.filepath |
string |
Sets the filepath to the license.xml file used for license verification. The filepath should include the filename and extension. |
Define Default GUI Selections¶
| Property | Data Type | Description |
|---|---|---|
gui.auto.detect.benchmark |
true/false |
Determines if GUI should automatically detect the local operating system assessed and provide a suggested Level 1 Benchmark. Supports only local assessments for the following Microsoft Windows: 10 Enterprise, 11 Enterprise, Server 2012r2, Server 2012, Server 2019, Server 2022 |
gui.default.output.format |
string |
Sets the selected output format(s) for the generated reports, e.g., HTML, CSV, TXT, etc. |
gui.default.report.output.location |
string |
Sets the default selected report output destination path, e.g., C:\Users\testuser\Desktop. The path will be set to this value when an operating system supported for auto detection is not defined and/or detected. If this line is uncommented, ensure it contains a valid value else the field will be set to null. |
gui.default.securesuiteURL |
string |
Sets the URL of the CIS SecureSuite Platform for import of results via API. |
gui.default.report.output.windows10 |
string |
Sets the default selected report output destination path for a Microsoft Windows 10 operating system assessment, e.g., C:\Users\testuser\Desktop. The gui.auto.detect.benchmark property must be set to true and this operating system must be detected for this path to be set. Microsoft Windows 11 operating system is not supported, and the gui.auto.detect.benchmark property must be set to false. Due to current Microsoft Windows 11 limitations, CIS-CAT will detect a Microsoft Windows 11 system as a Microsoft Windows 10 system. If this line is uncommented, ensure it contains a valid value else the field will be set to null. |
gui.default.report.output.windows2012 |
string |
Sets the default selected report output destination path for a Microsoft Windows Server 2012 operating system assessment, e.g. C:\Users\testuser\Desktop. The gui.auto.detect.benchmark property must be set to true and this operating system must be detected for this path to be set. If this line is uncommented, ensure it contains a valid value else the field will be set to null. |
gui.default.report.output.windows2012r2 |
string |
Sets the default selected report output destination path for a Microsoft Windows Server 2012 r2 operating system assessment, e.g. C:\Users\testuser\Desktop. The gui.auto.detect.benchmark property must be set to true and this operating system must be detected for this path to be set. If this line is uncommented, ensure it contains a valid value else the field will be set to null. |
gui.default.report.output.windows2016 |
string |
Sets the default selected report output destination path for a Microsoft Windows Server 2016 operating system assessment, e.g. C:\Users\testuser\Desktop. The gui.auto.detect.benchmark property must be set to true and this operating system must be detected for this path to be set. If this line is uncommented, ensure it contains a valid value else the field will be set to null. |
gui.default.report.output.windows2019 |
string |
Sets the default selected report output destination path for a Microsoft Windows Server 2019 operating system assessment, e.g. C:\Users\testuser\Desktop. The gui.auto.detect.benchmark property must be set to true and this operating system must be detected for this path to be set. If this line is uncommented, ensure it contains a valid value else the field will be set to null. |
gui.default.report.output.windows2022 |
string |
Sets the default selected report output destination path for a Microsoft Windows Server 2022 operating system assessment, e.g. C:\Users\testuser\Desktop. The gui.auto.detect.benchmark property must be set to true and this operating system must be detected for this path to be set. If this line is uncommented, ensure it contains a valid value else the field will be set to null. |
Define Behavior when Benchmark Content Fails Validation¶
| Property | Data Type | Description |
|---|---|---|
validate.xml.schema |
true/false |
Configuration of true results in schema validation of benchmark/datastream files. On validation failure, assessment process halts with exit with a code of 500. Configuration of false will not result in formal validation, but errors in the structure will result in an exception. |
Set Schematron Validation Behavior¶
| Property | Data Type | Description |
|---|---|---|
validate.xml.schematron |
true/false |
Controls whether the Assessor will utilize schematron to validate that the OVAL definitions are correctly formed prior to assessment. |
Define Assessor Behavior when Signed Benchmark Content has been Altered¶
| Property | Data Type | Description |
|---|---|---|
exit.on.invalid.signature |
true/false |
Detects alteration in signed benchmark/datastream files prior to assessment. When set to true, and signature is found to be invalid, the assessment process will stop. When set to false, a notification appears if signature is found invalid and assessment continues without intervention. |
Define Behavior when Benchmark does not Match Operating System¶
| Property | Data Type | Description |
|---|---|---|
ignore.platform.mismatch |
true/false |
Use when needed For both true and false when an operating system benchmark is selected, the target system's operating system will be compared to that of the selected benchmark.When set to true and a mismatch is detected, the assessment will continue without intervention but may result in errors or multiple failed results.When set to false and a mismatch is detected, a message "The checklist does not match the target platform" is displayed on the command line. The assessment continues without intervention, and all results will be "Not Applicable" with a score of 0%. |
CIS SecureSuite Platform Parameters¶
| Property | Data Type | Description |
|---|---|---|
ciscat.post.parameter.securesuite.token |
string |
Allows for the inclusion of a CIS SecureSuite Platform-generated bearer token to upload ARF reports. |
ciscat.post.parameter.report.name |
string |
Allows for the customization of the CIS-CAT POST parameter for the report name. To POST assessment reports to the CIS SecureSuite Platform, the value of this property must be set to "report-name". |
ciscat.post.parameter.report.body |
string |
Allows for the customization of the CIS-CAT POST parameter for the report body. To POST assessment reports to the CIS SecureSuite Platform, the value of this property must be set to "ciscat-report". |
ciscat.zip.post.files |
true/false |
Strongly Recommended Allows for assessment reports to be zipped/compressed when they are sent to the CIS SecureSuite Platform via a POST request. |
Set SCE Script Timeout¶
| Property | Data Type | Description |
|---|---|---|
sce.max.wait |
numeric - milliseconds |
This property currently works only for local assessments and requires timeout configuration to be installed and enabled for MacOS or Linux. Sets the Maximum Wait time (time out) in milliseconds for each SCE script to execute. Used mostly when assessing with a Linux or macOS Benchmark. By default, the setting is not active. May reduce overall assessment time where organizations have mounted drives with millions/billions of files that may require collection/evaluation. Should an evaluation of the system state exceed the specified duration, the recommendation result will be Unknown and score as a failure. |
Set VMWare Command Timeout¶
| Property | Data Type | Description |
|---|---|---|
esxi.max.wait |
numeric - milliseconds |
Sets the Maximum Wait time (time out) in milliseconds for each PowerCLI command to execute. Used only when assessing with a VMWare Benchmark. Default value is 30 seconds. May reduce overall assessment time where organizations don't have settings configured on the VM. |
Define CSV Output Header Information¶
| Property | Data Type | Description |
|---|---|---|
include.csv.remediation |
true/false |
Controls whether remediation text is generated in the CSV-formatted assessment report. |
include.csv.headers |
true/false |
Controls whether a row of column headers is generated in the CSV-formatted assessment report. |
include.csv.target_ip |
true/false |
Controls whether the target IP address is generated in the CSV-formatted assessment report. |
include.csv.scoring |
true/false |
Controls whether the overall scoring information is generated in the CSV-formatted assessment report. |
include.csv.rule.scoring |
true/false |
Controls whether individual rule scoring information is generated in the CSV-formatted assessment report. |
Exclude Mounted File Systems from Assessment¶
| Property | Data Type | Description |
|---|---|---|
excluded.filesystems |
string |
Use when needed A comma-delimited list of filesystem names/mount points to exclude from any full-filesystem searches on Linux. Linux assessments where user home directories exist on an auto-mounted, large storage drive, will experience longer assessment duration as some Benchmarks checks will take longer to complete. |
Customize HTML Output Graphics¶
Note
Custom graphics and CSS files must be saved to the custom folder included in your Assessor download.
| Property | Data Type | Description |
|---|---|---|
custom.html.coverpage.background |
string |
The name of the graphics file to be used as the HTML report's cover page background. |
custom.html.coverpage.logo |
string |
The name of the graphics file to be used as the HTML report's cover page organizational logo. |
custom.html.coverpage.subtitle.background |
string |
The name of the graphics file to be used as the HTML report's cover page subtitle background. |
include.default.html.coverpage.footer |
true/false |
Specifies whether or not the default footer is displayed on the cover page of the HTML report. If this property is not set or is commented out, the default value of true will be used for this property. If you want to display a custom graphic for the cover page footer, utilize the custom.html.coverpage.footer property. |
custom.html.coverpage.footer |
string |
The name of the graphics file to be generated as the footer of the HTML cover page. The default cover page footer covers an area of approximately 725x64 px. |
custom.html.css |
string |
The name of the .CSS file which overrides the HTML report's styling. |