Configure Session Properties File¶
Introduction¶
Session properties files allow you to configure local sessions and remote sessions to multiple endpoints. You can then load the file to the GUI or CLI to designate the configured connections to your target systems.
This guide covers:
- Editing the session.properties File
- Local Session Type
- SSH (remote Unix, Linux, or Apple OSX) Session Type
- Windows Session Type
- Network Devices Session Type
- Optional tmp_path Property
Edit Session Properties File¶
1. Go to <path>\Assessor\config.
2. Open the session.properties file, or create a copy of it and open the copy, in a text editor.

3. Edit the necessary properties.

Note
The sample session connections are commented out. Ensure you remove the hash (#) for the properties and session connections you need.
4. Save the file.
5. (If Assessor is running) Restart the application for the changes to apply.
Local¶
The local session type is for host-based assessments. Standalone or command-line applications (such as CIS-CAT Pro Assessor CLI) may use local sessions to conduct host-based assessments of Benchmarks.
Required Properties¶
| Property | Description | Value |
|---|---|---|
| type | The type of connection to the endpoint to be assessed. | local |
Example¶
session.1.type=local
SSH¶
The ssh session type represents a connection to a remote Unix, Linux, or Apple OSX endpoint via SSH.
Required Properties¶
| Property | Description | Value |
|---|---|---|
| type | The type of connection to the endpoint to be assessed. | ssh |
| host | Hostname or IP address (v4 or v6) | linux.example.org or 1.2.3.4 |
| port | The port number on which communication takes place. | 22 (default value) |
SSH connections can be authenticated in numerous ways. Depending on the authentication method, use the relevant properties:
- username+cred
- username+identity
- username+identity+identity_passphrase if private key file is encrypted
- username+identity+cred for sudo privileges
| Property | Description | Value |
|---|---|---|
| user | Username of the account used to log in to the remote endpoint | root or user with sudo privileges |
| cred | Password of the account used to log in to the remote endpoint | Password for user |
| identity | The full filepath to a private key file to be used for authenticating the user to the remote endpoint. | /home/example/privatekeyfile.ppk |
| identity_passphrase | The credentials required to complete authentication if using an encrypted private key file | Password for private key file |
Examples¶
Configure a remote Linux session using a username/private key:
session.2.type=ssh
session.2.host=ubuntu-test.example.org
session.2.port=22
session.2.user=ec2-user
session.2.identity=/home/myuser/cis/pkey.pem
Configure a remote macOS session using a username/private key:
session.3.type=ssh
session.3.host=macOS-test.example.org
session.3.port=22
session.3.user=ec2-user
session.3.identity=/Users/ciscatuser/cis/pkey.pem
Windows Session Type¶
The windows session type represents a WinRM connection to a remote Microsoft Windows environment. This connection type supports both workstations and servers, and connections can currently be established using username/password authentication.
Required Properties¶
| Property | Description | Value |
|---|---|---|
| type | The type of connection to the endpoint to be assessed. | windows |
| host | The hostname or IP address (v4 or v6) of the endpoint that this session will assess | windows.example.org or 1.2.3.4 |
| port | The port number on which communication takes place | HTTP: 5985, HTTPS: 5986 |
| user | Username of the account used to log in to the remote endpoint. | Username of Administrator or member of the Administrators group |
| cred | Password of the account used to log in to the remote endpoint. | Password for user |
Examples¶
Configure a remote Windows session using a username/password:
session.4.type=windows
session.4.host=123.255.198.9
session.4.port=5986
session.4.user=Administrator1
session.4.cred=s3cr3t3r!
Configure a remote Windows session using a username, but requiring manual password entry:
session.5.type=windows
session.5.host=100.50.25.75
session.5.port=5986
session.5.user=Administrator1
Network Devices¶
There are two session types for network devices:
- networktxt for configuration files in text format
- networkxml for configuration files in XML format

CIS-CAT Pro Assessor will create a local session, collecting information from an exported configuration file.
Required Properties¶
| Property | Description | Value |
|---|---|---|
| type | The type of connection to the endpoint to be assessed. | networktxt or networkxml |
| networkDeviceConfigFile | The full filepath to an exported configuration text file. Used in conjunction with the networktxt session type. | C:\example\networkdevice_config.txt |
| networkDeviceConfigXmlFile | The full filepath to an exported configuration XML file. Used in conjunction with the networkxml session type. | C:\example\networkdevice_config.xml |
Example¶
Configure a network session pointing to an exported text file:
session.6.type=networktxt
session.6.networkDeviceConfigFile=C:\\Path\\To\\Exported-configuration-file.txt
Configure a network session pointing to an exported XML file:
session.7.type=networkxml
session.7.networkDeviceConfigXmlFile=C:\\Path\\To\\Exported-configuration-file.xml
Info
CIS would like to add more automation to CIS Networking Benchmark recommendations. Please join our CIS WorkBench Communities for the specific networking technology on CIS WorkBench and ask how you can help. Example configuration files from organizational implementation can support CIS Benchmark Developers when creating additional automation.
Optional tmp_path Property¶
tmp_path designates a custom temporary directory location for creating the ephemeral directory on the target endpoint. You can use this property with any of the session types.
The ephemeral directory is named ccpa-temp-TIMESTAMP and is created as a sub-folder in the specified directory. For example, if tmp_path is specified as C:\Temp, the ephemeral directory will be created at C:\Temp\ccpa-temp-TIMESTAMP.
If you have entered a value for tmp_path, the directory must already exist on the target endpoint and allow write access; otherwise, the assessment will exit.
If this property is left blank or excluded, the Assessor will use the default temp folder as defined for the operating system, such as /tmp or C:\Windows\Temp.
Example¶
Configure a session for the local Microsoft Windows host, defining a custom temp folder:
session.8.type=local
# Note that specifying Windows directory paths requires a double-backslash "\\" as the path separator
session.8.tmp_path=C:\\Temp
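
A pre-flight check for a session.properties file, added here as an example and not part of CIS-CAT Pro Assessor or its documentation: it parses the active `session.N.*` lines, checks them against the property tables on this page, and flags secrets stored in the file and WinRM sessions on the HTTP port. The required-property sets, finding texts and sample input are assumptions constructed for the example.

```python
import re

# Property names taken from the tables on this page.
KNOWN = {"type", "host", "port", "user", "cred", "identity", "identity_passphrase",
         "networkDeviceConfigFile", "networkDeviceConfigXmlFile", "tmp_path"}
# Assumption: ssh needs "user"; ssh "port" defaults to 22; "cred" is optional (manual entry).
REQUIRED = {"local": set(), "ssh": {"host", "user"}, "windows": {"host", "port", "user"},
            "networktxt": {"networkDeviceConfigFile"},
            "networkxml": {"networkDeviceConfigXmlFile"}}
SECRETS = {"cred", "identity_passphrase"}
LINE = re.compile(r"^session\.(\d+)\.([A-Za-z_]+)\s*=\s*(.*)$")

# Constructed sample input (not from a real deployment).
SAMPLE = r"""#session.1.type=local
session.4.type=windows
session.4.host=192.0.2.10
session.4.port=5985
session.4.user=Administrator1
session.4.cred=constructed-example
session.7.type=networkxml
session.7.networkDeviceConfigFile=C:\\Path\\To\\export.xml
session.8.type=local
session.8.tmp=C:\\Temp
"""

def parse_sessions(text):
    """Group active (uncommented) session.N.key=value lines by session number."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            sessions.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return sessions

def lint(text):
    """Return (session number, finding) pairs, ordered by session number."""
    findings = []
    for n, props in sorted(parse_sessions(text).items()):
        stype, keys = props.get("type"), set(props)
        if stype not in REQUIRED:
            findings.append((n, f"unknown or missing type: {stype!r}"))
            continue
        notes = [f"missing required property: {k}" for k in sorted(REQUIRED[stype] - keys)]
        notes += [f"unrecognized property: {k}" for k in sorted(keys - KNOWN)]
        notes += [f"{k} is stored in plaintext" for k in sorted(SECRETS & keys)]
        if stype == "windows" and props.get("port") == "5985":
            notes.append("port 5985 is WinRM over HTTP; 5986 is HTTPS")
        findings += [(n, note) for note in notes]
    return findings
```

Call `lint()` on the text of your own file before loading it; a session that omits `cred`, as in the manual password entry example, produces no plaintext finding.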