
Graphical User Interface (GUI)


Introduction

The CIS-CAT Pro Assessor Graphical User Interface (GUI) is an intuitive and user-friendly application to assess target systems. The GUI offers a basic scan to assess your local system and an advanced scan to assess any combination of remote and local systems.

Info

The GUI is available for Microsoft Windows and Mac only. The GUI does not support initialization from a network location. CIS-CAT Pro Assessor must reside on a machine's local drive for the GUI's functions and content to run successfully.


Run GUI

1. Go to the extracted Assessor folder.
2. Run the Assessor-GUI as a user with administrator privileges (Windows) or a user with sudo privileges (Mac).

You will land on the Welcome screen, which is where you start performing configuration assessments.

Get Started with GUI

To give you a general sense of how to assess with the GUI, here are brief walkthroughs of the assessment options:

Basic Scan

Assess your local system only.

1. On the Welcome screen, select Basic.
2. On the Benchmarks screen, select Benchmarks to scan against and change the temporary path.
3. On the Assessment Options screen, select various configuration options, including report output formats and logging options.
4. Run the assessment.
5. On the Configuration Assessment screen, view assessment progress in real time and the generated reports once the assessment is finished.

Advanced Scan

Assess any combination of local or remote target systems.

Add remote or local target systems

Add and configure all the target systems to assess.

1. On the Welcome screen, select Advanced and then Add remote or local target systems.
2. Configure a target system.
3. On the Target Systems screen, manage the target systems to be assessed.
4. On the Assessment Options screen, select various configuration options, including report output formats and logging options.
5. Run the assessment.
6. On the Configuration Assessment screen, view assessment progress in real time and the generated reports once the assessment is finished.

Load a configuration or session file

Load pre-configured target systems or sessions to use for assessment. This option is especially useful if you need to assess the same target systems regularly.

1. On the Welcome screen, select Advanced and then Load.
2. Upload the configuration or sessions file.
3. On the Target Systems screen, manage the target systems to be assessed.
4. On the Assessment Options screen, select various configuration options, including report output formats and logging options.
5. Run the assessment.
6. On the Configuration Assessment screen, view assessment progress in real time and the generated reports once the assessment is finished.

Basic Scan

  • On the Welcome screen, select Basic to start.

You will move to the Benchmarks screen.

Benchmarks

Select Benchmarks to assess your local system against.

Actions

Automatic Benchmark Selection

When running local assessments, the GUI will detect some Microsoft Windows operating systems and automatically select the compatible Benchmark.

Automatic Benchmark selection works with the following Windows operating systems:

  • 10 Enterprise
  • 11 Enterprise
  • Server 2012r2
  • Server 2012
  • Server 2016
  • Server 2019
  • Server 2022

Note

Intune Windows 10 and 11 have the same operating system as Microsoft Windows 10 and 11 workstation. The Assessor will auto-select the Enterprise Benchmark.

How do I disable automatic Benchmark selection?

In config/assessor-cli.properties, change the gui.auto.detect.benchmark property value to false. Refer to Configure Assessor Properties File for more details.

Add Benchmark

Add Benchmarks for your local system to be assessed against. The available Benchmarks can be found in the benchmarks folder.

1. From Available, select a Benchmark.
2. Select a profile.
3. Select Add.

Tip

Alternatively, double-click a profile to add the Benchmark.

4. (For Benchmarks requiring an interactive value) Enter the value and select OK.

Tip

Select Test Connection to test the interactive value.

The Benchmark will be added to the Selected list.

Adding custom Benchmarks

Custom Benchmarks can be added if the requisite files are in the benchmarks folder. Restart the application if files are added while it is running.

Delete Benchmark

  • From Selected, select a Benchmark and then Delete.

Change Temporary Path

Assessments require read/write access to a temporary folder. The system's default temporary folder will be used unless you change the temporary path.

1. Select Change Temporary Path.

2. Enter the path or select Browse and choose the directory.

Go to Assessment Options

Advanced Scan

1. Select Advanced.

2. Select one of the options:

Add remote or local target system

Select this option to begin adding one or many targets for assessment.

Note

When remotely scanning a Windows or Unix/Linux target system, ensure you have configured the endpoint to allow successful communication between the CIS-CAT Pro host and the target.

Configure Target System

1. In Target System Name, enter a unique, descriptive name for the target system.

Note

This name cannot be edited later.

2. From the Target System Type dropdown, select the session type of the host system.
3. Complete the fields according to the selected session type:

Note

Ensure you have set up target systems for assessment.

Windows

  • Target System Protocol for WinRM: Select HTTP - no certificate or HTTPS - with certificate.
  • Port: Enter the port number on which communication occurs between the Assessor and target system.
  • Username: Enter the username of a user with administrator privileges.
  • Password (Optional): Enter the password of the above user.
  • IP Address/Hostname: Enter the primary active IP address or hostname designating the location of the target system.
  • Temporary Path (Optional): Select Browse to identify a different destination directory from the default. The above user must have read/write access to the designated directory.

Linux

  • Port: Enter the port number on which communication occurs between the Assessor and target system.
  • Username: Enter the username of a user with sudo privileges.
  • Password (Optional): Enter the password of the above user.
  • Private key file: Select Browse to identify the private key file.
  • IP Address/Hostname: Enter the primary active IP address or hostname designating the location of the target system.
  • Temporary Path (Optional): Select Browse to identify a different destination directory from the default. The above user must have read/write access to the designated directory.

Local

  • Temporary Path (Optional): Select Browse to identify a different destination directory from the default. The above user must have read/write access to the designated directory.

NetworkXML

For assessing network device configuration files in XML format.

  • Configuration file: Select Browse to identify the config file.

Networktxt

For assessing network device configuration files in txt format.

  • Configuration file: Select Browse to identify the config file.

4. Add or Delete Benchmarks.

Tip

Select Test Connection to test the interactive value.

5. Select Save to finish and move on to the Target Systems screen.

Load a configuration or sessions file

Use an .xml or .PROPERTIES file with the correct schema to load pre-configured assessments or sessions respectively.

1. In the Configuration file or Sessions file field, enter the path to the file or select Browse and choose the file.
2. (If file is encrypted) Enter the password and select OK.

Note

The file's contents are decrypted only in memory. The configuration file will remain encrypted and unaltered.

3. Select Next to move on to the Target Systems screen.

Target Systems

Manage target systems for assessment.

Actions

Add Target System

1. Select Add.

2. Configure the target system.

Edit Target System

1. Select a target system and then Edit.

2. Re-configure the target system.

Delete Target System

  • Select a target system and then Delete.

Test Connection to Targets

  • Select Test connection(s) to Targets to ensure session connections can be established with your target systems.

Tip

If there are issues, review the exit codes and troubleshoot accordingly.

Go to Assessment Options

  • After you have finished configuring target systems, select Next to move on to the Assessment Options screen.

Assessment Options

Configure report output options, logging options, and configuration output options.

Report Output Options

Define the report formats and output.

Info

Defaults can be set in the assessor-cli.properties file.

Actions

Select Report Formats

Configuration assessment results can be exported as a report in any of these formats: HTML, CSV, Text, ARF XML, or JSON. The report will be available in the selected formats after the assessments finish.

  • Select any combination of the report formats.

Set Report Destination Folder

Define the folder where the reports will be generated.

  • Enter the path to the folder or select Browse and choose the folder.

Pre-configure the Report Destination Folder

When automatic operating system detection is enabled, it is possible to pre-set specific share file locations based on the detected operating system. In the assessor-cli.properties file, update the relevant default report output property (e.g., gui.default.report.output.windows10) to the desired folder path.

Set Result Destination POST URL

Note

Before using this feature, you must authenticate with an API token generated by the CIS SecureSuite Platform.

Define the Result Destination POST URL to upload assessment results directly to a CIS SecureSuite Platform instance.

  • Enter the destination URL of the CIS SecureSuite Platform instance in the following format:
https://your-server/securesuite/api/reports/upload

When a value is entered into this field, the GUI will attempt to validate the destination. If the validation is successful, a message will display noting the success. If the validation is not successful, an "Unable to connect" error message will appear and provide possible solutions to the issues.

Ignore SSL Certificate Warnings

When uploading results to a CIS SecureSuite Platform instance, you can ignore SSL certificate warnings.

  • Select the Ignore SSL Certificate Warnings checkbox to enable this feature.

Logging Options

Logging options allow you to enable/disable logging and set the granularity of the log messages. Logs are generated in the logs folder.

Set Logging Preference

  • From the dropdown, select a logging option.

Info

For support issues, select Write log messages with a level of WARN, ERROR, or INFO and attach the log to a technical support ticket.

Log Levels

Log Level | Description
WARN | Unexpected behavior happened inside the application, but it is continuing its work and the key business features are operating as expected.
ERROR | One or more functionalities are not working.
INFO | An event happened. It is purely informative and can be ignored during normal operations.
DEBUG | For events considered to be useful during software debugging when more granular information is needed.
TRACE | For step by step execution of the code that can be ignored during the standard operation, but may be useful during extended debugging sessions.

Configuration Output Options

Configuration output options allow you to save your configuration as an XML file for later use. Configuration XML files allow you to customize and run multiple sessions, assessments, interactive values, user properties, and reporting options.

Save Configuration File

1. Select the Save configuration file checkbox.

2. Select Save as.

3. Select a directory and enter a name for the file.

4. Select Save to finish.

Encrypt Configuration File

To protect sensitive data, encrypt your configuration file. When loading the configuration file, users will be prompted to enter the encryption password you have defined.

1. Select the Save configuration file checkbox.

2. Select the Encrypt configuration file checkbox.

3. Enter an encryption password and re-enter it to confirm.

Note

To help ensure passwords including special characters are processed correctly, enclose your password in quotation marks (e.g., "password").

Once the assessment is run, an encrypted copy of the source file is created and written to the config folder. The copy preserves the plaintext source file for possible future updates and functions as a backup if the encryption password is forgotten or lost. The name of the encrypted file will start with enc_ followed by the source file's name. You can remove the plaintext copy of the file from the directory.

Run Assessment

Once you have finished configuring the target systems and assessment options, you are ready to run the assessment.

1. On the Assessment Options screen, select Next.
2. Select Start Assessment.

Starting the assessment will take you to the Configuration Assessment screen.

Configuration Assessment

Track assessment progress and view reports.

View Assessment Progress and Results

View the real-time progress of each assessment. Each step represents a distinct part of the assessment process.

At the end of each configuration assessment, the GUI will display the assessment results summary and score.

The results will include a few more entries than the results displayed on the HTML report. The result terminology presented on the console is in line with XCCDF specifications.

Value | Included in Scoring? | Description
Not Applicable | No | The rule(s)/check(s) were not applicable to the target. This typically occurs when the wrong benchmark is selected for the platform (i.e., platform mismatch).
Not Checked | No | The recommendation was not evaluated as there are no rule/check properties.
Not Selected | No | This recommendation was not part of the profile selected for the configuration assessment.
Informational | No | The recommendation cannot be fully automated and requires manual evaluation. This is the same result that is displayed as Manual on the HTML report.

Reports

View the assessment reports by target system.

View HTML

Note

The HTML format must have been selected to use this feature.

  • Select the report and then View HTML.

Show Reports Folder

By default, all reports are generated in the reports folder.

  • Select Show reports folder to open report.

Tip

The destination folder of your reports can be modified before you run the assessment.

Platform Mismatch

If a Benchmark has been selected that does not match the operating system being assessed, a platform mismatch error will trigger.

Determine if the correct Benchmark was selected for the target system. If the Benchmark selected was correct, turn off this platform check in the assessor-cli.properties file by setting the ignore.platform.mismatch property value to true.

Note

CIS strongly recommends that you only temporarily change the ignore.platform.mismatch property.
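
As an added example (not CIS code and not part of the original guide), the Python script below audits an extracted Assessor folder for two leftovers this guide describes: a plaintext configuration file that still exists after its enc_ copy was written to the config folder, and ignore.platform.mismatch left set to true in config/assessor-cli.properties. The function names, the search_dirs parameter, and treating an absent property as false are assumptions.

```python
# Added example, not CIS code: audit an extracted Assessor folder.
from pathlib import Path

ENC_PREFIX = "enc_"                        # encrypted-copy prefix named in this guide
MISMATCH_KEY = "ignore.platform.mismatch"  # property named in this guide


def load_properties(path):
    """Parse a Java-style .properties file; continuations and escapes not handled."""
    props = {}
    for raw in Path(path).read_text(encoding="utf-8").splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":    # blank line or comment
            continue
        # The key ends at the first '=', ':' or whitespace character.
        cut = min((i for i, ch in enumerate(line) if ch in "=: \t"), default=len(line))
        key, value = line[:cut], line[cut:].lstrip()
        if value[:1] in ("=", ":"):
            value = value[1:]
        props[key] = value.strip()         # a later assignment overrides an earlier one
    return props


def mismatch_check_disabled(properties_file):
    """True if the platform check is off. Assumption: an absent key means false."""
    return load_properties(properties_file).get(MISMATCH_KEY, "false").lower() == "true"


def leftover_plaintext(config_dir, search_dirs=()):
    """Return (encrypted, plaintext) pairs whose plaintext source still exists."""
    config_dir = Path(config_dir)
    pairs = []
    for enc in sorted(config_dir.glob(ENC_PREFIX + "*")):
        source_name = enc.name[len(ENC_PREFIX):]
        for folder in (config_dir, *map(Path, search_dirs)):
            if (folder / source_name).is_file():
                pairs.append((enc, folder / source_name))
    return pairs


def audit(assessor_dir, search_dirs=()):
    """Collect findings for one Assessor folder (hypothetical helper)."""
    props = Path(assessor_dir) / "config" / "assessor-cli.properties"
    findings = []
    if props.is_file() and mismatch_check_disabled(props):
        findings.append(f"{MISMATCH_KEY}=true is still set in {props}")
    for enc, plain in leftover_plaintext(props.parent, search_dirs):
        findings.append(f"plaintext {plain} remains; encrypted copy is {enc.name}")
    return findings
```

Pass any other directories where configuration files were saved with Save as through search_dirs, since the plaintext source may not sit in the config folder itself.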