Installation and License Management¶
Introduction¶
Install CIS-CAT Pro Assessor v4 and manage your SecureSuite license.
Minimum Requirements¶
Verify that your system meets or exceeds the following requirements for running CIS-CAT Pro Assessor v4.
System Requirements¶
- Multi-core processor
- 2GB or more of RAM
- 500GB of free disk space
- Administrator privileges (for local assessments)
Linux Requirements¶
- Linux builds with embedded Java MUST ensure that the
jrefolder of the build has appropriate read and execute permissions in order for the assessment process to function
Windows Requirements¶
- 64-bit
Host Systems¶
We recommend that no other application requiring a JRE exists on the Assessor's host server. Install CIS-CAT Pro Assessor v4 on a host system separate from your host systems for the CIS SecureSuite Platform.
Multiple installations of CIS-CAT Pro Assessor on separate host systems aren't an issue. You may utilize versions of CIS-CAT Pro Assessor with or without embedded JRE per the appropriate operating system.
Java Requirements¶
Java is required for operation of CIS-CAT. Versions of CIS-CAT are available with embedded Java that is utilized at run time.
With the release of Assessor v4.46 on Sep. 30, 2024, the embedded Java was updated to Amazon Corretto v8.432.06.1. Java.Corretto is a no-cost, multi-platform, production-ready distribution of the Open Java Development Kit (OpenJDK).
Requirements for Assessor Versions without Embedded Java¶
If a version of CIS-CAT is selected that doesn't include the embedded JRE, the following requirements apply:
- JRE or JDK installed on CIS-CAT host machine.
- Stable version 8 or 11 (Java 17 is NOT supported) of JRE or JDK (free openJDK also supported) present on host or accessed via network share.
- Non-stable or proprietary Java builds may work in certain environments, however CIS Technical Support cannot assist troubleshooting issues.
- Some Members have experienced issues with proprietary Java versions and headless Java versions.
- 64-bit Java recommended for faster performance.
- OpenJDK (free and open-source) implementations are supported. We have found this website easy to navigate. The official source is OpenJDK.
- Java versions 9+ will receive “WARNING: An illegal reflective access operation has occurred”. This can be ignored and will not halt the assessment.
Secure Setup Recommendations¶
- The system that CIS-CAT Pro Assessor is installed on should be up to date on updates and follow CIS Benchmark guidelines.
- The Assessor distribution ZIP file should be downloaded only from CIS Workbench and validated against the checksums provided.
- CIS-CAT Pro Assessor should be installed only on the system accessible by the user who is designated to run the application.
- Ensure that access to CIS-CAT Pro Assessor and its directories are strictly limited to those with administrator privileges, and only those who need to access it (i.e., follow principle of least privilege).
Download CIS-CAT Pro Assessor v4¶
CIS-CAT Pro Assessor v4 is available only to CIS SecureSuite Members.
To learn more about becoming a CIS SecureSuite Member, visit our website.
1. Log in to CIS WorkBench.
2. Go to Downloads.
3. Select Download CIS-CAT Pro.
4. Select your Assessor bundle.
Below are the possible download bundles:
| Operating System |
Interface Type |
Java | Requires Host Installed JRE |
Description | Downloaded File Name Example |
|---|---|---|---|---|---|
| Microsoft Windows | with GUI | with | No | Includes a graphical interface and supports command line (CLI) activities. Embedded Java 8 Runtime Environment included and utilized for all Microsoft Windows assessments. Centralized scripts utilize the embedded Java | CIS-CAT-Assessor-windows-GUI-jre-v4.24.0.zip |
| Microsoft Windows | without GUI | with | No | No graphical interface. Supports command line (CLI) activities. Embedded Java 8 Runtime Environment included and utilized for all Microsoft Windows assessments. Centralized scripts utilize the embedded Java | CIS-CAT-Assessor-windows-jre-v4.24.0.zip |
| Microsoft Windows | without GUI | without | Yes | Supports command line (CLI) activities, no graphical interface. Requires an installed JRE on the CIS-CAT host. | CIS-CAT-Assessor-windows-v4.24.0 |
| Linux | without GUI | with | No | Designed for Linux ONLY operating systems. Includes only shell scripts for tool operation on Linux. Centralized scripts utilize the embedded Java. MUST ensure that the jre folder of the build has appropriate read and execute permissions in order for the assessment process to function. The embedded Java is only suitable for Linux OS, not MacOS. | CIS-CAT-Assessor-linux-jre-v4.24.0 |
| Linux | without GUI | without | Yes | Designed for Linux and MacOS operating systems. Includes only shell scripts for tool operation on Linux. Requires an installed JRE on the CIS-CAT host. | CIS-CAT-Assessor-linux-v4.24.0 |
| MacOS | without GUI | with | No | Designed for MacOS operating systems. Includes only shell scripts for tool operation MacOS. The embedded Java is only suitable for MacOS. MacOS users wishing for embedded Java must utilize this version. | CIS-CAT-Assessor-mac-jre-v4.24.0 |
| MacOS | with GUI | with | No | Designed for MacOS operating systems. Includes a graphical interface and supports command line (CLI) activities. Embedded java 8 runtime environment (JRE) included and utilized for all assessments. The embedded Java is only suitable for MacOS. | CIS-CAT-Assessor-mac-GUI-jre-v4.24.0 |
| MacOS | without GUI | without | Yes | Designed for MacOS operating systems. Includes only shell scripts for tool operation on MacOS. Requires an installed JRE on the CIS-CAT host. | CIS-CAT-Assessor-mac-v4.24.0 |
Note
MacOS users must utilize the Linux version without embedded Java as the embedded Java is not suitable for MacOS.
5. Select Download Selection to finish.
Download and Apply SecureSuite License¶
To unlock full feature and content access for CIS-CAT Pro Assessor v4, Members must download and apply their organization’s SecureSuite license.
1. Log in to CIS WorkBench.
2. Go to Downloads.
3. Select Download License.
4. Select Download.
Note
If the file doesn't download, ensure that JavaScript is unblocked on your browser.
5. Navigate to the downloaded files and extract/unzip the contents.
6. Open the folder where the extracted file was stored, and copy the license.xml into the license folder of CIS-CAT Pro Assessor v4.
Changing License File Location
Override the license file location by changing the value of the ciscat.license.filepath property in the assessor-cli.properties file.
See example of where the files should be placed within the CIS-CAT folder structure.
Info
For additional installation guidance for MacOS, refer to this Knowledge Base article.
CIS-CAT Assessor Lite Restrictions¶
If a valid license is not in your designated license folder, CIS-CAT Pro Assessor v4 will provide CIS-CAT Lite functionality.
Verification Method¶
CIS-CAT Assessor v4 validates licenses at the beginning of each command execution performed from the GUI or command line.
The license will attempt to validate against a CIS-hosted location via SSL port 8883 first. If the host machine is unable to validate online, CIS-CAT will validate the license from the key that is present in the designated license folder.
The method utilized to validate the license will be present in assessor-cli.log when producing an INFO level log.
License Renewal¶
Your license file will expire when your SecureSuite Membership expires. Once your SecureSuite Membership renewal has been processed, a new license file bundle will be available on WorkBench. Download the new license and move it to your designated license folder, replacing your outdated one.