HTML Report
Introduction
HTML reports are the most detailed report output of a single configuration assessment. This guide explains the information provided in HTML reports for users to better protect their target systems.
The HTML report is separated into four sections:
Info
For our example, we have used a CIS Ubuntu Linux 18.04 LTS Benchmark configuration assessment.
Summary
The Summary section provides an overall view of each section within the Benchmark that contributes to the overall score.
Recommendations are organized into categories and sub-categories. Each recommendation, when included in the CIS-CAT Pro automated assessment process, may consist of one or more "checks" or "tests". For a recommendation to reach an overall "Pass" result, all checks/tests must result in a "Pass".
The summary is separated into a few columns. An explanation of each column can be found in the table below.
The total shown for each highlighted major section in the Tests area is the sum of the counts from the next-level headings within that section.
| Header Section | Test Result Type | Value |
|---|---|---|
| Tests | Pass | Count of checks or tests meeting the criteria specified by the recommendation. |
| Tests | Fail | Count of checks or tests not meeting the criteria specified by the recommendation. |
| Tests | Error | Count of checks or tests that resulted in an error. |
| Tests | Unknown | Count of checks or tests where CIS-CAT was unable to determine if the criteria of the test were met. |
| Tests | Manual | Count of recommendations that cannot be fully automated and require manual evaluation. |
| Scoring | Score | Count of recommendations with a result of "pass" in a given section. |
| Scoring | Max | Total count of recommendations that could result in a pass or fail. |
| Scoring | Percent | Percent of recommendations passed in a given section ((Score/Max)*100) |
Some CIS Benchmark recommendations may not be supported for automation in CIS-CAT. This can result in differences occurring between the CIS Benchmark PDF recommendations identified as “Automated” and the CIS-CAT report. An “Automated” recommendation means that the CIS Benchmark Community has determined that this recommendation can potentially be fully assessed to a pass/fail state by a configuration assessment tool. In cases where CIS-CAT does not support a given “Automated” recommendation, it will be reported as “Manual” in the CIS-CAT report.


Note
This area will result in multiple zeros when the selected Benchmark does not match the selected target system's operating system and ignore.platform.mismatch=false. The command line console will show the results as "Not Applicable" where, for example, a Windows Benchmark was selected to scan a Linux platform. The command line console will also show "The checklist does not match the target platform." If ignore.platform.mismatch=true, the report may show a combination of failed results and 0 results in the same scenario.
Profiles
The Profiles section shows the available profile selections when performing an automated assessment.

Profiles represent a pre-defined set of recommendations tailored to a particular security level. All Benchmark recommendations are associated with at least one profile.
The intent of the Level 1 profile Benchmark is to reduce your organization's attack surface while keeping endpoints usable and not hindering business functionality.
The Level 2 profile is an extension of the Level 1 profile, including all Level 1 recommendations with additional recommendations. The Level 2 profile is considered to be a more "defense in depth" posture, intended for environments where security is paramount. The recommendations associated with the Level 2 profile can have an adverse effect on your organization if not implemented appropriately or without due care.
We recommend downloading and reviewing the published version of the CIS Benchmark that corresponds to the machine-readable assessment content to determine the best profile to use with each target system. Consult your organization's security policy to determine whether Level 1 or Level 2 is the best fit.
Regardless of which level profile you plan to use, we recommend applying CIS Benchmark guidance in a test environment first to determine potential impacts.
Assessment Results
All rules with at least one automated check or test will be included in this section. Some CIS Benchmark Recommendations cannot be reliably automated, thus requiring careful manual review.
All scored recommendations currently have a weight of 1. This is reflected in the column titled "w".
Possible values are listed in the table below:
| Value | Included in Scoring? | Description |
|---|---|---|
| Pass | Yes | The target system or component state satisfied all the conditions of the check(s)/rule(s) for the recommendation. |
| Fail | Yes | The target system or component state did not satisfy at least one condition of the check(s)/rule(s) for the recommendation. |
| Error | Yes | The assessor checking engine encountered a system error and could not complete the test. The status of the target's compliance is not certain. |
| Unknown | Yes | Assessor was unable to collect, interpret, or evaluate against the check/rule conditions associated with the recommendation. |
| Manual | No | This recommendation cannot be fully automated and requires manual evaluation. On CIS Benchmarks, a recommendation is deemed important during the consensus process but cannot be fully and reliably verified without organizational manual verification. Corresponds to XCCDF terminology of "Informational". |
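
The following added example (not CIS-CAT code) recomputes the Summary columns from a list of recommendation results, to show that the Tests columns count individual checks while Score and Max count recommendations. It assumes Max counts every recommendation whose result type is marked "Included in Scoring" above; the section names, recommendation ids and results are constructed.

```python
from collections import Counter

# Result types the Assessment Results table marks "Included in Scoring: Yes".
SCORED = {"pass", "fail", "error", "unknown"}

# Constructed sample: (section, recommendation id, reported result, check results).
SAMPLE = [
    ("Section 1", "1.1", "pass", ["pass", "pass"]),
    ("Section 1", "1.2", "fail", ["pass", "fail", "pass"]),
    ("Section 1", "1.3", "manual", []),
    ("Section 2", "2.1", "pass", ["pass"]),
    ("Section 2", "2.2", "error", ["error"]),
    ("Section 2", "2.3", "unknown", ["pass", "unknown"]),
]

def summarize(rows):
    """Build the Tests and Scoring columns per section from recommendation rows."""
    sections = {}
    for section, rec_id, result, checks in rows:
        s = sections.setdefault(section, {"tests": Counter(), "score": 0, "max": 0})
        if result == "pass" and any(c != "pass" for c in checks):
            raise ValueError(f"{rec_id}: a Pass needs every check to pass")
        s["tests"].update(checks)       # Tests columns count individual checks
        if result == "manual":
            s["tests"]["manual"] += 1   # Manual is counted per recommendation
        elif result in SCORED:
            s["max"] += 1               # every scored recommendation has weight 1
            s["score"] += int(result == "pass")
    for s in sections.values():
        # Max is 0 when nothing was scored, e.g. the platform-mismatch case.
        s["percent"] = round(100 * s["score"] / s["max"], 2) if s["max"] else 0.0
    return sections

def rollup(sections):
    """Sum the next-level sections into the parent totals."""
    total = {"tests": Counter(), "score": 0, "max": 0}
    for s in sections.values():
        total["tests"] += s["tests"]
        total["score"] += s["score"]
        total["max"] += s["max"]
    total["percent"] = round(100 * total["score"] / total["max"], 2) if total["max"] else 0.0
    return total

if __name__ == "__main__":
    for name, s in summarize(SAMPLE).items():
        print(name, dict(s["tests"]), s["score"], s["max"], s["percent"])
    print("Total", rollup(summarize(SAMPLE)))
```

Recommendation 1.2 adds two passing checks to the Tests "Pass" column but nothing to Score, which is why a section can show many passing tests and still a low percentage.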

Assessment Details
The Assessment Details section consists of the following:
| Section Name | Description |
|---|---|
| Description | Provides additional information regarding the recommendation. |
| Rationale | Articulates the reason the recommendation is made. May include the threat model addressed by the recommendation. |
| Remediation | Steps used to correct a target system resulting in a score of "Fail". |
| Impact | States unexpected, adverse consequences that may occur by implementing the recommendation. |
| Assessment | Shows the scanned target system's state information that was collected and the benchmark expected conditions for a passing score. |
| References | May include CCE (Common Configuration Enumeration) identifiers or URLs to documentation supporting the recommendation. |
| CIS Controls | If applicable, represents the CIS Control that this recommendation supports. The CIS Control represented will be the latest available at the time the CIS Benchmark version was made available. Not all recommendations within a Benchmark can be mapped to a CIS Control. The CIS Controls version 7 on this report maps to all CIS Controls 7 series. |

To view the XCCDF constructs, click the Show Rule Result XML link below the "Assessments" section. This information is primarily used for debugging purposes.
Report Customization
Organizations that want to customize the style of their HTML reports can substitute the custom graphics on the HTML report cover page and edit the custom cascading style sheets (CSS) applied to the entire HTML report.
Customize Report
1. Save the custom graphics or CSS files to Assessor/custom.

Note
Make sure to remember the names of the files to later reference in the assessor-cli.properties file.
2. Go to the config folder and open assessor-cli.properties in any text editor.
3. Edit the relevant properties to use your custom graphics/CSS:
| Property | Data Type | Description |
|---|---|---|
| custom.html.coverpage.background | string | The name of the graphics file to be used as the HTML report's cover page background. |
| custom.html.coverpage.logo | string | The name of the graphics file to be used as the HTML report's cover page organizational logo. |
| custom.html.coverpage.subtitle.background | string | The name of the graphics file to be used as the HTML report's cover page subtitle background. |
| include.default.html.coverpage.footer | true/false | Specifies whether or not the default footer is displayed on the cover page of the HTML report. If this property is not set or is commented out, true will be used for this property. If you want to display a custom graphic for the cover page footer, utilize the custom.html.coverpage.footer property. |
| custom.html.coverpage.footer | string | Specifies the name of the graphics file to be generated as the footer of the HTML cover page. Note that the default cover page footer covers an area of approximately 725x64 px. |
| custom.html.css | string | The name of the .css file which overrides the HTML report's styling. |
4. Save the file to finish.
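
As an added example (not part of CIS-CAT), this script checks the result of the steps above: every file named by a customization property in assessor-cli.properties should exist in the custom folder. It assumes the property values are plain file names resolved against Assessor/custom and handles only simple key=value lines; the sample properties text and file names are constructed.

```python
import tempfile
from pathlib import Path

# Properties from the table above whose value names a file.
FILE_PROPS = (
    "custom.html.coverpage.background",
    "custom.html.coverpage.logo",
    "custom.html.coverpage.subtitle.background",
    "custom.html.coverpage.footer",
    "custom.html.css",
)

# Constructed sample of the edited lines in assessor-cli.properties.
SAMPLE_PROPS = """\
custom.html.coverpage.logo=logo.png
custom.html.css=corp-report.css
#custom.html.coverpage.footer=footer.png
include.default.html.coverpage.footer=true
"""

def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and commented-out lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_customization(props_text, custom_dir):
    """Return one message per configured file that is missing from custom_dir."""
    props = parse_properties(props_text)
    problems = []
    for key in FILE_PROPS:
        name = props.get(key)
        if name and not (Path(custom_dir) / name).is_file():
            problems.append(f"{key}: {name} not found in {custom_dir}")
    return problems

def demo():
    """Run the check against a temporary custom folder holding only logo.png."""
    with tempfile.TemporaryDirectory() as custom_dir:
        (Path(custom_dir) / "logo.png").write_bytes(b"")
        return check_customization(SAMPLE_PROPS, custom_dir)

if __name__ == "__main__":
    print(demo() or "all referenced files are present")
```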