Prepare Target Systems for Assessment


Introduction

CIS-CAT Assessor v4 supports local, remote, network/centralized, and exported configuration file assessments. Depending on the type of assessment, you may need to prepare the endpoints, files, or network before they can be assessed.

This guide covers preparing the following endpoints for assessment:

  • Windows (remote and centralized)
  • Unix/Linux/macOS (remote)
  • Unix/Linux (centralized)
  • Network devices (configuration file)

Windows - Remote

Windows remote assessment utilizes the SMB protocol for file manipulation and Windows Remote Management (WinRM) for process execution during a remote assessment. CIS-CAT Pro Assessor also uses PowerShell to execute assessment steps for Microsoft Windows technologies.

When a connection is established to the endpoint, an ephemeral temporary directory is created to host scripts required for the collection of system characteristics. On assessment completion, the temporary directory is deleted.

Requirements

  • PowerShell 5.1+ installed
  • PowerShell LanguageMode is not configured to ConstrainedLanguage
    • ConstrainedLanguage mode blocks assessor actions as CIS-CAT PowerShell scripts cannot be dot-sourced
    • Verify LanguageMode using this command: PS> $ExecutionContext.SessionState.LanguageMode
  • 64-bit

PowerShell Version Requirement

Assessments for CIS Benchmark recommendations referring to PowerShell transcription states require PowerShell v5.1+. This version is not natively installed on some older versions of Microsoft systems like Microsoft Windows 10 Release 1511 and Server 2008 R2 SP1. Refer to Microsoft's PowerShell documentation for more information.

Considerations

CIS Microsoft Windows Benchmarks

Certain CIS Microsoft Windows Benchmarks are designed for systems in an Active Directory domain-joined environment using Group Policy. The CIS Benchmark will verify registry settings set by Group Policy.

Local policy settings are stored in different registry locations than Group Policy settings, so assessments of standalone systems will produce many Fail results even where the configured values match the CIS Benchmark recommended value.

If your target system is not domain-joined, however, consider using the appropriate Stand-alone Windows Benchmarks.

Risk and Remote Assessment with Microsoft Windows

CIS recommends utilizing domain accounts when performing remote assessments.

CIS Benchmark Level 1 profiles permit remote assessment, while CIS Benchmark Level 2 profiles are designed for more restrictive environments and are conducive to local assessments. If you choose to remotely assess endpoints on either profile, the risk must be accepted as part of the organizational security policies. Use the Level 1 policies or tailor Level 2 policies as needed to perform remote scanning.

CIS recommends connecting via WinRM with HTTP or HTTPS. Connecting over HTTP, while it does come with some risk as any remote connections do, can now happen securely with a change to Assessor v4.13.0+. The latest Assessor allows for encryption over HTTP. Connecting via HTTPS requires additional configuration for certificate setup but is secure.

Info

Read about WinRM security in this official Microsoft document to help your organization decide the best protocol.

Group Policy

To enable WinRM and SMB more efficiently and persistently on many endpoints, utilize Group Policy to establish the endpoint configuration.

In standalone (non-domain) environments, Local Group Policy Objects can be set. Be aware that Group Policy may take precedence and assessments will not have optimal results for systems that are not domain joined.

Info

Consult the official Microsoft site for your distribution of Microsoft Windows on how to set Local Group Policy (e.g., Windows 10).

Authentication to the Remote Endpoint

Authentication to remote Windows endpoints can be established with either local or domain accounts.

Domain Authentication

Domain authentication must be in the following format:

ciscatuser@example.org

CIS-CAT Pro Assessor accesses the administrative shares on the remote host. These shares are only accessible for users that are a part of the Administrators group (or similar group with administrator privileges) on that host, or are configured as domain administrators.

Local Authentication

Authentication can also be done using the local administrator account, although we strongly recommend against doing so.

To authenticate using a local administrator account, you'll have to disable Microsoft's UAC (User Account Control) restrictions on network logons. This mechanism helps prevent "loopback" attacks and local malicious software running remotely with administrative rights.

The following security risks should be considered:

  • You will disable the setting Apply UAC restrictions to local accounts on network logons. This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE, connecting to C$, etc.). Disabling these restrictions deviates from a CIS Benchmark Level 1 recommendation.
  • You will enable the setting LocalAccountTokenFilterPolicy, allowing local accounts to have full administrative rights when authenticating via network logon.
  • Local accounts are at high risk of credential theft when the same account and password are configured on multiple systems.

Basic Endpoint Setup

The basic setup is best fit for testing. However, since CIS Benchmarks are intended for domain-joined environments, organizations will often have Group Policy that overrides local policy.

Assumptions for Basic Setup

  • Connection established using HTTP protocol (over port 5985)
  • Authentication utilizes local account with administrator privileges
  • No Group Policy

Steps

1. Enable WinRM Manually.
2. Review WinRM Configuration Settings.
3. Disable UAC Remote Restrictions.

Enable WinRM Manually

1. Run Command Prompt as an administrator.
2. Enter winrm quickconfig.

What does winrm quickconfig do?

  • Enables WinRM on port 5985 and opens SMB on port 445.
  • Starts the Windows Remote Management service.
  • Configures an HTTP listener.
  • Creates exceptions in the Windows Firewall for the WinRM service.

3. At the confirmation prompt, enter Y and press Enter.
4. At the second confirmation prompt, enter Y and press Enter.

Review WinRM Configuration Settings

  • Enter winrm get winrm/config/winrs to review the WinRM configuration settings.

If you experience errors running an assessment over WinRM (e.g., out-of-memory errors), you may need to update the default MaxMemoryPerShellMB configuration setting in order to increase the maximum amount of memory available. The following command updates this setting to 1 GB (1024 MB):

winrm set winrm/config/winrs @{MaxMemoryPerShellMB="1024"}

Disable UAC Remote Restrictions

1. Open Registry Editor.
2. Navigate to HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Policies > System.
3. (If a LocalAccountTokenFilterPolicy registry entry doesn't exist) Create the registry entry:

   A. Go to Edit > New and select DWORD (32-bit) Value.

   B. Enter LocalAccountTokenFilterPolicy and select ENTER.

4. Right-click LocalAccountTokenFilterPolicy and select Modify.
5. In Value data, enter 1 and select OK.
6. Exit Registry Editor.

In Windows domain environments, this setting can be configured through Group Policy; however, the Group Policy Object is not a standard policy and must be downloaded and installed separately. Generally, if an environment has installed the Microsoft Security Compliance Manager (SCM), the GPO is included there and can be exported.

Note

If this group policy setting is not available, it may need to be downloaded and imported into the GPMC. The administrative template (ADMX) files can be downloaded from the Microsoft Download Center or the Microsoft article How to create and manage the Central Store for Group Policy Administrative Templates in Windows.

Advanced Endpoint Setup

If required by organizational policy, remote connections to Microsoft Windows endpoints using WinRM over the HTTPS protocol are also possible.

Assumptions

  • Connection established using HTTPS protocol (over port 5986)
  • Authentication utilizes local account credentials that have administrator privileges
  • Group Policy Used

Create Group Policy Object

1. Open Group Policy Management Console.
2. Create a new Group Policy Object to set the WinRM services.

Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service

Enable and Configure WinRM

1. Right-click Allow remote server management through WinRM and select Edit.
2. Select Enabled. This setting manages whether WinRM automatically listens on the network for requests.
3. Enter an asterisk in either the IPv4 or IPv6 filter. The asterisk indicates to the service to listen on all available IP addresses on the computer. When an asterisk is used, other ranges in the filter are ignored.

On the IPv4 and IPv6 filters

If the filter is left blank, the service does not listen on any addresses. The service listens on the addresses specified by the IPv4 and IPv6 filters. The IPv4 filter specifies one or more ranges of IPv4 addresses, and the IPv6 filter specifies one or more ranges of IPv6 addresses. If specified, the service enumerates the available IP addresses on the computer and uses only addresses that fall within one of the filter ranges.

4. Select Apply to finish.

Authentication with Local Administrator Account

Note

If this group policy setting is not available, it may need to be downloaded and imported into the GPMC. The administrative template (ADMX) files can be downloaded from the Microsoft Download Center or the Microsoft article How to create and manage the Central Store for Group Policy Administrative Templates in Windows.

1. Go to Computer Configuration > Policies > Administrative Templates > SCM: Pass the Hash Mitigations.
2. Right-click Apply UAC restrictions to local accounts on network logons and select Edit.
3. Select Disabled.
4. Select Apply to finish.

Run PowerShell Script to Open Ports and Configure Firewall

1. Open PowerShell.
2. Run the following PowerShell script from the Assessor bundle:

\Assessor\setup\CISCAT_Pro_Assessor_v5_Firewall_SMB_WinRM.ps1.

Establish HTTPS Listener

1. In PowerShell, execute the following command to verify if a certificate thumbprint exists for the remote host:

PS C:\Windows\system32> Get-ChildItem cert:\LocalMachine\My\ | Select-String -pattern HOSTNAME

Note

In these commands, assume HOSTNAME is the DNS name of the remote Windows host.

If a certificate exists on the system, the command will yield results similar to the following:

[Subject]
   CN=HOSTNAME

 [Issuer]
   CN=HOSTNAME

 [Serial Number]
   527E7AF9142D96AD49A10469A264E766

 [Not Before]
   5/23/2011 10:23:33 AM

 [Not After]
   5/20/2021 10:23:33 AM

 [Thumbprint]
   5C36B638BC31F505EF7F693D9A60C01551DD486F

2. (If no valid certificate) Execute the CISCAT_Pro_Assessor_v5_SelfSignedCertificate.ps1 script to create a self-signed certificate:

\Assessor\setup\CISCAT_Pro_Assessor_v5_SelfSignedCertificate.ps1

Script Location

You can find the script in the setup folder of the Assessor v4 bundle.

3. Configure the HTTPS listener with one of the following options:

  • For Windows Server 2012 and higher, HTTPS listeners may be created without needing to know the hostname or thumbprint. Use the following winrm command to configure the HTTPS listener:

    winrm quickconfig -transport:https -force

  • Alternatively, manually create the HTTPS WinRM listener:

    winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="HOSTNAME"; CertificateThumbprint="THUMBPRINT"}

Where HOSTNAME is either the DNS name (e.g., WINSERVER1) or FQDN (e.g., winserver1.domain.com) of the remote host, and THUMBPRINT is the certificate thumbprint found in PowerShell, for example 5C36B638BC31F505EF7F693D9A60C01551DD486F.
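The following PowerShell script is an added example, not part of the CIS-CAT documentation or the Assessor bundle. Run it elevated on the endpoint before a remote assessment: it checks the requirements and settings this section describes (PowerShell version and LanguageMode, 64-bit, WinRM service and listeners, the HTTPS listener certificate, MaxMemoryPerShellMB, AllowUnencrypted, and the LocalAccountTokenFilterPolicy value). The function name and the 1024 MB threshold are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the CIS-CAT documentation or the Assessor bundle).
# Reports, per requirement, whether this endpoint is ready for a CIS-CAT remote assessment.
function Test-CisCatRemoteReadiness {
    [CmdletBinding()]
    param(
        # Assumed threshold: the guide raises MaxMemoryPerShellMB to 1024 on out-of-memory errors
        [int]$MinShellMemoryMB = 1024
    )

    $results = New-Object System.Collections.Generic.List[object]
    function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
    }

    # 1. PowerShell 5.1+ (needed for the transcription-related Benchmark checks)
    $ver = $PSVersionTable.PSVersion
    Add-Check 'PowerShell 5.1+' ($ver -ge [version]'5.1') "Version $ver"

    # 2. ConstrainedLanguage blocks the Assessor because its scripts are dot-sourced
    $mode = $ExecutionContext.SessionState.LanguageMode
    Add-Check 'LanguageMode not ConstrainedLanguage' ($mode -ne 'ConstrainedLanguage') "LanguageMode = $mode"

    # 3. 64-bit operating system
    $is64 = [Environment]::Is64BitOperatingSystem
    Add-Check '64-bit OS' $is64 "Is64BitOperatingSystem = $is64"

    # 4. WinRM service running (the WSMan: drive below needs it)
    $svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $running = ($null -ne $svc -and $svc.Status -eq 'Running')
    Add-Check 'WinRM service running' $running "Status = $(if ($svc) { $svc.Status } else { 'not installed' })"
    if (-not $running) { return $results }

    # 5. At least one enabled listener; for HTTPS, the bound certificate must exist and be unexpired
    $listeners = @(Get-ChildItem WSMan:\localhost\Listener -ErrorAction SilentlyContinue)
    Add-Check 'WinRM listener configured' ($listeners.Count -gt 0) "$($listeners.Count) listener(s)"
    foreach ($l in $listeners) {
        $props = @{}
        Get-ChildItem "WSMan:\localhost\Listener\$($l.Name)" | ForEach-Object { $props[$_.Name] = $_.Value }
        $desc = "$($props['Transport']) on port $($props['Port']), Address=$($props['Address'])"
        Add-Check "Listener $($l.Name) enabled" ($props['Enabled'] -eq 'true') $desc
        if ($props['Transport'] -eq 'HTTPS') {
            $cert = Get-ChildItem Cert:\LocalMachine\My |
                    Where-Object { $_.Thumbprint -eq $props['CertificateThumbprint'] }
            $certOk = ($null -ne $cert -and $cert.NotAfter -gt (Get-Date))
            $certDetail = if ($cert) { "$($cert.Subject) expires $($cert.NotAfter)" }
                          else { 'listener thumbprint not found in Cert:\LocalMachine\My' }
            Add-Check 'HTTPS listener certificate valid' $certOk $certDetail
        }
    }

    # 6. Memory available to each remote shell
    $mem = [int](Get-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB).Value
    Add-Check "MaxMemoryPerShellMB >= $MinShellMemoryMB" ($mem -ge $MinShellMemoryMB) "Current = $mem MB"

    # 7. Unencrypted WinRM traffic stays disabled; the Assessor (v4.13.0+) encrypts over HTTP itself
    $unenc = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
    Add-Check 'AllowUnencrypted is false' ($unenc -eq 'false') "AllowUnencrypted = $unenc"

    # 8. Whether UAC remote restrictions for local accounts are still in place (a CIS Level 1 item)
    $regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $tokenPolicy = (Get-ItemProperty -Path $regPath -Name LocalAccountTokenFilterPolicy `
                    -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    $detail = if ($null -eq $tokenPolicy) { 'not set: restrictions apply, use a domain account' }
              elseif ($tokenPolicy -eq 1) { 'set to 1: local admins get a full token remotely (deviates from Level 1)' }
              else { "set to $tokenPolicy: restrictions apply, use a domain account" }
    Add-Check 'UAC remote restrictions in place' ($tokenPolicy -ne 1) $detail

    return $results
}

# Usage: review every row with Pass = False before starting the remote assessment
Test-CisCatRemoteReadiness | Format-Table -AutoSize -Wrap
```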


Windows - Centralized

Use a centralized deployment method to assess a population of Microsoft Windows targets in an automated manner without installing CIS-CAT or the Java Runtime Environment (JRE) on each target.

  • CIS-CAT Host

CIS-CAT Host is the server where the CIS-CAT bundle, Java Runtime Environment (JRE), and reports are placed. Targets within the Workstation Group will access these resources to perform a self-assessment using CIS-CAT.

  • Workstation Group

The Workstation Group represents a population of Microsoft Windows targets to be assessed with CIS-CAT. The Domain Administrator will create a Group Policy that causes devices in this group to invoke CIS-CAT via a Scheduled Task. In order to maintain a secure configuration of the CIS Host Server, authenticated users should only be allowed to execute the centralized script files: cis-cat-centralized.bat and cis-cat-centralized-ccpd.bat.

Bandwidth Considerations

Throughout the deployment and testing of the CIS-CAT Centralized workflow, bandwidth utilization can reach approximately 300 MB of data for each machine invoking CIS-CAT. This bandwidth utilization is the cost of invoking CIS-CAT over the network.

Prerequisites

  • All targets must be joined to an Active Directory Domain
  • All targets must have read access to the CIS-CAT Share hosted on the CIS Host Server

Setup Steps

Perform the following steps to cause the Workstation Group to execute the CIS-CAT instance on the CIS Host Server.

1. Create CIS Share on host server.
2. Prepare CIS-CAT Pro Assessor for share folder.
3. Confirm the Directory.
4. Apply folder permissions.
5. Update cis-cat-centralized.bat (not using Dashboard) or update cis-cat-centralized-ccpd.bat (API to Dashboard).
6. Validate install.
7. Configure Scheduled Task via Group Policy.

Create and Configure CIS Share Folder on Host Server

Share permissions on the CIS folder should grant the Authenticated Users group the ability to both read and change information in the folder.

1. Create a folder on the CIS Host Server (e.g., CIS Share).
2. Right-click the CIS folder and select Properties.
3. Go to the Sharing tab and select Advanced Sharing.
4. Select Permissions.
5. Select the Authenticated Users group and then the Allow checkboxes for Change and Read.
6. Select Apply to finish.

Prepare Assessor for Shared Folder

1. On the CIS Host Server, unzip the CIS-CAT Assessor v5 bundle within the CIS folder.
2. Move the Assessor folder to the root of the CIS folder.
3. Go to Assessor\misc\Windows and move cis-cat-centralized.bat or cis-cat-centralized-ccpd.bat to the root of the CIS folder.

Which script should I use?

cis-cat-centralized.bat is for those who will write the assessment reports to the CIS Host Server.
cis-cat-centralized-ccpd.bat is for those who will configure the centralized script to send the assessment reports directly to a CIS-CAT Pro Dashboard (CCPD).

If you're using a version of CIS-CAT that has embedded Java (contains the jre folder), then CIS-CAT is ready to use. Skip to the next stage of the setup process.

If you're using a version of CIS-CAT without embedded Java, there are a few more steps to complete:

4. Create the following directories beneath the CIS folder:

  • Java
  • Java64
  • Reports

5. Go to where Java is installed.

Tip

By default, Java is located at %ProgramFiles%\Java.

6. Copy the 32-bit JRE that applies to the targets you will be evaluating, such as jre1.8.0_201, to the Java folder created above.
7. Copy the 64-bit JRE that applies to the targets you will be evaluating, such as jre1.8.0_201, to the Java64 folder created above.

Verify Directory Structure

The resulting directory structure should be as follows:

CIS
    CIS\Assessor
    CIS\cis-cat-centralized.bat or cis-cat-centralized-ccpd.bat
    CIS\Java
    CIS\Java64
    CIS\Reports

Note

If using the embedded Java, then CIS\Java and CIS\Java64 folders are not necessary.

Apply Permissions

1. Right-click the file or folder and select Properties.

Tip

Refer to Required Permissions by File/Folder for a list of all the permissions that must be granted.

2. Go to the Security tab and select Edit.
3. Select Authenticated Users and then, depending on the necessary permissions for the file or folder, select the Allow and Deny checkboxes.

4. Select Apply to finish.

Required Permissions by File/Folder

File/Folder                                                               Permissions
CIS                                                                       Permissions on the shared folder
CIS\cis-cat-centralized.bat or CIS\cis-cat-centralized-ccpd.bat (file)   Read & Execute
CIS\Assessor (folder)                                                     List Folder Contents and Read & Execute
CIS\Java (folder)                                                         Read & Execute
CIS\Java64 (folder)                                                       Read & Execute
CIS\Reports (folder)                                                      List Folder Contents and Write

Warning

Write, Modify, Read and Execute permissions on the above resources should be limited to only the users necessary for the CIS Host Server to function.
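As an added example that is not part of the CIS-CAT documentation or bundle, the following PowerShell function audits the NTFS permissions on the CIS folder against the table above, flagging any broad principal (Authenticated Users, Everyone, Users, Domain Users) that holds rights beyond those listed. The local path D:\CIS and the function name are assumptions, and share-level permissions are not checked.

```powershell
# Added example: not part of the CIS-CAT documentation or the Assessor bundle.
# Audits NTFS ACLs on the CIS folder against the "Required Permissions by File/Folder" table.
function Test-CisShareAcl {
    [CmdletBinding()]
    param(
        # Local path of the CIS folder on the CIS Host Server (assumed; use your own path)
        [Parameter(Mandatory)][string]$CisRoot
    )

    $FSR  = [System.Security.AccessControl.FileSystemRights]
    $sync = $FSR::Synchronize   # added automatically to ACEs created through the UI

    # Rights the table allows Authenticated Users on each item, relative to the CIS folder
    $allowed = [ordered]@{
        'cis-cat-centralized.bat'      = $FSR::ReadAndExecute
        'cis-cat-centralized-ccpd.bat' = $FSR::ReadAndExecute
        'Assessor'                     = $FSR::ReadAndExecute -bor $FSR::ListDirectory
        'Java'                         = $FSR::ReadAndExecute
        'Java64'                       = $FSR::ReadAndExecute
        'Reports'                      = $FSR::ListDirectory -bor $FSR::Write
    }
    # Rights that would let a principal alter or remove what every target later executes
    $writeClass = $FSR::Write -bor $FSR::Delete -bor $FSR::DeleteSubdirectoriesAndFiles -bor
                  $FSR::ChangePermissions -bor $FSR::TakeOwnership

    # Principals broad enough to cover the users of every assessed workstation
    $broad = @('NT AUTHORITY\Authenticated Users', 'Everyone', 'BUILTIN\Users')

    $findings = New-Object System.Collections.Generic.List[object]
    foreach ($entry in $allowed.GetEnumerator()) {
        $path = Join-Path $CisRoot $entry.Key
        if (-not (Test-Path -LiteralPath $path)) { continue }   # e.g. only one .bat is deployed
        foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            if (($broad -notcontains $who) -and ($who -notlike '*\Domain Users')) { continue }

            # Bits granted beyond the table's allowance. Generic rights (negative values)
            # cannot be decoded bit by bit and are surfaced as-is for manual review.
            $granted = [int]$ace.FileSystemRights
            $excess  = $granted -band (-bnot ([int]$entry.Value -bor [int]$sync))
            if ($excess -eq 0) { continue }
            $isWrite  = ($excess -band [int]$writeClass) -ne 0
            $severity = if ($isWrite) { 'High' } else { 'Low' }

            $findings.Add([pscustomobject]@{
                Path      = $path
                Principal = $who
                Granted   = $ace.FileSystemRights
                Excess    = [System.Security.AccessControl.FileSystemRights]$excess
                Severity  = $severity
            })
        }
    }
    return $findings
}

# Usage on the CIS Host Server: resolve every 'High' row before deploying the scheduled task
Test-CisShareAcl -CisRoot 'D:\CIS' | Format-Table -AutoSize
```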

Update cis-cat-centralized.bat

If you want to write the assessment reports to the CIS Host Server, modify the cis-cat-centralized.bat file as directed in this section.

Tip

If you want to send the assessment reports directly to a CIS-CAT Pro Dashboard (CCPD), skip this section and go to the Update cis-cat-centralized-ccpd.bat section, instead.

1. Right-click cis-cat-centralized.bat and select Edit.
2. For NetworkShare, enter the fully qualified domain name or IP address of the CIS-CAT Host Server.

SET NetworkShare=\\1.2.3.4\CIS

3. (Only if NOT using embedded Java) For JavaPath and JavaPath64, set the path to the Java and Java64 folders you created.

SET JavaPath=Java\jre
SET JavaPath64=Java64\jre

4. For JavaMaxMemory, enter the maximum amount of memory CIS-CAT will allocate for execution.

SET JavaMaxMemoryMB=2048

Note

The default is 2048 MB. When executing with 32-bit versions of the JRE, set to a maximum of 1024 MB. This value may need to be lower depending on other processes running on the machine. 64-bit JREs may allocate as much memory as is required, limited by the available memory of machines invoking CIS-CAT.

5. For CisCatPath, enter the location, relative to the network share, of the installed version of CIS-CAT. For example, the value below indicates \\NETWORK_SHARE\CIS\Assessor as the location of the installed CIS-CAT.

SET CisCatPath=Assessor

6. For ReportsPath, enter the location, relative to the network share, of the folder to which CIS-CAT reports are written. For example, the value below indicates \\NETWORK_SHARE\CIS\Reports as the location to which reports are written.

SET ReportsPath=Reports

7. For CISCAT_OPTS, enter the reporting formats for your assessment results.

SET CISCAT_OPTS=-html -txt -csv

  • -html indicates generation of the CIS-CAT HTML report.
  • -txt indicates generation of the CIS-CAT Text report.
  • -csv indicates generation of the CIS-CAT CSV report.
  • -narf indicates that CIS-CAT should NOT generate an Asset Reporting Format (ARF) report.

8. (Optional) For AUTODETECT, enter 1 to enable or 0 to disable auto-detection of the operating system of the target system being assessed.

SET AUTODETECT=1

Enabling auto-detection will cause this script to detect the following:

  • Which CIS Windows Benchmark to run
  • Which Benchmark profile to select
  • Which JRE to leverage (32- or 64-bit). Defaults to 32-bit

9. Save the file.

Next, you should validate the installation.

Configuration Note

The cis-cat-centralized.bat script sets local environment variables denoting file system paths and folder names. The tool has been enhanced to now handle spaces in file paths.

Near line 780 of the cis-cat-centralized.bat script, the following code section illustrates the configuration of the CIS-CAT command-line for execution.

Put all the options together and form the CIS-CAT command-line

SET FULL_CISCAT_CMD=%mJavaPath%\bin\java.exe -Xmx%JavaMaxMemoryMB%M -jar %mCisCatPath%\Assessor-CLI.jar %CISCAT_OPTS% -b %mCisCatPath%\benchmarks\%Benchmark%

ECHO      Benchmark:    %Benchmark%
ECHO     Profile(s):    %Profiles%
ECHO.
ECHO Starting Assessment(s)...
FOR %%P IN (%Profiles%) DO (
    ECHO  + %FULL_CISCAT_CMD% -p "%%P" -r "%mReportsPath%"
    ECHO  + Running Profile %%P...
    ECHO.
    ECHO [[ CIS-CAT ASSESSMENT START ]]
    IF %DEBUG%==1 ECHO CMDLINE = %FULL_CISCAT_CMD% -p "%%P" -r "%mReportsPath%" >> %DebugLogFile%
    %FULL_CISCAT_CMD% -p "%%P" -r "%mReportsPath%" 
    ECHO [[  CIS-CAT OUTPUT END  ]]
    ECHO.
)

When spaces are included in any path names for environment variables, they must be surrounded with quotes to enable the full path to be discovered, for example:

SET FULL_CISCAT_CMD="%mJavaPath%\bin\java.exe" -Xmx%JavaMaxMemoryMB%M -jar "%mCisCatPath%\CISCAT.jar" -a -s %CISCAT_OPTS% -b "%mCisCatPath%\benchmarks\%Benchmark%"

Update cis-cat-centralized-ccpd.bat

If you want to send the assessment reports directly to a Dashboard or SecureSuite Platform instance, update the cis-cat-centralized-ccpd.bat file.

1. Right-click cis-cat-centralized-ccpd.bat and select Edit.
2. For NetworkShare, enter the fully qualified domain name or IP address of the CIS-CAT Host Server.

SET NetworkShare=\\1.2.3.4\CIS

3. (Only if not using embedded Java) For JavaPath and JavaPath64, set the paths to the Java and Java64 folders you created. When using embedded Java, the script automatically points to the jre folder bundled with the Assessor.

SET JavaPath=Java\jre
SET JavaPath64=Java64\jre

Note

The 32-bit and 64-bit JRE paths are those installed in step 4 under the Create and Configure CIS Share on the CIS Hosting Server section above.

4. For JavaMaxMemory, enter the maximum amount of memory CIS-CAT will allocate for execution.

SET JavaMaxMemoryMB=2048

Note

The default is 2048 MB. When executing with 32-bit versions of the JRE, set to a maximum of 1024 MB. This value may need to be lower depending on other processes running on the machine. 64-bit JREs may allocate as much memory as is required, limited by the available memory of machines invoking CIS-CAT.

5. For CisCatPath, enter the location, relative to the network share, of the installed version of CIS-CAT:

SET CisCatPath=Assessor

The example above defines \\NETWORK_SHARE\CIS\Assessor as the location of the installed CIS-CAT.

6. For CCPDUrl, enter the URL for the CIS-CAT Pro Dashboard API to which CIS-CAT assessment reports will be uploaded:

SET CCPDUrl=http://applications.example.org/CCPD/api/reports/upload

Note

The resource for CIS-CAT Pro Dashboard upload is ALWAYS mapped to the /api/reports/upload location, so the path to the application is all that should be modified here.

7. For CISCAT_OPTS, enter the -nrf and -ui options to ensure only the ARF report file format is generated by the assessment process and SSL certificate warnings/errors are ignored when uploading the generated ARF assessment reports to the designated Dashboard.

SET CISCAT_OPTS=-nrf -ui

8. For AUTHENTICATION_TOKEN, enter the authentication token generated by an API user in the CIS-CAT Pro Dashboard to which the CIS-CAT assessment reports will be uploaded.

SET AUTHENTICATION_TOKEN=215469412dcw278b742464fd857ce4c7

How do I generate an authentication token?

To integrate the Assessor and Dashboard, follow the instructions at Establish authentication with Assessor section from the Dashboard Deployment guide.

Validate Installation

1. Log in to one of the target systems in the Workstation Group as a user capable of executing commands from an elevated command prompt, such as a domain admin.
2. Execute one of the following commands from an elevated command prompt, depending on which centralized .bat file you intend to use:

  • For cis-cat-centralized.bat

    C:\>\\<CIS_HOST_SERVER>\CIS\cis-cat-centralized.bat

  • For cis-cat-centralized-ccpd.bat

    C:\>\\<CIS_HOST_SERVER>\CIS\cis-cat-centralized-ccpd.bat

Note

Replace <CIS_HOST_SERVER> with the actual name or IP address of the machine configured as the CIS Host Server.

If successful, the above command will run an auto-assessment and result in output similar to the following:

Configure the Scheduled Task via Group Policy

A task should be scheduled to have each target system invoke either the cis-cat-centralized.bat or cis-cat-centralized-ccpd.bat script on a regular basis to run assessments against those systems. The cis-cat-centralized-ccpd.bat script includes additional options to automatically POST assessment reports to the CIS-CAT Pro Dashboard (CCPD).

Various products and tools can be utilized to schedule this task. In a Windows environment, tasks are often scheduled using the Group Policy feature of Windows. For example, refer to an unofficial site or instructions to schedule a task using Group Policy.

Ensure that the user selected to run the task has the highest privilege. When scheduling the task, refer to the fully qualified domain name or IP address of the CIS-CAT Pro Assessor Host Server. See the below example:

/c \\<CISHostServer>\CIS\cis-cat-centralized.bat

Unix/Linux/macOS - Remote

CIS-CAT Pro Assessor assesses remote Unix/Linux/macOS targets via SSH connections. Ensure the target system can be accessed via SSH and that the user connecting to the remote target is either the root user or a user with privileges to execute commands using sudo.

Note

The most secure approach is to disable root login and connect via a privileged user with sudo.

On the Ephemeral Directory

The Assessor will attempt to create an ephemeral directory under the user's home directory. The user's home directory is collected by querying the /etc/passwd file for the logged-in user.

If an error occurs querying /etc/passwd, the ephemeral directory may not be able to be determined. In this case, users must configure a specific location for the ephemeral directory (tmp_path property) in either a session properties file or configuration XML file.


Unix/Linux - Centralized

The centralized assessment method is an in-domain or in-network configuration assessment. In cases where organizational policy restricts use of remote assessments, the centralized method may be a possible solution for configuration assessments. This method also has the benefit of allowing installation of CIS-CAT Pro Assessor v5 and a suitable Java Runtime Environment (JRE) on one network location vs. each target system.

The CIS-CAT Pro Assessor v5 bundle is set up at a centralized file share location (referred to as the CIS Host Server in this document) that is accessible by target computers to be assessed. Either the cis-cat-centralized.sh script or the cis-cat-centralized-ccpd.sh script is prepared on that centralized file share. The target computers then access and run the prepared centralized script to perform a local assessment over the network connection.

Setup Steps

1. Identify the host server where CIS-CAT and a JRE (if not using embedded Java) will reside.
2. Set up the CIS Host Server.
3. (If using a version of CIS-CAT without embedded Java) Prepare JRE subfolders.
4. Modify the appropriate script:

5. Validate the install.

Set Up CIS Host Server

The setup for centralized scanning begins with creating a folder on the network file share location to use as the root of the centralized Assessor.

Note

The instructions use /cis as the root folder, which you can name something else if desired.

1. Create a /cis root folder in the network file share location.
2. Copy the latest CIS-CAT Pro Assessor v5 bundle to /cis and extract it.

/cis/Assessor

3. Go to /cis/Assessor/misc/Unix-Linux and copy the following scripts to your root folder:

  • cis-cat-centralized.sh OR cis-cat-centralized-ccpd.sh
  • detect-os-variant.sh
  • make-jre-directories.sh (not necessary if using the version of CIS-CAT with embedded Java)
  • map-to-benchmark.sh

Which centralized script should I use?

If you want the assessment reports written to the CIS Host Server, use the cis-cat-centralized.sh script. If you want to send the assessment reports as a POST request directly to an instance of CIS-CAT Pro Dashboard (CCPD) or the CIS SecureSuite Platform, use cis-cat-centralized-ccpd.sh.

4. (If not using embedded Java) Create JRE sub-folders by executing one of the following commands in /cis for the selected centralized script:

  • For cis-cat-centralized.sh

    ./cis-cat-centralized.sh --make-jre-directories

  • For cis-cat-centralized-ccpd.sh

    ./cis-cat-centralized-ccpd.sh --make-jre-directories

The default configuration of the CIS Host Server folder structure should now be as follows:

/cis
/cis/Assessor
/cis/cis-cat-centralized.sh                                       <-- Copied from misc/Unix-Linux
/cis/detect-os-variant.sh                                         <-- Copied from misc/Unix-Linux
/cis/make-jre-directories.sh                                      <-- Copied from misc/Unix-Linux
/cis/map-to-benchmark.sh                                          <-- Copied from misc/Unix-Linux

/cis/jres
/cis/jres/CentOS
/cis/jres/Debian
/cis/jres/Linux
/cis/jres/OSX
/cis/jres/RedHat
/cis/jres/SUSE
/cis/jres/Ubuntu

Note

If you're using a version of CIS-CAT with embedded JRE, the jres folders will not be present.

Prepare JRE Subfolders

Info

This step is necessary only if you're using a version of Assessor without embedded Java.

If your organization has chosen to manage its own Java version, there's an option for the centralized scripts to look for a specific JRE per operating system type. Since some versions of JRE do not operate on some operating systems, the script is designed to allow users to specify a JRE version per operating system.

1. Download the desired version of JRE for each of the operating systems that will be scanned.
2. Copy the appropriate JRE into the according operating system folders (e.g., if scanning a Linux target system, a JRE must be in /cis/jres/Linux).

Set Benchmark Profile

During a configuration assessment, only one profile can be executed per report.

The script contains a variable called SSLF (Specialized Security Limited Functionality). This is a global setting and is mandatory. The variable can be set to 0 or 1. By default, it is set to 0 which correlates to a Level 1 Benchmark profile.

The script can be configured to execute either the Level 1 profile or Level 2 profile (if available). Setting the value to 0 results in CIS-CAT evaluating the Level 1 profile, while setting the value to 1 results in CIS-CAT evaluating the Level 2 profile.

The detect-os-variant.sh script automatically detects the operating system of the target system that is being assessed. Depending on the version of the OS, the map-to-benchmark.sh script assigns the appropriate Benchmark and profile for the assessment.

For Linux distributions where the script can detect a Workstation or Server variant, it selects the profile for the level set in the SSLF variable. For distributions where the variant cannot be detected, the script selects the corresponding "Server" profile, again at the level set in the SSLF variable.

Examples

  • Operating system = RHEL 7, Workstation and SSLF is set to 0
    • Benchmark selected = CIS_Red_Hat_Enterprise_Linux_7_Benchmark
    • Profile selected = Level 1 – Workstation
  • Operating system = Debian 9 and SSLF is set to 1
    • Benchmark selected = CIS_Debian_Linux_9_Benchmark
    • Profile selected = Level 2 – Server

Customize the Default Benchmark and Profiles

By default, the centralized script will assess a target system with the Level 1 profile. This can be customized to be more specific by modifying the appropriate line in the map-to-benchmark.sh script. It is also possible to customize the Benchmark selected for assessment. The profile names must match the Benchmark's profile name.

To produce a text file listing the available Benchmarks and profiles, use the -bi command-line option.

# map-to-benchmark.sh: Benchmark and profiles selected for Debian 9 or later
if [ `expr $_VER \>= 9` -eq 1 ]
then
    BENCHMARK="CIS_Debian_Linux_9_Benchmark_v1.0.0-xccdf.xml"
    PROFILE1="Level 1 - Server"
    PROFILE2="Level 2 - Server"
fi

Define the Locations of Assessor and JRE

Update these values to match the CIS Host Server folder structure created above, using the path by which it will be accessed from each target server.

CISCAT_DIR=/cis/Assessor
JRE_BASE=/network/cis/jres

For example, if the network location is mounted to /network on each server, the values should be:

CISCAT_DIR=/network/cis/Assessor
JRE_BASE=/network/cis/jres

Define Report Output

The desired report output determines which script you need to use:

  • cis-cat-centralized-ccpd.sh
  • cis-cat-centralized.sh

Update cis-cat-centralized-ccpd.sh

If using CIS-CAT Pro Dashboard, modify the cis-cat-centralized-ccpd.sh script to define the location of your installed CIS-CAT Pro Dashboard or CIS SecureSuite Platform and the authentication token.

1. For CCPD_URL, enter the CIS-CAT Pro Dashboard API URL or the CIS SecureSuite Platform API URL. This is a location valid only for the API and cannot be browsed.

CCPD_URL=http://<your-server>:<port>/CCPD/api/reports/upload

OR

CCPD_URL=https://<your-server>/SecureSuite/api/reports/upload

On ports

The port is unnecessary when utilizing HTTPS protocol (recommended). For HTTP, port 8080 is the default. It is possible to utilize a port of your choosing, provided proper coordination with CIS-CAT Pro Dashboard setup.

2. For AUTHENTICATION_TOKEN, enter the value generated by CIS-CAT Pro Dashboard or the CIS SecureSuite Platform.

AUTHENTICATION_TOKEN='<generated-token>'

How to generate your authentication token

To generate the token, please follow the instructions in Establish authentication with Assessor section from the Dashboard Deployment guide.

Update cis-cat-centralized.sh

For REPORTS_DIR, define the network location where the configuration assessment report output should be written:

REPORTS_DIR=/cis/Assessor/reports

Example

If the network location is mounted to /network on each server, the values should be:

REPORTS_DIR=/network/cis/Assessor/reports

Validate Install

1. Log in to one of the target systems that has access to the CIS Host Server as either a root user or a user capable of executing commands using sudo.
2. Execute one of the following commands, depending on your chosen centralized script file:

  • cis-cat-centralized.sh

    /path/to/cis/cis-cat-centralized.sh

  • cis-cat-centralized-ccpd.sh

    /path/to/cis/cis-cat-centralized-ccpd.sh

Note

/path/to/cis represents the file system path to the CIS Host Server and should be modified as appropriate before running the command.

If successful, the above command will run an auto-assessment on the target system and indicate successful completion of the assessment.

The CIS-CAT assessment reports will be stored in the reports location you specified in the cis-cat-centralized.sh or cis-cat-centralized-ccpd.sh file.

Tip

You can integrate the invocation of the centralized scripts into a task scheduling system such as cron. Configuration of a Unix/Linux-based scheduling tool is beyond the scope of this guide, however.


Network Devices - Configuration File

To assess network devices, CIS-CAT Pro Assessor will create a local session, collecting information from an exported configuration file in .txt or .xml format.

Info

CIS would like to add more automation to CIS Networking Benchmark recommendations. Please join our CIS WorkBench Communities for the specific networking technology on CIS WorkBench and ask how you can help. Example configuration files from organizational implementation can support CIS Benchmark Developers when creating additional automation.

.txt Format

The configuration file for the following network devices must be in .txt format to be assessed:

  • Cisco NX-OS
  • Cisco IOS XE
  • Cisco IOS XR
  • Fortigate
  • HPE-Aruba

.xml Format

The configuration file for the following network devices must be in .xml format to be assessed:

  • Palo Alto
  • Juniper
  • Sophos

Note

To get the configuration file of most network devices, the show running-config command is used. Its output tends to be long, so you can redirect the output to a file on the device's local writable storage or on a remote file system.