What is CIS-CAT?
The CIS Configuration Assessment Tool (CIS-CAT) compares the configuration of target systems to the secure configuration settings recommended in machine-readable content, provided that content conforms to the Security Content Automation Protocol (SCAP). The tool is designed primarily to assess against CIS Benchmark configuration recommendations. It produces a conformance report with a score ranging from 0 – 100 and remediation steps for noncompliant settings.
There are three versions of CIS-CAT: CIS-CAT Lite, our free version of the tool; CIS-CAT Pro Assessor v3, which performs assessments locally or from a shared internal network location; and CIS-CAT Pro Assessor v4, which can also perform assessments remotely on some systems. CIS-CAT Pro v3 and v4 are enterprise-level tools available to CIS SecureSuite Members.
Which version of CIS-CAT Pro Assessor is right for me?
CIS will continue to support CIS-CAT Pro Assessor v3. We encourage you to use the version that works best for you.
- Graphical User Interface (GUI) vs. Command Line Interface (CLI): CIS-CAT Pro v4 is only available through the CLI. Once in the command line application, you have the option of using interactive mode, which walks you through each step. Open the command line as an admin and type “-i” to try this method. If you prefer a graphical interface, you’ll want to stick with CIS-CAT Pro v3 for now.
- CIS Benchmark coverage: CIS-CAT Pro v4 is a standards-based application focused on vendor-supported technology platforms where OVAL coverage is available. Some Benchmarks available in CIS-CAT Pro v3 are not OVAL based or are no longer vendor-supported, and therefore, are not supported in v4. See the CIS-CAT Pro supported Benchmarks for the most up-to-date information regarding platform coverage.
- CIS Controls™ Assessment Module: CIS-CAT Pro v4 offers a semi-automated way to measure your organization’s application of CIS Controls Implementation Group 1 in Windows 10 environments, assessing these Sub-Controls via a combination of scripts and survey questions.
What’s the difference between CIS-CAT Pro and CIS-CAT Lite?
CIS-CAT Lite is a limited, free version of our configuration assessment tool meant to let users test out the application’s functionality. There are two versions of CIS-CAT Lite. CIS-CAT Lite v3 has a GUI and focuses on local assessments, while CIS-CAT Lite v4 is a command line application and allows users to try the remote assessment capability. Each version of Lite supports assessment coverage that may include Windows 10, Google Chrome, Mac OS, and Ubuntu. The coverage offered with each CIS-CAT Lite version will change periodically. CIS-CAT Lite v4 also introduces the Controls Assessment Module. Review the full list of comparisons between the versions of Lite and Pro.
How does CIS-CAT work?
CIS-CAT is a Java-based application that quickly compares a target system’s configuration settings to the settings recommended in the CIS Benchmarks: secure configuration guidelines for over 100 technologies. After downloading and executing CIS-CAT Pro or CIS-CAT Lite, the program assesses the configuration of the target system(s) against the chosen CIS Benchmark recommendations and provides a conformance report with a score ranging from 0-100.
How can I access and utilize CIS-CAT?
To access CIS-CAT Lite v3 or v4, download it here.
To access CIS-CAT Pro, your organization must be a CIS SecureSuite Member. Members can download CIS-CAT Pro from our community platform, CIS WorkBench. Log in to CIS WorkBench with your work email address (registration required) and click on the “Downloads” tab. Here, you’ll find the most recent version of CIS-CAT Pro pinned at the top of the page and available for download. Members can download CIS-CAT Pro Assessor v3, CIS-CAT Pro Assessor v4, and CIS-CAT Pro Dashboard separately.
What versions of Java do I need for CIS-CAT Pro?
CIS-CAT Pro Assessor v3 requires Java 6 or higher. CIS-CAT Pro Assessor v4 requires Java 8 or higher. CIS-CAT Pro Dashboard requires Java 8. OpenJDK implementations of these Java versions are also supported. See https://openjdk.java.net/ for information about these free and open-source implementations of Java.
Is using Java with CIS-CAT Pro safe?
The security vulnerabilities reported are not about Java (the programming language). The vulnerabilities typically reported are in the Java sandbox, the privilege model intended to permit safe execution of untrusted code, and in the automatic execution of Java applets in a browser. Oracle uses the "Java" trademark both for the programming language and for the browser plugin that runs applets. CIS-CAT Pro uses the Java language because it offers the broadest possible platform portability. CIS-CAT Pro does not execute code in a browser, which is the source of most Java vulnerabilities.
Why is CIS-CAT a Java-based application?
To support the broadest possible portability, CIS-CAT is a Java application and requires an available Java Runtime Environment (JRE) to execute.
CIS-CAT Pro v3 is a host-based assessment tool (with the exception of Cisco IOS). The application and its JRE must reside either on the target system being assessed or in a shared network location to which the target system has network access.
CIS-CAT v4 can also be configured as a host-based assessor, but may also be set up to remotely assess target systems to which it has access via SSH or WinRM. In the remote assessment use-case, CIS-CAT and its JRE can reside together on any machine with access to the target endpoints.
For both CIS-CAT v3 and v4, CIS recommends using the most recent available JRE package for the version being used to execute the tool.
Do I have to buy a Java license to use CIS-CAT Pro?
No. CIS-CAT Pro works with OpenJDK, which is free and available at jdk.java.net. OpenJDK will continue to receive security updates.
What if my organization doesn't allow me to use OpenJDK?
If OpenJDK does not meet your organization's needs, Oracle Java releases can be obtained through My Oracle Support (MOS) and other channels by paying a license fee. For organizations requiring security updates to Java 8, these can be obtained by paying a nominal license fee to Oracle per server.
If I choose to buy a Java license, how do I keep this cost low?
Assessor v4 offers remote scanning, which provides the benefit of maintaining Java on only a single server. This can help keep the cost of maintaining Java low.
What if my CIS-CAT report is not 100% compliant?
A passing score is based on your organization’s requirements and policies. If your organization can implement all of the security settings without negatively impacting your business applications or end users, then they should all be implemented. However, successfully implementing every security setting may be considered unrealistic for some organizations.
After a CIS-CAT report is produced and all applicable security recommendations have been implemented according to your organization’s requirements, it is recommended to include an exception report to document the justification as to why some recommendations were not applied. CIS-CAT Pro users may also customize these recommendations to meet organizational requirements by using the tailoring functionality available through CIS WorkBench or by manually altering content in the XCCDF file of a particular CIS Benchmark.
Does CIS-CAT Pro support assessment of remote systems?
CIS-CAT Pro v3 remains a host-based configuration assessment tool that runs locally on the system being assessed. Centralized workflows are available for Windows and Linux systems that do not require CIS-CAT or Java to be installed on the systems being assessed. Complete documentation is available in our CIS-CAT Pro Assessor v3 User Guide, which can be downloaded from CIS WorkBench (registration required; CIS WorkBench is free to join). If your environment includes a Linux/Unix-based scheduling tool, this type of workflow should implement successfully.
Can content for CIS-CAT Pro be customized?
Yes, the content that CIS-CAT Pro uses can be customized. Customizations can be managed in two ways. Alterations to CIS-CAT Pro content can be made through the tailoring functionality within CIS WorkBench. Modifications can also be made manually in the XML content, such as the XCCDF or OVAL files in the Benchmarks folder of CIS-CAT Pro Assessor. Customizations of a benchmark range from turning a recommendation on or off to tailoring a recommendation’s value, such as password length, to align with your organization. Once the file is saved with the alterations, the assessment runs against the modified content and the CIS-CAT report reflects the changes made.
What if the benchmark I am looking for is not available in CIS-CAT Pro?
If the benchmark you are looking to assess against is not available in CIS-CAT Pro, the assessment and documentation will have to be manual.
We are always looking for technology experts to help us develop content, review recommendations, and test the CIS Benchmarks. If interested, join a community or contact us at Benchmarkinfo@cisecurity.org to inquire about the process. Join the CIS Member Benchmark Wish List Community and post your request.
Why does CIS-CAT Pro Assessor v3 have more CIS Benchmark coverage than CIS-CAT Pro Assessor v4?
CIS-CAT Pro Assessor v4 strives to be a standards-based application focused on vendor-supported technology platforms where OVAL coverage is available. For example, some of the earlier released benchmarks, developed using CIS' proprietary Embedded Check Language (ECL), will not be moved forward into v4 and will eventually be archived due to their age and diminishing relevance. If v3 contains a Benchmark that v4 does not, we encourage you to use v3. Our primary objective in the coming year will be to increase v4’s CIS Benchmark coverage to align with the supported versions of CIS Benchmark content where OVAL coverage exists.
Can CIS-CAT Pro be used to audit mobile device configurations?
CIS-CAT Pro is not currently built to assess mobile device configurations. CIS Benchmarks are available for download through CIS WorkBench for various mobile platforms and can be audited, configured and remediated manually.
I have run CIS-CAT Pro and identified my areas of improvement. Now what?
CIS has developed remediation kits in an effort to save our members time and effort when remediating failed settings or recommendations identified in the CIS-CAT Pro report. Instead of manually remediating each failed setting, CIS remediation kits contain automated content to streamline this process.
For Windows, this automated content takes the form of group policy objects (GPOs), available to CIS SecureSuite Members via CIS WorkBench. Once downloaded, the GPOs can be unzipped and imported into your group policy management console. Customizations can also be made, as the GPOs are not read-only. You can then link the GPO to the appropriate organizational units or individual machines and push the configuration policy out. The chosen domain members will be reconfigured to comply with the recommended settings in the benchmark.
For UNIX and Linux environments, our remediation kits take the form of basic shell scripts that can be run directly on the machine or through a corresponding tool of your preference. The scripts are run for the appropriate CIS Benchmark profile you intend to configure against; the script then executes and applies the secure benchmark settings. We recommend reviewing the README files accompanying the scripts, as they cover items that cannot be remediated by the automated shell script, such as partitioning file systems or limiting root access.
What is the CIS Controls Assessment Module?
The CIS Controls Assessment Module is a semi-automated way to measure your organization’s application of CIS Controls Implementation Group 1 in Windows 10 environments, assessing these Sub-Controls via a combination of scripts and survey questions. It runs inside of CIS-CAT Pro Assessor v4, leveraging Assessor’s ability to conduct both local and remote assessments.
What are CIS Controls Implementation Groups?
CIS Controls Implementation Groups are a new concept in V7.1 of the CIS Controls. Organizations self-assess into Implementation Group 1, 2, or 3 based on the technical resources and personnel they have available, as well as the sensitivity and criticality of the data the organization handles. The Implementation Groups help organizations prioritize which CIS Sub-Controls to implement first. There are 43 Sub-Controls in Implementation Group 1; these are the basic cyber hygiene Sub-Controls and serve as a good starting place for organizations. To find out more about Implementation Groups, visit https://www.cisecurity.org/blog/v7-1-introduces-implementation-groups-cis-controls/.
Is the CIS Controls Assessment Module compatible with CIS-CAT?
Yes, the CIS Controls Assessment Module runs inside of CIS-CAT Pro Assessor v4. Output from the CIS Controls Assessment Module is compatible with all the familiar CIS-CAT Pro Dashboard features, enabling you to view individual assessment results and graphs showing how scores have changed over time.
To access CIS-CAT Pro, your organization must be a CIS SecureSuite Member. Members can download CIS-CAT Pro from our community platform, CIS WorkBench. Log in to CIS WorkBench with your work email address (registration required) and click on the “Downloads” tab. Here, you’ll find the most recent version of CIS-CAT Pro pinned at the top of the page and available for download. Members can download CIS-CAT Pro Assessor v4 and CIS-CAT Pro Dashboard separately.
The Controls Assessment Module for Implementation Group 1 in Windows 10 is also available for free in CIS-CAT Pro Assessor v4 Lite, though the Lite version is not compatible with CIS-CAT Pro Dashboard. To access CIS-CAT Lite, download it here.
Is the Controls Assessment Module compatible with CIS-CAT Pro Assessor v3?
No. The CIS Controls Assessment Module relies on CIS-CAT Pro Assessor v4’s architecture to enable remote assessments. For this reason, the CIS Controls Assessment Module is only available in CIS-CAT Pro Assessor v4.
How do the automated checks work?
The automated checks utilize PowerShell scripts. In the CIS Controls Assessment Module v1.0.2, there are 13 automated Sub-Controls checks. Some of these checks have values that can be customized in the Assessor Properties file.
Why am I failing a particular automated check?
Each automated check is looking for something different. Refer to that check’s “Remediation” section for more information about the check and how to pass it. The “Remediation” section for each check is available in either the HTML output or the CIS-CAT Pro Dashboard output associated with each check. Additionally, the script output for each automated check can be viewed in the HTML output file by expanding the “Show Rule Result XML” under that check and looking between the <out> and </out> tags.
Will I need to change my PowerShell settings so that the CIS Controls Assessment Module can run?
You should not need to change your PowerShell settings. Note that when calling PowerShell scripts, CIS-CAT Assessor invokes each script with “-ExecutionPolicy bypass”, which bypasses the PowerShell execution policy only for the run of that script and does not change the system’s overall PowerShell execution policy. Additionally, the Unblock-File PowerShell command is run against the scripts when CIS-CAT Assessor calls them; as a result, the CIS Controls Assessment Module scripts remain unblocked/trusted even after the CIS Controls Assessment Module has finished running. These scripts are only designed to read configuration data from target systems. The use of “-ExecutionPolicy bypass” and “Unblock-File” is meant to contribute to a smoother user experience, but it is important that you consider any policy and security implications for your organization prior to running the CIS Controls Assessment Module.
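The following is an added example, not CIS code, that audits the two side effects just described after a CIS Controls Assessment Module run: it confirms the machine-wide execution policy is unchanged and records which module scripts lost their Zone.Identifier mark (and their hashes, so the now-trusted scripts can be pinned). The install folder path is an assumed placeholder.

```powershell
# Added example, not CIS code: audits execution-policy and Unblock-File side effects
# after a CIS Controls Assessment Module run. $scriptDir below is a placeholder.

function Get-ExecutionPolicyBaseline {
    # Snapshot the execution policy at every scope so a later run can be compared
    # against it. "-ExecutionPolicy Bypass" only affects the Assessor's own child
    # process, so none of these values should change.
    Get-ExecutionPolicy -List | ForEach-Object {
        [pscustomobject]@{ Scope = [string]$_.Scope; Policy = [string]$_.ExecutionPolicy }
    }
}

function Compare-ExecutionPolicyBaseline {
    param([Parameter(Mandatory)] [object[]] $Baseline)
    $current = Get-ExecutionPolicyBaseline
    foreach ($b in $Baseline) {
        $now = ($current | Where-Object { $_.Scope -eq $b.Scope }).Policy
        if ($now -ne $b.Policy) {
            Write-Warning "Execution policy at scope '$($b.Scope)' changed: $($b.Policy) -> $now"
        }
    }
}

function Get-ScriptTrustState {
    # Lists every .ps1 under $ScriptDir, whether it still carries the Zone.Identifier
    # stream (Mark-of-the-Web, removed permanently by Unblock-File), and its SHA-256
    # so the scripts that are now trusted can be checked for later tampering.
    param([Parameter(Mandatory)] [string] $ScriptDir)
    Get-ChildItem -Path $ScriptDir -Filter *.ps1 -Recurse -File | ForEach-Object {
        $zone = Get-Item -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path    = $_.FullName
            Blocked = [bool]$zone
            Sha256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}

function Restore-ZoneMark {
    # Re-applies the Internet zone mark (ZoneId=3) so a script is treated as
    # downloaded content again; only meaningful on NTFS volumes.
    param([Parameter(Mandatory)] [string] $Path)
    Set-Content -Path $Path -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
}

# Usage: take the baseline, run the Assessor (not shown), then compare and review.
$scriptDir = 'C:\placeholder\cis-cat-pro-assessor'   # placeholder: your Assessor install folder
$baseline  = Get-ExecutionPolicyBaseline
# ... run the CIS Controls Assessment Module here ...
Compare-ExecutionPolicyBaseline -Baseline $baseline
Get-ScriptTrustState -ScriptDir $scriptDir | Format-Table -AutoSize
```

Scripts reported with Blocked = False are the ones Unblock-File has already trusted; keep their hashes with the assessment records so a later change to a trusted script is visible.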
How do the survey questions work?
The non-automated Sub-Controls are assessed via survey questions. These are a series of 30 yes/no questions, one for each of the non-automated Sub-Controls. Answers to these survey questions can be saved in the Assessor Properties file (assessor-cli.properties), and these saved answers will be used for each assessment. If the organization changes its implementation status for a Sub-Control (i.e., implements a new Sub-Control), the corresponding saved answer can be updated in the Assessor Properties file and that new answer will be used for future assessments.
Alternatively, a question can be set to be answered interactively in the Assessor Properties file (by commenting out its answer line). This will result in the question being asked in the Assessor command prompt, once for each machine in the assessment. The user can enter a ‘y’ or ‘n’ for each of these questions, and these entered values will be used for the interactive questions rather than saved values from the Properties file.
Survey questions are yes/no. Affirmative answers can be provided with “y” or “yes” (case insensitive) and will result in a PASS for that Sub-Control check. Anything not recognized as an affirmative answer (yes), will be treated as a negative answer (no) and will result in a FAIL for that Sub-Control check.
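The following is an added example, not CIS code, that previews how saved survey answers in a properties file will be scored under the rules above (y/yes in any case passes, anything else fails, a commented-out answer line is asked interactively). The key names (survey.answer.<id>) and the sample lines are constructed for illustration; the real assessor-cli.properties keys may differ.

```powershell
# Added example, not CIS code: scores saved survey answers the way the FAQ describes.
# Key names and sample lines are constructed; real assessor-cli.properties keys may differ.

function Get-SurveyAnswerStatus {
    param([Parameter(Mandatory)] [string[]] $Lines)
    foreach ($line in $Lines) {
        # An optional leading '#' marks an answer line that was commented out, which
        # the Assessor treats as "ask interactively" for each machine assessed.
        if ($line.Trim() -match '^(#\s*)?(survey\.answer\.[\w.]+)\s*=\s*(.*)$') {
            $commented = [bool]$Matches[1]
            $value     = $Matches[3].Trim()
            # -match is case-insensitive by default, so Y, y, YES and yes all count.
            $status = if ($commented) { 'INTERACTIVE' }
                      elseif ($value -match '^(y|yes)$') { 'PASS' }
                      else { 'FAIL' }
            [pscustomobject]@{ Key = $Matches[2]; Value = $value; Status = $status }
        }
    }
}

# Constructed sample: note that "true" and an empty value both score FAIL,
# because only y/yes is recognized as affirmative.
$sample = @'
survey.answer.1.4=yes
survey.answer.1.6=Y
survey.answer.2.1=no
survey.answer.3.5=
survey.answer.4.1=true
# survey.answer.5.1=no
'@ -split "`r?`n"

$results = Get-SurveyAnswerStatus -Lines $sample
$results | Format-Table -AutoSize
($results | Group-Object Status | ForEach-Object { "$($_.Name): $($_.Count)" }) -join ', '
```

Running this against a copy of your real properties file before an assessment shows which Sub-Controls will fail simply because their answer is still the default “no” or is written in an unrecognized form such as “true”.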
Why aren’t all of the Sub-Controls automated?
Some Sub-Controls are more procedural in nature and don’t really lend themselves to being automated. For example, many of the Organizational Sub-Controls in CIS Controls 17 - 20 fall into this category. The CIS Controls Assessment Module uses survey questions so that organizations can still track their implementation of these Sub-Controls.
Why am I failing all of the survey questions?
The default saved answer for all survey questions is set to “no”; you should adjust these answers in the Assessor Properties file to reflect your organization’s implementation status for each Sub-Control survey question.
How do I run the CIS Controls Assessment Module?
You can assess Windows 10 endpoints using the CIS Controls Assessment Module in much the same way that you perform other assessments via the command line using supporting sessions and configuration files.
Which profiles are available in the CIS Controls Assessment Module?
The CIS Controls Assessment Module has 3 profiles available:
- Automated checks only
- Survey questions only
- Automated checks and survey questions
Where can I find out more about using the CIS Controls Assessment Module?
More information is available in the CIS Controls Assessment Module User Guide at https://ccpa-docs.readthedocs.io/en/latest/. Additionally, more information about how to use CIS-CAT Pro Dashboard is available at https://cis-cat-pro-dashboard.readthedocs.io/en/latest/.
How can I contribute to the development of the CIS Controls Assessment Module?
We welcome you to join the CIS Controls Assessment Module community on CIS WorkBench: https://workbench.cisecurity.org/communities/92. There you can start a discussion, ask questions, and make comments or suggestions to help shape the future of the CIS Controls Assessment Module.