What is CIS-CAT?
CIS-Configuration Assessment Tool (CIS-CAT) is a configuration assessment tool that compares the configuration of target systems to the secure configuration settings recommended in machine-readable content. CIS-CAT can consume content that conforms to the Security Content Automation Protocol (SCAP). The tool is designed primarily to assess against CIS Benchmark™ configuration recommendations. The tool provides a conformance score ranging from 0-100. Detailed output reports provide remediation guidance for each CIS Benchmark recommendation.
There are three versions of CIS-CAT:
- CIS-CAT Lite: Our free version produces only HTML and supports a subset of CIS Benchmark assessments.
- CIS-CAT Pro Assessor v3: Performs assessments over a local or shared internal network, and offers a variety of outputs.
- CIS-CAT Pro Assessor v4: Performs assessments over remote and local/shared internal networks. CIS-CAT Pro v3 and v4 are enterprise-level tools available to CIS SecureSuite® Members.
Which version of CIS-CAT Pro Assessor is right for me?
CIS will continue to support CIS-CAT Pro Assessor v3. We encourage you to use the version that works best for you.
- JRE included for GUI: In November 2020, CIS-CAT Pro v4 was delivered with a graphical user interface (GUI) for Windows OS that does not require an installation of the Java Runtime Environment (JRE). No additional components are necessary for basic, local scans with the v4 GUI. A suitable JRE is still required for CLI activities. CIS-CAT Pro v3 requires a JRE for all CLI and GUI use.
- Remote configuration assessment: CIS-CAT Pro v4 offers options to complete a remote assessment through the GUI or command line.
- CIS Benchmark coverage: CIS-CAT Pro v4 is a standards-based application focused on vendor-supported technology platforms where OVAL coverage is available. Some Benchmarks available in CIS-CAT Pro v3 are not OVAL-based or are no longer vendor-supported, and therefore, are not supported in v4. See the CIS-CAT Pro supported Benchmarks for the most up-to-date information regarding platform coverage.
- SCAP 1.2 Validation: CIS-CAT Pro Assessor v3 was awarded NIST Security Content Automation Protocol (SCAP 1.2) Validation as an "Authenticated Configuration Scanner" with the "Common Vulnerabilities and Exposures (CVE) Option" for specific platforms. Details are available on the NIST website. CIS-CAT Pro v4 was built in conformance with SCAP and is evaluating official SCAP 1.3 validation.
- CIS Controls® Assessment Module: CIS-CAT Pro v4 offers a semi-automated way to measure your organization’s application of CIS Controls Implementation Group 1 in Windows 10 environments, assessing these Sub-Controls via a combination of scripts and survey questions.
What’s the difference between CIS-CAT Pro and CIS-CAT Lite?
CIS-CAT Lite is a limited, free version of our configuration assessment tool meant to let users test out the application’s functionality. There are two versions of CIS-CAT Lite, v3 and v4. CIS-CAT Lite v4 is a command line and GUI application and allows users to try the remote assessment capability. The v4 GUI is compatible with Windows OS and requires no additional components to execute (the JRE is embedded in the GUI executable). Each version of Lite supports assessment coverage that includes Windows 10, Google Chrome, Mac OS (v3 only), Ubuntu, and Controls Assessment (v4 only). The assessment coverage offered with each CIS-CAT Lite version will change periodically. Review the full list of comparisons between the versions of Lite and Pro.
How does CIS-CAT work?
CIS-CAT is a Java-based application which quickly compares a target system’s configuration settings to the settings recommended in the CIS Benchmark: secure configuration guidelines for over 100 technologies. After downloading and executing CIS-CAT Pro or CIS-CAT Lite, the program will assess the configuration of the target system(s) against the chosen CIS Benchmark recommendation and provide a conformance report ranging from 0-100.
How can I access and utilize CIS-CAT?
To access CIS-CAT Lite v3 or v4, download it here. Lite does not require a license key. However, features and content are limited.
To access CIS-CAT Pro, your organization must be a CIS SecureSuite Member. Members can download CIS-CAT Pro from our community platform, CIS WorkBench. Log in to CIS WorkBench with your work email address (registration required) and click on the “Downloads” tab. Here, you’ll find the most recent version of CIS-CAT Pro pinned at the top of the page and available for download. Members can download CIS-CAT Pro Assessor v3, CIS-CAT Pro Assessor v4, Assessor v4 Service, and CIS-CAT Pro Dashboard separately.
CIS-CAT Pro Assessor v4 and v4 Service require a license to unlock full features and CIS Benchmark content. See our deployment guide on how to apply your organization's license key. One key is provided per organization.
What versions of Java do I need for CIS-CAT Pro?
Is using Java with CIS-CAT Pro safe?
The security vulnerabilities commonly reported are not in Java the programming language. They are typically in the Java sandbox, the privilege model intended to allow safe execution of untrusted code, and in the automatic execution of Java applets in a browser. Oracle uses the "Java" trademark both for the programming language and for the browser plugin that runs applets. CIS-CAT Pro uses the Java language because it offers the broadest possible platform portability. CIS-CAT Pro does not execute code in a browser, which is the source of most Java vulnerabilities.
Why is CIS-CAT a Java-based application?
To support the broadest possible portability, CIS-CAT is a Java application and requires an available Java Runtime Environment (JRE) to execute.
CIS-CAT Pro v3 is a host-based assessment tool (with the exception of Cisco IOS). The application and its JRE must reside on either the target system being assessed, or in a shared network location, to which the target system has network access.
CIS-CAT v4 can also be configured as a host-based assessor, but may also be set up to remotely assess target systems to which it has access via SSH or WinRM. In the remote assessment use-case, CIS-CAT and its JRE can reside together on any machine with access to the target endpoints.
For both CIS-CAT v3 and v4, CIS recommends using the most recent available JRE package for the version being used to execute the tool.
Do I have to buy a Java license to use CIS-CAT Pro?
No. CIS-CAT Pro works with OpenJDK, which is free and available at jdk.java.net. OpenJDK will continue to receive security updates.
What if my organization doesn't allow me to use OpenJDK?
If OpenJDK does not meet your organization's needs, Oracle Java releases can be obtained through My Oracle Support (MOS) and other channels by paying a license fee. For organizations requiring security updates to Java 8, these can be obtained by paying a nominal license fee to Oracle per server.
If I choose to buy a Java license, how do I keep this cost low?
Assessor v4 offers remote scanning, which means Java only needs to be maintained on a single server rather than on every assessed system. This can help keep the cost of maintaining Java low.
What if my CIS-CAT report is not 100% compliant?
A passing score is based on your organization’s requirements and policies. If your organization can implement all of the security settings without negatively impacting your business applications or end users, then they should all be implemented. However, successfully implementing every security setting may be considered unrealistic for some organizations.
After a CIS-CAT report is produced and all applicable security recommendations have been implemented according to your organization’s requirements, it is recommended to include an exception report to document the justification as to why some recommendations were not applied. CIS-CAT Pro users may also customize these recommendations to meet organizational requirements by using the tailoring functionality available through CIS WorkBench or by manually altering content in the XCCDF file of a particular CIS Benchmark.
Does CIS-CAT Pro support assessment of remote systems?
Yes! With the release of CIS-CAT v4, remote assessments are now available! Review our CIS-CAT Pro Assessor v4 online documentation. Read our press release. View our webinar. CIS-CAT v4 also supports local and in-network scanning (Centralized) workflows for Windows and Linux.
CIS-CAT Pro v3 remains a host-based configuration assessment tool that runs locally on the system being assessed. Centralized workflows are available for Windows and Linux systems that do not require CIS-CAT or Java to be installed on the systems being assessed. Complete documentation is available in our CIS-CAT Pro Assessor v3 User Guide, which can be downloaded on CIS WorkBench (registration required; CIS WorkBench is free to join). If your environment includes a Linux/Unix-based scheduling tool, this type of workflow should be straightforward to implement.
Can content for CIS-CAT Pro be customized?
Yes, the content that CIS-CAT Pro uses can be customized. Customizations can be managed in two ways. Alterations to CIS-CAT Pro content can be made through the tailoring functionality within CIS WorkBench. Modifications to the content can also be made manually in the XML content, such as the XCCDF or OVAL files in the CIS Benchmarks folder of the CIS-CAT Pro Assessor. Customizations of a CIS Benchmark can range from turning a recommendation on or off to tailoring a recommendation's value, such as password length, to align with your organization. Once the altered file is saved, subsequent assessments run against the modified content and the CIS-CAT report reflects the changes made.
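The manual XCCDF route described above, as an added example (not CIS code and not CIS Benchmark content): a small Python script that turns a recommendation off in a profile and tailors a value such as minimum password length, then reports what the profile would effectively assess. The Benchmark, profile, rule and value ids are constructed for the example; the element names and the select / refine-value / Value mechanism are standard XCCDF 1.2.

```python
"""Tailor an XCCDF profile: switch a rule off and override a tailorable value.

Added example, not CIS-CAT code. SAMPLE_BENCHMARK is a constructed miniature
in the XCCDF 1.2 namespace; every id in it is hypothetical.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"xccdf": XCCDF_NS}
ET.register_namespace("xccdf", XCCDF_NS)

PROFILE_ID = "xccdf_org.example_profile_level1"  # hypothetical profile id

# Constructed sample: one profile, one tailorable Value, two Rules.
SAMPLE_BENCHMARK = """\
<xccdf:Benchmark xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                 id="xccdf_org.example_benchmark_demo">
  <xccdf:Profile id="xccdf_org.example_profile_level1">
    <xccdf:title>Level 1 (constructed)</xccdf:title>
    <xccdf:select idref="xccdf_org.example_rule_min_password_length" selected="true"/>
    <xccdf:select idref="xccdf_org.example_rule_disable_guest" selected="true"/>
  </xccdf:Profile>
  <xccdf:Value id="xccdf_org.example_value_min_password_length" type="number">
    <xccdf:title>Minimum password length</xccdf:title>
    <xccdf:value>14</xccdf:value>
  </xccdf:Value>
  <xccdf:Group id="xccdf_org.example_group_accounts">
    <xccdf:Rule id="xccdf_org.example_rule_min_password_length" selected="false">
      <xccdf:title>Ensure minimum password length is configured</xccdf:title>
    </xccdf:Rule>
    <xccdf:Rule id="xccdf_org.example_rule_disable_guest" selected="false">
      <xccdf:title>Ensure the Guest account is disabled</xccdf:title>
    </xccdf:Rule>
  </xccdf:Group>
</xccdf:Benchmark>
"""


def parse_benchmark(xml_text):
    return ET.fromstring(xml_text)


def serialize(root):
    return ET.tostring(root, encoding="unicode")


def _find_by_id(root, local_name, elem_id):
    # Rules and Values may be nested inside Groups, so walk the whole tree.
    for el in root.iter(f"{{{XCCDF_NS}}}{local_name}"):
        if el.get("id") == elem_id:
            return el
    raise KeyError(f"no {local_name} with id {elem_id}")


def set_rule_selection(root, profile_id, rule_id, selected):
    """Turn a recommendation on or off for a profile via <xccdf:select>."""
    _find_by_id(root, "Rule", rule_id)  # fail early on a typo in the id
    profile = _find_by_id(root, "Profile", profile_id)
    sel = profile.find(f"xccdf:select[@idref='{rule_id}']", NS)
    if sel is None:
        sel = ET.Element(f"{{{XCCDF_NS}}}select", idref=rule_id)
        existing = profile.findall("xccdf:select", NS)
        # XCCDF orders <select> before <refine-value>; keep new selects together.
        pos = list(profile).index(existing[-1]) + 1 if existing else len(profile)
        profile.insert(pos, sel)
    sel.set("selected", "true" if selected else "false")
    return sel


def set_value(root, profile_id, value_id, selector, new_value):
    """Tailor a Value (e.g. password length) by adding a selector-tagged
    <xccdf:value> and pointing the profile at it with <xccdf:refine-value>."""
    value_el = _find_by_id(root, "Value", value_id)
    candidate = value_el.find(f"xccdf:value[@selector='{selector}']", NS)
    if candidate is None:
        candidate = ET.SubElement(value_el, f"{{{XCCDF_NS}}}value", selector=selector)
    candidate.text = str(new_value)
    profile = _find_by_id(root, "Profile", profile_id)
    refine = profile.find(f"xccdf:refine-value[@idref='{value_id}']", NS)
    if refine is None:
        refine = ET.SubElement(profile, f"{{{XCCDF_NS}}}refine-value", idref=value_id)
    refine.set("selector", selector)
    return candidate


def effective_settings(root, profile_id):
    """Resolve what the profile would assess: rule id -> bool, value id -> text."""
    profile = _find_by_id(root, "Profile", profile_id)
    rules = {r.get("id"): r.get("selected", "false") == "true"
             for r in root.iter(f"{{{XCCDF_NS}}}Rule")}
    for sel in profile.findall("xccdf:select", NS):  # profile overrides Rule default
        if sel.get("idref") in rules:
            rules[sel.get("idref")] = sel.get("selected") == "true"
    refinements = {r.get("idref"): r.get("selector")
                   for r in profile.findall("xccdf:refine-value", NS)}
    values = {}
    for value_el in root.iter(f"{{{XCCDF_NS}}}Value"):
        vid, wanted = value_el.get("id"), refinements.get(value_el.get("id"))
        options = value_el.findall("xccdf:value", NS)
        # A value with no selector attribute is the default; refine-value picks another.
        chosen = next((v for v in options if v.get("selector") == wanted), None)
        if chosen is None:
            chosen = next((v for v in options if v.get("selector") is None), None)
        values[vid] = chosen.text.strip() if chosen is not None and chosen.text else None
    return {"rules": rules, "values": values}


def apply_tailoring(xml_text=SAMPLE_BENCHMARK):
    """Demo: switch off the Guest-account rule and lower password length to 12."""
    root = parse_benchmark(xml_text)
    set_rule_selection(root, PROFILE_ID, "xccdf_org.example_rule_disable_guest", False)
    set_value(root, PROFILE_ID, "xccdf_org.example_value_min_password_length",
              "org_tailored", 12)
    return root


if __name__ == "__main__":
    tailored = apply_tailoring()
    print(effective_settings(tailored, PROFILE_ID))
    print(serialize(tailored))
```

Keeping the original default `<xccdf:value>` intact and adding a second one under a new selector, rather than overwriting 14 with 12, leaves an audit trail of what the Benchmark recommended versus what the organization chose; that is also the shape CIS WorkBench tailoring produces, so the deviation is easy to document in an exception report.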
What if the CIS Benchmark I am looking for is not available in CIS-CAT Pro?
If the CIS Benchmark you are looking to assess against is not available in CIS-CAT Pro, the assessment and documentation will have to be manual.
We are always looking for technology experts to help us develop content, review recommendations, and test the CIS Benchmarks. If interested, join a community or contact us at benchmarkinfo <email@example.com> to enquire about the process. Join the CIS Member Benchmark Wish List Community and post your request.
Can CIS-CAT Pro be used to audit mobile device configurations?
CIS-CAT Pro is not currently built to assess mobile device configurations. CIS Benchmarks are available for download through CIS WorkBench for various mobile platforms and can be audited, configured and remediated manually.
I have run CIS-CAT Pro and identified my areas of improvement. Now what?
CIS has developed build kits in an effort to save our Members time and effort when remediating failed settings or recommendations identified in the CIS-CAT Pro report. Instead of manually remediating each failed setting, CIS build kits contain automated content to streamline this process.
For Windows, this automated content takes the form of group policy objects (GPOs), available to CIS SecureSuite Members via CIS WorkBench. Once downloaded, the GPOs can be unzipped and imported into your Group Policy Management Console. Customizations can also be made, as the GPOs are not read-only. You can then link the GPO to the appropriate organizational units or individual machines and push the configuration policy out. The chosen domain members will be reconfigured to comply with the recommended settings in the Benchmark.
For UNIX and Linux environments, our build kits take the form of basic shell scripts that can be run directly on the machine or through a deployment tool of your preference. Run the script for the CIS Benchmark profile you intend to configure against, and it will apply the secure CIS Benchmark settings. We recommend reviewing the README files accompanying the scripts, as they describe items that cannot be remediated by the automated shell script, such as partitioning file systems or limiting root access.
What is the CIS Controls Assessment Module?
The CIS Controls Assessment Module is a semi-automated way to measure your organization’s application of CIS Controls Implementation Group 1 in Windows 10 and Windows Server environments, assessing these Sub-Controls via a combination of scripts and survey questions. It runs inside of CIS-CAT Pro Assessor v4, leveraging Assessor’s ability to conduct both local and remote assessments.
What are CIS Controls Implementation Groups?
CIS Controls Implementation Groups are a new concept in V7.1 of the CIS Controls. Organizations self-assess into group 1, 2, or 3 based on the technical resources and personnel they have available, as well as the sensitivity and criticality of the data the organization handles. The Implementation Groups help prioritize which CIS Sub-Controls to implement first. There are 43 Sub-Controls in Implementation Group 1; these are the basic cyber hygiene Sub-Controls and serve as a good starting place for organizations. To find out more about Implementation Groups, visit https://www.cisecurity.org/blog/v7-1-introduces-implementation-groups-cis-controls/.
Is the CIS Controls Assessment Module compatible with CIS-CAT?
Yes, the CIS Controls Assessment Module runs inside of CIS-CAT Pro Assessor v4. Output from the CIS Controls Assessment Module is compatible with all the familiar CIS-CAT Pro Dashboard features, enabling you to view individual assessment results and graphs showing how scores have changed over time.
To access CIS-CAT Pro, your organization must be a CIS SecureSuite Member. Members can download CIS-CAT Pro from our community platform, CIS WorkBench. Log in to CIS WorkBench with your work email address (registration required) and click on the “Downloads” tab. Here, you’ll find the most recent version of CIS-CAT Pro pinned at the top of the page and available for download. Members can download CIS-CAT Pro Assessor v4 and CIS-CAT Pro Dashboard separately.
The Controls Assessment Module for Implementation Group 1 in Windows 10 and Windows Server is also available for free in CIS-CAT Pro Assessor v4 Lite, though the Lite version is not compatible with CIS-CAT Pro Dashboard. To access CIS-CAT Lite, download it here.
Is the Controls Assessment Module compatible with CIS-CAT Pro Assessor v3?
No. The CIS Controls Assessment Module relies on CIS-CAT Pro Assessor v4’s architecture to enable remote assessments. For this reason, the CIS Controls Assessment Module is only available in CIS-CAT Pro Assessor v4.
How do the automated checks work?
The automated checks utilize PowerShell scripts. In the CIS Controls Assessment Module v1.0.2, there are 13 automated Sub-Controls checks. Some of these checks have values that can be customized in the Assessor Properties file.
Why am I failing a particular automated check?
Each automated check is looking for something different. Refer to that check’s “Remediation” section for more information about the check and how to pass it. The “Remediation” section for each check is available in either the HTML output or the CIS-CAT Pro Dashboard output associated with each check. Additionally, the script output for each automated check can be viewed in the HTML output file by expanding the “Show Rule Result XML” under that check and looking between the <out> and </out> tags.
Will I need to change my PowerShell settings so that the CIS Controls Assessment Module can run?
You should not need to change your PowerShell settings. It is important to note that when calling PowerShell scripts, CIS-CAT Assessor invokes the script with “-ExecutionPolicy bypass”, temporarily bypassing the PowerShell execution policy for just the run of each of these scripts, without changing the system’s overall PowerShell Execution Policy. Additionally, the Unblock-File PowerShell command will be run against the scripts when CIS-CAT Assessor calls them; this will result in the CIS Controls Assessment Module scripts remaining unblocked/trusted even after the CIS Controls Assessment Module has run. These scripts are designed only to read configuration data from target systems. The use of “-ExecutionPolicy bypass” and “Unblock-File” is meant to contribute to a smoother user experience, but it is important that you consider any policy and security implications for your organization prior to running the CIS Controls Assessment Module.
How do the survey questions work?
The non-automated Sub-Controls are assessed via survey questions. These are a series of 30 yes/no questions, one for each of the non-automated Sub-Controls. Answers to these survey questions can be saved in the Assessor Properties file (assessor-cli.properties), and these saved answers will be used for each assessment. If the organization changes its implementation status for a Sub-Control (i.e., implements a new Sub-Control), the corresponding saved answer can be updated in the Assessor Properties file and that new answer will be used for future assessments.
Alternatively, a question can be set to be answered interactively in the Assessor Properties file (by commenting out its answer line). This will result in the question being asked in the Assessor command prompt, once for each machine in the assessment. The user can enter a ‘y’ or ‘n’ for each of these questions, and these entered values will be used for the interactive questions rather than saved values from the Properties file.
Survey questions are yes/no. Affirmative answers can be provided with “y” or “yes” (case insensitive) and will result in a PASS for that Sub-Control check. Anything not recognized as an affirmative answer (yes) will be treated as a negative answer (no) and will result in a FAIL for that Sub-Control check.
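The three survey rules above (saved answers, commented-out lines becoming interactive prompts, and the y/yes-or-FAIL evaluation) as an added worked example. This is not CIS code: the `survey.*` property keys and the properties fragment are constructed for the example, since the page does not show the real assessor-cli.properties keys; where the page is silent (a question with no line at all) the script assumes the question is asked interactively, like a commented-out one.

```python
"""Evaluate CIS Controls Assessment Module survey answers as the FAQ describes.

Added example, not CIS-CAT code. Property keys of the form survey.<id> are
hypothetical; the sample properties text is constructed.
"""

# Constructed fragment of an Assessor Properties file (assessor-cli.properties).
SAMPLE_PROPERTIES = """\
# Survey answers for non-automated Sub-Controls (constructed sample)
survey.subcontrol_1_4 = yes
survey.subcontrol_1_6 = Y
survey.subcontrol_3_5 = no
survey.subcontrol_5_1 = maybe
# survey.subcontrol_14_6 = yes
survey.subcontrol_17_3 =
"""

# Questions the module asks (hypothetical ids; the real module has 30).
QUESTION_IDS = [
    "survey.subcontrol_1_4",
    "survey.subcontrol_1_6",
    "survey.subcontrol_3_5",
    "survey.subcontrol_5_1",
    "survey.subcontrol_14_6",
    "survey.subcontrol_17_3",
    "survey.subcontrol_19_1",   # deliberately absent from the sample file
]


def parse_properties(text, prefix="survey."):
    """Return (saved, commented): saved maps key -> raw answer text for active
    lines; commented holds keys whose answer line is commented out with '#'.
    Only the 'key = value' form is handled (assumption for this example)."""
    saved, commented = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        is_comment = line.startswith("#")
        if is_comment:
            line = line[1:].strip()
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or not key.startswith(prefix):
            continue  # not an answer line (or an ordinary comment)
        if is_comment:
            commented.add(key)
        else:
            saved[key] = value.strip()
    return saved, commented


def is_affirmative(answer):
    """Only 'y' or 'yes' (case-insensitive) count as yes; everything else is no."""
    return answer.strip().lower() in ("y", "yes")


def evaluate_survey(text, question_ids=QUESTION_IDS, interactive_answers=None):
    """Map each question id to 'PASS', 'FAIL' or 'INTERACTIVE'.

    interactive_answers stands in for what the operator types at the Assessor
    prompt; those values are used only for questions with no saved answer."""
    saved, _commented = parse_properties(text)
    interactive_answers = interactive_answers or {}
    results = {}
    for qid in question_ids:
        if qid in saved:                      # saved answer wins, even if empty
            results[qid] = "PASS" if is_affirmative(saved[qid]) else "FAIL"
        elif qid in interactive_answers:      # commented out or missing, but answered
            results[qid] = "PASS" if is_affirmative(interactive_answers[qid]) else "FAIL"
        else:                                 # would be prompted for on each machine
            results[qid] = "INTERACTIVE"
    return results


def summarize(results):
    """Count outcomes; 'pending' questions still need an interactive answer."""
    return {
        "passed": sum(1 for r in results.values() if r == "PASS"),
        "failed": sum(1 for r in results.values() if r == "FAIL"),
        "pending": sum(1 for r in results.values() if r == "INTERACTIVE"),
    }


if __name__ == "__main__":
    outcome = evaluate_survey(SAMPLE_PROPERTIES)
    for qid, status in outcome.items():
        print(f"{qid:28} {status}")
    print(summarize(outcome))
```

Two details worth noticing when reviewing an organization's properties file: an answer line that is present but empty (`survey.subcontrol_17_3 =`) is a saved answer and therefore a FAIL, not a prompt, and a stray value like `maybe` silently fails rather than raising an error, so a typo in a saved answer looks identical to a genuine "no".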
Why aren’t all of the Sub-Controls automated?
Some Sub-Controls are more procedural in nature and don’t really lend themselves to being automated. For example, many of the Organizational Sub-Controls in CIS Controls 17-20 fall into this category. The CIS Controls Assessment Module uses survey questions so that organizations can still track their implementation of these Sub-Controls.
Why am I failing all of the survey questions?
The default saved answer for all survey questions is set to “no”; you should adjust these answers in the Assessor Properties file to reflect your organization’s implementation status for each Sub-Control survey question.
How do I run the CIS Controls Assessment Module?
You can assess Windows 10 and Windows Server endpoints using the CIS Controls Assessment Module in much the same way that you perform other assessments via the command line using supporting sessions and configuration files.
Which profiles are available in the CIS Controls Assessment Module?
The CIS Controls Assessment Module has three profiles available:
- Automated checks only
- Survey questions only
- Automated checks and survey questions
Where can I find out more about using the CIS Controls Assessment Module?
More information is available in the CIS Controls Assessment Module User Guide.
How can I contribute to the development of the CIS Controls Assessment Module?
We welcome you to join the CIS Controls Assessment Module community on CIS WorkBench. There you can start a discussion, ask questions, and make comments or suggestions to help shape the future of the CIS Controls Assessment Module.
Want to learn more?
Join our next webinar to see CIS-CAT demonstrated by a developer. See Webinar Details.
Still have questions? Contact us