What is CIS-CAT?
The CIS Configuration Assessment Tool (CIS-CAT) is a host-based configuration assessment tool that compares the configuration of a target system to the secure configuration settings recommended in the CIS Benchmarks. The tool provides a conformance report with a score ranging from 0 to 100, along with remediation steps for noncompliant settings.
There are two versions of CIS-CAT: CIS-CAT Lite, our free version of the tool, and CIS-CAT Pro, an enterprise-level tool available to CIS SecureSuite Members.
What’s the difference between CIS-CAT Pro and CIS-CAT Lite?
CIS-CAT Lite is a limited, free version of our configuration assessment tool meant to let users test out the application’s functionality. CIS-CAT Lite provides assessment coverage for four platforms: Windows 10, Google Chrome, Mac OS, and Ubuntu. CIS-CAT Pro, available through CIS SecureSuite Membership, has coverage for 85+ CIS Benchmarks and includes additional functionality such as CIS Benchmark customization and multiple reporting formats. CIS-CAT Pro may be operated using the graphical user interface (GUI) or the command-line interface (CLI), while CIS-CAT Lite is limited to the GUI option.
CIS-CAT Pro users can also download CIS-CAT Pro Dashboard, an integrated application which provides insights into assessment reports over a period of time.
How does CIS-CAT work?
CIS-CAT is a Java-based application that quickly compares a target system's configuration settings to the settings recommended in the CIS Benchmarks: secure configuration guidelines for over 100 technologies. After downloading and executing CIS-CAT Pro or CIS-CAT Lite, the program assesses the configuration of the target system(s) against the chosen CIS Benchmark recommendations and provides a conformance report with a score ranging from 0 to 100.
How can I access and utilize CIS-CAT?
To access CIS-CAT Lite, download it here.
To access CIS-CAT Pro, your organization must be a CIS SecureSuite Member. Members can download CIS-CAT Pro from our community platform, CIS WorkBench. Log in to CIS WorkBench with your work email address (registration required) and click on the “Downloads” tab. Here, you’ll find the most recent version of CIS-CAT Pro pinned at the top of the page and available for download. The CIS-CAT Pro Bundle includes both CIS-CAT Pro Assessor and CIS-CAT Pro Dashboard. You may also download the CIS-CAT Pro Assessor tool and CIS-CAT Pro Dashboard separately.
Why is CIS-CAT a Java-based application?
To support the broadest possible portability, CIS-CAT is a Java application and requires Java Runtime Environment (JRE) v1.6 or later. CIS-CAT and its JRE can reside on a target system or on any network drive or removable drive that has network access to the target system being assessed.
What if my CIS-CAT report is not 100% compliant?
A passing score is based on your organization's requirements and policies. If your organization can implement all of the security settings without negatively impacting your business applications or end users, then they should all be implemented. However, successfully implementing every security setting may be unrealistic for most organizations.
After a CIS-CAT report is produced and all applicable security recommendations have been implemented according to your organization’s requirements, it is recommended to include an exception report to document the justification as to why some recommendations were not applied. CIS-CAT Pro users may also customize these recommendations to meet organizational requirements by altering content in the XCCDF file of a particular CIS Benchmark.
Does CIS-CAT Pro support remote systems?
CIS-CAT Pro is a host-based configuration assessment tool that runs locally on the system being assessed. Centralized workflows are available for Windows and Linux systems that do not require CIS-CAT or Java to be installed on the systems being assessed. Complete documentation with step-by-step instructions is available in the CIS-CAT User's Guide, which can be downloaded from CIS WorkBench (registration required; CIS WorkBench is free to join). If your environment includes a Linux/Unix-based scheduling tool, this type of workflow can be implemented with it.
Remote assessment capability for CIS-CAT Pro is on the roadmap for 2017.
Can content for CIS-CAT Pro be customized?
Yes, the content that CIS-CAT Pro uses can be customized. Modifications are made by editing the XML content, such as the XCCDF or OVAL files, in the Benchmarks folder of the CIS-CAT Pro Bundle. Customizations of a benchmark can range from turning a recommendation on or off to tailoring a recommendation's parameters, such as minimum password length, so that it aligns with your organization's policy. Once the modified file is saved, subsequent assessments run against the modified content and the CIS-CAT report reflects the changes made.
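As an added illustration of the two kinds of XCCDF tailoring described above (this is example code, not part of CIS-CAT Pro or any CIS Benchmark), the script below parses a small constructed XCCDF 1.2 fragment, turns a recommendation off for a profile with a `<select>` override, and raises a password-length `<Value>` with a `<set-value>` override. All benchmark, profile, rule and value ids are invented; real CIS Benchmark ids differ.

```python
import xml.etree.ElementTree as ET

# XCCDF 1.2 namespace used by CIS Benchmark content. The Benchmark below is a constructed
# fragment for this example, not a real CIS Benchmark, and every id in it is invented.
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}
ET.register_namespace("", XCCDF_NS)  # keeps the default namespace when serialising later
PROFILE = "xccdf_example_profile_L1"
SAMPLE_XCCDF = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark_demo">
  <Profile id="{PROFILE}"><title>Level 1 (constructed)</title>
    <select idref="xccdf_example_rule_min_pw_len" selected="true"/>
    <select idref="xccdf_example_rule_legacy_protocol" selected="true"/></Profile>
  <Value id="xccdf_example_value_min_pw_len" type="number"><value>14</value></Value>
  <Rule id="xccdf_example_rule_min_pw_len"><title>Minimum password length</title></Rule>
  <Rule id="xccdf_example_rule_legacy_protocol"><title>Legacy protocol disabled</title></Rule>
</Benchmark>"""
load = ET.fromstring  # parse benchmark text into an element tree

def _profile(root, profile_id):
    prof = root.find(f"x:Profile[@id='{profile_id}']", NS)
    if prof is None:
        raise KeyError(f"no profile {profile_id}")
    return prof

def set_rule_selected(root, profile_id, rule_id, selected):
    """Turn one recommendation on or off for a profile via its <select> element."""
    if root.find(f"x:Rule[@id='{rule_id}']", NS) is None:
        raise KeyError(f"no rule {rule_id}")  # refuse to reference a rule that does not exist
    prof = _profile(root, profile_id)
    sel = prof.find(f"x:select[@idref='{rule_id}']", NS)
    if sel is None:
        sel = ET.SubElement(prof, f"{{{XCCDF_NS}}}select", idref=rule_id)
    sel.set("selected", "true" if selected else "false")

def set_value(root, profile_id, value_id, new_value):
    """Override a benchmark <Value> (e.g. password length) for a profile via <set-value>."""
    prof = _profile(root, profile_id)
    sv = prof.find(f"x:set-value[@idref='{value_id}']", NS)
    if sv is None:
        sv = ET.SubElement(prof, f"{{{XCCDF_NS}}}set-value", idref=value_id)
    sv.text = str(new_value)

def selected_rules(root, profile_id):
    """Rule ids the profile will assess, after any <select> overrides."""
    prof = _profile(root, profile_id)
    return {s.get("idref") for s in prof.findall("x:select", NS) if s.get("selected") == "true"}

def effective_value(root, profile_id, value_id):
    """Value the assessment will use: the profile's <set-value> if present, else the default."""
    sv = _profile(root, profile_id).find(f"x:set-value[@idref='{value_id}']", NS)
    return sv.text if sv is not None else root.find(f"x:Value[@id='{value_id}']/x:value", NS).text
```

To write the tailored content back out, serialise the modified tree with `ET.tostring(root, encoding="unicode")` and save it in place of the original file.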
What if the benchmark I am looking for is not available in CIS-CAT Pro?
Unfortunately, if the benchmark you are looking to assess against is not available in CIS-CAT Pro, the assessment and documentation will have to be manual.
If you would like to see other benchmarks included in CIS-CAT Pro, please provide us this feedback in your annual CIS SecureSuite Member survey. CIS product offerings are built and continuously improved through the requests and support of member and community participation.
Can CIS-CAT Pro be used to audit mobile device configurations?
CIS-CAT Pro is not currently built to assess mobile device configurations. CIS Benchmarks are available for download through CIS WorkBench for various mobile platforms and can be audited, configured and remediated manually.
I have run CIS-CAT Pro and identified my areas of improvement. Now what?
CIS has developed remediation kits in an effort to save our members time and effort when remediating failed settings or recommendations identified in the CIS-CAT Pro report. Instead of manually remediating each failed setting, CIS remediation kits contain automated content to streamline this process.
For Windows, this automated content takes the form of Group Policy Objects (GPOs), available to CIS SecureSuite Members via CIS WorkBench. Once downloaded, the GPOs can be unzipped and imported into your Group Policy Management Console. Customizations can also be made, as the GPOs are not read-only. You can then link the GPO to the appropriate organizational units or individual machines and push the configuration policy out. The chosen domain members will be reconfigured to comply with the recommended settings in the benchmark.
A batch tool that allows your organization to run and import the Group Policy Objects on a standalone machine is also available. CIS SecureSuite Members can find this tool on the CIS WorkBench downloads page.
For UNIX and Linux environments, our remediation kits take the form of basic shell scripts that can be run directly on the machine or through a configuration tool of your choice. Run the script for the CIS Benchmark profile you intend to configure against, and it will apply the secure benchmark settings. We recommend reviewing the README files accompanying the scripts, as they cover items that cannot be remediated by the automated shell script, such as partitioning file systems or limiting root access.