What is CIS-CAT?
CIS Configuration Assessment Tool (CIS-CAT) is a configuration assessment tool that compares the configuration of target systems to the secure configuration settings recommended in machine-readable content, provided that content conforms to the Security Content Automation Protocol (SCAP). The tool is designed primarily to assess against CIS Benchmark configuration recommendations. It produces a conformance report with a score from 0 to 100 and remediation steps for noncompliant settings.
There are three versions of CIS-CAT. CIS-CAT Lite is the free version of the tool. CIS-CAT Pro Assessor v3 performs assessments on the local host or from a shared internal network location. CIS-CAT Pro Assessor v4 can additionally assess some systems remotely. CIS-CAT Pro v3 and v4 are enterprise-level tools available to CIS SecureSuite Members.
Which version of CIS-CAT Pro Assessor is right for me?
CIS will continue to support CIS-CAT Pro Assessor v3, so use the version that works best for you. Both v3 and v4 require an accessible Java Runtime Environment (JRE): CIS-CAT Pro Assessor v3 requires JRE 1.6 (Java 6) or later, while CIS-CAT Pro Assessor v4 requires JRE 1.8 (Java 8) or later.
- Graphical User Interface (GUI) vs. Command Line Interface (CLI): CIS-CAT Pro v4 is only available through the CLI. If you prefer a more graphical interface, you’ll want to stick with CIS-CAT Pro v3 for now.
- CIS Benchmark coverage: At release, CIS-CAT Pro v4 can be used with a selection of more than 60 CIS Benchmarks. See the CIS-CAT Pro supported Benchmarks list for the most up-to-date information regarding platform coverage.
What’s the difference between CIS-CAT Pro and CIS-CAT Lite?
CIS-CAT Lite is a limited, free version of our configuration assessment tool meant to let users test out the application’s functionality. CIS-CAT Lite provides assessment coverage for four platforms: Windows 10, Google Chrome, Mac OS, and Ubuntu. CIS-CAT Pro, available through CIS SecureSuite Membership, has coverage for 85+ CIS Benchmarks and includes additional functionality such as CIS Benchmark customization and multiple reporting formats. CIS-CAT Pro may be operated using the graphical user interface (GUI) or the command-line interface (CLI), while CIS-CAT Lite is limited to the GUI option. CIS-CAT Lite is based on CIS-CAT Pro Assessor v3, the host-based application.
CIS-CAT Pro users can also download CIS-CAT Pro Dashboard, an integrated application which provides an analysis platform for assessment reports over a period of time.
How does CIS-CAT work?
CIS-CAT is a Java-based application that compares a target system's configuration settings to the settings recommended in the CIS Benchmarks, the secure configuration guidelines CIS publishes for over 100 technologies. After you download and run CIS-CAT Pro or CIS-CAT Lite, the program assesses the configuration of the target system(s) against the chosen CIS Benchmark recommendations and produces a conformance report with a score from 0 to 100.
How can I access and utilize CIS-CAT?
To access CIS-CAT Lite, download it here.
To access CIS-CAT Pro, your organization must be a CIS SecureSuite Member. Members can download CIS-CAT Pro from our community platform, CIS WorkBench. Log in to CIS WorkBench with your work email address (registration required) and click on the “Downloads” tab. Here, you’ll find the most recent version of CIS-CAT Pro pinned at the top of the page and available for download. Members can download CIS-CAT Pro Assessor v3, CIS-CAT Pro Assessor v4, and CIS-CAT Pro Dashboard separately.
What versions of Java do I need for CIS-CAT Pro?
CIS-CAT Pro Assessor v3 requires Java 6 or higher. CIS-CAT Pro Assessor v4 requires Java 8 or higher. CIS-CAT Pro Dashboard requires Java 8.
Is using Java with CIS-CAT Pro safe?
The vulnerabilities commonly reported against "Java" are not in the Java programming language itself. Most of them have been in the browser plugin and its applet sandbox, a privilege model intended to run untrusted code safely, where a malicious web page could cause a Java applet to execute automatically. Oracle uses the "Java" trademark both for the programming language and for the browser plugin that runs applets. CIS-CAT Pro uses the Java language because it offers the broadest possible platform portability; it does not execute code in a browser, which has been the source of most reported Java vulnerabilities. The JRE that runs CIS-CAT still needs to be kept patched like any other runtime, which is why CIS recommends the most recent available JRE release for the version of the tool you use.
Why is CIS-CAT a Java-based application?
To support the broadest possible portability, CIS-CAT is a Java application and requires an available Java Runtime Environment (JRE) to execute.
With CIS-CAT version 3 configured as a host-based assessment tool, the application and its JRE must reside either on the target system being assessed or in a shared network location to which the target system has network access. CIS-CAT version 3 requires JRE 1.6 or higher.
CIS-CAT version 4 can also run as a host-based assessor, but it can additionally be set up to assess remote target systems that it can reach via SSH or WinRM. In the remote assessment use case, CIS-CAT and its JRE reside together on any machine with access to the target endpoints, so Java only has to be maintained there. The account CIS-CAT uses over SSH or WinRM needs enough privilege to read the assessed settings, so treat its credentials and the assessor host accordingly. CIS-CAT version 4 requires JRE 1.8 or higher.
For both CIS-CAT version 3 and version 4, CIS recommends using the most recent available JRE package for the version being used to execute the tool.
Do I have to buy a Java license to use CIS-CAT Pro?
No. CIS-CAT Pro works with OpenJDK, which is free and available at jdk.java.net. OpenJDK will continue to receive security updates.
What if my organization doesn't allow me to use OpenJDK?
If OpenJDK does not meet your organization's needs, Oracle Java releases can be obtained through My Oracle Support (MOS) and other channels by paying a license fee. Organizations that require continued security updates for Java 8 can obtain them from Oracle for a per-server license fee.
If I choose to buy a Java license, how do I keep this cost low?
Assessor v4 offers remote scanning, so Java needs to be installed and maintained on only a single server rather than on every assessed system. This helps keep the cost of maintaining Java low.
What if my CIS-CAT report is not 100% compliant?
A passing score is based on your organization’s requirements and policies. If your organization can implement all of the security settings without negatively impacting your business applications or end users, then they should all be implemented. However, successfully implementing every security setting may be considered unrealistic for some organizations.
After a CIS-CAT report is produced and all applicable security recommendations have been implemented according to your organization's requirements, include an exception report that documents, for each recommendation left unapplied, why it was not applied. CIS-CAT Pro users may also customize the recommendations to meet organizational requirements, either through the tailoring functionality in CIS WorkBench or by manually editing the XCCDF content of a particular CIS Benchmark.
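As an added example (not CIS-CAT's own code or report format), the following Python script reads an XCCDF 1.2 result document, the SCAP format that CIS-CAT and other assessors write, and turns every rule that did not pass into the skeleton of such an exception register. The result document is constructed inline with made-up rule ids; the pass percentage it computes is the example's own pass/(pass+fail) figure and is shown alongside whatever score the tool recorded in the file.

```python
"""Build an exception register from an XCCDF 1.2 result file.

Added example, not CIS-CAT code. Each <rule-result> inside <TestResult>
carries one outcome (pass, fail, error, unknown, notapplicable, ...);
rules that did not pass need either a remediation ticket or a documented
exception. The document below is constructed for this example.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# Constructed sample result: two pass, two fail, one not applicable.
SAMPLE_RESULT = f"""<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="{XCCDF_NS}" id="xccdf_org.example_benchmark_demo">
  <Rule id="xccdf_org.example_rule_1.1.1" severity="high">
    <title>Ensure /tmp is a separate partition</title>
  </Rule>
  <Rule id="xccdf_org.example_rule_1.1.2" severity="medium">
    <title>Ensure nodev option set on /tmp partition</title>
  </Rule>
  <Rule id="xccdf_org.example_rule_5.3.1" severity="medium">
    <title>Ensure password creation requirements are configured</title>
  </Rule>
  <Rule id="xccdf_org.example_rule_5.4.1" severity="high">
    <title>Ensure password expiration is 365 days or less</title>
  </Rule>
  <Rule id="xccdf_org.example_rule_6.1.1" severity="low">
    <title>Audit system file permissions</title>
  </Rule>
  <TestResult id="xccdf_org.example_testresult_demo">
    <rule-result idref="xccdf_org.example_rule_1.1.1"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_1.1.2"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_5.3.1"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_5.4.1"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_6.1.1"><result>notapplicable</result></rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100">50.0</score>
  </TestResult>
</Benchmark>
"""

# Outcomes that need a fix or a written justification.
NOT_PASSED = {"fail", "error", "unknown"}


def parse_results(xml_text):
    """Return ({rule_id: outcome}, {rule_id: (title, severity)}, tool_score or None)."""
    root = ET.fromstring(xml_text)
    ns = f"{{{XCCDF_NS}}}"
    rules = {r.get("id"): (r.findtext("x:title", namespaces=NS) or "", r.get("severity", "unknown"))
             for r in root.iter(ns + "Rule")}
    results = {rr.get("idref"): (rr.findtext("x:result", namespaces=NS) or "").strip()
               for rr in root.iter(ns + "rule-result")}
    score_el = root.find(".//x:TestResult/x:score", NS)
    score = float(score_el.text) if score_el is not None and score_el.text else None
    return results, rules, score


def pass_percentage(results):
    """Example's own metric: pass / (pass + fail); other outcomes are not scored."""
    passed = sum(1 for r in results.values() if r == "pass")
    failed = sum(1 for r in results.values() if r == "fail")
    if passed + failed == 0:
        return 0.0
    return round(100.0 * passed / (passed + failed), 1)


def exception_register(xml_text):
    """One row per non-passing rule, with an empty justification to be filled in."""
    results, rules, _ = parse_results(xml_text)
    rows = []
    for rule_id, outcome in results.items():
        if outcome in NOT_PASSED:
            title, severity = rules.get(rule_id, ("", "unknown"))
            rows.append({"rule": rule_id, "title": title, "severity": severity,
                         "result": outcome, "justification": ""})
    return sorted(rows, key=lambda r: r["rule"])


if __name__ == "__main__":
    results, _, tool_score = parse_results(SAMPLE_RESULT)
    print(f"tool score: {tool_score}  pass/(pass+fail): {pass_percentage(results)}%")
    for row in exception_register(SAMPLE_RESULT):
        print(f"{row['rule']}\t{row['severity']}\t{row['result']}\t{row['title']}\tjustification: ")
```

Rules reported as notapplicable or notselected are deliberately left out of the register; the justification column is what the exception report above asks you to fill in, one line per remaining failure.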
Does CIS-CAT Pro support remote systems?
CIS-CAT Pro v3 remains a host-based configuration assessment tool that runs locally on the system being assessed. Centralized workflows are available for Windows and Linux systems that do not require CIS-CAT or Java to be installed on the systems being assessed. Complete documentation is in the CIS-CAT Pro Assessor v3 user's guide, which can be downloaded from CIS WorkBench (registration required; CIS WorkBench is free to join). If your environment includes a Linux/Unix-based scheduling tool, this type of workflow should implement successfully. CIS-CAT Pro Assessor v4 adds remote assessment of targets reachable over SSH or WinRM, as described above.
Can content for CIS-CAT Pro be customized?
Yes, the content that CIS-CAT Pro uses can be customized, in one of two ways. Alterations can be made through the tailoring functionality within CIS WorkBench, or manually in the XML content, such as the XCCDF or OVAL files in the Benchmarks folder of CIS-CAT Pro Assessor. Customizations range from turning a recommendation on or off to adjusting a recommendation's value to fit your organization, such as minimum password length. Once the edited file is saved, the assessment runs against the modified content and the CIS-CAT report reflects the changes. Keep an unmodified copy of the benchmark and record what was changed, since a report produced against edited content no longer describes conformance to the published CIS Benchmark.
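The customizations described here and in the answer on non-100% compliance above (turning a recommendation off, changing a value such as password length) map onto two XCCDF constructs, <select> and <set-value>. The following added example, which is not CIS-CAT code, shows the XCCDF 1.2 way of expressing them in a separate Tailoring document whose profile extends the benchmark's own profile, and resolves benchmark plus tailoring so you can see what will actually be assessed. The miniature benchmark and all ids are constructed; whether a particular CIS-CAT version accepts a tailoring file or only an edited XCCDF is a question for its user guide, not this page.

```python
"""Tailor a CIS-style XCCDF profile without editing the vendor benchmark.

Added example, not CIS-CAT code. build_tailoring() serializes an XCCDF 1.2
<Tailoring> whose <Profile extends="..."> overrides the parent profile's
<select> and <set-value> entries; effective_profile() applies the profile
chain (parents first, children override) the way XCCDF defines it.
The benchmark below is a constructed miniature with made-up ids.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}
ET.register_namespace("", XCCDF_NS)

# Constructed miniature in the CIS style: rules default to selected="false"
# and the Level 1 profile switches the wanted ones on.
SAMPLE_BENCHMARK = f"""<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="{XCCDF_NS}" id="xccdf_org.example_benchmark_demo">
  <version>1.0.0</version>
  <Profile id="xccdf_org.example_profile_level1">
    <title>Level 1</title>
    <select idref="xccdf_org.example_rule_1.1.1" selected="true"/>
    <select idref="xccdf_org.example_rule_5.3.1" selected="true"/>
    <select idref="xccdf_org.example_rule_9.9.9" selected="false"/>
    <set-value idref="xccdf_org.example_value_minlen">14</set-value>
  </Profile>
  <Value id="xccdf_org.example_value_minlen" type="number">
    <value>14</value>
  </Value>
  <Rule id="xccdf_org.example_rule_1.1.1" selected="false">
    <title>Ensure /tmp is a separate partition</title>
  </Rule>
  <Rule id="xccdf_org.example_rule_5.3.1" selected="false">
    <title>Ensure minimum password length is configured</title>
  </Rule>
  <Rule id="xccdf_org.example_rule_9.9.9" selected="false">
    <title>Rule only selected by a stricter profile</title>
  </Rule>
</Benchmark>
"""


def build_tailoring(tailoring_id, benchmark_href, parent_profile, new_profile,
                    title, selections, values):
    """Serialize a <Tailoring> with one profile that extends parent_profile.

    selections: {rule_id: bool}; values: {value_id: str}.
    """
    ns = f"{{{XCCDF_NS}}}"
    root = ET.Element(ns + "Tailoring", id=tailoring_id)
    ET.SubElement(root, ns + "benchmark", href=benchmark_href)
    # XCCDF requires a <version> with a time stamp; the date is a placeholder.
    ET.SubElement(root, ns + "version", time="2024-01-01T00:00:00").text = "1"
    prof = ET.SubElement(root, ns + "Profile", id=new_profile, extends=parent_profile)
    ET.SubElement(prof, ns + "title").text = title
    for rule_id, on in selections.items():
        ET.SubElement(prof, ns + "select", idref=rule_id, selected=str(on).lower())
    for value_id, val in values.items():
        ET.SubElement(prof, ns + "set-value", idref=value_id).text = str(val)
    return ET.tostring(root, encoding="unicode")


def _profiles(root):
    return {p.get("id"): p for p in root.iter(f"{{{XCCDF_NS}}}Profile")}


def effective_profile(benchmark_xml, tailoring_xml, profile_id):
    """Return (selected rule ids, {value_id: value}) after applying the profile chain."""
    bench = ET.fromstring(benchmark_xml)
    tail = ET.fromstring(tailoring_xml)
    profiles = _profiles(bench)
    profiles.update(_profiles(tail))  # tailoring profiles are visible next to the benchmark's
    ns = f"{{{XCCDF_NS}}}"
    # XCCDF treats a missing selected attribute on a Rule as true.
    selected = {r.get("id"): r.get("selected", "true") == "true" for r in bench.iter(ns + "Rule")}
    values = {v.get("id"): (v.findtext("x:value", namespaces=NS) or "").strip()
              for v in bench.iter(ns + "Value")}

    chain, pid, seen = [], profile_id, set()
    while pid:  # walk the extends chain, guarding against loops and dangling ids
        if pid in seen or pid not in profiles:
            raise ValueError(f"profile {pid!r} missing or cyclic extends")
        seen.add(pid)
        chain.append(profiles[pid])
        pid = profiles[pid].get("extends")
    for prof in reversed(chain):  # parents first, so the tailored profile wins
        for sel in prof.findall("x:select", NS):
            selected[sel.get("idref")] = sel.get("selected", "true") == "true"
        for sv in prof.findall("x:set-value", NS):
            values[sv.get("idref")] = (sv.text or "").strip()
    return {rid for rid, on in selected.items() if on}, values


if __name__ == "__main__":
    tailoring = build_tailoring(
        "xccdf_org.example_tailoring_site", "demo-benchmark.xml",
        "xccdf_org.example_profile_level1", "xccdf_org.example_profile_site",
        "Level 1 with site exceptions",
        {"xccdf_org.example_rule_1.1.1": False},   # documented exception: /tmp stays on the root fs
        {"xccdf_org.example_value_minlen": "16"},  # stricter than the benchmark's 14
    )
    print(tailoring)
    rules, vals = effective_profile(SAMPLE_BENCHMARK, tailoring, "xccdf_org.example_profile_site")
    print(sorted(rules), vals)
```

Because the tailoring lives in its own file, the vendor benchmark stays byte-for-byte as published, and the tailoring file itself doubles as the record of what was changed and why.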
What if the benchmark I am looking for is not available in CIS-CAT Pro?
Unfortunately, if the benchmark you want to assess against is not available in CIS-CAT Pro, the assessment and its documentation will have to be done manually.
If you would like to see other benchmarks included in CIS-CAT Pro, please provide us this feedback in your annual CIS SecureSuite Member survey. CIS product offerings are built and continuously improved through the requests and support of member and community participation.
Why does CIS-CAT Pro Assessor v3 have more CIS Benchmark coverage than CIS-CAT Pro Assessor v4?
CIS-CAT Pro Assessor v4 strives to be a standards-based application focused on vendor-supported technology platforms where OVAL coverage is available. For example, most older benchmarks developed using CIS' proprietary Embedded Check Language (ECL) will not be moved forward into v4 and will eventually be archived due to their age and diminishing relevance. If v3 contains a Benchmark that v4 does not, we encourage you to use v3. Our primary objective in the coming year will be to increase v4’s CIS Benchmark coverage to align with the supported versions of CIS Benchmark content where OVAL coverage exists.
Can CIS-CAT Pro be used to audit mobile device configurations?
CIS-CAT Pro is not currently built to assess mobile device configurations. CIS Benchmarks are available for download through CIS WorkBench for various mobile platforms and can be audited, configured and remediated manually.
I have run CIS-CAT Pro and identified my areas of improvement. Now what?
CIS has developed remediation kits in an effort to save our members time and effort when remediating failed settings or recommendations identified in the CIS-CAT Pro report. Instead of manually remediating each failed setting, CIS remediation kits contain automated content to streamline this process.
For Windows, this automated content takes the form of Group Policy Objects (GPOs), available to CIS SecureSuite Members via CIS WorkBench. Once downloaded, unzip the GPOs and import them in your Group Policy Management Console. The GPOs are not read-only, so they can be customized. Then link the GPO to the appropriate organizational units or individual machines and push the configuration policy out; the domain members in scope will be reconfigured to comply with the benchmark's recommended settings. Apply it to a test OU first, since some settings can affect business applications or end users (see the note on 100% compliance above).
For UNIX and Linux environments, our remediation kits take the form of basic shell scripts that can be run on the machine directly or through a tool of your choice. Run the script that corresponds to the CIS Benchmark profile you intend to configure against, and it will apply the benchmark's secure settings. We recommend reviewing the README files accompanying the scripts, as they describe items the automated shell script cannot remediate, such as partitioning file systems or limiting root access.
Want to learn more?
Join our next webinar to see CIS-CAT demonstrated by a developer.
Still have questions? Contact us