Benchmark Audit Tools

CIS offers a variety of audit tools for assessing compliance with CIS Benchmarks.

 

The CIS-CAT Benchmark Audit Tool

CIS offers its members the CIS Configuration Audit Tool (CIS-CAT), a Java-based tool that compares the configuration of target IT systems to CIS Benchmarks and reports conformance scores on a scale of 0-100. CIS-CAT is a SCAP-validated FDCC Scanner.

CIS-CAT gives IT and security professionals a fast, detailed assessment of target systems' conformance to CIS Benchmarks. By discovering any lack of conformance to CIS Benchmarks, CIS-CAT offers enterprises a powerful tool for analyzing and monitoring the security status of information systems and the effectiveness of internal security processes.

CIS-CAT Report Summary
A CIS-CAT Report Summary tallying the scores for the various sections of a Benchmark. Benchmark rules may produce a pass (P), fail (F), or error (E). Rules flagged as (i) are informational only. See the User's Guide for more information about Benchmark scoring.

Capabilities

Using CIS-CAT, CIS Members can:

  • Routinely audit the configuration of production systems compared to the CIS Benchmarks and internal security policies.
  • Create standard configuration images for hardening systems prior to deployment.
  • Improve security awareness by comparing the security of "out-of-the-box" systems and hardened systems.
  • Audit and monitor multiple systems simultaneously by integrating CIS-CAT with system management utilities.

CIS-CAT Checklist
A CIS-CAT Checklist reporting the specific items on which the target system passed or failed a conformance test against the relevant CIS Benchmark. Items are marked as pass (P), fail (F), or not scored for this target system (?). The 1.0 indicates a Benchmark rule weighting; currently all Benchmark rules have the same weighting, which is 1.0.

Technical Details

CIS-CAT is a host-based configuration assessment and audit tool. It includes both a command-line interface (CLI) and a graphical user interface (GUI). To support the broadest possible portability, CIS-CAT is a Java application and requires JRE v1.5 or later.

CIS-CAT and its JRE can reside on a target system or on any network drive or removable drive that has network access to the target system being assessed.

CIS-CAT currently supports the following Benchmarks:

  • Apache Tomcat Benchmark v1.0.0
  • Apple OSX 10.5 Benchmark v1.0.0
  • Debian Linux Benchmark v1.0.0
  • HP-UX 11i Benchmark v1.4.2
  • IBM AIX 4.3-5.1 Benchmark v1.0.1
  • Microsoft Windows 2003 MS DC Benchmark v2.0.0
  • Microsoft Windows XP Benchmark v2.0.1
  • Microsoft Windows Server 2008 Benchmark v1.0.0
  • Microsoft Windows 7 Benchmark v1.0.0
  • Mozilla Firefox Benchmark v1.0.0
  • Oracle Database 11g Benchmark v1.0.1
  • Oracle Database 9i-10g Benchmark v2.0.1
  • RedHat Enterprise Linux 4 Benchmark v1.0.5
  • RedHat Enterprise Linux 5.0-5.1 Benchmark v1.1.2
  • Slackware Linux 10.2 Benchmark v1.1.0
  • Solaris 10 1106-10 0807 Benchmark v4.0.0
  • Solaris 10 Benchmark v2.1.3
  • Solaris 2.5.1-9 Benchmark v1.3.0
  • SUSE Linux Enterprise Server 10 Benchmark v2.0.0
  • SUSE Linux Enterprise Server 9 Benchmark v2.0.0
  • VMware ESX 3.5 Benchmark v1.2.0

CIS-CAT can read customized input files to allow members to compare the configuration of their systems with both the CIS Benchmarks and their customized configuration policies. This feature is enabled by user modification of the Benchmark XCCDF files.

SCAP Validation as an FDCC Scanner

CIS-CAT has been awarded NIST Security Content Automation Protocol (SCAP) Validation as a Federal Desktop Core Configuration (FDCC) Scanner. It supports the following content distributed from the NIST FDCC Repository:

  • FDCC for Windows XP
  • FDCC for Vista

Details are available on the NIST Web site.

Availability

The CIS-CAT Audit Tool is available only to CIS Members. Members can download CIS-CAT from the CIS Members Web site.

To learn about becoming a CIS Member, click here.

For More Information about CIS-CAT

CIS-CAT User's Guide (PDF)

CIS-CAT Data Sheet (PDF)

Email CIS

Other Audit Tools

In addition to CIS-CAT, CIS also distributes four other audit tools:

  • Router Audit Tool (RAT)
    CIS RAT assesses target devices for conformance with the CIS Benchmarks for Cisco Router IOS and Cisco PIX firewalls. The installation package for the tool includes benchmark documents (PDF) for both Cisco IOS and Cisco ASA, FWSM, and PIX security settings.
    NOTE: CIS RAT is out of date with the current CIS Cisco Benchmarks. A new, updated version of the tool is under development. Until the new version is released, RAT will remain an unsupported tool.

    A new Beta Version of RAT is available! Click "Join Project" under the Router Audit Tool Project here to get involved.

  • Apache Benchmark Tool
    The Apache Benchmark Tool assesses target systems for conformance with the CIS Benchmark for Apache Web Servers.
    NOTE: The Apache Benchmark Tool does not reflect the latest CIS Apache Benchmark. A new, updated version of the tool is under development. Until the new version is released, the Apache Benchmark Tool will remain an unsupported tool.
  • Oracle 8i Benchmark Tool
    The Oracle 8i Benchmark Audit Tool operates on Windows, Linux, and SPARC Solaris platforms and evaluates Oracle 8i instances against CIS Oracle 8i Benchmark v1.2.0.
    NOTE: The Oracle 8i Benchmark Tool does not reflect the latest CIS Oracle Benchmark. A new, updated version of the tool is under development. Until the new version is released, the Oracle 8i Benchmark Tool will remain an unsupported tool.
  • UNIX Audit Tools
    The UNIX Audit Tools are script-based tools that evaluate Solaris, FreeBSD, and HP-UX systems.
    NOTE: The UNIX Audit Tools do not reflect the latest CIS Benchmark guidance for their respective platforms. New, updated versions of these tools are under development. Until the new versions are released, the UNIX Audit Tools will remain unsupported.

CIS-CAT is the only software tool that CIS currently supports.
