CIS-CAT Pro Dashboard User's Guide

Introduction

CIS-CAT Pro Dashboard is a companion application for CIS-CAT Pro Assessor. The application features a database back end for storing individual assessment results for target systems. Using CIS-CAT Pro Dashboard is a great way to visualize assessment results. Dashboards show configuration assessment results over time with the ability to drill down to individual results. Navigate from a high-level graphical overview of environmental compliance with CIS Benchmarks to the individual assessment results that produce a compliance score. When viewing these individual assessment results, create exceptions for certain rules along with a reason for the exception. This removes the rule from compliance scoring as long as the exception is active, while providing supporting evidence for auditors as to why the rule was excepted. The application also offers a Remediation Report, for an operator only concerned with "failure" results of a given assessment, and a Complete Results Report, to provide auditors with the complete assessment results of a given endpoint or group of endpoints. Users can also view CIS-CAT assessment results through the lens of the CIS Controls with the Controls View of assessment results. CIS-CAT Pro Dashboard provides users with the capability to tag target systems (endpoints) in order to group them together for aggregation onto these dashboards and reports. This guide is intended to assist CIS Members with deployment, configuration, and use of the Dashboard application.

Deployment

CIS-CAT Pro Dashboard is a companion application to CIS-CAT Pro Assessor. CIS-CAT collects and evaluates system characteristics as described by the CIS Benchmark content. CIS-CAT traditionally provided assessment results in various report formats, including HTML, XML, CSV, and plain text. CIS-CAT can now upload its assessment results to the web-based Pro Dashboard application using a REST API. CIS-CAT Pro Dashboard will import these XML document-based results into its application database. This section describes how to configure the web application in your environment, as well as how to configure CIS-CAT to send assessment results to the Pro Dashboard application.

CIS-CAT Pro Dashboard Deployment

See here for Linux: CIS-CAT Pro Dashboard Deployment

See here for Windows: CIS-CAT Pro Dashboard Deployment

User Administration

CIS-CAT Pro Dashboard leverages Spring Security to manage authentication and access rights for application users. Within the application an administrator can create new users, create new user roles, assign multiple user roles to each user, and assign access rights for various functionality to those roles. This section describes how to administer CIS-CAT Pro Dashboard users and security.

Users

To create a new User in CIS-CAT Pro Dashboard you need to log in as an administrator.

Log in as an administrator. (NOTE: By default the user "admin", with the password "@admin123", has ROLE_ADMINISTRATOR and ROLE_BASIC_USER.) Navigate to the Administration -> User Management -> User menu item. This will navigate to the User List.

  • Creating a New User - On the user list, click the New User button. On the create user screen, enter a first and last name for the user, a required unique username, and a password. The password must contain at least one letter, one number, and one special character (!@#$%^&), and be between 8 and 64 characters in length. By default all users have the ROLE_BASIC_USER and ROLE_USER roles.
  • Note that the password you enter is temporary; the user will be asked to change it during their initial login.
  • View an existing User - To view an existing user, click on the user's row in the table; this navigates to the User view page. From there you can see the details about the user, as well as edit or delete the user.
  • Editing an existing user - Once you've clicked on an existing user and navigated to the view page, you can edit that user by selecting the Edit button. On the edit page you can change the user's first and last name, expire the user's password, enable/disable their account, or change their user roles.
  • Deleting a user - Once you've navigated to the User view page you can delete a user by selecting the Delete button. A confirmation message will appear so you can ensure you want to delete the user. Once you click "Yes", the user will be deleted.

NOTE: If LDAP is integrated with CCPD, user creation is no longer accessible from the user list. Once the user is authenticated against LDAP from CCPD, roles and user properties such as first name, last name and email are imported from LDAP. If the user doesn't exist in CCPD (based on username), a user account is created on the fly and granted the basic user roles (ROLE_BASIC_USER and ROLE_USER) by default, plus any additional LDAP roles. With LDAP integration, when you edit a user, only enable/disable account is accessible. Password and user properties are managed from LDAP.

Roles

Roles in CIS-CAT Pro Dashboard are assigned to users, and allow access to functionality. The role section is used for creating new roles, but you will need to add them to users and to Functional Areas in order for them to control access meaningfully.

NOTE: when creating a new role, you must prefix the name you choose with "ROLE_", otherwise the role will not be recognized by Spring Security.

A specific Role which has significance in a CIS-CAT Pro Assessor/Dashboard hybrid environment is the "ROLE_API" role. This role is built in to an out-of-the-box CIS-CAT Pro Dashboard deployment and must exist in order to use CIS-CAT to upload results to the Dashboard application. Once a user is assigned the "ROLE_API" role, the User's information page will display a button labeled "Generate CIS-CAT Authentication Token".

Clicking the button will open a dialog box where the user is required to enter the "ROLE_API" user's credentials. Once that user has been re-authenticated, the token is generated and displayed on the page. That token can now be incorporated into CIS-CAT, as per the instructions below, under "Importing CIS-CAT Assessor Results - CIS-CAT Import".

Security Functional Areas

Functional Areas are groups of functionality that are assigned to Roles to give them meaning. Each functional area covers a specific group of functionality within CIS-CAT Pro Dashboard. By default these are: Reports, Dashboards, Target Systems, System Administration, API, and Developer. These areas individually encompass the functionality within the menu options at the top of the CIS-CAT Pro Dashboard application.

Functional Areas can be administered through the Roles interface. When you select a Role from the Role List, you are taken to the show Role page. Here you can add or remove users' access to this role, and you can add or remove the functional areas that this role allows access to.

System Settings

There are a variety of configuration items that can be customized via System Settings. To modify these values you can navigate to the System Settings via the administration menu:

This will navigate you to the System Settings List, where you can modify the values of the settings:

| Setting Name | Description | Values |
|---|---|---|
| legacy.sourceDir | Path to a directory that the dashboard uses in file processing after uploads. | A valid path on the application server |
| legacy.processedDir | Path to a directory where the dashboard stores successfully imported XML files. | A valid path on the application server |
| legacy.errorDir | Path to a directory where the dashboard stores XML files that failed to import correctly. | A valid path on the application server |
| legacy.processedRetentionNumber | The number of files that will be retained in the legacy.processedDir folder. The directory is purged down to this number after each new upload. | Any integer greater than 0 |
| primarySystemIdentifierType | The type of identifier used for target systems everywhere targets are listed in the Dashboard application. See the Primary Identifier Type section of this document for more details. | System Identifier Types |
| vulnerabilityFailuresOnly | When importing vulnerability reports, if this is true the system will only import failures, which improves performance and saves space. | true or false |
| vulnerabilityWarningAge | The number of days old a vulnerability has to be before the warning is displayed on the vulnerability report. See the Vulnerability Report section of this document for more details. | Integer number of days |
| vulnerabilityHighThreshold | The CVSS score that categorizes vulnerabilities as High on the report and in the dashboard. Scores above this value are considered High Impact. The default value is 7. | Number between 0-10 |
| vulnerabilityLowThreshold | The CVSS score that categorizes vulnerabilities as Low on the report and in the dashboard. Scores below this value are considered Low Impact. The default value is 4. | Number between 0-10 |
| displayDBNameInPrimary | Display the Database Name target system identifier in the target system Primary ID, for target systems with Database Benchmark results. | true or false |
| alert.lowScoreThreshold | Threshold for producing the "Low Score Alert" when test results are imported. Default is 80. | Number between 0-100 |
| admin.password.expirationDays | The number of days before a user's password will expire. | Number of days |
| admin.maximumFailedLogonAttempts | The number of failed login attempts before an account is locked. | Number |
| dashboard.height | The height of the dashboard graphs, in pixels. | Number |
| dashboard.width | The width of the dashboard graphs, in pixels. | Number |
| testResult.score.high | The percentage score at which a group of recommendations appears in green on the assessment results, indicating high compliance. | Number between 0-100 |
| testResult.score.medium | The percentage score at which a group of recommendations appears in yellow on the assessment results, indicating moderate compliance. | Number between 0-100 |
| testResult.score.low | The percentage score at which a group of recommendations appears in orange on the assessment results, indicating poor compliance. Scores below this appear in red, indicating very poor compliance. | Number between 0-100 |
| alert.diffScoreThreshold | Threshold for producing the "Test Result Diff Alert" when test results are imported and the score goes down compared to the previous score (same machine/benchmark/profile). The value is the score difference between the two test results. Default is 0. | A percentage between 0-100 |
| controls.version.default | Set your preferred CIS Controls default view. | CIS Controls version |
| delete.assessment.start.time | Sets the start time at which the job that permanently deletes flagged report(s) begins processing. A routine database backup process is recommended. Both the start and end time must be set to whole integers from 0 to 23; any other value, such as -1, disables the job. | A whole integer from 0 to 23 |
| delete.assessment.end.time | Sets the end time at which the job that permanently deletes flagged report(s) stops processing. A routine database backup process is recommended. Both the start and end time must be set to whole integers from 0 to 23; any other value, such as -1, disables the job. | A whole integer from 0 to 23 |

Logging In/User Profile

When a user first navigates to CIS-CAT Pro Dashboard, they are asked to log into the system. If a user account has been created for that user, they will initially be asked to reset their password following a successful login.

Once the user configures their password, they are asked to re-login using those new credentials. Once logged in with updated credentials, the user is taken to the "Overview" Dashboard view. In the top right-hand corner of the application now resides the display of the logged-in user's username:

Clicking on the username, a menu will appear, showing the user options for controlling their user account, such as editing their user profile, or logging out of the application:

Click on the Profile link to navigate to the user's profile:

The User's profile screen shows account and role information, as assigned by an administrator. From this screen, an individual user may change their password, or edit the profile fields they are permitted to change. Clicking the Change Password button opens a dialog box allowing the user to enter and confirm new credentials to be used when logging in to CIS-CAT Pro Dashboard:

Validations exist when users change their credentials. The passwords entered must match, and the new password must be between 8 and 64 characters in length and include at least one uppercase letter, one lowercase letter, a numeric character, and at least one special character, such as "!@#$%^&". Clicking the Edit Profile button from the user's profile opens a dialog allowing the user to make changes to their information. This information is limited because many user changes should only be performed by an administrator, such as editing user roles or activating/deactivating a user's account.

Making changes to this dialog and clicking Save will update the user's information.

The user profile screen also features a list of Alerts that the user is currently subscribed to, as well as why they are subscribed to that alert type:

From this list users can choose to opt out of any of the alert types that they are receiving.

NOTE: If LDAP is integrated with CCPD, the "Change Password" and "Edit Profile" buttons are no longer available, nor are some user account properties. Password and profile attributes (first name, last name, email) are managed and retrieved from LDAP.

User Favorites

Clicking on the username, a menu will appear, showing the user options for controlling their user account, such as editing their user profile, user favorites or logging out of the application:

Click on the Favorites link to navigate to the user favorites:

Users can maintain a list of preferred benchmarks and target systems.

In this page, you can add/delete favorite benchmarks as well as favorite target systems.

In Benchmark view (Dashboards), you can select benchmarks from your list of favorite benchmarks that you would like to see results for. This is the same for Target System view.

User Inbox

The User Inbox contains all of the alerts/tasks assigned to the user. Simply click on the Inbox item on the menu bar to navigate to the inbox:

The bubble next to the Inbox will indicate how many unread messages you have.

The inbox features several views, which can be navigated to using the tabs on the left-hand side:

  • Inbox - has all new alerts and tasks that have not been deleted or completed. Unread messages appear in white with bold text. You can also toggle between all inbox messages and just the unread messages. This contains all alert types except Tasks.
  • My Tasks - contains tasks. You can toggle between open and closed tasks. Closed tasks already have had their action(s) completed and no longer require work by the user.
  • Trash - contains deleted messages

Clicking on the messages in any of the lists will pop up a dialog displaying the message. Clicking on the delete button in the list will move the message to the trash folder.

Sending Manual Alerts

You can send a custom alert to any user or group of users in the system by clicking the Send button:

This will open the manual alert dialog, from here you can select the recipients you want and add a title and message to the alert:

When complete, click "Send" and your message will go to the inboxes of the selected recipients.

Alert Types - There are several different types of messages that you can receive in your inbox:

  • Task - A task has an action that you need to perform in order to close it. When you open a Task, there will always be one or more Actions you can take to close the task. These will appear in the "My Tasks" tab.
  • Alert - An alert informs you of a system event directly related to you, such as the completion of an upload you initiated.
  • Event - An event informs you of an occurrence in the system that you need to be informed of.
  • Manual - A manual message was sent directly to you by another user.

Alert Management

In the Administration menu there is an option for Alerts.

This will navigate to the alert list, where you can select an alert to bring up the show Alert page where alerts can be managed.

The important feature of this page is the configurable recipient list. This shows all the users that are configured to receive the alert and why they receive it: either directly, through a role they have been assigned, or through a tag they have been assigned. Administrators can then use the Receiving Users, Receiving Roles, and Receiving Tags lists to manage who will receive an alert.

The Recipient list also shows which users have opted out of the alert type.

NOTE: A user will only receive one instance of an alert, even if they are included in the recipient list by multiple criteria, i.e. if they have a tag and a role that both include them in the recipient list, they will still only receive one alert.

Primary Identifier Type

When assessment results are imported, CIS-CAT Pro Dashboard creates a new target system to represent the assessed endpoint. Subsequent imports for the target will be associated with the same target system. The assessment results contain several different identifier types that are imported. By default, target systems within CIS-CAT Pro Dashboard are primarily identified by hostname. This means that wherever you see a target system in a list or a search result, the identifier you see is the hostname. The primary identifier can, however, be configured, either at the CIS-CAT Pro Dashboard application level or on each individual target system.

To change the primary identifier type at the CCPD application level, navigate to the System Settings option in the Administration menu:

Once on the System Settings page, find the "primarySystemIdentifierType" option:

Click on the edit action to bring up the Primary System Identifier Type dialog:

Select the ID type from the drop-down, then choose how existing data should be handled:

  • Leave Existing Values - This option leaves all the existing target systems as they are. Going forward, new systems that are imported will receive the new primary ID type.
  • Change Primary Only - This changes the primary identifier type on target systems whose primary ID is the same as the current default system primary ID type. Targets whose primary ID is set to other types remain unchanged.
  • Change All - This changes all of the existing primary ID types to the new type, regardless of system-level customization.

NOTE: If a target system does not have an identifier of the new primary identifier type, then the Change Primary Only and Change All options will leave the existing primary identifier on that target system.

Custom Identifier types

CIS-CAT Pro Dashboard has several identifier types that are imported with test results: hostname, fqdn, ip4, ip6, and MAC Address. An organization can add custom identifier types via the System Identifier Type Administrative menu option:

Once on the System Identifier Type screen you can add additional types:

The Display value is how the ID type appears on screen; the Code is a backend value for referring to the identifier in code.

Once this type is in the system, you can begin assigning it to target systems via the Add Identifier button on the Target System screen:

The add identifier dialog allows you to select a type, enter a value, and determine whether this is the primary Identifier for this specific target system:

A target system must always have one and only one primary identifier. As such, if you assign an identifier as primary, all other identifiers marked primary will be marked as non-primary automatically.

You can pass a custom identifier in to the CCPD from the CIS-CAT Pro Assessor by using the system.identifier.ciscat.primary argument.

  1. First you need to follow the steps above to create a custom identifier type with a code of: ciscat.primary. The display value can be whatever you want. If you want this to be used to identify the target everywhere in the CCPD application, then mark this type as primary.
  2. Open the "cis-cat-centralized-ccpd.sh" script in a text editor. Line 115 of the script sets the AUTHENTICATION_TOKEN used for upload to CCPD. Add the following line after it:

    PRIMARY_IDENTIFIER='<Primary_Identifier>'

    Replace the <Primary_Identifier> placeholder with the actual identifier to be passed to CCPD.

  3. Navigate to the configuration of the "CISCAT_CMD" variable. It looks like this:

    CISCAT_CMD="$JAVA_HOME/bin/java -Xmx768M -jar $CISCAT_DIR/CISCAT.jar $CISCAT_OPTS"

    Add an additional option to set the property:

    CISCAT_CMD="$JAVA_HOME/bin/java -Xmx768M -jar $CISCAT_DIR/CISCAT.jar $CISCAT_OPTS -D system.identifier.ciscat.primary=$PRIMARY_IDENTIFIER"

  4. This configures the same identifier for all systems that execute via this script. If each system requires a distinct primary identifier, set an environment variable on each machine and reference it in the "cis-cat-centralized-ccpd.sh" script instead of a literal value:

    PRIMARY_IDENTIFIER=$ENV_VAR_IDENTIFIER
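An added example (not part of the CIS-CAT scripts or this guide) of the per-machine variant in step 4: the identifier is read from an environment variable and the wrapper refuses to compose the command when it is empty or malformed, so no result is uploaded under a blank or unexpected identity. The variable name CISCAT_PRIMARY_ID, the allowed character set and the default paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the CIS-CAT distribution: resolve the value for
# system.identifier.ciscat.primary from an environment variable and fail
# closed when it is unusable.

# resolve_primary_identifier VALUE
#   Echoes VALUE when it is a usable identifier; returns 1 otherwise.
resolve_primary_identifier() {
  id=$1
  # Refuse an empty identifier rather than let the upload proceed with an
  # undefined identity that CCPD would have to match to a target itself.
  [ -n "$id" ] || return 1
  # Conservative character set (assumption: adjust to what your asset
  # inventory actually issues). Rejects whitespace and shell metacharacters.
  case $id in
    *[!A-Za-z0-9._-]*) return 1 ;;
  esac
  printf '%s\n' "$id"
}

# build_ciscat_cmd IDENTIFIER
#   Prints the CISCAT_CMD line from step 3 with the identifier property
#   appended. JAVA_HOME, CISCAT_DIR and CISCAT_OPTS come from the environment,
#   as in the script; the fallback paths here are placeholders.
build_ciscat_cmd() {
  id=$(resolve_primary_identifier "$1") || return 1
  java_home=${JAVA_HOME:-/usr/lib/jvm/default}
  ciscat_dir=${CISCAT_DIR:-/opt/cis-cat}
  printf '%s\n' "$java_home/bin/java -Xmx768M -jar $ciscat_dir/CISCAT.jar $CISCAT_OPTS -D system.identifier.ciscat.primary=$id"
}

# Per-machine use, as in step 4: the identifier is taken from an environment
# variable (name assumed) instead of being hard-coded in the script.
PRIMARY_IDENTIFIER=${CISCAT_PRIMARY_ID:-}
if CISCAT_CMD=$(build_ciscat_cmd "$PRIMARY_IDENTIFIER"); then
  echo "would run: $CISCAT_CMD"
else
  echo "refusing to run CIS-CAT: CISCAT_PRIMARY_ID is empty or malformed" >&2
fi
```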

System Integrations

CIS-CAT Pro Release alerts

After establishing a connection with CIS WorkBench, CIS-CAT Pro Dashboard will check CIS WorkBench daily at 5PM for the availability of a new release of CIS-CAT Pro.

If a new CIS-CAT Pro release is available, the following alert will appear in the inbox:

The alert provides the bundle title, version, description, hashes, and release date.

The alert also provides a link to download the latest bundle directly.

Connection Error Alerts

Error alerts will appear in the inbox when the connection between CIS-CAT Pro Dashboard and CIS WorkBench is not successful.

Examples of alerts you might receive:

  1. SecureSuite membership status changed:

  2. CIS WorkBench Api client cannot be found:

Importing CIS-CAT Assessor Results

In-Application Import

Importing CIS-CAT Assessor results using the CIS-CAT Pro Dashboard user interface assumes that a user has executed a CIS-CAT assessment and produced the Asset Reporting Format (ARF) results. Once an ARF has been generated in CIS-CAT and saved to the designated reports location, open a web browser and log into the Dashboard application. From the main navigation bar, select Reports -> Assessment Results List.

The "Assessment Results List" page will be displayed. Click the "Import Assessment Results" button. A file selection dialog will open, allowing the user to browse to the saved reports location and select the CIS-CAT-generated ARF or XML report.

Click "Upload" to start the import process. Note that the import processes asynchronously, so the user will see a message indicating that the report upload has begun. This process can take up to a few minutes to complete.

This process is asynchronous, so after you start the import you can navigate away from the Assessment Results list. When the import process is complete you will receive one or two of the following alerts:

  • Successful Import - when the import is finished, the user who requested the upload will receive an alert that their report was successfully uploaded. If the upload was initiated via the CIS-CAT Assessor API upload or the Legacy method, this alert is not generated.
  • Failed Import - similar to the successful import alert, the requesting user will receive this alert if the import process fails.
  • Low Score Alert - if the score of a report imported by any method is below the system-wide threshold, the users on the recipient list for the low score alert will receive an alert. By default, the low score threshold is 80%. This threshold can be configured with the alert.lowScoreThreshold System Setting.

CIS-CAT Import

Importing Asset Report Format (ARF) results from CIS-CAT assumes that the CIS-CAT Deployment instructions have been completed. The end result of that configuration is that a user has been created in CIS-CAT Pro Dashboard, been assigned to the "ROLE_API" role, and an authentication token has been generated.

Once generated, that authentication token must be added to the CIS-CAT properties file in order for automated upload to function.

CIS-CAT Pro Assessor v3

ciscat.properties:

# Allow for an authentication token to be generated in "CIS-CAT Pro Dashboard", allowing upload of
# generated ARF reports to the new database application.
ciscat.post.parameter.ccpd.token=m9i0o2lrqno60dlq49qlln6gqrj2l7kt

CIS-CAT Pro Assessor v4

assessor-cli.properties:

# Allow for a "bearer" token to be generated in CIS-CAT Pro Dashboard, allowing upload of
# generated ARF reports to the new database application.
ciscat.post.parameter.ccpd.token=m9i0o2lrqno60dlq49qlln6gqrj2l7kt

Save the property file and execute CIS-CAT.

Graphical User Interface (GUI)

When executing the CIS-CAT GUI, users will select a benchmark and profile, and subsequently be navigated to the "Report Output Options" screen. To upload reports to CIS-CAT Pro Dashboard, a user may select EITHER the XML results or the Asset Report Format to be generated. At the bottom of the "Report Output Options" screen, click the button to "POST Reports to URL". When clicked, a dialog box will open allowing users to select the URL to which the generated report is uploaded.

NOTE: The CIS-CAT Pro Dashboard API is "resource-based" and, as such, only a specific URL pattern can be entered. This pattern will always end with "/api/reports/upload". For example, if the context URL for a member's CIS-CAT Pro Dashboard deployment is http://myapp.example.com/CCPD, the URL for reports upload will always be http://myapp.example.com/CCPD/api/reports/upload.

Command Line User Interface (CLI)

To enable the CIS-CAT Command Line to import results directly into CIS-CAT Pro Dashboard the following options are used:

-arf : This option indicates that CIS-CAT will generate the Asset Reporting Format (ARF) results
-n   : This option indicates that CIS-CAT should NOT generate the HTML report
-u   : This option allows users to specify the URL to which ARF reports will be uploaded.  This is the CIS-CAT Pro Dashboard URL
-ui  : This optional argument allows users to ignore any certificate warnings/errors when connecting to the CIS-CAT Pro Dashboard URL. Because it disables the TLS certificate check on the upload connection, reserve it for troubleshooting rather than routine scheduled uploads.

For example, assessing and uploading the Windows 7 Benchmark would look like:
> CIS-CAT.bat -b benchmarks\CIS_Microsoft_Windows_7_Benchmark_v3.0.0-xccdf.xml -arf -n -u http://myapp.example.org/CCPD/api/reports/upload -ui

Legacy Data Import

To help facilitate organizations migrating from static CIS-CAT dashboards and reporting to storing assessment results in CIS-CAT Pro Dashboard, a legacy data import process has been developed. This process is configured as a recurring job running in the background of a CIS-CAT Pro Dashboard installation. Users are required to configure 3 folder locations:

  1. The "Legacy" Folder: This folder will be the location for all CIS-CAT XML results to be placed, as the staging area for results waiting to be imported into CIS-CAT Pro Dashboard
  2. The "Legacy Processed" Folder: This folder will be the location for all CIS-CAT XML results which have been successfully imported into CIS-CAT Pro Dashboard from the staging area.
  3. The "Legacy Error" Folder: This folder will be the location for any CIS-CAT XML results which were not successfully imported into CIS-CAT Pro Dashboard.

These folder locations are set in the application's System Settings using the following properties: legacy.sourceDir, legacy.processedDir, and legacy.errorDir.

Target Systems

Creation

Target Systems represent endpoints in your environment that have assessment data within CIS-CAT Pro Dashboard. There are several ways to create target systems within the application:

  1. Import - The section above describes the CIS-CAT data import processes. The assessment results produced by CIS-CAT relate to a specific Target System. On import, CIS-CAT Pro Dashboard checks the existing target systems to see if the relevant Target already exists within the system. If not, CIS-CAT Pro Dashboard creates a new Target System and associates the imported assessment result with that new Target. If the Target System already existed, based on the Hostname identifier, the application associates the imported result with the existing Target.
  2. Online Entry - From the main application menu bar, users can navigate to the Target Systems List:

Once there, you can select the "New Target System" button, which will open the creation dialog:

Simply enter the Hostname and click Add Target, this will create a new target system.

v1.1.3 Data Conversion

v1.1.3 of the CIS-CAT Pro Dashboard introduced a new data model for storing configuration and vulnerability assessment results. The new model significantly reduces the number of records stored in the database on import and offers performance improvements to many aspects of assessment processing: import, export, and delete. Assessments that existed in CCPD implementations prior to the release of v1.1.3 are not converted automatically. The conversion process can be long and intrusive if the implementation has many reports. Existing reports can be left as is, but will continue to have the same performance characteristics as before. In order to take advantage of the new data model, these reports must be converted. This can be done on a one-off basis from the Target System's Configuration Assessment or Vulnerability Assessment tab:

Pre-v1.1.3 reports will have their Converted Column set to "No". In order to convert them, select the Convert Action from the Actions column. The report will convert asynchronously and be available in a few minutes.

For a more system-wide approach to conversion you can use the new system settings auto.convert.start.time and auto.convert.end.time. By default these are both -1, but if you set them to an hour between 0 and 23 (0 being midnight) the system will automatically convert as many reports as it can in the time frame specified. For example, if you set the start time to 22 and the end time to 6, the system would convert assessments between the hours of 10pm and 6am each night, until all of the existing assessments were converted.

All assessments imported after the implementation of v1.1.3 come into the system using the new data model, and are shown as converted throughout the application.
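As an added example (not code from the guide or the product), the hour-window logic that the paired settings above describe, for both auto.convert.start.time/end.time here and delete.assessment.start.time/end.time in System Settings. The half-open interpretation of the window (start inclusive, end exclusive) and the empty window for equal start and end are assumptions; the guide only states the 22-to-6 example.

```shell
#!/bin/sh
# Added example, not from the guide: evaluate whether a given hour falls inside
# a start/end job window such as auto.convert.start.time / auto.convert.end.time.

# valid_hour VALUE: true when VALUE is a whole number from 0 to 23.
valid_hour() {
  case $1 in
    ''|*[!0-9]*) return 1 ;;   # rejects -1, blanks and non-numeric text
  esac
  [ "$1" -ge 0 ] && [ "$1" -le 23 ]
}

# in_window START END HOUR: true when HOUR lies inside the job window.
# Assumption (the guide does not say): the window is half-open, [START, END),
# so start 22 / end 6 covers hours 22, 23, 0, 1, 2, 3, 4 and 5, wrapping past
# midnight. Any START or END outside 0-23 (the guide's example is -1)
# disables the job, so the function reports "not in window" for every hour.
in_window() {
  start=$1 end=$2 hour=$3
  valid_hour "$start" && valid_hour "$end" && valid_hour "$hour" || return 1
  if [ "$start" -lt "$end" ]; then
    # Same-day window, e.g. 1 to 5.
    [ "$hour" -ge "$start" ] && [ "$hour" -lt "$end" ] && return 0
  elif [ "$start" -gt "$end" ]; then
    # Overnight window, e.g. 22 to 6: late evening or early morning.
    { [ "$hour" -ge "$start" ] || [ "$hour" -lt "$end" ]; } && return 0
  fi
  return 1   # equal start and end: empty window, the job never runs (assumption)
}

# The guide's own example: start 22, end 6.
for h in 21 22 3 6; do
  if in_window 22 6 "$h"; then
    echo "hour $h: conversion job runs"
  else
    echo "hour $h: conversion job idle"
  fi
done
```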

Difference report

The user can compare two Configuration Assessment Results and generate a Difference report. The report highlights configuration changes (rules status and scores), for example when some rules were passing, and are now failing. This feature is accessible from the Target System page:

Clicking on it brings up the following options:

  • Compare with immediate previous result for same profile - If applicable, the selected Assessment Result will be compared to the immediate previous Assessment Result for the same target system, benchmark version and profile.

  • Compare with any other results - This option forwards the user to an intermediate search page. The user can search and select the Assessment Result to compare with.

Then the user is redirected to the Security Configuration Assessment Difference Report page:

Difference report alert

An alert can be sent during the import process if the score of the uploaded Assessment result went down compared to the previous one (same machine/benchmark/profile).

To receive this alert, the user needs to add recipients to the testResultDiff Alert from the Alert List:

The alert.diffScoreThreshold threshold must also be set from the System Settings List. The threshold is zero by default, which means the alert is sent whenever the score goes down by any amount:

For more details about how to manage Alerts, please refer to Alert Management section of this guide.

Assessment Deletion

Both Configuration and Vulnerability Assessments can be deleted from their respective tabs on the Target System. Each row in the Assessment Lists now has a Delete action in the Actions column. When clicked, you will be prompted to confirm the deletion; on confirmation the individual result will be deleted:

Group Target Systems with Tags

CIS-CAT Pro Dashboard allows you to group target systems by assigning user-defined tag names that best fit your organization. A tag name could represent a region, a department, internal/external ownership, functional use, operating systems, etc. Once a tag name has been assigned to a target system, you have the option of creating CIS Benchmark exceptions or utilizing the graphical display of tagged systems in the Dashboard - Tag View.

Regularly reviewing target systems, for example by organizational department or geographical location, helps you focus remediation efforts in the right places.

Assign Tag to a Single Target System

To tag an existing target system individually, navigate to Target Systems in the menu, locate the desired system, and click on the target system's primary identifier in the "Target Primary ID" column.

From within the target system's individual screen, create a new tag by entering a unique string, select an existing tag, or click the "x" on any tag to remove it from the system.

The "Tags" field is available only to users with ROLE_ADMIN. Modifying tag assignment currently affects Benchmark exception application.

Assign Tags to Multiple Target Systems

Navigate to the Target Systems - Search screen to add tags to, or remove tags from, multiple target systems based on the searched result set and the selection boxes. Enter target system criteria and press the Search button. Once search results are present, select the "Add/Remove Tags" button. Enter the tags to apply to or remove from the selected systems in your result set and select "Apply."

The "Add/Remove Tags" button is available only to users with ROLE_ADMIN. Modifying tag assignment currently affects Benchmark exception application.

Both the Add Tags and Remove Tags fields feature autocomplete with a list of tags that already exist.

Tags will be applied or removed from the selected systems in the original result set. Upon selecting "Apply," a refreshed result screen based on the existing criteria is presented.

Searching

Once systems are tagged, use individual tags or logical combinations of tags to search for a specific set of endpoints. The include/exclude tag fields offer an "AND" or "OR" operator that applies to the tag fields only. You can also search directly by Primary ID or IPv4 Range.

  • Target Primary ID - Search by Target Primary ID is case insensitive. Use % as a wildcard character.

  • IPv4 Range - Use the IPv4 Range fields to search by minimum or maximum IPv4 or both. The fields need to have a valid IPv4 value (0.0.0.1 to 255.255.255.255), and will return a warning if not valid.

  • Include Tags - Type into the Include Tags list the tags you would like to see in the search results, e.g. if you would like to see target systems with the "PCI" tag, simply type it in the box and click Search.

  • "and" operator - By default the "and" operator is selected. This means that if you type multiple tags into the Include Tags box, the resulting systems must contain ALL of the tags in the Include Tags box, e.g. if you typed in "PCI" and "Workstation", all systems with BOTH of those tags would be returned. If a system only had the "PCI" tag, it would not be returned.

  • "or" operator - The "or" operator can be selected using the available radio button. When selected, if you type multiple tags into the Include Tags box, the resulting systems need only contain ANY of the tags listed in the Include Tags box, e.g. if you typed in "PCI" and "Workstation", all systems with EITHER of those tags would be returned. If a system only had the "PCI" tag, it would be in the result set.

  • Exclude Tags - Type into the Exclude Tags list the tags that you do not want in your search results. This is useful when there are particular tags you would like excluded from your search, e.g. say you wanted to see all of your servers that do not deal with PCI. You could type the "Server" tag into the Include Tags box and "PCI" into the Exclude Tags box.
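The search semantics described above (case-insensitive Primary ID with % wildcard, a validated IPv4 range, Include Tags under "and"/"or", and Exclude Tags), modelled in Python as an added example that is not CIS-CAT Pro Dashboard code; the inventory, hostnames, addresses and tags are constructed for illustration.

```python
"""Model of the Target Systems search filters from the CIS-CAT Pro Dashboard guide.
Added example, not Dashboard code; all sample data below is constructed."""
import ipaddress
import re

# Constructed inventory: primary IDs, addresses and tags are made up.
TARGET_SYSTEMS = [
    {"primary_id": "web01.example.test", "ip": "10.0.1.10", "tags": {"PCI", "Server"}},
    {"primary_id": "web02.example.test", "ip": "10.0.1.11", "tags": {"Server"}},
    {"primary_id": "WS-FIN-07", "ip": "10.0.2.40", "tags": {"PCI", "Workstation"}},
    {"primary_id": "ws-hr-03", "ip": "10.0.2.41", "tags": {"Workstation"}},
    {"primary_id": "db01.example.test", "ip": "10.0.3.5", "tags": {"PCI", "Server", "Database"}},
]


def primary_id_matches(primary_id, pattern):
    """Target Primary ID search: case-insensitive, '%' is the wildcard."""
    if not pattern:
        return True
    # Escape every literal segment, join with '.*' where the '%' wildcards were.
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("%")) + "$"
    return re.match(regex, primary_id, re.IGNORECASE) is not None


def validate_ipv4(value):
    """IPv4 Range bounds must be valid addresses from 0.0.0.1 to 255.255.255.255."""
    addr = ipaddress.IPv4Address(value)  # raises ValueError on malformed input
    if addr == ipaddress.IPv4Address("0.0.0.0"):
        raise ValueError("IPv4 range bound must be between 0.0.0.1 and 255.255.255.255")
    return addr


def search_target_systems(systems, primary_id=None, ip_min=None, ip_max=None,
                          include_tags=(), include_operator="and", exclude_tags=()):
    """Return the primary IDs of systems matching all supplied criteria, in inventory order."""
    if include_operator not in ("and", "or"):
        raise ValueError("include_operator must be 'and' or 'or'")
    lo = validate_ipv4(ip_min) if ip_min else None
    hi = validate_ipv4(ip_max) if ip_max else None
    if lo is not None and hi is not None and lo > hi:
        raise ValueError("minimum IPv4 is greater than maximum IPv4")
    include, exclude = set(include_tags), set(exclude_tags)

    matches = []
    for system in systems:
        if not primary_id_matches(system["primary_id"], primary_id):
            continue
        addr = ipaddress.IPv4Address(system["ip"])
        if lo is not None and addr < lo:
            continue
        if hi is not None and addr > hi:
            continue
        if include:
            # "and": every included tag must be present; "or": at least one.
            if include_operator == "and" and not include <= system["tags"]:
                continue
            if include_operator == "or" and not include & system["tags"]:
                continue
        # Exclude Tags always remove a system, whichever operator is selected.
        if exclude & system["tags"]:
            continue
        matches.append(system["primary_id"])
    return matches


if __name__ == "__main__":
    # Servers that do not deal with PCI, as in the Exclude Tags example above.
    print(search_target_systems(TARGET_SYSTEMS, include_tags=["Server"], exclude_tags=["PCI"]))
```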

Assess a Target System

To assess a target system from within CIS-CAT Pro Dashboard, ensure that CIS-CAT Pro Assessor v4 Service Integration procedures have been executed. The assessment features currently only support a remote assessment.

Pre-Requisites:

  • Installation of CIS-CAT Pro v4 Service
  • CIS-CAT Pro Dashboard v1.1.11+
  • CIS-CAT Pro v4 Service has been configured and started
  • CIS-CAT Pro Assessor v4 Service Integration steps have been followed
  • CIS-CAT Pro Dashboard is able to communicate with CIS-CAT Pro Assessor v4 Service system
    • Verify that benchmark data is returned by entering <assessor-service url>/benchmarks in a browser on the Dashboard system
  • Assessed target system is configured for remote assessment (WinRM setup, SSH enabled, etc.)
  • Assessed target system is able to communicate with CIS-CAT Pro Assessor v4 Service host system

Steps:

  1. Navigate to a single target system via the Target Systems menu
  2. Search for the desired target system to assess
  3. Select the link for the desired target system in the Target Primary ID column
  4. Select Assess
  5. Enter the required information
  6. Select Start Assessment to begin an assessment or Cancel to clear and close the form
  7. Correct missing, required information if necessary

All values entered in the modal are the same values expected in the CIS-CAT Pro Assessor v4 sessions.properties or assessor-config.xml files. See the CIS-CAT Pro Assessor v4 User’s Guide for detailed information on each of the below values. The target system to be assessed must be configured to accept a remote connection and must be able to communicate with the system that hosts CIS-CAT Pro Assessor v4 Service.

None of the below information will be stored in the supporting database. It is highly recommended that CIS-CAT Pro Dashboard and CIS-CAT Pro Assessor v4 Service communicate using an HTTPS protocol due to the sensitive nature of the data transferred.

  • Username: a username with elevated privileges (root or a sudo user for SSH, or a member of the Administrators group)
  • Password: the credentials for the above username
  • Target System Type: remote connection type to the target system
  • Port: The port number on which the communication takes place between Assessor v4 and the target system. Auto populates with recommended remote ports.
  • IP Address / Hostname: Primary active IP Address or hostname that designates the location of the target system.
  • Temporary File Path: Optional. If specified, directory must exist on target system and above user must have read/write ability. If not specified, the default temp folder will be used.
  • Benchmark: Supported benchmarks for dashboard orchestration. See Assessor Service guide for more information on supported benchmarks.
  • Profile: List of profiles related to the selected benchmark.

Once the Start Assessment button has been selected, the below message confirms that the assessment request was sent to CIS-CAT Pro Assessor v4 Service. Status can be tracked in the Job Status screen.

The below error message may be received if communication to CIS-CAT Pro Assessor v4 Service is interrupted. To troubleshoot, navigate to the CIS-CAT Pro Assessor v4 Service host and verify the status of the service.

Job Status Screen

The Job Status screen (Reports menu) lists only assessments requested from within the CIS-CAT Pro Dashboard. The latest assessments will appear at the top of the list.

  • Job ID: Sequential, system generated number used to help identify requests.
  • Target Primary ID: The Primary ID for the target system where an assessment was requested.
  • Benchmark and Profile: The name of the benchmark and profile used for the evaluation of the target system.
  • Status: Shows the life cycle of the request.
    • Pending: Assessor confirmed receipt of assessment request, waiting for CIS-CAT Pro Assessor v4 to start assessment activity.
    • In Progress: Assessment activity has started.
    • Error: Assessment could not start or encountered an error and could not finish. Hover over Error to learn more about the problem.
    • Assessment Complete: The assessment has completed. This status does not represent viewing status in the Dashboard. The report may be in the process of uploading if Assessor Service has been configured to POST reports to Dashboard via the API. If the API has not been configured to POST to Dashboard or there is an issue uploading, then the report will not be viewable in the Dashboard.
  • Requested By: The username that requested the assessment.
  • Start Date: The date and time of when the assessment was requested.
  • End Date: The date and time an assessment report was generated.

The screen can be manually refreshed by selecting the Job Status menu item or by selecting the “Refresh” link near the top of the results. A total count of requests and time of last screen refresh appears at the top of the results.

Note: The date and time for these fields are based on the location of the server that hosts CIS-CAT Pro Dashboard.

Errors in the Job Status Screen

Error Message: An unknown error occurred.
Potential Cause:
  • Username was incorrect
  • Password was incorrect
  • User does not have admin or sudo permissions
  • Wrong IP or domain name of system
  • Unsupported Benchmark selected
Solution:
  • Verify username and password and privilege to run scan on target system
  • Verify CIS-CAT log for more detail on error
  • Only use the unchanged Benchmarks delivered with the application

Error Message: An XML file was parsed, but contained an invalid signature.
Potential Cause: The signature in the benchmark file is not valid. To invalidate the signature, simply modify the XCCDF in some way (e.g., open it and add some extra text to the title of the benchmark).
Solution: Only use the unchanged Benchmarks delivered with the application

Error Message: Could not find requested assessment content
Potential Cause: The selected Benchmark was removed from the Benchmark directory in Assessor v4 Service just before the assessment ran
Solution: Do not remove the Benchmarks from the Benchmark directory once an assessment has been requested

Error Message: CIS-CAT Pro Assessor encountered invalid assessment content.
Potential Cause: The Assessor parsed the assessment file requested to be run, but could not determine what type of assessment it is for (e.g., benchmark or vulnerability assessment).
  • For Benchmark assessments, the root of the benchmark file should be or .
  • For OVAL Definitions or Vulnerability assessments, the root of the file should be .
Solution: Only use the unchanged Benchmarks delivered with the application

Error Message: An XML file was parsed but XML Schema validation errors.
Potential Cause: An XML file has schema validation errors. This exit code is used when validating the schema for the Benchmark file requested to be run.
Solution: Only use the unchanged Benchmarks delivered with the application

Error Message: Could not parse an XML file required for assessment.
Potential Cause: The assessment content (e.g., benchmark file) contains XML formatting errors. For example, an end tag for an element does not match the start tag.
Solution: Only use the unchanged Benchmarks delivered with the application

Reports

CIS-CAT Pro Dashboard reports provide a variety of views of CIS-CAT Assessment Results. An individual Test Results Report provides the same view as the legacy HTML report from CIS-CAT, with some enhanced features, including a controls-based view and the ability to create exceptions for specific rules. The Remediation Report provides a list of only the latest failed results for a target or group of targets. The intent is for a remediator to print this report and use it to manually remediate misconfigurations on the target. The Complete Results Report gives an abbreviated version of the complete results for a system. This is intended for an auditor to get a full picture of CIS compliance for a specific target or set of targets.

Assessment Results

The individual test results report provides a complete picture of a given Target System's compliance with a CIS benchmark at a single point in time. This report was designed to mimic the functionality of the HTML version of the CIS-CAT Security Configuration Assessment Results report.

Navigation - there are several ways to navigate to the Test Results Report. Under the Reports menu, you can click the Assessment Results List menu item. From the list, you can select the individual assessment result that you would like to view. You can also navigate to an individual target system; the Results box lists all of the benchmarks for which the current target has results stored in the database. Clicking one of the benchmarks opens the list of all the results for that target and that benchmark, from which you can select an individual result. Finally, you can navigate to an individual benchmark; its results section contains all the results in the system for that particular benchmark.

  1. Results View - the results view shows the test result in the same structure as the original benchmark. The results for each recommendation are organized into the groups the same way as the benchmark. Each group and subgroup is scored individually as a tally of all the rules contained within. This is a dynamic version of the old CIS-CAT HTML report. Users can also manage Exceptions to rules from this view (see below).

  2. CIS Controls View - in this view, the recommendations and results are presented in the CIS Benchmarks structure. The general grouping is determined by the individual consensus communities. This view mirrors the traditional CIS-CAT HTML report, with each group having rule totals and scoring information, as well as the actual evidence from the assessment.

    The controls view takes the same set of results, and using mapping metadata from the recommendations in the benchmark, reorganizes the rules into CIS Controls View. In this view, CIS Controls and Subcontrols as they relate to a recommendation are listed. This view is useful in identifying which recommendations represent or support a CIS Control. If no recommendation has been mapped to that control, clicking on it will simply provide more information about that particular control/subcontrol.

    Change the CIS Controls version displayed by selecting a different version in the "CIS Controls Version" dropdown on the top of the page.
    Below is an example of the CIS Controls View screen:

    The number in the bracket, for example [6] for CIS Control 2, indicates the count of Recommendations mapped to a specific CIS Controls version (V7.0 here). Absence of a number in the brackets means that no recommendations have been mapped to this CIS Control for this CIS Benchmark. Also not all Benchmarks will be mapped to a CIS Control. Only the latest CIS Benchmark versions will be mapped to the latest version of CIS Controls (V7.0 here). You can verify from the CIS website which benchmark is mapped to which CIS Controls version(s).

  3. Exceptions View - the exceptions view lists all exceptions that apply to the recommendations in this benchmark. An exception can be associated with a single test result either by applying directly to that target system, applying to a tag that the target system has, or by being a global exception. This view provides a complete list of exceptions applying to the test result.

Vulnerability Report

After running a vulnerability assessment in CIS-CAT Pro Assessor, you can import the results into the CIS-CAT Pro Dashboard using any of the methods used to import assessment results (CIS-CAT Upload, Legacy folder, Import button in CCPD). To import a result from within CCPD, navigate to the target system you have a vulnerability result for. From the Results History List, open the Vulnerability Reports accordion and click the import button:

This is an asynchronous process and you will be notified when the import is complete. Once complete you will see the result in the Vulnerability Reports accordion of the Results History List:

Clicking on a row in the list will bring you to the Vulnerability Report:

The top of the report contains some information about the target system assessed and the vulnerability definitions that were assessed. Opening the High, Medium, or Low accordions below will show you details about the vulnerabilities found:

From the individual vulnerability you can add exceptions. This functions exactly like the exceptions on a configuration assessment report: a user creates an exception, an administrator then approves or rejects it, and if approved it goes into effect. At that point it can be end dated by an administrator. Please read the Exceptions section for more details.

Vulnerabilities can also carry an age warning. By default, if a vulnerability on a system is over 90 days old, it will appear differently in the report:

You can see that the color is different and that the Oldest Failure Date is shown in the title.

To configure the vulnerability age warning threshold, navigate to the System Settings menu in the administration menu. From there choose the vulnerabilityWarningAge setting:

You can then enter the number of days old you would like vulnerabilities to be before the warning appears on the report:

You can also configure the High/Medium/Low thresholds in the system settings. These categories are based on CVSS scores. By default, the low threshold is 4.0 and the high threshold is 7.0. This means any found vulnerability with a CVE that has a CVSS base score of 7.0 or more will be categorized as High on the report and in the Vulnerability Reports list. To configure these thresholds, change vulnerabilityHighThreshold and/or vulnerabilityLowThreshold in the System Settings.
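How the three vulnerability settings above (vulnerabilityLowThreshold, vulnerabilityHighThreshold, vulnerabilityWarningAge) shape a report, as an added Python example that is not Dashboard code. It assumes a score at or above the low threshold but below the high threshold is Medium (the guide states only the High boundary), and the finding IDs and dates are constructed placeholders, not real CVE numbers.

```python
"""Severity buckets and age warnings for a vulnerability report, following the
defaults in the CIS-CAT Pro Dashboard guide. Added example, not Dashboard code."""
from datetime import date

# Defaults stated in the guide, keyed by the System Settings names it uses.
DEFAULT_SETTINGS = {
    "vulnerabilityLowThreshold": 4.0,
    "vulnerabilityHighThreshold": 7.0,
    "vulnerabilityWarningAge": 90,
}


def severity(cvss_base_score, settings=DEFAULT_SETTINGS):
    """Map a CVSS base score to the High/Medium/Low accordion it appears under."""
    low = float(settings["vulnerabilityLowThreshold"])
    high = float(settings["vulnerabilityHighThreshold"])
    if not 0.0 <= cvss_base_score <= 10.0:
        raise ValueError("CVSS base scores range from 0.0 to 10.0")
    if low > high:
        raise ValueError("vulnerabilityLowThreshold must not exceed vulnerabilityHighThreshold")
    if cvss_base_score >= high:      # "7.0 or more" is High with the default settings
        return "High"
    if cvss_base_score >= low:       # assumption: the low threshold is inclusive for Medium
        return "Medium"
    return "Low"


def age_warning(oldest_failure_date, as_of, settings=DEFAULT_SETTINGS):
    """True when the finding is over vulnerabilityWarningAge days old (strictly greater)."""
    return (as_of - oldest_failure_date).days > int(settings["vulnerabilityWarningAge"])


def build_vulnerability_report(findings, as_of, settings=DEFAULT_SETTINGS):
    """Group findings into the report's three accordions and flag aged ones."""
    report = {"High": [], "Medium": [], "Low": []}
    for finding in findings:
        entry = {
            "id": finding["id"],
            "score": finding["cvss_base_score"],
            "oldest_failure_date": finding["oldest_failure_date"].isoformat(),
            "age_warning": age_warning(finding["oldest_failure_date"], as_of, settings),
        }
        report[severity(finding["cvss_base_score"], settings)].append(entry)
    return report


# Constructed findings; the IDs are placeholders, not real CVE identifiers.
SAMPLE_FINDINGS = [
    {"id": "EXAMPLE-VULN-1", "cvss_base_score": 9.8, "oldest_failure_date": date(2024, 1, 1)},
    {"id": "EXAMPLE-VULN-2", "cvss_base_score": 7.0, "oldest_failure_date": date(2024, 3, 31)},
    {"id": "EXAMPLE-VULN-3", "cvss_base_score": 5.5, "oldest_failure_date": date(2024, 3, 31)},
    {"id": "EXAMPLE-VULN-4", "cvss_base_score": 3.9, "oldest_failure_date": date(2024, 3, 31)},
]

if __name__ == "__main__":
    for bucket, entries in build_vulnerability_report(SAMPLE_FINDINGS, date(2024, 4, 1)).items():
        print(bucket, [(e["id"], e["age_warning"]) for e in entries])
```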

Remediation Report

The remediation report is designed to give an operator a list of failure results, as well as the remediation steps to fix each failure. An operator can take this report, follow the remediation steps, and bring a target system or target systems into compliance. To generate this report, navigate to the Remediation Report from the CIS-CAT Pro Dashboard Reports menu. The first step is to choose the target systems you want included in the report: use the search criteria to get a list of target systems and the latest result for each benchmark.

You can then use the "Selected" checkboxes to choose which Assessment Results you would like to appear on the report. Once you have the correct results you select the "Remediation Report" button and the report will be generated.

The report lists the target system, the benchmark, the rule number and title, and the remediation steps for each failed result. Users can then utilize the buttons in the upper right side of the screen to export the report in a variety of formats.

Complete Results Report

The complete results report will give you a full view of a target system's or group of target systems' compliance across multiple CIS benchmarks. Similar to the Remediation Report, you search for target systems, select the ones you would like to see complete results for, then generate the report.

The complete report lists the Target System, Benchmark, Rule Number and Title, as well as the overall pass fail result of each individual rule.

Delete Multiple Configuration Reports

Getting started with CIS Benchmark adoption often involves an analysis period. During the analysis phase, reports may be imported to Dashboard, but users may not desire to store results for a long period of time. Multiple reports can now be selected and removed from the CIS-CAT Pro Dashboard's database. This, in turn, will remove report scores from overall averages displayed in the graphical dashboard views.

The report delete process begins by selecting desired reports in the "Assessment Results Search" screen. On confirmation, the selected reports are flagged for deletion. Once flagged, the flagged reports are removed from all averages in the Dashboard and can no longer be searched. The final purge will occur during the hours specified in system settings. The delete button and system settings are available to users with ROLE_ADMIN.

It is highly recommended that a routine database backup process is in place, as the deletion process is permanent.

Select Reports for Deletion

Navigate to “Assessment Results Search” in the “Reports” menu.

Enter desired criteria, and press “Search”. The “Delete Report” button is available to Dashboard users with an admin role. View the reports by selecting “View”.

Select the reports desired for removal from the database using the checkbox to the left of each report and select the “Delete Report” button. Confirm the delete by selecting “Delete” once more.

Configure Final Report Delete Run Time

Navigate to "System Settings" and locate delete.assessment.start.time and delete.assessment.end.time. Only whole integers ranging from 0 to 23 will enable the final purge job to run successfully. For example, if the process should run between the hours of 5 p.m. and 11 p.m., enter 17 as the delete.assessment.start.time and 23 as the delete.assessment.end.time. For jobs that should run between 11 p.m. and 5 a.m. the next morning, configure the delete.assessment.start.time to 23 and the delete.assessment.end.time to 5. A value outside that range in either setting, such as -1, will disable the job.
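The start/end hour pairs used by delete.assessment.start.time and delete.assessment.end.time, and likewise by auto.convert.start.time and auto.convert.end.time in the conversion section, as an added Python example that is not Dashboard code. It assumes the start hour is inclusive, the end hour is exclusive, and an equal start and end gives an empty window; the guide specifies only the examples shown above and that -1 disables the job.

```python
"""Nightly job window from a start/end hour pair, including the wrap past midnight
and the -1 disable described in the CIS-CAT Pro Dashboard guide. Added example."""


def parse_hour_setting(value):
    """Return an int 0-23, or None when the value does not enable the job
    (-1, blank, a fraction, or anything outside 0-23 all disable it)."""
    try:
        hour = int(str(value).strip())
    except (TypeError, ValueError):
        return None
    return hour if 0 <= hour <= 23 else None


def hours_in_window(start_setting, end_setting):
    """List the hours (0-23) during which the job may run, walking forward from
    the start hour and wrapping through midnight until the end hour is reached."""
    start = parse_hour_setting(start_setting)
    end = parse_hour_setting(end_setting)
    if start is None or end is None:
        return []          # either setting disabled -> the job never runs
    if start == end:
        return []          # assumption: a zero-length window never runs
    hours = []
    hour = start
    while hour != end:     # start inclusive, end exclusive (assumption)
        hours.append(hour)
        hour = (hour + 1) % 24
    return hours


def job_may_run(now_hour, start_setting, end_setting):
    """True when a purge (or conversion) job is allowed to run at now_hour."""
    if not 0 <= now_hour <= 23:
        raise ValueError("now_hour must be 0-23")
    return now_hour in hours_in_window(start_setting, end_setting)


if __name__ == "__main__":
    # The two examples from the guide: 17-23 same evening, 23-5 across midnight.
    print(hours_in_window("17", "23"))
    print(hours_in_window("23", "5"))
    print(job_may_run(2, "23", "5"), job_may_run(12, "23", "5"), job_may_run(2, "-1", "5"))
```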

Exceptions

The recommendations in CIS Benchmarks are just that, recommendations. Not every recommendation necessarily applies to every organization or to every target system within an organization. CIS-CAT Pro Dashboard provides functionality to create "exceptions" to specific rules or groups of rules on a per-machine, global, or per-tag basis. This allows CIS-CAT to continue to assess the target system against the rules, but when viewing the Test Results Report within CIS-CAT Pro Dashboard, the rule will not negatively impact the target's compliance scoring. When creating the exception, you can also provide a rationale for why the rule is being excepted. This provides information to an auditor as to why the rule is not being scored.

  • Creation

    • Rule Exception - To create a rule exception simply navigate to the rule you would like to except in the Test Results Report. Within the rule is the Exceptions section. If there are no existing exceptions, you will simply see an "Add Exception" button. If exceptions already exist for the rule, they will be displayed in a table, along with the "Add Exception" button.
      Click this button, and the exception creation dialog will be displayed:

      By default the start date is set to the end time of the assessment report that you are currently viewing; this makes the exception apply to this specific report as well as any assessments that post-date it. You can modify the date to apply to any time period you like. A rationale is also required on this dialog: you must enter the reason you are creating an exception for this rule. By default, any exception created applies only to the target system whose results you are currently reviewing. You can check the global checkbox to make the exception apply to all target systems in your environment, or enter any number of tags into the tag field, in which case the exception applies to any target system that has any of the entered tags. These are the different ways to scope the exception.

    • Group Exception - To create a group exception, navigate to the group you would like to except in the Test Results Report and click on "Add Group Exception" button.

    • Vulnerability Exception - To create a vulnerability exception, navigate to the individual vulnerability you would like to except in the Vulnerability Report and click on "Add Exception" button. For more details please read the Vulnerability Report section.

  • Approval - Once an exception is created it must be approved by a user with ROLE_ADMIN. On creation, an exception enters pending status and, by default, a task is created for all users with ROLE_ADMIN and sent to their user Inbox. This task allows the administrators to review the exception request and accept or reject the exception. If the exception is approved, it takes effect for the time period and targets specified. If it is rejected, it will be ignored. Either way, the user who requested the exception is notified of the result via an alert sent to their user Inbox.

  • End Date - Exceptions are not meant to be permanent. As such, CIS-CAT Pro Dashboard provides the ability to end date an exception when it is no longer needed. To end date an exception, simply click on it in the exception table for the rule. This will bring up the end date dialog. You can enter any end date you would like, then click Save. The Exception will now be end dated and on

  • Viewing Configuration Assessment Exceptions (Rule and Group Exceptions) - there are several ways to view rule or group exceptions in the application:
    • Exception List on Test Results - described above, there is a tab on each test result showing all the exceptions that apply to that system
    • Target System Configuration Assessment Exceptions List - on each target systems view page in Configuration Assessments tab, there is a list of exceptions that apply to that target.
    • Configuration Assessment Exception Search - in the report menu there is a Configuration Assessment Exception Search option which allows users to search for exceptions by: Primary ID, benchmark, date range, type, or tag. Searching by hostname will return all exceptions associated with that target system, even if they are associated by tag or by being global.
  • Viewing Vulnerability Exceptions - there are several ways to view vulnerability exceptions in the application:
    • Target System Vulnerability Exceptions List - on each target systems view page in Vulnerability Assessments tab, there is a list of exceptions that apply to that target.
    • Vulnerability Exception Search - in the report menu there is a Vulnerability Exception Search option which allows users to search for exceptions by: Primary ID, date range, or tag. Searching by hostname will return all exceptions associated with that target system, even if they are associated by tag or by being global.

Dashboard

The CIS-CAT Pro Dashboard application's dashboard views provide a high-level overview of organizational compliance with CIS Benchmarks. There are several views, each representing a different aggregation level, and each produces a graph of compliance over time. The default views show all of the compliance results for the selected aggregation group: "Overview" is all of your target systems for all benchmarks, the "Benchmark View" is by benchmark, and the "Tag View" is all systems with a specific tag or set of tags.

Each point on the graph is the average score for the month. Each point can be clicked to "drill down" into the Monthly view, which has a point for each day in the selected month that has results. Each of these points can be clicked to drill down to that specific day, which displays a point for each assessment result from that day. The points on the daily view take you straight to the individual assessment result that produced the score. This way you can navigate from a very high-level view of your compliance data all the way to the details: the individual assessment reports that make up the high-level graphical information.

Overview

The overview contains a fully aggregated view of all endpoints across all benchmarks:

Benchmark View

The benchmark view has results aggregated by benchmark. You can select any number of benchmarks from your list of favorite benchmarks that you would like to see results for. Each benchmark selected will be represented by a separate line on the graph. This allows you to compare compliance against various CIS Benchmarks. In this view, you can also add/delete favorite benchmarks.

Target System View

The target system view has the results aggregated by individual target system. The default target system view is the Multiple Target System view, which allows you to select many target systems from your list of favorite target systems and compare their aggregated results. In this view, you can also add/delete favorite target systems.

Target System Search View

Click on "Switch to Search View" link to navigate to Target System Search View. This view allows you to search many target systems by criteria and compare their aggregated results.

Target System by Benchmark View

If you only select a single target system, you can switch to the single target system view. This will allow you to select the benchmarks that have assessment results for the selected target system and compare the benchmark compliance for just a single target. This allows you to see potentially which benchmarks are reducing the compliance score for a single system.

Tag View

The tag view allows you to aggregate compliance results for a group of target systems with the same tag, or with multiple tags. Each tag entered will be represented by a single line, so that you can compare results across multiple tags.

Vulnerability View

The vulnerability view allows you to aggregate vulnerability results for all target systems with vulnerability reports. Each set of bars represents the average of the high, medium, and low CVSS-scored vulnerabilities detected in the given time period (monthly, daily, single day).

"Reference" Data Administration

Users assigned (currently) the ROLE_CIS user role are granted access to application views which allow for the import and viewing of assessment resources, such as Data Stream Collections, XCCDF Benchmarks, OVAL Definitions, and CPE Dictionaries.

In general, CIS content will be delivered using one of four structures:

  1. XCCDF 1.1 (Legacy): A single-file format consisting of a benchmark XCCDF, containing CIS' proprietary embedded check language (ECL). When importing legacy XCCDF 1.1 content, simply navigate to the "Benchmarks" list page (shown below) and complete the "Import" workflow.
  2. XCCDF 1.2 "data-stream": A 2-or-4-file format consisting of a benchmark XCCDF, an OVAL Definitions file, and optionally, a CPE Dictionary and CPE OVAL Definitions file. When importing XCCDF 1.2 information as part of a 4-file bundle of assessment content, first proceed to the CPE Dictionary import, followed by the CPE OVAL Definitions import, the OVAL Definitions import, and conclude with the XCCDF Benchmark import workflow.
  3. SCAP 1.2 "data-stream collection": A single file format which acts as a sort-of "envelope" containing components representing the XCCDF, OVAL, CPE Dictionary, and CPE OVAL files. The SCAP 1.2 "data-stream collection" import workflow simply involves navigating to the "Data Stream Collections" list, and subsequently importing the appropriate file.
  4. OVAL Definitions & OVAL Variables: A 2-file format in which the OVAL Variables file contains variable values to be used by the evaluation of the OVAL Definitions. Importing an OVAL Definitions/Variables combination must begin with the import of the OVAL Variables file, followed by the OVAL Definitions file import. Also, OVAL Results content may need to be imported into CIS-CAT Pro Dashboard. OVAL Results information can include Vulnerability Assessment results produced from the CIS-CAT desktop application.

CPE Dictionaries

To import a CPE Dictionary XML file, simply navigate to Collections --> OVAL --> CPE Dictionary:

Once navigated to the CPE Dictionary List screen, click on the "Import CPE Dictionary" button to display the file upload dialog. Find and select the appropriate "-cpe-dict.xml" file and click the "Upload" button. The CPE Dictionary will be imported into the CIS-CAT Pro Dashboard database and displayed for the user.

OVAL Variables

To import an OVAL Variables XML file, simply navigate to Collections --> OVAL --> OVAL Variable:

Once navigated to the OVAL Variables List screen, click on the "Import OVAL Variables" button to display the file upload dialog. Find and select the appropriate "-variables.xml" file and click the "Upload" button. The OVAL Variables will be imported into the CIS-CAT Pro Dashboard database and displayed for the user.

OVAL Definitions

To import an OVAL Definitions XML file, simply navigate to Collections --> OVAL --> OVAL Definition:

Once navigated to the OVAL Definitions List screen, click on the "Import OVAL Definitions" button to display the file upload dialog. Find and select the appropriate "-oval.xml" or "-cpe-oval.xml" file and click the "Upload" button. The OVAL Definitions will be imported into the CIS-CAT Pro Dashboard database and displayed for the user.

OVAL Results

To import an OVAL Results XML file, simply navigate to Collections --> OVAL --> OVAL Result:

Once navigated to the OVAL Results List screen, click on the "Import OVAL Results" button to display the file upload dialog. Find and select the appropriate OVAL Results file (such as CIS-CAT produced Vulnerability Assessment results XML) and click the "Upload" button. The OVAL Results will be imported into the CIS-CAT Pro Dashboard database and displayed for the user. Note that, depending on the size of the OVAL Results file, this import could take several minutes to complete, albeit asynchronously.

Benchmarks

To view a Benchmark, simply navigate to Collections --> Benchmarks or Supporting Data --> Benchmarks List. There is also a link to the Benchmark in the Security Configuration Assessment Results view.

View

Once navigated to the Benchmarks List screen, the list of previously-imported benchmarks will be displayed in a table format:

Each entry in the table represents a unique benchmark XCCDF document. Benchmarks are uniquely identified by their internal ID and version number. Therefore, there may be multiple instances of the CIS Debian Linux 8 benchmark, but with different version numbers, such as 1.0.0, 2.0.0, or 3.0.0. Assessment results imported into CIS-CAT Pro Dashboard are associated with a specific version of a benchmark.

Once a user selects a benchmark to view, he/she is taken to the benchmark home page:

  1. General - the General tab displays a description of the selected benchmark, the version number, and additional information such as status or style. The CIS Controls version selected in the CIS Controls Version dropdown will be the version displayed in Recommendations/CIS Controls View. By clicking on the dropdown, the user can change the CIS Controls version presented.

  2. Profiles - this is the list of Profiles for the selected benchmark. Select the header section bars to reveal additional information such as profile description or recommendations.

  3. Recommendation - this view gives access to the 3 following tabs:

    Results View - the results view shows the list of recommendations organized into the groups. Each group is expandable to display any sub-groups or recommendations contained within:

    Note the description, rationale, remediation, impact statements, any references, and any mapped CIS Controls are also displayed to the user. Also note that the benchmark content remains in a read-only state. CIS-CAT Pro Dashboard is merely a repository for already assessed information. Benchmark tailoring is beyond the scope of CIS-CAT Pro Dashboard.

    CIS Controls View - in the Results View, the recommendations are presented in the CIS Benchmark's own structure, whose general grouping is determined by the individual consensus communities.
    The Controls View takes the same set of results and, using the mapping metadata from the recommendations in the benchmark, reorganizes the rules into the CIS Controls View. In this view, the CIS Controls and Subcontrols that relate to a recommendation are listed. This view is useful in identifying which recommendations represent or support a CIS Control. If no recommendation has been mapped to a control, clicking on it will simply provide more information about that particular control/subcontrol.

    Change the CIS Controls version displayed by selecting a different version in the "CIS Controls Version" dropdown on the General tab.
    Below is an example of the CIS Controls View screen:

    The number in brackets, for example [6] for CIS Control 2, indicates the count of Recommendations mapped to a specific CIS Controls version (V7.0 here). Absence of a number in the brackets means that no recommendations have been mapped to this CIS Control for this CIS Benchmark. Also, not all Benchmarks will be mapped to a CIS Control. Only the latest CIS Benchmark versions will be mapped to the latest version of CIS Controls (V7.0 here). You can verify from the CIS website which benchmark is mapped to which CIS Controls version(s).

    Exceptions View - the exceptions view lists all exceptions that apply to the recommendations in this benchmark. An exception can be associated with a single test result either by applying directly to that target system, applying to a tag that the target system has, or by being a global exception. This view provides a complete list of exceptions applying to the test result.

  4. Results - this is the list of Security Configuration Assessment Results for the selected benchmark.

Data Stream Collections

To import a SCAP 1.2 Data Stream Collection XML file, simply navigate to Collections --> Data Stream Collection:

Supporting Data

Benchmarks List

To access a Benchmark, simply navigate to Supporting Data --> Benchmarks List or Collections --> Benchmarks. There is also a link to the Benchmark in the Security Configuration Assessment Results view.

For more details about the Benchmark view, please refer to the Benchmarks section of the "Reference" Data Administration sub-menu.

CIS Controls

CIS Controls information will be supplied with the initial version of the CIS-CAT Professional application/database. This initial data load will contain information regarding the 20 Controls and each respective sub-control. Users may access controls information by selecting the "CIS Controls" sub menu item, in the "Supporting Data" menu of the application:

Once navigated to the "CIS Controls List", users can see the list of supported CIS Controls versions:

An indicator in the Default column marks the user's preferred CIS Controls default view.
The CIS Controls tab of the Benchmark and Security Configuration Assessment Results views will display the default CIS Controls version per the user's configured setting in the System Settings.

The user can change the preferred CIS Controls version by editing the controls.version.default System Setting value in the System Settings view.

By clicking on a CIS Controls version, users have the ability to view information for each individual control:

View

Once a user navigates to the list of the 20 Controls, he/she may click on any individual control to display specific information about that control, including the control description, objective, and list of applicable sub-controls:

For each control, any number of sub-controls may be listed. Users can click on each individual sub-control to display a dialog box containing information about the sub-control:

NVD Vulnerability Data

In order to support the CIS-CAT Assessor vulnerability reports, CIS-CAT Pro Dashboard requires CVE and CVSS data from the National Vulnerability Database (NVD). In order to insert, update, or view the NVD data, go to the "Vulnerability List" menu option in the Supporting Data menu:

The vulnerability list will display your current vulnerability data by year and month:

Selecting any individual month will navigate to the Monthly CVE View. This page will list all the CVEs published in that specific month and year:

Clicking any of the entries will bring up all the data about that specific CVE in the CVE Dialog. This dialog also contains an NVD link which will navigate directly to the CVE entry on the NVD website:

From the top of the Vulnerabilities List, you can navigate to the search, where you can search for a specific CVE by ID or keywords from the CVE Summary:

Again, clicking on the CVE ID will bring up the CVE Dialog.

There are several ways to import the NVD data into your dashboard instance:

  • Update NVD Data via Direct NIST Connectivity - Direct internet connectivity is required; a proxy will not work. Use the Update CVEs button from the Vulnerability list page. On button selection, a direct connection to NIST NVD is made and the latest JSON NVD version will update the database storage with the current CVE definitions. The update is completed with an asynchronous process. Depending on environment factors, the process could take some time to import the thousands of CVE definitions. One Dashboard Inbox alert will be present upon completion.
  • Update NVD Data via Import - Internet connectivity is not required. Manually download the most recent JSON vulnerability feed from NVD. Move the files to the Legacy folder on the supporting Dashboard machine, or use the Import Vulnerability Feed button from the Vulnerability list page to manually select the files. The import is completed with an asynchronous process. A Dashboard Inbox alert will be present for each completely imported file.

Note: Import of NVD feeds in XML format is no longer supported. Please use the JSON format.

Troubleshooting and Support

For CIS support, enter a support request at our online support portal.

Start a discussion on the CIS-CAT Discussion Group (login required). These discussions are a great way for members to use their experience to support each other.