CIS Benchmark Scanning

Use CIS Benchmark Scanning to verify your compliance with industry-standard security best practices.

What is CIS Benchmark Scanning?

According to CIS Security, CIS Benchmarks are best practices for the secure configuration of a target system.

We support the following CIS Benchmarks:

| Windows | Windows Server | Oracle |
| --- | --- | --- |
| Windows 7 | Windows Server 2008 Domain Controller | Oracle Enterprise Linux 7 Server Level 1 |
| Windows 7 with BitLocker | Windows Server 2008 Member Server | Oracle Enterprise Linux 7 Server Level 2 |
| Windows 8.1 | Windows Server 2008 R2 Domain Controller | Oracle Enterprise Linux 7 Workstation Level 1 |
| Windows 8.1 with BitLocker | Windows Server 2008 R2 Member Server | Oracle Enterprise Linux 7 Workstation Level 2 |
| Windows 10 | Windows Server 2012 Domain Controller | |
| Windows 10 with BitLocker | Windows Server 2012 Member Server | |
| Windows 10 Enterprise v1511 | Windows Server 2016 Domain Controller Level 1 | |
| Windows 10 Enterprise v1511 with BitLocker | Windows Server 2016 Domain Controller Level 2 | |
| Windows 10 Enterprise v1703 | Windows Server 2016 Member Server Level 1 | |
| Windows 10 Enterprise v1703 with BitLocker | Windows Server 2016 Member Server Level 2 | |
| Windows 10 Enterprise v1709 | CIS Windows Server 2019 Domain Controller | |
| Windows 10 Enterprise v1803 with BitLocker and NextGen | CIS Windows Server 2019 Member Server | |
| Windows 10 Enterprise v1809 with BitLocker and NextGen | | |
| Windows 10 Enterprise v1903 | | |
| Windows 10 Enterprise v1909 | | |
| Windows 11 Enterprise | | |
| Windows 11 Enterprise with BitLocker | | |
| Windows 11 Enterprise with BitLocker and NextGen | | |

NOTE: The Oracle Enterprise Linux benchmarks require a set of SSH credentials, using either password or key authentication. The Oracle Enterprise Linux 7 benchmarks require the "root" user to be used for scanning. All of the Windows benchmarks require a set of Windows credentials. The user, credential, and access requirements for CIS scanning are the same as for Patch (authenticated) scanning.

You can run a scan against multiple types of hosts, such as a mix of various Windows clients and servers. However, a report can cover only one benchmark at a time, for example only Windows 7 hosts.

Create a CIS Scan

There are a couple of ways to access and use CIS Benchmark Scans. If auto-enabled credentials are being used for the CIS Benchmark scanning, the default CIS Benchmark Scan profile can be used.

  1. Create a new scan policy or copy an already existing one. For more information on creating and running scans, read: Create and Run Scans.
  2. From the navigation menu, select Scans > Scan Policies.
  3. Look for CIS Benchmark Scan, and then select the Copy & edit button. A new window opens.
  4. Rename the Scan Policy to something unique.
  5. Select Credentials from the top tab.
  6. Toggle Compliance Scanning to ON.
  7. Under Select Credentials, select the credentials you want to add.
     NOTE: Manage Scan Credentials (Authenticated Scanning) provides more information on Credentials.
  8. If needed, add credentials by selecting + Add Credential.
  9. Complete the rest of the fields as needed.
  10. Select Save, or Add Another (if necessary).

Run a CIS Scan

  1. From the top toolbar, select + New.
  2. Select Scan. The Create New Scan window opens.
  3. Under Policy Options, select Scan Policy.
  4. From the drop-down menu, select the CIS Compliance scan you renamed in step 4 of Create a CIS Scan.
  5. Complete the rest of the settings as needed.
  6. Select Create and run.

The new scan will be added to the Upcoming Scheduled Scans list. From this screen you can edit or delete the scan.