CIS Benchmarks
Implement and audit CIS security benchmarks.
When to Use This Skill
Use this skill when:
- Assessing security compliance
- Implementing security baselines
- Meeting regulatory requirements
- Hardening systems to standards
Assessment Tools
OpenSCAP
# Install
apt install openscap-scanner scap-security-guide
# Run CIS benchmark scan
oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_cis \
  --results results.xml \
  --report report.html \
  /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml
Lynis
# Install
apt install lynis
# Run audit
lynis audit system
# Generate report
lynis audit system --report-file /tmp/lynis-report.dat
InSpec
# cis-profile/controls/ssh.rb
control 'cis-ssh-1' do
  impact 1.0
  title 'Ensure SSH root login is disabled'
  describe sshd_config do
    its('PermitRootLogin') { should eq 'no' }
  end
end

control 'cis-ssh-2' do
  impact 0.7
  title 'Ensure SSH password authentication is disabled'
  describe sshd_config do
    its('PasswordAuthentication') { should eq 'no' }
  end
end
# Run InSpec
inspec exec cis-profile -t ssh://user@target
Kubernetes CIS
# kube-bench
docker run --rm -v /etc:/etc:ro -v /var:/var:ro \
  aquasec/kube-bench:latest run --targets node
# Check specific sections (--group selects whole sections; --check takes individual check IDs such as 1.1.1)
kube-bench run --targets master --group 1.1,1.2
Remediation Workflow
workflow:
  1_scan:
    - Run automated assessment
    - Generate baseline report
  2_analyze:
    - Review findings
    - Identify false positives
    - Prioritize by risk
  3_remediate:
    - Apply fixes
    - Document exceptions
    - Verify changes
  4_validate:
    - Re-run assessment
    - Confirm remediation
    - Generate compliance report
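The validate step comes down to comparing the baseline scan with the re-scan. The following is an added example, not part of the original skill: it diffs two XCCDF result files of the kind `oscap xccdf eval --results` writes and sorts rules into fixed, still failing, regressed and excepted. The function names, rule ids and sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}  # XCCDF 1.2 namespace

def rule_results(xml_text):
    """Map rule id -> result ('pass', 'fail', ...) from an XCCDF results document."""
    root = ET.fromstring(xml_text)
    return {rr.get("idref"): rr.findtext("x:result", namespaces=NS)
            for rr in root.iterfind(".//x:rule-result", NS)}

def compare(baseline_xml, rescan_xml, exceptions=()):
    """Classify every failing or newly passing rule in the re-scan."""
    before, after = rule_results(baseline_xml), rule_results(rescan_xml)
    out = {"fixed": [], "still_failing": [], "regressed": [], "excepted": []}
    for rule, now in sorted(after.items()):
        was = before.get(rule)
        if now == "fail" and rule in exceptions:
            out["excepted"].append(rule)   # documented exception, tracked separately
        elif now == "fail":
            # failed in the baseline too: fix did not take; otherwise a new failure
            out["still_failing" if was == "fail" else "regressed"].append(rule)
        elif now == "pass" and was == "fail":
            out["fixed"].append(rule)      # remediation confirmed
    return out

def sample(results):
    """Build a constructed, minimal results document (not real scanner output)."""
    rows = "".join(f'<rule-result idref="{r}"><result>{v}</result></rule-result>'
                   for r, v in results.items())
    return f'<Benchmark xmlns="{NS["x"]}"><TestResult id="t">{rows}</TestResult></Benchmark>'

# Constructed rule ids and results, for illustration only.
BASELINE = sample({"ssh_root_login": "fail", "ssh_password_auth": "fail",
                   "audit_enabled": "pass", "legacy_service": "fail",
                   "tmp_noexec": "notapplicable"})
RESCAN = sample({"ssh_root_login": "pass", "ssh_password_auth": "fail",
                 "audit_enabled": "fail", "legacy_service": "fail",
                 "tmp_noexec": "notapplicable"})

if __name__ == "__main__":
    report = compare(BASELINE, RESCAN, exceptions={"legacy_service"})
    for status, rules in report.items():
        print(f"{status}: {', '.join(rules) or '-'}")
```

For real scans, pass the contents of the two `results.xml` files in place of the constructed samples and keep the exception set in version control next to the configuration.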
Best Practices
- Baseline before hardening
- Document exceptions
- Automate assessments
- Track compliance over time
- Regular re-assessment
- Version control configurations
Related Skills
- linux-hardening - Linux security
- vulnerability-scanning - Security scanning
Repository
bagelhole/devop…t-skills
GitHub Stars
13
First Seen
Feb 4, 2026