Benchmark Assessment Tools
The CIS Security Benchmarks Division offers a variety of tools for assessing compliance with CIS Benchmarks.
- The CIS-CAT Benchmark Assessment Tool
- Other Assessment Tools
CIS offers its Security Benchmarks Members the CIS Configuration Assessment Tool (CIS-CAT), a Java-based tool that compares the configuration of target IT systems to CIS Benchmarks and reports conformance scores on a scale of 0-100.
CIS-CAT is a SCAP-validated FDCC Scanner.
CIS-CAT gives IT and security professionals a fast, detailed assessment of target systems' conformance to CIS Benchmarks. By discovering any lack of conformance to CIS Benchmarks, CIS-CAT offers enterprises a powerful tool for analyzing and monitoring the security status of information systems and the effectiveness of internal security processes.
CIS offers a 30-day trial of the tool for enterprises considering CIS Security Benchmarks Membership. Please contact us if you are interested.
Using CIS-CAT, CIS Security Benchmarks Members can:
- Routinely assess the configuration of production systems compared to the CIS Benchmarks and internal security policies;
- Provide dashboard reporting capability;
- Create standard configuration images for hardening systems prior to deployment;
- Improve security awareness by comparing the security of "out-of-the-box" systems and hardened systems; and
- Assess and monitor multiple systems simultaneously by integrating CIS-CAT with system management utilities.
CIS-CAT is a host-based configuration assessment tool. It includes both a command-line interface (CLI) and a graphical user interface (GUI). To support the broadest possible portability, CIS-CAT is a Java application and requires JRE v1.5 or later.
CIS-CAT and its JRE can reside on a target system or on any network drive or removable drive that has network access to the target system being assessed.
CIS-CAT currently supports the following Benchmarks:
- Apache Tomcat 5.5-6.0 Benchmark v1.0.0
- Apple OSX 10.5 Benchmark v1.1.0
- Apple OSX 10.6 Benchmark v1.0.0
- CentOS Linux 6 Benchmark v1.0.0
- Debian Linux Benchmark v1.0.0
- HP-UX 11i Benchmark v1.4.2
- IBM AIX 4.3-5.1 Benchmark v1.0.1
- IBM AIX 5.3-6.1 Benchmark v1.1.0
- IBM AIX 7.1 Benchmark v1.1.0
- MIT Kerberos 1.10 Benchmark v1.0.0 (OVAL XML also available)
- Microsoft Internet Explorer 10 Benchmark v1.0.0 (OVAL XML also available)
- Microsoft SQL Server 2008 R2 Database Engine Benchmark v1.0.0 (OVAL XML also available)
- Microsoft SQL Server 2012 Database Engine Benchmark v1.0.0 (OVAL XML also available)
- Microsoft Windows 2003 MS DC Benchmark v3.1.0
- Microsoft Windows 2008 Server Benchmark v2.1.0 (Domain Joined) (OVAL XML also available)
- Microsoft Windows 2008 R2 Server Benchmark v2.1.0 (Domain Joined) (OVAL XML also available)
- Microsoft Windows 2012 Server Benchmark v1.0.0 (Domain Joined) (OVAL XML also available)
- Microsoft Windows XP Benchmark v3.1.0 (OVAL XML also available)
- Microsoft Windows 7 Benchmark v2.1.0 (Domain Joined) (OVAL XML also available)
- Microsoft Windows 8 Benchmark v1.0.0 (Domain Joined) (OVAL XML also available)
- Mozilla Firefox 3 Benchmark v1.0.0
- Oracle Database 9i-10g Benchmark v2.0.1
- Oracle Database 11g Benchmark v1.0.1
- Solaris 2.5.1-9 Benchmark v1.3.0
- Oracle Solaris 10 Benchmark v5.1.0
- Oracle Solaris 11 Benchmark v1.1.0
- Oracle Solaris 11.1 Benchmark v1.0.0
- RedHat Enterprise Linux 4 Benchmark v1.0.5
- RedHat Enterprise Linux 5 Benchmark v2.1.0
- RedHat Enterprise Linux 6 Benchmark v1.2.0
- Slackware Linux 10.2 Benchmark v1.1.0
- SUSE Linux Enterprise Server 9 Benchmark v1.0.0
- SUSE Linux Enterprise Server 10 Benchmark v2.0.0
- SUSE Linux Enterprise Server 11 Benchmark v1.0.0
- VMware ESX 3.5 Benchmark v1.2.0
- VMware ESX 4.1 Benchmark v1.0.0
CIS-CAT can read customized input files to allow members to compare the configuration of their systems with both the CIS Benchmarks and their customized configuration policies. This feature is enabled by user modification of the Benchmark XCCDF files.
The following CIS-CAT tutorials are available:
- Downloading & Running CIS-CAT to Measure Benchmark Compliance (7 minutes)
- Assessing Multiple Systems with CIS-CAT
- Features of the CIS-CAT Dashboard
CIS-CAT has been awarded NIST Security Content Automation Protocol (SCAP 1.0) Validation as a Federal Desktop Core Configuration (FDCC) Scanner. SCAP 1.2 Validation Testing is currently in progress. CIS-CAT supports the following content distributed from the NIST FDCC Repository:
- FDCC for Windows XP
- FDCC for Vista
Details are available on the NIST Web site.
The CIS-CAT Assessment Tool is available only to CIS Security Benchmarks Members. Members can download CIS-CAT from the CIS Members Web site.
To learn about becoming a Member, click here.
CIS-CAT User's Guide (PDF)
CIS-CAT Data Sheet (PDF)
In addition to CIS-CAT, CIS also distributes four other assessment tools:
- Router Assessment Tool (RAT)
CIS RAT assesses target devices for conformance with the CIS Benchmarks for Cisco Router IOS and Cisco PIX firewalls. The installation package for the tool includes benchmark documents (PDF) for both Cisco IOS and Cisco ASA, FWSM, and PIX security settings.
- Apache Benchmark Tool
The Apache Benchmark Tool assesses target systems for conformance with the CIS Benchmark for Apache Web Servers.
NOTE: The Apache Benchmark Tool does not reflect the latest CIS Apache Benchmark. A new, updated version of the tool is under development. Until the new version is released, the Apache Benchmark Tool will remain an unsupported tool.
- Oracle 8i Benchmark Tool
The Oracle 8i Benchmark Assessment Tool operates on Windows, Linux, and SPARC Solaris platforms and evaluates Oracle 8i instances against CIS Oracle 8i Benchmark v1.2.0.
NOTE: The Oracle 8i Benchmark Tool does not reflect the latest CIS Oracle Benchmark. A new, updated version of the tool is under development. Until the new version is released, the Oracle 8i Benchmark Tool will remain an unsupported tool.
- UNIX Assessment Tools
The UNIX Assessment Tools are script-based tools that evaluate Solaris, FreeBSD, and HP-UX systems.
NOTE: The UNIX Assessment Tools do not reflect the latest CIS Benchmark guidance for their respective platforms. New, updated versions of these tools are under development. Until the new versions are released, the UNIX Assessment Tools will remain unsupported.
Click "Join Project" under the Router Assessment Tool Project here to get involved.
CIS-CAT is the only software tool that CIS currently supports.