cis-benchmarks

Implement and audit CIS security benchmarks.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "cis-benchmarks" with this command: npx skills add bagelhole/devops-security-agent-skills/bagelhole-devops-security-agent-skills-cis-benchmarks

CIS Benchmarks

When to Use This Skill

Use this skill when:

  • Assessing security compliance

  • Implementing security baselines

  • Meeting regulatory requirements

  • Hardening systems to standards

Assessment Tools

OpenSCAP

Install

apt install openscap-scanner scap-security-guide

Run CIS benchmark scan

oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_cis \
  --results results.xml \
  --report report.html \
  /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml

Lynis

Install

apt install lynis

Run audit

lynis audit system

Generate report

lynis audit system --report-file /tmp/lynis-report.dat

InSpec

cis-profile/controls/ssh.rb

control 'cis-ssh-1' do
  impact 1.0
  title 'Ensure SSH root login is disabled'

  describe sshd_config do
    its('PermitRootLogin') { should eq 'no' }
  end
end

control 'cis-ssh-2' do
  impact 0.7
  title 'Ensure SSH password authentication is disabled'

  describe sshd_config do
    its('PasswordAuthentication') { should eq 'no' }
  end
end

Run InSpec

inspec exec cis-profile -t ssh://user@target

Kubernetes CIS

kube-bench

docker run --rm -v /etc:/etc:ro -v /var:/var:ro \
  aquasec/kube-bench:latest run --targets node

Check specific sections

kube-bench run --targets master --check 1.1,1.2

Remediation Workflow

workflow:
  1_scan:
    - Run automated assessment
    - Generate baseline report

  2_analyze:
    - Review findings
    - Identify false positives
    - Prioritize by risk

  3_remediate:
    - Apply fixes
    - Document exceptions
    - Verify changes

  4_validate:
    - Re-run assessment
    - Confirm remediation
    - Generate compliance report
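Steps 1_scan and 4_validate both produce an XCCDF results.xml from the oscap command above. The following is an added example, not part of the upstream skill, that compares a baseline scan with a re-scan to confirm remediation and surface regressions. The function names and the sample rule ids are hypothetical, and the two sample documents are constructed inline so the script runs offline.

```python
import xml.etree.ElementTree as ET

XCCDF = "http://checklists.nist.gov/xccdf/1.2"  # XCCDF 1.2 namespace
NS = {"x": XCCDF}

def load_results(xml_text):
    """Return {rule id: result} from the last TestResult in an XCCDF document."""
    root = ET.fromstring(xml_text)
    own = root.tag == f"{{{XCCDF}}}TestResult"
    tests = [root] if own else root.findall(".//x:TestResult", NS)
    if not tests:
        raise ValueError("no TestResult element: not an XCCDF results file")
    return {rr.get("idref"): rr.findtext("x:result", "unknown", NS)
            for rr in tests[-1].findall("x:rule-result", NS)}

def compare(before, after):
    """Classify every rule in the re-scan against the baseline."""
    out = {"fixed": [], "regressed": [], "still_failing": [], "new_rules": []}
    for rule, now in sorted(after.items()):
        was = before.get(rule)
        if was is None:
            out["new_rules"].append(rule)       # rule absent from baseline
        elif was == "fail" and now == "pass":
            out["fixed"].append(rule)           # remediation confirmed
        elif was == "pass" and now == "fail":
            out["regressed"].append(rule)       # drift since baseline
        elif was == "fail" and now == "fail":
            out["still_failing"].append(rule)   # needs a fix or an exception
    return out

def compliance(results):
    """Percent of evaluated rules (pass or fail only) that passed."""
    passed = sum(r == "pass" for r in results.values())
    failed = sum(r == "fail" for r in results.values())
    return round(100 * passed / (passed + failed), 1) if passed + failed else 0.0

def _sample(results):
    """Build a minimal, constructed XCCDF results document for the demo."""
    rows = "".join(f'<rule-result idref="{k}"><result>{v}</result></rule-result>'
                   for k, v in results.items())
    return f'<Benchmark xmlns="{XCCDF}"><TestResult id="t">{rows}</TestResult></Benchmark>'

# Constructed sample data; rule ids are placeholders, not real SSG rule ids.
BASELINE = _sample({"rule_ssh_root_login": "fail", "rule_ssh_password_auth": "fail",
                    "rule_shadow_perms": "pass", "rule_tmp_partition": "notapplicable"})
RESCAN = _sample({"rule_ssh_root_login": "pass", "rule_ssh_password_auth": "fail",
                  "rule_shadow_perms": "fail", "rule_tmp_partition": "notapplicable",
                  "rule_auditd_enabled": "pass"})

if __name__ == "__main__":
    before, after = load_results(BASELINE), load_results(RESCAN)
    print(compare(before, after), compliance(before), compliance(after))
```

For real scans, pass the text of each results.xml file to load_results instead of the constructed samples.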

Best Practices

  • Baseline before hardening

  • Document exceptions

  • Automate assessments

  • Track compliance over time

  • Regular re-assessment

  • Version control configurations

Related Skills

  • linux-hardening - Linux security

  • vulnerability-scanning - Security scanning
