CIS-CAT Pro Dashboard allows users to view system compliance with the CIS Benchmarks over a period of time, with dynamic reporting features. CIS-CAT Pro Dashboard displays CIS-CAT result scoring for target systems in an easy-to-read graph format.

Introduction

Its main purpose is to view configuration assessment report averages over the short term. Graphical representations of automated configuration assessment scores for a time span of less than 2 years (18 months recommended) give security teams a quick view of current cyber configuration health. The Dashboard is intended to support organizational focus and action on the current cyber configuration posture of systems supporting business operations.

Dashboard Use Case

CIS-CAT Pro Dashboard best fits a single, small to medium size enterprise with a moderate amount of configuration result data. Defining a “moderate” data amount depends on how many endpoints an organization has and how often those results are imported into the Dashboard. Dashboard is not designed for “big data” where organizations wish to import reports from, for example, 10,000 endpoints. We recommend seeking other data viewing tools specializing in big data handling should your organization need to view consolidated data for 1,000s of endpoints. Members importing fewer than 1,000 reports monthly to a single Dashboard instance may have a better performance experience. For example, when an organization has 10,000 reports already stored in the database, additional imports will be slower. Members are encouraged to consider how Dashboard can best be utilized to support configuration state viewing and remediation efforts.

Some Members have found that multiple Dashboard installations, one representing each domain within their organization, work well. There is no license limit on installing instances of Dashboard. However, CIS tests the Dashboard with a single enterprise with moderate data in mind.

Main Features

  • View average configuration assessment score in graphical format by:
    • Overall systems
    • CIS Benchmark
    • Tagged systems
  • Drill down to individual configuration assessment results
  • View assessments results by CIS Critical Security Controls
  • Navigate from a high level graphical overview of environmental compliance with CIS Benchmarks to individual assessment results that produce a compliance score
  • Perform on-demand, remote configuration assessment against a single, remote target system
  • Create exceptions to failed results and rescore overall averages
  • Custom tag systems for easier exception application or overall compliance average grouping in graphical format

Diagrams

[Diagram: CIS-CAT Network Share Deployment Diagram. Network architecture for CIS-CAT Pro Assessor and CIS-CAT Pro Dashboard centralized scan integration in a Windows environment]

[Diagram: Remote Assessments]

[Diagram: In-Network Centralized Assessments]

Requirements

Server

  • A single Microsoft Windows Server 2016 or 2019
    • 64 bit
    • 8GB RAM
    • Minimum 10 GB free disk space allocated to the main OS drive (usually the C:\ drive)
    • 2 vCPUs, 4 cores each

Traffic and Ports

  • Port 3306 is available for the MariaDB database installation
  • Traffic allowed on port 8080 (HTTP) and 443 (HTTPS)
    • As needed, if installed on AWS, the AWS security group must allow traffic on port 8080/443
    • As needed, add an inbound rule in the Windows firewall
  • If the HTTPS communication protocol is selected, traffic allowed on 443

Steps

High-level steps:

Remote Assessments Steps – WinRM

Note: https://cisecurity.atlassian.net/wiki/spaces/SCFKB/pages/2671935507/Quick+Start+Guide+WinRM

Implementation Steps:

On the assessment target system (192.168.41.165)

Check and, if necessary, configure firewall rules to allow incoming WinRM (TCP 5985) and SMB (TCP 445) from your CIS-CAT Server system.

Allow and confirm remote access to the machine for management with the command:

winrm quickconfig
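The two target-side steps above, as an added example that is not part of the original guide: it runs the same `winrm quickconfig`, then narrows the firewall rules for WinRM and SMB to the CIS-CAT server's address instead of leaving them open to any remote host. `$CisCatServer` is a placeholder; the page does not give the server's address.

```powershell
# Added example, not from the CIS guide: prepare an assessment target so that
# WinRM (TCP 5985) and SMB (TCP 445) are reachable from the CIS-CAT server only.
# Run in an elevated PowerShell on the target. $CisCatServer is a placeholder.
$CisCatServer = '192.168.41.10'   # placeholder address of the CIS-CAT server

# Enable the WinRM service and the default HTTP listener on 5985
# (the guide's 'winrm quickconfig'; -q suppresses the confirmation prompts).
winrm quickconfig -q

# quickconfig enables the built-in WinRM rule for any remote address. Narrow the
# existing rules rather than adding a second one: a broader rule that is still
# enabled would keep allowing traffic from everywhere.
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $CisCatServer

# SMB: scope the built-in rule if it exists, otherwise add one limited to the server.
$smbRule = Get-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)' -ErrorAction SilentlyContinue
if ($smbRule) {
    $smbRule | Set-NetFirewallRule -Enabled True -RemoteAddress $CisCatServer
} else {
    New-NetFirewallRule -DisplayName 'CIS-CAT SMB (TCP 445)' -Direction Inbound -Protocol TCP `
        -LocalPort 445 -RemoteAddress $CisCatServer -Action Allow | Out-Null
}

# Verify: the HTTP listener is on 5985 and the WinRM rules now carry the scoped address.
winrm enumerate winrm/config/listener
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Direction Inbound |
    Get-NetFirewallAddressFilter | Select-Object -Property RemoteAddress -Unique
```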

On CIS-CAT Server system

Add the assessment target IP address to the WinRM trusted hosts with this command:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value 192.168.41.165

Run the CIS-CAT Pro Assessor GUI

Select Advanced > Add remote or local target system

Fill in the required fields:

Select the correct Benchmark and Profile for the target system and click Add

Click Save

Click Test connection(s) to Targets; you should see output with a line saying Test Successful

Click on Next > Select a Report Output option > Next > Start Assessment

Troubleshooting Steps

On the Target system

Check to make sure WinRM is enabled and listening on port 5985:

winrm enumerate winrm/config/listener

Check that SMB2 is enabled:

Get-SmbServerConfiguration | Select EnableSMB2Protocol

On the CIS-CAT server:

Check that the target system IP is in Trusted Hosts:

Get-Item WSMan:\localhost\Client\TrustedHosts

Check that you can connect to the target host IP on ports 5985 and 445:

Test-NetConnection -ComputerName 192.168.41.165 -Port 5985 -InformationLevel Detailed

Test-NetConnection -ComputerName 192.168.41.165 -Port 445 -InformationLevel Detailed

Check that you can connect to the target host IP on the WinRM service:

Test-WSMan -ComputerName 192.168.41.165 -Credential Administrator -Authentication Negotiate
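The server-side checks above, collected into one pre-flight script as an added example (not from the original guide). It also adds the target to TrustedHosts with -Concatenate, because the guide's `Set-Item -Value` form replaces whatever entries are already there. `$Target` defaults to the page's example address; the credential prompt is an assumption.

```powershell
# Added example, not from the CIS guide: pre-flight checks run on the CIS-CAT
# server against one assessment target, reporting each result the guide asks
# you to check by hand. Run in an elevated PowerShell.
param(
    [string]$Target = '192.168.41.165',                                  # page's example target
    [pscredential]$Cred = (Get-Credential -Message 'Account for WinRM access')  # assumption
)
$results = [ordered]@{}

# 1. TrustedHosts must list the target. TrustedHosts is only consulted when
#    Kerberos cannot be used (e.g. connecting by IP), so keep it to named hosts,
#    never '*'. -Concatenate appends instead of overwriting existing entries.
$trusted = ((Get-Item WSMan:\localhost\Client\TrustedHosts).Value -split ',').Trim()
if ($trusted -notcontains $Target) {
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $Target -Concatenate -Force
}
$trusted = ((Get-Item WSMan:\localhost\Client\TrustedHosts).Value -split ',').Trim()
$results['TrustedHosts'] = $trusted -contains $Target

# 2. TCP reachability for WinRM (5985) and SMB (445), as Test-NetConnection does.
foreach ($port in 5985, 445) {
    $tnc = Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue
    $results["TCP $port"] = $tnc.TcpTestSucceeded
}

# 3. The WinRM service answers with these credentials over Negotiate.
try {
    $id = Test-WSMan -ComputerName $Target -Credential $Cred -Authentication Negotiate -ErrorAction Stop
    $results['WinRM'] = "OK ($($id.ProductVersion))"
} catch {
    $results['WinRM'] = "FAILED: $($_.Exception.Message)"
}

# Print one line per check; anything False or FAILED points at the matching
# troubleshooting step in the guide.
$results.GetEnumerator() | ForEach-Object { '{0,-14} {1}' -f $_.Key, $_.Value }
```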

Centralized Assessor Workflow for Windows Steps

Note: https://cisecurity.atlassian.net/wiki/spaces/SCFKB/pages/2671935529/Quick+Start+Guide+CIS-CAT+Centralized+Workflow+for+Windows

Implementation Steps

  1. Create directory C:\CIS

  2. Create directory C:\CIS\Reports

  3. Open File Explorer > right-click the C:\CIS directory > Properties > Sharing > Share > Select the appropriate users > Share > Done > Apply. Make a note of the Network Path for later

  4. Extract CIS-CAT-Assessor-v4.18.0.zip to C:\CIS\ directory

  5. Extract your downloaded license.zip file to the CIS\Assessor\license\ directory

  6. Copy C:\CIS\Assessor\misc\Windows\cis-cat-centralized.bat to C:\CIS\

  7. Copy the C:\Program Files\Java directory to C:\CIS\ and rename it to Java64

  8. Copy the C:\Program Files (x86)\Java directory to C:\CIS\

  9. Change the directory name of C:\CIS\Java64\jre.version.number\ to C:\CIS\Java64\jre\

  10. Change the directory name of C:\CIS\Java\jre.version.number\ to C:\CIS\Java\jre\

  11. Open C:\CIS\cis-cat-centralized.bat in a text editor and, in the line SET NetworkShare=, replace NETWORK_SHARE with the Network Path from step 3, e.g. \\hostname\CIS

Open a CMD prompt as Administrator and run C:\CIS\cis-cat-centralized.bat
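Steps 1 through 11 above, scripted as an added example (not from the original guide). Assumptions: the Assessor zip and license.zip are in the current user's Downloads folder, both Java installs are under their default Program Files paths, and `DOMAIN\CIS-CAT Operators` is a placeholder for the group that should be granted share access (the share is restricted to that group rather than Everyone).

```powershell
# Added example, not from the CIS guide: performs steps 1-11 of the centralized
# workflow. Run in an elevated PowerShell on the CIS-CAT server.
$Root       = 'C:\CIS'
$Downloads  = "$env:USERPROFILE\Downloads"   # assumption: where the zips were saved
$ShareUsers = 'DOMAIN\CIS-CAT Operators'     # placeholder group allowed to use the share

# Steps 1-2: create C:\CIS and C:\CIS\Reports
New-Item -ItemType Directory -Path $Root, "$Root\Reports" -Force | Out-Null

# Step 3: share C:\CIS as \\<host>\CIS for the chosen group only, and record the path
if (-not (Get-SmbShare -Name 'CIS' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'CIS' -Path $Root -FullAccess $ShareUsers | Out-Null
}
$NetworkShare = "\\$env:COMPUTERNAME\CIS"

# Steps 4-5: extract the Assessor into C:\CIS and the license into Assessor\license
Expand-Archive "$Downloads\CIS-CAT-Assessor-v4.18.0.zip" -DestinationPath $Root -Force
Expand-Archive "$Downloads\license.zip" -DestinationPath "$Root\Assessor\license" -Force

# Step 6: the centralized batch file sits next to the Assessor directory
Copy-Item "$Root\Assessor\misc\Windows\cis-cat-centralized.bat" -Destination $Root -Force

# Steps 7-10: copy both Java installs and rename the versioned jre folder to 'jre'
$javaCopies = @{
    "$env:ProgramFiles\Java"        = "$Root\Java64"   # 64-bit Java -> Java64
    "${env:ProgramFiles(x86)}\Java" = "$Root\Java"     # 32-bit Java -> Java
}
foreach ($src in $javaCopies.Keys) {
    $dst = $javaCopies[$src]
    Copy-Item -Path $src -Destination $dst -Recurse -Force
    $jre = Get-ChildItem -Path $dst -Directory -Filter 'jre*' | Select-Object -First 1
    if ($jre -and $jre.Name -ne 'jre') { Rename-Item -Path $jre.FullName -NewName 'jre' }
}

# Step 11: point SET NetworkShare= at the share recorded in step 3
$bat = "$Root\cis-cat-centralized.bat"
(Get-Content $bat) -replace 'NETWORK_SHARE', $NetworkShare | Set-Content $bat -Encoding ASCII

# Show the resulting line so it can be checked before running the batch file
Select-String -Path $bat -Pattern '^SET NetworkShare='
```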

By Jon
