CIS Benchmarks – How to Apply on Operating Systems?

by Davoud Teimouri · Published 03/06/2023 · Updated 05/06/2023

Stupid security guys! They only know concepts and has no technical knowledge about their technical field. They just read some documentations. But most important steps of having security is applying configuration and reviewing current configuration. Also, they have no idea that what are they doing on servers and client. CIS benchmarks are reference for hardening most popular operating systems, but you cannot apply the desired configurations in large scale of servers or clients without using some tools.

On This Post:

What’s CIS Benchmark?

CIS (Center for Internet Security) Benchmarks are a set of industry-standard best practices and guidelines that security professionals. Organizations use to secure various computer systems and networks. The Center for Internet Security develops these benchmarks in collaboration with experts from government, academia, and security vendors. They provide detailed configuration recommendations and security settings for a wide range of operating systems, applications, and devices.

The benchmarks aim to improve security by outlining specific security configurations and settings that organizations should implement. They help protect systems against known vulnerabilities and common attack vectors. The benchmarks cover topics such as operating system hardening, network security, access control, logging and monitoring, and more.

Organizations can enhance their security posture by implementing the step-by-step instructions and recommendations provided in the CIS Benchmarks. By doing so, they can reduce the attack surface and comply with industry best practices and regulatory requirements.

It’s important to note that the CIS Benchmarks are regularly updated. Update to address emerging threats, new vulnerabilities, and changes in technology. To access the most up-to-date benchmarks for specific systems or applications, it is advisable to consult the official CIS website at https://www.cisecurity.org/.

Should We Apply All CIS Benchmark Configurations?

I go with big NO. Because some security configurations have impact on your services, and you can customize configurations or ignore some of them. But applying configurations and testing services is the best way to find the answer.

Applying configurations and impact on services is one of challenges and may be not the biggest challenge.

Applying CIS Benchmarks on Operating Systems

When you are working with some idiot managers, the biggest challenge would be applying configurations on large-scale of servers or clients.

They didn’t allow to use Active Directory or some endpoint management software because of some reasons that I still don’t understand.

How can we solve this big challenge in large-scale environments?

Using Scripts for Applying CIS Benchmarks

Unix-Like operation systems such as Linux supporting scripting languages and Bash Script is most popular in Linux. Also, Windows has own scripting language which is very powerful.

you can hire some guys to prepare scripts by PowerShell for Windows and by Bash Script in Linux. Then apply configurations on servers and clients.

Microsoft Active Directory is very useful for applying configurations as GPOs but what about other operating systems or the configurations which not supporting by GPO.

Using Configuration Management Tools and Automation Tools for Applying CIS Benchmarks

Your guys should study about automation tools such as Ansible, Chef, Puppet and SaltStack or other automation and configuration management tools.

You can use own scripts or profiles for applying configurations on operating systems or use scripts or profiles which provided by others.

Applying CIS Benchmarks by Using CIS Build Kits

CIS Build Kits are automated, efficient, repeatable, and scalable resources. They can be applied via the group policy management console in Windows, or through a shell script in Linux (Unix,*nix) environments. They can be tailored (customized) to an organization’s particular use case. Combined with the use of other CIS SecureSuite resources, Build Kits reduce the time to implement.

You can download sample CIS Build Kits for free. If you want to access full Build Kits, you have to pay per year for CIS SecureSuite Members.

Third-Party Software for Applying CIS Benchmarks

Center for Internet Security provides own software suite for security compliance. CIS Configuration Assessment Tool (CIS-CAT) compares the actual configuration settings of target systems to the secure configuration settings recommended in security automation content, primarily the CIS Benchmarks. CIS-CAT can understand content that conforms with Security Content Automation Protocol (SCAP).

Also, you can use CIS CSAT. The CIS Controls Self Assessment Tool (CIS CSAT) enables organizations to assess and track their implementation of the CIS Critical Security Controls (CIS Controls) – a prioritized set of consensus-developed security best practices used by enterprises around the world to defend against cyber threats.

Lynis is another tool for auditing, system hardening, compliance testing. It’s available for most Unix-Like operating systems.

CIS Benchmarks are available as other format such as XML, OVAL, and XCCDF. You can also use other third-party software such as OpenSCAP or Red Hat Satellite for assessment, measurement, and enforcement of security baselines.

You must pay for download customized CIS benchmarks from CIS Workbench.

Hardened Images

Most popular operating systems images are available as hardened images, and you can deploy hardened images on cloud computing platforms. There is no need to additional configurations. They are available from major cloud computing platform marketplaces like AWS, Azure, Google Cloud Platform, and Oracle Cloud.

Conclusion

Most of our cybersecurity guys have no good technical knowledge about their duties. That was based on my experiences, but I don’t know about cybersecurity or IT security guys in other organizations.

In our company, they are looking for anything to hardening and they couldn’t write script for applying hardening on Windows Server (Workgroup) and Linux as well.

Anyway, by knowing CIS Benchmarks and solutions for applying them on operating systems or other software, you can help your team to make more secure your environment and also simplify managing and reviewing large-scale servers about hardening configurations.