5 Replies. Latest reply: Oct 13, 2017 10:35 AM by mamisano

Best practice on running CIS scans

nsanders Expert

So what's the recommended way here? My previous experience says to split Vuln scans from Benchmark/Compliance scans and run them separately. Is that recommended in SecurityCenter? If so, are you splitting up scans by OS/Level? Are you creating asset groups for your different OS/type (workstation vs server)? Assuming Scan Zones are going to handle the assignment of scan to scanner, it seems the main bulk here is slicing up the assets into proper Asset Groups and then building a Scan Policy associated with an Audit file for the OS.

 

What does the actual scan policy look like? There's a lot of other options (network scanning, user enumeration, etc) that you likely would not want turned on for a compliance scan. What's recommended here?

  • Re: Best practice on running CIS scans
    mamisano Novice

    Hi Nate, we generally run vscans and compliance scans separately. In fact, we keep the data in separate repositories per past best practices documentation.

     

    Generally I have lumped CIS Ubuntu 14.x and 16.x audit files into a common "Policy Compliance Auditing" policy. You can probably add others like RHEL, Windows, etc too so one scan policy covers them all. The audits have if-then code to detect the OS release and version to determine if it should be used or not. The results will contain a simple "PASS" for audits that don't apply to the system's OS, and full results for the one that does.

     

    In SC 5.x the audit files can be added right from the web interface... similar to how Nessus does it.

     

    From SecurityCenter, go to Scans -> Audit Files -> Add and all the latest audit files will be available.

     

    Regarding scan policy, there is a canned one available.

    Go to Scans -> Policies -> Add, select "Policy Compliance Auditing". Add the audit files you selected earlier and save it.

     

    Run the one policy against your entire infrastructure making sure you provide the necessary admin / root level credentials.
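The if-then OS gating mamisano describes is the mechanism that lets several CIS audit files sit in one "Policy Compliance Auditing" policy. Below is an added illustrative skeleton in Nessus .audit syntax, not a Tenable-shipped or CIS-published audit file: the detection command, the two benchmark checks and their descriptions are assumptions chosen to show the structure.

```text
<check_type:"Unix">

# Added example (not a Tenable/CIS audit file): gate a block of benchmark
# checks on the target OS so that, when this audit is combined with others
# in one policy, a non-matching host produces a single PASS line instead of
# a page of irrelevant failures.
<if>
  <condition type:"AND">
    <custom_item>
      type        : CMD_EXEC
      description : "Target is Ubuntu 16.04 (assumed detection command)"
      cmd         : "/usr/bin/lsb_release -d"
      expect      : "Ubuntu 16\\.04"
    </custom_item>
  </condition>

  <then>
    # Benchmark checks run only when the condition above matched.
    <custom_item>
      type        : FILE_CONTENT_CHECK
      description : "Ensure SSH root login is disabled (illustrative CIS-style item)"
      file        : "/etc/ssh/sshd_config"
      regex       : "^[\\s]*PermitRootLogin[\\s]"
      expect      : "^[\\s]*PermitRootLogin[\\s]+no[\\s]*$"
    </custom_item>

    <custom_item>
      type        : FILE_CHECK
      description : "Ensure permissions on /etc/passwd are configured (illustrative CIS-style item)"
      file        : "/etc/passwd"
      owner       : "root"
      group       : "root"
      mask        : "133"
    </custom_item>
  </then>

  <else>
    # Any other OS collapses this whole audit to one PASS result, which is
    # the "simple PASS for audits that don't apply" seen in the scan output.
    <report type:"PASSED">
      description : "CIS Ubuntu 16.04 checks not applicable to this host"
    </report>
  </else>
</if>

</check_type>
```

Two practical points follow from the structure. CMD_EXEC and the file checks both need the root-level credentials mentioned above (or working sudo escalation); without them the detection step cannot run and the host lands in the else branch, so an unexpectedly large number of PASS results across a scan is worth treating as a credential problem rather than a clean bill of health. And because every audit file in the policy is evaluated on every host, adding more OS families to the one policy costs only the detection step on non-matching hosts, which is why lumping them together works.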