How to use the CIS-CAT tool to help secure U-M systems, databases, and applications, and how to report the results to Information Assurance. See CIS-CAT for U-M Systems for information about the UM-specific version of the tool and its recommended uses.
In this document:
- What is CIS-CAT?
- Download and Extract CIS-Cat
- How to Run CIS-CAT with Graphical User Interface (GUI)
- How to Run CIS-CAT from a Command Line
- Submit Your CIS-CAT Results to Information Assurance
- Review Your CIS-CAT Results Yourself
CIS-CAT_Standalones are the UM-customized versions of the Center for Internet Security Configuration Assessment Tool—CIS-CAT. These versions can be used to assess the security of operating systems and software configurations against a template of best practices. Information Assurance (IA) recommends using CIS-CAT in conjunction with the guidance in the Safe Computing Hardening Guides to achieve baseline security for U-M IT systems.
The CIS-CAT tool will run on 32 or 64-bit systems. IA provides a 64-bit version of CIS-CAT that includes the Java Runtime Environment (JRE) required to run it (in case your system does not have JRE or you do not wish to add it). This 64-bit version is customized for use on U-M systems. If you have other systems you would like to scan that require a 32-bit version, check the CIS website for free downloads. IT professionals may also wish to register to use the CIS WorkBench, which allows users to participate in giving feedback or sending tickets directly to CIS.
Note: CIS-CAT scores do not indicate a system meets compliance requirements for any particular classification level of sensitive university ata. You may need to take further security steps required by U-M IT policy, state or federal laws, or contract agreements to secure certain types of data.
Download CIS-CAT for all operating systems, applications, or databases from the CIS-CAT U-M Box folder. Download the version that matches the operating system, application, or database that you wish to scan. Extract the downloaded compressed file to a location that will be available to you while doing the CIS-CAT scanning.
Note: You can run CIS-CAT from any location that will be mounted as a readable and writable drive while scanning if you do not wish to save the tool on the machine you will scan.
- Navigate to the folder where you have saved the expanded CIS-CAT files.
- Execute the command to launch it for the OS you are using:
- Windows operating systems: Right click CIS-CAT.BAT and select Run as Admin
- Mac OS and most Unix/Linux systems:
- Update permissions on the extracted folder and its contents to allow execution. This can be done with the command chmod 755 FOLDERNAME, where FOLDERNAME is the folder you extracted CIS-CAT to.
- Run the CIS-CAT_Mac_Launcher.sh by issuing the command: ./CIS-CAT_Mac_Launcher.sh
- From in the CIS Benchmark drop-down menu, select the benchmark that matches the system or application you are scanning, and click Next.
- From in the Profile(s) drop-down menu, select the profile you want to use, and click Next.
Which profile to use? In most cases, select a Level 1 profile, which is designed to check for a practical level of security that doesn't limit system utility. In some cases, IA may ask you to use the more stringent Level 2 profile.
- Select the format for the reports CIS-CAT will generate. Select XML Report for sending your report to IA. You may also select additional report formats if you wish.
- Change the save location if needed. By default, CIS-CAT will save to the home folder or My Documents space of the user running the scan.
Note: You must choose a save location writeable by the user account under which you run CIS-CAT that is available to the system while scanning.
- If IA has asked you to, select POST Report to URL and enter the URL IA has provided to you.
- Click Next.
- Review the Assessment Summary. If it looks correct, click Start Assessment. If you wish to change any settings, click Go Back and adjust settings as needed.
- When the assessment is done, click View Reports to go to the location you saved the reports in.
If you need to run CIS-CAT from a command line without a GUI, you can use the commands listed below. These commands will also forward your XML output file to IA.
- Mac OS and most Unix/Linux systems:
./CIS-CAT.sh -ui https://ccpd.miserver.it.umich.edu/CCPD/api/reports/upload -b benchmarks/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.xml -p "Level 1" -sr -x -s -a -n
- Windows systems:
.\CIS-CAT.BAT -u https://ccpd.miserver.it.umich.edu/CCPD/api/reports/upload -ui -b benchmarks/ CIS_Microsoft_Windows_10_Enterprise_Release_1709_Benchmark_v1.4.0-xccdf.xml -p "Level 1" -sr -x -s -a -n
Note: You will need to adjust some parameters specific to your situation.For example, choose a benchmark that matches your OS or application/database version. The benchmark .xml files are viewable in the CIS-CAT folder once you have extracted it.
If you are working with IA, such as during a Risk Analysis (RECON), IA will review the results and recommend specific actions to further secure your system if needed.
At UM-Ann Arbor, UM-Dearborn, and UM-Flint
- To submit your results, send them in XML format to email@example.com.
At Michigan Medicine
- Submit your results in XML format via the Health Information and Technology Services (HITS) Customer Service Portal and ask that they be directed to the IA Cybersecurity Risk Management team.
You may wish to review your CIS-CAT results yourself, and if you are not working with IA, you should review the results and plan to remediate weaknesses the CIS-CAT tool finds in your system's security.
If you are reviewing the results yourself, be aware that:
- CIS-CAT may misidentify settings from time to time. If you check a setting and find that it is already set as CIS-CAT recommends (that you have a "false-positive"), report it to CIS so they can continually improve the tool.
- CIS-CAT reports on the settings present on the system and cannot predict when you may handle a security issue through other means. For example, you may have a cycle of patch testing and patching through other means than automatic updates; CIS-CAT will then report a missing auto-updates setting.
Neither of the above issues is cause for concern, as long as you can account for handling the security item(s) in question.
If you have questions or problems related to CIS-CAT, submit a request to IA through the ITS Service Center.