
CIS Benchmarks

Benchmarks in Nanitor have their origin in the Center for Internet Security, hereafter called CIS. CIS is a non-profit organization that issues security guidelines for securing the IT infrastructure of organizations all over the world. These guidelines are called benchmarks and are published for all kinds of operating systems, cloud infrastructure platforms, and mobile devices. A complete list of supported systems can be found on the CIS website. Each top-level benchmark has many subsidiary benchmarks. For example, the benchmark for Apple macOS has a benchmark for each version of macOS (e.g. Apple macOS 10.15), and each of those benchmarks can have (and usually has) several versions of its own (e.g. Apple macOS 10.15 version 1.3.0).

Each benchmark is a document of several hundred pages containing configuration requirements. Every requirement has:

  • An explanation of why the requirement is set, listing the risks that the setting mitigates (Rationale)
  • Guidance on how to verify that the configuration setting is in place (Audit)
  • Guidance on how to fix the misconfiguration (Remediation)
  • The profile (Profile Applicability) the requirement belongs to (Level 1, Level 2, or Level 3). The higher the level, the stricter the setting: Level 1 items are basic hardening with little impact on functionality, while higher levels add protection that may reduce functionality and therefore need more careful rollout
  • The CIS Control the requirement maps to. In CIS Controls versions lower than Version 8 these mappings are called sub-controls; from Version 8 onwards they are called safeguards
  • Where applicable: the impact that applying the remediation could have (Impact)
  • Where applicable: a link to more detailed information (References)

An example of a benchmark requirement from CIS:

Sample of a benchmark requirement from CIS
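The figure above shows how a rule is laid out in the CIS document. The script below is an added example, not code from Nanitor or from CIS, that turns one such requirement into the two halves a scanner can automate: an Audit function that only reports, and a separate Remediation function that changes the system. The requirement is modelled on the Linux benchmark item "Ensure permissions on /etc/passwd are configured" (owner root:root, mode 0644 or stricter). The path, expected owner and maximum mode are parameters (an assumption of this example) so the check can be exercised on a scratch file as an unprivileged user instead of on the real /etc/passwd; it relies on GNU `stat -c`, i.e. Linux.

```shell
#!/bin/sh
# Added example (not Nanitor's or CIS's code): one CIS-style requirement
# split into its Audit and Remediation halves. Modelled on the Linux rule
# "Ensure permissions on /etc/passwd are configured" (root:root, 0644).
# Parameters are an assumption of this example so it can run on a scratch
# file; the real rule is fixed to /etc/passwd root:root 644.

# Audit half: return 0 when FILE is owned by EXPECTED_OWNER (user:group) and
# every permission bit set on it is also set in MAX_MODE; otherwise print
# each finding, as a benchmark audit would, and return 1.
# Usage: audit_file_perms FILE EXPECTED_OWNER MAX_MODE
#        e.g. audit_file_perms /etc/passwd root:root 644
audit_file_perms() {
    file=$1 expected_owner=$2 max_mode=$3
    if [ ! -e "$file" ]; then
        echo "FAIL: $file does not exist"
        return 1
    fi
    owner=$(stat -c '%U:%G' "$file")   # GNU stat (Linux) flag syntax
    mode=$(stat -c '%a' "$file")        # e.g. 644 or 1777
    status=0
    if [ "$owner" != "$expected_owner" ]; then
        echo "FAIL: $file is owned by $owner, expected $expected_owner"
        status=1
    fi
    # The leading 0 makes the shell parse the digits as octal. Any bit that
    # is set in the file's mode but not allowed by max_mode means the file
    # is more permissive than the rule allows; stricter modes pass.
    if [ $(( 0$mode & ~0$max_mode )) -ne 0 ]; then
        echo "FAIL: $file has mode $mode, expected $max_mode or stricter"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "PASS: $file is owned by $owner with mode $mode"
    fi
    return "$status"
}

# Remediation half: apply exactly what the rule requires. It is kept apart
# from the audit so the change can be reviewed for impact before it runs,
# which is what the Impact field of a benchmark rule is for.
remediate_file_perms() {
    file=$1 expected_owner=$2 max_mode=$3
    chown "$expected_owner" "$file"
    chmod "$max_mode" "$file"
}

# Audit first, remediate only on failure, then audit again so the result
# reported is the post-remediation state rather than an assumption.
check_and_fix() {
    file=$1 expected_owner=$2 max_mode=$3
    if audit_file_perms "$file" "$expected_owner" "$max_mode"; then
        return 0
    fi
    remediate_file_perms "$file" "$expected_owner" "$max_mode"
    audit_file_perms "$file" "$expected_owner" "$max_mode"
}

# Stand-alone demo on a constructed scratch file so it runs without root:
# the current user:group stands in for root:root.
demo() {
    scratch=$(mktemp)
    chmod 666 "$scratch"                 # deliberately too permissive
    me="$(id -un):$(id -gn)"
    check_and_fix "$scratch" "$me" 644
    rm -f "$scratch"
}

demo
```

A rule the page calls a manual rule is one for which no `audit_file_perms`-style function can be written, for example a requirement that a written policy exists; the scanner can only record it as information, which is why such rules cannot be added to a baseline.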

How does Nanitor deal with benchmarks

One of the greatest benefits of Nanitor is that you do not need to deal with the hundreds of benchmark documents issued by CIS, or with the hassle of following up on updates and new versions. Nanitor keeps track of the available benchmarks and their versions and extracts from them a manageable, actionable list of items. The benchmarks available in Nanitor follow the same sub-level structure as CIS (e.g. Apple macOS 11.0), but Nanitor maintains a single benchmark per platform version instead of the separate document versions issued by CIS. The numbering scheme that Nanitor follows matches the numbering scheme from CIS, so a rule number in Nanitor can be looked up directly in the corresponding CIS document.

Occasionally Nanitor supplements a CIS benchmark, adding rules it considers missing or duplicating a rule to provide its own variant of it. These additional rules carry a P or N suffix on the rule number: a 'P' indicates a rule that has been tweaked to be more helpful for organizations pursuing PCI DSS compliance, while an 'N' indicates a custom Nanitor rule.

For some rules it is not feasible to implement an automatic check. For the sake of completeness those rules are still included, but they cannot be added to the baseline and serve only as a source of information and reference. We refer to these rules as manual rules.

All benchmarks are updated regularly and new ones are added to Nanitor. The benchmarks are maintained centrally in the Nanitor Hub and are pushed to the customers' Nanitor servers whenever a change has been made.

Benchmarks are detected automatically by the Nanitor clients (desktop agents or collectors), so it is important to keep the Nanitor clients up to date. Refer to the documentation on how to list and update outdated agents and on how to update the Nanitor collectors. From the list of Assets under the Inventory menu, you can filter for assets that have no benchmarks and/or have outdated agents.

Sample asset inventory

As a best practice, you should check these items regularly. A device that is not tracked, or is tracked against the wrong benchmark, is a potential security risk.

What benchmarks are supported

A complete list of supported benchmarks can be found here.

Benchmarks in Nanitor

All benchmarks can be viewed inside the Nanitor server from the administration section: select System Management and then Benchmarks. This reveals the list of benchmarks available in Nanitor. For each benchmark the list also shows the revision number (maintained by Nanitor), the date on which the benchmark was first issued by Nanitor, and the description of the benchmark from CIS.

Benchmarks in Nanitor

You can also find the benchmarks in the organization settings.

Organization setting screenshot


Here you can also override the priority rating for each benchmark.