by Cody Dumont
July 25, 2023
When dealing with compliance regulations, each organization can face a variety of potential risks. Without having a full understanding of an organization’s risk exposure, critical systems and data will be at risk for attacks or data leakage. The Center for Internet Security (CIS) developed a series of best practice benchmarks for a variety of applications, operating systems, servers, and databases used within organizations today. Each benchmark contains recommended security settings designed to harden systems and applications from attack while maintaining overall system functionality. The components in these dashboards present a summary of results gathered from CIS compliance scans using the CIS Benchmarks.
Tenable has been certified by CIS to perform a wide variety of platform and application audits based on the best practice consensus benchmarks developed by CIS. Tenable submits example test cases for all of the criteria within each unique benchmark, and then submits our results to CIS personnel for official certification. Tenable has developed audit files based on the CIS Benchmarks tested on systems, and has been approved and certified by CIS staff members.
When performing managed scans with Tenable.sc, some CIS audits require additional patch audits and vulnerability checks. Any additional requirements for completing an audit using the CIS Benchmarks will be included within the audit file description text. In some cases, multiple scans may be required, as Tenable provides both Level 1 and Level 2 audit checks. Level 1 checks provide minimum settings recommendations, and are generally considered safe to apply to most systems. Level 2 checks include recommendations for complex or highly secure environments, and can lead to reduced functionality of systems within the network.
Information presented within these dashboards includes a summary of CIS audit checks currently supported by Tenable. Results will highlight one of three severity levels that will provide valuable information analysts can use to harden systems within the enterprise. The informational severity level is considered “Passed”, indicating that the configuration setting matches the expected result of the audit check. Results assigned a medium severity must be evaluated by an analyst to determine whether the results are accurate or not. When an audit check fails, the severity is set to high, indicating that the collected result and the expected result do not match. Each failure should be reviewed, fixed, and re-scanned to ensure that the system has been secured properly. Using these benchmarks will help to assess the effectiveness of existing security controls on systems, and provide the critical context needed to strengthen an organization's security posture.
If needed, audit files can be modified to an organization’s specific requirements. Additional information on how to edit audit files can be found within the “Nessus Compliance Checks” document in the Support Portal.
These dashboards are available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The dashboards can be easily located in the Tenable.sc Feed under the category Compliance & Configuration Assessment. The dashboard requirements are:
- Tenable.sc 5.2.0
- Nessus 8.6.0
- CIS Audit Files
- Compliance Data
In order to maintain the overall security of systems and data within the enterprise, organizations must have an effective and repeatable way to measure compliance results. Tenable Tenable.sc helps organizations obtain results using the CIS Benchmarks by measuring compliance in real time, providing an accurate assessment of an organization’s security posture. By prioritizing remediation actions of misconfigured systems, the organization can maximize their investment in compliance reporting and system hardening efforts. With more supported technologies than any other vendor, Tenable assists organizations in obtaining the most comprehensive view of the network and the intelligence needed to assess and protect systems using CIS compliance standards.
There are 3 dashboards with over 40 individual components. As with all dashboards in Tenable.sc, individual components can be rearranged, edited, or removed to focus on the components of interest. To edit or delete a component, click on the Gear menu in the upper-right title area of a component and select the appropriate menu item. Components can be rearranged using drag and drop. To change the visual display of the entire dashboard, for example from 3 columns to 2 columns or 1 column, from the Options menu select Edit Dashboard and select a layout style.
The following dashboards are available:
- CIS Audit Summary (Networking and Applications): This dashboard provides the components for application servers (Apache, MongoDB, Oracle, RDMS), networking or container based services (Cisco, Docker, Kubernetes, Palo Alto, VMwareESXi) and other similar benchmarks.
- CIS Audit Summary (Microsoft): This dashboard provides the components for all Microsoft benchmarks, including servers, workstation, and various other applications.
- CIS Audit Summary (Linux Benchmarks): This dashboard provides the components for AlmaLinux, Rocky Linux, Amazon Linux, CentOS, Debian, Fedora, HP-UX, macOS, NGINX, RedHat, SUSE, and other similar operating systems.