by Josef Weiss
January 14, 2016
Tenable Network Security has been certified by the Center for Internet Security (CIS) to perform a wide variety of Unix, Windows and application audits based on the best practice consensus benchmarks developed by CIS. These best practice benchmarks contain recommended security settings designed to harden servers and applications against attack while still maintaining operational ease of use.
As defined by the Center for Internet Security, CIS Security Benchmarks programs provide well-defined, unbiased, and consensus-based industry best practices to help organizations assess and improve their security. Resources include secure configuration benchmarks, automated configuration assessment tools and content, security metrics, and security software product certifications. The Security Benchmarks program is recognized as a trusted, independent authority that facilitates the collaboration of public and private industry experts to achieve consensus on practical and actionable solutions. Because of the reputation, our resources are recommended as industry-accepted system hardening standards and are used by organizations in meeting compliance requirements for FISMA, PCI, HIPAA, and other security requirements.
The CIS Linux and Unix dashboard is designed to display the overall compliance status of the network based on Tenable's certified Center for Internet Security (CIS) Linux and UNIX Configuration Benchmark audits. The dashboard can be used with all of Tenable's CIS-certified Linux and UNIX audits with minor modifications. For best results when using multiple CIS audits, ensure the results are separated into different repositories.
A key component of the CIS Linux and Unix dashboard is the CIS Benchmark Section Compliance component, located in the top left of the dashboard. The CIS Benchmark Section Compliance component breaks down the overall percentages for configuration checks into their respective benchmark sections. The sections may be correlated to the table of contents and configuration check references contained within the CIS PDF benchmark guides.
The dashboard and its components are available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards and assets. The dashboard can be easily located in the Tenable.sc Feed under the category Compliance.
The dashboard requirements are:
- Tenable.sc 4.8.2
- Nessus 8.5.1
Tenable.sc Continuous View (CV) provides continuous network monitoring, vulnerability identification, risk reduction, and compliance monitoring. Tenable.sc CV is continuously updated with information about advanced threats, zero-day vulnerabilities, and new types of regulatory compliance configuration audits. Tenable.sc CV allows for the most comprehensive and integrated view of network health.
The dashboard contains the following components:
- CIS Linux and UNIX - Audit Warnings - The Audit Warnings indicators trigger if one or more vulnerabilities are found to exist. Common checks included are: Duplicate UID/GID, Inactive User Account, and Unsupported OS. Indications can be customized to highlight specific CIS Linux and Unix vulnerabilities as the organization sees fit.
- CIS Linux and Unix - Missing OS Patch Totals by Severity - The Missing OS Patch Totals component displays missing patches by all severity levels, and for all date ranges. Additional filters may be added to this component if filters for a specific date range are required.
- CIS Linux and UNIX - Benchmark Section Compliance - The Benchmark Section Compliance component breaks down the overall percentages of configuration checks into their respective benchmark sections, which are reflected in the table of contents and configuration check references in CIS PDF benchmark guides.
- CIS Linux and Unix - Top Ten Configuration Checks by Total Fails – The Top Ten Configuration Checks by Total Fails component shows the top ten most frequent configuration controls that have failed the CIS compliance validation audit. The table is sorted by the total number of systems that have failed the assessment.
- CIS Linux and Unix - Subnet Summary – The Subnet Summary chart provides analysts with a subnet-level view of CIS audits. The bar chart tracks three severity levels: Informational, Medium, and High. When an audit scan finds a setting within compliance, then the plugin is marked as informational severity. When a compliance check fails, the plugin is flagged as high severity. Plugins marked with a medium severity require a manual review of the plugin output to determine whether the check passed or failed. The top ten subnets with Linux and Unix CIS checks are represented in this chart.