Review the left-hand navigation for technical documentation on each individual API Endpoint
Developed by a global community of cybersecurity professionals, CIS Benchmarks are a collection of best practices for securely configuring IT systems, software, networks, and cloud infrastructure
CIS offers programmatic access to Benchmark export files via the SecureSuite API
What files are available?
PDF (Benchmarks in a human readable format)
SCAP (Only available for Benchmarks that include automated assessment content)
SCAP XCCDF + OVAL (.zip) - SCAP bundle including XCCDF, OVAL, CPE, SCE and DataStreams
DataStream (.xml) - SCAP standard collection format
Intermediate Formats (Benchmark data in a machine readable format intended to be more easily converted than SCAP)
XCCDF+AE Intermediate Format (.xml) – XCCDF, including any available Artifact Expressions (AE)
YAML (.yaml) - XCCDF+AE in YAML format
JSON (.json) - XCCDF+AE in JSON format
What files are included in the SCAP bundle?
XCCDF.xml - The XCCDF acronym stands for Extensible Configuration Checklist Description Format. As the name suggests, the language is used to describe security checklists. These files contain benchmark recommendations
OVAL.xml - The OVAL acronym stands for Open Vulnerability and Assessment Language. OVAL is declarative language for making logical assertions about the state of system. These files work in conjunction with the xccdf.xml to help define what is collected from the system using standard OVAL.
CPE-OVAL.xml and CPE-DICTIONARY.xml - The Common Platform Enumeration (CPE) serves to identify IT platforms and systems using unequivocally defined names. These files exist for only specific platform benchmarks and they help the assessment tool check if the target platform is right for the benchmark. If it isn’t, the assessment may give a warning or produce no results.
SCE - The Script Check Engine: SCAP extension to allow script execution from SCAP policy. It allows you to make your scripts interoperable with your security policy. This directory exists only if a specific benchmark references attached scripts. The referenced scripts are included in your export.
COLLECTION.xml – This is a DataStream file and it is a format that packs these other SCAP components, above, into a single file. Think, XCCDF, OVAL, CPE and SCE all in one place.
CIS-CAT Pro Assessor
CIS-CAT Pro Assessor is a Java-based tool that scans against a target system’s configuration settings and reports the system’s compliance to the corresponding CIS Benchmark.
CIS-CAT Pro Assessor typically scans in just a few minutes, saving users hours of tedious manual configuration review.
Both CIS-CAT Pro and CIS-CAT Lite are available programmatically via the API
CIS offers Build Kits for certain technologies to assist with remediation and assist in the automation of hardening systems.
For a subset of Benchmarks, you can download CIS Build Kits programmatically from the API
All resources available from the API are made available as soon as they are released
This community is a place to seek guidance, share experience or information between users. If you need further assistance, follow the link to the Support Portal.