Configuration Options

CIS-CAT Pro Assessor Integration

CIS-CAT Pro Dashboard is a companion tool to CIS-CAT Pro Assessor. The Dashboard can serve as a central repository for configuration assessment results generated from CIS-CAT Pro Assessor. The Dashboard can also be an way to validate different machines in an easy-to-view way. CIS-CAT Pro Dashboard is designed to import configuration results generated from CIS-CAT Pro Assessor either manually or via an API. Manually imported results must be in XML Asset Reporting Format (ARF) while automated imports do not require a physical file and are imported via a REST API. Consult the CIS-CAT Pro Assessor configuration guide to learn how to automatically configure reports to load into the Dashboard.

Authentication must be established with CIS-CAT Pro Assessor to enable automatic imports via API. Authentication is established with a generated Authentication Token from CIS-CAT Pro Dashboard. By default, Dashboard establishes a user named apiuser which has ROLE_API. The default password for this user is @apiuser123. Other users may be configured with the ROLE_API. Only a user with this role can generate the token.

To generate the token, login as an administrator, navigate to setting > user management and select api user. Select Generate CIS-CAT Authentication button.

Place the generated token in the assessor-cli.properties file for the Assessor that will post to the Dashboard. This file is located in the config folder of the CIS-CAT Pro Assessor. See the Assessor Configuration Guide for more information.

If utilizing a self-signed certificate for HTTPS configuration, SSL warnings may need to be ignored. At your discretion, you may:

  • From the GUI, select "Ignore SSL Warnings" check box
  • For CLI commands, utilized -ui. See reporting options in the CIS-CAT Pro Assessor Guide.
  • For centralized, see the guide for more information on utilizing the -ui within the script.
  • Contingent on communication protocol selection during installation, the CIS-CAT Pro Dashboard URL for upload purposes will be:
    • HTTP: http://localhost:8080/CCPD/api/reports/upload
    • HTTPS: https://localhost/CCPD/api/reports/upload

API for Assessor Result Import

CIS-CAT Pro Dashboard utilizes an API to upload assessment reports generated by CIS-CAT Pro Assessor. The API utilizes a POST_URL feature. The API can also be called from a script (python, powershell etc...). The API definition can assist organizations, where necessary, in building their own, organization-approved scripts to upload reports into the Dashboard.

Description

  • Url: Contingent on communication protocol selection during installation, the CIS-CAT Pro Dashboard URL will be:
    • HTTP: http://localhost:8080/CCPD/api/reports/upload
    • HTTPS: https://localhost/CCPD/api/reports/upload
  • Method: POST
  • Header:
    'Authorization': 'Bearer=[MY_DASHBOARD_AUTHENTICATION_TOKEN]'
    NOTE: [MY_DASHBOARD_AUTHENTICATION_TOKEN] is the token generated from the Dashboard with the a user assigned with ROLE_API. For more details, please see Establish authentication with Assessor section.
    'Content-type': multipart/form-data
    NOTE: In the below example of the Python script, content-type is automatically generated. There is no need to specify it.
  • POST Data Params:
    'ciscat-report': String content of the XML report generated by the Assessor
    'report-name': A given name of the report. For example, the name can follow the Assessor naming convention as following: hostname_benchmark-timestamp-ARF.xml.
  • Responses code:
    200: Assessment report successfully uploaded
    400: Unexpected failure with details on response status message
    401: Assessment failed to upload because of an Authentication Failure. Please ensure your authentication token is correct.
    500: Assessment failed to upload with details on response status message

Example of Python script:

Below is a script to upload of a single report into the Dashboard:

Assuming Hostname_CIS_Microsoft_Windows_10_Enterprise_Release_1803_Benchmark-20190805T135433Z-ARF.xml is the name of the report file generated by CIS-CAT Pro Assessor and located in ./reports directory.
The generated token is eertaa2pg2h7vb3ms97kdjebakr22v15 and the Dashboard URL is https://mydashboard/CCPD/api/reports/upload

import sys
import json
import requests
import http
import datetime

print(str(datetime.datetime.today()) + " *********************** Start dashboard upload script ***********************")

apiHeaders = {'Authorization': 'Bearer=eertaa2pg2h7vb3ms97kdjebakr22v15'}

with open('./reports/Hostname_CIS_Microsoft_Windows_10_Enterprise_Release_1803_Benchmark-20190805T135433Z-ARF.xml', 'rb') as f:
    filecontent = f.read()
requests.post("https://mydashboard/CCPD/api/reports/upload", headers=apiHeaders,  data={'ciscat-report': filecontent ,'report-name':'Hostname_CIS_Microsoft_Windows_10_Enterprise_Release_1803_Benchmark-20190805T135433Z-ARF.xml'})

print(str(datetime.datetime.today()) + " *********************** End dashboard upload script ***********************")

NOTE: In order to troubleshoot authorization/upload issues, SSL certificate verification can be ignored using requests.post(...,verify=False)

CIS WorkBench Integration

Integration to CIS WorkBench has been temporarily disabled in version 3 of Dashboard. This feature will return in 2023 and coordinate with new Dashboard retrieval method in CIS WorkBench.

This feature is an optional service provided to members to receive automatic notifications in the CIS-CAT Pro Dashboard Inbox on new CIS-CAT Pro releases. This option requires a direct internet connection. A connection through a proxy is not supported. Only admin users of Dashboard can configure this connection.

Retrieve the new release using links in the alert message from within CIS-CAT Pro Dashboard without logging directly into CIS WorkBench.

CIS utilizes OAuth 2.0 authorization framework to establish a connection between the two applications.

A one-way API is established from an instance of CIS-CAT Pro Dashboard to CIS WorkBench.

Each connection or integration is unique per Dashboard installation, which allows organizations with multiple instances of Dashboard to establish a communication between CIS-CAT Pro Dashboard and CIS WorkBench.

CIS-CAT Pro Dashboard will check CIS WorkBench daily for the availability of a new release of CIS-CAT Pro. Establishing this connection does not permit CIS to collect any assessment results from your organization.

Establish a connection with CIS WorkBench

Under the settings menu, an option called Systems Integrations is available to users with the admin role.

Select System Integrations menu item:

In System Integrations, select the Connect button:

Select Continue to CIS WorkBench:

Enter CIS WorkBench credentials and select Authorize:

Review the screen and Select Authorize:

The connection is successfully made:

Test connection between CIS-CAT Pro Dashboard and CIS WorkBench

Test button is available to verify the connection between CIS-CAT Pro Dashboard and CIS WorkBench.

When a connection is active, test the connection by pressing Test button:

If successful, a message will show on the screen.

If not, instructions will be provided in an error message.

Disconnect from CIS WorkBench

Select Disconnect:

Select Disconnect again in the popup:

The disconnection is successfully made:

Although your connection is no longer active between CIS-CAT Pro Dashboard and CIS WorkBench, an active API client exists on your organization’s profile on the CIS WorkBench. We keep this API client to allow you to reconnect easily.

However, if you no longer want to utilize the service, please open a ticket at the CIS Support Portal in order to delete the API client.