Cis Benchmarks Audit

Simple command line tool to check for compliance against CIS Benchmarks

CIS Benchmarks Audit

This repo provides an unofficial, standalone, zero-install, zero-dependency, Python 3 script which can check your system against published CIS Hardening Benchmarks to offer an indication of your system's preparedness for compliance to the official standard.

How do I use this?


curl -LO && chmod 750


#usage: [-h] [--level {1,2}] [--include INCLUDES [INCLUDES ...]]
                    [--exclude EXCLUDES [EXCLUDES ...]]
                    [-l {DEBUG,INFO,WARNING,CRITICAL}] [--debug] [--nice]
                    [--no-nice] [--no-colour]
                    [--system-type {server,workstation}] [--server]
                    [--workstation] [--outformat {csv,json,psv,text,tsv}]
                    [--text] [--json] [--csv] [--psv] [--tsv] [-V] [-c CONFIG]

This script runs tests on the system to check for compliance against the CIS Benchmarks. No changes are made to system files by this script.

optional arguments:
  -h, --help            show this help message and exit
  --level {1,2}         Run tests for the specified level only
  --include INCLUDES [INCLUDES ...]
                        Space delimited list of tests to include
  --exclude EXCLUDES [EXCLUDES ...]
                        Space delimited list of tests to exclude
  -l {DEBUG,INFO,WARNING,CRITICAL}, --log-level {DEBUG,INFO,WARNING,CRITICAL}
                        Set log output level
  --debug               Run script with debug output turned on. Equivalent to --log-level DEBUG
  --nice                Lower the CPU priority for test execution. This is the default behaviour.
  --no-nice             Do not lower CPU priority for test execution. This may make the tests complete faster but at the cost of putting a higher load on the server. Setting this overrides the --nice option.
  --no-colour, --no-color
                        Disable colouring for STDOUT. Output redirected to a file/pipe is never coloured.
  --system-type {server,workstation}
                        Set which test level to reference
  --server              Use "server" levels to determine which tests to run. Equivalent to --system-type server [Default]
  --workstation         Use "workstation" levels to determine which tests to run. Equivalent to --system-type workstation
  --outformat {csv,json,psv,text,tsv}
                        Output type for results
  --text                Output results as text. Equivalent to --output text [default]
  --json                Output results as json. Equivalent to --output json
  --csv                 Output results as comma-separated values. Equivalent to --output csv
  --psv                 Output results as pipe-separated values. Equivalent to --output psv
  --tsv                 Output results as tab-separated values. Equivalent to --output tsv
  -V, --version         Print version and exit
  -c CONFIG, --config CONFIG
                        Location of config file to load

    Run with debug enabled:
    ./ --debug
    Exclude tests from section 1.1 and 1.3.2:
    ./ --exclude 1.1 1.3.2
    Include tests only from section 4.1 but exclude tests from section 4.1.1:
    ./ --include 4.1 --exclude 4.1.1
    Run only level 1 tests:
    ./ --level 1
    Run level 1 tests and include some but not all SELinux questions:
    ./ --level 1 --include 1.6 --exclude

Example Results

# ./ --include 5.2
[00:00:01] () 14 of 14 tests completed 

 CIS CentOS 7 Benchmark v2.2.0 Results 
ID      Description                                                Scoring  Level  Result  Duration
--      -----------                                                -------  -----  ------  --------

5       Access Authentication and Authorization
5.2     SSH Server Configuration
5.2.1   Ensure permissions on /etc/ssh/sshd_config are configured  Scored   1      Pass    33ms
5.2.2   Ensure SSH Protocol is set to 2                            Scored   1      Pass    5ms
5.2.3   Ensure SSH LogLevel is set to INFO                         Scored   1      Pass    6ms
5.2.4   Ensure SSH X11 forwarding is disabled                      Scored   1      Pass    4ms
5.2.5   Ensure SSH MaxAuthTries is set to 4 or less                Scored   1      Pass    9ms
5.2.6   Ensure SSH IgnoreRhosts is enabled                         Scored   1      Pass    5ms
5.2.7   Ensure SSH HostbasedAuthentication is disabled             Scored   1      Pass    5ms
5.2.8   Ensure SSH root login is disabled                          Scored   1      Fail    8ms
5.2.9   Ensure SSH PermitEmptyPasswords is disabled                Scored   1      Pass    5ms
5.2.10  Ensure SSH PermitUserEnvironment is disabled               Scored   1      Pass    8ms
5.2.11  Ensure only approved ciphers are used                      Scored   1      Pass    16ms
5.2.12  Ensure only approved MAC algorithms are used               Scored   1      Pass    45ms
5.2.13  Ensure SSH Idle Timeout Interval is configured             Scored   1      Fail    15ms
5.2.14  Ensure SSH LoginGraceTime is set to one minute or less     Scored   1      Pass    11ms
5.2.15  Ensure SSH access is limited                               Skipped  1              
5.2.16  Ensure SSH warning banner is configured                    Scored   1      Pass    6ms

Passed 13 of 15 tests in 1 seconds (1 Skipped, 0 Errors)
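
One way to turn the text report above into a list of failures to track, as an added example that is not part of the project's code. It assumes the column layout shown in the example results; `parse_results`, `in_section`, `unwaived_failures` and the waiver list are hypothetical names and inputs.

```python
import re

# Constructed sample: a subset of the rows from the example results above.
SAMPLE = """\
 CIS CentOS 7 Benchmark v2.2.0 Results
ID      Description                                                Scoring  Level  Result  Duration
--      -----------                                                -------  -----  ------  --------

5       Access Authentication and Authorization
5.2     SSH Server Configuration
5.2.7   Ensure SSH HostbasedAuthentication is disabled             Scored   1      Pass    5ms
5.2.8   Ensure SSH root login is disabled                          Scored   1      Fail    8ms
5.2.13  Ensure SSH Idle Timeout Interval is configured             Scored   1      Fail    15ms
5.2.15  Ensure SSH access is limited                               Skipped  1
5.2.16  Ensure SSH warning banner is configured                    Scored   1      Pass    6ms
"""

CHECK_ID = re.compile(r"\d+(\.\d+)*")


def parse_results(text):
    """Return one dict per test row; titles, headers and section rows are skipped."""
    checks = []
    for line in text.splitlines():
        # Columns are separated by runs of two or more spaces.
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) < 4 or not CHECK_ID.fullmatch(fields[0]):
            continue
        checks.append({
            "id": fields[0],
            "description": fields[1],
            "scoring": fields[2],
            "level": int(fields[3]),
            # Skipped tests leave the Result column blank.
            "result": fields[4] if len(fields) > 4 else None,
        })
    return checks


def in_section(check_id, section):
    """True if check_id is the section itself or nested under it.
    Compares whole dotted components, so 5.2.13 is not under 5.2.1."""
    return check_id == section or check_id.startswith(section + ".")


def unwaived_failures(checks, waived=()):
    """IDs of failed tests not covered by a waived ID or section (hypothetical policy input)."""
    return [c["id"] for c in checks
            if c["result"] == "Fail"
            and not any(in_section(c["id"], w) for w in waived)]


if __name__ == "__main__":
    print(unwaived_failures(parse_results(SAMPLE), waived=["5.2.13"]))
```

Feed it output that was redirected to a file or pipe, which the help text says is never coloured, so no escape sequences need stripping.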

Supported Versions

OS        Benchmark Versions  Python Version
CentOS 7  3.1.2               3.6


Terms of Use

Use of the CIS Benchmarks is subject to the Terms of Use for Non-Member CIS Products.

CentOS 7 & Python 3

Whilst this repo intends to follow a zero dependency approach, it is not practical to support Python 2.7, which is what is installed by default on CentOS 7. You can however easily install Python 3.6 via yum, which I hope is ok for your environment:

$ sudo yum install python3 -y


This is not a replacement for a full audit and a passing result from this script does not necessarily mean that you are compliant (but it should give you a good idea of where to start).

No warranty is offered and no responsibility will be taken for damage to systems resulting from the use of this tool.


This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

