{"id":13468506,"url":"https://github.com/finalduty/cis-benchmarks-audit","last_synced_at":"2025-03-26T05:31:09.594Z","repository":{"id":39848921,"uuid":"99171917","full_name":"finalduty/cis-benchmarks-audit","owner":"finalduty","description":"Simple command line tool to check for compliance against CIS Benchmarks","archived":false,"fork":false,"pushed_at":"2024-05-03T01:19:01.000Z","size":371,"stargazers_count":248,"open_issues_count":8,"forks_count":81,"subscribers_count":12,"default_branch":"main","last_synced_at":"2024-10-29T22:56:33.208Z","etag":null,"topics":["audit","centos","centos7","cis","cis-benchmark","compliance","hardening"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/finalduty.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-08-03T00:10:32.000Z","updated_at":"2024-10-13T12:50:48.000Z","dependencies_parsed_at":"2024-03-28T03:24:31.691Z","dependency_job_id":"6293c727-1d83-4b30-b009-2085ac8709e5","html_url":"https://github.com/finalduty/cis-benchmarks-audit","commit_stats":null,"previous_names":["finalduty/cis_benchmarks_audit"],"tags_count":8,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/finalduty%2Fcis-benchmarks-audit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/finalduty%2Fcis-benchmarks-audit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/finalduty%2Fcis-benchmarks-audit/releases","manifests_url":"https://repos.ecos
yste.ms/api/v1/hosts/GitHub/repositories/finalduty%2Fcis-benchmarks-audit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/finalduty","download_url":"https://codeload.github.com/finalduty/cis-benchmarks-audit/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245597240,"owners_count":20641861,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["audit","centos","centos7","cis","cis-benchmark","compliance","hardening"],"created_at":"2024-07-31T15:01:12.444Z","updated_at":"2025-03-26T05:31:08.816Z","avatar_url":"https://github.com/finalduty.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"# CIS Benchmarks Audit\n\u003cp\u003e\n  \u003ca href=\"https://github.com/finalduty/cis-benchmarks-audit/tags\"\u003e\n    \u003cimg alt=\"Latest version\" src=\"https://img.shields.io/github/v/tag/finalduty/cis-benchmarks-audit?include_prereleases\u0026label=latest\u0026logo=python\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://github.com/finalduty/cis-benchmarks-audit/actions/workflows/ci-tests.yaml\"\u003e\n    \u003cimg alt=\"GitHub Actions\" src=\"https://github.com/finalduty/cis-benchmarks-audit/actions/workflows/ci-tests.yaml/badge.svg\"\u003e\n  \u003c/a\u003e\n\n  \u003ca href=\"http://creativecommons.org/licenses/by-nc-sa/4.0/\"\u003e\n    \u003cimg alt=\"License\" src=\"https://img.shields.io/badge/License-CC%20BY--NC--SA%204.0-lightgrey.svg\"\u003e\n  \u003c/a\u003e\n  \u003ca 
href=\"https://codecov.io/gh/finalduty/cis-benchmarks-audit\"\u003e\n    \u003cimg src=\"https://codecov.io/gh/finalduty/cis-benchmarks-audit/branch/main/graph/badge.svg?token=BAFVN48B40\"/\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://www.codefactor.io/repository/github/finalduty/cis-benchmarks-audit/badge\"\u003e\n    \u003cimg alt=\"CodeFactor\" src=\"https://www.codefactor.io/repository/github/finalduty/cis-benchmarks-audit/badge\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://github.com/psf/black\"\u003e\n    \u003cimg alt=\"Code style: black\" src=\"https://img.shields.io/badge/code%20style-black-000000.svg\"\u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n\nThis repo provides an unofficial, standalone, zero-install, zero-dependency, Python 3 script which can check your system against published CIS Hardening Benchmarks to offer an indication of your system's preparedness for compliance to the official standard.\n\n\n### How do I use this?\n#### Download:\n\n    curl -LO https://raw.githubusercontent.com/finalduty/cis_benchmarks_audit/main/cis_audit.py \u0026\u0026 chmod 750 cis_audit.py\n\n#### Run\n```\n#usage: cis_audit.py [-h] [--level {1,2}] [--include INCLUDES [INCLUDES ...]]\n                    [--exclude EXCLUDES [EXCLUDES ...]]\n                    [-l {DEBUG,INFO,WARNING,CRITICAL}] [--debug] [--nice]\n                    [--no-nice] [--no-colour]\n                    [--system-type {server,workstation}] [--server]\n                    [--workstation] [--outformat {csv,json,psv,text,tsv}]\n                    [--text] [--json] [--csv] [--psv] [--tsv] [-V] [-c CONFIG]\n\nThis script runs tests on the system to check for compliance against the CIS Benchmarks. 
No changes are made to system files by this script.\n\noptional arguments:\n  -h, --help            show this help message and exit\n  --level {1,2}         Run tests for the specified level only\n  --include INCLUDES [INCLUDES ...]\n                        Space delimited list of tests to include\n  --exclude EXCLUDES [EXCLUDES ...]\n                        Space delimited list of tests to exclude\n  -l {DEBUG,INFO,WARNING,CRITICAL}, --log-level {DEBUG,INFO,WARNING,CRITICAL}\n                        Set log output level\n  --debug               Run script with debug output turned on. Equivalent to --log-level DEBUG\n  --nice                Lower the CPU priority for test execution. This is the default behaviour.\n  --no-nice             Do not lower CPU priority for test execution. This may make the tests complete faster but at the cost of putting a higher load on the server. Setting this overrides the --nice option.\n  --no-colour, --no-color\n                        Disable colouring for STDOUT. Output redirected to a file/pipe is never coloured.\n  --system-type {server,workstation}\n                        Set which test level to reference\n  --server              Use \"server\" levels to determine which tests to run. Equivalent to --system-type server [Default]\n  --workstation         Use \"workstation\" levels to determine which tests to run. Equivalent to --system-type workstation\n  --outformat {csv,json,psv,text,tsv}\n                        Output type for results\n  --text                Output results as text. Equivalent to --output text [default]\n  --json                Output results as json. Equivalent to --output json\n  --csv                 Output results as comma-separated values. Equivalent to --output csv\n  --psv                 Output results as pipe-separated values. Equivalent to --output psv\n  --tsv                 Output results as tab-separated values. 
Equivalent to --output tsv\n  -V, --version         Print version and exit\n  -c CONFIG, --config CONFIG\n                        Location of config file to load\n\nExamples:\n    \n    Run with debug enabled:\n    ./cis_audit.py --debug\n        \n    Exclude tests from section 1.1 and 1.3.2:\n    ./cis_audit.py --exclude 1.1 1.3.2\n        \n    Include tests only from section 4.1 but exclude tests from section 4.1.1:\n    ./cis_audit.py --include 4.1 --exclude 4.1.1\n        \n    Run only level 1 tests\n    ./cis_audit.py --level 1\n        \n    Run level 1 tests and include some but not all SELinux questions\n    ./cis_audit.py --level 1 --include 1.6 --exclude 1.6.1.2\n\n```\n\n### Example Results\n```\n# ./cis_audit.py --include 5.2\n[00:00:01] (✓) 14 of 14 tests completed \n\n CIS CentOS 7 Benchmark v2.2.0 Results \n---------------------------------------\nID      Description                                                Scoring  Level  Result  Duration\n--      -----------                                                -------  -----  ------  --------\n\n5       Access Authentication and Authorization\n5.2     SSH Server Configuration\n5.2.1   Ensure permissions on /etc/ssh/sshd_config are configured  Scored   1      Pass    33ms\n5.2.2   Ensure SSH Protocol is set to 2                            Scored   1      Pass    5ms\n5.2.3   Ensure SSH LogLevel is set to INFO                         Scored   1      Pass    6ms\n5.2.4   Ensure SSH X11 forwarding is disabled                      Scored   1      Pass    4ms\n5.2.5   Ensure SSH MaxAuthTries is set to 4 or less                Scored   1      Pass    9ms\n5.2.6   Ensure SSH IgnoreRhosts is enabled                         Scored   1      Pass    5ms\n5.2.7   Ensure SSH HostbasedAuthentication is disabled             Scored   1      Pass    5ms\n5.2.8   Ensure SSH root login is disabled                          Scored   1      Fail    8ms\n5.2.9   Ensure SSH PermitEmptyPasswords is disabled              
 Scored   1      Pass    5ms\n5.2.10  Ensure SSH PermitUserEnvironment is disabled               Scored   1      Pass    8ms\n5.2.11  Ensure only approved ciphers are used                      Scored   1      Pass    16ms\n5.2.12  Ensure only approved MAC algorithms are used               Scored   1      Pass    45ms\n5.2.13  Ensure SSH Idle Timeout Interval is configured             Scored   1      Fail    15ms\n5.2.14  Ensure SSH LoginGraceTime is set to one minute or less     Scored   1      Pass    11ms\n5.2.15  Ensure SSH access is limited                               Skipped  1              \n5.2.16  Ensure SSH warning banner is configured                    Scored   1      Pass    6ms\n\nPassed 13 of 15 tests in 1 seconds (1 Skipped, 0 Errors)\n```\n\n### Supported Versions\nOS|Benchmark Versions|Python Version\n---|---|---\nCentOS 7|3.1.2|3.6\n\n\n### Caveats\n#### Terms of Use\nUse of the CIS Benchmarks is subject to the [Terms of Use for Non-Member CIS Products](https://www.cisecurity.org/terms-of-use-for-non-member-cis-products)\n\n\n#### CentOS 7 \u0026 Python 3\nThis repo aims to stay zero-dependency, but supporting Python 2.7, the interpreter installed by default on CentOS 7, is not practical. Python 3.6 can be installed with yum:\n```\n$ sudo yum install python3 -y\n```\n\n### Disclaimer\nThis is not a replacement for a full audit, and a passing result from this script does not necessarily mean that you are compliant (but it should give you a good idea of where to start).  
\n\n_No warranty is offered and no responsibility will be taken for damage to systems resulting from the use of this tool._\n\n### License\nThis work is licensed under a [Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License][cc-by-nc-sa].\n\n[![CC BY-NC-SA 4.0][cc-by-nc-sa-image]][cc-by-nc-sa]\n\n[cc-by-nc-sa]: http://creativecommons.org/licenses/by-nc-sa/4.0/\n[cc-by-nc-sa-image]: https://licensebuttons.net/l/by-nc-sa/4.0/88x31.png\n[cc-by-nc-sa-shield]: https://img.shields.io/badge/License-CC%20BY--NC--SA%204.0-lightgrey.svg\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffinalduty%2Fcis-benchmarks-audit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffinalduty%2Fcis-benchmarks-audit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffinalduty%2Fcis-benchmarks-audit/lists"}
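Added example, not code from the original README or from the cis-benchmarks-audit project: a small Python 3 module that parses the text results table `cis_audit.py` prints (the layout shown under Example Results above), summarises Pass/Fail/Skipped counts so a pipeline can gate on the failing IDs, and implements three of the listed sshd_config checks (5.2.5 MaxAuthTries 4 or less, 5.2.8 root login disabled, 5.2.14 LoginGraceTime one minute or less) the way a reader might audit a config file directly. The sample table and both sshd_config fragments are constructed here; the column layout is assumed to match the table above, and treating a missing directive as a failure is an assumption about the benchmark's intent rather than something the page states. The project's own check code may differ.

```python
"""Added example, not code from cis-benchmarks-audit: parse the text table that
cis_audit.py prints, gate on it, and implement three of the listed sshd checks."""
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample modelled on the README's "Example Results" table.
SAMPLE_RESULTS = """\
ID      Description                                                Scoring  Level  Result  Duration
5.2     SSH Server Configuration
5.2.1   Ensure permissions on /etc/ssh/sshd_config are configured  Scored   1      Pass    33ms
5.2.8   Ensure SSH root login is disabled                          Scored   1      Fail    8ms
5.2.13  Ensure SSH Idle Timeout Interval is configured             Scored   1      Fail    15ms
5.2.15  Ensure SSH access is limited                               Skipped  1
5.2.16  Ensure SSH warning banner is configured                    Scored   1      Pass    6ms
"""

# A test row: dotted ID, description, Scoring, Level, then Result/Duration (empty when skipped).
ROW_RE = re.compile(
    r"^(?P<id>\d+(?:\.\d+)+)\s+(?P<desc>.+?)\s{2,}"
    r"(?P<scoring>Scored|Not Scored|Skipped)\s+(?P<level>[12])"
    r"(?:\s+(?P<result>Pass|Fail|Error))?(?:\s+\d+ms)?\s*$"
)

class Row(NamedTuple):
    id: str
    description: str
    scoring: str
    level: int
    result: Optional[str]  # None when the test was skipped

def parse_results(text: str) -> List[Row]:
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)  # section headers and the column header do not match
        if m:
            rows.append(Row(m["id"], m["desc"], m["scoring"], int(m["level"]), m["result"]))
    return rows

def failing_ids(rows: List[Row]) -> List[str]:
    return [r.id for r in rows if r.result == "Fail"]

def summarize(rows: List[Row]) -> Dict[str, int]:
    counts = {"Pass": 0, "Fail": 0, "Error": 0, "Skipped": 0}
    for r in rows:
        counts[r.result if r.result in counts else "Skipped"] += 1
    return counts

# Constructed sshd_config fragments: a commented-out directive, a live one in odd case,
# and a Match block whose PermitRootLogin applies to one user only.
WEAK_SSHD_CONFIG = """\
#PermitRootLogin yes
permitrootlogin without-password
MaxAuthTries 6
LoginGraceTime 2m
Match User backup
    PermitRootLogin no
"""
HARDENED_SSHD_CONFIG = "PermitRootLogin no\nMaxAuthTries 4\nLoginGraceTime 60\n"

_TIME_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_sshd_time(value: str) -> Optional[int]:
    """sshd time format ("60", "2m", "1h30m") to seconds; None if malformed."""
    total, pos = 0, 0
    for m in re.finditer(r"(\d+)([smhdw]?)", value.lower()):
        if m.start() != pos:
            return None
        total += int(m.group(1)) * _TIME_UNITS[m.group(2)]
        pos = m.end()
    return total if pos and pos == len(value) else None

def sshd_directive(config: str, name: str) -> Optional[str]:
    """Global value sshd uses for `name`: keywords are case-insensitive, the first
    occurrence wins, '#' lines are comments, and anything after a Match line is conditional."""
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "match":
            break
        if parts[0].lower() == name.lower() and len(parts) == 2:
            return parts[1].strip()
    return None

def run_sshd_checks(config: str) -> Dict[str, bool]:
    """5.2.5, 5.2.8 and 5.2.14 from the results table. A missing directive fails
    (assumption: the benchmark expects the setting to be explicit, not a compiled-in default)."""
    tries = sshd_directive(config, "MaxAuthTries")
    grace = parse_sshd_time(sshd_directive(config, "LoginGraceTime") or "")
    return {
        "5.2.5": tries is not None and tries.isdigit() and int(tries) <= 4,
        "5.2.8": (sshd_directive(config, "PermitRootLogin") or "").lower() == "no",
        "5.2.14": grace is not None and 0 < grace <= 60,  # 0 would disable the limit
    }

if __name__ == "__main__":
    rows = parse_results(SAMPLE_RESULTS)
    print(summarize(rows), "failing:", failing_ids(rows))
    print("weak:", run_sshd_checks(WEAK_SSHD_CONFIG), "hardened:", run_sshd_checks(HARDENED_SSHD_CONFIG))
```

To use it against a real run, capture `./cis_audit.py --include 5.2 --no-colour > results.txt` and pass the file contents to `parse_results`; `failing_ids` gives the IDs to hand to a ticket or to `--include` on a re-run. The sshd helpers take config text rather than opening `/etc/ssh/sshd_config` so they can be unit-tested, and `sshd_directive` stops at the first `Match` line because directives inside a Match block only apply to the matched connections, not globally.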