wodle name="cis-cat"

Configuration options of the CIS-CAT wodle.

Warning

CIS-CAT is not installed by default. It is proprietary software that you must obtain in order to use this module.

Options

Main options

| Main options | Allowed values |
|---|---|
| disabled | yes, no |
| timeout | A positive number (seconds) |
| java_path | Any valid path |
| ciscat_path | Any valid path |
| ciscat_binary | CIS-CAT.sh, CIS-CAT.BAT, Assessor-CLI.sh, Assessor-CLI.bat |
| content | N/A |

Scheduling options

| Scheduling options | Allowed values |
|---|---|
| scan-on-start | yes, no |
| interval | A positive number + suffix |
| day | A day of the month |
| wday | A day of the week |
| time | A time of the day [hh:mm] |

The CIS-CAT integration section shows some use cases for these options.

disabled

Disables the CIS-CAT wodle.

| Default value  | no |
| Allowed values | yes, no |

timeout

Timeout for each evaluation. If the execution takes longer than the specified timeout, it is stopped.

| Default value  | 1800 |
| Allowed values | A positive number (seconds) |

java_path

Defines where Java is located. If this parameter is not set, the wodle searches for Java in the default environment variable $PATH.

| Default value  | $PATH |
| Allowed values | Any valid path. |

Warning

This field can be set to a full path or a relative path. If you specify a relative path, it is appended to the ThreatLockDown installation path. ciscat_path behaves the same way.

ciscat_path

Defines where CIS-CAT is located.

| Default value  | wodles/ciscat |
| Allowed values | Any valid path. |

ciscat_binary

Defines which CIS-CAT binary is used.

| Default value  | CIS-CAT.sh (UNIX) or CIS-CAT.BAT (Windows) |
| Allowed values | CIS-CAT.sh, CIS-CAT.BAT, Assessor-CLI.sh, Assessor-CLI.bat |

content

Defines an evaluation. At present, you can only run assessments for XCCDF policy files.

Attributes

| type    | Select content type. |
| path    | Use the specified policy file. |
| timeout | Timeout for the evaluation (in seconds). Use of this attribute overrides the generic timeout. |
| profile | Select profile. |

Note

The path attribute can be set to the full path where the benchmark files are located, or to a path relative to the CIS-CAT tool location.

scan-on-start

Runs the evaluation immediately when the service is started.

| Default value  | yes |
| Allowed values | yes, no |

interval

The interval between CIS-CAT executions.

| Default value  | 1d |
| Allowed values | A positive number followed by a suffix character indicating the time unit: s (seconds), m (minutes), h (hours), d (days), w (weeks), M (months) |

The interval option is constrained by the day, wday and time options described below. If none of these options are set, the interval can take any allowed value.

day

Day of the month to run the CIS-CAT scan.

| Default value  | n/a |
| Allowed values | Day of the month [1..31] |

Note

When the day option is set, the interval value must be a multiple of months. By default, the interval is set to a month.

wday

Day of the week to run the CIS-CAT scan. This option is not compatible with the day option.

| Default value  | n/a |
| Allowed values | Day of the week: sunday/sun, monday/mon, tuesday/tue, wednesday/wed, thursday/thu, friday/fri, saturday/sat |

Note

When the wday option is set, the interval value must be a multiple of weeks. By default, the interval is set to a week.

time

Time of the day to run the scan. It has to be represented in the format hh:mm.

| Default value  | n/a |
| Allowed values | Time of day [hh:mm] |

Note

When only the time option is set, the interval value must be a multiple of days or weeks. By default, the interval is set to a day.

Example of configuration

<wodle name="cis-cat">

  <disabled>no</disabled>
  <timeout>1800</timeout>
  <wday>monday</wday>
  <time>04:00</time>
  <interval>2w</interval>
  <scan-on-start>yes</scan-on-start>

  <java_path>/usr/bin</java_path>
  <ciscat_path>wodles/ciscat</ciscat_path>
  <ciscat_binary>CIS-CAT.sh</ciscat_binary>

  <content type="xccdf" path="benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml">
    <profile>xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Server</profile>
  </content>

</wodle>
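
A pre-deployment check of a cis-cat wodle block against the allowed values and scheduling rules listed on this page, as an added example (not part of the original documentation or the project's code). The helper name check_ciscat_wodle, the error strings and the SAMPLE input are assumptions; it also assumes an M-suffixed interval satisfies only the day rule, since the wday and time notes name weeks and days only.

```python
import re
import xml.etree.ElementTree as ET

BINARIES = {"CIS-CAT.sh", "CIS-CAT.BAT", "Assessor-CLI.sh", "Assessor-CLI.bat"}
WDAYS = set("sunday sun monday mon tuesday tue wednesday wed thursday thu "
            "friday fri saturday sat".split())
SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}  # M has no fixed length
# Constructed sample input: day and wday together, interval not in months.
SAMPLE = """<wodle name="cis-cat"><day>15</day><wday>mon</wday>
<interval>10d</interval><time>04:00</time></wodle>"""

def check_ciscat_wodle(xml_text):
    # Hypothetical helper: returns violations of the rules on this page ([] = OK).
    w = ET.fromstring(xml_text)
    get = lambda tag: (w.findtext(tag) or "").strip() or None
    errs = [f"{t}: must be yes or no" for t in ("disabled", "scan-on-start")
            if get(t) not in (None, "yes", "no")]
    # The generic timeout and each per-content override follow the same rule.
    timeouts = [get("timeout")] + [c.get("timeout") for c in w.iter("content")]
    if any(t is not None and not re.fullmatch(r"[1-9][0-9]*", t) for t in timeouts):
        errs.append("timeout: must be a positive number of seconds")
    if get("ciscat_binary") not in BINARIES | {None}:
        errs.append("ciscat_binary: not an allowed value")
    day, wday, time_ = get("day"), get("wday"), get("time")
    if day and wday:
        errs.append("day and wday are not compatible")
    if day and not (re.fullmatch(r"[0-9]{1,2}", day) and 1 <= int(day) <= 31):
        errs.append("day: must be in 1..31")
    if wday and wday not in WDAYS:
        errs.append("wday: not a day of the week")
    if time_ and not re.fullmatch(r"([01][0-9]|2[0-3]):[0-5][0-9]", time_):
        errs.append("time: must be hh:mm")
    interval = get("interval")
    m = re.fullmatch(r"([1-9][0-9]*)([smhdwM])", interval or "")
    if interval and not m:
        errs.append("interval: positive number plus suffix s, m, h, d, w or M")
    elif m:
        unit = m.group(2)
        secs = None if unit == "M" else int(m.group(1)) * SECONDS[unit]  # assumption: M is months only
        if day and unit != "M":
            errs.append("interval: must be a multiple of months when day is set")
        elif wday and (secs is None or secs % SECONDS["w"]):
            errs.append("interval: must be a multiple of weeks when wday is set")
        elif time_ and not (day or wday) and (secs is None or secs % SECONDS["d"]):
            errs.append("interval: must be a multiple of days or weeks with only time set")
    return errs

if __name__ == "__main__":
    print("\n".join(check_ciscat_wodle(SAMPLE)))
```

The example configuration above (wday monday, time 04:00, interval 2w) passes with no findings, while SAMPLE is reported for combining day with wday and for a day-based interval.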