Hi,
We are trying to get CIS benchmark policy scanning to work. We are using shared credential and the credential is local admin on the server. When we run the scan the the authentication shows as successful and the scan shows “Completed successfully” but the scan does not evaluate any rules. All results show N/A.
Anyone run into this issue.
Are you running the full CIS template?
Also how many assets are you running this against and what are the OS of them?
There’s roughly 500 policies within the CIS template so you’re definitely going to have a ton of N/A columns when looking at the policy page. However the actual scan results of the scan should only list the policies that were actually ran and tell you the pass/fail for them.
Could you show a sanitized screenshot of the scan results for that specific scan?
Hi John,
Thanks for your response
Number of Assets :1
OS : Windows Server 2016
CIS template selected : 1 (CIS Microsoft Windows Server 2016 Member Level 1)
The result shows 302 total rules for that template.
Policy Result summary:
Number of Rules Run: 302
Number of rules pass: 0
Number of rules Fail: 0
Not Applicable: 301
Unscored:1
Hope that helps. Just trying to get to work so that we can exapand it.
So I just ran a full CIS against my small site to see which one sticks and I’m assuming the one I have in the screenshot is the one you’re referring to.
Typically speaking if you get the results that you’re getting it’s either because the credentials don’t have enough permission OR you’re using the wrong scan template against the wrong platform.
Take a screenshot of the credential level like this
Yes! That is the policy I am using.
The server is Windows Server 2016 Standard Edition.
Can’t find any other policy that I should be using.
The credentials are local admin on the server.
The server also has a R7 Agent on it. Not sure if that matters.
The agent makes no difference in this scenario but I do notice that you’re getting Credential Success but not Credential Success with Admin. I would scan again with a different set of credentials. It’s very possible that this is a permission issue.
Hi,
I do a lot of policy scanning. Maybe you can look at the actual policy and confirm a few things. For the policies, there are normally levels. Level one, Level two, and Security. Then there are system differences. Are you using Member Server or Domain Controller? And then check your template in the Administration section. Your template will need to have right policy selected in the Policy manager section. Hope that helps.
I ran into a similar issue. To get Credential Success with Admin, we learned the admin account could not be nested. Once we made that change, I got the expected result.
Do I have to target a specific group of assets containing my domain controller for my scheduled CIS Windows 2019 domain controller policy scan, or it smart enough to only run the policy against 2019 domain controllers?
I wish I could use the query builder os.type ‘domain controller’ to build an asset group from.
I have received an answer from our custom success manager who spoke to an R7 engineer. If creating and maintaining an asset group for policy scanning a subset of assets is too much to maintain, we can apply a policy rule to a policy scan template as a scheduled scan within a site. The policy scan template will only be processed on target assets that match the system OS/role of the policy rule (e.g. CIS) and all other assets in the site will be ignored.
Per R7 support:
- The CIS benchmark does not distinguish between domain controller and non domain controller servers.
- If a group contains assets from other sites, it would be unable to scan those.
Hi there,
I’m fairly new to the Rapid7 world. Would you happen to if reporting on a CIS level 2 benchmark also includes the settings on the CIS level 1 benchmark as well in the report by default? I have CIS level 2 assigned in my scan template but when I look at the result generated through this query, I see level one policy settings included in the result but I don’t want them included since I already customized the Level 2 policy to suite my environment.
Thanks