CIS Policy benchmark scanning

Hi,
We are trying to get CIS benchmark policy scanning to work. We are using shared credential and the credential is local admin on the server. When we run the scan the the authentication shows as successful and the scan shows “Completed successfully” but the scan does not evaluate any rules. All results show N/A.
Anyone run into this issue.

Are you running the full CIS template?
Also how many assets are you running this against and what are the OS of them?

There’s roughly 500 policies within the CIS template so you’re definitely going to have a ton of N/A columns when looking at the policy page. However the actual scan results of the scan should only list the policies that were actually ran and tell you the pass/fail for them.

Could you show a sanitized screenshot of the scan results for that specific scan?

Hi John,
Thanks for your response
Number of Assets :1
OS : Windows Server 2016
CIS template selected : 1 (CIS Microsoft Windows Server 2016 Member Level 1)
The result shows 302 total rules for that template.
Policy Result summary:
Number of Rules Run: 302
Number of rules pass: 0
Number of rules Fail: 0
Not Applicable: 301
Unscored:1
Hope that helps. Just trying to get to work so that we can exapand it.

So I just ran a full CIS against my small site to see which one sticks and I’m assuming the one I have in the screenshot is the one you’re referring to.
Screen Shot 2022-09-09 at 6.17.15 PM

Typically speaking if you get the results that you’re getting it’s either because the credentials don’t have enough permission OR you’re using the wrong scan template against the wrong platform.

Take a screenshot of the credential level like this
Screen Shot 2022-09-09 at 6.22.39 PM

Yes! That is the policy I am using.
The server is Windows Server 2016 Standard Edition.
Can’t find any other policy that I should be using.

image

The credentials are local admin on the server.

image

The server also has a R7 Agent on it. Not sure if that matters.

The agent makes no difference in this scenario but I do notice that you’re getting Credential Success but not Credential Success with Admin. I would scan again with a different set of credentials. It’s very possible that this is a permission issue.

Hi,

I do a lot of policy scanning. Maybe you can look at the actual policy and confirm a few things. For the policies, there are normally levels. Level one, Level two, and Security. Then there are system differences. Are you using Member Server or Domain Controller? And then check your template in the Administration section. Your template will need to have right policy selected in the Policy manager section. Hope that helps.

1 Like

I ran into a similar issue. To get Credential Success with Admin, we learned the admin account could not be nested. Once we made that change, I got the expected result.