CIS provides security benchmarks for various platforms such as servers, operating systems, mobile devices, browsers, and so on. There are two ways one can use CIS benchmarks:
- Individually download the benchmark for the required platform from https://www.cisecurity.org/cis-benchmarks/ and then manually verify the configuration as per the benchmark.
- Use an automated tool for assessing the target platform against the CIS benchmark, such as the CIS CAT tool. The CIS CAT tool can be obtained from https://learn.cisecurity.org/cis-cat-landing-page.
The free version of the CIS CAT tool supports the assessment of only a limited number of benchmarks, while the professional version allows assessment of all available CIS benchmarks.
The following screenshot shows the startup screen of the CIS CAT tool:
We select the CIS Google Chrome Benchmark for our assessment. We then need to select Profiles that we need to include in our assessment, as shown in the following screenshot. Level 1 profiles usually have the most important and bare minimum checks that need to be assessed while Level 2 profiles have checks that can be optional as per the context:
Now we select the output format and the location where we want our report to be generated, as shown in the following screenshot:
We can now view the summary of our assessment as and then initiate the scan as shown in the image below.
Once we start the assessment, the CIS CAT tool runs all predefined checks related to Chrome on the target Chrome installation, as shown in the following screenshot:
Once the assessment is complete, the CIS CAT tool shows us which checks passed and which failed, as shown in the following screenshot. Also, a detailed report in HTML format is generated in the preconfigured directory:
