AWS Inspector Reports on CIS Hardened Image®

Product Name

CIS Hardened Image® - AWS

Product Version

n/a

Date

Feb 21, 2024

Problem

We have purchased a CIS Hardened Image. However on running AWS Inspector Host Assessment we found a long list of issues related to CIS Benchmarks.

Background

An Amazon Inspector assessment can run a host assessment for:

  • Common vulnerabilities and exposures

  • Center for Internet Security (CIS) Benchmarks

  • Security best practices for Amazon Inspector

Example

An AWS Inspector assessment is run against a CIS Ubuntu Linux 18.04 LTS Benchmark - Level 1 instance. The AWS Inspector report shows there are 48 High, 1 Medium and 7 Informational Severity Issues detected.

Please see the chart below for an explanation of those AWS Inspector findings;

Count

Severity

Notes

Count

Severity

Notes

48

High

  • 24 are CIS Profile Level 2 recommendations which are not applied to a Level 1 CIS Hardened Image (see item 3 )

  • 2 are not recommendations in the CIS Benchmark (see item 1)

  • 1 is documented as a manual check in the Benchmark (see item 1)

  • 3 are documented by CIS as exceptions to the Benchmark (see item 2)

  • 15 are detected incorrectly in the AWS Inspector report (see item 1)

  • 3 are detected CVE vulnerabilities (see item 4)

1

Medium

  • Not a CIS Benchmark recommendation (see item 1)

7

Informational

  • 3 are CIS Profile Level 2 recommendations which are not applied to a Level 1 CIS Hardened Image (see item 3)

  • 3 are detected incorrectly in the AWS Inspector report (see item 1)

  • 1 is an AWS Security Group issue

 

To further investigate and reconcile those findings you will need to carefully look at the following;

  1. Each CIS Hardened Image has a CIS-CAT Pro Assessor report on the Pass / Fail state of the hardened image according to the specific Benchmark recommendations. That report is in HTML format and is located at /home/CIS_Hardening_Reports/

  2. Each CIS Hardened Image has a exceptions listing for any CIS Benchmark recommendations that have not been applied and a rationale for that exception. That report is in text format and is located at /home/CIS_Hardening_Reports/

  3. CIS Benchmarks can be applied at different profiles (levels) Every CIS Hardened Image specifically states the Benchmark and Profile Level. The HTML report noted in item 1 above will only report on the Profile applied. In this KB example this is Profile 1. To see the full benchmark with all profile levels please join CIS Workbench and you can download a PDF format for the Benchmark in question.

  4. CVE vulnerabilities are addressed by the operating system vendor. Please see the related content KB which has information on how CIS addresses CVE vulnerabilities in our hardened image build process.

Related Content

 


 

Copyright © 2024 Center for Internet Security® Privacy Policy