Assessor returns "Manual" / "Not Checked" / "Not Applicable" or "Unknown" results for some Recommendations

Product Name

CIS-CAT Pro Assessor v4

Product Version

v4.x.x+

Date

Jan 31, 2024

Problem

When running a Benchmark assessment in CIS-CAT Pro Assessor, some Recommendation items are returned as “Manual”, “Not Checked”, “Not Applicable” or “Unknown” instead of the expected Pass / Fail results.

Solution

For “Manual” Results

Not all Recommendations contained in each CIS Benchmark are supported for automatic evaluation by CIS-CAT Pro Assessor. In some cases, this is due to technical limitations (when no script or command is available to audit the item reliably), and in others the particular automation logic (referred to as Artifacts) has not yet been implemented by the Benchmark development team, but may be part of a future Benchmark update.

These non-verifiable entries are marked as “Manual” in the HTML report, indicating that the system administrator / owner will have to manually check whether the CIS Benchmark Recommendation has been applied. Manual results are excluded from the scoring process and do not affect the “Pass” percentage value.

The recommended approach for Manual items is to open the corresponding Benchmark Recommendation page on CIS WorkBench, then following the “Audit Procedure” and “Remediation Procedure” sections:

(Example from the CIS VMware ESXi 7 Benchmark v1.3.0, Recommendation 1.1)

Note that in some cases, a Recommendation’s “Assessment Status” will display as “Automated” on CIS WorkBench, but may not include any corresponding Artifacts to facilitate automated assessment (indicated by a “No artifacts listed” line near the end of the page).

These Recommendations will also be reflected as “Manual” in the CIS-CAT Pro Assessor report file.

For “Not Checked” / “Not Applicable” / “Not Selected” Results

These return values can be observed in the Console Assessment Results data for a CIS-CAT Pro Assessor run, and indicate the following:

Not Checked and Informational are functionally the same as “Manual” in the HTML report - no method currently exists for Assessor to verify the system settings.
Not Selected pertains to Recommendations that are not part of the selected Profile; for example, L2-only items when an L1 Profile is used for the assessment.
Not Applicable indicates a platform mismatch; ensure that the correct Benchmark has been selected for the target system & OS. A list of supported Benchmarks is available in the Assessor documentation.

For “Unknown” Results

A failure to connect and / or execute commands will result in "Unknown" assessment results, indicating that CIS-CAT Pro Assessor was unable to collect the system's state information.

Below are a few common causes and their associated resources:

For Windows assessments, the required PowerShell version is not installed, or set to an incorrect Language Mode or Execution Policy.
- https://ciscat-assessor.docs.cisecurity.org/en/latest/Configuration%20Guide/#remote-setup-microsoft-windows
- What to do when getting unknown or false failures in Windows CIS-CAT Assessment
For Linux assessments, the /tmp directory used by default for the temporary assessment files has the NOEXEC flag set, preventing script execution.
- What to do if you are getting too many "unknown" results on a Linux scan
For ESXi assessments, VMware PowerCLI is not installed, or the scan is not run as “Local”.
For Cisco assessments, the selected user does not have the required privileged EXEC permissions.

Should you require additional assistance, please contact CIS Product Support.

Keywords; Assessor Manual Not Checked Not Applicable Report

Content by Label

Page:

Feature Enhancement Requests for CIS Products

Center for Internet Security®

Privacy Policy