Assessor returns "Manual" / "Not Checked" / "Not Applicable" or "Unknown" results for some Recommendations
Product Name
CIS-CAT Pro Assessor v4
Product Version
v4.x.x+
Date
Jan 31, 2024
Problem
When running a Benchmark assessment in CIS-CAT Pro Assessor, some Recommendation items are returned as “Manual”, “Not Checked”, “Not Applicable” or “Unknown” instead of the expected Pass / Fail results.
Solution
For “Manual” Results
Not all Recommendations contained in each CIS Benchmark are supported for automatic evaluation by CIS-CAT Pro Assessor. In some cases, this is due to technical limitations (when no script or command is available to audit the item reliably), and in others the particular automation logic (referred to as Artifacts) has not yet been implemented by the Benchmark development team, but may be part of a future Benchmark update.
These non-verifiable entries are marked as “Manual” in the HTML report, indicating that the system administrator / owner will have to manually check whether the CIS Benchmark Recommendation has been applied. Manual results are excluded from the scoring process and do not affect the “Pass” percentage value.
The recommended approach for Manual items is to open the corresponding Benchmark Recommendation page on CIS WorkBench, then following the “Audit Procedure” and “Remediation Procedure” sections:
Note that in some cases, a Recommendation’s “Assessment Status” will display as “Automated” on CIS WorkBench, but may not include any corresponding Artifacts to facilitate automated assessment (indicated by a “No artifacts listed” line near the end of the page).
These Recommendations will also be reflected as “Manual” in the CIS-CAT Pro Assessor report file.
For “Not Checked” / “Not Applicable” / “Not Selected” Results
These return values can be observed in the Console Assessment Results data for a CIS-CAT Pro Assessor run, and indicate the following:
Not Checked and Informational are functionally the same as “Manual” in the HTML report - no method currently exists for Assessor to verify the system settings.
Not Selected pertains to Recommendations that are not part of the selected Profile; for example, L2-only items when an L1 Profile is used for the assessment.
Not Applicable indicates a platform mismatch; ensure that the correct Benchmark has been selected for the target system & OS. A list of supported Benchmarks is available in the Assessor documentation.
For “Unknown” Results
A failure to connect and / or execute commands will result in "Unknown" assessment results, indicating that CIS-CAT Pro Assessor was unable to collect the system's state information.
Below are a few common causes and their associated resources:
For Windows assessments, the required PowerShell version is not installed, or set to an incorrect Language Mode or Execution Policy.
For Linux assessments, the
/tmp
directory used by default for the temporary assessment files has theNOEXEC
flag set, preventing script execution.For ESXi assessments, VMware PowerCLI is not installed, or the scan is not run as “Local”.
For Cisco assessments, the selected user does not have the required privileged
EXEC
permissions.
Should you require additional assistance, please contact CIS Product Support.
Keywords; Assessor Manual Not Checked Not Applicable Report
Content by Label