Why are Hardened Images not getting a 100% Assessment report?

 

Product Name: CIS Hardened Images®

Product Version: All

Date: Oct 30, 2020



 

Problem

Why are Hardened Images not getting a 100% Assessment report?

 

Solution

All CIS Hardened Images will report lower than 100% on a CIS-CAT report. Some recommendations in the corresponding CIS Benchmark cannot be applied to a CIS Hardened Image, because the virtual machine must still function within a cloud environment.

Each CIS Hardened Image contains a CIS-CAT report to provide evidence of compliance in alignment with the appropriate CIS Benchmark. The report is located in C:\CIS Hardening Reports on Windows and /home/CIS_Hardened_Reports on Linux. Each recommendation reporting as a “Fail” on the CIS-CAT report is identified in an Exceptions.txt file, saved in the same location. The Exceptions.txt file lists each recommendation that could not be applied, or that could not remain compliant, on that virtual machine, accompanied by an explanation of why that is the case.

If your score differs from the CIS score of the image, one factor to consider is the version of CIS-CAT. If you are using a different version of CIS-CAT, that could be impacting the scoring.

In addition to the potential impact of using a different CIS-CAT version, failed recommendations in your CIS-CAT report that do not match the exceptions listed by CIS could be attributed to modifications made to the image, customizations made when building the image that alter those recommendations, or cloud configuration drift. You can manually harden any recommendations that are failing or recommendations that were listed as exceptions by CIS. This type of modification requires knowledge of your specific environment that CIS would not be able to configure for.
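The comparison described above can be scripted. The following is an added example, not CIS code: it separates failures documented in Exceptions.txt from failures that point to image modifications or drift. It assumes each exception line starts with its Benchmark recommendation number and that the assessment was exported to a CSV with hypothetical `Recommendation` and `Result` columns; the sample data is constructed.

```python
import csv
import io
import re

# Constructed sample data; the real Exceptions.txt and report layouts may differ.
SAMPLE_EXCEPTIONS = """\
2.3.1.1 - <explanation from CIS>
18.9.59.3.9.1 - <explanation from CIS>
"""
SAMPLE_REPORT_CSV = """\
Recommendation,Result
1.1.1,Pass
2.3.1.1,Fail
9.1.2,Fail
18.9.59.3.9.1,Pass
"""

# Assumption: each exception line starts with its Benchmark recommendation number.
REC_ID = re.compile(r"^\s*(\d+(?:\.\d+)+)\b")

def exception_ids(exceptions_text):
    """Recommendation numbers documented in Exceptions.txt."""
    matches = (REC_ID.match(line) for line in exceptions_text.splitlines())
    return {m.group(1) for m in matches if m}

def failed_ids(report_csv):
    """Recommendation numbers with a Fail result (hypothetical column names)."""
    rows = csv.DictReader(io.StringIO(report_csv))
    return {r["Recommendation"].strip() for r in rows
            if r["Result"].strip().lower() == "fail"}

def triage(exceptions_text, report_csv):
    """Split failures into documented exceptions and ones needing review."""
    documented = exception_ids(exceptions_text)
    failed = failed_ids(report_csv)
    order = lambda rec: [int(part) for part in rec.split(".")]
    return {
        "documented_exception": sorted(failed & documented, key=order),
        "unexpected_failure": sorted(failed - documented, key=order),
        "exception_not_failing": sorted(documented - failed, key=order),
    }

if __name__ == "__main__":
    for bucket, recs in triage(SAMPLE_EXCEPTIONS, SAMPLE_REPORT_CSV).items():
        print(f"{bucket}: {', '.join(recs) or '-'}")
```

Entries under `unexpected_failure` are the ones to review for image changes, build-time customizations, or a CIS-CAT version difference.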

 


Copyright © 2020

Center for Internet Security®