CIS Benchmark Compliance Audit
Compliance assessment skill that maps network device configuration against
CIS benchmark controls. Organizes audit checks by Management Plane, Control
Plane, and Data Plane — the three architectural layers CIS uses to structure
network device benchmarks.
Covers the four platforms CIS publishes network device benchmarks for:
Cisco IOS, PAN-OS, JunOS, and Check Point. The operator must obtain the
applicable CIS benchmark document for their specific platform and version —
this skill references CIS control IDs and section categories for traceability
but does not reproduce copyrighted benchmark text, remediation steps, or
rationale (see D026).
Consult references/control-reference.md for CIS control ID mappings to
audit areas and references/cli-reference.md for per-platform read-only
verification commands.
When to Use
- Annual or quarterly CIS compliance audit against network infrastructure
- Pre-audit preparation — building evidence collection before formal assessment
- New device commissioning — establishing CIS compliance baseline on day one
- Post-upgrade verification — confirming controls remain in place after OS upgrade
- Regulatory compliance evidence — mapping CIS controls to PCI DSS, HIPAA, or SOX
technical requirements via CIS crosswalk references
- Merger/acquisition due diligence — assessing acquired network infrastructure
against organizational CIS compliance posture
Prerequisites
- Read-only CLI or API access to each target device (SSH, console, or management
API with read-only administrative role)
- The applicable CIS benchmark document for the target platform and OS version —
operators must obtain their own licensed copy (e.g., "CIS Cisco IOS 16
Benchmark v1.1.0"). This skill references control IDs only
- Understanding of the device's role in the network architecture — the device's
position (edge, core, distribution, management) affects which controls apply
and their priority
- Awareness of any compensating controls already in place that satisfy CIS
requirements through alternative mechanisms
- Documentation of any accepted risk exceptions for controls intentionally not
implemented
Procedure
Follow this six-step compliance assessment flow. Each step builds on prior
findings. The procedure maps device configuration to CIS benchmark controls
organized by management architecture layer.
Step 1: Platform Identification and Benchmark Selection
Identify the device platform, OS version, and hardware model. Select the
matching CIS benchmark by ID and version.
[Cisco] show version — capture IOS/IOS-XE version, hardware model
[PAN-OS] show system info — capture PAN-OS version, platform model
[JunOS] show version — capture Junos OS version, hardware model
[CheckPoint] fw ver and cpinfo -y all — capture Gaia OS version, platform
Record the exact benchmark ID that matches your platform version (e.g.,
"CIS Cisco IOS 16 Benchmark v1.1.0", "CIS Palo Alto Firewall 10 Benchmark
v1.0.0"). If no benchmark exists for the exact OS version, use the closest
available and document the version gap.
Determine the CIS profile level to assess against:
- Level 1: Essential security controls, broadly applicable
- Level 2: Defense-in-depth controls, may reduce functionality
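Step 1 is easy to get wrong when the device runs an OS major version that no held benchmark targets. The script below is an added example, not part of this skill or its references: it parses constructed `show version` / `show system info` style output for the three platforms, looks the major version up in an operator-maintained catalogue, and falls back to the nearest benchmark while flagging the version gap for the audit record. Only the two benchmark titles quoted in the text above are real; the sample output, the regexes and the assumption that the catalogue is keyed by OS major version are mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed version output excerpts (not captured from real devices).
SAMPLE_OUTPUT: Dict[str, str] = {
    "cisco": "Cisco IOS XE Software, Version 17.03.04a\nCisco IOS Software [Amsterdam], ...\n",
    "panos": "sw-version: 10.1.6\nmodel: PA-850\n",
    "junos": "Junos: 21.4R3.15\nModel: mx204\n",
}

# Per-platform pattern that extracts major/minor from the version output (assumption).
VERSION_PATTERNS: Dict[str, str] = {
    "cisco": r"Version (\d+)\.(\d+)",
    "panos": r"sw-version:\s*(\d+)\.(\d+)",
    "junos": r"Junos:\s*(\d+)\.(\d+)",
}


@dataclass(frozen=True)
class Benchmark:
    platform: str
    target_major: int  # OS major version the benchmark document was written against
    title: str


# Operator-maintained catalogue of licensed benchmark documents. The titles are the
# two quoted in the skill text; which documents you actually hold is an assumption.
CATALOGUE: List[Benchmark] = [
    Benchmark("cisco", 16, "CIS Cisco IOS 16 Benchmark v1.1.0"),
    Benchmark("panos", 10, "CIS Palo Alto Firewall 10 Benchmark v1.0.0"),
]


def detect_version(platform: str, output: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) parsed from version output, or None if not found."""
    match = re.search(VERSION_PATTERNS[platform], output)
    return (int(match.group(1)), int(match.group(2))) if match else None


def select_benchmark(platform: str, output: str) -> Dict[str, object]:
    """Pick the benchmark for the exact major version, else the nearest one with a gap note."""
    version = detect_version(platform, output)
    result: Dict[str, object] = {"platform": platform, "version": version,
                                 "benchmark": None, "version_gap": None, "note": ""}
    if version is None:
        result["note"] = "could not parse OS version; identify manually"
        return result
    candidates = [b for b in CATALOGUE if b.platform == platform]
    if not candidates:
        result["note"] = "no benchmark held for this platform; obtain one before auditing"
        return result
    nearest = min(candidates, key=lambda b: abs(b.target_major - version[0]))
    gap = nearest.target_major != version[0]
    result["benchmark"] = nearest.title
    result["version_gap"] = gap
    result["note"] = ("exact major version match" if not gap else
                      f"device runs {version[0]}.{version[1]} but benchmark targets "
                      f"{nearest.target_major}.x; record the gap and assess newer features independently")
    return result


if __name__ == "__main__":
    for plat, text in SAMPLE_OUTPUT.items():
        print(select_benchmark(plat, text))
```

In the sample, the Cisco device on 17.x is mapped to the IOS 16 benchmark with `version_gap` set, PAN-OS 10.1 matches exactly, and Junos has no held benchmark at all, which is the case the Prerequisites section says must be resolved before the audit starts.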
Step 2: Management Plane Audit
Assess controls that protect device management access and monitoring.
This covers CIS sections typically numbered 1.x and 2.x.
Local authentication and authorization:
[Cisco] show running-config | section aaa — verify AAA is enabled with
TACACS+ or RADIUS, check that local fallback accounts use strong hashing
(algorithm-type scrypt or secret 9).
[PAN-OS] show config running | match authentication — verify
authentication profile binds to RADIUS/LDAP/SAML, check password complexity
profile exists.
[JunOS] show configuration system authentication-order — verify
TACACS+/RADIUS is primary with local fallback, check show configuration
system login for account policies.
[CheckPoint] show configuration aaa — verify RADIUS/TACACS+ integration,
check administrator account password policies.
SSH and management transport:
Verify SSH v2 only (no SSHv1 or Telnet), session timeout configured,
management access restricted to specific source addresses or management VLAN.
Check certificate-based authentication where supported.
Logging and monitoring:
Verify syslog is configured to a remote server with appropriate severity
levels (informational minimum for security events), SNMP v3 with
authentication and encryption (no v1/v2c with community strings), and
NTP authentication to trusted time sources.
Login banners:
Confirm legal notice/warning banners are configured on all management access
methods (console, VTY, web UI).
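The Step 2 checks above can be run over a captured running-config instead of being read by eye. The following is an added example, not code from this skill or its references/cli-reference.md: it parses a constructed Cisco IOS configuration into top-level lines and their indented children, then records Pass/Fail for the management-plane audit areas named in this step (AAA, local account hashing, SSH v2 and VTY transport, exec-timeout, access-class, remote syslog, SNMPv3-only, NTP authentication, login banner). The area names, the sample configuration and the matching patterns are my assumptions; map each area to the control ID in your own benchmark copy.

```python
import re
from typing import Dict, List, Tuple

# Constructed Cisco IOS running-config excerpt (not from a real device). It mixes
# compliant and non-compliant settings so the checks below have something to flag.
SAMPLE_CONFIG = """\
version 16.9
hostname edge-rtr-01
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
username admin privilege 15 secret 9 $9$PLACEHOLDER-SCRYPT-HASH
ip ssh version 2
ip access-list standard MGMT-HOSTS
 permit 10.0.100.0 0.0.0.255
logging host 10.0.100.20
logging trap informational
snmp-server community public RO
snmp-server group NMS-V3 v3 priv
ntp server 10.0.100.5
banner login ^C Authorized access only ^C
line con 0
 exec-timeout 10 0
line vty 0 4
 access-class MGMT-HOSTS in
 exec-timeout 10 0
 transport input ssh
line vty 5 15
 access-class MGMT-HOSTS in
 exec-timeout 10 0
 transport input telnet ssh
"""


def parse_sections(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split IOS-style config into top-level lines and the indented children of each."""
    top: List[str] = []
    children: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            children[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            children.setdefault(current, [])
    return top, children


def _has(lines: List[str], pattern: str) -> bool:
    return any(re.search(pattern, line) for line in lines)


def _timeout_ok(lines: List[str]) -> bool:
    """exec-timeout must be present and not '0 0', which disables the idle timer."""
    for line in lines:
        if line.startswith("exec-timeout"):
            return line.split()[1:3] != ["0", "0"]
    return False


def audit_management_plane(config: str) -> List[Dict[str, str]]:
    """Return one Pass/Fail record per management-plane audit area (area names are assumed)."""
    top, children = parse_sections(config)
    vty = {k: children[k] for k in top if k.startswith("line vty")}
    results: List[Dict[str, str]] = []

    def record(area: str, ok: bool, evidence: str) -> None:
        results.append({"area": area, "status": "Pass" if ok else "Fail", "evidence": evidence})

    record("aaa_enabled", _has(top, r"^aaa new-model$"), "aaa new-model present")
    record("aaa_external_auth", _has(top, r"^aaa authentication login \S+ group (tacacs\+|radius)"),
           "login authentication uses a TACACS+/RADIUS server group")
    users = [l for l in top if l.startswith("username ")]
    # 'secret 9' is what the running-config shows for algorithm-type scrypt secrets.
    weak = [l.split()[1] for l in users if not re.search(r"\bsecret 9\b", l)]
    record("local_account_hashing", bool(users) and not weak,
           f"accounts without type 9 (scrypt) secret: {weak}" if weak else "all local accounts use secret 9")
    record("ssh_version_2", _has(top, r"^ip ssh version 2$"), "ip ssh version 2 present")
    telnet = [k for k, lines in vty.items() if "transport input ssh" not in lines]
    record("vty_ssh_only", bool(vty) and not telnet, f"VTY lines allowing non-SSH transport: {telnet}")
    no_timeout = [k for k, lines in vty.items() if not _timeout_ok(lines)]
    record("vty_exec_timeout", bool(vty) and not no_timeout, f"VTY lines without a usable exec-timeout: {no_timeout}")
    no_acl = [k for k, lines in vty.items() if not any(l.startswith("access-class") for l in lines)]
    record("vty_access_class", bool(vty) and not no_acl, f"VTY lines without access-class: {no_acl}")
    record("remote_syslog", _has(top, r"^logging host \S+"), "remote logging host configured")
    community = [l for l in top if l.startswith("snmp-server community")]
    record("snmp_v3_only", _has(top, r"^snmp-server group \S+ v3 priv") and not community,
           f"v3 priv group required; v1/v2c community strings found: {len(community)}")
    record("ntp_authentication", _has(top, r"^ntp authenticate$") and _has(top, r"^ntp trusted-key"),
           "ntp authenticate and ntp trusted-key both required")
    record("login_banner", _has(top, r"^banner (login|motd)"), "login/motd banner present")
    return results


def audit_summary(config: str) -> Dict[str, str]:
    """Collapse the records to area -> status for tallying in Step 5."""
    return {r["area"]: r["status"] for r in audit_management_plane(config)}


if __name__ == "__main__":
    for r in audit_management_plane(SAMPLE_CONFIG):
        print(f"{r['status']:4}  {r['area']:24}  {r['evidence']}")
```

On the sample config the script flags three failures: the second VTY range still accepts Telnet, an SNMP v2c community string coexists with the v3 group, and NTP authentication is absent. Each record carries the evidence string so the finding can be pasted into the report template as-is.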
Step 3: Control Plane Audit
Assess controls that protect routing and signaling protocols. CIS sections
typically numbered 3.x.
Routing protocol authentication:
Verify OSPF, BGP, and IS-IS neighbor authentication is enabled.
[Cisco] show ip ospf interface — check for authentication type
(MD5 or SHA-256). show ip bgp neighbors — verify password is set per
neighbor.
[PAN-OS] show routing protocol ospf area — verify area authentication.
show routing protocol bgp peer — check MD5 authentication.
[JunOS] show ospf interface detail — verify authentication-type.
show bgp neighbor — check authentication-key presence.
[CheckPoint] Routing configured via Gaia Clish: show route ospf with
show configuration ospf for authentication settings.
Control Plane Protection:
Verify rate limiting on management-bound traffic to prevent CPU exhaustion
from packet floods targeting the control plane processor.
[Cisco] show policy-map control-plane — verify CoPP (Control Plane
Policing) is applied with appropriate rate limits.
[JunOS] show firewall filter — verify loopback/lo0 filter protects
the routing engine with rate-limit policers.
ARP and DHCP protection:
Verify Dynamic ARP Inspection (DAI) and DHCP snooping on access-layer
switches to prevent ARP spoofing and rogue DHCP attacks.
Step 4: Data Plane Audit
Assess controls that protect traffic forwarding. CIS sections typically
numbered 4.x and 5.x.
Access control lists:
Verify explicit deny rules with logging at ACL boundaries. Check that
infrastructure ACLs protect device management addresses from data plane
traffic.
Unicast Reverse Path Forwarding (uRPF):
[Cisco] show ip interface — check for ip verify unicast source
reachable-via on external-facing interfaces.
[JunOS] show configuration interfaces — check for family inet rpf-check
on upstream interfaces.
Anti-spoofing via uRPF validates source addresses against the routing table,
dropping packets with forged source IPs.
Storm control and port security:
Verify broadcast/multicast/unicast storm control thresholds on access ports.
Check 802.1X or MAC-based authentication on edge ports where applicable.
Encryption:
Verify management traffic encryption (SSH, HTTPS, SNMPv3). Assess MACsec
for LAN encryption and IPsec for WAN links where required by organizational
policy or CIS Level 2 controls.
Step 5: Compliance Scoring and Gap Analysis
Tally results per CIS section and per architectural plane.
For each control tested, record:
- Pass: Device configuration satisfies the control requirement
- Fail: Device configuration does not meet the control requirement
- Not Applicable: Control does not apply to this device role or
deployment model (document justification)
Calculate compliance percentage per plane:
Compliance % = (Pass / (Pass + Fail)) × 100 (exclude N/A from denominator)
Identify critical gaps — any Level 1 control failure in the Management Plane
is a priority finding because it affects the security of all other controls
(if management access is compromised, all other controls are bypassable).
Step 6: Priority-Ranked Remediation Plan
Order findings for remediation based on CIS control level and operational
impact.
Priority 1 — Level 1 Management Plane failures:
AAA bypass, cleartext management protocols, missing logging. These undermine
all other controls.
Priority 2 — Level 1 Control/Data Plane failures:
Unauthenticated routing protocols, missing ACLs, disabled uRPF. These allow
traffic manipulation or spoofing.
Priority 3 — Level 2 Management Plane items:
Enhanced encryption, additional monitoring, granular access controls. These
add defense-in-depth.
Priority 4 — Level 2 Control/Data Plane items:
CoPP fine-tuning, MACsec deployment, advanced storm control thresholds.
These optimize existing protections.
Group remediation actions by effort:
- Quick wins: Configuration commands that can be applied in a maintenance
window without service impact
- Planned changes: Items requiring change management, testing, or
coordination with other teams
- Projects: Items requiring infrastructure changes, new hardware, or
significant design work
Threshold Tables
Compliance Violation Severity
| Severity | CIS Level | Condition | Examples |
|---|---|---|---|
| Critical | Level 1 fail | Management access without AAA or encryption | Telnet enabled, no AAA configuration, SNMP v1/v2c with default community, no remote logging configured |
| High | Level 1 fail | Partial control implementation with gaps | NTP configured but without authentication, SSH enabled but v1 not disabled, login banner missing on some access methods |
| Medium | Level 2 fail | Defense-in-depth control not implemented | CoPP not configured, uRPF not enabled on external interfaces, storm control disabled on access ports |
| Low | Level 2 | Optional hardening not applied | Custom banner text not meeting organizational standard, SNMP informational traps not tuned, optional encryption on internal-only links |
Compliance Posture Summary
| Score Range | Posture | Guidance |
|---|---|---|
| 90–100% | Strong | Address remaining gaps in next maintenance cycle |
| 70–89% | Moderate | Prioritize Level 1 failures, schedule Level 2 within quarter |
| 50–69% | Weak | Immediate remediation plan required, escalate to management |
| <50% | Critical | Device may require isolation until baseline controls are applied |
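Step 5's per-plane percentage, the posture bands in the table above, and the Step 6 priority ranking fit together in one small scoring routine. The code below is an added example rather than part of this skill: it takes a constructed finding set for a single device (a core router, so the DHCP snooping control is recorded N/A), computes the compliance percentage per plane and overall with N/A excluded from the denominator, maps each percentage onto the posture bands, and orders the failed findings by the four priority classes defined in Step 6. The finding records, their area names and the Pass/Fail/N/A values are illustrative and are not CIS control IDs.

```python
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed finding set for one device (not real audit results). A core router
# has no access ports, so the DHCP snooping control is recorded as Not Applicable.
FINDINGS: List[Dict[str, str]] = [
    {"plane": "Management", "level": "Level 1", "area": "aaa_enabled", "status": "Pass"},
    {"plane": "Management", "level": "Level 1", "area": "ssh_version_2", "status": "Pass"},
    {"plane": "Management", "level": "Level 1", "area": "remote_syslog", "status": "Pass"},
    {"plane": "Management", "level": "Level 1", "area": "snmp_v3_only", "status": "Fail"},
    {"plane": "Management", "level": "Level 2", "area": "cert_based_auth", "status": "Pass"},
    {"plane": "Control", "level": "Level 1", "area": "ospf_authentication", "status": "Pass"},
    {"plane": "Control", "level": "Level 1", "area": "bgp_authentication", "status": "Fail"},
    {"plane": "Control", "level": "Level 2", "area": "copp_applied", "status": "Fail"},
    {"plane": "Control", "level": "Level 1", "area": "dhcp_snooping", "status": "N/A"},
    {"plane": "Data", "level": "Level 1", "area": "infrastructure_acl", "status": "Pass"},
    {"plane": "Data", "level": "Level 1", "area": "urpf_external", "status": "Pass"},
    {"plane": "Data", "level": "Level 2", "area": "macsec", "status": "Fail"},
]

VALID_STATUSES = ("Pass", "Fail", "N/A")

# Step 6 priority classes: (CIS level number, plane) -> priority.
PRIORITY_ORDER = {
    (1, "Management"): 1,
    (1, "Control"): 2, (1, "Data"): 2,
    (2, "Management"): 3,
    (2, "Control"): 4, (2, "Data"): 4,
}


def posture(percent: Optional[float]) -> str:
    """Map a compliance percentage onto the Compliance Posture Summary bands."""
    if percent is None:
        return "Not assessed"  # no testable controls in this plane
    if percent >= 90:
        return "Strong"
    if percent >= 70:
        return "Moderate"
    if percent >= 50:
        return "Weak"
    return "Critical"


def _tally(findings: List[Dict[str, str]]) -> Dict[str, object]:
    counts = {s: 0 for s in VALID_STATUSES}
    for f in findings:
        if f["status"] not in counts:
            raise ValueError(f"unknown status {f['status']!r} for {f['area']}")
        counts[f["status"]] += 1
    tested = counts["Pass"] + counts["Fail"]  # N/A excluded from the denominator
    percent = round(counts["Pass"] / tested * 100, 2) if tested else None
    return {"pass": counts["Pass"], "fail": counts["Fail"], "not_applicable": counts["N/A"],
            "tested": tested, "percent": percent, "posture": posture(percent)}


def score_by_plane(findings: List[Dict[str, str]]) -> Dict[str, Dict[str, object]]:
    """Compliance % and posture per architectural plane."""
    by_plane: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for f in findings:
        by_plane[f["plane"]].append(f)
    return {plane: _tally(items) for plane, items in by_plane.items()}


def overall_score(findings: List[Dict[str, str]]) -> Dict[str, object]:
    """Device-level compliance % across all planes."""
    return _tally(findings)


def remediation_plan(findings: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Failed findings ordered by Step 6 priority class, then plane and area."""
    ranked = []
    for f in findings:
        if f["status"] != "Fail":
            continue
        level_number = int(f["level"].split()[-1])
        ranked.append({**f, "priority": PRIORITY_ORDER[(level_number, f["plane"])]})
    return sorted(ranked, key=lambda f: (f["priority"], f["plane"], f["area"]))


if __name__ == "__main__":
    for plane, s in score_by_plane(FINDINGS).items():
        print(f"{plane:11} {s['percent']}% {s['posture']}  (tested {s['tested']}, N/A {s['not_applicable']})")
    print("overall", overall_score(FINDINGS))
    for f in remediation_plan(FINDINGS):
        print(f"P{f['priority']} {f['plane']:11} {f['area']}")
```

The sample shows why per-plane scoring matters: the device lands at roughly 64% overall (Weak), but the Control Plane is at 33% (Critical) because the one N/A control is excluded rather than counted as a pass, and the single Management Plane failure still sorts to the top of the plan as Priority 1.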
Decision Trees
Compliance Remediation Priority
CODEBLOCK0
Benchmark Version Selection
CODEBLOCK1
Report Template
CODEBLOCK2
Troubleshooting
Benchmark Version Mismatch
CIS benchmarks target specific OS versions. When the device runs a version
not covered by any published benchmark, use the nearest available benchmark
and document the gap. New features introduced after the benchmark's target
version may not have corresponding controls — assess these independently.
Platform-Specific Configuration Locations
The same logical control (e.g., AAA configuration) exists in different
configuration hierarchies per platform. Cisco IOS uses aaa new-model in
global config, PAN-OS uses authentication profiles in device settings, JunOS
uses system authentication-order, and Check Point uses SmartConsole or
Gaia Clish. The references/cli-reference.md file provides the correct
audit command per platform.
Controls Not Applicable to All Deployment Models
Some CIS controls assume a specific deployment model. For example, DHCP
snooping controls apply to access-layer switches but not to core routers or
firewalls. 802.1X controls apply to wired access ports but not to WAN
interfaces. Document each N/A determination with a clear justification tied
to the device's role in the network architecture.
Multi-Context and Virtual System Considerations
PAN-OS virtual systems (vsys), Cisco VDCs/VRFs, and JunOS logical systems
create isolated administrative domains within a single physical device.
Each virtual context should be assessed independently — controls in one
context do not automatically apply to others. Inventory all contexts before
beginning the audit with platform-specific enumeration commands.
Compensating Controls Documentation
When a CIS control cannot be implemented exactly as described but an
equivalent protection exists, document the compensating control with:
what CIS control it addresses, what alternative mechanism is in place,
and why it provides equivalent or better protection. Accepted risk
exceptions require management sign-off with a review date.