Predefined CCS CIS Benchmark standards have some checks that have a 'not defined' rating

Article ID: 185661

Updated On:

Products

Control Compliance Suite, Control Compliance Suite Standards Server

Issue/Introduction

In some of our predefined standards, for example "CIS Security Benchmark for HP-UX v1.3.1" and "CIS SUSE Linux Enterprise Server 10 Benchmark v2.0.0", the checks in section 1.x.x of the standard have nothing set for the CIA or CVSS rating. They are marked as 'no impact' or 'not defined'.

Resolution

These checks were deliberately left without a CIA rating. CIS defines only one check for 'Apply Latest OS Patches', whereas we implemented a separate check for each package available in that particular OS. Having this many checks makes it possible to identify exactly which package(s) need to be updated.

Under the CIS definition, only one check fails when the packages are not updated to the latest available patch level, whereas in our assessment multiple checks may fail. Assigning CIA ratings to each of these individual checks (more than 300 checks in an individual standard) would drastically distort the final score of the benchmark assessment.
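To make the scoring effect concrete, the following is an added illustration written for this article; it is not Control Compliance Suite code and does not reproduce the product's actual scoring formula. It assumes a simplified model in which each check carries a risk weight derived from its CIA rating (a constructed weight of 5.0 for a rated check, 0.0 for a 'not defined' check, so unrated checks are still reported as failed but do not move the score) and compares one aggregated patch check against 300 per-package checks.

```python
"""
Constructed example: how rating 300 per-package checks would dilute a
risk-weighted compliance score compared with a single aggregated check.
The weighting scheme below is an assumption for illustration only, not
the scoring used by Control Compliance Suite.
"""
from dataclasses import dataclass


@dataclass
class Check:
    name: str
    weight: float   # risk weight derived from a CIA rating; 0.0 = 'not defined'
    passed: bool


def compliance_score(checks):
    """Weighted pass percentage, rounded to two decimals.

    Checks with weight 0 contribute nothing to numerator or denominator,
    so they show up in the failure list without changing the score.
    """
    total = sum(c.weight for c in checks)
    if total == 0:
        return 100.0
    earned = sum(c.weight for c in checks if c.passed)
    return round(100.0 * earned / total, 2)


def cis_single_check(outdated_packages, other_checks):
    """CIS style: one 'Apply Latest OS Patches' check that fails if any
    package is behind the latest available patch."""
    patch = Check("Apply Latest OS Patches", 5.0, outdated_packages == 0)
    return compliance_score([patch] + other_checks)


def per_package_checks(total_packages, outdated_packages, other_checks, rated):
    """One check per package (constructed names pkg-0 .. pkg-N), either all
    carrying a CIA-derived weight (rated=True) or all 'not defined'."""
    weight = 5.0 if rated else 0.0
    pkgs = [
        Check(f"pkg-{i}", weight, i >= outdated_packages)  # first N are outdated
        for i in range(total_packages)
    ]
    return compliance_score(pkgs + other_checks)


def scenarios(total_packages=300, outdated=300, n_other=50):
    """Score the same host under the three models. The other 50 checks are
    constructed as rated and passing so only patch state varies."""
    other = [Check(f"other-{i}", 5.0, True) for i in range(n_other)]
    return {
        "cis_single_check": cis_single_check(outdated, other),
        "per_package_rated": per_package_checks(total_packages, outdated, other, True),
        "per_package_not_defined": per_package_checks(total_packages, outdated, other, False),
    }


if __name__ == "__main__":
    for outdated in (300, 10, 0):
        print(f"{outdated:>3} outdated packages:", scenarios(outdated=outdated))
```

With every package outdated, the single CIS check costs one of 51 rated checks (about 98% compliant), while 300 rated per-package checks drag the same host to about 14%; leaving the per-package checks 'not defined' keeps the score at 100% and still lists each outdated package as a failed check, which is the trade-off the resolution describes.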