Alternatives to the CIS-CAT auditing tool

The Center for Internet Security, CIS for short, is the organization behind several in-depth hardening guides. The quality of these hardening guides is outstanding, with a high level of detail.

This high level of detail has one downside: it costs a lot of time to read, try and test the recommendations. Sometimes we simply don’t have the time to do an extensive audit by hand. Let alone the time to actually repeat the auditing and hardening steps on a regular basis. Fortunately there is a solution: tooling.

CIS has their own CIS-CAT auditing tool. Unfortunately this is out of reach for most of us, as membership is expensive. For companies and individuals who seek to do auditing, yet want an alternative to the paid CIS-CAT tool, might be delighted to know there are several open source options available.

Vulnerability management

Depending on your organization, size and type of business, there are a lot of tools available to assist you. For example the well known port scanner Nmap. During the years it became much more than just port scanning. For example with the use of plugins, you can use it to test for new vulnerabilities.

When we continue within the area of vulnerability management, we can’t ignore the great project OpenVAS. As an original fork of the now commercial Nessus, it helps with finding vulnerabilities on your system. While it may be different than using a hardening guide, it will definitely discover other issues and more quickly.

Linux system auditing

When it comes to a closer alternative of CIS-CAT tooling, we can’t ignore our own tool Lynis. Like Nmap and OpenVAS, it is open source and freely available. It helps automating the system auditing process. On top of that, it provides feedback for further hardening of your Linux systems.

For those who search compliance checking (e.g. PCI DSS), we are sure that Lynis will be a great help. If your goal is “easy hardening”, we suggest to start creating your customized scripts. Don’t fall into the trap of a false sense of security. We covered this in our post about the possible backfire of hardening scripts.

More alternatives

GitHub

Another great research nowadays are the snippets found on GitHub. It must be said that some repositories are simply a mess, but when searching you might find some gold nuggets. Most of these snippets are provided by passionate people, who like to share their knowledge. The caveat is that some snippets are not up-to-date, wrong or might not work. But depending on what you try to achieve, that might be simple to check.

Your OS distribution

Most Linux distributions have their own hardening guides available. While not a direct replacement for tooling, it might be a combination. For example mixing OpenVAS, Lynis, Nmap and the guides from both CIS and the distribution.

Depending on your OS, the quality might be different. So even if you are not using Fedora, it might be still worth checking out their resources. Also Arch and Gentoo are known for sharing a lot about security related topics.

Links

Order by alphabetical order, some useful links:

• CIS
• Fedora security guide (newer version might be available)
• Lynis
• Nmap
• OpenVAS
• Red Hat hardening guide
• Ubuntu security tips

Do you know any other open source tools, as a simple alternative to CIS-CAT? Love to hear in the comments!