CIS-CAT Lite Deep Dive¶

Platform: Cross-platform (Linux & Windows) | Binary: Assessor-CLI.sh / Assessor-CLI.bat | Type: Official CIS benchmark assessor

Overview¶

CIS-CAT Lite is the official Configuration Assessment Tool from the Center for Internet Security. It evaluates systems against CIS Benchmarks — the gold standard for security configuration.

How CISentinel Uses CIS-CAT¶

1. Download & Installation¶

CISentinel downloads CIS-CAT Lite as a ZIP from the CIS Workbench API:

https://workbench.cisecurity.org/api/vendor/v1/cis-cat/lite/latest

Version Pinning¶

CISentinel auto-pins CIS-CAT versions based on the host OS:

Override via environment variables:

# Full URL override
export CISCAT_LITE_URL="https://example.com/ciscat.zip"

# Version pin
export CISCAT_LITE_VERSION="4.59.0"

2. Java Runtime¶

• Linux: Installs openjdk-11-jre-headless or equivalent via package manager
• Windows: Uses CIS-CAT's bundled JRE (no separate Java install needed)

3. Scan Execution¶

Linux:

./Assessor-CLI.sh -i -html -csv

Windows:

.\Assessor-CLI.bat -i -html -csv

Installation per Platform¶

Linux¶

Windows¶

No Java install needed — CIS-CAT bundles its own JRE under Assessor/jre/.

The tool checks multiple candidate locations: 1. %LOCALAPPDATA%\cis-sentinel\tools 2. %USERPROFILE%\Documents\tools 3. C:\tools

Zip Extraction Security¶

CISentinel implements zip-slip protection when extracting CIS-CAT:

# Verify each member path stays within the extraction directory
member_path = os.path.realpath(os.path.join(extract_path, member))
if not member_path.startswith(os.path.realpath(extract_path) + os.sep):
    raise ValueError(f"Zip slip detected: {member}")

Output Artifacts¶

Common Issues¶