Fleet & CIS Benchmarks: Simplified, Cross-Platform Security

akhil mittal - Nov 4 - Dev Community

Ever feel overwhelmed trying to maintain security compliance across multiple platforms? CIS Benchmarks are a great start, and Fleet makes implementing them even easier.

Why CIS benchmarks?

CIS (Center for Internet Security) Benchmarks are a set of best practice guidelines for securing IT systems and data. CIS Benchmarks are not owned or developed by a single organization. Instead they are developed and maintained by a community of cybersecurity professionals and subject matter experts with the goal of enhancing every organization’s security posture. They provide configuration recommendations for various platforms including workstations, servers, cloud providers, and networking devices.

CIS Benchmarks provide step-by-step instructions to harden systems by configuring security settings, minimizing vulnerabilities, and improving compliance. They are commonly used as a baseline for security audits, and organizations often align their security policies with CIS recommendations to help meet industry or regulatory requirements.

Many device management solutions have included, or are starting to include, CIS Benchmark reporting in their products. This gives admins, security professionals, and executives alike a quick and easy way to gauge the general security posture of their organization against these benchmarks. Where some of these solutions fall short is that they support only one platform, are challenging to configure (and even more challenging to configure for remediation), charge extra for the feature, ship it as a separate app within a product suite, or, worse, lack transparency into their checks and operations. What if you could baseline all of your macOS and Windows workstations within an hour, configure remediation in minutes, and have full visibility into the benchmarks and the source code that makes everything work? Enter Fleet.

How to do it with Fleet

I am taking some liberties and assuming that you already have devices enrolled in Fleet. If not, enrolling devices in Fleet is straightforward. You should also have fleetctl on your system. fleetctl (pronounced "Fleet control") is a command line interface (CLI) tool for managing Fleet. It provides a quick way to work with all the data available in Fleet without using the Fleet UI or working directly with the Fleet API. It also enables GitOps workflows.

With those requirements met, as long as you can run the following two commands, you’ll have the CIS Benchmarks uploaded to your Fleet instance in seconds. Your hosts will start submitting their vitals over the next hour and populating Yes/No (Pass/Fail) data. Simple, right?

# Download the CIS policy queries for macOS 14 
% wget https://raw.githubusercontent.com/fleetdm/fleet/main/ee/cis/macos-14/cis-policy-queries.yml 

# Apply the policies to your Fleet instance 
% fleetctl apply -f cis-policy-queries.yml

This is an example for macOS 14. For Windows, the wget URL will differ, but the process is the same.

Automated resolution and compliance

The release of Fleet 4.57.0 enabled admins to install software as part of policy automations, helping admins and security teams automate their patch management strategy. The release of 4.58.0 added automated remediation with scripts, providing another option to allow devices to self-heal if policy checks fail.


One of the greatest strengths of the CIS Benchmarks, and of the community of contributors, is that you not only get out-of-the-box ways to check the security posture of your devices, you also get proposed resolutions to bring your devices into compliance. That means the heavy lifting is done: in most cases you can copy and deploy their recommendations to meet each benchmark. In addition, Fleet supports custom resolution steps that are presented to the end user through Fleet Desktop, empowering end users to resolve their own issues and reiterating that security and compliance are a team effort.
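To show what the file you apply with fleetctl actually contains, and where the resolution text shown in Fleet Desktop comes from, here is an added example of two Fleet policy documents in the same `apiVersion: v1` / `kind: policy` format as the CIS file above. It is not taken from the CIS bundle or from Fleet's repository: the Gatekeeper and BitLocker checks, their names and their resolution text are constructed for illustration.

```yaml
# Constructed example of the policy document format that `fleetctl apply -f` consumes.
# Each policy is a Yes/No check: it passes on a host when the osquery SELECT
# returns at least one row and fails when it returns none. The `resolution`
# text is what Fleet Desktop shows the end user when the policy fails.
apiVersion: v1
kind: policy
spec:
  name: Gatekeeper enabled (macOS)
  platform: darwin
  description: Gatekeeper must be enabled so that only trusted apps can run.
  query: SELECT 1 FROM gatekeeper WHERE assessments_enabled = 1;
  resolution: Enable Gatekeeper under System Settings > Privacy & Security, then wait for the next check-in.
  critical: false
---
apiVersion: v1
kind: policy
spec:
  name: BitLocker protection on the system drive (Windows)
  platform: windows
  description: The C: drive must be protected by BitLocker.
  query: SELECT 1 FROM bitlocker_info WHERE drive_letter = 'C:' AND protection_status = 1;
  resolution: Turn on BitLocker for drive C: from Settings > Privacy & security > Device encryption.
  critical: true
```

Multiple policies in one file are separated by `---` exactly as in the downloaded CIS file, so the same `fleetctl apply -f` command applies all of them at once.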


Start your Fleet journey

Security and compliance don't have to be burdensome or require separate tools for workstations, servers, or different operating systems. With Fleet’s open-source, cross-platform solution, you can manage policies across all your end user devices and servers effortlessly. Whether it's vulnerability management, compliance, or automation, Fleet integrates seamlessly with your existing systems. With GitOps support, your workflows become even more hands-off and automated.
