Index

This method allows you to retrieve a list of CIS benchmarks for your organization.

Method URL
GET /api/v2/cis.json

Example Response

Code Status
200 OK

Response JSON

[
    {
        "benchmark_id": "xccdf_org.cisecurity.benchmarks_benchmark_1.4.0.1_CIS_Red_Hat_Enterprise_Linux_6_Benchmark",
        "benchmark_title": "CIS Red Hat Enterprise Linux 6 Benchmark",
        "cis_benchmark_id": "5",
        "node_id": "109",
        "node_name": "QA ESXi Ubuntu 14.04 (2.11.0 RC7 - a)",
        "policy_id": "85",
        "profile_title": "Level 1",
        "result": "failure",
        "vuln_ref": "xccdf_org.cisecurity.benchmarks_rule_6.1.6_Set_UserGroup_Owner_and_Permission_on_etccron.daily"
    },
    {
        "benchmark_id": "xccdf_org.cisecurity.benchmarks_benchmark_1.4.0.1_CIS_Red_Hat_Enterprise_Linux_6_Benchmark",
        "benchmark_title": "CIS Red Hat Enterprise Linux 6 Benchmark",
        "cis_benchmark_id": "5",
        "node_id": "109",
        "node_name": "QA ESXi Ubuntu 14.04 (2.11.0 RC7 - a)",
        "policy_id": "85",
        "profile_title": "Level 1",
        "result": "failure",
        "vuln_ref": "xccdf_org.cisecurity.benchmarks_rule_6.1.7_Set_UserGroup_Owner_and_Permission_on_etccron.weekly"
    },
    {
        "benchmark_id": "xccdf_org.cisecurity.benchmarks_benchmark_1.4.0.1_CIS_Red_Hat_Enterprise_Linux_6_Benchmark",
        "benchmark_title": "CIS Red Hat Enterprise Linux 6 Benchmark",
        "cis_benchmark_id": "5",
        "node_id": "109",
        "node_name": "QA ESXi Ubuntu 14.04 (2.11.0 RC7 - a)",
        "policy_id": "85",
        "profile_title": "Level 1",
        "result": "failure",
        "vuln_ref": "xccdf_org.cisecurity.benchmarks_rule_6.1.8_Set_UserGroup_Owner_and_Permission_on_etccron.monthly"
    },
    ...
]

Show

This method returns details of the CIS benchmark, specified by the ID given in the URL.

Method URL
GET /api/v2/cis/[cis_benchmark_id].json?[params]

Parameters

Param Type Required Notes
environment_id int No Returns results for the environment id in which the benchmark applies to
node_group_id int No Returns results for the node group id in which the benchmark applies to
node_id int No Returns results for the node id in which the benchmark applies to
timespan int No Returns results of applicable rules for the number of weeks defined

Example Response

Code Status
200 OK

Response JSON

{
    "benchmark": {
        "benchmark_id": "xccdf_org.cisecurity.benchmarks_benchmark_1.4.0.1_CIS_Red_Hat_Enterprise_Linux_6_Benchmark",
        "benchmark_title": "CIS Red Hat Enterprise Linux 6 Benchmark",
        "benchmark_version": "1.4.0.1",
        "created_at": "2016-03-29T13:52:13-07:00",
        "docs": [
            ... // JSON list of CIS checks sorted into their relevant categories.
        ],
        "id": 1,
        "oval_text_file_id": 2,
        "policy_id": 1,
        "policy_version_id": 2,
        "profile_id": "xccdf_org.cisecurity.benchmarks_profile_Level_1",
        "profile_index": 0,
        "profile_title": "Level 1",
        "results": [
            {
                "row_id": "741124",
                "rule_id": "xccdf_org.cisecurity.benchmarks_rule_1.1.1_Create_Separate_Partition_for_tmp",
                "node_id": 166,
                "node_name": "RHEL6 AWS Arapaho",
                "result": "failure",
                "created_at": "2016-06-10T22:21:01+00:00"
            },
            ...
        ],
        "status": 1,
        "updated_at": "2016-03-29T13:52:13-07:00",
        "xccdf_text_file_id": 4
    },
    "specific": false,
    "timespan": false
}

Benchmarks

This method returns the CIS benchmarks which are active.

Method URL
GET /api/v2/cis_benchmarks.json?[params]

Parameters

Param Type Required Notes
active_only boolean No Defaults to true, toggle to return only active CIS benchmarks, not superceded ones.

Example Response

Code Status
200 OK

Response JSON

[
    {
        "benchmark_id": "cis_redhat_enterprise_linux_4_benchmark",
        "benchmark_title": "CIS Red Hat 4 and Fedora Core 1, 2, 3, 4, 5 Benchmark",
        "benchmark_version": "1.0.5.6",
        "profiles": [
          {
            "row_id": 15,
            "profile_id": "rhel4-level-1-profile",
            "profile_title": "Level 1 Profile"
          },
          {
            "row_id": 16,
            "profile_id": "rhel4-level-1-profile",
            "profile_title": "Level 1 Profile"
          }
        ]
    },
    {
        "benchmark_id": "xccdf_org.cisecurity.benchmarks_benchmark_1.2.0_CIS_VMware_ESXi_5.5_Benchmark",
        "benchmark_title": "CIS VMware ESXi 5.5 Benchmark",
        "benchmark_version": "1.2.0",
        "profiles": [
          {
            "row_id": 21,
            "profile_id": "xccdf_org.cisecurity.benchmarks_profile_Level_1",
            "profile_title": "Level 1"
          },
          {
            "row_id": 22,
            "profile_id": "xccdf_org.cisecurity.benchmarks_profile_Level_1",
            "profile_title": "Level 1"
          },
          {
            "row_id": 23,
            "profile_id": "xccdf_org.cisecurity.benchmarks_profile_Level_2",
            "profile_title": "Level 2"
          },
          {
            "row_id": 24,
            "profile_id": "xccdf_org.cisecurity.benchmarks_profile_Level_2",
            "profile_title": "Level 2"
          }
        ]
    },
  ...
]

Benchmark Rules

This method returns a plain list of CIS benchmark rules that match and belong to the benchmark id.

Method URL
GET /api/v2/cis_benchmark_rules.json?benchmark_id=[benchmark_id]

Parameters

Param Type Required Notes
benchmark_id string Yes The CIS benchmark id is required for data retrieval

Example Response

Code Status
200 OK

Response JSON

[
    {
        "id": "xccdf_org.cisecurity.benchmarks_rule_1.1.1_L1_Set_Enforce_password_history_to_24_or_more_passwords",
        "name": "1.1.1 - (L1) Set 'Enforce password history' to '24 or more password(s)'",
        "description": "\n This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The default value for Windows Vista is 0 passwords, but the default setting in a domain is 24 passwords. To maintain the effectiveness of this policy setting, use the Minimum password age setting to prevent users from repeatedly changing their password.\n               The recommended state for this setting is: 24 or more password(s).\n            ",
        "rationale": "\n The longer a user uses the same password, the greater the chance that an attacker can determine the password through brute force attacks. Also, any accounts that may have been compromised will remain exploitable for as long as the password is left unchanged. If password changes are required but password reuse is not prevented, or if users continually reuse a small number of passwords, the effectiveness of a good password policy is greatly reduced.If you specify a low number for this policy setting, users will be able to use the same small number of passwords repeatedly. If you do not also configure the Minimum password age setting, users might repeatedly change their passwords until they can reuse their original password.\n            ",
        "fix": "\n\n\n To implement the recommended configuration state, set the following Group Policy setting to 24 or more password(s):\n                     Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Enforce password history\n Impact:\n\n The major impact of this configuration is that users must create a new password every time they are required to change their old one. If users are required to change their passwords to new unique values, there is an increased risk of users who write their passwords somewhere so that they do not forget them. Another risk is that users may create passwords that change incrementally (for example, password01, password02, and so on) to facilitate memorization but make them easier to guess. Also, an excessively low value for the Minimum password age setting will likely increase administrative overhead, because users who forget their passwords might ask the help desk to reset them frequently.\n                     \n                  \n               \n            "
    },
    ...
]

Benchmark Results

This method returns the CIS benchmark results which are active for the specified node group, environment or node id.

Method URL
GET /api/v2/cis_benchmark_results.json?environment_id=[environment_id]
GET /api/v2/cis_benchmark_results.json?node_group_id=[node_group_id]
GET /api/v2/cis_benchmark_results.json?node_id=[node_id]

Parameters

Param Type Required Notes
environment_id int Yes Returns results for the environment id in which the benchmark rules apply to
node_group_id int Yes Returns results for the node group id in which the benchmark rules apply to
node_id int Yes Returns results for the node id in which the benchmark rules apply to
date_from string No Start date for received results
date_to string No End date for received results

Example Response

Code Status
200 OK

Response JSON

[
    {
        "node_id": 95,
        "benchmark_id": "xccdf_org.cisecurity.benchmarks_benchmark_2.1.0_CIS_Microsoft_Windows_Server_2012_R2_Benchmark",
        "profile_id": "xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Domain_Controller",
        "rule_id": "xccdf_org.cisecurity.benchmarks_rule_1.1.1_L1_Set_Enforce_password_history_to_24_or_more_passwords",
        "result": "failure",
        "created_at": "2016-03-21 17:43:52"
    },
    {
        "node_id": 95,
        "benchmark_id": "xccdf_org.cisecurity.benchmarks_benchmark_2.1.0_CIS_Microsoft_Windows_Server_2012_R2_Benchmark",
        "profile_id": "xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Domain_Controller",
        "rule_id": "xccdf_org.cisecurity.benchmarks_rule_1.1.2_L1_Set_Maximum_password_age_to_60_or_fewer_days_but_not_0",
        "result": "failure",
        "created_at": "2016-03-21 17:43:52"
    },
    ...
]

Fragments

This method returns a benchmark and its corresponding profile, along with an XML output of the definitions defined for the XCCDF profile.

Method URL
GET /api/v2/cis_fragments.json?id=[id]
GET /api/v2/cis_fragments.json?task_id=[task_id]
GET /api/v2/cis_fragments.json?benchmark_id=[benchmark_id]

Parameters

Param Type Required Notes
task_id int Yes task_id and id are the same parameters, both look up a task_id that has ran on UpGuard to look up a CIS fragment
benchmark_id int Yes Specifies the benchmark to return the xml output of the definitions

Example Response

Code Status
200 OK

Response JSON

{
    "row_id": 1,
    "benchmark_id": "xccdf_org.cisecurity.benchmarks_benchmark_2.1.0_CIS_Microsoft_Windows_Server_2012_R2_Benchmark",
    "benchmark_title": "CIS Microsoft Windows Server 2012 R2 Benchmark",
    "profile_id": "xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Domain_Controller",
    "profile_title": "Level 1 - Domain Controller",
    "xccdf_xml": "XML dump of the xccdf profile definition if any",
    "oval_xml": "XML dump of the OVAL definitions if any"
}

CIS Blacklist Scan Options

Should you wish to set a blacklist of CIS benchmarks for a node group, you may learn more about the scan options API that is provided here.

Tags: cis