Benchmark rule import
To perform benchmark audits, you define appropriate custom or predefined profiles based on the benchmark scanner being used. A profile consists of a set of rules that the scanner then executes on the system being audited (host, network device, etc.).
Use Cases
You can import the rules into Versio.io. There are two ways to use them:
- Rule Content (highly recommended):
  - The rules, along with all detailed information, are stored in Versio.io.
  - This makes the rule content directly available for viewing benchmark results.
  - Furthermore, this enables grouping and analysis based on regulatory or industry standards (e.g., CIS Benchmark or BSI Basic Protection).
- Policies (optional):
  - The rules are stored in Versio.io as rule-based policies.
  - This allows violations to be generated in Versio.io for control and risk management purposes.
API Token permissions
The following Versio.io permissions are required to create the necessary Versio.io API tokens:
| Scope | Permission | Target | Requirement | Why? |
|---|---|---|---|---|
| Benchmark Rules | Write Asset & Configuration Item Inventory | Entity instance rule-benchmark | Optional | Provides rule-level visibility and standard mapping. |
| Policies Based on Rules | Edit Policy Verification | Policy sets and policies | Optional | Connects benchmark findings with risk management processes. |
Table: Required permissions for the Versio.io API token
Import
To import the benchmarks, install Versio.io OneImporter on the device running the benchmark. This provides you with the runtime environment needed to import the benchmark rules.
Attention
You only need to import the rules from the benchmark results, in order to create or update the Versio.io rule descriptions or guidelines, if you have changed the benchmark profile.
```bash
#!/bin/bash
# Abort on the first error so the success message is only printed after a successful import
set -euo pipefail

# CUSTOM CONFIGURATION
# --------------------
# Benchmark configuration
BENCHMARK_RESULTS_FILE="<YOUR_BENCHMARK_RESULT_FILE>" # Example: /tmp/openscap-benchmark-results.xml
IMPORT_BENCHMARK_RULES="true"  # Store the rules as rule content in Versio.io
IMPORT_POLICIES="false"        # Store the rules as rule-based policies in Versio.io
# Versio.io configuration
VERSIO_SERVER="<YOUR_VERSIO_SERVER>" # IP or domain name
VERSIO_ENV="<YOUR_VERSIO_ENV>"
VERSIO_TOKEN="<YOUR_VERSIO_TOKEN>" # API token: keep this script readable by its owner only
# Optional: --workspace="${VERSIO_WORKSPACE_ID}"

# SCRIPT EXECUTION
# --------------------
echo "[1/1] Importing benchmark rules into Versio.io..."
# Optional: --workspace="${VERSIO_WORKSPACE_ID}"
/opt/versio.io/one-importer/node/bin/node \
  /opt/versio.io/one-importer/src/utils-bm/importScapResult.js \
  --importBenchmarkRules="$IMPORT_BENCHMARK_RULES" \
  --importPolicies="$IMPORT_POLICIES" \
  --file="$BENCHMARK_RESULTS_FILE" \
  --server="$VERSIO_SERVER" \
  --environment="$VERSIO_ENV" \
  --token="$VERSIO_TOKEN"
echo "Import benchmark rules completed successfully."
```
Code: Import benchmark rules as Versio.io rule content and policies
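The note above says a rule import is only needed after the benchmark profile has changed. One way to automate that decision, as an added example that is not part of Versio.io or OneImporter: fingerprint the profile ID and the set of selected rule IDs in the results file and compare it with the fingerprint of the last import. It assumes an XCCDF results file as written by OpenSCAP, in which rules outside the profile carry the result `notselected`; the function names and the state file are hypothetical, and changes to rule text alone are not detected.

```shell
#!/bin/bash
# Added example (not Versio.io code): skip the rule import while the profile is unchanged.
# Assumption: the results file is XCCDF as written by OpenSCAP, with unprefixed
# <profile idref>, <rule-result idref> and <result> elements.

# Print a SHA-256 over the profile ID and the IDs of all rules the profile selected.
# Rule outcomes (pass/fail) are ignored, so repeated scans give the same fingerprint.
profile_fingerprint() {
  awk 'BEGIN { RS = ">" }   # one record per tag, independent of line layout
    /<profile[ \t\n]/     { if (match($0, /idref="[^"]*"/)) print "profile=" substr($0, RSTART + 7, RLENGTH - 8) }
    /<rule-result[ \t\n]/ { rule = ""
                            if (match($0, /idref="[^"]*"/)) rule = substr($0, RSTART + 7, RLENGTH - 8) }
    after_result          { res = $0; sub(/<.*/, "", res); gsub(/[ \t\n]/, "", res)
                            if (rule != "" && res != "notselected") print "rule=" rule
                            rule = ""; after_result = 0 }
    /<result$/            { after_result = 1 }
  ' "$1" | sort -u | sha256sum | cut -d' ' -f1
}

# Exit 0 when no fingerprint is stored yet or the stored one differs from RESULTS_FILE.
needs_rule_import() {   # $1 = results file, $2 = state file (hypothetical path)
  [ -f "$2" ] || return 0
  [ "$(profile_fingerprint "$1")" != "$(cat "$2")" ]
}

# Call only after the import has finished successfully.
record_rule_import() { profile_fingerprint "$1" > "$2"; }

# Constructed sample in the shape of an XCCDF TestResult (not real scan output).
sample_results() {      # $1 = profile ID, $2 = result of the second rule
  cat <<EOF
<TestResult id="constructed_sample">
  <profile idref="$1"/>
  <rule-result idref="rule_sshd_disable_root_login" severity="medium">
    <result>pass</result>
  </rule-result>
  <rule-result idref="rule_accounts_tmout">
    <result>$2</result>
  </rule-result>
</TestResult>
EOF
}

# Demo on the constructed sample: prints its fingerprint.
demo="$(mktemp)"; sample_results profile_a pass > "$demo"
profile_fingerprint "$demo"; rm -f "$demo"
```

To use it, run the import script only when `needs_rule_import` returns 0, and call `record_rule_import` after the import exits successfully so that a failed import is retried on the next run.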