
Benchmark scanner integrations

For all of the following examples, you must have installed Versio.io OneImporter or OneGate on the host where the process is running.

The following Versio.io permissions are required to create the necessary Versio.io API tokens:

Scope Permission Target Requirement Why?
Benchmark Results Write Asset & Configuration Item Inventory Entity instance result-benchmark Required Stores benchmark results.
Benchmark Fulfillment Write Asset & Configuration Item Inventory Benchmark fulfillment metric (%) Required Enables benchmark score reporting.

Table: Required permissions for the Versio.io API token

Ubuntu Security Guide

The Ubuntu Security Guide (USG) is a security compliance and hardening tool provided by Canonical for Ubuntu systems. It enables administrators to audit and remediate system configurations against recognized security benchmarks such as the CIS Benchmarks and other compliance profiles. Ubuntu Security Guide is included with Ubuntu Pro subscriptions and provides an easy way to assess, enforce, and maintain security compliance across Ubuntu environments.

Terms

The Ubuntu Security Guide (USG) is only available as part of an Ubuntu Pro subscription and cannot be used with standard Ubuntu installations without an active Ubuntu Pro entitlement.

The following script example demonstrates how to perform a benchmark audit with USG and import the benchmark results into Versio.io.

#!/bin/bash

# Custom configuration
BENCHMARK_PROFILE="cis_level1_server-v1.0.0"

# Versio.io configuration
VERSIO_SERVER="<YOUR_VERSIO_SERVER>" # IP or domain name
VERSIO_ENV="<YOUR_VERSIO_ENV>"
VERSIO_TOKEN="<YOUR_VERSIO_TOKEN>"
#VERSIO_WORKSPACE_ID="<YOUR_VERSIO_WORKSPACE_ID>" #optional

# Script
echo "=== Ubuntu Security Guide (USG) Benchmark Audit ==="
# echo "[Info] Listing available benchmark profiles..."
# usg list

echo "[1/2] Executing benchmark audit using profile '${BENCHMARK_PROFILE}'..."
usg audit "${BENCHMARK_PROFILE}" --results /tmp/usg-hardening-benchmark-results.xml

echo "[2/2] Importing benchmark results into Versio.io..."
# Optional: --workspace="${VERSIO_WORKSPACE_ID}"
/opt/versio.io/one-importer/node/bin/node \
  /opt/versio.io/one-importer/src/utils-bm/importScapResult.js \
  --file=/tmp/usg-hardening-benchmark-results.xml \
  --server="${VERSIO_SERVER}" \
  --environment="${VERSIO_ENV}" \
  --token="${VERSIO_TOKEN}"

echo "Benchmark audit completed successfully."

Code: Execute Ubuntu host benchmark with Ubuntu Security Guide

OpenSCAP

OpenSCAP is an open-source security compliance and vulnerability assessment framework that automates the evaluation of systems against security policies, hardening benchmarks, and regulatory requirements. It uses standardized formats such as SCAP (Security Content Automation Protocol) to check configurations, detect vulnerabilities, and generate compliance reports. OpenSCAP is commonly used to assess systems against benchmarks such as CIS Benchmarks, DISA STIGs, and other security standards in Linux and enterprise environments.

Terms

Originally developed and maintained by Red Hat and the open-source community, OpenSCAP is freely available and can be used without licensing costs in both commercial and non-commercial environments.

The following script example demonstrates how to perform a benchmark audit with OpenSCAP and import the benchmark results into Versio.io.

#!/bin/bash

# Custom configuration
OPENSCAP_DATASTREAM="/usr/share/xml/scap/ssg/content/ssg-ubuntu2404-ds.xml"
OPENSCAP_PROFILE="xccdf_org.ssgproject.content_profile_cis_level1_server"
OPENSCAP_RESULTS_FILE="/tmp/openscap-benchmark-results.xml"

# Versio.io configuration
VERSIO_SERVER="<YOUR_VERSIO_SERVER>" # IP or domain name
VERSIO_ENV="<YOUR_VERSIO_ENV>"
VERSIO_TOKEN="<YOUR_VERSIO_TOKEN>"
#VERSIO_WORKSPACE_ID="<YOUR_VERSIO_WORKSPACE_ID>" #optional

# Script
echo "=== OpenSCAP Benchmark Audit ==="

echo "[1/2] Executing benchmark audit using profile '${OPENSCAP_PROFILE}'..."
echo "Starte OpenSCAP Audit..."
oscap xccdf eval \
  --profile "$OPENSCAP_PROFILE" \
  --results "$OPENSCAP_RESULTS_FILE" \
  "$OPENSCAP_DATASTREAM"

echo "[2/2] Importing benchmark results into Versio.io..."
# Optional: --workspace="${VERSIO_WORKSPACE_ID}"
/opt/versio.io/one-importer/node/bin/node \
  /opt/versio.io/one-importer/src/utils-bm/importScapResult.js \
  --file="$OPENSCAP_RESULTS_FILE" \
  --server="$VERSIO_SERVER" \
  --environment="$VERSIO_ENV" \
  --token="$VERSIO_TOKEN"

echo "Benchmark audit completed successfully."

Code: Execute Linux host benchmark with OpenSCAP
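
A pre-import check for the OpenSCAP script above, as an added example that is not part of the Versio.io documentation: `oscap xccdf eval` exits with 2 when the scan completed but at least one rule failed, so treating every non-zero status as an error would skip the import of exactly the results that matter. The function names and the sample XML are constructed for illustration, and the check assumes rule outcomes appear as XCCDF `<result>` elements.

```bash
#!/bin/bash
# Added example (not Versio.io code): decide whether a scan result is fit to import.

# `oscap xccdf eval` exits 0 when every rule passed, 2 when the scan completed
# but at least one rule failed, and 1 when the scan itself failed.
scan_completed() {
  [ "$1" -eq 0 ] || [ "$1" -eq 2 ]
}

# Count rule results with a given outcome (pass, fail, notapplicable, ...)
# in an XCCDF results file; tolerates an optional namespace prefix.
count_outcome() {
  grep -Eo "<([A-Za-z0-9_.-]+:)?result>$2</" "$1" | wc -l | tr -d ' '
}

# Succeeds only if the scan completed and the file holds evaluated rules.
ready_to_import() {
  local status="$1" file="$2" pass fail
  scan_completed "$status" || return 1
  [ -s "$file" ] || return 1
  pass="$(count_outcome "$file" pass)"
  fail="$(count_outcome "$file" fail)"
  [ $((pass + fail)) -gt 0 ]
}

# Constructed sample: a minimal XCCDF TestResult, written to a private
# directory (mktemp -d creates it with mode 0700) instead of a fixed /tmp path.
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
SAMPLE="${WORKDIR}/results.xml"
cat > "$SAMPLE" <<'EOF'
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_testresult_constructed">
  <rule-result idref="xccdf_example_rule_a"><result>pass</result></rule-result>
  <rule-result idref="xccdf_example_rule_b"><result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_c"><result>pass</result></rule-result>
  <rule-result idref="xccdf_example_rule_d"><result>notapplicable</result></rule-result>
</TestResult>
EOF

# Status 2 with evaluated rules: the results are valid and should be imported.
if ready_to_import 2 "$SAMPLE"; then
  echo "import: $(count_outcome "$SAMPLE" pass) pass, $(count_outcome "$SAMPLE" fail) fail"
fi
```

In the audit script, capture the status right after the scan with `status=$?` and run the import step only when `ready_to_import "$status" "$OPENSCAP_RESULTS_FILE"` succeeds.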

CIS-CAT Pro Assessor

The CIS-CAT Pro Assessor is a Java-based security compliance and hardening assessment tool provided by the Center for Internet Security (CIS). It enables administrators to audit system configurations against recognized security benchmarks, such as the CIS Benchmarks, across multiple operating systems, applications, and cloud environments. CIS-CAT Pro is included with a CIS SecureSuite membership and provides a standardized, automated way to assess, report, and maintain security compliance across enterprise environments.

Terms

The CIS-CAT Pro Assessor is exclusively available to CIS SecureSuite members. It requires a valid membership to download the assessor binaries and the associated XML-based CIS Benchmark Schemas.

The following script example demonstrates how to perform a benchmark audit with CIS-CAT Pro and import the benchmark results into Versio.io.

#!/bin/bash

# Custom configuration
CIS_CAT_DIR="/opt/cis-cat-pro"
BENCHMARK_XCCDF="${CIS_CAT_DIR}/benchmarks/CIS_Ubuntu_Linux_22.04_LTS_Benchmark_v2.0.0-xccdf.xml"
BENCHMARK_PROFILE="xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server"

# Versio.io configuration
VERSIO_SERVER="<YOUR_VERSIO_SERVER>" # IP or domain name
VERSIO_ENV="<YOUR_VERSIO_ENV>"
VERSIO_TOKEN="<YOUR_VERSIO_TOKEN>"
#VERSIO_WORKSPACE_ID="<YOUR_VERSIO_WORKSPACE_ID>" #optional

# Script
echo "=== CIS-CAT Pro Assessor Benchmark Audit ==="

echo "[1/3] Verifying CIS-CAT environment..."
if [ ! -d "${CIS_CAT_DIR}" ]; then
  echo "Error: CIS-CAT directory not found at ${CIS_CAT_DIR}"
  exit 1
fi

echo "[2/3] Executing benchmark audit using profile '${BENCHMARK_PROFILE}'..."
# Execute CIS-CAT Pro via Java, generating ARF (Asset Reporting Format) XML output
java -jar "${CIS_CAT_DIR}/cis-cat-centralized-cc.jar" \
  -b "${BENCHMARK_XCCDF}" \
  -p "${BENCHMARK_PROFILE}" \
  -ara \
  -axl /tmp/ciscat-hardening-benchmark-results.xml

echo "[3/3] Importing benchmark results into Versio.io..."
# Optional: --workspace="${VERSIO_WORKSPACE_ID}"
/opt/versio.io/one-importer/node/bin/node \
  /opt/versio.io/one-importer/src/utils-bm/importScapResult.js \
  --file=/tmp/ciscat-hardening-benchmark-results.xml \
  --server="${VERSIO_SERVER}" \
  --environment="${VERSIO_ENV}" \
  --token="${VERSIO_TOKEN}"

echo "Benchmark audit completed successfully."

Code: Execute CIS-CAT Pro benchmark and integrate with Versio.io