← All posts
How-To

Security Automation: Running CIS Benchmarks on Your Fleet

From a quarterly audit scramble to a nightly, scored compliance run.

NAPT Team8 min read
CIS benchmark scoring model75%fleet score

A CIS benchmark is a long checklist no one wants to run by hand. Automated, it becomes a nightly score you can trend and act on — turning a quarterly scramble into continuous assurance.

The scoring model

Each control is a pass/fail check with a weight. The device score is weighted passes over total; the fleet score is the average. Trending the score over time shows whether posture is improving or sliding.

A check looks like this

python
def check_no_telnet(config: str) -> dict:
    failed = "transport input telnet" in config
    return {
        "control": "CIS-1.1.1 disable telnet",
        "severity": "high",
        "passed": not failed,
        "key": "cis/telnet-enabled",
    }

From checks to a score

Run every control against each device's running config, emit findings for failures, and roll the weighted results into a per-device and fleet score. Feed the failures into remediation playbooks.

Prioritizing remediation

Don't chase 100% on day one. Sort failures by severity and blast radius, fix the high-severity controls that appear across many devices first, and watch the fleet score climb.

Pro tip: Run the benchmark on a nightly cron and only alert when the score drops — continuous verification without "still compliant" noise.
#security#how-to#compliance

Was this helpful?

Generate scripts for the task covered in this post

Describe what you need and NAPT writes production-ready automation in Netmiko, NAPALM, or Nornir.

Open Script Generator →
New to NAPT? Start with the Setup Guide

Related posts