Security Automation: Running CIS Benchmarks on Your Fleet
From a quarterly audit scramble to a nightly, scored compliance run.
A CIS benchmark is a long checklist no one wants to run by hand. Automated, it becomes a nightly score you can trend and act on — turning a quarterly scramble into continuous assurance.
The scoring model
Each control is a pass/fail check with a weight. The device score is weighted passes over total; the fleet score is the average. Trending the score over time shows whether posture is improving or sliding.
A check looks like this
def check_no_telnet(config: str) -> dict:
failed = "transport input telnet" in config
return {
"control": "CIS-1.1.1 disable telnet",
"severity": "high",
"passed": not failed,
"key": "cis/telnet-enabled",
}From checks to a score
Run every control against each device's running config, emit findings for failures, and roll the weighted results into a per-device and fleet score. Feed the failures into remediation playbooks.
Prioritizing remediation
Don't chase 100% on day one. Sort failures by severity and blast radius, fix the high-severity controls that appear across many devices first, and watch the fleet score climb.
Was this helpful?
Generate scripts for the task covered in this post
Describe what you need and NAPT writes production-ready automation in Netmiko, NAPALM, or Nornir.
Open Script Generator →Related posts
Compliance Without the Spreadsheet: Continuous Posture for Network Devices
The Compliance panel runs your hardening rule packs across the fleet, scores devices, and tracks drift so audits start with evidence, not promises.
Read →Inventory & IPAM: The Source of Truth Your Scripts Actually Trust
Upload a CSV, connect to NetBox, or generate an IP range — Inventory normalises every source into the same validated row shape for the platform.
Read →Runbooks: Living Documents That Run
Runbooks combine narrative, parameters, and executable scripts so on-call engineers stop choosing between reading the doc and fixing the problem.
Read →