security/hardening/cis-benchmarks/SKILL.md
Audit and remediate CIS benchmark violations. Use automated tools to assess compliance and implement hardening recommendations. Use when meeting compliance requirements or implementing security baselines.
Implement and audit CIS security benchmarks.
Use this skill when:
```bash
# Install
apt install openscap-scanner scap-security-guide

# Run CIS benchmark scan
oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_cis \
  --results results.xml \
  --report report.html \
  /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml
```
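The `results.xml` produced above is what the analyze step works from. The following is an added example, not part of the skill's own files: it parses the XCCDF `TestResult` section, counts outcomes, and lists failed rules most-severe first so they can be prioritized by risk. The embedded results document is a constructed sample that mirrors the layout `oscap` emits; its rule ids only illustrate the naming scheme.

```python
"""Triage an OpenSCAP XCCDF results file (the results.xml written by
`oscap xccdf eval --results`): count outcomes and list failed rules by severity."""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}

# Constructed sample: a trimmed results.xml with the element layout oscap emits.
# Rule ids only illustrate the naming scheme; they are not taken from a real scan.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="sample_benchmark">
  <TestResult id="sample_testresult">
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login"
                 severity="medium"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"
                 severity="high"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_telnetd_removed"
                 severity="high"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_grub2_password"
                 severity="high"><result>notapplicable</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile"
                 severity="low"><result>fail</result></rule-result>
  </TestResult>
</Benchmark>
"""

def summarize_xccdf(xml_text):
    """Return (Counter of result statuses, failed rules as (severity, id) tuples
    sorted most-severe first)."""
    root = ET.fromstring(xml_text)
    counts, failed = Counter(), []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", XCCDF_NS):
        result_el = rr.find("x:result", XCCDF_NS)
        status = (result_el.text or "").strip() if result_el is not None else "unknown"
        counts[status] += 1
        if status == "fail":
            failed.append((rr.get("severity", "unknown").lower(), rr.get("idref", "")))
    failed.sort(key=lambda f: (SEVERITY_RANK.get(f[0], 4), f[1]))
    return counts, failed

def compliance_score(counts):
    """Pass rate (percent) over evaluated rules only: notapplicable, notchecked
    and notselected are excluded from the denominator so they do not inflate it."""
    evaluated = counts["pass"] + counts["fail"]
    return round(100.0 * counts["pass"] / evaluated, 1) if evaluated else 0.0

if __name__ == "__main__":
    counts, failed = summarize_xccdf(SAMPLE_RESULTS)
    print(dict(counts), f"score={compliance_score(counts)}%", failed)
```

To run it against a real scan, replace `SAMPLE_RESULTS` with the contents of `results.xml`; rules that are merely unselected in the profile will not count against the score.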
```bash
# Install
apt install lynis

# Run audit
lynis audit system

# Generate report
lynis audit system --report-file /tmp/lynis-report.dat
```
```ruby
# cis-profile/controls/ssh.rb
control 'cis-ssh-1' do
  impact 1.0
  title 'Ensure SSH root login is disabled'
  describe sshd_config do
    its('PermitRootLogin') { should eq 'no' }
  end
end

control 'cis-ssh-2' do
  impact 0.7
  title 'Ensure SSH password authentication is disabled'
  describe sshd_config do
    its('PasswordAuthentication') { should eq 'no' }
  end
end
```
```bash
# Run InSpec
inspec exec cis-profile -t ssh://user@target
```
```bash
# kube-bench
docker run --rm -v /etc:/etc:ro -v /var:/var:ro \
  aquasec/kube-bench:latest run --targets node

# Check specific sections
kube-bench run --targets master --check 1.1,1.2
```
```yaml
workflow:
  1_scan:
    - Run automated assessment
    - Generate baseline report
  2_analyze:
    - Review findings
    - Identify false positives
    - Prioritize by risk
  3_remediate:
    - Apply fixes
    - Document exceptions
    - Verify changes
  4_validate:
    - Re-run assessment
    - Confirm remediation
    - Generate compliance report
```