Security Compliance
SlimRMM includes a comprehensive CIS benchmark-based security compliance monitoring system to help ensure your endpoints meet industry security standards.
Overview
The compliance module continuously monitors your managed systems against the CIS Benchmarks, providing:
- Real-time compliance scoring
- Policy-based monitoring
- Exception/waiver management
- Historical trend analysis
- Remediation guidance
CIS Benchmark Levels
Level 1 (Basic)
Recommended security settings that can be implemented without significant impact on system functionality:
- Basic firewall configuration
- Standard password policies
- Common user account restrictions
- Basic audit logging
Level 2 (Defense in Depth)
Advanced security settings for environments requiring enhanced security:
- Strict firewall rules
- Advanced encryption requirements
- Comprehensive audit policies
- Additional access restrictions
Check Categories
SlimRMM includes 30+ built-in checks across these categories:
| Category | Description | Example Checks |
|---|---|---|
| Firewall | Firewall status and configuration | Firewall enabled, profiles active |
| Encryption | Disk encryption status | BitLocker (Windows), FileVault (macOS), LUKS (Linux) |
| User Accounts | Account security settings | Guest account disabled, admin account restrictions |
| Password Policy | Password requirements | Complexity, length, age, history |
| Remote Access | Remote access configuration | SSH hardening, RDP restrictions |
| Audit Logging | System audit configuration | Audit policy enabled, log retention |
| Antivirus | Malware protection status | Windows Defender status, real-time protection |
| System Updates | Update configuration | Auto-updates enabled, pending updates |
Scoring Algorithm
Compliance scores are calculated using a weighted severity system:
| Severity | Weight | Description |
|---|---|---|
| Critical | 10 | Issues requiring immediate attention |
| High | 5 | Significant security concerns |
| Medium | 3 | Moderate security improvements |
| Low | 1 | Minor security enhancements |
Score Calculation:
Score = (Passed Weight / Total Weight) * 100
Risk Level Assignment:
- Critical: Any critical check failed
- High: More than 2 high-severity checks failed
- Medium: 1-2 high-severity or 5+ medium-severity checks failed
- Low: All critical/high checks passed, few medium/low failures
Policies
Creating a Policy
Policies define which checks to run and against which agents:
{
  "name": "Windows Workstations - CIS Level 1",
  "cis_level": "level_1",
  "target_os": "windows",
  "schedule_type": "continuous",
  "check_interval_minutes": 60,
  "passing_score_threshold": 80
}
Policy Options
| Option | Description |
|---|---|
| cis_level | level_1 or level_2 |
| target_os | windows, darwin, linux, or all |
| schedule_type | continuous, scheduled, or manual |
| check_interval_minutes | How often to run checks (default: 60) |
| passing_score_threshold | Minimum score to be considered compliant (default: 80) |
Exceptions
For cases where a check cannot be satisfied due to business requirements, you can create exceptions:
- Reason: Document why the exception is needed
- Expiry: Optional expiration date
- Scope: Per-agent or global
Excepted checks are marked as "Exempted" and excluded from scoring.
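The scoring and risk rules from the Scoring Algorithm section, together with the exemption rule above, worked through in Python as an added example (not SlimRMM's own code). The result record shape, treating an expired exception as no longer exempting, leaving exempted checks out of risk assignment, and reporting 100 when nothing is left to score are assumptions.

```python
from datetime import date

# Severity weights from the page's scoring table.
WEIGHTS = {"critical": 10, "high": 5, "medium": 3, "low": 1}

def is_exempt(check, today):
    # Assumption: an exception whose expiry date has passed no longer exempts.
    exc = check.get("exception")
    return bool(exc) and (exc.get("expiry") is None or exc["expiry"] >= today)

def evaluate(checks, threshold=80, today=None):
    """Return score, risk level and compliance for one agent's check results."""
    today = today or date.today()
    scored = [c for c in checks if not is_exempt(c, today)]
    total = sum(WEIGHTS[c["severity"]] for c in scored)
    passed = sum(WEIGHTS[c["severity"]] for c in scored if c["passed"])
    # Assumption: with no scorable checks, report 100 instead of dividing by zero.
    score = 100.0 if total == 0 else passed / total * 100
    failed = {sev: 0 for sev in WEIGHTS}
    for c in scored:
        if not c["passed"]:
            failed[c["severity"]] += 1
    # Risk tiers in the order the page lists them; the first match wins.
    if failed["critical"] > 0:
        risk = "critical"
    elif failed["high"] > 2:
        risk = "high"
    elif failed["high"] >= 1 or failed["medium"] >= 5:
        risk = "medium"
    else:
        risk = "low"
    return {"score": round(score, 1), "risk": risk,
            "compliant": score >= threshold, "exempted": len(checks) - len(scored)}

# Constructed sample results for one agent (not real SlimRMM output).
SAMPLE = [
    {"name": "Firewall enabled", "severity": "critical", "passed": True},
    {"name": "Disk encryption", "severity": "critical", "passed": False,
     "exception": {"reason": "Lab VM, no persistent data", "expiry": date(2030, 1, 1)}},
    {"name": "Guest account disabled", "severity": "high", "passed": True},
    {"name": "SSH hardening", "severity": "high", "passed": False},
    {"name": "Password length", "severity": "medium", "passed": True},
    {"name": "Log retention", "severity": "low", "passed": False},
]

if __name__ == "__main__":
    print(evaluate(SAMPLE, today=date(2025, 1, 1)))
```

With the constructed sample, the agent scores 75.0 at medium risk while the exception is active and 52.9 at critical risk once it has expired. Score and risk level are independent signals: one failed critical check among twenty passed ones scores 95.2 and passes the default threshold, yet the risk level is still critical.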
API Endpoints
Policies
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/v1/compliance/policies | List all policies |
| POST | /api/v1/compliance/policies | Create a policy |
| GET | /api/v1/compliance/policies/{id} | Get policy details |
| PUT | /api/v1/compliance/policies/{id} | Update a policy |
| DELETE | /api/v1/compliance/policies/{id} | Delete a policy |
Checks
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/v1/compliance/checks | List all checks |
| POST | /api/v1/compliance/checks/seed | Import built-in CIS checks |
Results & Scores
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/v1/compliance/results/agent/{uuid} | Get agent check results |
| GET | /api/v1/compliance/score/agent/{uuid} | Get agent compliance score |
| GET | /api/v1/compliance/history/agent/{uuid} | Get agent score history |
Statistics
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/v1/compliance/stats | Overall compliance statistics |
| GET | /api/v1/compliance/trend | Compliance trend data |
| GET | /api/v1/compliance/stats/top-failing | Most common failing checks |
Dashboard
The compliance dashboard provides:
- Overview Stats: Total agents, compliant percentage, average score
- Risk Distribution: Chart showing agents by risk level
- Category Breakdown: Compliance by check category
- Top Failing Checks: Most common compliance issues
- Non-Compliant Agents: List of agents needing attention
- 30-Day Trend: Historical compliance scores
Agent View
Each agent's detail page includes a Compliance tab showing:
- Current compliance score
- Pass/fail status per check
- Remediation guidance for failed checks
- Score history graph
- Exception management
Remediation
SlimRMM provides detailed remediation guidance for each failed check, including:
- Description of the security issue
- Impact of the misconfiguration
- Steps to manually remediate
- Command (where applicable) for reference
No Auto-Remediation
SlimRMM intentionally does not automatically remediate compliance issues. All changes must be reviewed and applied by an administrator to prevent unintended system modifications.
Best Practices
- Start with Level 1: Begin with CIS Level 1 checks before advancing to Level 2
- Review Exceptions: Regularly review and expire outdated exceptions
- Monitor Trends: Use the 30-day trend to track improvement
- Prioritize Critical: Address critical and high-severity issues first
- Document Exceptions: Always provide clear reasons for exceptions