From cis-controls
Generates comprehensive evidence collection checklists for CIS Controls v8 safeguards, organized by Implementation Group (IG1, IG2, IG3) with automated and manual collection guidance.
npx claudepluginhub rifh2000/claude-grc-engineering. --plugin cis-controls# CIS Controls v8 Evidence Checklist Generates comprehensive evidence collection checklists for CIS Controls v8 safeguards, organized by Implementation Group (IG1, IG2, IG3) with automated and manual collection guidance. > **Never commit evidence artifacts to source control.** The outputs below include real usernames, credential reports, MFA device states, and privileged-account inventories. `.gitignore` covers `evidence/` by default so `git add -A` will not sweep it up, but durable storage is your responsibility. Use an encrypted, access-controlled evidence locker (encrypted S3 with leas...
/evidence-checklistGenerates evidence preparation checklists for compliance frameworks like NIST, FedRAMP, SOC2, ISO27001 based on controls and optional audit type.
/evidence-checklistGenerates StateRAMP evidence checklists for NIST 800-53 control families, supporting moderate/high baselines and markdown/JSON/CSV export.
/evidence-checklistGenerates evidence checklists for EU DORA articles or topics, tailored to financial entity types like credit institutions, exportable as markdown, JSON, or CSV.
/evidence-checklistGenerates evidence collection checklists for GLBA Safeguards Rule and Privacy Rule compliance by rule section, institution type (bank, broker, insurer), and export format (markdown, json, csv).
/evidence-checklistGenerates detailed SOC 2 evidence checklists for control IDs, categories, or security areas, including policies, procedures, and automated/manual collection guidance for Type 1/2 audits.
/evidence-checklistGenerates CMMC 2.0 evidence checklists for practices by ID or domain, organized by level (1-3) and maturity requirements with DoD contractor guidance. Supports --level and --export flags.
Generates comprehensive evidence collection checklists for CIS Controls v8 safeguards, organized by Implementation Group (IG1, IG2, IG3) with automated and manual collection guidance.
Never commit evidence artifacts to source control. The outputs below include real usernames, credential reports, MFA device states, and privileged-account inventories.
.gitignorecoversevidence/by default sogit add -Awill not sweep it up, but durable storage is your responsibility. Use an encrypted, access-controlled evidence locker (encrypted S3 with least-privilege IAM, a GRC platform, or a shared drive with full-disk encryption and MFA-gated access).
/cis-controls:evidence-checklist <safeguard-id> [--ig-level <1|2|3>] [--export <format>]
<safeguard-id>: CIS safeguard (e.g., "1.1", "5.2", "8.3") or domain (e.g., "Asset Management", "Access Control")--ig-level: Filter by Implementation Group (1, 2, or 3). Default: all applicable--export: Export format (json, csv, markdown). Default: markdown/cis-controls:evidence-checklist 5.1 --ig-level 1
Output:
CIS Controls v8 Evidence Checklist
Safeguard: 5.1 - Establish and Maintain an Inventory of Accounts
Implementation Group: IG1 (Basic Cyber Hygiene)
Asset Type: Users
Security Function: Identify
## Control Description
Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person's name, username, start date, and end date.
## Evidence Requirements
### Required Documentation
□ Account Management Policy
- Document account lifecycle procedures
- Include approval processes
- Define account types (standard, privileged, service, shared)
- Update frequency: Annually or when procedures change
- Approver: IT Director or CISO
□ Account Inventory Procedures
- Step-by-step account creation process
- Step-by-step account modification process
- Step-by-step account deletion process
- Include screenshots or workflow diagrams
### Automated Evidence Collection
✓ **Complete Account Inventory (Primary Evidence)**
```bash
# AWS IAM Users
aws iam list-users --output json > evidence/cis-5.1-iam-users-$(date +%Y%m%d).json
aws iam get-credential-report > evidence/cis-5.1-credential-report-$(date +%Y%m%d).csv
# Azure AD Users
az ad user list --output json > evidence/cis-5.1-azure-users-$(date +%Y%m%d).json
# Google Workspace Users
gcloud identity groups memberships list --group-email=all-users@company.com \
--format=json > evidence/cis-5.1-gcp-users-$(date +%Y%m%d).json
# Linux/Unix Systems (if applicable)
sudo cat /etc/passwd | awk -F: '{print $1,$3,$5}' > evidence/cis-5.1-local-accounts-$(date +%Y%m%d).txt
# Windows Active Directory (if applicable)
Get-ADUser -Filter * -Properties DisplayName,SamAccountName,Created,LastLogonDate,Enabled |
Export-Csv evidence/cis-5.1-ad-users-$(date +%Y%m%d).csv -NoTypeInformation
Collection Frequency: Monthly snapshot Retention: 12 months minimum
✓ Privileged Account Inventory
# AWS Admin Accounts
aws iam list-users | jq '.Users[] | select(.PermissionsBoundary != null or .Tags[]? | select(.Key == "PrivilegedAccess"))' \
> evidence/cis-5.1-privileged-aws-$(date +%Y%m%d).json
# Azure Privileged Accounts
az ad user list --filter "userType eq 'Admin'" --output json \
> evidence/cis-5.1-privileged-azure-$(date +%Y%m%d).json
# List of users with sudo access (Linux)
sudo grep -r "^[^#]" /etc/sudoers /etc/sudoers.d/ > evidence/cis-5.1-sudo-users-$(date +%Y%m%d).txt
Collection Frequency: Weekly snapshot Retention: 12 months minimum
✓ Service Account Inventory
# AWS Service Accounts (IAM roles)
aws iam list-roles --output json > evidence/cis-5.1-service-roles-$(date +%Y%m%d).json
# Azure Service Principals
az ad sp list --all --output json > evidence/cis-5.1-service-principals-$(date +%Y%m%d).json
# GCP Service Accounts
gcloud iam service-accounts list --format=json \
> evidence/cis-5.1-gcp-service-accounts-$(date +%Y%m%d).json
Collection Frequency: Monthly snapshot Retention: 12 months minimum
✓ Account Creation/Modification Logs
# AWS CloudTrail for IAM events
aws cloudtrail lookup-events \
--lookup-attributes AttributeKey=EventName,AttributeValue=CreateUser \
--start-time $(date -u -d '30 days ago' +%Y-%m-%dT%H:%M:%S) \
--output json > evidence/cis-5.1-account-creation-$(date +%Y%m%d).json
aws cloudtrail lookup-events \
--lookup-attributes AttributeKey=EventName,AttributeValue=DeleteUser \
--start-time $(date -u -d '30 days ago' +%Y-%m-%dT%H:%M:%S) \
--output json > evidence/cis-5.1-account-deletion-$(date +%Y%m%d).json
# Azure AD Audit Logs
az monitor activity-log list \
--caller 'Microsoft.Authorization' \
--start-time $(date -u -d '30 days ago' +%Y-%m-%dT%H:%M:%S) \
--output json > evidence/cis-5.1-azure-audit-$(date +%Y%m%d).json
Collection Frequency: Monthly Retention: 12 months minimum
□ Account Inventory Validation
□ Account Creation Approvals (Sample)
□ Account Termination Evidence (Sample)
□ Orphaned Account Review
✓ Account inventory exists and is documented ✓ Inventory includes at minimum:
✓ Automated inventory collection (not manual spreadsheets) ✓ Privileged accounts identified separately ✓ Service accounts tracked separately ✓ Account creation/deletion audit trail ✓ Quarterly validation of inventory completeness
✓ Real-time or weekly inventory updates ✓ Automated orphaned account detection ✓ Integration with HR system for terminations ✓ Automated alerting for policy violations ✓ Continuous monitoring dashboard
❌ No account inventory exists ❌ Inventory missing >25% of actual accounts ❌ No evidence of account deletion process ❌ Shared accounts not tracked or monitored
⚠️ Inventory incomplete (missing 10-25% of accounts) ⚠️ Manual inventory (spreadsheets) instead of automated ⚠️ Service accounts not inventoried separately ⚠️ Inventory not updated in >6 months
⚠️ Inventory missing optional fields (last login, department) ⚠️ Orphaned account review not documented ⚠️ Evidence retention <12 months
Immediate Actions (Week 1)
Short-term (Weeks 2-4)
Long-term (Months 2-3)
evidence/
└── cis-5.1-account-inventory/
├── 2025-01/
│ ├── automated/
│ │ ├── iam-users-20250115.json
│ │ ├── credential-report-20250115.csv
│ │ ├── privileged-accounts-20250115.json
│ │ └── cloudtrail-account-events-20250115.json
│ ├── manual/
│ │ ├── account-inventory-policy-v1.2.pdf
│ │ ├── account-procedures-2025.docx
│ │ ├── quarterly-validation-Q1-2025.pdf
│ │ └── approval-samples-Q1-2025/
│ │ ├── account-request-001.pdf
│ │ ├── account-request-002.pdf
│ │ └── ... (25 samples)
│ └── screenshots/
│ ├── aws-iam-console-20250115.png
│ └── access-analyzer-findings-20250115.png
└── README.md (evidence index)
#!/usr/bin/env python3
"""
CIS 5.1 Evidence Collection Automation
Collects account inventory evidence from AWS, Azure, GCP
"""
import boto3
import json
import subprocess
from datetime import datetime
import os
class CIS51EvidenceCollector:
def __init__(self, output_dir="evidence/cis-5.1"):
self.output_dir = output_dir
self.timestamp = datetime.now().strftime("%Y%m%d")
os.makedirs(f"{output_dir}/automated", exist_ok=True)
def collect_aws_accounts(self):
"""Collect AWS IAM user inventory"""
iam = boto3.client('iam')
# Get all users
users = iam.list_users()['Users']
output_file = f"{self.output_dir}/automated/aws-iam-users-{self.timestamp}.json"
with open(output_file, 'w') as f:
json.dump(users, f, indent=2, default=str)
print(f"✓ Collected {len(users)} AWS IAM users -> {output_file}")
# Get credential report
iam.generate_credential_report()
report = iam.get_credential_report()
report_file = f"{self.output_dir}/automated/aws-credential-report-{self.timestamp}.csv"
with open(report_file, 'wb') as f:
f.write(report['Content'])
print(f"✓ Generated AWS credential report -> {report_file}")
return len(users)
def collect_privileged_accounts(self):
"""Identify and collect privileged account inventory"""
iam = boto3.client('iam')
# Find users with admin policies
admin_users = []
for user in iam.list_users()['Users']:
username = user['UserName']
# Check attached policies
attached = iam.list_attached_user_policies(UserName=username)
for policy in attached['AttachedPolicies']:
if 'Admin' in policy['PolicyName']:
admin_users.append({
'username': username,
'policy': policy['PolicyName'],
'created': user['CreateDate']
})
output_file = f"{self.output_dir}/automated/privileged-accounts-{self.timestamp}.json"
with open(output_file, 'w') as f:
json.dump(admin_users, f, indent=2, default=str)
print(f"✓ Identified {len(admin_users)} privileged accounts -> {output_file}")
return len(admin_users)
def generate_evidence_report(self, total_users, privileged_count):
"""Generate summary evidence report"""
report = f"""
CIS Controls v8 - Safeguard 5.1 Evidence Report
Generated: {datetime.now().strftime("%Y-%m-%d %H:%M:%S")}
ACCOUNT INVENTORY SUMMARY
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Total Accounts: {total_users}
Privileged Accounts: {privileged_count} ({privileged_count/total_users*100:.1f}%)
Service Accounts: (manual review required)
EVIDENCE COLLECTED
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✓ Complete IAM user inventory
✓ Credential report with last login dates
✓ Privileged account identification
✓ CloudTrail account creation/deletion logs
COMPLIANCE STATUS: ✓ COMPLIANT (IG1)
NEXT ACTIONS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
□ Quarterly validation review (next due: {(datetime.now().replace(month=datetime.now().month+3)).strftime("%Y-%m-%d")})
□ Collect approval samples (25 accounts)
□ Review orphaned accounts (>90 days inactive)
□ Update account management policy (annual)
Evidence stored in: {self.output_dir}/
"""
report_file = f"{self.output_dir}/evidence-report-{self.timestamp}.txt"
with open(report_file, 'w') as f:
f.write(report)
print(f"\n{report}")
print(f"Full report: {report_file}")
if __name__ == "__main__":
collector = CIS51EvidenceCollector()
print("CIS 5.1 Evidence Collection Starting...")
print("=" * 50)
total = collector.collect_aws_accounts()
privileged = collector.collect_privileged_accounts()
collector.generate_evidence_report(total, privileged)
print("\n✓ Evidence collection complete!")
| Evidence Type | Collection Method | Frequency | Retention |
|---|---|---|---|
| Account inventory | Automated (AWS CLI) | Monthly | 12 months |
| Privileged accounts | Automated (AWS CLI) | Weekly | 12 months |
| Service accounts | Automated (AWS CLI) | Monthly | 12 months |
| Account creation logs | CloudTrail | Monthly | 12 months |
| Account approvals (sample) | Manual (tickets) | Quarterly | 12 months |
| Termination evidence (sample) | Manual (HR + logs) | Quarterly | 12 months |
| Inventory validation | Manual (review) | Quarterly | 12 months |
| Policy documentation | Manual (document) | Annual | 3 years |
Implementation Priority: 🔴 CRITICAL (IG1 Requirement) Typical Assessment Weight: HIGH (Foundational control) Estimated Implementation Time: 2-6 weeks (depending on IG level)