Installation and Upgrade - Linux

---

Introduction

Learn how to install, upgrade, and uninstall the CIS SecureSuite Platform on Linux operating systems.

This guide covers:

• Minimum requirements
• Before you start
• Installing the CIS SecureSuite Platform
• Uninstalling the CIS SecureSuite Platform
• HTTPS certificate trust
• Additional resources

Minimum Requirements

Verify that your system meets the following minimum requirements for running the CIS SecureSuite Platform.

Server

• Ubuntu 22.04 or 24.04
• 64 bit
• 8 GB RAM
• 2 vCPUs, 4 cores each
• Minimum 40 GB total free disk space allocated to the main OS drive (usually root partition or /):
  • Minimum 32 GB for the OS
  • 2 GB for the CIS SecureSuite Platform
  • 6 GB buffer for a small volume of configuration assessment results
  • Additional disk space on top of the 40 GB will be required depending on your organization's configuration assessment volume. One assessment is about 12 MB, 1,000 assessments about 12 GB, and 10,000 assessments about 120 GB.

Note

For optimal performance, we recommend retaining up to 10,000 assessments. CIS SecureSuite Platform System Admins can set file limits for the directory that holds assessments and schedule bulk deletion of assessments.

Traffic and Ports

• Port 3306 available for MariaDB
• Port 8081 available for Keycloak
• Port 80 available for Apache
• Traffic allowed on port 443
  • If installed on AWS, AWS security group must allow traffic on port 443.
  • As needed, add an inbound rule in Windows Firewall.
• For the application to access the SMTP server for emails, port 25 (default), 465, or 587 (depending on your email configuration) needs to be included as an outbound rule.

Info

The installer will verify that the required ports are available.

Browser

The CIS SecureSuite Platform officially supports Google Chrome only. Other browsers may work with the application but could produce unexpected behavior.

Cloud Installations

• Use a static public IP so that the public IP does not change if the instance shuts down.
• Ensure security groups or firewalls are properly configured to allow connectivity from external remote systems and within the instance.
• If using an AWS EC2 instance, enable Instance metadata service. IMDSv2 can be either Optional or Required.

Java Runtime Environment (JRE)

The installer establishes Java environment variables specifically for use with the CIS SecureSuite Platform. To run the CIS SecureSuite Platform, no other application requiring a JRE can exist on the CIS SecureSuite Platform host server.

Internet Connection

Your system must be connected to the internet for the installation to run successfully.

Before you Start

Download the following before installing the CIS SecureSuite Platform:

• CIS SecureSuite Platform Installer
• SecureSuite License

CIS SecureSuite Platform Installer

The CIS SecureSuite Platform Installer guides you through the installation process and ensures setup is completed correctly.

Download the CIS SecureSuite Platform Installer

1. In WorkBench, go to Downloads.
2. Select Download CIS SecureSuite Platform.
3. Select the Linux bundle and then Download Selection.
4. Choose a directory to download the installer bundle.

SecureSuite License

SecureSuite licenses grant you full access to the CIS SecureSuite Platform's features and content. If a valid license is not in the location you designate during installation, the CIS SecureSuite Platform provides limited functionality.

Download SecureSuite License

1. In WorkBench, go to Downloads.
2. Select Download License.

3. Select Download.

Download Issues?

If the file is not downloading, verify that JavaScript is enabled on your browser.

4. Extract the contents from the downloaded ZIP.

For the installation and use of the CIS SecureSuite Platform, you will only need the license.xml file from the extracted contents.

5. Move the license.xml file to a stable directory.

Info

During the installation of the CIS SecureSuite Platform, you will identify the directory above as the location where the application will look for your license. To change the license directory after installation, run the installer again and select the new directory on the Select License Directory screen.

Renewal

Your license expires when your SecureSuite membership expires. Upon renewing your membership, a new license file bundle will be available on WorkBench. Download your new license and move the license file to the folder you designated during installation.

Limited Functionality

Without a valid license in the folder you designated during installation, the CIS SecureSuite Platform restricts the following functionality:

• Remote configuration assessments cannot be performed
• New Controls assessments cannot be created or imported

---

Install the CIS SecureSuite Platform

The CIS SecureSuite Platform Installer will help set up the application, database, and services for you.

Required Task and Services

The installation process will create three services (MariaDB, SecureSuite_Windows, and Apache_HTTPD) and a task (Keycloak). All must be running to support the application. Do not disable any of these tasks and services.

Start Installation

1. Open Terminal and go to the directory where you extracted the Linux installer.
2. Make the script executable with the following command:

chmod +x SecureSuite_unix_Installer.sh

3. Run SecureSuite_unix_Installer.sh with the following command:

sudo ./SecureSuite_unix_Installer.sh -c

4. When prompted, enter o to start the installation.

Installation Errors

If you encounter installation errors, do not close the installer before getting the logs.

Select Destination Directory

Define the directory where the CIS SecureSuite Platform application, MariaDB, and Java will be installed. Ensure you have allocated enough memory to this directory.

• Enter the path to the directory where the CIS SecureSuite Platform will be installed (e.g., /usr/local/SecureSuite).

Select License Directory

Define where your organization keeps its SecureSuite license. The CIS SecureSuite Platform validates your license at the beginning of each command execution performed.

• Enter the full path to your organization's license.xml file (e.g., /usr/local/license.xml).

Note

Ensure you load a valid license file. The field only accepts XML files.

Configure HTTPS

Encrypting data in transit is vital for safeguarding your private and sensitive information. Choose and configure one of the two Transport Layer Security (TLS) options to safeguard your data.

1. Consider the following requirements and details for SSL certificates before choosing a TLS option:

• Self-signed certificate

  • Requires port 443 availability
  • Installer creates the self-signed certificate for you
  • Valid for 90 days from creation
    • Google Chrome warns of expiration
    • Update certificate by running the installer and going to the HTTPS Configuration page.
  • The certificate can be found here: /destination-directory/SecureSuite/.certificates
  • Trust the certificate utilizing the command line during/post installation or via Google Chrome post installation
  • In Google Chrome, specify the list of names covered by the SSL certificate in the Subject Alternative Name (SAN)

• Organization/CA certificate

  • Requires port 443 availability
  • Obtain your organization's certificate from your Certificate Authority (CA)
  • Create a keystore file P12 (PKCS 12) format. Only this format is supported.
    • A new keystore is recommended. The CSR must come from the keystore planned for use
    • Use your tool of choice. Some Members have found this digicert knowledge base article helpful.

2. Enter n to configure HTTPS with a new self-signed certificate or e to configure HTTPS with an existing certificate.
3. Complete the fields according to the TLS option selected:

• HTTPS with a new self-signed certificate
  • Description: Enter a descriptive, user-friendly name for the self-signed certificate file. Consider including the expiry date as a reminder.
  • Password: Enter a keystore password for access to the certificate.
  • Confirm Password: Enter the password again.

Password Requirements

• Minimum 14 characters
• Does not start with a special character
• At least 1 lowercase letter
• At least 1 uppercase letter
• At least 1 number
• At least 1 of these special characters: !#$%^

• HTTPS with an existing certificate
  • Certificate: Enter the path to the certificate (e.g., /usr/local/cert.p12)
  • Password: Enter the keystore password exactly as it is in the CSR and keystore.
  • Confirm Password: Enter the password again.

Warning

If the password does not match what is in the CSR and keystore, the CIS SecureSuite Platform will be inaccessible. If the password does not match what is in the CSR and keystore, the CIS SecureSuite Platform will be inaccessible.

The installer will take a moment to configure various services.

Set Up Database Admin

Set up the native admin account for your MariaDB server.

1. Enter a password.

Password Requirements

• Minimum 14 characters
• Does not start with a special character
• At least 1 lowercase letter
• At least 1 uppercase letter
• At least 1 number
• At least 1 of these special characters: !#$%^

2. Enter the password again.

Info

For those backing up their CIS SecureSuite Platform database, store the password in a discoverable but secure place. root is the username of the account.

Set Up CIS SecureSuite Platform Admin

Set up an admin account for the CIS SecureSuite Platform.

1. Configure the the CIS SecureSuite Platform admin user as follows:

• First Name: Enter the first name of the admin.
• Last Name: Enter the last name of the admin.
• Email: Enter the professional email of the admin.
• Password: Enter a password for the admin account.
• Confirm Password: Re-enter the password.

Password Requirements

• Minimum 14 characters
• Does not start with a special character
• At least 1 lowercase letter
• At least 1 uppercase letter
• At least 1 number
• At least 1 of these special characters: !#$%^

Note

Store the password in a discoverable but secure place. You will need it to log in to the CIS SecureSuite Platform. admin is the username of the account.

Protect the admin password as the account has full administrative access to the CIS SecureSuite Platform.

Set up Identity Access Management Vault

Set up the module that manages user identity and access.

1. Enter a password.

Password requirements

• Minimum 14 characters
• Does not start with a special character
• At least 1 lowercase letter
• At least 1 uppercase letter
• At least 1 number
• At least 1 of these special characters: !#$%^

2. Enter the password again.

Set Up Identity Access Management

Create a Keycloak admin account for IAM. Keycloak supports all of the CIS SecureSuite Platform's user authentication, handling single sign-on (SSO), multi-factor authentication (MFA), and Lightweight Directory Access Protocol (LDAP).

1. Enter a password.

Password requirements

• Minimum 14 characters
• Does not start with a special character
• At least 1 lowercase letter
• At least 1 uppercase letter
• At least 1 number
• At least 1 of these special characters: !#$%^

2. Enter the password again.

Note

Store the password in a discoverable but secure place.

The installer will finalize the configuration:

Complete Installation

After the installer finalizes the configuration, you should see a message that the CIS SecureSuite Platform has successfully installed.

Going forward, whenever you or other users in your organization need to use the CIS SecureSuite Platform, open Google Chrome and go to your CIS SecureSuite Platform URL (e.g., https://123.456.78.901/SecureSuite/). Be aware that the application URL must have "SecureSuite" capitalized as shown in the example; otherwise, you'll encounter an error.

"Your connection isn't private" Warning

If you are using a self-signed certificate that has not been added to the trust store, you will see a warning that the connection is not secure whenever you open the CIS SecureSuite Platform.

Select Advanced and then Continue to ... to log in to the CIS SecureSuite Platform.



To learn more about certificates and remove the warning, refer to HTTPS Certificate Trust.

Guidance on logging in to the CIS SecureSuite Platform

Refer to the Login section of the Get Started guide for instructions on how to log in to the CIS SecureSuite Platform.

Review Installation

After the installation is complete, the following folders should be in your destination directory.

Warning

CIS does not support any modifications to the installation made without the installer. If you do so, we cannot guarantee the CIS SecureSuite Platform will work.

Folder	Description
securesuite_imports	Contains configuration assessment results only in ARF XML format produced by CIS-CAT Pro Assessor. Reports failing to import will move to the error folder, while successfully imported reports will move to the processed folder. It is possible to manually place reports in the input folder for CIS SecureSuite Platform import.
certificate	By default, contains only self-signed certificates user-selected/created to support HTTPS during installation. You may optionally store an organizational certificate here, but it is not required. If, during upgrades, members modify communication protocols, folder contents will not be cleared.
conf*	Contains the configuration file that supports CIS SecureSuite Platform functionality. Modifications to this file are supported only if done through the installer. Users other than root are prevented from viewing this file.
content	Contains the supported CIS Benchmark content for the CIS SecureSuite Platform. The Benchmarks provided will be the latest supported content at the time of the most recent CIS SecureSuite Platform version release. On upgrade, new content will be added to this folder. Old Benchmarks must be removed manually. The CIS SecureSuite Platform officially supports CIS Benchmark automated assessment content delivered with the application in datastream format.
logs	Contains CIS-CAT Pro Assessor and CIS SecureSuite Platform logs. For troubleshooting purposes, CIS Product Support may ask for these files.

*The conf folder contains the securesuite-config.yml file that contains information to support the operation of the CIS SecureSuite Platform. The installation process limits read/write privileges to only root. Users who are not a member of the authenticated group do not have privileges to view or write to the file.

---

Upgrade the CIS SecureSuite Platform

CIS will regularly release new versions of the CIS SecureSuite Platform with additional features, functionality, and changes.

1. Download the latest version of the CIS SecureSuite Platform from WorkBench.
2. Run SecureSuite_unix_Installer.sh with the following command:

sudo ./SecureSuite_unix_Installer.sh -c

3. Enter o to start the upgrade process.

Back up the CIS SecureSuite Platform Database

Refer to Back Up and Restore Database with Mariabackup for guidance on taking a backup of your CIS SecureSuite Platform data.

4. If desired, enter the path to a different license file. If not, select the Enter key.
5. Generate a new self-signed certificate or update your SSL certificate.
6. Enter y if you want to back up the existing SecureSuite.war file or n if you do not.

What is the SecureSuite.war file?

The file holds everything needed to run your application, including compiled Java code, embedded Tomcat, web pages, stylesheets, and configurations. Taking a backup of the file is helpful if you need to revert to a previous version of the CIS SecureSuite Platform due to potential update errors.

The upgrade will start automatically. A success message should show after the upgrade has finished.

---

Uninstall the CIS SecureSuite Platform

• To uninstall completed installations of the CIS SecureSuite Platform, follow the Uninstall with the CIS SecureSuite Platform Uninstaller procedure.
• To uninstall SecureSuite installations that were cancelled midway, follow the Uninstall Manually procedure.

Uninstall with the CIS SecureSuite Platform Uninstaller

Completed installations of the CIS SecureSuite Platform should use the CIS SecureSuite Platform Uninstaller. Uninstalling will delete all data and services supporting the CIS SecureSuite Platform.

1. Open Terminal.
2. Go to the directory where you installed the CIS SecureSuite Platform:

cd /usr/local/SecureSuite

3. Run SecureSuite_Uninstaller with the following command:

sudo ./SecureSuite_Uninstaller -c

Warning

Be careful before running the uninstaller. If executed, the uninstaller will remove the CIS SecureSuite Platform and delete its database without additional confirmation.

4. Select the Enter key.

The uninstallation will run:

5. Restart your system to complete the uninstallation.

Note

Restarting your system is a must. If you do not, you may encounter issues reinstalling the application.

Uninstall Manually

If you cancelled the installation, you may need to manually uninstall the services, environment variables, or files related to the CIS SecureSuite Platform.

1. Stop and delete services.
2. Delete SecureSuite files.

Note

Please follow the steps in order. All services should be stopped and deleted before deleting the SecureSuite folder.

Stop and Delete Services

1. Verify which services are running.

systemctl is-active --quiet securesuite && echo "SecureSuite is running" 
systemctl is-active --quiet mariadb && echo "MariaDB is running" 
systemctl is-active --quiet apache2 && echo "Apache_HTTPD is running"
systemctl is-active --quiet keycloak && echo "Keycloak is running"

2. Stop the services that are running.

sudo systemctl stop securesuite
sudo systemctl stop mariadb
sudo systemctl stop apache2
sudo systemctl stop keycloak

3. Delete the services that were running.

sudo rm -f /etc/systemd/system/securesuite.service
sudo rm -f /etc/systemd/system/mariadb.service
sudo rm -f /etc/systemd/system/apache2.service
sudo rm -f /etc/systemd/system/keycloak

Delete SecureSuite Folder

1. Go to your destination directory:

cd /usr/local

2. Delete the SecureSuite folder:

sudo rm -r SecureSuite

3. Restart your system.

Note

Restarting your system is a must. If you do not, you may encounter issues reinstalling the application.

HTTPS Certificate Trust

Self-signed certificates that are not in the system's trust store will produce a trust warning within the browser.

Some organizations' security policies do not permit self-signed certificates. These organizations must utilize a certificate trusted by a public or private certificate authority (CA). While both self-signed and organizational certificates assist in protecting incoming assessment data, each organization must use its own discretion to decide whether the browser warnings are acceptable.

Certificates Validated by CA

Using a certificate issued by a public or private CA allows you to associate a different fully qualified domain name (FQDN) of your choosing that would be accessible to others.

Organizations should publish a DNS record that matches the subject alternative name (common name attribute is deprecated), which will be the FQDN. The DNS name is selected by the organization.

It’s possible to use an IP address to the subject alternative name; however, if the IP changes, a new certificate would need to be generated. It's also possible to utilize the IP of the host server, but utilizing an organizational certificate is a good approach to avoid exposing the IP of the host server.

Using a certificate is best practice as it ensures you are accessing the correct page and prevents “man in the middle” and cache poisoning attempts.

It is an organization’s preference whether to purchase a certificate from a public CA such as digicert. Most organizations have access to a public CA when they have a website. Certificates allow the organization’s website to be automatically trusted by various browsers.

Organizations may also choose to maintain a private CA. This certificate will be validated over a corporate/VPN internal network. This is a good approach for an internal application that an organization wants to trust. If this approach is pursued, the certificate still must be added to the trust store/keychain.

When testing access to a web server, it’s helpful to use the FQDN from the host to ensure it is working. Try pinging the site and flushing the DNS after any changes.

For example, a server can have the hostname web on the domain acme.org and there is an A record for web.acme.org with the IP address 1.2.3.4. You can create a CNAME DNS record that uses web.acme.org and set an alias to something else like website.acme.com and the cert is valid as long as it matches up with website.acme.com.

Add Certificate to Trust Store

To fully trust self-signed certificates and avoid browser warnings, each system that will access the CIS SecureSuite Platform instance must have the certificate added to its trust store.

Note

root is the minimum group membership required to complete this procedure. If you are not the administrator of your computer, contact your system administrator.

Additional Resources

For assistance resolving issues with the installer, refer to Resolve Installation Errors.