To secure your infrastructure assets with Automation for Secure Hosts Compliance, you must start by defining policies.

Automation for Secure Hosts Compliance provides different industry benchmarks to choose from including checks for Center for Internet Security (CIS) and more. Each benchmark includes a collection of security checks. You can choose to apply all available checks for a given benchmark, or use only a subset of available checks. Using a subset of checks is useful for customizing Automation for Secure Hosts Compliance for your unique infrastructure needs, for example if remediating a given check poses the risk of breaking a known dependency.

When creating your policy, you must select a target to apply the policy to, along with which benchmarks and checks to run against your system.

To connect to the SDK directly, see Automation for Secure Hosts.

Target

A target is the group of minions, across one or many Salt masters, that a job’s Salt command applies to. A Salt master is managed similarly to a minion and can be a target if it is running the minion service. When creating a policy and selecting a target, you are defining the nodes that the security checks are run against. You can choose an existing target or create a new one.

Benchmarks

Automation for Secure Hosts Compliance simplifies the process of defining your security policy by grouping security checks by benchmark.

Benchmarks are categories of security checks. Automation for Secure Hosts Compliance benchmarks are defined by widely accepted experts, while custom benchmarks are defined by your own organization’s standards. You can use benchmarks to help create a range of different policies optimized for different groups of nodes. For example, you might create an Oracle Linux policy that applies CIS checks to your Oracle Linux minions, and a Windows policy that applies CIS checks to your Windows minions. For more information on creating custom content, see Creating custom compliance components.

Note: Specifically for Windows Server benchmarks, the CIS content for certain benchmarks (indicated with a tooltip) is distributed across three different benchmarks:
  • Domain master content
  • Member content
  • Domain master and member content
If you want to include all Member content, you must select both the Member benchmarks and the Domain master and member benchmarks.

Checks

A check is a security standard that Automation for Secure Hosts Compliance assesses for compliance. The Automation for Secure Hosts Compliance library updates checks frequently as security standards change. In addition to the checks included in the Automation for Secure Hosts Compliance content library, you can create your own custom checks. Custom checks are indicated by a user icon, instead of the shield icon used for built-in checks. For more information on creating custom content, see Creating custom compliance components. Each check includes the following information fields.
Description: Description of the check.
Action: Description of the action that is performed during remediation.
Break: Used for internal testing only. For more information, contact your administrator.
Global Description: Detailed description of the check.
Osfinger: List of osfinger values that the check is implemented for. Osfinger is one of the grains collected for each minion; it identifies the minion's operating system and major release version. Grains are collected for the operating system, domain name, IP address, kernel, OS type, memory, and other system properties.
Profile: List of configuration profiles for different benchmarks.
Rationale: Description of the rationale for implementing the check.
Refs: Compliance cross-references between benchmarks.
Remediate: Value that indicates whether Automation for Secure Hosts Compliance is capable of remediating noncompliant nodes, as not all checks include specific, actionable remediation steps.
Remediation: Description of how any noncompliant systems are remediated, if applicable.
Scored: CIS benchmark Scored value. Scored recommendations affect the target's benchmark score, while recommendations that are not scored do not. True indicates scored and false indicates not scored.
State file: Copy of the Salt state that is applied to perform the check and, if applicable, the subsequent remediation.
Variables: Variables in Automation for Secure Hosts Compliance used to pass values into the Salt states that make up security checks. For best results, use the default values. For more information, see How do I use Salt States.
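The Osfinger, Variables and State file fields describe how a check is implemented. The following Salt state is a constructed illustration added here; it is not content from the Secure Hosts library. It shows how those fields fit together in one check: the Jinja block limits the state to the osfinger values the check supports, a variable is read from pillar with a default (how the library actually injects its variables is an assumption here), and the state both tests and remediates the setting. The state id, the osfinger values, the file path and the pillar key are all constructed.

```yaml
# Constructed example check; not content from the Secure Hosts library.
# Assumption: the check's variable is exposed to the state as pillar key
# 'secure_hosts:pwquality_minlen', defaulting to 14 when it is not set.
{% set minlen = salt['pillar.get']('secure_hosts:pwquality_minlen', 14) %}

# Only run on operating systems the check is implemented for (Osfinger field).
# These osfinger values are constructed; real content lists the supported ones.
{% set supported = ['Ubuntu-22.04', 'Oracle Linux Server-9'] %}

{% if grains['osfinger'] in supported %}
# Remediation: ensure pwquality.conf sets minlen to the variable's value.
# Run with test=True the state only reports whether the file would change,
# which is how an assessment can report compliance without remediating.
example_cis_password_minlen:
  file.replace:
    - name: /etc/security/pwquality.conf
    - pattern: '^#?\s*minlen\s*=.*$'
    - repl: 'minlen = {{ minlen }}'
    - append_if_not_found: True
{% else %}
# Not applicable on this osfinger: return a no-op result so the check
# is reported as not applicable rather than as a failure.
example_cis_password_minlen_not_applicable:
  test.succeed_without_changes:
    - name: 'Check not implemented for {{ grains["osfinger"] }}'
{% endif %}
```

Keeping the osfinger gate in the state itself, rather than only in the policy target, means a minion that is later added to the target but runs an unsupported release produces an explicit not-applicable result instead of a misleading remediation attempt.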
Schedules

Select the schedule frequency from Recurring, Repeat Date & Time, Once, or Cron Expression. Additional options are available, depending on the scheduled activity and on the schedule frequency you choose.
  • Recurring - set an interval for repeating the schedule, with optional fields for start or end date, splay, and maximum number of parallel jobs.
  • Repeat Date & Time - repeat the schedule weekly or daily, with optional fields for start or end date, and maximum number of parallel jobs.
  • Once - set a date and time to run the job once.
  • Cron - enter a cron expression to define a custom schedule based on Croniter syntax. See the CronTab Editor for syntax guidelines. Avoid scheduling jobs fewer than 60 seconds apart when defining a custom cron expression.
Note: In the schedule editor, the terms “Job” and “Assessment” are used interchangeably. When you define a schedule for the policy, you are scheduling the assessment only, not the remediation.
Note: When defining an assessment schedule, you can choose the Not Scheduled (on demand) option. If you select this option, you choose to run a one-time assessment, and no schedule is defined.
Note: You can exempt checks and minions from remediation by clicking Add Exemption, entering the reason for the exemption, and clicking Add Exemption again to confirm. Remediation is skipped for exempted items.

Procedure

  1. On the Automation for Secure Hosts Compliance home page, click Create Policy.
  2. Enter the policy name and select a target to apply the policy to. Click Next.
  3. On the Benchmarks tab, select all benchmarks you want to include in the policy and then click Next.
    Note: If no benchmarks are available, you might need to download compliance content. You can update and download content to the security library by clicking Administration > Secure Hosts on the side menu, and then selecting Compliance Content - Secure Hosts > Check for updates.
  4. On the Checks tab, select all checks that you would like to include in the policy. The available checks are determined by the benchmarks you selected in step 3. Click Next.
  5. On the Variables tab, enter or modify variables as needed. You can also choose to accept the default values (recommended). Click Next.
  6. On the schedule page, define the schedule frequency and click Save.
  7. (Optional) To run an assessment immediately after saving your policy, select Run assessment on save.
  8. Click Save.
    The policy is saved. If you selected Run assessment on save, the assessment runs immediately after saving.

Results

The compliance policy is saved and used to run an assessment. You can edit the policy by selecting the policy from the home page, and clicking Edit Policy.