CLT reports vulnerabilities when run against CIS 5.x

CLT was designed to test CIS 3.x, not CIS 5.x with its integrated sandbox.

It can be run against CIS 5.x, but it needs to be run extremely carefully, and it may not give reliable results when run with the sandbox enabled. If you have not run it very carefully, following the guidelines below, it is likely to suggest vulnerabilities when none exist.

To use CLT to test CIS 5:

1. With the sandbox off - follow the guideline in this post exactly.

2. With the sandbox on - follow the guideline in the same post exactly, except please leave the sandbox switched on. When running CLT, click the ‘Sandbox’ button on the unlimited access alert, and interpret results very carefully. For example, if a test tries to contact a web server, check whether a web page is actually displayed. (The sandbox should allow the browser to be invoked but prevent it accessing the internet.)