This script shows some basic recommendations that should be applied on Gaia OS to comply with CIS benchmarks.
https://www.cisecurity.org/cis-benchmarks
Lab output:
[Expert@LIN_FW_01:0]# ./gaia_cis.sh
=== GAiA CIS-style Recommendations Audit ===
Host: LIN_FW_01
Time: Wed Jan 21 12:18:55 EST 2026
Mode: READ-ONLY
Version (top lines):
Product version Check Point Gaia R81.20
OS build 791
OS kernel version 3.10.0-1160.15.2cpx86_64
OS edition 64-bit
[FAIL] 1.1 Min password length
Current: 6
Recommended: >= 14
Fix (clish): set password-controls min-password-length 14
[PASS] 1.2 Disallow palindromes
Current: on
Recommended: on
Fix (clish): set password-controls palindrome-check on
[FAIL] 1.3 Password complexity
Current: 2
Recommended: >= 3
Fix (clish): set password-controls complexity 3
[FAIL] 1.4 Password history
Current: on, length=10
Recommended: on, length>= 12
Fix (clish): set password-controls history-check on; set password-controls history-length 12
./gaia_cis.sh: line 166: [[: 0329: value too great for base (error token is "0329")
[FAIL] 1.5 Password expiration (days)
Current: 0329
Recommended: <= 90
Fix (clish): set password-controls expiration-days 90
./gaia_cis.sh: line 175: [[: 0329: value too great for base (error token is "0329")
[FAIL] 1.6 Warn before expiration (days)
Current: 0329
Recommended: <= 7
Fix (clish): set password-controls warn-days 7
./gaia_cis.sh: line 184: [[: 0329: value too great for base (error token is "0329")
[FAIL] 1.7 Lockout after expiration (days)
Current: 0329
Recommended: <= 1
Fix (clish): set password-controls lockout-days 1
./gaia_cis.sh: line 199: [[: 0329: value too great for base (error token is "0329")
[FAIL] 1.8/1.9 Lock unused accounts
Current: on, days=0329
Recommended: on, days<= 30
Fix (clish): set password-controls deny-inactive-accounts on; set password-controls inactive-lockout-days 30
./gaia_cis.sh: line 227: [[: 0329: value too great for base (error token is "0329")
./gaia_cis.sh: line 228: [[: 0329: value too great for base (error token is "0329")
[PASS] 1.11-1.13 Failed login lockout
Current: on, max=0329, unlock=0329s
Recommended: on, max<= 5, unlock>= 300s
Fix (clish): set password-controls deny-after-failed-login on; set password-controls max-failed-login-attempts 5; set password-controls allow-access-again-after 300
[FAIL] 2.5.1 Clish inactivity timeout
Current: 120 min
Recommended: <= 10 min
Fix (clish): set inactivity-timeout 10
[FAIL] 2.5.2 WebUI session timeout
Current: 120 min
Recommended: <= 10 min
Fix (clish): set web session-timeout 10
[PASS] 2.1.9 Telnet disabled
Current: telnet off
Recommended: telnet off
Fix (clish): set net-access telnet off
[FAIL] 2.3.1 NTP enabled + 2 servers
Current: UNKNOWN, servers=2
Recommended: on + >=2 servers
Fix (clish): set ntp active on; set ntp server primary <IP/FQDN>; set ntp server secondary <IP/FQDN>
[PASS] 2.2.1 SNMP agent disabled
Current: off
Recommended: off (or v3-only if required)
Fix (clish): set snmp agent off
[PASS] 2.1.7 IPv6 not active (no addrs)
Current: No IPv6 addresses
Recommended: Disable IPv6 if unused
Fix (clish): If needed: disable IPv6 in Gaia Portal (requires reboot); otherwise OK
[PASS] 2.1.2 MOTD present
Current: present
Recommended: present
Fix (clish): Edit /etc/motd with approved banner text
[MANUAL] 2.1.4 Configuration saved
Current: CLINFR0329 Invalid command:'show-config state'.
Recommended: saved
Fix (clish): save config
=== Done ===
Tip: run with --apply to enforce the clish remediations (be careful).
[Expert@LIN_FW_01:0]#
Best,
Andy
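The repeated "value too great for base (error token is "0329")" errors in the lab output, and the matching "Current: 0329" lines, point at a parsing weakness worth closing in any audit script of this kind: the value scraped from clish is the trailing digits of a CLINFR0329 error (the same code appears verbatim under item 2.1.4), and bash's `[[ ... -le ... ]]` arithmetic then reads the leading zero as an octal literal and aborts the comparison. The side effect is a silently wrong verdict, such as the PASS reported for 1.11-1.13 with max=0329. The following is an added example, not Andy's gaia_cis.sh, showing how a check can refuse CLINFR error lines, validate that a value is a decimal integer, and compare in base 10. The three sample clish lines are constructed for the demo (the real `show password-controls` output format may differ); the CLINFR0329 line is copied from the lab output above.

```shell
#!/bin/sh
# Added example (not part of gaia_cis.sh): hardened numeric checks for values
# scraped from Gaia clish output. Sample lines below are constructed.

# Take the last whitespace-separated field of a clish output line as the value.
# A CLINFR error line (e.g. "CLINFR0329 Invalid command: ...") or an empty line
# yields UNKNOWN, so a stray "0329" from an error code never reaches the
# numeric comparison.
clish_value() {
    case "$1" in
        CLINFR*|'') echo "UNKNOWN" ;;
        *) printf '%s\n' "$1" | awk '{print $NF}' ;;
    esac
}

# Compare value against threshold using a POSIX test operator (-le, -ge, -eq).
# Prints PASS, FAIL or MANUAL (value is not a decimal integer) and always
# returns 0, so callers running under `set -e` are not aborted by a failed check.
check_numeric() {
    value=$1; op=$2; threshold=$3
    case "$value" in
        ''|*[!0-9]*) echo "MANUAL"; return 0 ;;
    esac
    # Strip leading zeros so "0329" is compared as decimal 329, never as octal.
    value=$(printf '%s' "$value" | sed 's/^0*//')
    value=${value:-0}
    if [ "$value" "$op" "$threshold" ]; then echo "PASS"; else echo "FAIL"; fi
}

# Audit one item and print it in the same style as the lab output above.
# The remediation command is only displayed, never executed (read-only mode).
audit_item() {
    id=$1; title=$2; line=$3; op=$4; threshold=$5; fix=$6
    cur=$(clish_value "$line")
    status=$(check_numeric "$cur" "$op" "$threshold")
    echo "[$status] $id $title"
    echo "  Current: $cur"
    echo "  Recommended: $op $threshold"
    echo "  Fix (clish): $fix"
}

# Constructed sample clish output lines for the demo.
LINE_MINLEN="Minimum password length 6"
LINE_EXPIRY="Password expiration days 0090"
LINE_ERROR="CLINFR0329 Invalid command:'show-config state'."

demo() {
    audit_item 1.1 "Min password length" "$LINE_MINLEN" -ge 14 \
        "set password-controls min-password-length 14"
    audit_item 1.5 "Password expiration (days)" "$LINE_EXPIRY" -le 90 \
        "set password-controls expiration-days 90"
    # An error line is reported as MANUAL instead of a bogus PASS/FAIL.
    audit_item 1.5 "Password expiration (days)" "$LINE_ERROR" -le 90 \
        "set password-controls expiration-days 90"
}

demo
```

Running the block prints a FAIL for 1.1, a PASS for the zero-padded "0090", and a MANUAL verdict for the CLINFR line. The MANUAL outcome is the important one for an auditor: an item whose clish command did not run should surface as "needs a human", not as a pass.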