is this actually checking that the cis vulnerabilities were addressed?
It will check only if the specific vulnerabilities asked to be fixed in the report were addressed (i.e authorization-mode not set to AlwaysAllow)
ok thanks. I was verifying other questions were answered correctly, and had not touched this question. so I was surprised that it showed as passing.