Can CIS Build Kits (previously Remediation kits) be edited?


Product Name

CIS Build Kits

Product Version

All

Date

Jan 11, 2021



Problem

We would like to modify the CIS build kits to exclude certain Recommendations, can we?

Solution

Yes and No.
No: The Windows build kits themselves cannot be edited before unzipping. The build kits are a full remediation of a specific Benchmark and profile. You can choose which profiles and Profile Levels you would like to apply, however, you will apply the full level at once, then go back into the system and modify policies to suite the needs of your Organization. If this is a standalone device there will not be an Active Directory to put these GPOs into.

Yes: IF you are deploying to a domain-joined enterprise systems you will be importing the GPOs contained in the Build Kit into your group policy of your domain controller For domain joined systems: “Once imported, edit the GPOs accordingly before applying to any system. Once the GPOs are tailored to the organization’s needs and properly tested, begin rollout to a small group of systems.”
Yes: In Linux/ Debian/ Ubuntu systems you can open the .sh script and comment out which recommendations you do not want to run. To know what every recommendation is and what it does, you can go to the Benchmark Workbench page, on the left you’ll see ‘Navigation’ and a link to each Recommendation and sub-recommendation. The Description, Rationale Statement, Remediation process, and Impact Statement for each recommendation are explained. It will additionally state the Applicable Profiles for each Recommendation eg. L1 - User, L1 Domain Controller, etc. I highly recommend looking at each recommendation contained within a profile before applying the full level.

 

Per the exclusion_list.txt within our Linux Benchmarks

###########################################
To exclude a recommendation from being
Implemented by the CIS Linux Build Kit
Please enter the recommendation number
of the recommendation you wish to
exclude on it's own line bellow
###########################################

 


Copyright © 2020

Center for Internet Security®