Can CIS Build Kits (previously Remediation kits) be edited?
Product Name
CIS Build Kits
Product Version
All
Date
Jan 11, 2021
Problem
We would like to modify the CIS build kits to exclude certain Recommendations. Can we?
Solution
Yes and No.
No: The Windows build kits themselves cannot be edited before unzipping. The build kits are a full remediation of a specific Benchmark and profile. You can choose which profiles and Profile Levels you would like to apply; however, you will apply the full level at once, then go back into the system and modify policies to suit the needs of your organization. If this is a standalone device, there will not be an Active Directory to put these GPOs into.
Yes: If you are deploying to domain-joined enterprise systems, you will be importing the GPOs contained in the Build Kit into the group policy of your domain controller. For domain-joined systems: “Once imported, edit the GPOs accordingly before applying to any system. Once the GPOs are tailored to the organization’s needs and properly tested, begin rollout to a small group of systems.”
Yes: On Linux/Debian/Ubuntu systems you can open the .sh script and comment out the recommendations you do not want to run. To know what every recommendation is and what it does, go to the Benchmark Workbench page; on the left you’ll see ‘Navigation’ and a link to each Recommendation and sub-recommendation. The Description, Rationale Statement, Remediation process, and Impact Statement for each recommendation are explained there. It also states the Applicable Profiles for each Recommendation, e.g. L1 - User, L1 Domain Controller, etc. I highly recommend looking at each recommendation contained within a profile before applying the full level.
Per the exclusion_list.txt within our Linux Benchmarks:
###########################################
To exclude a recommendation from being
Implemented by the CIS Linux Build Kit
Please enter the recommendation number
of the recommendation you wish to
exclude on it's own line bellow
###########################################
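
The following is an added example, not part of the CIS Build Kit or this article's original text: a pre-flight check that lints an exclusion_list.txt so that a mistyped or duplicated recommendation number is caught before the kit runs. It assumes recommendation numbers are dotted numerics such as 1.1.1.1 and that lines beginning with `#` are header text; the function names `check_exclusions` and `make_sample` are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the CIS Build Kit.
# Assumptions: entries are dotted numerics (e.g. 1.1.1.1); lines starting
# with '#' are header text; function names here are hypothetical.

# check_exclusions FILE
#   stdout: valid, de-duplicated recommendation numbers, one per line
#   stderr: one diagnostic per rejected line
#   return: 0 if all entries are well formed, 1 if any is not, 2 if unreadable
check_exclusions() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    # Strip CRs first: a list edited on Windows would otherwise carry a
    # trailing \r on each number.
    tr -d '\r' < "$1" | awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }    # trim whitespace
        /^$/ || /^#/ { next }                          # blank or header line
        !/^[0-9]+(\.[0-9]+)*$/ {
            printf "line %d: not a recommendation number: %s\n", NR, $0 > "/dev/stderr"
            bad = 1; next
        }
        seen[$0]++ {
            printf "line %d: duplicate entry: %s\n", NR, $0 > "/dev/stderr"
            next
        }
        { print }
        END { exit bad + 0 }
    '
}

# Constructed sample list (not real exclusions) covering each case.
make_sample() {
    f=$(mktemp) || return 1
    {
        printf '%s\n' '###########################################'
        printf '%s\n' '# constructed sample entries'
        printf '%s\n' '1.1.1.1' '  3.4.2  '
        printf '4.1.3\r\n'
        printf '%s\n' '1.1.1.1' '5.2.x'
    } > "$f"
    echo "$f"
}

sample=$(make_sample)
check_exclusions "$sample" || echo "fix the exclusion list before running the build kit" >&2
rm -f "$sample"
```

The numbers printed on stdout can be kept with the change record as the list of recommendations that were deliberately left unremediated.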