/
Can CIS Build Kits (previously Remediation kits) be edited?

Can CIS Build Kits (previously Remediation kits) be edited?


Product Name

CIS Build Kits

Product Version

All

Date

Jan 11, 2021



Problem

We would like to modify the CIS build kits to exclude certain Recommendations, can we?

Solution

Yes and No.
No: The Windows build kits themselves cannot be edited before unzipping. The build kits are a full remediation of a specific Benchmark and profile. You can choose which profiles and Profile Levels you would like to apply, however, you will apply the full level at once, then go back into the system and modify policies to suite the needs of your Organization. If this is a standalone device there will not be an Active Directory to put these GPOs into.

Yes: IF you are deploying to a domain-joined enterprise systems you will be importing the GPOs contained in the Build Kit into your group policy of your domain controller For domain joined systems: “Once imported, edit the GPOs accordingly before applying to any system. Once the GPOs are tailored to the organization’s needs and properly tested, begin rollout to a small group of systems.”
Yes: In Linux/ Debian/ Ubuntu systems you can open the .sh script and comment out which recommendations you do not want to run. To know what every recommendation is and what it does, you can go to the Benchmark Workbench page, on the left you’ll see ‘Navigation’ and a link to each Recommendation and sub-recommendation. The Description, Rationale Statement, Remediation process, and Impact Statement for each recommendation are explained. It will additionally state the Applicable Profiles for each Recommendation eg. L1 - User, L1 Domain Controller, etc. I highly recommend looking at each recommendation contained within a profile before applying the full level.

 

Per the exclusion_list.txt within our Linux Benchmarks

###########################################
To exclude a recommendation from being
Implemented by the CIS Linux Build Kit
Please enter the recommendation number
of the recommendation you wish to
exclude on it's own line bellow
###########################################

 


Copyright © 2020

Center for Internet Security®


 

Related content

Is there documentation that can be referred to while customizing the CIS Build Kits®?
Is there documentation that can be referred to while customizing the CIS Build Kits®?
More like this
I would like to update existing GPOs from a Windows Build Kit to align with the newest Benchmark release
I would like to update existing GPOs from a Windows Build Kit to align with the newest Benchmark release
Read with this
Rollback scripts for the automated remediation using CIS Build Kits
Rollback scripts for the automated remediation using CIS Build Kits
More like this
What CIS Build Kits® are available?
What CIS Build Kits® are available?
Read with this
Our Cloud Servers are not domain joined, can we still use the CIS Build Kits®?
Our Cloud Servers are not domain joined, can we still use the CIS Build Kits®?
More like this
Password incorrect for Admin user after applying Server2012R2v2.4.0 Build Kit MS-L. I need help restoring access to this server
Password incorrect for Admin user after applying Server2012R2v2.4.0 Build Kit MS-L. I need help restoring access to this server
Read with this