CIS Build Kits FAQ
What are Build Kits?
CIS offers Build Kits for certain technologies to assist in the automation of hardening systems. The Build Kit is designed to cover the majority of the benchmark settings. Not all settings within a corresponding CIS Benchmark can be applied from a Build Kit, as certain settings cannot be managed through group policy objects or scripts. Any settings not included in the Build Kit will be reflected in the CIS-CAT Assessment Report. These templates or scripts should be modified to align with your organization’s defined policies.
Where does the content for each CIS Build Kit come from?
Build Kits are built upon the corresponding CIS Benchmark’s “Remediation” section. This section can be found within the CIS Benchmark PDF and provides the end user with the remediation steps necessary to make that recommendation compliant with the CIS Benchmark.
CIS Benchmark PDFs can also be downloaded through our community platform, CIS WorkBench. CIS WorkBench is free to join and community participation is encouraged! CIS Benchmark PDFs can be accessed from the Downloads page within CIS WorkBench.
Build Kits automate the processes within the “Remediation” section of the CIS Benchmark PDF to spare the end user from manually applying each security recommendation.
How do Build Kits work?
For Windows technologies, Build Kits take the form of Group Policy Objects (GPOs). The Build Kits are zip files that contain a GPO for each profile within the corresponding CIS Benchmark. These GPOs are intended to be imported into the organization’s group policy management console and pushed out to machines in order to meet compliance with the CIS Benchmark. For additional information, please reference the Read Me document contained within each Build Kit.
The Build Kits for UNIX and Linux environments are basic shell scripts that can be run from the machine or through another organizationally approved tool.
Please note that reviewing the content within the corresponding Benchmark PDF is imperative for a successful application of the Build Kit, as there may be some settings that your organization needs to exempt itself from due to unique operational requirements. Applying the Build Kit to a system without proper testing and review may result in a negative impact within your environment. In some cases, less than 100% of the CIS Benchmark will be applied; it is the responsibility and decision of each organization to determine which settings are applicable to its unique needs.
Where should I start?
Begin by reviewing the CIS Benchmark for which you are planning to apply the Build Kit. During the review process, certain recommendations that do not align with organizational process and procedure can be marked and notated using the checklist contained within the CIS Benchmark PDF. Once all recommendations have been reviewed and the checklist has been approved for your organization, download the Build Kit of interest and modify the contents of the Build Kit to match the list developed. Once modifications have been completed, test the application of your now-customized Build Kit on a test system to identify any conflicts that may arise. Upon working through any errors identified in the testing process, the final Build Kit is ready to be deployed in a live environment.
The application of the Build Kits will differ depending on whether the system involved is a standalone machine or domain-joined. Please reference the Read Me within the Build Kit, as certain Read Me documents provide different instructions based upon the system.
Where can the Build Kits be found?
In order to access Build Kits, your organization must be a CIS SecureSuite Member. The Build Kits can be downloaded from the Downloads page on CIS WorkBench. Using the “Tag” feature on the WorkBench Downloads page, type “Build Kit” and click “Search.” This search will populate all of the available Build Kits that CIS has to offer.
Are Build Kits available for all technologies?
At this time, not all CIS Benchmarks have corresponding Build Kits. As your feedback is incredibly valuable and necessary to our mission at CIS, please inform us if there is a CIS Benchmark for which a Build Kit would be beneficial to your organization by reaching out to firstname.lastname@example.org.