Remediation Kits FAQ
What are Remediation Kits?
CIS offers Remediation Kits for certain technologies to assist in the automation of hardening systems. The Remediation Kit is designed to cover the majority of the benchmark settings. Not all settings within a corresponding CIS Benchmark can be applied from a Remediation Kit, as certain settings cannot be managed through group policy objects or scripts. Any settings not included in the Remediation Kit will be reflected in the CIS-CAT Assessment Report. These templates or scripts should be modified to align with your organization’s defined policies.
Where does the content for each Remediation Kit come from?
Remediation Kits are built upon the corresponding CIS Benchmark’s “Remediation” section. This section can be found within the CIS Benchmark PDF and provides the end user with the remediation steps necessary to make that recommendation compliant with the CIS Benchmark.
CIS Benchmark PDFs can also be downloaded through our community platform, CIS WorkBench. CIS WorkBench is free to join and community participation is encouraged! CIS Benchmark PDFs can be accessed from the Downloads page within CIS WorkBench.
Remediation Kits automate the processes within the “Remediation” section of the CIS Benchmark PDF to spare the end user from manually applying each security recommendation.
How do Remediation Kits work?
For Windows technologies, Remediation Kits take the form of Group Policy Objects (GPOs). The Remediation Kits are zip files that contain a GPO for each profile within the corresponding CIS Benchmark. These GPOs are intended to be imported into the organization’s group policy management console and pushed out to machines in order to meet compliance with the CIS Benchmark. For additional information, please reference the Read Me document contained within each Remediation Kit.
The Remediation Kits for UNIX and LINUX environments are basic shell scripts that can be run from the machine or through another organizationally-approved tool.
Please note, reviewing the content within the corresponding Benchmark PDF is imperative for an overall successful application of the Remediation Kit, as there may be some settings that your organization needs to exempt itself from due to unique operational requirements. Applying the Remediation Kit to a system without proper testing and review may result in a negative impact within your environment. In some cases, less than 100% of the CIS Benchmark will be applied; it is the responsibility and decision of each organization to determine which settings are applicable to their unique needs.
Where should I start?
Begin by reviewing the CIS Benchmark for which you are planning to apply the Remediation Kit. During the review process, certain recommendations that do not align with organizational process and procedure can be marked and notated using the checklist contained within the CIS Benchmark PDF. Once all recommendations have been reviewed and the checklist has been approved for your organization, download the Remediation Kit of interest and modify the contents of the Remediation Kit to match the list developed. Once modifications have been completed, test the application of your now-customized Remediation Kit on a test system to identify any conflicts that may arise. Upon working through any errors identified in the testing process, the final Remediation Kit is ready to be deployed in a live environment.
The application of the Remediation Kits will be unique depending on whether the system involved is a standalone machine or domain-joined. Please reference the Read Me within the Remediation Kit, as certain Read Me documents provide different instructions based upon the system.
Where can the Remediation Kits be found?
In order to access Remediation Kits, your organization must be a CIS SecureSuite Member. The Remediation Kits can be downloaded from the Downloads page on CIS WorkBench. Using the “Tag” feature on the WorkBench Downloads page, type “Remediation Kit” and click “Search.” This search will return all of the available Remediation Kits that CIS has to offer.
Are Remediation Kits available for all technologies?
At this time, not all CIS Benchmarks have corresponding Remediation Kits. As your feedback is incredibly valuable and necessary to our mission at CIS, please inform us if there is a CIS Benchmark for which a Remediation Kit would be beneficial to your organization by reaching out to firstname.lastname@example.org.