Customizing the CIS profile

Compliance with a benchmark is not an all-or-nothing task. Each environment is different, and options that are niche in one place can be essential in another. For this reason, USG lets you tailor a profile: you can remove rules that do not apply to your environment and set the value of rules that offer multiple options. Both kinds of change are expressed in a tailoring file, and every deviation you make should be recorded, since an audit against a tailored profile reports compliance with the tailored profile rather than with the unmodified benchmark.

Setting variables

Rules with a configurable value (a hostname, a timeout, a file mode) are set through a tailoring file, as demonstrated below. Generate the tailoring file from the same profile you intend to audit against.

  1. Generate a tailoring file (here for the STIG profile)
    $ sudo usg generate-tailoring stig tailor.xml

  2. Edit the tailoring file and go through the rules shown as comments. For example, to set the remote auditd server (rule UBTU-20-010216), find the text:

<!-- UBTU-20-010216 -->
<xccdf:set-value idref="var_audispd_remote_server">logcollector</xccdf:set-value>

Replace logcollector with the hostname of your remote audit log server. Leave the idref attribute unchanged; it is the identifier that ties the value to the rule.

  3. Audit using the new tailoring file
    $ sudo usg audit --tailoring-file tailor.xml

  4. Fix using the new tailoring file
    $ sudo usg fix --tailoring-file tailor.xml

Disabling / Removing rules

Let’s also examine how to stop certain rules from applying. Suppose we run in an environment that requires the jffs2 filesystem, but we also need to comply with the CIS Level 1 Server profile, which prohibits it.

  1. Generate a tailoring file
    $ sudo usg generate-tailoring cis_level1_server tailor.xml

  2. Edit the tailoring file and go through the rules shown as comments. Search for jffs2 in that file:

<!-- 1.1.1.3 Ensure mounting of jffs2 filesystems is disabled (Automated) -->
<xccdf:select idref="kernel_module_jffs2_disabled" selected="true"/>

Replacing selected="true" with selected="false" means USG no longer enforces the disablement of this filesystem. The rule is skipped by both audit and fix rather than reported as a failure, so keep a note of the exception and its justification alongside the tailoring file: a deselected rule is a documented deviation from the benchmark, not compliance with it.

  3. Audit using the new tailoring file
    $ sudo usg audit --tailoring-file tailor.xml

  4. Fix using the new tailoring file
    $ sudo usg fix --tailoring-file tailor.xml
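Both procedures above (setting a variable, and deselecting a rule) are hand edits to the same XCCDF tailoring file. The script below is an added example, not part of USG, that makes the same two edits with xml.etree so they can be applied repeatably and reviewed. The tailoring XML it operates on is a constructed fragment modelled on the snippets shown above (it mixes a CIS rule and a STIG variable only so both operations can be shown on one file); the XCCDF 1.2 namespace is the one USG tailoring files use; and the hostname auditlog.example.internal is a placeholder.

```python
"""Apply tailoring edits to a USG/XCCDF tailoring file programmatically.

Added example for this page; it is not part of USG. It does with
xml.etree what the manual edits above do in an editor: set an
<xccdf:set-value> variable and flip <xccdf:select selected="..."/>,
then list the resulting deviations so they can be recorded.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"  # XCCDF 1.2 namespace of USG tailoring files
NS = {"xccdf": XCCDF_NS}
ET.register_namespace("xccdf", XCCDF_NS)            # keep the xccdf: prefix when serialising

# Constructed sample fragment, modelled on the snippets shown on this page.
# A real tailoring file covers one profile; this one mixes a CIS rule and a
# STIG variable only so that both operations can be shown on a single file.
SAMPLE_TAILORING = """<?xml version="1.0" encoding="UTF-8"?>
<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_tailoring">
  <xccdf:Profile id="xccdf_example_profile">
    <!-- 1.1.1.3 Ensure mounting of jffs2 filesystems is disabled (Automated) -->
    <xccdf:select idref="kernel_module_jffs2_disabled" selected="true"/>
    <!-- 1.1.1.1 Ensure mounting of cramfs filesystems is disabled (Automated) -->
    <xccdf:select idref="kernel_module_cramfs_disabled" selected="true"/>
    <!-- UBTU-20-010216 -->
    <xccdf:set-value idref="var_audispd_remote_server">logcollector</xccdf:set-value>
  </xccdf:Profile>
</xccdf:Tailoring>
"""


def load_tailoring(xml_text):
    """Parse tailoring XML, keeping the rule-title comments USG writes."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text.encode("utf-8"), parser=parser)
    if root.find("xccdf:Profile", NS) is None:
        raise ValueError("no <xccdf:Profile> element in tailoring file")
    return root


def _find_one(root, tag, idref):
    """Return the single <xccdf:{tag} idref=...> element, or fail loudly."""
    profile = root.find("xccdf:Profile", NS)
    hits = [e for e in profile.findall(f"xccdf:{tag}", NS) if e.get("idref") == idref]
    if len(hits) != 1:
        raise KeyError(f"expected one <{tag} idref={idref!r}>, found {len(hits)}")
    return hits[0]


def set_value(root, idref, value):
    """Set a profile variable (the manual edit of 'logcollector' above)."""
    el = _find_one(root, "set-value", idref)
    el.text = value
    return el.text


def select_rule(root, idref, selected):
    """Enable or disable a rule (the selected="true"/"false" edit above)."""
    el = _find_one(root, "select", idref)
    el.set("selected", "true" if selected else "false")
    return el.get("selected")


def deviations(root):
    """Summarise what differs from the stock profile, for a change record."""
    profile = root.find("xccdf:Profile", NS)
    disabled = [e.get("idref") for e in profile.findall("xccdf:select", NS)
                if e.get("selected") == "false"]
    values = {e.get("idref"): e.text for e in profile.findall("xccdf:set-value", NS)}
    return {"disabled_rules": disabled, "values": values}


def tailor(xml_text, values=None, disable=()):
    """Apply value settings and rule deselections; return (new XML, deviations)."""
    root = load_tailoring(xml_text)
    for idref, value in (values or {}).items():
        set_value(root, idref, value)
    for idref in disable:
        select_rule(root, idref, False)
    xml_out = '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")
    return xml_out, deviations(root)


def tailor_file(path, values=None, disable=()):
    """Rewrite a tailoring file on disk, e.g. one written by usg generate-tailoring."""
    with open(path, encoding="utf-8") as fh:
        xml_out, dev = tailor(fh.read(), values, disable)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(xml_out + "\n")
    return dev


if __name__ == "__main__":
    # Demo on the constructed sample; the hostname is a placeholder, not a real host.
    new_xml, dev = tailor(
        SAMPLE_TAILORING,
        values={"var_audispd_remote_server": "auditlog.example.internal"},
        disable=["kernel_module_jffs2_disabled"],
    )
    print(new_xml)
    print("deviations to record:", dev)
```

Point tailor_file at the file produced by sudo usg generate-tailoring, then run sudo usg audit --tailoring-file as in the steps above. An unknown idref raises KeyError rather than silently adding an element, because a typo in a rule name would otherwise leave the original rule enforced while the change record claims it was disabled; the returned deviations dictionary is what to keep with your compliance evidence.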