Skip to content

Customizing a benchmark rule

Benchmark rules

Within a CIS benchmark, there are multiple, up to hundreds of checks to be performed by the Nanitor agent. These checks are also known as benchmark rules. 

Custom benchmark rules

The benchmark rules provided by CIS can be checks that can in most cases be answered with a yes or no indicating if the check (rule) has been passed or failed. But sometimes these checks include a value to be compared to. E.g., CIS checks if the password length is 24 characters. In some cases, this might not fit customer needs since organizations might have other technical policies. From the example above there could be a requirement for a more or less strong password policy. 

Starting with the Nanitor release 2.3. onwards it is possible for certain benchmark rules to set customized values for a rule to check against. E.g., you might want to set the password policy to 30 characters rather than the default value provided by CIS. Customizable rules are available within the Windows 10 and 2016 benchmarks only to start with but will be extended to further benchmarks in the upcoming releases. 

How do I know if a benchmark rule is customizable?

When a customizable value is available for a benchmark rule you will notice the Available option menu within the Custom Value column from within the selected benchmark.

Customizing a benchmark rule

Opening the same benchmark rule that is available for customization will reveal the possibility to amend the value that is rule is checking against. 

The value(s) that can be amended is different depending on the nature of the benchmark rule. You might be presented with a dropdown menu to select a value or the option to enter a custom value (e.g., a user account to check the access rights against). In this case you will need to select the "Custom" option.

This will bring up a new field that allows you to enter a new user value

After you have created that value you can select it from the dropdown menu

Why are customizations not available for all benchmark rules

For some use cases it makes sense to offer/allow customized values to compare against. For those case Nanitor is strived to implement them upon requests from customers. However, Nanitor is still an IT security tool and might for that reason not allow any customizations when the possible amendments circumvention the intention from CIS to ensure a more secure IT infrastructure. In that sense it is worth mentioning that you are still able to exclude a benchmark rule by removing the rule from the baseline (deselecting the "In baseline" option).