When you deploy CCS in your environment a set of predefined CCS standards are installed along with the other components. A CCS standard basically comprises of sections that contain checks. A check is executed on a target system or asset to assess compliance.
The hierarchical structure of a check is as follows:
Standard -> Sections -> Checks
Broadcom ships CIS standards (also known as CIS Benchmarks) and standards based on CIS (also known as Security Essentials) that are created by Broadcom. Customers can use these predefined standards out-of-the-box to assess compliance within the organization.
The predefined CCS standards contain one of the following types of checks:
-
Simple XML checks for evaluation of assets to check for the existence of a particular registry key, etc.
-
Complex C# checks for complex evaluation of assets. Complex checks can be customized to some extent by modifying the parameters of the checks. Such modified complex checks are categorized as custom checks.
-
Script-based checks that use an in-house script to execute the check. A script-based check can be used when you want to extend the product capability beyond simple or complex checks.
Using the Check Builder from the product user interface, you can create new checks or modify existing simple checks. A newly created or modified check is called a custom check. A script-based check also falls under the category of custom checks. You can create a copy of a predefined standard in CCS. If the copy of the standard does not have any modifications, then such a standard is supported by Broadcom. However, if any changes are made to the check logic (expression, pre-condition, data filter) that affect the functionality or performance of the check, then such a check is considered as a custom check. For technical assistance on custom checks, you must seek assistance from Professional Services partners. Contact your Broadcom Account Manager or Broadcom Sales Team to see what is available or to begin the process of contacting Professional Services.
Symantec Support provides assistance with out-of-the-box or predefined checks only (that have not been deprecated).
CIS checks that cause an issue in the customer environment due to the interpretation or implementation of the check cannot be considered as defects. If customization is requested of such checks to suit the specific environment, then it is considered as an enhancement.
In general, any changes requested to checks, standards, or templates are considered enhancements and follow the standard cycle:
Review -> Approve -> Build.
However, issues reported on out-of-the-box or predefined checks are considered defects and are handled accordingly.