Customizing CIS check

Hi everyone,

I’m new using BigFix and after reading the BigFix documentation I still have some questions.

We are using CIS Benchmarks and we want to customize one of its checks.Specifically, we want to customize the check “(L1) Ensure ‘Deny log on locally’ to include ‘Guests’” changing “Guests” by a group of Active Directory (p.e. “Domain\Group”).

I’ve tried the following steps:

1) Modify the analysis: first of all, we’ve modified the analysis in order to retrieve all the accounts who have the right “sedenyinteractivelogonright”. In this point we have retrieved that al the computers have the account “Domain\Group” in the following format:

account : S-1-5-21-xxxxxxxxx-xxxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx (Domain\Group)

  1. Modify the fixlet: in this point I’ve modify only the compliance part (in “Description” section) to detect “Group”.

Nevertheless, In BigFix Compliance this check appears as “Not Compliant”…

In the following image I show you the fixlet and analysis from external site, and the fixlet and analysis from the customized site (copy of external site).

Could you please help me? Thank you in advance!!

Regards,
Eva