CoursesInSpecIntermediate

Inheritance & overlays

Reuse and tailor baselines.

Intermediate12 min · lesson 7 of 12

You rarely write a whole baseline from scratch — you inherit one and tailor it. A profile can depend on another and then include, skip, or modify its controls. This is the overlay pattern: take an upstream CIS or DISA baseline as the base, and your organization’s profile overlays it — skipping controls that do not apply, adjusting inputs, and adding org-specific controls the baseline lacks. You get the rigor of a maintained baseline plus your own tailoring, without forking it.

BASE + OVERLAY
Upstream baseline (consumed)
CIS / DISA profile
hundreds of mapped controls
Maintained upstream
you adopt new versions
Your overlay (deltas only)
skip_control
with documented reason
override control
tighten inputs / thresholds
add controls
org-specific gaps
Result
Tailored profile
baseline rigor + your deltas
Consume the maintained baseline; keep only your small, reviewable deltas in the overlay.
controls/overlay.rb
# include controls from the inherited baseline, with tailoring
include_controls 'cis-dil-benchmark' do
# skip a control that genuinely does not apply, with justification
skip_control 'xccdf_org.cisecurity.benchmarks_rule_1.1.1.1'
# override a control’s expectation for your environment
control 'sshd-01' do
describe sshd_config do
its('ClientAliveInterval') { should cmp <= 900 }
end
end
end

Base plus overlay, maintained separately

The value is separation: the upstream baseline is maintained by its community and you consume new versions, while your overlay holds only your deltas — the skips, the tightened thresholds, the extra controls — which stay small and reviewable. When the baseline updates, you adopt it and re-check your overlay, rather than diffing a forked copy. It is the same base/overlay discipline as Kustomize or Terragrunt, applied to compliance content.

A skip in an overlay must carry a documented reason
skip_control in an overlay silently drops a baseline requirement, so an undocumented skip is an unexplained gap in your compliance posture that an auditor will (rightly) question. Every skip should reference a justification (a risk acceptance, a ticket) — ideally as a waiver (next lesson) rather than a bare skip — so the exception is explicit, owned, and reviewable, not a quiet hole in the baseline.