ansible-lockdown / windows-2019-cis-audit

Standalone audit function for windows 2019 CIS benchmarks based on goss

Home Page: https://ansible-lockdown.readthedocs.io/en/latest/

License: MIT License

YAML 96.53% PowerShell 3.47%
auditing benchmark benchmark-framework cis cis-standards compliance-as-code compliance-automation security-audit security-automation windows-security

windows-2019-cis-audit's Introduction

Windows 2019 CIS audit

Overview

This is a BETA release.

How it works

  • The audit is designed to run as part of the Ansible remediation playbook (coming soon) or as the standalone configurable script contained in this repo (run_audit.ps1)
    • The script discovers and sets several variables to ensure the command runs consistently
    • This also allows the audit to be triggered by other automation
  • When goss runs, it executes the required OS commands to capture the data for analysis
    • For GPO settings, goss runs the PowerShell script ./scripts/gpo_regex.ps1 with arguments that search for the matching policy name
    • It outputs the details if the policy is defined
    • If nothing is found, it outputs "Not Defined"

NOTE: The audit is expected to run from a single audit directory (one containing both the goss file and the audit profile); if your layout differs, modify the script paths in vars accordingly.
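The GPO lookup described above, as an added illustration that is not the project's own gpo_regex.ps1: it searches a saved gpresult /v /r report for a policy name and returns its configured value, or "Not Defined" when the policy is absent. It assumes the gpresult layout of a "Policy:" line followed by a "Computer Setting:" line; the sample report is constructed, not a real capture.

```powershell
function Get-GpoPolicySetting {
    param(
        [Parameter(Mandatory)][string]$GpresultFile,   # path to saved "gpresult /v /r" output
        [Parameter(Mandatory)][string]$PolicyName      # policy name to look for, e.g. MinimumPasswordLength
    )
    $lines = Get-Content -Path $GpresultFile
    # Assumption: gpresult /v lists each applied policy as
    #   "Policy:            <name>" followed by "Computer Setting:  <value>"
    $policyPattern = '^\s*Policy:\s+' + [regex]::Escape($PolicyName) + '\s*$'
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match $policyPattern) {
            if (($i + 1) -lt $lines.Count -and
                $lines[$i + 1] -match '^\s*Computer Setting:\s+(.*?)\s*$') {
                return $Matches[1]          # the value the GPO applied
            }
        }
    }
    return 'Not Defined'                    # policy never appeared in the report
}

# Constructed sample in gpresult /v layout (hypothetical values, not a real capture).
$sampleReport = @'
    GPO: Default Domain Policy
        Policy:            MinimumPasswordLength
        Computer Setting:  14
        Policy:            LockoutBadCount
        Computer Setting:  5
'@
$samplePath = Join-Path $env:TEMP 'gpresult_sample.txt'
Set-Content -Path $samplePath -Value $sampleReport

# Defined policy returns its value; an absent one returns "Not Defined",
# which is what a goss stdout check on the expected value would then compare.
Get-GpoPolicySetting -GpresultFile $samplePath -PolicyName 'MinimumPasswordLength'
Get-GpoPolicySetting -GpresultFile $samplePath -PolicyName 'PasswordComplexity'
```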

What is goss?

Gives the ability to audit a local system using a lightweight binary to check the current state.

This is:

  • a very small (11 MB) executable
  • low resource impact
  • self-contained

Due to the variations that can occur within Windows, this is released as beta. It has been tested on base installations of:

  • standalone system
  • domain controller

How To Guide

Development/Contributing Notes

  • goss.yml - the main goss file to run (has to be used with -g) - this loads all the sections as required
  • (benchmark_name).yml - the variables used by the goss file, split into sections to control the variables (this file will get large)
  • Try to reuse elements/vars as much as possible
  • Use variables wherever you can to keep the code efficient
  • Build variables up
  • Some controls only apply to a DC or MS - the settings in vars determine whether the host is a DC or MS (populated by Ansible when run from a task)
  • Some controls are written twice because the vars differ for a DC and an MS (e.g. 2.2.7)

Join us

On our Discord Server to ask questions, discuss features, or just chat with other Ansible-Lockdown users

Requirements

  • Permissions to run all the commands - admin rights may be needed to run this
    • also if IIS or Exchange is installed
  • Download goss (current version 0.3.6 - alpha for Windows)
  • A reboot and gpupdate are suggested prior to the audit; otherwise results may differ

Information if not using the wrapper script

These are just some of the requirements needed if running goss standalone. Please refer to goss documentation if running manually.

  • goss must be on the host running the audit - note it is currently alpha but works well
    • the environment variable needs to be set:
$env:GOSS_USE_ALPHA=1

Domain members and domain controllers

  • gpresult /v /r > file_location.txt needs to be created (the variable gpresult_file needs to be updated)
  • auditpol.exe /get /category:* > file_location.txt (the variable auditresults_file needs to be updated)

A standalone server will require the following commands:

  • secedit /export /cfg {{ file output location }} (variable standalone_policies.txt)
  • auditpol.exe /get /category:* > file_location.txt
  • Due to the output format, we need to search for the SID of standard users using the MS doc below

Further information

Example output (standalone after running benchmark)

PS C:\vagrant\Win2019-CIS-Audit> .\run_audit.ps1
Pre checks - Ensure files exist
OK - "C:\vagrant\goss.exe" exists
OK - "C:\vagrant\Win2019-CIS-Audit\CIS.yml" exists
OK - "C:\vagrant\Win2019-CIS-Audit\goss.yml" exists
OK - Files Exist
Running Audit commands

OK - ran auditpol report - created C:\vagrant\auditpol_1646394033.txt

StandAlone Server system discovered running relevant checks

OK - secedit report - created C:\vagrant\secedit_1646394033.txt

Running Audit
Audit Successful

    "summary": {
        "failed-count": 31,
        "summary-line": "Count: 661, Failed: 31, Duration: 44.994s",
        "test-count": 661,
        "total-duration": 44993809300
    }
}

Complete audit file can be found at C:\vagrant\audit_1646394033.json
PS C:\vagrant\Win2019-CIS-Audit>

windows-2019-cis-audit's People

Contributors

uk-bolly

windows-2019-cis-audit's Issues

goss audit with run_audit.ps1 script results in >600 out of 661 failures

When running the run_audit.ps1 script on a Windows 2019 host that was remediated with the Windows-2019-CIS role using all defaults except for the following:

win19cis_skip_for_ansible: true

I'm getting the following result:

        "summary-line": "Count: 661, Failed: 649, Duration: 445.400s",

The failures are always as follows:

        "err": "Command execution timed out (10s)",

This happens even after adding a timeout: 30000 line to the command in any of the yml files in the Windows-2019-CIS-Audit folder structure. Example:

  {{ if .Vars.win2019cis_2_3_10_5 }}
  disable_everyone_inc_anon:
    title: 2.3.10.5 | L1 | Ensure 'Network access - Let Everyone permissions apply to anonymous users' is set to 'Disabled' | reg_check
    exec:  {{ .Vars.ps_regcheck }} {{ .Vars.HKLM_CCS_LSA }} -Name EveryoneIncludesAnonymous
    exit-status: 0
    timeout: 30000
    stdout:
    - '1'
    meta:
      Domain_Controller: 1
      Member_Server: 1
      CIS_ID: 2.3.10.5
      CISv8:
      - 4.1
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
  {{ end }}

Note that this is using goss version 3.22 as 3.6 is no longer available for Windows.
