Giter VIP home page Giter VIP logo

windows-bench's Introduction

windows-bench

GitHub Release License GitHub Build Actions GitHub Release Actions release-snapshot

windows-bench is a Go application that checks whether the windows operating system is configured securely by running the checks documented in the CIS Distribution Independent windows Benchmark.

Tests are configured with YAML files, making this tool easy to update as test specifications evolve.

CIS windows Benchmark support windows-bench currently supports tests for Windows server 2022 benchmark version 2.0.0 only.

windows-bench will determine the test set to run on the host machine based on the following:

Operating system platform - windows server 2022

Install Go, then clone this repository and run as follows (assuming your $GOPATH is set):

go get github.com/aquasecurity/windows-bench

cd $GOPATH/src/github.com/aquasecurity/windows-bench

GOOS=windows GOARCH=386 go build -o bin/windows-bench.exe main.go

See all supported options

./windows-bench --help

Run checks

./windows-bench

[INFO] 1 Account Policies
[INFO] 1.1 Password Policy
[PASS] 1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' (Automated)
[PASS] 1.1.2 Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' (Automated)
[PASS] 1.1.3 Ensure 'Minimum password age' is set to '1 or more day(s)' (Automated)
[FAIL] 1.1.4 Ensure 'Minimum password length' is set to '14 or more character(s)' (Automated)
[FAIL] 1.1.5 Ensure 'Password must meet complexity requirements' is set to 'Enabled' (Automated)

== Remediations ==
1.1.4 To establish the recommended configuration via GP, set the following UI path to 14 or more character(s):
    Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length

1.1.5 To establish the recommended configuration via GP, set the following UI path to 14 or more character(s):
     Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements


== Summary ==
3 checks PASS
2 checks FAIL
0 checks WARN
0 checks INFO

Run checks for specified windows cis version

./windows-bench --version Tests Tests are specified in definition files cfg//definitions.yaml.

Where is the version of windows cis for which the test applies.

Run checks with json format

./windows-bench --json

{
  "id": "1",
  "text": "Account Policies",
  "tests": [
    {
      "section": "1.1",
      "desc": "Password Policy",
      "Constraints": null,
      "type": "",
      "results": [
        {
          "test_number": "1.1.1",
          "test_desc": "Ensure 'Enforce password history' is set to '24 or more password(s)' (Automated)",
          "SubChecks": null,
          "audit_type": "powershell",
          "audit": {
            "cmd": {
              "DomainController": "Get-ADDefaultDomainPasswordPolicy -Current LocalComputer | Select -ExpandProperty PasswordHistoryCount",
              "Server": "Get-ADDefaultDomainPasswordPolicy -Current LocalComputer | Select -ExpandProperty PasswordHistoryCount"
            }
          },
          "type": "",
          "test_info": [
            "To establish the recommended configuration via GP, set the following UI path to 24 or more password(s):\n  Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account\n  Policies\\Password Policy\\Enforce password history\n"
          ],
          "status": "PASS",
          "actual_value": "24",
          "expected_result": "'' is greater or equal to 24",
          "scored": true,
          "IsMultiple": false
        },
        {
          "test_number": "1.1.2",
          "test_desc": "Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' (Automated)",
          "SubChecks": null,
          "audit_type": "powershell",
          "audit": {
            "cmd": {
              "DomainController": "Get-ADDefaultDomainPasswordPolicy -Current LocalComputer | Select -ExpandProperty MaxPasswordAge | Select -ExpandProperty TotalDays",
              "Server": "Get-ADDefaultDomainPasswordPolicy -Current LocalComputer | Select -ExpandProperty MaxPasswordAge | Select -ExpandProperty TotalDays"
            }
          },
          "type": "",
          "test_info": [
            "To establish the recommended configuration via GP, set the following UI path to 365 or fewer days, but not 0:\n Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Maximum password age\n"
          ],
          "status": "PASS",
          "actual_value": "42",
          "expected_result": "'' is lower or equal to 365 AND '' is not equal to '0'",
          "scored": true,
          "IsMultiple": false
        },
        {
          "test_number": "1.1.3",
          "test_desc": "Ensure 'Minimum password age' is set to '1 or more day(s)' (Automated)",
          "SubChecks": null,
          "audit_type": "powershell",
          "audit": {
            "cmd": {
              "DomainController": "Get-ADDefaultDomainPasswordPolicy -Current LocalComputer | Select -ExpandProperty MinPasswordAge | Select -ExpandProperty TotalDays",
              "Server": "Get-ADDefaultDomainPasswordPolicy -Current LocalComputer | Select -ExpandProperty MinPasswordAge | Select -ExpandProperty TotalDays"
            }
          },
          "type": "",
          "test_info": [
            "To establish the recommended configuration via GP, set the following UI path to 1 or more day(s):\n   Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Minimum password age\n"
          ],
          "status": "PASS",
          "actual_value": "1",
          "expected_result": "'' is greater or equal to 1",
          "scored": true,
          "IsMultiple": false
        },
        {
          "test_number": "1.1.4",
          "test_desc": "Ensure 'Minimum password length' is set to '14 or more character(s)' (Automated)",
          "SubChecks": null,
          "audit_type": "powershell",
          "audit": {
            "cmd": {
              "DomainController": "Get-ADDefaultDomainPasswordPolicy -Current LocalComputer | Select -ExpandProperty MinPasswordLength",
              "Server": "Get-ADDefaultDomainPasswordPolicy -Current LocalComputer | Select -ExpandProperty MinPasswordLength"
            }
          },
          "type": "",
          "test_info": [
            "To establish the recommended configuration via GP, set the following UI path to 14 or more character(s):\n    Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Minimum password length\n"
          ],
          "status": "FAIL",
          "actual_value": "7",
          "expected_result": "'' is greater or equal to 14",
          "scored": true,
          "IsMultiple": false
        },
        {
          "test_number": "1.1.5",
          "test_desc": "Ensure 'Password must meet complexity requirements' is set to 'Enabled' (Automated)",
          "SubChecks": null,
          "audit_type": "powershell",
          "audit": {
            "cmd": {
              "DomainController": "Get-ADDefaultDomainPasswordPolicy -Current LocalComputer | Select -ExpandProperty ComplexityEnabled",
              "Server": "Get-ADDefaultDomainPasswordPolicy -Current LocalComputer | Select -ExpandProperty ComplexityEnabled"
            }
          },
          "type": "",
          "test_info": [
            "To establish the recommended configuration via GP, set the following UI path to 14 or more character(s):\n     Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Password must meet complexity requirements\n"
          ],
          "status": "PASS",
          "actual_value": "True",
          "expected_result": "'' has 'True'",
          "scored": true,
          "IsMultiple": false
        }
      ],
      "pass": 4,
      "fail": 1,
      "warn": 0,
      "info": 0
    }
  ],
  "total_pass": 4,
  "total_fail": 1,
  "total_warn": 0,
  "total_info": 0
}

windows-bench's People

Contributors

afdesk avatar chen-keinan avatar dependabot[bot] avatar lizrice avatar robertojrojas avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar

Forkers

afdesk chen-keinan kaerez

windows-bench's Issues

scan result should look a like (format) as linux bench

The structure of the results JSON for WindowsBench differs from that of LinuxBench.

In LinuxBench JSON, there is a "result" field containing information about tests, total pass/fail/warn counts, etc. In contrast, the WindowsBench JSON focuses on individual test cases. The WindowsBench JSON does not include the "scan_status" field found in the LinuxBench JSON.

linux_bench_results.json

windows_bench_results.json

Attached are example of both results scan

bug: run checks for specific OS

It seems there is no check for OS type.

> Get-ComputerInfo -Property "os*" | Select -ExpandProperty OsProductType
DomainController

but we still run checks for Server too:
изображение

Support the ability to provide a test yaml file configured using the --config parameter CLI

Support the ability to give a specific configuration file to windows-bench CLI , same as we do for bench-common.
Whenever the --config is present, windows-bench won't run the built-in tests but only use the yaml filename tests

E.g.,
windows-bench.exe --json --outputfile "C:\Program Files\AquaSec\tmp\windowsbench_yFFRnHRL.json" --config "C:\Program Files\AquaSec\tmp\windowsbench_cfg_yFFRnHRL.yaml"

Add code coverage

Could use the same code coverage tools as we use in the other *-bench projects

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.