fbprogmbh / audit-test-automation Goto Github PK

Audit TAP seems to have a problem with named Instances.
Error message: Server Instance not found or accessible.

Settings in the applicationhost.config file are currently not checked. A new section between the system report and the site reports is needed.

Please check: if an application is not available, because of not existing physical folder. Audit TAP should mark them, and should not try to read the web.config.

Error message:
Ausnahme beim Aufrufen von "GetSection" mit 1 Argument(en): "Dateiname: \?\C:\Program Files
(x86)\Plesk\admin\services\public\web.config
Fehler: Die Konfigurationsdatei kann nicht gelesen werden

STIG File:
If the value ExcelBypassEncryptedMacroScan does not exist, this is not a finding.
If the value is REG_DWORD = 0, this is not a finding.

After adding and changing the value, the status doesn't change.

In a case there is no option to install PS version 5/5.1, how can I still generate a report ?
Can you explain me on how to run all the task manually without report, using the functions (such as Full site report) ?

Audit TAP seems to have a problem with named Instances.
Error message: Server Instance not found or accessible.

local guest account SID ends with 501
$account = Get-localUser | Where-Object -Property sid -like "S-1-5-*-501"

	if ( $account.Disabled ) {

Property Disabled does not exist, it should be tested for enabled -eq $false.

Advanced IIS logging is not used since IIS 8.5-
However CIS IIS shows with this point, that enhanced IIS logging is the tool now and that companies should be aware of this point.
Advanced Logging is not available for IIS 10. See enhanced logging instead. maybe this should be changed, showing where to find Information about Enhanced logging.

STIG File context is:
If the value DisableUnsafeLocationsInPV is REG_DWORD = 0, this is not a finding.
If the value does not exist, this is not a finding.
If the value is REG_DWORD = 1, then this is a finding.

After adding and changing the value, the status doesn't change.

In the AUDIT-TAP report header, show the percentage of compliant/not-compliant tested rules.

For example:

Overall tested settings => 196
Failed (non-compliant) settings => 11

=> System is 94,38 % compliant to DISA/CIS/FB Pro security recommendations

STIG File context is:
If the value DisableEditFromPV is set to REG_DWORD = 1, this is not a finding.
If the value is set to REG_DWORD = 0, this is a finding.

After adding and changing the value, the status doesn't change.

After using IIS Crypto: https://www.nartac.com/Products/IISCrypto/ I tried running IIS10Audit again and was still getting failures. After digging further I noticed they were changing the values to 0xffffffff as enabled instead of dword 1. So I emailed them and they confirmed that is intentional behavior:

Actually both are valid. Microsoft's own documentation also conflicts with itself:
https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc
IIS Crypto originally set them to 1 and then a bunch of people complained as it did break software (not audit tools) so we changed it to the proper 0xffffffff. IIS Crypto will read both 1 and 0xffffffff when run though.

So I would request that IISAudit check for both values as valid Enabled.

Using some powershell or DISM commands extract base language and display it in "baseline information" on top of the report for example below "Hostname" or "build number".

This clarifies errors in case if system language is

1. not English OR
2. English was not used as installation language.

Rational
Audit TAP works best if

• English is used language OR

• Another language was installed as language pack on top of an english operating system installation.

It is currently necessary to use a subfolder in order to create a html-report.

This Problem does not exist for Windows 10 Report.

Getting rid of code duplication allows for

• consistent report style between audit modules
• easier maintenance

CIS Benchmark requires that value is set to number of minutes.
Audit checks for number of seconds value.

See attached screenshot

the result is always "false"

Add system information like hostname, operation system, iis version, free disk space, disk space, total ram, ram usage. Branding

CIS Benchmark requires that value is set to "Enabled"
Audit checks if value is "True"

CIS Benchmark requires that value is set to number of minutes.
Audit checks for number of seconds value.

TLS 1.1 should be disabled in IIS 10, according to CIS.
Here you still check, if it is enabled.

Got this error on Windows Server 2016 without Desktop interface

• Should be more textual description
• Should be one or two examples

• Should be Mozilla Firefox
• Should be DISA and CIS...

Checking on "Available" seems better be "Installed"
if ($ftpBindings.Count -gt 0 -or (Get-WindowsFeature Web-Ftp-Server).InstallState -eq [InstallState]::Available) { $message = "FTP is not disabled"

CIS Benchmark requires that value is set to "Disabled"
Audit checks if value is "False"

In a test environment the Windows Server 2016 audit tap shows "Found member(s)" if a User Rights Assignment setting is configured with no group or user.

For example:
The User Rights Assignment "The Lock pages in memory user right must not be assigned to any groups or accounts" is configured via GPO and no group or user are added which would be compliant with DISA. Nevertheless the audit report flags red for this section.

Further rules: SV_88455r1_rule, SV_88443r1_rule, SV_88415r1_rule

Problem: Throws a "non compliant if setting is set to "Success and Failure".
Expected: Should be compliant as setting is better than CIS benchmarks require.

When an error occurs in a test, some messages are duplicated.

User Rights Assignment causes problems, because it uses ConvertTo-NtAccount function. The ConvertTo-NTAccount function cannot translate english account names to SIDs.

CIS Benchmark requires that value is to number of days.
Audit checks for seconds value.

When entering filename as Report-Filename, "Test-Path" fails.
Please correct usage guidelines to howto documentation as useage guideline states to use file name. Without any path creation of HTML report works.
Screenshot anbei...

Hello,

Error feedback within the audit TAP 4.5

None:
17.3.1 - Cannot get Subcategory ''
17.5.2 - Cannot get Subcategory ''
17.5.5 - Cannot get Subcategory 'Other Logon Logoff Events'
17.7.4 - Cannot get Subcategory 'Mpssvc Rule Level Policy Change'

False:
1.2.2 - 'LockoutBadCount' currently set to: 3. Expected: x <= 10 and x > 0
2.2.14 - The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: NT VIRTUAL MACHINE\Virtual Machines

Best
Andre

Check the passed path right before starting all test function otherwise tests are done unnecessarily because report cannot be written to desired destination.
As in a bigger environment the report cmdlet could take up to 45 minutes or more to finish, checking the path as a first step could be a huge time saver.

This only applies to .Net 2.0. Future versions have stopped supporting this feature.
Future versions may have stopped supporting this feature, however if this is hardened, then the application just stop working.
Maybe a warning would be enough for checking this point.

STIG File context is:
If the value DisableInternetFilesInPV is REG_DWORD = 0, this is not a finding.
If the value does not exist, this is not a finding.
If the value is REG_DWORD = 1, then this is a finding.

After adding and changing the value, the status doesn't change.

Would be easier to read long reports.

SQL Server is hardend, user is admin on windows machine and sql server.

On a german system, Audit TAP needs also to check for "Erfolg, Erfolg und Fehler and Keine Überwachung"
For all settings, Audit TAP could not get setting.

CIS Benchmark requires that value is set to number of days.
Audit checks for number of seconds value.

Basemark list will then be more clear to read.