
microsoft-windows-server-2019-stig-baseline's Introduction

microsoft-windows-server-2019-stig-baseline

InSpec profile to validate the secure configuration of Microsoft Windows Server 2019, against DISA's Microsoft Windows Server 2019 Security Technical Implementation Guide (STIG) Version 1, Release 3.

Getting Started

It is intended and recommended that InSpec run this profile from a "runner" host (such as a DevOps orchestration server, an administrative management system, or a developer's workstation/laptop) against the target remotely over winrm.

For the best security of the runner, always install on the runner the latest version of InSpec and supporting Ruby language components.

The latest versions and installation options are available at the InSpec site.

Tailoring to Your Environment

The following inputs must be configured in an inputs ".yml" file for the profile to run correctly for your specific environment. More information about InSpec inputs can be found in the InSpec Profile Documentation.

# Set to either the string "true" or "false"
sensitive_system: false

# List of temporary accounts on the domain
temp_accounts_domain: []

# List of temporary accounts on local system
temp_accounts_local: []

# List of emergency accounts on the domain
emergency_accounts_domain: []

# List of emergency accounts on the system
emergency_accounts_local: []

# List of authorized users in the local Administrators group for a domain controller
local_administrators_dc: []

# List of authorized users in the local Administrators group for a member server
local_administrators_member: []

# Local Administrator Account on Windows Server
local_administrator: ""

# List of authorized users in the Backup Operators Group
backup_operators: []

# List Application or Service Accounts domain
application_accounts_domain: []

# List Excluded Accounts domain
excluded_accounts_domain: []

# List Application Local Accounts
application_accounts_local: []

# List of authorized users in the local Administrators group
administrators: []

Running This Baseline Directly from Github

# How to run
inspec exec https://github.com/mitre/microsoft-windows-server-2019-stig-baseline/archive/master.tar.gz --target winrm://<hostip> --user '<admin-account>' --password=<password> --input-file=<path_to_your_inputs_file/name_of_your_inputs_file.yml> --reporter=cli json:<path_to_your_output_file/name_of_your_output_file.json>

Different Run Options

Full exec options

Running This Baseline from a local Archive copy

If your runner is not always expected to have direct access to GitHub, use the following steps to create an archive bundle of this baseline and all of its dependent tests:

(Git is required to clone the InSpec profile using the instructions below. Git can be downloaded from the Git site.)

When the "runner" host uses this profile baseline for the first time, follow these steps:

mkdir profiles
cd profiles
git clone https://github.com/mitre/microsoft-windows-server-2019-stig-baseline
inspec archive microsoft-windows-server-2019-stig-baseline
inspec exec <name of generated archive> --target winrm://<hostip> --user '<admin-account>' --password=<password> --input-file=<path_to_your_inputs_file/name_of_your_inputs_file.yml> --reporter=cli json:<path_to_your_output_file/name_of_your_output_file.json>

For every successive run, follow these steps to always have the latest version of this baseline:

cd microsoft-windows-server-2019-stig-baseline
git pull
cd ..
inspec archive microsoft-windows-server-2019-stig-baseline --overwrite
inspec exec <name of generated archive> --target winrm://<hostip> --user '<admin-account>' --password=<password> --input-file=<path_to_your_inputs_file/name_of_your_inputs_file.yml> --reporter=cli json:<path_to_your_output_file/name_of_your_output_file.json>

Using Heimdall for Viewing the JSON Results

The JSON results output file can be loaded into heimdall-lite for a user-interactive, graphical view of the InSpec results.

The JSON InSpec results file may also be loaded into a full heimdall server, allowing for additional functionality such as to store and compare multiple profile runs.

Authors

Special Thanks

Contributing and Getting Help

To report a bug or feature request, please open an issue.

NOTICE

© 2018-2020 The MITRE Corporation.

Approved for Public Release; Distribution Unlimited. Case Number 18-3678.

NOTICE

MITRE hereby grants express written permission to use, reproduce, distribute, modify, and otherwise leverage this software to the extent permitted by the licensed terms provided in the LICENSE.md file included with this project.

NOTICE

This software was produced for the U. S. Government under Contract Number HHSM-500-2012-00008I, and is subject to Federal Acquisition Regulation Clause 52.227-14, Rights in Data-General.

No other use other than that granted to the U. S. Government, or to those acting on behalf of the U. S. Government under that Clause is authorized without the express written permission of The MITRE Corporation.

For further information, please contact The MITRE Corporation, Contracts Management Office, 7515 Colshire Drive, McLean, VA 22102-7539, (703) 983-6000.

NOTICE

DISA STIGs are published by DISA IASE, see: https://iase.disa.mil/Pages/privacy_policy.aspx

microsoft-windows-server-2019-stig-baseline's People

Contributors

aagiardd, aaronlippold, abailey1021, ejaronne, em-c-rod, georgedias, hackershark, karikarshivani, raheelaziz, raziz086, rdean716, t0sche, yarick


microsoft-windows-server-2019-stig-baseline's Issues

Incorrect input value for eventvwr_perms

Hi maintainers,

The input value is currently:

  - name: eventvwr_perms
    profile: Windows_Server_2019_STIG
    value:
      - NT AUTHORITY\SYSTEM Allow  ReadAndExecute, Synchronize
      - BUILTIN\Administrators Allow  ReadAndExecute, Synchronize
      - BUILTIN\Users Allow  ReadAndExecute, Synchronize
      - NT SERVICE\TrustedInstaller Allow  FullControl
      - APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow  ReadAndExecute, Synchronize

It should also include the entry "- APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow  ReadAndExecute, Synchronize".

From a running 2019 host:

(get-acl .\eventvwr.exe).AccessToString
NT AUTHORITY\SYSTEM Allow  ReadAndExecute, Synchronize
BUILTIN\Administrators Allow  ReadAndExecute, Synchronize
BUILTIN\Users Allow  ReadAndExecute, Synchronize
NT SERVICE\TrustedInstaller Allow  FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow  ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Allow  ReadAndExecute, Synchronize

I will submit a PR if you're accepting of the modification.

V-93037 Add edge case for single OU

This code block might be leading to the following error when running the profile against a Domain Controller:

ou_list = json(command: "Get-ADOrganizationalUnit -filter * -SearchBase '#{distinguishedName}' | Select-Object -ExpandProperty distinguishedname | ConvertTo-Json").params

ou_list.each do |ou|
  acl_rules = json(command: "(Get-ACL -Audit -Path AD:'#{ou}').Access | ConvertTo-CSV | ConvertFrom-CSV | ConvertTo-JSON").params
  # (per-OU tests omitted from this excerpt)
end

Error:

undefined method `each' for "OU=Domain Controllers,DC=saf,DC=cms":String

Recommendation:
Since the tests are 100 lines long, the easiest way to address this would be to set the variable as an array early on so single values don't affect the for loop.

# Array() wraps a single String, leaves an Array as-is and turns nil into []
ou_list = Array(json(command: <cmd>).params)
if ou_list.empty?
  <skip>
else
  <for loop with tests>
end
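A plain-Ruby illustration of the normalization the recommendation above asks for, added here and not code from the profile: it takes the raw text that ConvertTo-Json returns (a JSON array for several OUs, a bare JSON string for exactly one, nothing for none) and always yields an Array, so the per-OU loop can never hit the String#each error. The three command outputs are constructed.

```ruby
require 'json'

# Constructed samples of what `... | ConvertTo-Json` prints on a DC
# (not captured from a real host): several OUs, exactly one OU, and none.
MANY_OUS = <<~JSON
  [
    "OU=Domain Controllers,DC=saf,DC=cms",
    "OU=Servers,DC=saf,DC=cms"
  ]
JSON
ONE_OU = '"OU=Domain Controllers,DC=saf,DC=cms"'
NO_OUS = ''

# Normalize raw ConvertTo-Json text into an Array of distinguished names.
# ConvertTo-Json emits a bare JSON string when the pipeline holds a single
# object and prints nothing for an empty pipeline, so the result of
# json(...).params must never be assumed to be an Array.
def ou_list_from_json(stdout)
  text = stdout.to_s.strip
  return [] if text.empty?
  case (parsed = JSON.parse(text))
  when Array  then parsed.map(&:to_s)   # several OUs
  when String then [parsed]             # a single OU arrives as a scalar
  when nil    then []                   # literal JSON null
  else raise ArgumentError, "unexpected JSON type #{parsed.class} from ConvertTo-Json"
  end
end

# The loop body the control runs per OU can then iterate unconditionally.
def audit_targets(stdout)
  ou_list_from_json(stdout).map { |ou| "(Get-ACL -Audit -Path AD:'#{ou}').Access" }
end
```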

Exploit Protection Edge case: V-9331x & V-93565

The exploit protection controls (V-93313, V-93315, V-93317, V-93319, V-93565) need an edge case if the following command does not return anything instead of throwing a profile error:

Get-ProcessMitigation -System

Local admin accounts with a dash (or other excluded string) in their name are excluded from evaluation

administrator_group = command("net localgroup Administrators | Format-List | Findstr /V 'Alias Name Comment Members - command'").stdout.strip.split("\r\n")

Not sure what the best solution to modifying this command would be other than adding 2+ dashes to read net localgroup Administrators | Format-List | Findstr /V 'Alias Name Comment Members -- command'.
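As an added example (not the profile's own code), the same membership list parsed in Ruby from the full `net localgroup Administrators` output instead of keyword-filtering with Findstr: members are taken from between the dashed separator and the status line, so a name containing a dash, "Members" or "command" is no longer silently dropped from the evaluation. The command output below is constructed.

```ruby
# Constructed sample of `net localgroup Administrators` output, with the CRLF
# line endings InSpec's command resource returns from a Windows target.
NET_LOCALGROUP_OUTPUT = [
  'Alias name     Administrators',
  'Comment        Administrators have complete and unrestricted access to the computer/domain',
  '',
  'Members',
  '',
  '-' * 79,
  'Administrator',
  'SAF\Domain Admins',
  'svc-backup-agent',
  'break-glass',
  'The command completed successfully.',
  ''
].join("\r\n")

# Return the member names: every non-empty line after the dashed separator and
# before the trailing status line. No per-line keyword filter is applied, so a
# member whose name contains "-", "Members" or "command" is kept.
def local_group_members(stdout)
  lines = stdout.split(/\r?\n/).map(&:strip)
  start = lines.index { |l| l.match?(/\A-{5,}\z/) }
  raise ArgumentError, 'separator line not found in net localgroup output' if start.nil?
  members = lines[(start + 1)..-1]
  stop = members.index { |l| l.start_with?('The command completed') }
  members = members[0...stop] if stop
  members.reject(&:empty?)
end

# Members not on the authorized list (compared case-insensitively, as Windows
# account names are); a non-empty result is the finding the control reports.
def unauthorized_members(stdout, authorized)
  allowed = authorized.map(&:downcase)
  local_group_members(stdout).reject { |m| allowed.include?(m.downcase) }
end
```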

Github Actions Failing

Apparently all GitHub Actions are failing and none of the artifacts are correct.

-----> Starting Test Kitchen (v3.1.0)
>>>>>> ------Exception-------
>>>>>> Class: Kitchen::UserError
>>>>>> Message: Vagrant 1.1.0 or higher is not installed. Please download a package from https://www.vagrantup.com/downloads.html.
>>>>>> ----------------------
>>>>>> Please see .kitchen/logs/kitchen.log for more details
>>>>>> Also try running `kitchen diagnose --all` for configuration

Updates to w32time_config cause error when running profile

Updates to w32time_config cause error when running profile. Removing the require statements causes the error to go away.

<internal:C:/opscode/chef-workstation/embedded/lib/ruby/3.0.0/rubygems/core_ext/kernel_require.rb>:85:in `require': cannot load such file -- inspec/resource/registry_key (LoadError)

V-92961 incorrect matcher

The expected value of inactivity limit should not equal 0 per the check text:

Value: 0x00000384 (900) (or less, excluding "0" which is effectively disabled)

The test should be corrected to:

its('InactivityTimeoutSecs') { should_not eq 0 }

V-93187 is erroring due to unavailable w32time_config resources

Error message when executing the InSpec profile on Windows 2019:

#< CLIXML
<internal:C:/opscode/chef-workstation/embedded/lib/ruby/3.0.0/rubygems/core_ext/kernel_require.rb>:85:in `require': cannot load such file -- resources/aws/w32time_config (LoadError)
<internal:C:/opscode/chef-workstation/embedded/lib/ruby/3.0.0/rubygems/core_ext/kernel_require.rb>:85:in `require': cannot load such file -- inspec/resources/w32time_config (LoadError)

Looks like a recent commit is the source of this issue: af260e0#diff-e4d403771200908dfbf9319326986195e5a35ddd6f5fb274a5b76e6311b6f415

Overlaying back to the old method does not resolve the issue.

V-92991 should not expect optical drives to be formatted NTFS

Hi Maintainers,

Currently the control is using WMI to grab all instances of logical disks to ensure that they are all formatted NTFS or ReFS. Drive type 5 is "Compact Disc" and I think NTFS is not an appropriate expectation here. I would propose limiting the original WMI query to only type 3 drives, or excluding type 5 drives from the results, though I think NTFS may not be appropriate for the other drive types as well.

currently:
get_volumes = command("wmic logicaldisk get FileSystem | findstr /r /v '^$' |Findstr /v 'FileSystem'").stdout.strip.split("\r\n")

proposed:
get_volumes = command("wmic logicaldisk where DriveType=3 get FileSystem | findstr /r /v '^$' |Findstr /v 'FileSystem'").stdout.strip.split("\r\n")

Will submit a PR if you concur?

V-93035 Control failure on Domain Controller

              "status": "failed",
              "code_desc": "Control Source Code Error microsoft-windows-server-2019-stig-baseline/controls/V-93035.rb:3 ",
              "run_time": 0.016248295,
              "start_time": "2020-07-31T19:27:51+00:00",
              "message": "undefined local variable or method `distinguishedName' for #<Inspec::Rule:0x000055f405b43210>",
              "exception": "RuntimeError",

Phase 2

  • Manual checks to be automated checks (wherever possible)

  • Standardize inputs

  • Parameterize values

Input Optimization

Consider removing redundant inputs that were created to parameterize STIG text. Currently, the inputs that can be removed are:

  • temporary_account_period_phrase
  • emergency_account_period_phrase
  • maximum_idle_time_phrase

These inputs can instead be calculated as needed (ex: #{input('xphrase')/60})

Do these check for any other SIDs?

https://github.com/mitre/microsoft-windows-server-2019-stig-baseline/blob/peer-review/controls/V-92995.rb

Does this check if any SIDs other than the following are granted the
"SeNetworkLogonRight" user right, because this would be a finding (fail).

S-1-5-32-544 (Administrators)
S-1-5-11 (Authenticated Users)
S-1-5-9 (Enterprise Domain Controllers)

Right now it seems to only check if these 3 do have the right, but not if other SIDs do?

Similar question for V-93059, V-93069, V-93073
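To make the distinction in the question concrete, here is an added plain-Ruby stand-in (not the profile's code, which uses InSpec's security_policy resource) that parses the [Privilege Rights] section of a secedit export and reports both the allowed SIDs missing from SeNetworkLogonRight and the SIDs that hold it without being on the allowed list; only the second comparison turns an extra grant into a finding. The export fragment, including its domain-account SID, is constructed.

```ruby
# Constructed fragment of a `secedit /export /cfg <file>` INF (not captured
# from a real host). Each SID in this format carries a leading "*".
SECEDIT_EXPORT = <<~'INF'
  [Unicode]
  Unicode=yes
  [Privilege Rights]
  SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11,*S-1-5-9,*S-1-5-21-1111111111-2222222222-3333333333-1105
  SeDenyNetworkLogonRight = *S-1-5-32-546
  [Version]
  signature="$CHICAGO$"
  Revision=1
INF

# SIDs the check text allows to hold "Access this computer from the network"
# on a domain controller: Administrators, Authenticated Users, Enterprise DCs.
ALLOWED_NETWORK_LOGON = %w[S-1-5-32-544 S-1-5-11 S-1-5-9].freeze

# Return the SIDs granted +right+ in the [Privilege Rights] section, or []
# when the right is not listed at all (which means nobody holds it).
def user_right_sids(export, right)
  section = nil
  export.each_line do |raw|
    line = raw.strip
    if (m = line.match(/\A\[(.+)\]\z/))
      section = m[1]
      next
    end
    next unless section == 'Privilege Rights'
    key, value = line.split('=', 2).map(&:strip)
    next unless key == right
    return value.to_s.split(',').map { |sid| sid.strip.sub(/\A\*/, '') }.reject(&:empty?)
  end
  []
end

# Both directions of the comparison: allowed SIDs that are absent and, the part
# a "should include" matcher alone never covers, SIDs present that are not on
# the allowed list. A non-empty :unexpected list is a finding.
def user_right_findings(export, right, allowed)
  actual = user_right_sids(export, right)
  { missing: allowed - actual, unexpected: actual - allowed }
end
```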

V-93267 bug

This check includes checking for registry value PreXPSP2ShellProtocolBehavior when this is not required in the check.

V-93187 fix

forest pdc emulator should be uniquely configured

Incorrect AD query in V-93439

Current command will get all users, including the PasswordNotRequired property where enabled equals true, but does not filter the PasswordNotRequired property.

"Get-ADUser -Filter * -Properties PasswordNotRequired | Where-Object -Property Enabled -eq $True | Select -ExpandProperty Name | ConvertTo-Json"

Should be: Get all users that are enabled AND PasswordNotRequired is also true.

"Get-ADUser -Filter \"(Enabled -eq $true) -And (PasswordNotRequired -eq $true)\" | Select -ExpandProperty Name | ConvertTo-Json"

I will submit a PR shortly.

V-93013 fails on domain controllers because the member server expectations are executed in addition to the Skip for AD systems.

Actual behavior:

  ↺  V-93013: Windows Server 2019 Deny log on as a service user right on
    domain-joined member servers must be configured to prevent access from highly
    privileged domain accounts. No other groups or accounts must be assigned this
    right. (2 failed) (1 skipped)
     ↺  This system is dedicated to the management of Active Directory, therefore this system is exempt from this control
     ×  Security Policy SeDenyServiceLogonRight is expected to include "S-1-5-21-2485657338-1484356311-222256282-512"
     expected [] to include "S-1-5-21-2485657338-1484356311-222256282-512"
     ×  Security Policy SeDenyServiceLogonRight is expected to include "S-1-5-21-2485657338-1484356311-222256282-519"
     expected [] to include "S-1-5-21-2485657338-1484356311-222256282-519"

expected behavior:

↺  V-93013: Windows Server 2019 Deny log on as a service user right on
    domain-joined member servers must be configured to prevent access from highly
    privileged domain accounts. No other groups or accounts must be assigned this
    right.
     ↺  This system is dedicated to the management of Active Directory, therefore this system is exempt from this control

I believe the same or similar issue exists in V-93013, V-93011, V-93015, V-92965 and V-93009.

  ↺  V-92965: Windows Server 2019 Deny log on through Remote Desktop Services user
  right on domain-joined member servers must be configured to prevent access from
  highly privileged domain accounts and all local accounts and from
  unauthenticated access on all systems. (2 failed) (1 skipped)
     ↺  This system is dedicated to the management of Active Directory, therefore this system is exempt from this control
     ×  Security Policy SeDenyRemoteInteractiveLogonRight is expected to include "S-1-5-21-2485657338-1484356311-222256282-512"
     expected ["S-1-5-32-546"] to include "S-1-5-21-2485657338-1484356311-222256282-512"
     ×  Security Policy SeDenyRemoteInteractiveLogonRight is expected to include "S-1-5-21-2485657338-1484356311-222256282-519"
     expected ["S-1-5-32-546"] to include "S-1-5-21-2485657338-1484356311-222256282-519"
  ↺  V-93009: Windows Server 2019 Deny access to this computer from the network user
    right on domain-joined member servers must be configured to prevent access from
    highly privileged domain accounts and local accounts and from unauthenticated
    access on all systems. (4 failed) (1 skipped)
     ↺  This system is dedicated to the management of Active Directory, therefore this system is exempt from this control
     ×  Security Policy SeDenyNetworkLogonRight is expected to include "S-1-5-21-2485657338-1484356311-222256282-512"
     expected ["S-1-5-32-546"] to include "S-1-5-21-2485657338-1484356311-222256282-512"
     ×  Security Policy SeDenyNetworkLogonRight is expected to include "S-1-5-21-2485657338-1484356311-222256282-519"
     expected ["S-1-5-32-546"] to include "S-1-5-21-2485657338-1484356311-222256282-519"
     ×  Security Policy SeDenyNetworkLogonRight is expected to include "S-1-5-113"
     expected ["S-1-5-32-546"] to include "S-1-5-113"
     ×  Security Policy SeDenyNetworkLogonRight is expected to include "S-1-5-114"
     expected ["S-1-5-32-546"] to include "S-1-5-114"
  ↺  V-93011: Windows Server 2019 Deny log on as a batch job user right on
  domain-joined member servers must be configured to prevent access from highly
  privileged domain accounts and from unauthenticated access on all systems. (2 failed) (1 skipped)
     ↺  This system is dedicated to the management of Active Directory, therefore this system is exempt from this control
     ×  Security Policy SeDenyBatchLogonRight is expected to include "S-1-5-21-2485657338-1484356311-222256282-512"
     expected ["S-1-5-32-546"] to include "S-1-5-21-2485657338-1484356311-222256282-512"
     ×  Security Policy SeDenyBatchLogonRight is expected to include "S-1-5-21-2485657338-1484356311-222256282-519"
     expected ["S-1-5-32-546"] to include "S-1-5-21-2485657338-1484356311-222256282-519"
  ↺  V-93013: Windows Server 2019 Deny log on as a service user right on
    domain-joined member servers must be configured to prevent access from highly
    privileged domain accounts. No other groups or accounts must be assigned this
    right. (2 failed) (1 skipped)
     ↺  This system is dedicated to the management of Active Directory, therefore this system is exempt from this control
     ×  Security Policy SeDenyServiceLogonRight is expected to include "S-1-5-21-2485657338-1484356311-222256282-512"
     expected [] to include "S-1-5-21-2485657338-1484356311-222256282-512"
     ×  Security Policy SeDenyServiceLogonRight is expected to include "S-1-5-21-2485657338-1484356311-222256282-519"
     expected [] to include "S-1-5-21-2485657338-1484356311-222256282-519"
  ↺  V-93015: Windows Server 2019 Deny log on locally user right on domain-joined
  member servers must be configured to prevent access from highly privileged
  domain accounts and from unauthenticated access on all systems. (2 failed) (1 skipped)
     ↺  This system is dedicated to the management of Active Directory, therefore this system is exempt from this control
     ×  Security Policy SeDenyInteractiveLogonRight is expected to include "S-1-5-21-2485657338-1484356311-222256282-512"
     expected ["S-1-5-32-546"] to include "S-1-5-21-2485657338-1484356311-222256282-512"
     ×  Security Policy SeDenyInteractiveLogonRight is expected to include "S-1-5-21-2485657338-1484356311-222256282-519"
     expected ["S-1-5-32-546"] to include "S-1-5-21-2485657338-1484356311-222256282-519"

I would like to submit a PR addressing each control.
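
As an added example (not code from the profile or from the issue author), the following PowerShell checks one "Deny log on ..." user right the way the control above intends: a domain controller is reported as exempt and nothing else runs, while a member server must have Domain Admins (RID 512) and Enterprise Admins (RID 519) assigned. The `[Privilege Rights]` sample and its domain SID are constructed for this example so the parsing can be exercised offline; the function names are this example's own.

```powershell
# Added example: evaluate a Deny-logon user right against the STIG SIDs, skipping
# entirely on a domain controller (Win32_ComputerSystem.DomainRole 4 or 5).

# Constructed sample of the [Privilege Rights] section 'secedit /export' writes,
# with a made-up domain SID; only Domain Admins is assigned the service-deny right.
$SampleSecedit = @'
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-32-546
SeDenyServiceLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-512
'@

function Get-PrivilegeMembers {
    param([string]$SeceditText, [string]$Right)
    # secedit writes 'Right = *SID,*SID'; a right with no assignments has no line at all.
    $line = ($SeceditText -split "`r?`n") |
        Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    @(($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
}

function Get-MissingDenySids {
    param([string]$SeceditText, [string]$Right, [string[]]$RequiredSids)
    $present = Get-PrivilegeMembers -SeceditText $SeceditText -Right $Right
    @($RequiredSids | Where-Object { $_ -notin $present })
}

function Test-DenyRight {
    param([string]$Right)
    # 4 = backup domain controller, 5 = primary domain controller: exempt, return early.
    if ((Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -in 4, 5) {
        return 'SKIP: domain controller, control not applicable'
    }
    # Unqualified 'Domain Admins' is resolved through LookupAccountName, which
    # searches the joined domain; the domain SID is then suffixed with the RIDs.
    $domainSid = ([System.Security.Principal.NTAccount]'Domain Admins').Translate(
        [System.Security.Principal.SecurityIdentifier]).AccountDomainSid.Value
    $required = "$domainSid-512", "$domainSid-519"

    $cfg = Join-Path $env:TEMP 'user_rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $missing = Get-MissingDenySids -SeceditText (Get-Content -LiteralPath $cfg -Raw) `
                                       -Right $Right -RequiredSids $required
    } finally {
        Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    }
    if ($missing.Count) { "FAIL: $Right lacks $($missing -join ', ')" } else { "PASS: $Right" }
}

# Offline run against the constructed sample (the -519 SID is not in the sample):
Get-MissingDenySids -SeceditText $SampleSecedit -Right SeDenyServiceLogonRight `
    -RequiredSids 'S-1-5-21-1111111111-2222222222-3333333333-512',
                  'S-1-5-21-1111111111-2222222222-3333333333-519'

# Live run on the local host; secedit /export needs an elevated prompt:
# Test-DenyRight -Right SeDenyServiceLogonRight
```

The early `return` in `Test-DenyRight` is the point the issue makes: the exemption and the member-server expectations are alternatives, so the check must not fall through to the SID comparison once the host has been identified as a domain controller. The same structure applies to the other rights listed in the issue (SeDenyNetworkLogonRight, SeDenyBatchLogonRight, SeDenyInteractiveLogonRight, SeDenyRemoteInteractiveLogonRight), with S-1-5-113, S-1-5-114 and S-1-5-32-546 added to `$required` where the control calls for them.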

Compare 2016 and 2019

Compare the controls and scope out the LOE

Context

Who: ISPG, CFACTS
What: Develop and deliver InSpec profile of the DISA STIG baseline and develop CMS ARS 3.1 overlay profiles for low, moderate, high systems.
Why: This profile enables ISPG and any other CMS team to continuously validate their systems against a standard DISA STIG baseline for compliance and CDM reporting. Also, supports data requests from external ACT, CDM, and other audit requests.

Inconsistent `describe.one` blocks

The describe.one blocks for these controls are not consistent:

  • V-93249
  • V-93261
  • V-93263
  • V-93267
  • V-93311
  • V-93413
  • V-93563

The controls listed above have this in the check text:

If the registry value name below does not exist, this is not a finding.
If it exists and is configured with a value of <value>, this is not a finding.
If it exists and is configured with a value of <value>, this is a finding.

Code recommendation:

describe.one do
  # Value name absent: not a finding.
  describe registry_key('<path>') do
    it { should_not have_property '<property>' }
  end
  # Value name present: it must hold the compliant value.
  describe registry_key('<path>') do
    it { should have_property '<property>' }
    its('<property>') { should_not cmp <finding_value> }
    its('<property>') { should cmp <compliant_value> }
  end
end
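
As an added example (not code from the profile or from the issue author), this PowerShell expresses the same three-way check text outside InSpec: key absent, value name absent, and value present each map to a distinct state, and only the last one can be a finding. The scratch key path, the `SaveZoneInformation` value name and the compliant value of 2 are illustrative assumptions of this example; substitute the path, name and value from the control being implemented.

```powershell
# Added example: "absent OR equals the compliant value" as an explicit three-state check.

function Test-RegistryValuePolicy {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)]$CompliantValue
    )
    # State 1: the key itself is absent, so the value cannot exist: not a finding.
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ State = 'KeyAbsent'; Finding = $false; Actual = $null }
    }
    # State 2: key present, value name absent: not a finding. Get-ItemProperty -Name
    # would throw here, so read the whole key and look the property up by name.
    $prop = (Get-ItemProperty -LiteralPath $Path).PSObject.Properties[$Name]
    if (-not $prop) {
        return [pscustomobject]@{ State = 'ValueAbsent'; Finding = $false; Actual = $null }
    }
    # State 3: value present: a finding only if it differs from the compliant value.
    [pscustomobject]@{
        State   = 'ValuePresent'
        Finding = ($prop.Value -ne $CompliantValue)
        Actual  = $prop.Value
    }
}

# Scratch key under HKCU, created and removed here so all three states can be walked.
$scratch = 'HKCU:\Software\StigDescribeOneExample'   # assumed scratch path
# Key does not exist yet.
Test-RegistryValuePolicy -Path $scratch -Name SaveZoneInformation -CompliantValue 2
New-Item -Path $scratch -Force | Out-Null
# Key exists, value name does not.
Test-RegistryValuePolicy -Path $scratch -Name SaveZoneInformation -CompliantValue 2
New-ItemProperty -Path $scratch -Name SaveZoneInformation -Value 1 -PropertyType DWord | Out-Null
# Value exists and differs from the compliant value.
Test-RegistryValuePolicy -Path $scratch -Name SaveZoneInformation -CompliantValue 2
Remove-Item -Path $scratch -Recurse
```

The two absent states are what the first `describe` in the recommended `describe.one` block covers; the present state is the second. Keeping them as separate branches, rather than a single comparison, is what prevents a missing value from being reported as a failure.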

Profile input c_windows_sysvol_perm has a typo

Is currently:

- name: c_windows_sysvol_perm
  desc: "Permissions on folder and file for SYSVOL Directory"
  type: Array
  value:
    - NT AUTHORITY\Authenticated Users:(RX)
    - NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GR,GE)
    - BUILTIN\Server Operators:(RX)
    - BUILTIN\Server Operators:(OI)(CI)(IO)(GR,GE)
    - BUILTIN\Administrators:(M,WDAC,WO)
    - BUILTIN\Administrators:(OI)(CI)(IO)(F)
    - NT AUTHORITY\SYSTEM:(F)
    - NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
    - BUILTIN\Administrators:(M,WDAC,WO)
    - CREATOR OWNER:(OI)(CI)(IO)(F)

Should be:

- name: c_windows_sysvol_perm
  desc: "Permissions on folder and file for SYSVOL Directory"
  type: Array
  value:
    - NT AUTHORITY\Authenticated Users:(RX)
    - NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GR,GE)
    - BUILTIN\Server Operators:(RX)
    - BUILTIN\Server Operators:(OI)(CI)(IO)(GR,GE)
    - BUILTIN\Administrators:(M,WDAC,WO)
    - BUILTIN\Administrators:(OI)(CI)(IO)(F)
    - NT AUTHORITY\SYSTEM:(F)
    - NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
    - **NT AUTHORITY\SYSTEM:(M,WDAC,WO)**
    - CREATOR OWNER:(OI)(CI)(IO)(F)

I will submit a PR.
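
As an added example (not code from the profile or from the issue author), this PowerShell compares the ACE strings `icacls` prints for a folder against an expected list such as `c_windows_sysvol_perm`. It compares counts as well as entries, so a line that appears twice on one side and once on the other is reported rather than absorbed. The `icacls` sample output and the short expected list are constructed for the offline run; the function names are this example's own, and the real check would pass the profile's full expected list.

```powershell
# Added example: diff icacls output for a folder against an expected ACE list.

function ConvertFrom-IcaclsOutput {
    param([string[]]$Lines, [string]$Path)
    # icacls prefixes the first ACE with the path and indents the rest; drop the
    # blank line and the "Successfully processed" summary, keep "principal:(rights)".
    $Lines |
        Where-Object { $_ -and $_ -notmatch '^Successfully processed' } |
        ForEach-Object { ($_ -replace ('^' + [regex]::Escape($Path)), '').Trim() }
}

function Get-IcaclsAces {
    param([string]$Path)
    # Stringify so stderr records from 2>&1 are handled like any other line.
    ConvertFrom-IcaclsOutput -Lines (icacls $Path 2>&1 | ForEach-Object { "$_" }) -Path $Path
}

function Compare-Aces {
    param([string[]]$Actual, [string[]]$Expected)
    # Group-Object turns each list into "entry xN" so duplicates are compared by count.
    $a = $Actual   | Group-Object | ForEach-Object { "$($_.Name) x$($_.Count)" }
    $e = $Expected | Group-Object | ForEach-Object { "$($_.Name) x$($_.Count)" }
    [pscustomobject]@{
        Missing    = @($e | Where-Object { $_ -notin $a })
        Unexpected = @($a | Where-Object { $_ -notin $e })
    }
}

# Constructed icacls output for a folder with three ACEs.
$SampleIcacls = @(
    'C:\Windows\SYSVOL NT AUTHORITY\Authenticated Users:(RX)',
    '                  NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GR,GE)',
    '                  BUILTIN\Administrators:(M,WDAC,WO)',
    '',
    'Successfully processed 1 files; Failed processing 0 files'
)
# Constructed expected list that carries the same Administrators entry twice.
$SampleExpected = @(
    'NT AUTHORITY\Authenticated Users:(RX)',
    'NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GR,GE)',
    'BUILTIN\Administrators:(M,WDAC,WO)',
    'BUILTIN\Administrators:(M,WDAC,WO)'
)

Compare-Aces -Actual (ConvertFrom-IcaclsOutput -Lines $SampleIcacls -Path 'C:\Windows\SYSVOL') `
             -Expected $SampleExpected

# Live comparison on a domain controller against the profile's input:
# Compare-Aces -Actual (Get-IcaclsAces -Path 'C:\Windows\SYSVOL') -Expected $c_windows_sysvol_perm
```

Inherited ACEs are printed by `icacls` with an `(I)` flag, so a list written against the root folder's explicit entries should be compared against the root folder, not a recursive listing.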

V-93339 syntax error

./controls/V-93339.rb:89: syntax error, unexpected `end', expecting end-of-input (SyntaxError)
