complete CIS 2012r2 level 1 standard #11
Conversation
files/localComputer.inf
Outdated
| SeCreateSymbolicLinkPrivilege = *S-1-5-32-544 | ||
| [Version] | ||
| signature="$CHICAGO$" | ||
| Revision=1 |
There was a problem hiding this comment.
This is awesome. We spent some time building some tooling around managing local security policy with Chef using secedit. The objective was to make it as modular / flexible as possible and separate tooling to a hardening cookbook. It's rough and ready but there is- https://github.com/grdnrio/windows-security-policy
You'll see that we're building the inf file dynamically. Would appreciate your feedback on it. Also would be great to collaborate.
There was a problem hiding this comment.
@MattTunny This is awesome work and I appreciate all the hard work you put into that PR. I see some parts that we need to improve before the merge:
- add additional documentation (via InSpec tests and possible attributes)
- split the big recipe into multiple smaller components
Could you also please sign-off your commits?
| @@ -1,8 +1,7 @@ | |||
| name 'base-win2012-hardening' | |||
There was a problem hiding this comment.
I think there is no need to update that file. We updated the name of the cookbook. We should bump the version to 1.x though since this is adding a lot of new features
| @@ -0,0 +1,571 @@ | |||
| # | |||
| # Cookbook Name:: base-win2012-hardening | |||
| # Recipe:: CIS_2012r2_L1 | |||
There was a problem hiding this comment.
Be aware that all code is licensed under Apache 2
| # unless ENV['TEST_KITCHEN'] | ||
|
|
||
| # NTLM Hardening -- This settings breaks WinRM | ||
| if node['NTLM_Harden'] == true |
There was a problem hiding this comment.
We need to update the parameters in our README.
There was a problem hiding this comment.
yeah i'll remove it for now and add it as a seperate recipe
| end | ||
| end | ||
|
|
||
| # Winlogon Settings |
There was a problem hiding this comment.
I am thinking about different recipes for each component, like winlogon.rb, lsa.rb what do you think?
There was a problem hiding this comment.
yeah thats a better way, i'll split them all out
| action :create | ||
| end | ||
|
|
||
| # Setting this on breaks test-kitchen - Federal Information Processing Standards. |
There was a problem hiding this comment.
This highlights that we need to reference that to the specific standard. I propose to do that in a approved InSpec benchmark https://github.com/dev-sec/windows-baseline
| # found at http://inspec.io/docs/reference/resources/ | ||
|
|
||
| # WinLogon Tests | ||
| describe registry_key('HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon') do |
There was a problem hiding this comment.
It is okay to have integration tests here. For improved user experience, we should move most tests to https://github.com/dev-sec/windows-baseline. This allows users to run the same tests easily against production environments
There was a problem hiding this comment.
yeah, i'll start a pull request on breaking apart the tests in line with new ones added in here
| - https://github.com/dev-sec/windows-hardening-benchmark | ||
|
|
||
| - name: CIS_2012r2_L1 |
There was a problem hiding this comment.
I feel like we should merge this and add the tests to https://github.com/dev-sec/windows-baseline
| end | ||
|
|
||
| # LSA tests | ||
| describe registry_key('HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa') do |
There was a problem hiding this comment.
I think we may want to use controls and add references to the specific cis benchmarks. Like
control 'lsa-1' do
impact 1.0
title 'LSA Network access'
desc 'Do not allow anonymous enumeration of SAM accounts and shares' to `Enabled`'
tag cis: '2.3.11.3'
...
tag remediation: 'https://github.com/dev-sec/chef-windows-hardening'
ref 'CIS Windows 2012 R2', url: 'https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_R2_Benchmark_v1.1.0.pdf'
describe registry_key()
...
end
end
Further examples are available here: https://github.com/chef/inspec/blob/master/examples/profile/controls/meta.rb
|
@MattTunny anything we can help you with? |
|
nah all good, been really busy at work, will be able to do all these changes on the weekend hopefully |
|
@MattTunny have a look at #16, this uses the flexible security policy generation |
Not sure if you guys want to add this as a complete cis standard? I think it might be easier to group them via versions since a lot of settings are different e.g 2008/2012/2016. I also added all the testing for each setting with InSpec, I haven't added them to the other repo since this might not be the direction you want to go?
If so happy to start working on more versions