From fe887edd515cb392261cccc48b7bbb57aa1735ee Mon Sep 17 00:00:00 2001
From: dev-sec CI
Date: Thu, 18 Jun 2020 09:51:11 +0000
Subject: [PATCH] update inspec.yml and changelog
---
CHANGELOG.md | 50 +++++++++++-
inspec.yml | 214 +++++++++++++++++++++++++--------------------------
2 files changed, 153 insertions(+), 111 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c2af2b4..b2ecf9e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,42 @@ -# Change Log +# Changelog + +## [2.0.1](https://github.com/dev-sec/windows-baseline/tree/2.0.1) (2020-06-18) + +[Full Changelog](https://github.com/dev-sec/windows-baseline/compare/2.1.1...2.0.1) + +**Closed issues:** + +- formatting error when executing profile [\#34](https://github.com/dev-sec/windows-baseline/issues/34) +- LAN Manager authentication level incorrect [\#25](https://github.com/dev-sec/windows-baseline/issues/25) +- Should we close SeNetworkLogonRight for all users? [\#19](https://github.com/dev-sec/windows-baseline/issues/19) +- The title of each test should clearly state what should be done [\#18](https://github.com/dev-sec/windows-baseline/issues/18) + +**Merged pull requests:** + +- github actions release [\#39](https://github.com/dev-sec/windows-baseline/pull/39) ([micheelengronne](https://github.com/micheelengronne)) +- replace the german text to english and fix the windows 2012r2 tag [\#37](https://github.com/dev-sec/windows-baseline/pull/37) ([atomic111](https://github.com/atomic111)) +- Feature/inspec4alerts [\#33](https://github.com/dev-sec/windows-baseline/pull/33) ([imjoseangel](https://github.com/imjoseangel)) + +## [2.1.1](https://github.com/dev-sec/windows-baseline/tree/2.1.1) (2019-06-11) + +[Full Changelog](https://github.com/dev-sec/windows-baseline/compare/2.1.0...2.1.1) + +**Merged pull requests:** + +- Replace German characters to avoid exec failures and bump version to 2.1.1 [\#36](https://github.com/dev-sec/windows-baseline/pull/36) ([alexpop](https://github.com/alexpop)) +- Update administrative\_templates\_computer.rb [\#32](https://github.com/dev-sec/windows-baseline/pull/32) ([Staggerlee011](https://github.com/Staggerlee011)) +- fix missing "o" in windows-245 [\#31](https://github.com/dev-sec/windows-baseline/pull/31) ([rndmh3ro](https://github.com/rndmh3ro)) + +## [2.1.0](https://github.com/dev-sec/windows-baseline/tree/2.1.0) (2019-05-16) + +[Full 
Changelog](https://github.com/dev-sec/windows-baseline/compare/2.0.0...2.1.0) + +**Merged pull requests:** + +- Update gems and bump profile version to 2.1.0 [\#30](https://github.com/dev-sec/windows-baseline/pull/30) ([alexpop](https://github.com/alexpop)) ## [2.0.0](https://github.com/dev-sec/windows-baseline/tree/2.0.0) (2019-05-15) + [Full Changelog](https://github.com/dev-sec/windows-baseline/compare/1.2.0...2.0.0) **Merged pull requests:** @@ -8,14 +44,18 @@ - New windows cis profile for win2012r2 and 2016 [\#27](https://github.com/dev-sec/windows-baseline/pull/27) ([atomic111](https://github.com/atomic111)) ## [1.2.0](https://github.com/dev-sec/windows-baseline/tree/1.2.0) (2019-05-15) + [Full Changelog](https://github.com/dev-sec/windows-baseline/compare/1.1.2...1.2.0) **Merged pull requests:** - correct license style and bump version to 1.1.3 [\#28](https://github.com/dev-sec/windows-baseline/pull/28) ([atomic111](https://github.com/atomic111)) - Update common [\#26](https://github.com/dev-sec/windows-baseline/pull/26) ([atomic111](https://github.com/atomic111)) +- Update issue templates [\#24](https://github.com/dev-sec/windows-baseline/pull/24) ([rndmh3ro](https://github.com/rndmh3ro)) +- fixing control for 'cis-access-cred-manager-2.2.1' [\#23](https://github.com/dev-sec/windows-baseline/pull/23) ([wer-sce](https://github.com/wer-sce)) ## [1.1.2](https://github.com/dev-sec/windows-baseline/tree/1.1.2) (2019-03-26) + [Full Changelog](https://github.com/dev-sec/windows-baseline/compare/1.1.0...1.1.2) **Closed issues:** 
@@ -24,12 +64,11 @@ **Merged pull requests:** -- Update issue templates [\#24](https://github.com/dev-sec/windows-baseline/pull/24) ([rndmh3ro](https://github.com/rndmh3ro)) -- fixing control for 'cis-access-cred-manager-2.2.1' [\#23](https://github.com/dev-sec/windows-baseline/pull/23) ([wer-sce](https://github.com/wer-sce)) - Fixed spelling error [\#17](https://github.com/dev-sec/windows-baseline/pull/17) ([hannah-radish](https://github.com/hannah-radish)) - Move SMB1 control to windows-baseline [\#16](https://github.com/dev-sec/windows-baseline/pull/16) ([yvovandoorn](https://github.com/yvovandoorn)) ## [1.1.0](https://github.com/dev-sec/windows-baseline/tree/1.1.0) (2017-05-08) + [Full Changelog](https://github.com/dev-sec/windows-baseline/compare/1.0.1...1.1.0) **Implemented enhancements:** @@ -52,6 +91,9 @@ - add contribution guidelines [\#7](https://github.com/dev-sec/windows-baseline/pull/7) ([chris-rock](https://github.com/chris-rock)) ## [1.0.1](https://github.com/dev-sec/windows-baseline/tree/1.0.1) (2017-02-01) + +[Full Changelog](https://github.com/dev-sec/windows-baseline/compare/5b20a47a9d7ce334d28800aa5719e5bf83fd3898...1.0.1) + **Merged pull requests:** - Removed per control licensing as repo is under Apache 2.0 [\#5](https://github.com/dev-sec/windows-baseline/pull/5) ([grdnrio](https://github.com/grdnrio)) @@ -61,4 +103,4 @@ -\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)* \ No newline at end of file +\* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)* diff --git a/inspec.yml b/inspec.yml index 57d4197..cc5a38f 100644 --- a/inspec.yml +++ b/inspec.yml 
@@ -2,116 +2,116 @@ name: windows-baseline title: DevSec Windows Security Baseline summary: An InSpec Compliance Profile that covers CIS Microsoft Windows Server 2012R2, 2016 RTM (Release 1607) Benchmark Level 1 and 2 and additional controls from MS technet. -version: 2.1.1 +version: 2.0.1 maintainer: DevSec Hardening Framework Team copyright: DevSec Hardening Framework Team copyright_email: hello@dev-sec.io license: Apache-2.0 supports: - - platform-family: windows + - platform-family: windows attributes: - - name: level_1_or_2 - required: false - description: 'define if you want to execute Level 1 or (Level 1 and Level 2)' - value: 1, - type: numeric - - name: ms_or_dc - required: false - description: 'define if you want to execute the profile in the context of a Memeber Server (MS) or Domain Controler (DC)' - value: 'MS' - type: string - - name: password_history_size - required: false - description: 'define password history size' - value: 24 - type: numeric - - name: maximum_password_age - required: false - description: 'define MaximumPasswordAge' - value: 60 - type: numeric - - name: se_network_logon_right - required: false - description: 'define which users are allowed to access this computer from the network' - value: ['S-1-5-9', 'S-1-5-32-544'] - type: array - - name: se_interactive_logon_right - required: false - description: 'define which users are allowed to log on locally' - value: ['S-1-5-32-544'] - type: array - - name: se_remote_interactive_logon_right - required: false - description: 'define which users are allowed to log on through Remote Desktop Services' - value: ['S-1-5-32-544'] - type: array - - name: se_backup_privilege - required: false - description: 'define which users are allowed to backup files and directories' - value: ['S-1-5-32-544'] - type: array - - name: se_systemtime_privilege - required: false - description: 'define which users are allowed to change system time' - value: ['S-1-5-19', 'S-1-5-32-544'] - type: array - - name: 
se_time_zone_privilege - required: false - description: 'define which users are allowed to change system time zone' - value: ['S-1-5-19', 'S-1-5-32-544'] - type: array - - name: se_create_symbolic_link_privilege - required: false - description: 'define which users are allowed to create symbolic links' - value: ['S-1-5-32-544'] - type: array - - name: se_deny_network_logon_right - required: false - description: 'define which users are not allowed to access this computer from the network' - value: ['S-1-5-32-546'] - type: array - - name: se_deny_remote_interactive_logon_right - required: false - description: 'define which users are not allowed to log on through Remote Desktop Services' - value: ['S-1-5-32-546'] - type: array - - name: se_enable_delegation_privilege - required: false - description: 'define which users are allowed to enable computer and user accounts to be trusted' - value: [] - type: array - - name: se_impersonate_privilege - required: false - description: 'define which users are allowed to impersonate a client after authentication' - value: ['S-1-5-19', 'S-1-5-20', 'S-1-5-32-544', 'S-1-5-6'] - type: array - - name: se_load_driver_privilege - required: false - description: 'define which users are allowed to impersonate a client after authentication' - value: ['S-1-5-32-544'] - type: array - - name: se_batch_logon_right - required: false - description: 'define which users are allowed to log on as a batch job' - value: ['S-1-5-32-544', 'S-1-5-32-551'] - type: array - - name: se_security_privilege - required: false - description: 'define which users are allowed to manage auditing and security logs' - value: ['S-1-5-32-544'] - type: array - - name: se_assign_primary_token_privilege - required: false - description: 'define which users are allowed to replace a process level token' - value: ['S-1-5-19', 'S-1-5-20'] - type: array - - name: se_restore_privilege - required: false - description: 'define which users are allowed to restore files and directories' - 
value: ['S-1-5-32-544'] - type: array - - name: hklm_null_session_pipes - required: false - description: 'define named pipes that can be accessed anonymously' - value: [] - type: array + - name: level_1_or_2 + required: false + description: 'define if you want to execute Level 1 or (Level 1 and Level 2)' + value: 1, + type: numeric + - name: ms_or_dc + required: false + description: 'define if you want to execute the profile in the context of a Memeber Server (MS) or Domain Controler (DC)' + value: 'MS' + type: string + - name: password_history_size + required: false + description: 'define password history size' + value: 24 + type: numeric + - name: maximum_password_age + required: false + description: 'define MaximumPasswordAge' + value: 60 + type: numeric + - name: se_network_logon_right + required: false + description: 'define which users are allowed to access this computer from the network' + value: ['S-1-5-9', 'S-1-5-32-544'] + type: array + - name: se_interactive_logon_right + required: false + description: 'define which users are allowed to log on locally' + value: ['S-1-5-32-544'] + type: array + - name: se_remote_interactive_logon_right + required: false + description: 'define which users are allowed to log on through Remote Desktop Services' + value: ['S-1-5-32-544'] + type: array + - name: se_backup_privilege + required: false + description: 'define which users are allowed to backup files and directories' + value: ['S-1-5-32-544'] + type: array + - name: se_systemtime_privilege + required: false + description: 'define which users are allowed to change system time' + value: ['S-1-5-19', 'S-1-5-32-544'] + type: array + - name: se_time_zone_privilege + required: false + description: 'define which users are allowed to change system time zone' + value: ['S-1-5-19', 'S-1-5-32-544'] + type: array + - name: se_create_symbolic_link_privilege + required: false + description: 'define which users are allowed to create symbolic links' + value: ['S-1-5-32-544'] + 
type: array + - name: se_deny_network_logon_right + required: false + description: 'define which users are not allowed to access this computer from the network' + value: ['S-1-5-32-546'] + type: array + - name: se_deny_remote_interactive_logon_right + required: false + description: 'define which users are not allowed to log on through Remote Desktop Services' + value: ['S-1-5-32-546'] + type: array + - name: se_enable_delegation_privilege + required: false + description: 'define which users are allowed to enable computer and user accounts to be trusted' + value: [] + type: array + - name: se_impersonate_privilege + required: false + description: 'define which users are allowed to impersonate a client after authentication' + value: ['S-1-5-19', 'S-1-5-20', 'S-1-5-32-544', 'S-1-5-6'] + type: array + - name: se_load_driver_privilege + required: false + description: 'define which users are allowed to impersonate a client after authentication' + value: ['S-1-5-32-544'] + type: array + - name: se_batch_logon_right + required: false + description: 'define which users are allowed to log on as a batch job' + value: ['S-1-5-32-544', 'S-1-5-32-551'] + type: array + - name: se_security_privilege + required: false + description: 'define which users are allowed to manage auditing and security logs' + value: ['S-1-5-32-544'] + type: array + - name: se_assign_primary_token_privilege + required: false + description: 'define which users are allowed to replace a process level token' + value: ['S-1-5-19', 'S-1-5-20'] + type: array + - name: se_restore_privilege + required: false + description: 'define which users are allowed to restore files and directories' + value: ['S-1-5-32-544'] + type: array + - name: hklm_null_session_pipes + required: false + description: 'define named pipes that can be accessed anonymously' + value: [] + type: array
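Review bot: The `version` line moves the profile backwards, from 2.1.1 to 2.0.1, so anything that orders releases by version (a dependency constraint in another profile, a compliance server's profile cache) would presumably treat this newer baseline as older than the one already deployed and could keep evaluating hosts against the previous controls. If the release was meant to follow 2.1.1, the line should carry a higher number, for example `version: 2.1.2`; the same reversed ordering shows up in the generated changelog link `compare/2.1.1...2.0.1`. Separately, the re-indented `value: 1,` under `level_1_or_2` keeps its trailing comma, which YAML reads as the string `1,` rather than the number that `type: numeric` declares, so `value: 1` is what the declaration expects. The description under `se_load_driver_privilege` repeats the impersonation text from the entry above it and should read `description: 'define which users are allowed to load and unload device drivers'`, since an operator overriding these SID lists relies on the description to know which user right is being audited.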