v3r1 delta

mitre · Oct 2, 2024 · 5e74110 · 5e74110
1 parent 0025cb0
commit 5e74110
Show file tree

Hide file tree

Showing 438 changed files with 8,858 additions and 9,858 deletions.
diff --git a/controls/V-92975.rb → controls/SV-205624.rb b/controls/V-92975.rb → controls/SV-205624.rb
@@ -1,38 +1,35 @@
-# encoding: UTF-8
-
-control 'V-92975' do
-  title "Windows Server 2019 must automatically remove or disable temporary user accounts after #{input('temporary_account_period')*24} hours."
-  desc  "If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation.
+control 'SV-205624' do
+  title 'Windows Server 2019 must automatically remove or disable temporary user accounts after 72 hours.'
+  desc 'If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation.
 
   Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation.
-  If temporary accounts are used, the operating system must be configured to automatically terminate these types of accounts after a #{input('org_name')[:acronym]}-defined time period of #{input('temporary_account_period')*24} hours.
-  To address access requirements, many operating systems may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements."
-  desc  'rationale', ''
-  desc  'check', "Review temporary user accounts for expiration dates.
+  If temporary accounts are used, the operating system must be configured to automatically terminate these types of accounts after a DoD-defined time period of 72 hours.
+  To address access requirements, many operating systems may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.'
+  desc 'check', 'Review temporary user accounts for expiration dates.
   Determine if temporary user accounts are used and identify any that exist. If none exist, this is NA.
 
   Domain Controllers:
-  Open \"PowerShell\".
-  Enter \"Search-ADAccount -AccountExpiring | FT Name, AccountExpirationDate\".
-  If \"AccountExpirationDate\" has not been defined within #{input('temporary_account_period')*24} hours for any temporary user account, this is a finding.
+  Open "PowerShell".
+  Enter "Search-ADAccount -AccountExpiring | FT Name, AccountExpirationDate".
+  If "AccountExpirationDate" has not been defined within 72 hours for any temporary user account, this is a finding.
 
   Member servers and standalone systems:
-  Open \"Command Prompt\".
-  Run \"Net user [username]\", where [username] is the name of the temporary user account.
-  If \"Account expires\" has not been defined within #{input('temporary_account_period')*24} hours for any temporary user account, this is a finding."
-  desc 'fix', "Configure temporary user accounts to automatically expire within #{input('temporary_account_period')*24} hours.
-  Domain accounts can be configured with an account expiration date, under \"Account\" properties.
-  Local accounts can be configured to expire with the command \"Net user [username] /expires:[mm/dd/yyyy]\", where username is the name of the temporary user account.
-  Delete any temporary user accounts that are no longer necessary."
-  impact 0.5
-  tag 'severity': nil
-  tag 'gtitle': 'SRG-OS-000002-GPOS-00002'
-  tag 'gid': 'V-92975'
-  tag 'rid': 'SV-103063r1_rule'
-  tag 'stig_id': 'WN19-00-000300'
-  tag 'fix_id': 'F-99221r1_fix'
-  tag 'cci': ['CCI-000016']
-  tag 'nist': ['AC-2 (2)', 'Rev_4']
+  Open "Command Prompt".
+  Run "Net user [username]", where [username] is the name of the temporary user account.
+  If "Account expires" has not been defined within 72 hours for any temporary user account, this is a finding.'
+  desc 'fix', 'Configure temporary user accounts to automatically expire within 72 hours.
+  Domain accounts can be configured with an account expiration date, under "Account" properties.
+  Local accounts can be configured to expire with the command "Net user [username] /expires:[mm/dd/yyyy]", where username is the name of the temporary user account.
+  Delete any temporary user accounts that are no longer necessary.'
+  impact 0.0
+  tag severity: nil
+  tag gtitle: 'SRG-OS-000002-GPOS-00002'
+  tag gid: 'V-92975'
+  tag rid: 'SV-103063r1_rule'
+  tag stig_id: 'WN19-00-000300'
+  tag fix_id: 'F-99221r1_fix'
+  tag cci: ['CCI-000016']
+  tag nist: ['AC-2 (2)', 'Rev_4']
 
   domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip
 

diff --git a/controls/SV-205625.rb b/controls/SV-205625.rb
@@ -0,0 +1,53 @@
+control 'SV-205625' do
+  title 'Windows Server 2019 must be configured to audit Account Management -
+Security Group Management successes.'
+  desc 'Maintaining an audit trail of system activity logs can help identify
+configuration errors, troubleshoot service disruptions, and analyze compromises
+that have occurred, as well as detect attacks. Audit logs are necessary to
+provide a trail of evidence in case the system or network is compromised.
+Collecting this data is essential for analyzing the security of information
+assets and detecting signs of suspicious and unexpected behavior.
+
+    Security Group Management records events such as creating, deleting, or
+changing security groups, including changes in group members.'
+  desc 'check', 'Security Option "Audit: Force audit policy subcategory settings (Windows
+Vista or later) to override audit policy category settings" must be set to
+"Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be
+effective.
+
+    Use the "AuditPol" tool to review the current Audit Policy configuration:
+
+    Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run
+as administrator").
+
+    Enter "AuditPol /get /category:*"
+
+    Compare the "AuditPol" settings with the following:
+
+    If the system does not audit the following, this is a finding.
+
+    Account Management >> Security Group Management - Success'
+  desc 'fix', 'Configure the policy value for Computer Configuration >>
+Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >>
+System Audit Policies >> Account Management >> "Audit Security Group
+Management" with "Success" selected.'
+  impact 0.5
+  tag severity: nil
+  tag gtitle: 'SRG-OS-000004-GPOS-00004'
+  tag satisfies: ['SRG-OS-000004-GPOS-00004', 'SRG-OS-000239-GPOS-00089', 'SRG-OS-000240-GPOS-00090', 'SRG-OS-000241-GPOS-00091', 'SRG-OS-000303-GPOS-00120', 'SRG-OS-000476-GPOS-00221']
+  tag gid: 'V-92979'
+  tag rid: 'SV-103067r1_rule'
+  tag stig_id: 'WN19-AU-000100'
+  tag fix_id: 'F-99225r1_fix'
+  tag cci: ['CCI-000018', 'CCI-000172', 'CCI-001403', 'CCI-001404', 'CCI-001405', 'CCI-002130']
+  tag nist: ['AC-2 (4)', 'AU-12 c', 'AC-2 (4)', 'AC-2 (4)', 'AC-2 (4)', 'AC-2\n(4)', 'Rev_4']
+
+  describe.one do
+    describe audit_policy do
+      its('Security Group Management') { should eq 'Success' }
+    end
+    describe audit_policy do
+      its('Security Group Management') { should eq 'Success and Failure' }
+    end
+  end
+end
diff --git a/controls/SV-205626.rb b/controls/SV-205626.rb
@@ -0,0 +1,53 @@
+control 'SV-205626' do
+  title 'Windows Server 2019 must be configured to audit Account Management -
+User Account Management successes.'
+  desc 'Maintaining an audit trail of system activity logs can help identify
+configuration errors, troubleshoot service disruptions, and analyze compromises
+that have occurred, as well as detect attacks. Audit logs are necessary to
+provide a trail of evidence in case the system or network is compromised.
+Collecting this data is essential for analyzing the security of information
+assets and detecting signs of suspicious and unexpected behavior.
+
+    User Account Management records events such as creating, changing,
+deleting, renaming, disabling, or enabling user accounts.'
+  desc 'check', 'Security Option "Audit: Force audit policy subcategory settings (Windows
+Vista or later) to override audit policy category settings" must be set to
+"Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be
+effective.
+
+    Use the "AuditPol" tool to review the current Audit Policy configuration:
+
+    Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run
+as administrator").
+
+    Enter "AuditPol /get /category:*"
+
+    Compare the "AuditPol" settings with the following:
+
+    If the system does not audit the following, this is a finding.
+
+    Account Management >> User Account Management - Success'
+  desc 'fix', 'Configure the policy value for Computer Configuration >>
+Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >>
+System Audit Policies >> Account Management >> "Audit User Account
+Management" with "Success" selected.'
+  impact 0.5
+  tag severity: nil
+  tag gtitle: 'SRG-OS-000004-GPOS-00004'
+  tag satisfies: ['SRG-OS-000004-GPOS-00004', 'SRG-OS-000239-GPOS-00089', 'SRG-OS-000240-GPOS-00090', 'SRG-OS-000241-GPOS-00091', 'SRG-OS-000303-GPOS-00120', 'SRG-OS-000476-GPOS-00221']
+  tag gid: 'V-92981'
+  tag rid: 'SV-103069r1_rule'
+  tag stig_id: 'WN19-AU-000110'
+  tag fix_id: 'F-99227r1_fix'
+  tag cci: ['CCI-000018', 'CCI-000172', 'CCI-001403', 'CCI-001404', 'CCI-001405', 'CCI-002130']
+  tag nist: ['AC-2 (4)', 'AU-12 c', 'AC-2 (4)', 'AC-2 (4)', 'AC-2 (4)', 'AC-2\n(4)', 'Rev_4']
+
+  describe.one do
+    describe audit_policy do
+      its('User Account Management') { should eq 'Success' }
+    end
+    describe audit_policy do
+      its('User Account Management') { should eq 'Success and Failure' }
+    end
+  end
+end
diff --git a/controls/SV-205627.rb b/controls/SV-205627.rb
@@ -0,0 +1,53 @@
+control 'SV-205627' do
+  title 'Windows Server 2019 must be configured to audit Account Management -
+User Account Management failures.'
+  desc 'Maintaining an audit trail of system activity logs can help identify
+configuration errors, troubleshoot service disruptions, and analyze compromises
+that have occurred, as well as detect attacks. Audit logs are necessary to
+provide a trail of evidence in case the system or network is compromised.
+Collecting this data is essential for analyzing the security of information
+assets and detecting signs of suspicious and unexpected behavior.
+
+    User Account Management records events such as creating, changing,
+deleting, renaming, disabling, or enabling user accounts.'
+  desc 'check', 'Security Option "Audit: Force audit policy subcategory settings (Windows
+Vista or later) to override audit policy category settings" must be set to
+"Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be
+effective.
+
+    Use the "AuditPol" tool to review the current Audit Policy configuration:
+
+    Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run
+as administrator").
+
+    Enter "AuditPol /get /category:*"
+
+    Compare the "AuditPol" settings with the following:
+
+    If the system does not audit the following, this is a finding.
+
+    Account Management >> User Account Management - Failure'
+  desc 'fix', 'Configure the policy value for Computer Configuration >>
+Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >>
+System Audit Policies >> Account Management >> "Audit User Account
+Management" with "Failure" selected.'
+  impact 0.5
+  tag severity: nil
+  tag gtitle: 'SRG-OS-000004-GPOS-00004'
+  tag satisfies: ['SRG-OS-000004-GPOS-00004', 'SRG-OS-000239-GPOS-00089', 'SRG-OS-000240-GPOS-00090', 'SRG-OS-000241-GPOS-00091', 'SRG-OS-000303-GPOS-00120', 'SRG-OS-000476-GPOS-00221']
+  tag gid: 'V-92983'
+  tag rid: 'SV-103071r1_rule'
+  tag stig_id: 'WN19-AU-000120'
+  tag fix_id: 'F-99229r1_fix'
+  tag cci: ['CCI-000018', 'CCI-000172', 'CCI-001403', 'CCI-001404', 'CCI-001405', 'CCI-002130']
+  tag nist: ['AC-2 (4)', 'AU-12 c', 'AC-2 (4)', 'AC-2 (4)', 'AC-2 (4)', 'AC-2\n(4)', 'Rev_4']
+
+  describe.one do
+    describe audit_policy do
+      its('User Account Management') { should eq 'Failure' }
+    end
+    describe audit_policy do
+      its('User Account Management') { should eq 'Success and Failure' }
+    end
+  end
+end
diff --git a/controls/SV-205628.rb b/controls/SV-205628.rb
@@ -0,0 +1,63 @@
+control 'SV-205628' do
+  title 'Windows Server 2019 must be configured to audit Account Management -
+Computer Account Management successes.'
+  desc 'Maintaining an audit trail of system activity logs can help identify
+configuration errors, troubleshoot service disruptions, and analyze compromises
+that have occurred, as well as detect attacks. Audit logs are necessary to
+provide a trail of evidence in case the system or network is compromised.
+Collecting this data is essential for analyzing the security of information
+assets and detecting signs of suspicious and unexpected behavior.
+
+    Computer Account Management records events such as creating, changing,
+deleting, renaming, disabling, or enabling computer accounts.'
+  desc 'check', 'This applies to domain controllers. It is NA for other systems.
+
+    Security Option "Audit: Force audit policy subcategory settings (Windows
+Vista or later) to override audit policy category settings" must be set to
+"Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be
+effective.
+
+    Use the "AuditPol" tool to review the current Audit Policy configuration:
+
+    Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run
+as administrator").
+
+    Enter "AuditPol /get /category:*"
+
+    Compare the "AuditPol" settings with the following:
+
+    If the system does not audit the following, this is a finding.
+
+    Account Management >> Computer Account Management - Success'
+  desc 'fix', 'Configure the policy value for Computer Configuration >>
+Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >>
+System Audit Policies >> Account Management >> "Audit Computer Account
+Management" with "Success" selected.'
+  impact 0.5
+  tag severity: nil
+  tag gtitle: 'SRG-OS-000004-GPOS-00004'
+  tag satisfies: ['SRG-OS-000004-GPOS-00004', 'SRG-OS-000239-GPOS-00089', 'SRG-OS-000240-GPOS-00090', 'SRG-OS-000241-GPOS-00091', 'SRG-OS-000303-GPOS-00120', 'SRG-OS-000476-GPOS-00221']
+  tag gid: 'V-92985'
+  tag rid: 'SV-103073r1_rule'
+  tag stig_id: 'WN19-DC-000230'
+  tag fix_id: 'F-99231r1_fix'
+  tag cci: ['CCI-000018', 'CCI-000172', 'CCI-001403', 'CCI-001404', 'CCI-001405', 'CCI-002130']
+  tag nist: ['AC-2 (4)', 'AU-12 c', 'AC-2 (4)', 'AC-2 (4)', 'AC-2 (4)', 'AC-2\n(4)', 'Rev_4']
+
+  domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip
+  if domain_role == '4' || domain_role == '5'
+    describe.one do
+      describe audit_policy do
+        its('Computer Account Management') { should eq 'Success' }
+      end
+      describe audit_policy do
+        its('Computer Account Management') { should eq 'Success and Failure' }
+      end
+    end
+  else
+    impact 0.0
+    describe 'This system is not a domain controller, therefore this control is not applicable' do
+      skip 'This system is not a domain controller, therefore this control is not applicable'
+    end
+  end
+end
diff --git a/controls/V-93141.rb → controls/SV-205629.rb b/controls/V-93141.rb → controls/SV-205629.rb
@@ -1,44 +1,41 @@
-# encoding: UTF-8
-
-control "V-93141" do
-  title "Windows Server 2019 must have the number of allowed bad logon attempts
-configured to #{input('max_pass_lockout')} or less."
-  desc  "The account lockout feature, when enabled, prevents brute-force
+control 'SV-205629' do
+  title 'Windows Server 2019 must have the number of allowed bad logon attempts
+configured to 3 or less.'
+  desc 'The account lockout feature, when enabled, prevents brute-force
 password attacks on the system. The higher this value is, the less effective
 the account lockout feature will be in protecting the local system. The number
 of bad logon attempts must be reasonably small to minimize the possibility of a
 successful password attack while allowing for honest errors made during normal
-user logon."
-  desc  "rationale", ""
-  desc  'check', "Verify the effective setting in Local Group Policy Editor.
+user logon.'
+  desc 'check', 'Verify the effective setting in Local Group Policy Editor.
 
-    Run \"gpedit.msc\".
+    Run "gpedit.msc".
 
     Navigate to Local Computer Policy >> Computer Configuration >> Windows
 Settings >> Security Settings >> Account Policies >> Account Lockout Policy.
 
-    If the \"Account lockout threshold\" is \"0\" or more than \"#{input('max_pass_lockout')}\" attempts,
+    If the "Account lockout threshold" is "0" or more than "3" attempts,
 this is a finding.
 
     For server core installations, run the following command:
 
     Secedit /Export /Areas SecurityPolicy /CFG C:\\Path\\FileName.Txt
 
-    If \"LockoutBadCount\" equals \"0\" or is greater than \"#{input('max_pass_lockout')}\" in the file,
-this is a finding."
-  desc  'fix', "Configure the policy value for Computer Configuration >>
+    If "LockoutBadCount" equals "0" or is greater than "3" in the file,
+this is a finding.'
+  desc 'fix', 'Configure the policy value for Computer Configuration >>
 Windows Settings >> Security Settings >> Account Policies >> Account Lockout
-Policy >> \"Account lockout threshold\" to \"#{input('max_pass_lockout')}\" or fewer invalid logon
-attempts (excluding \"0\", which is unacceptable)."
+Policy >> "Account lockout threshold" to "3" or fewer invalid logon
+attempts (excluding "0", which is unacceptable).'
   impact 0.5
-  tag 'severity': nil
-  tag 'gtitle': 'SRG-OS-000021-GPOS-00005'
-  tag 'gid': 'V-93141'
-  tag 'rid': 'SV-103229r1_rule'
-  tag 'stig_id': 'WN19-AC-000020'
-  tag 'fix_id': 'F-99387r1_fix'
-  tag 'cci': ["CCI-000044"]
-  tag 'nist': ["AC-7 a", "Rev_4"]
+  tag severity: nil
+  tag gtitle: 'SRG-OS-000021-GPOS-00005'
+  tag gid: 'V-93141'
+  tag rid: 'SV-103229r1_rule'
+  tag stig_id: 'WN19-AC-000020'
+  tag fix_id: 'F-99387r1_fix'
+  tag cci: ['CCI-000044']
+  tag nist: ['AC-7 a', 'Rev_4']
 
   os_type = command('Test-Path "$env:windir\explorer.exe"').stdout.strip
 
@@ -55,4 +52,3 @@
   end
  end
 end
-