implement first cis controls

atomic111 · atomic111 · commit 1d38142d798f · 2019-03-28T14:40:13.000+01:00
Signed-off-by: Patrick Münch &lt;patrick.muench1111@gmail.com&gt;
diff --git a/Gemfile b/Gemfile
@@ -1,21 +1,21 @@
 source 'https://rubygems.org'
 
-gem 'berkshelf', '~> 5.3'
-gem 'chef', '~> 12.5'
+gem 'berkshelf', '~> 7.0.8'
+gem 'chef', '~> 14'
 
 group :test do
-  gem 'foodcritic', '~> 6.0'
-  gem 'highline', '~> 1.6.0'
-  gem 'rubocop', '~> 0.56.0'
+  gem 'foodcritic', '~> 15.1.0'
+  gem 'highline', '~> 1.6'
+  gem 'rubocop', '~> 0.66.0'
 end
 
 group :integration do
-  gem 'inspec', '~> 1'
+  gem 'inspec', '~> 3'
   gem 'kitchen-inspec'
   gem 'kitchen-vagrant'
   gem 'test-kitchen'
 end
 
 group :tools do
-  gem 'github_changelog_generator', '~> 1.12.0'
+  gem 'github_changelog_generator', '~> 1.14.3'
 end
diff --git a/attributes/sec_policy.rb b/attributes/sec_policy.rb
@@ -5,14 +5,20 @@
 
 # System access settings
 # Nil value means nothing will be written to the security policy template.
-default['security_policy']['access']['PasswordComplexity'] = 1
-default['security_policy']['access']['LockoutBadCount'] = 3
-default['security_policy']['access']['ResetLockoutCount'] = 15
-default['security_policy']['access']['LockoutDuration'] = 15
+default['security_policy']['access']['PasswordHistorySize']     = 24
+default['security_policy']['access']['PasswordComplexity']      = 1
+default['security_policy']['access']['MinimumPasswordAge']      = 1
+default['security_policy']['access']['MaximumPasswordAge']      = 60
+default['security_policy']['access']['MinimumPasswordLength']   = 14
+default['security_policy']['access']['LockoutBadCount']         = 10
+default['security_policy']['access']['ResetLockoutCount']       = 15
+default['security_policy']['access']['LockoutDuration']         = 15
+default['security_policy']['access']['ClearTextPassword']       = 0
 
 # Security policy rights / privileges settings.
 default['security_policy']['rights']['SeRemoteInteractiveLogonRight']       = '*S-1-5-32-544'
 default['security_policy']['rights']['SeTcbPrivilege']                      = ''
 default['security_policy']['rights']['SeMachineAccountPrivilege']           = '*S-1-5-32-544'
 default['security_policy']['rights']['SeTrustedCredManAccessPrivilege']     = ''
 default['security_policy']['rights']['SeNetworkLogonRight']                 = ''
+default['security_policy']['rights']['SeMachineAccountPrivilege']           = '*S-1-5-32-544'
diff --git a/recipes/default.rb b/recipes/default.rb
@@ -6,7 +6,7 @@
 
 return unless node['platform_family'] == 'windows'
 
-include_recipe 'windows-hardening::password_policy'
+#include_recipe 'windows-hardening::password_policy'
 include_recipe 'windows-hardening::security_policy'
 include_recipe 'windows-hardening::user_rights'
 include_recipe 'windows-hardening::audit'
diff --git a/recipes/password_policy.rb b/recipes/password_policy.rb
diff --git a/test/integration/default/inspec/controls/tests.rb b/test/integration/default/inspec/controls/tests.rb
@@ -1,6 +1,5 @@
 include_controls 'windows-baseline' do
   # we need to skip the test to ensure we can connect with non-administrator
   # winrm user for our tests
-  skip_control 'cis-network-access-2.2.2'
-  skip_control 'windows-account-100'
+  attribute('se_network_logon_right', default: ['S-1-1-0', 'S-1-5-32-544', 'S-1-5-32-545', 'S-1-5-32-551'])
 end
diff --git a/test/integration/default/inspec/inspec.yml b/test/integration/default/inspec/inspec.yml
@@ -1,4 +1,4 @@
 name: windows-hardening-integration-tests
 depends:
   - name: windows-baseline
-    url: https://github.com/dev-sec/windows-baseline
+    path: ../windows-baseline
