-
Notifications
You must be signed in to change notification settings - Fork 7
/
Copy pathinspec.yml
298 lines (265 loc) · 10.8 KB
/
inspec.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
name: Microsoft-windows-10-stig-baseline
title: microsoft-windows-10-stig-baseline
maintainer: MITRE SAF Team
copyright: MITRE, 2020
copyright_email: [email protected]
license: Apache-2.0
summary: "InSpec Validation Profile for Microsoft Windows 10 STIG"
version: 1.20.1
inspec_version: ">= 4.0"
inputs:
# V-633351
- name: av_approved_software
desc: "This is a list of Approved Anti-Virus Software"
type: Array
value:
- Windows Defender
- McAfee Host Intrusion Prevention
- McAfee Endpoint Security
- McAfee Agent
# V-94861
- name: bitlocker_pin_len
desc: "The minimum length for the BitLocker Pin [6]"
type: Numeric
value: 6
# V-63423
- name: min_pass_len
desc: "Sets the minimum length of passwords [14]"
type: Numeric
value: 14
# V-63427
- name: enable_pass_complexity
desc: "If windows should enforce password complexity (0/1) [1]"
type: Numeric
value: 1
# V-63421
- name: min_pass_age
desc: "Sets the minimum age for a password [1]"
type: Numeric
value: 1
# V-63419
- name: max_pass_age
desc: "Sets the maximum age for a password [60]"
type: Numeric
value: 60
# V-63405, V-63413
- name: pass_lock_time
desc: "Sets the number of min before a session is locked out [15]"
type: Numeric
value: 15
# V-63415
- name: pass_hist_size
desc: "Number of passwords remembered in the password history [24]"
type: Numeric
value: 24
# V-63409
- name: max_pass_lockout
desc: "Account lockout threshold is recommended to be 3 or less invalid logon attempts [3]"
type: Numeric
value: 3
# V-63359
- name: max_inactive_days
desc: "Max number of days an account is allowed to be inactive [35]"
type: Numeric
value: 35
# V-63345, V-63579, V-63583, V-63587, V-63589, V-63685, V-63699, V-63701
# V-63713, V-77091, V-77095, V-77097, V-77097, V-77101, V-77103, V-77189
# V-77191, V-77195, V-77201, V-77205, V-77209, V-77213, V-77217, V-77221
# V-77223, V-77227, V-77231, V-77233, V-77235, V-77239, V-77243, V-77245
# V-77247, V-77249, V-77255, V-77259, V-77263, V-77267, V-77269
- name: sensitive_system
description: "Set flag to true if the target system is sensitive"
type: String
value: "false"
# V-63363
- name: backup_operators
type: Array
description: "List of authorized users in the local Backup Operators Group"
value:
-
# V-63321, V-63361, V-63365, V-63373, V-63533, V-63537, V-63541, V-63593
# V-63599, V-63601, V-63635, V-63679, V-63819, V-63829, V-63845, V-63847
# V-63851, V-63853, V-63853, V-63855, V-63857, V-63861, V-63865, V-63869
# V-63883, V-63889, V-63917, V-63927, V-63931, V-63933, V-63935, V-63939
# V-63941, V-71769
- name: administrators
type: Array
description: "List of authorized users in the local Administrators group"
sensitive: true
value:
-
# V-63365
- name: hyper_v_admin
type: Array
description: "List of authorized users in the Hyper-V Group"
sensitive: true
value:
-
# V-63675
- name: LegalNoticeText
type: String
value:
"You are accessing a U.S. Government (USG) Information System (IS) that is
provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent
to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for
purposes including, but not limited to, penetration testing, COMSEC monitoring,
network operations and defense, personnel misconduct (PM), law enforcement
(LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject
to routine monitoring, interception, and search, and may be disclosed or used
for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls)
to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE
or CI investigative searching or monitoring of the content of privileged
communications, or work product, related to personal representation or services
by attorneys, psychotherapists, or clergy, and their assistants. Such
communications and work product are private and confidential. See User
Agreement for details."
# V-63681
- name: LegalNoticeCaption
type: String
value: "DoD Notice and Consent Banner, US Department of Defense Warning Statement, or a site-defined equivalent."
# V-63589
- name: dod_cceb_certificates
description: "List of DoD CCEB Interoperability CA Root Certificates"
type: Array
value:
- :Subject: "CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US"
:Issuer: "CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US"
:Thumbprint: "929BF3196896994C0A201DF4A5B71F603FEFBF2E"
:NotAfter: "Friday, September 27, 2019"
# V-63587
- name: dod_certificates
description: "List of DoD Interoperability Root Certificates"
type: Array
value:
- :Subject: "CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US"
:Issuer: "CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US"
:Thumbprint: "AC06108CA348CC03B53795C64BF84403C1DBD341"
:NotAfter: "Saturday, January 22, 2022"
# V-63583
- name: dod_eca_certificates
description: "List of ECA Root CA certificates Certificates"
type: Array
value:
- :Subject: "CN=ECA Root CA 2, OU=ECA, O=U.S. Government, C=US"
:Thumbprint: "C313F919A6ED4E0E8451AFA930FB419A20F181E4"
:NotAfter: "Thursday, March 30, 2028"
- :Subject: "CN=ECA Root CA 4, OU=ECA, O=U.S. Government, C=US"
:Thumbprint: "73E8BB08E337D6A5A6AEF90CFFDD97D9176CB582"
:NotAfter: "Sunday, December 30, 2029"
# V-63579
- name: dod_trusted_certificates
description: "List of DOD Trusted CA certificates Certificates"
type: Array
value:
- :Subject: "CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US"
:Thumbprint: "D73CA91102A2204A36459ED32213B467D7CE97FB"
:NotAfter: "Sunday, December 30, 2029"
- :Subject: "CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US"
:Thumbprint: "B8269F25DBD937ECAFD4C35A9838571723F2D026"
:NotAfter: "Sunday, July 25, 2032"
- :Subject: "CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US"
:Thumbprint: "AC06108CA348CC03B53795C64BF84403C1DBD341"
:NotAfter: "Saturday, January 22, 2022"
- :Subject: "CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US"
:Thumbprint: "929BF3196896994C0A201DF4A5B71F603FEFBF2E"
:NotAfter: "Friday, September 27, 2019"
- :Subject: "CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US"
:Thumbprint: "8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561"
:NotAfter: "Wednesday, December 05, 2029"
- :Subject: "CN=DoD Root CA 5, OU=PKI, OU=DoD, O=U.S. Government, C=US"
:Thumbprint: "4ECB5CC3095670454DA1CBD410FC921F46B8564B"
:NotAfter: "Friday, June 14, 2041"
# V-63593
- name: reg_software_perms
desc: "The required Registry Software Permission Settings"
type: Array
value:
- CREATOR OWNER Allow FullControl
- NT AUTHORITY\SYSTEM Allow FullControl
- BUILTIN\Administrators Allow FullControl
- BUILTIN\Users Allow ReadKey
- APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadKey
- S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 Allow ReadKey
# V-63593
- name: reg_security_perms
desc: "The required Registry Security Permissions Settings"
type: Array
value:
- NT AUTHORITY\SYSTEM Allow FullControl
- BUILTIN\Administrators Allow ReadKey, ChangePermissions
# V-63593
- name: reg_system_perms
desc: "The required Registry System Permissions Settings"
type: Array
value:
- CREATOR OWNER Allow FullControl
- NT AUTHORITY\SYSTEM Allow FullControl
- BUILTIN\Administrators Allow FullControl
- BUILTIN\Users Allow ReadKey
- APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadKey
- S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 Allow ReadKey
# V-63373
- name: c_folder_permissions
desc: "Default Permissions for C:\\ Folder on OS"
type: Array
value:
- NT AUTHORITY\Authenticated Users:(S,AD)
- NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M)
- NT AUTHORITY\SYSTEM:(OI)(CI)(F)
- BUILTIN\Administrators:(OI)(CI)(F)
- BUILTIN\Users:(OI)(CI)(RX)
- Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW)
# V-63373
- name: c_windows_folder_permissions
desc: "Default Permissions for C:\\Windows Folder on OS"
type: Array
value:
- NT SERVICE\TrustedInstaller:(F)
- NT SERVICE\TrustedInstaller:(CI)(IO)(F)
- NT AUTHORITY\SYSTEM:(M)
- NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
- BUILTIN\Administrators:(M)
- BUILTIN\Administrators:(OI)(CI)(IO)(F)
- BUILTIN\Users:(RX)
- BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
- CREATOR OWNER:(OI)(CI)(IO)(F)
- APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
- APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)
- APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX)
- APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)
# V-63373
- name: c_program_files_folder_permissions
desc: "Default Permissions for C:\\Windows Folder on OS"
type: Array
value:
- NT SERVICE\TrustedInstaller:(F)
- NT SERVICE\TrustedInstaller:(CI)(IO)(F)
- NT AUTHORITY\SYSTEM:(M)
- NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
- BUILTIN\Administrators:(M)
- BUILTIN\Administrators:(OI)(CI)(IO)(F)
- BUILTIN\Users:(RX)
- BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
- CREATOR OWNER:(OI)(CI)(IO)(F)
- APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
- APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)
- APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX)
- APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)
# V-88203
- name: onedrive_tenant_guid
desc: "This is the OneDrive GUID for the Organization"
type: String
value: "1111-2222-3333-4444"
# V-99555
- name: local_administrator
desc: "List of Local Accounts on Desktop that are Administrators"
type: Array
sensitive: true
value:
-