From 40a126624a6fe83f1c98139db9d655c96ab6f90d Mon Sep 17 00:00:00 2001
From: Gabriel Gendron
Date: Mon, 18 Mar 2024 15:45:56 +0100
Subject: [PATCH] add checks
---
 setup.py | 131 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 131 insertions(+)
diff --git a/setup.py b/setup.py
index 5375073..81e7997 100644
--- a/setup.py
+++ b/setup.py
@@ -236,6 +236,104 @@ def install():
 #CIS - Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'.
 registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\XboxNetApiSvc", "Start","4")
+ #CIS - Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'.
+ run("netsh advfirewall set allprofiles state on")
+ #CIS - Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'.
+ run("netsh advfirewall firewall add rule name="BlockInbound" dir=in action=block")
+ #CIS - Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'.
+ run("netsh advfirewall firewall add rule name="BlockOutbound" dir=out action=allow")
+ #CIS - Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'.
+ run("netsh advfirewall set allprofiles settings notifications off")
+ #CIS - Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'.
+ run(r'netsh advfirewall set domain logging filename "%SystemRoot%\System32\logfiles\firewall\domainfw.log"')
+ #CIS - Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'.
+ run(r'netsh advfirewall set private logging filename "%SystemRoot%\System32\logfiles\firewall\privatefw.log"')
+ #CIS - Ensure 'Windows Firewall: public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'.
+ run(r'netsh advfirewall set public logging filename "%SystemRoot%\System32\logfiles\firewall\publicfw.log"')
+ #CIS - Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'.
+ run('netsh advfirewall set allprofiles logging filename %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log allowedconnections 16384')
+ #CIS - Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'.
+ run('netsh advfirewall set allprofiles logging droppedpackets enable')
+ #CIS - Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'.
+ registry_set(HKEY_LOCAL_MACHINE, r"Policies\Microsoft\WindowsFirewall\DomainProfile\Logging", "LogSuccessfulConnections","1")
+ #CIS - Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'.
+ registry_set(HKEY_LOCAL_MACHINE, r"Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging", "LogSuccessfulConnections","1")
+ #CIS - Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'.
+ registry_set(HKEY_LOCAL_MACHINE, r"Policies\Microsoft\WindowsFirewall\PublicProfile\Logging", "LogSuccessfulConnections","1")
+ #CIS - Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'.
+ run("netsh advfirewall set public settings localconsecrules enforce=no")
+ #CIS - Ensure 'Audit Credential Validation' is set to 'Success and Failure'.
+ run('auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable')
+ # Ensure 'Audit Application Group Management' is set to 'Success and Failure'.
+ run('auditpol /set /subcategory:"Application Group Management" /success:enable /failure:enable')
+ # Ensure 'Audit Security Group Management' is set to include 'Success'.
+ run('auditpol /set /subcategory:"Security Group Management" /success:enable')
+ # Ensure 'Audit User Account Management' is set to 'Success and Failure'.
+ run('auditpol /set /subcategory:"User Account Management" /success:enable')
+ # Ensure 'Plug and Play Events' is set to include 'Success'.
+ run('auditpol /set /subcategory:"Plug and Play Events" /success:enable')
+ # Ensure 'Process Creation' is set to include 'Success'.
+ run('auditpol /set /subcategory:"Process Creation" /success:enable')
+ # Ensure 'Account Lockout' is set to 'Success and Failure'.
+ run('auditpol /set /subcategory:"Account Lockout" /failure:enable')
+ # Ensure 'Group Membership' is set to include 'Success'.
+ run('auditpol /set /subcategory:"Group Membership" /success:enable')
+ # Ensure 'Logon' is set to include 'Success'.
+ run('auditpol /set /subcategory:"Logon" /success:enable /failure:enable')
+ # Ensure 'Logoff' is set to include 'Success'.
+ run('auditpol /set /subcategory:"Logoff" /success:enable')
+ # Ensure 'Other Logon/Logoff Events' is set to include 'Success'.
+ run('auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable')
+ # Ensure 'Special Logon' is set to include 'Success'.
+ run('auditpol /set /subcategory:"Special Logon" /success:enable')
+ # Ensure 'Detailed File Share' is set to 'Success and Failure'.
+ run('auditpol /set /subcategory:"Detailed File Share" /failure:enable')
+ # Ensure 'File Share' is set to include 'Success'.
+ run('auditpol /set /subcategory:"File Share" /success:enable /failure:enable')
+ # Ensure 'Other Object Access Events' is set to include 'Success'.
+ run('auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable')
+ # Ensure 'Removable Storage' is set to include 'Success'.
+ run('auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable')
+ # Ensure 'Audit Policy Change' is set to include 'Success'.
+ run('auditpol /set /subcategory:"Audit Policy Change" /success:enable')
+ # Ensure 'Authentication Policy Change' is set to include 'Success'.
+ run('auditpol /set /subcategory:"Authentication Policy Change" /success:enable')
+ # Ensure 'Authorization Policy Change' is set to include 'Success'.
+ run('auditpol /set /subcategory:"Authorization Policy Change" /success:enable')
+ # Ensure 'MPSSVC Rule-Level Policy Change' is set to include 'Success'.
+ run('auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:enable')
+ # Ensure 'Other Policy Change Events' is set to 'Success and Failure'.
+ run('auditpol /set /subcategory:"Other Policy Change Events" /failure:enable')
+ # Ensure 'Sensitive Privilege Use' is set to include 'Success'.
+ run('auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable')
+ # Ensure 'IPsec Driver' is set to include 'Success'.
+ run('auditpol /set /subcategory:"IPsec Driver" /success:enable /failure:enable')
+
+ # Ensure 'Other System Events' is set to include 'Success'.
+ run('auditpol /set /subcategory:"Other System Events" /success:enable /failure:enable')
+ # Ensure 'Security State Change' is set to include 'Success'.
+ run('auditpol /set /subcategory:"Security State Change" /success:enable')
+ # Ensure 'Security System Extension' is set to include 'Success'.
+ run('auditpol /set /subcategory:"Security System Extension" /success:enable')
+ # Ensure 'System Integrity' is set to include 'Success'.
+ run('auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable')
+
+ #CIS - Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'.
+ registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows\Personalization", "NoLockScreenCamera","1")
+ #CIS - Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'.
+ registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows\Personalization", "NoLockScreenSlideshow","1")
+ #CIS - Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'.
+ registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\InputPersonalization", "AllowInputPersonalization ","0")
+ #CIS - Ensure 'Allow Online Tips' is set to 'Disabled'.
+ registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer", "AllowOnlineTips","0")
+ #CIS - Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'.
+ registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "LocalAccountTokenFilterPolicy","0")
+ #CIS - Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'.
+ registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\mrxsmb10", "Start","4")
+ #CIS - Ensure 'Configure SMB v1 server' is set to 'Disabled'.
+ registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters", "SMB1","0")
+
+
@@ -263,6 +361,39 @@ def install():
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
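Review bot: The two `add rule` calls in the firewall block are not valid Python: the inner double quotes around `BlockInbound` and `BlockOutbound` end the string literal, so setup.py fails to parse and none of the hardening in install() runs. Even with the quoting fixed they do not set the CIS default action, because an inbound block rule with no other criteria overrides allow rules instead of setting the profile default, and the rule named BlockOutbound actually allows; the profile default is set with `firewallpolicy blockinbound,allowoutbound`. The size-limit line passes `16384` to `allowedconnections`, which is an enable/disable switch, and re-points every profile's log at pfirewall.log, undoing the three per-profile filenames set just above; `maxfilesize` is the size parameter. The three `LogSuccessfulConnections` keys lack the `SOFTWARE\` prefix that the other policy keys in this hunk use, and the value name `"AllowInputPersonalization "` has a trailing space, so those settings would presumably land where Windows does not read them. Several audit comments also disagree with their commands (for example 'User Account Management' says Success and Failure but only success is enabled), and install() starts and continues outside the hunk.

```python
    # Default action per profile (replaces the two "add rule" calls)
    run("netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound")
    # … unchanged: notifications off, per-profile logging filenames …
    run("netsh advfirewall set allprofiles logging maxfilesize 16384")
    # … unchanged: droppedpackets enable …
    registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging", "LogSuccessfulConnections","1")
    registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging", "LogSuccessfulConnections","1")
    registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging", "LogSuccessfulConnections","1")
    # … unchanged: localconsecrules, auditpol block, lock-screen keys …
    registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\InputPersonalization", "AllowInputPersonalization","0")
```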