add checks
131
setup.py
131
setup.py
@@ -236,6 +236,104 @@ def install():
|
|||||||
#CIS - Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'.
|
#CIS - Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'.
|
||||||
registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\XboxNetApiSvc", "Start","4")
|
registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\XboxNetApiSvc", "Start","4")
|
||||||
|
|
||||||
|
#CIS - Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'.
|
||||||
|
run("netsh advfirewall set allprofiles state on")
|
||||||
|
#CIS - Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'.
|
||||||
|
run("netsh advfirewall firewall add rule name="BlockInbound" dir=in action=block")
|
||||||
|
#CIS - Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'.
|
||||||
|
run("netsh advfirewall firewall add rule name="BlockOutbound" dir=out action=allow")
|
||||||
|
#CIS - Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'.
|
||||||
|
run("netsh advfirewall set allprofiles settings notifications off")
|
||||||
|
#CIS - Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'.
|
||||||
|
run(r'netsh advfirewall set domain logging filename "%SystemRoot%\System32\logfiles\firewall\domainfw.log"')
|
||||||
|
#CIS - Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'.
|
||||||
|
run(r'netsh advfirewall set private logging filename "%SystemRoot%\System32\logfiles\firewall\privatefw.log"')
|
||||||
|
#CIS - Ensure 'Windows Firewall: public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'.
|
||||||
|
run(r'netsh advfirewall set public logging filename "%SystemRoot%\System32\logfiles\firewall\publicfw.log"')
|
||||||
|
#CIS - Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'.
|
||||||
|
run('netsh advfirewall set allprofiles logging filename %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log allowedconnections 16384')
|
||||||
|
#CIS - Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'.
|
||||||
|
run('netsh advfirewall set allprofiles logging droppedpackets enable')
|
||||||
|
#CIS - Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'.
|
||||||
|
registry_set(HKEY_LOCAL_MACHINE, r"Policies\Microsoft\WindowsFirewall\DomainProfile\Logging", "LogSuccessfulConnections","1")
|
||||||
|
#CIS - Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'.
|
||||||
|
registry_set(HKEY_LOCAL_MACHINE, r"Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging", "LogSuccessfulConnections","1")
|
||||||
|
#CIS - Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'.
|
||||||
|
registry_set(HKEY_LOCAL_MACHINE, r"Policies\Microsoft\WindowsFirewall\PublicProfile\Logging", "LogSuccessfulConnections","1")
|
||||||
|
#CIS - Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'.
|
||||||
|
run("netsh advfirewall set public settings localconsecrules enforce=no")
|
||||||
|
#CIS - Ensure 'Audit Credential Validation' is set to 'Success and Failure'.
|
||||||
|
run('auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable')
|
||||||
|
# Ensure 'Audit Application Group Management' is set to 'Success and Failure'.
|
||||||
|
run('auditpol /set /subcategory:"Application Group Management" /success:enable /failure:enable')
|
||||||
|
# Ensure 'Audit Security Group Management' is set to include 'Success'.
|
||||||
|
run('auditpol /set /subcategory:"Security Group Management" /success:enable')
|
||||||
|
# Ensure 'Audit User Account Management' is set to 'Success and Failure'.
|
||||||
|
run('auditpol /set /subcategory:"User Account Management" /success:enable')
|
||||||
|
# Ensure 'Plug and Play Events' is set to include 'Success'.
|
||||||
|
run('auditpol /set /subcategory:"Plug and Play Events" /success:enable')
|
||||||
|
# Ensure 'Process Creation' is set to include 'Success'.
|
||||||
|
run('auditpol /set /subcategory:"Process Creation" /success:enable')
|
||||||
|
# Ensure 'Account Lockout' is set to 'Success and Failure'.
|
||||||
|
run('auditpol /set /subcategory:"Account Lockout" /failure:enable')
|
||||||
|
# Ensure 'Group Membership' is set to include 'Success'.
|
||||||
|
run('auditpol /set /subcategory:"Group Membership" /success:enable')
|
||||||
|
# Ensure 'Logon' is set to include 'Success'.
|
||||||
|
run('auditpol /set /subcategory:"Logon" /success:enable /failure:enable')
|
||||||
|
# Ensure 'Logoff' is set to include 'Success'.
|
||||||
|
run('auditpol /set /subcategory:"Logoff" /success:enable')
|
||||||
|
# Ensure 'Other Logon/Logoff Events' is set to include 'Success'.
|
||||||
|
run('auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable')
|
||||||
|
# Ensure 'Special Logon' is set to include 'Success'.
|
||||||
|
run('auditpol /set /subcategory:"Special Logon" /success:enable')
|
||||||
|
# Ensure 'Detailed File Share' is set to 'Success and Failure'.
|
||||||
|
run('auditpol /set /subcategory:"Detailed File Share" /failure:enable')
|
||||||
|
# Ensure 'File Share' is set to include 'Success'.
|
||||||
|
run('auditpol /set /subcategory:"File Share" /success:enable /failure:enable')
|
||||||
|
# Ensure 'Other Object Access Events' is set to include 'Success'.
|
||||||
|
run('auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable')
|
||||||
|
# Ensure 'Removable Storage' is set to include 'Success'.
|
||||||
|
run('auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable')
|
||||||
|
# Ensure 'Audit Policy Change' is set to include 'Success'.
|
||||||
|
run('auditpol /set /subcategory:"Audit Policy Change" /success:enable')
|
||||||
|
# Ensure 'Authentication Policy Change' is set to include 'Success'.
|
||||||
|
run('auditpol /set /subcategory:"Authentication Policy Change" /success:enable')
|
||||||
|
# Ensure 'Authorization Policy Change' is set to include 'Success'.
|
||||||
|
run('auditpol /set /subcategory:"Authorization Policy Change" /success:enable')
|
||||||
|
# Ensure 'MPSSVC Rule-Level Policy Change' is set to include 'Success'.
|
||||||
|
run('auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:enable')
|
||||||
|
# Ensure 'Other Policy Change Events' is set to 'Success and Failure'.
|
||||||
|
run('auditpol /set /subcategory:"Other Policy Change Events" /failure:enable')
|
||||||
|
# Ensure 'Sensitive Privilege Use' is set to include 'Success'.
|
||||||
|
run('auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable')
|
||||||
|
# Ensure 'IPsec Driver' is set to include 'Success'.
|
||||||
|
run('auditpol /set /subcategory:"IPsec Driver" /success:enable /failure:enable')
|
||||||
|
|
||||||
|
# Ensure 'Other System Events' is set to include 'Success'.
|
||||||
|
run('auditpol /set /subcategory:"Other System Events" /success:enable /failure:enable')
|
||||||
|
# Ensure 'Security State Change' is set to include 'Success'.
|
||||||
|
run('auditpol /set /subcategory:"Security State Change" /success:enable')
|
||||||
|
# Ensure 'Security System Extension' is set to include 'Success'.
|
||||||
|
run('auditpol /set /subcategory:"Security System Extension" /success:enable')
|
||||||
|
# Ensure 'System Integrity' is set to include 'Success'.
|
||||||
|
run('auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable')
|
||||||
|
|
||||||
|
#CIS - Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'.
|
||||||
|
registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows\Personalization", "NoLockScreenCamera","1")
|
||||||
|
#CIS - Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'.
|
||||||
|
registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows\Personalization", "NoLockScreenSlideshow","1")
|
||||||
|
#CIS - Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'.
|
||||||
|
registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\InputPersonalization", "AllowInputPersonalization ","0")
|
||||||
|
#CIS - Ensure 'Allow Online Tips' is set to 'Disabled'.
|
||||||
|
registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer", "AllowOnlineTips","0")
|
||||||
|
#CIS - Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'.
|
||||||
|
registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "LocalAccountTokenFilterPolicy","0")
|
||||||
|
#CIS - Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'.
|
||||||
|
registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\mrxsmb10", "Start","4")
|
||||||
|
#CIS - Ensure 'Configure SMB v1 server' is set to 'Disabled'.
|
||||||
|
registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters", "SMB1","0")
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@@ -263,6 +361,39 @@ def install():
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
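Review bot: The two `netsh advfirewall firewall add rule` calls in the first hunk nest unescaped double quotes inside a double-quoted Python string (`name="BlockInbound"`, `name="BlockOutbound"`), so setup.py would not parse and none of the hardening in `install()` would run. Even with the quoting fixed, a rule with `dir=in action=block` and no other match fields is not the per-profile default that the CIS comment describes; the default action is set with `firewallpolicy blockinbound,allowoutbound`. The three `LogSuccessfulConnections` writes use `Policies\Microsoft\WindowsFirewall\...` without the `SOFTWARE\` prefix that the other policy keys in this hunk carry. The size-limit line passes `16384` to `allowedconnections` (the size parameter is `maxfilesize`) in a non-raw string with backslashes and overrides the per-profile log names set just above it, and the value name `"AllowInputPersonalization "` has a trailing space. Several audit comments disagree with their commands (for example 'User Account Management' says Success and Failure but only `/success:enable` is passed) and should be reconciled; `install()` begins and ends outside both hunks, and the second hunk's content is not readable on this page.

```python
# … unchanged: XboxNetApiSvc service setting, firewall state on …
#CIS - Ensure 'Windows Firewall: Inbound connections' is 'Block (default)' and 'Outbound connections' is 'Allow (default)' on all profiles.
run("netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound")
# … unchanged: notification setting, per-profile log file names …
#CIS - Ensure 'Windows Firewall: Logging: Size limit (KB)' is set to '16,384 KB or greater' (log file names are left as set per profile above).
run("netsh advfirewall set allprofiles logging maxfilesize 16384")
# … unchanged: dropped-packet logging …
registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging", "LogSuccessfulConnections","1")
registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging", "LogSuccessfulConnections","1")
registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging", "LogSuccessfulConnections","1")
# … unchanged: localconsecrules, auditpol subcategories, lock screen policies …
registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\InputPersonalization", "AllowInputPersonalization","0")
# … unchanged: online tips, UAC token filter, SMBv1 client and server …
```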