nsacyber / Windows-Secure-Host-Baseline

Configuration guidance for implementing the Windows 10 and Windows Server 2016 DoD Secure Host Baseline settings. #nsacyber

Test-Compliance on Windows 2016 #39

Open kman27 opened 7 years ago

kman27 commented 7 years ago

Test-Compliance on Windows 2016 with the audit file: DISA_STIG_Server_2016_v1r1.audit returns the following error.

Cannot validate argument on parameter 'checkType'. The argument CHECK_REGEX does not belong...

FAILED windows Server 2016 is not installed on this system or the Remote Registry service is disabled on the target.

I am thinking that this is because the audit file calls for CHECK_REGEX and the Compliance.psm1 only supports the audit items:

Script currently supports following audit items:
    ANONYMOUS_SID_SETTING
    AUDIT_POLICY_SUBCATEGORY
    AUDIT_POWERSHELL
    CHECK_ACCOUNT
    FILE_CHECK
    FILE_PERMISSIONS
    FILE_VERSION
    LOCKOUT_POLICY
    PASSWORD_POLICY
    REG_CHECK
    REGISTRY_PERMISSIONS
    REGISTRY_SETTING
    REPORT
    SERVICE_POLICY
    USER_RIGHTS_POLICY

iadgovuser1 commented 7 years ago

We haven't incorporated any Windows Server 2016 items into this project yet. We wrote the .audit file for Windows 10 that exists in this repo so it doesn't surprise me that a different audit file doesn't work. That being said, it shouldn't be too hard to add support for CHECK_REGEX.

kman27 commented 7 years ago

Thanks! The other items that I see in the audit file are as follows:

    CHECK_REGEX
    CHECK_NOT_REGEX
    CHECK_EQUAL
    CHECK_NOT_EQUAL
    CHECK_GREATER_THAN_OR_EQUAL
    WMI_POLICY
    AUDIT_USER_TIMESTAMPS

iadgovuser1 commented 7 years ago

@kman27 Thanks for letting us know. We are going to completely rewrite the compliance module at some point so it will be easier for us to use from an automation standpoint and also have better coverage of all the check types.
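A pre-flight check for the mismatch discussed in this thread, as an added example that is not part of the issue or of the project's code: it lists the `type` and `check_type` values in a .audit file that are missing from a supplied list, so coverage gaps are known before Test-Compliance is run. The function name, the sample items and the `key : VALUE` line syntax it parses are assumptions; the supported item types are the ones quoted in the first comment.

```powershell
# Added example; not code from Compliance.psm1.
# Item types the issue lists as supported by Compliance.psm1.
$SupportedTypes = @(
    'ANONYMOUS_SID_SETTING', 'AUDIT_POLICY_SUBCATEGORY', 'AUDIT_POWERSHELL',
    'CHECK_ACCOUNT', 'FILE_CHECK', 'FILE_PERMISSIONS', 'FILE_VERSION',
    'LOCKOUT_POLICY', 'PASSWORD_POLICY', 'REG_CHECK', 'REGISTRY_PERMISSIONS',
    'REGISTRY_SETTING', 'REPORT', 'SERVICE_POLICY', 'USER_RIGHTS_POLICY'
)

function Get-UnlistedAuditKeyword {   # hypothetical helper name
    [CmdletBinding()]
    param(
        # AllowEmptyString: real audit files contain blank lines.
        [Parameter(Mandatory)] [AllowEmptyString()] [string[]] $Line,
        [string[]] $SupportedType = $SupportedTypes,
        # The module's accepted check_type values are not shown in the issue.
        # Left empty, every check_type found is reported for manual comparison.
        [string[]] $SupportedCheckType = @()
    )
    $allowed = @{ type = $SupportedType; check_type = $SupportedCheckType }
    $Line | ForEach-Object {
        # Matches "type : X" and "check_type : X" but not "value_type : X".
        if ($_ -match '^\s*(?<key>type|check_type)\s*:\s*"?(?<value>[A-Z_]+)"?\s*$') {
            [pscustomobject]@{ Keyword = $Matches['key']; Value = $Matches['value'] }
        }
    } | Where-Object { $allowed[$_.Keyword] -notcontains $_.Value } |
        Group-Object Keyword, Value | ForEach-Object {
            [pscustomobject]@{
                Keyword = $_.Group[0].Keyword
                Value   = $_.Group[0].Value
                Items   = $_.Count   # number of audit items using this value
            }
        }
}

# Constructed sample input (not taken from the DISA audit file).
$sample = @'
<custom_item>
  type        : REGISTRY_SETTING
  description : "Constructed item 1"
  check_type  : CHECK_REGEX
</custom_item>
<custom_item>
  type        : WMI_POLICY
  description : "Constructed item 2"
</custom_item>
'@ -split "`r?`n"

Get-UnlistedAuditKeyword -Line $sample | Format-Table -AutoSize
# Real file: Get-UnlistedAuditKeyword -Line (Get-Content .\DISA_STIG_Server_2016_v1r1.audit)
```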