This is a BETA release.
Version 1.3 is available but is not yet showing as the latest release; this audit is based on version 1.2. Recent updates to the remediation repo mean this audit is now out of date.
- The audit is designed to run as part of the Ansible remediation playbook (coming soon) or as a standalone, configurable script contained within this repo (run_audit.ps1)
- The script discovers and sets several variables to ensure the command runs consistently
- This also allows the audit to be triggered by other automation
- When goss runs, it executes the required OS commands to capture the data for analysis
- For GPO settings, goss runs the PowerShell script ./scripts/gpo_regex.ps1 with arguments to search for the matching policy name
  - Outputs the details if the policy is defined
  - Outputs "Not Defined" if nothing is found
NOTE: The audit is expected to run from a single audit directory (one containing both the goss file and the audit profile); you will need to modify the script paths in vars accordingly.
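The lookup described above (search a gpresult report for a policy name, return its setting, otherwise "Not Defined") is easy to get wrong with a loose substring match. The function below is an added illustration of that idea and is not the repo's ./scripts/gpo_regex.ps1; the report fragment it parses is constructed here, and the "Policy:" / "Computer Setting:" line pair is the layout gpresult /v uses for account and audit policy entries.

```powershell
# Added example, not the repo's gpo_regex.ps1: look a policy up by exact name in the
# text produced by gpresult /v and return its setting, or "Not Defined" when absent.
function Get-GpresultSetting {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,      # gpresult output, one element per line
        [Parameter(Mandatory)] [string]   $PolicyName  # exact policy name, e.g. MaximumPasswordAge
    )
    # gpresult /v prints each security setting as "Policy:  <name>" followed on the next
    # line by "Computer Setting:  <value>". Anchor the whole name so that, for example,
    # a search for MinimumPasswordAge does not also match MinimumPasswordLength.
    $namePattern = '^\s*Policy:\s+' + [regex]::Escape($PolicyName) + '\s*$'
    for ($i = 0; $i -lt $Lines.Count - 1; $i++) {
        if ($Lines[$i] -match $namePattern -and
            $Lines[$i + 1] -match '^\s*Computer Setting:\s+(.*?)\s*$') {
            return $Matches[1]
        }
    }
    return 'Not Defined'
}

# Constructed sample of the relevant part of a gpresult /v report (not captured from a real host).
$sample = @'
    Account Policies
    ----------------
        GPO: Default Domain Policy
            Policy:            MaximumPasswordAge
            Computer Setting:  42

        GPO: Default Domain Policy
            Policy:            MinimumPasswordLength
            Computer Setting:  14
'@ -split "`r?`n"

# A policy present in the report yields its value; one that is absent falls through to "Not Defined".
Get-GpresultSetting -Lines $sample -PolicyName 'MaximumPasswordAge'
Get-GpresultSetting -Lines $sample -PolicyName 'MinimumPasswordAge'

# Against a live host, feed it the real report instead of the sample:
# Get-GpresultSetting -Lines (gpresult /v) -PolicyName 'MaximumPasswordAge'
```

The anchored regex is the point: a bare `-match 'MinimumPasswordAge'` against the whole report would report a value for a policy that is in fact undefined whenever a longer name contains it as a prefix.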
goss gives the ability to audit a local system using a lightweight binary that checks its current state.
The binary is:
- very small (an 11MB executable)
- low in resource impact
- self-contained
Due to the variations that can occur within Windows, this is released as beta. It has been tested on base installations of:
- a standalone system
- a domain controller
- goss.yml - the main goss file to run (has to be passed with -g); this loads all the sections as required
- (benchmark_name).yml - the variables used by the goss file, split into sections to control the variables; this file will get large
- Try to reuse elements/vars as much as possible
- Use variables wherever you can to keep the code efficient
- Build variables up
- Some controls only apply to a DC or an MS; the settings in vars determine whether the host is a DC or an MS (populated by Ansible when run from a task)
- Some controls are written twice because a DC and an MS use different vars (e.g. 2.2.7)
Join us on our Discord Server to ask questions, discuss features, or just chat with other Ansible-Lockdown users.
Permissions: admin rights may be needed to run all the commands
- the same applies if IIS or Exchange is installed
Download goss (current version v0.3.23, alpha for Windows)
- x86_64-goss
- validate the SHA against the published checksum before running the binary
It is suggested that a reboot and a gpupdate are run prior to the audit; otherwise results may differ.
These are just some of the requirements if running goss standalone. Please refer to the goss documentation if running manually.
- goss has to be on the host running the audit (note: the Windows build is currently alpha but works well)
- the environment variable needs to be set: `$env:GOSS_USE_ALPHA=1`
- `gpresult /v /r > file_location.txt` needs to be created (the variable gpresult_file needs to be updated to point at it)
- `auditpol.exe /get /category:* > file_location.txt` needs to be created (the variable auditresults_file needs to be updated)
- `secedit /export /cfg {{ file output location }}` (variable standalone_policies.txt)
  - Because of how this output is written, we need to search for the SIDs of standard users using the Microsoft document below
  - Microsoft_security_identifiers
  - also added to vars for completeness
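The standalone steps above (admin rights, validating the goss SHA, detecting DC vs MS, producing the gpresult/auditpol/secedit reports, setting GOSS_USE_ALPHA and running goss with the vars file) can be tied together in one script. The script below is an added example and is not the repo's run_audit.ps1. The paths, the empty `$ExpectedSha256` placeholder and the `secedit_file` variable name are assumptions; `gpresult_file` and `auditresults_file` are the variable names this README gives, and `--vars-inline`, `--vars`, `-g` and `validate --format json` are standard goss flags.

```powershell
# Added example, not the repo's run_audit.ps1: produce the report files goss reads, then run
# goss standalone. Paths, the expected hash and the secedit_file variable name are assumptions.
$ErrorActionPreference = 'Stop'

$AuditDir       = 'C:\vagrant\Win2016-CIS-Audit'   # assumed: holds goss.yml and CIS.yml
$GossExe        = 'C:\vagrant\goss.exe'            # assumed: where the x86_64 goss binary was saved
$OutDir         = 'C:\vagrant'                     # assumed: where reports and the JSON result go
$ExpectedSha256 = ''                               # paste the SHA-256 published for the goss release

# secedit, auditpol and gpresult all need an elevated session; fail early otherwise.
$principal = New-Object Security.Principal.WindowsPrincipal(
    [Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

# Validate the downloaded binary against the published hash before executing it.
if (-not $ExpectedSha256) { throw 'Set $ExpectedSha256 from the goss release page first.' }
$actual = (Get-FileHash -Algorithm SHA256 -Path $GossExe).Hash
if ($actual -ne $ExpectedSha256) { throw "goss.exe SHA-256 mismatch: got $actual" }

# Timestamp the outputs so repeated runs do not overwrite each other.
$stamp        = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$gpresultFile = Join-Path $OutDir "gpresult_$stamp.txt"
$auditpolFile = Join-Path $OutDir "auditpol_$stamp.txt"
$seceditFile  = Join-Path $OutDir "secedit_$stamp.txt"
$resultFile   = Join-Path $OutDir "audit_$stamp.json"

# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC; lower values are member or
# standalone machines. Some controls only apply to one role, so report which one this is.
$role = (Get-CimInstance Win32_ComputerSystem).DomainRole
$isDC = $role -ge 4
Write-Host ("Host role: {0}" -f $(if ($isDC) { 'Domain Controller' } else { 'Member/Standalone server' }))

# Windows PowerShell's '>' writes UTF-16; write ASCII so text matching on the reports is predictable.
# gpresult /v includes the summary that /r prints, plus the per-setting detail the audit needs.
gpresult /v | Out-File -FilePath $gpresultFile -Encoding ascii
auditpol.exe /get /category:* | Out-File -FilePath $auditpolFile -Encoding ascii
secedit /export /cfg $seceditFile | Out-Null   # secedit writes the file itself
if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

# Hand the report paths to goss without editing CIS.yml: --vars-inline takes a YAML mapping whose
# keys override the same keys from --vars. gpresult_file and auditresults_file are the names this
# README gives; secedit_file is an assumed name, check CIS.yml for the one the audit actually uses.
$inlineVars = "{gpresult_file: '$gpresultFile', auditresults_file: '$auditpolFile', secedit_file: '$seceditFile'}"

$env:GOSS_USE_ALPHA = '1'   # the Windows build of goss is alpha and refuses to run without this
Push-Location $AuditDir     # goss.yml pulls in its sections by relative path, so run from the audit dir
try {
    & $GossExe -g goss.yml --vars CIS.yml --vars-inline $inlineVars validate --format json |
        Out-File -FilePath $resultFile -Encoding utf8
    # goss exits 0 only when every test passed; anything else means failures to review in the JSON.
    Write-Host "goss exit code $LASTEXITCODE; results in $resultFile"
}
finally { Pop-Location }
```

The script deliberately stops before touching the system if the hash placeholder is empty or does not match: the binary runs as admin and reads security policy, so it should not be executed unverified. Note that secedit exports user-rights assignments as SIDs (e.g. *S-1-5-32-545 rather than "Users"), which is why the SID list referenced above is needed when comparing its output.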
```text
PS C:\vagrant\Win2016-CIS-Audit> .\run_audit.ps1
Pre checks - Ensure files exist
OK - "C:\vagrant\goss.exe" exists
OK - "C:\vagrant\Win2016-CIS-Audit\CIS.yml" exists
OK - "C:\vagrant\Win2016-CIS-Audit\goss.yml" exists
OK - Files Exist
Running Audit commands
OK - ran auditpol report - created C:\vagrant\auditpol_1646394033.txt
StandAlone Server system discovered running relevant checks
OK - secedit report - created C:\vagrant\secedit_1646394033.txt
Running Audit
Audit Successful
"summary": {
    "failed-count": 31,
    "summary-line": "Count: 661, Failed: 31, Duration: 44.994s",
    "test-count": 661,
    "total-duration": 44993809300
}
}
Complete audit file can be found at C:\vagrant\audit_1646394033.json
PS C:\vagrant\Win2016-CIS-Audit>
```