From b4cfb35d5294168f009ff2ff5f5f063e34d0ff2e Mon Sep 17 00:00:00 2001
From: mick
Date: Mon, 27 Jul 2020 09:57:36 +0200
Subject: [PATCH] Add new comparsion "contains"

[+] Add new comparison operator
[*] Update machine finding list
When comparing the audit policy configuration, "Success and Failure" is classified as an issue if only "Success" is recommended. The new comparison operator solves this problem.
---
 Invoke-HardeningKitty.ps1 | 1 +
 lists/finding_list_0x6d69636b_machine.csv | 24 +++++++++++------------
 2 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/Invoke-HardeningKitty.ps1 b/Invoke-HardeningKitty.ps1
index e1e0392..7a93ba6 100644
--- a/Invoke-HardeningKitty.ps1
+++ b/Invoke-HardeningKitty.ps1
@@ -646,6 +646,7 @@
 "=" { If ($Result -eq $Finding.RecommendedValue) { $ResultPassed = $true }; Break}
 "<=" { try { If ([int]$Result -le [int]$Finding.RecommendedValue) { $ResultPassed = $true }} catch { $ResultPassed = $false }; Break}
 ">=" { try { If ([int]$Result -ge [int]$Finding.RecommendedValue) { $ResultPassed = $true }} catch { $ResultPassed = $false }; Break}
+ "contains" { If ($Result.Contains($Finding.RecommendedValue)) { $ResultPassed = $true }; Break}
 }
 If ($ResultPassed) {
diff --git a/lists/finding_list_0x6d69636b_machine.csv b/lists/finding_list_0x6d69636b_machine.csv
index 0a837f7..8ce949d 100644
--- a/lists/finding_list_0x6d69636b_machine.csv
+++ b/lists/finding_list_0x6d69636b_machine.csv
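Review bot: The new `"contains"` branch in Invoke-HardeningKitty.ps1 calls `$Result.Contains(...)` with no guard, unlike the `<=`/`>=` branches, which wrap their comparison in try/catch. If `$Result` is ever null or not a string (its origin is outside the hunk), the method call errors instead of yielding a clean fail. An empty `RecommendedValue` would make every result pass, because any string contains the empty string, and for a hardening audit a false pass is the worse outcome. `String.Contains` is also case-sensitive, whereas the `-eq` used by `=` is not, so the two operators disagree on casing. I would write `"contains" { try { If ($Finding.RecommendedValue -and ([string]$Result).IndexOf([string]$Finding.RecommendedValue, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) { $ResultPassed = $true }} catch { $ResultPassed = $false }; Break}`. The enclosing switch begins outside the hunk.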
@@ -71,30 +71,30 @@
 1417,"Windows Firewall","Log successful connections (Public Profile, Policy)","Registry",,"HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging","LogSuccessfulConnections",,,,0,1,"=","Low"
 1435,"Windows Firewall","Log successful connections (Public Profile)","Registry",,"HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging","LogSuccessfulConnections",,,,0,1,"=","Low"
 1500,"Advanced Audit Policy Configuration","Credential Validation","auditpol",,,,,,,,"Success and Failure","=","Low"
-1501,"Advanced Audit Policy Configuration","Security Group Management","auditpol",,,,,,,"Success","Success","=","Low"
+1501,"Advanced Audit Policy Configuration","Security Group Management","auditpol",,,,,,,"Success","Success","contains","Low"
 1502,"Advanced Audit Policy Configuration","User Account Management","auditpol",,,,,,,"Success","Success and Failure","=","Low"
 1503,"Advanced Audit Policy Configuration","DPAPI Activity","auditpol",,,,,,,,"Success and Failure","=","Low"
-1504,"Advanced Audit Policy Configuration","Plug and Play Events","auditpol",,,,,,,,"Success","=","Low"
-1505,"Advanced Audit Policy Configuration","Process Creation","auditpol",,,,,,,,"Success","=","Low"
-1506,"Advanced Audit Policy Configuration","Account Lockout","auditpol",,,,,,,"Success","Failure","=","Low"
-1507,"Advanced Audit Policy Configuration","Group Membership","auditpol",,,,,,,,"Success","=","Low"
+1504,"Advanced Audit Policy Configuration","Plug and Play Events","auditpol",,,,,,,,"Success","contains","Low"
+1505,"Advanced Audit Policy Configuration","Process Creation","auditpol",,,,,,,,"Success","contains","Low"
+1506,"Advanced Audit Policy Configuration","Account Lockout","auditpol",,,,,,,"Success","Failure","contains","Low"
+1507,"Advanced Audit Policy Configuration","Group Membership","auditpol",,,,,,,,"Success","contains","Low"
 1508,"Advanced Audit Policy Configuration","Logon","auditpol",,,,,,,"Success","Success and Failure","=","Low"
 1509,"Advanced Audit Policy Configuration","Other Logon/Logoff Events","auditpol",,,,,,,,"Success and Failure","=","Low"
-1510,"Advanced Audit Policy Configuration","Special Logon","auditpol",,,,,,,"Success","Success","=","Low"
-1511,"Advanced Audit Policy Configuration","Detailed File Share","auditpol",,,,,,,,"Failure","=","Low"
+1510,"Advanced Audit Policy Configuration","Special Logon","auditpol",,,,,,,"Success","Success","contains","Low"
+1511,"Advanced Audit Policy Configuration","Detailed File Share","auditpol",,,,,,,,"Failure","contains","Low"
 1512,"Advanced Audit Policy Configuration","File Share","auditpol",,,,,,,,"Success and Failure","=","Low"
 1513,"Advanced Audit Policy Configuration","Kernel Object","auditpol",,,,,,,,"Success and Failure","=","Low"
 1514,"Advanced Audit Policy Configuration","Other Object Access Events","auditpol",,,,,,,,"Success and Failure","=","Low"
 1515,"Advanced Audit Policy Configuration","Removable Storage","auditpol",,,,,,,,"Success and Failure","=","Low"
 1516,"Advanced Audit Policy Configuration","SAM","auditpol",,,,,,,"Success","Success and Failure","=","Low"
-1517,"Advanced Audit Policy Configuration","Audit Policy Change","auditpol",,,,,,,"Success","Success","=","Low"
-1518,"Advanced Audit Policy Configuration","Authentication Policy Change","auditpol",,,,,,,"Success","Success","=","Low"
+1517,"Advanced Audit Policy Configuration","Audit Policy Change","auditpol",,,,,,,"Success","Success","contains","Low"
+1518,"Advanced Audit Policy Configuration","Authentication Policy Change","auditpol",,,,,,,"Success","Success","contains","Low"
 1519,"Advanced Audit Policy Configuration","MPSSVC Rule-Level Policy Change","auditpol",,,,,,,,"Success and Failure","=","Low"
-1520,"Advanced Audit Policy Configuration","Other Policy Change Events","auditpol",,,,,,,,"Failure","=","Low"
+1520,"Advanced Audit Policy Configuration","Other Policy Change Events","auditpol",,,,,,,,"Failure","contains","Low"
 1521,"Advanced Audit Policy Configuration","Sensitive Privilege Use","auditpol",,,,,,,,"Success and Failure","=","Low"
 1522,"Advanced Audit Policy Configuration","Other System Events","auditpol",,,,,,,"Success and Failure","Success and Failure","=","Low"
-1523,"Advanced Audit Policy Configuration","Security State Change","auditpol",,,,,,,"Success","Success","=","Low"
-1524,"Advanced Audit Policy Configuration","Security System Extension","auditpol",,,,,,,,"Success","=","Low"
+1523,"Advanced Audit Policy Configuration","Security State Change","auditpol",,,,,,,"Success","Success","contains","Low"
+1524,"Advanced Audit Policy Configuration","Security System Extension","auditpol",,,,,,,,"Success","contains","Low"
 1525,"Advanced Audit Policy Configuration","System Integrity","auditpol",,,,,,,"Success and Failure","Success and Failure","=","Low"
 1600,"System","Control Panel: Prevent enabling lock screen camera","Registry",,"HKLM:\Software\Policies\Microsoft\Windows\Personalization","NoLockScreenCamera",,,,0,1,"=","Low"
 1601,"System","Network: DNS Client: Turn off multicast name resolution (LLMNR)","Registry",,"HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient","EnableMulticast",,,,1,0,"=","Medium"