[![AppVeyor Build Status](https://ci.appveyor.com/api/projects/status/github/plus3it/ash-windows-formula?branch=master&svg=true)](https://ci.appveyor.com/project/plus3it/ash-windows-formula)
# ash-windows-formula
Automated System Hardening - Windows (*ash-windows*) is a Salt Formula for
applying a security baseline to a Windows system. The *ash-windows* security
baselines are developed from guidance provided by the OS vendor and guidance
derived from [Security Control Automated Protocol (SCAP) content][2] based on
[DISA Secure Technical Implementation Guides (STIGs)][4]. [SCAP][1] is a
program managed by the [National Institute of Standards and Technology
(NIST)][0].
## Supported Windows and Internet Explorer Versions
- Microsoft Windows Server 2008 R2
- Microsoft Windows Server 2012 R2
- Microsoft Windows Server 2016
- Microsoft Windows 8.1
- Microsoft Windows 10 (SCM Baseline only for now, until DISA STIG is released)
- Microsoft Internet Explorer 8
- Microsoft Internet Explorer 9
- Microsoft Internet Explorer 10
- Microsoft Internet Explorer 11
## Available Baselines
### ash-windows.scm
The **Microsoft SCM Baseline** (`ash-windows.scm`) is based on guidance
provided by Microsoft through the [Microsoft Security Compliance Manager
(SCM)][3]. This baseline includes the following steps:
- Install the [Maximum Segment Size (MSS)][5] extensions for the local group
policy editor
- Install the [Pass the Hash (PtH)][6] extensions for the local group
policy editor
- Apply the OS security policies from the Microsoft SCM baseline
- Apply the IE security policies from the Microsoft SCM baseline
- Apply the audit policies from the Microsoft SCM baseline
### ash-windows.stig
The **DISA STIG Baseline** (`ash-windows.stig`) is derived from a SCAP scan
based on the [DISA STIG][4] benchmark. This baseline includes the following
steps:
- Apply the Microsoft SCM baseline (includes everything listed in
[ash-windows.scm](#ash-windowsscm))
- Apply the OS security policies from the DISA STIG baseline
    - The settings configured by the baseline are available from the DISA STIG
      website
- Apply the IE security policies from the DISA STIG baseline
- Apply the audit policies from the DISA STIG baseline
### ash-windows.delta
The **Delta baseline** (`ash-windows.delta`) is used both to enforce
additional security settings and to loosen them where they interfere with
operation of the system. For example, the Microsoft SCM policy will prevent
local accounts from logging on remotely, including the local administrator.
When a system is joined to a domain, this isn't a problem as domain accounts
would still be able to login. However, on a system that is not (or not yet)
joined to a domain, or in environments where there is no local console access
(such as many cloud infrastructures), this setting effectively bricks the
system. As this formula is intended to support both domain-joined and
non-domain-joined systems, as well as infrastructures of all types, the delta
policy loosens this security setting. In a domain, it would be recommended to
use group policy to re-apply this setting.
The **Delta** policy is also used to address inconsistencies across baseline
versions and between different OS versions. For example, the DISA STIG for
Windows 2008 R2 has a requirement to change the name of the local
administrator account. For whatever reason, this requirement is not present in
the STIG for Windows 2012 R2. For the sake of operational consistency, the
**Delta** policy modifies the name of the local administrator account for all
OS versions.
This baseline is not included by any other states. It must be applied using
targeting via top.sls, orchestrate, or an external utility. Below are all the
configuration tasks of the **Delta** policy:
- Rename local guest account to `xGuest`
- Rename local administrator account to `xAdministrator`
- Remove `NT Authority\Local Account` from the deny network logon right and
  the deny remote interactive logon right; the **Delta** baseline settings,
  listed below, deny only the Guest account:
    - `SeDenyRemoteInteractiveLogonRight` = `*S-1-5-32-546`
    - `SeDenyNetworkLogonRight` = `*S-1-5-32-546`
- Allow users to ignore certificate errors in IE:
    - `HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\PreventIgnoreCertErrors` = `0`
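
The following audit check is an added example, not code from the formula. It parses the `[Privilege Rights]` section of a `secedit /export` file and reports whether the two deny rights match the Delta settings, and, on a domain member, whether local accounts still need to be denied again through group policy. It assumes the export lists principals as `*SID`; `S-1-5-113` is the well-known SID for `NT AUTHORITY\Local account`, and the sample export is constructed.

```python
GUESTS_SID = "S-1-5-32-546"       # the only principal the Delta baseline denies
LOCAL_ACCOUNT_SID = "S-1-5-113"   # well-known SID of NT AUTHORITY\Local account
DENY_RIGHTS = ("SeDenyNetworkLogonRight", "SeDenyRemoteInteractiveLogonRight")

# Constructed sample of a `secedit /export` INF after the Delta baseline ran.
DELTA_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-32-546
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
"""


def parse_privilege_rights(inf_text):
    """Return {right: set of SIDs} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {
                sid.strip().lstrip("*") for sid in value.split(",") if sid.strip()
            }
    return rights


def audit_deny_rights(inf_text, domain_joined):
    """List deviations from the Delta settings for this host type."""
    rights = parse_privilege_rights(inf_text)
    findings = []
    for right in DENY_RIGHTS:
        denied = rights.get(right, set())
        if GUESTS_SID not in denied:
            findings.append(f"{right}: {GUESTS_SID} is not denied")
        if domain_joined and LOCAL_ACCOUNT_SID not in denied:
            findings.append(f"{right}: local accounts not denied; re-apply via group policy")
    return findings


if __name__ == "__main__":
    for finding in audit_deny_rights(DELTA_EXPORT, domain_joined=True):
        print(finding)
```
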
### ash-windows.custom
The **Custom Baseline** (`ash-windows.custom`) is designed to allow the user to
define and apply their own baseline policy or policies to a system. This can
also be used to override a policy from another baseline. For example, the
`ash-windows.stig` baseline could be applied to a system first, then the
`ash-windows.custom` policy could be applied to change a specific setting from
the DISA STIG that interfered with the purpose of the system.
This baseline works by reading policies from both pillar and grains using the
key `ash-windows:lookup:custom_policies`. If the same policy setting is
defined in both pillar and grains, the policy in grains takes precedence (as
grains are considered more "local"). However, if the pillar policy includes
the flag `no_override: True`, then the pillar policy is always enforced. One
use case for this feature is to allow a central team managing the salt master
to determine whether specific policy settings should never be overridden by a
local administrator.
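
The precedence rule described above, as an added example that is not the formula's own code. It assumes a `regpol` policy is identified by its `policy_type` and `key`, compared case-insensitively; the `source` field, the function names and the sample policies are hypothetical.

```python
def policy_id(policy):
    # Assumption: policy_type + registry key identify "the same policy setting".
    return (policy["policy_type"].lower(), policy["key"].lower())


def merge_custom_policies(pillar_policies, grain_policies):
    """Return (effective, blocked) for ash-windows:lookup:custom_policies.

    Grains win over pillar for the same setting unless the pillar entry
    carries no_override: True; such grain entries are returned in `blocked`
    so a central team can see which local overrides were refused.
    """
    effective = {policy_id(p): dict(p, source="pillar") for p in pillar_policies}
    blocked = []
    for grain in grain_policies:
        pid = policy_id(grain)
        if effective.get(pid, {}).get("no_override") is True:
            blocked.append(grain)  # pinned by pillar: the local value is ignored
            continue
        effective[pid] = dict(grain, source="grains")
    return list(effective.values()), blocked


# Constructed sample data (not taken from the formula's repository).
PILLAR = [
    {"policy_type": "regpol", "key": r"HKLM\Software\Salt\Foo",
     "value": 1, "vtype": "REG_DWORD", "no_override": True},
    {"policy_type": "regpol", "key": r"HKLM\Software\Salt\Bar",
     "value": 1, "vtype": "REG_DWORD"},
]
GRAINS = [
    {"policy_type": "regpol", "key": r"hklm\software\salt\foo",
     "value": 0, "vtype": "REG_DWORD"},  # refused: pillar sets no_override
    {"policy_type": "regpol", "key": r"HKLM\Software\Salt\Bar",
     "value": 0, "vtype": "REG_DWORD"},  # accepted: grains take precedence
    {"policy_type": "regpol", "key": r"HKLM\Software\Salt\Baz",
     "value": 5, "vtype": "REG_DWORD"},  # grain-only policy, added as-is
]

if __name__ == "__main__":
    effective, blocked = merge_custom_policies(PILLAR, GRAINS)
    for p in effective:
        print(p["source"], p["key"], p["value"])
    print("blocked overrides:", [p["key"] for p in blocked])
```
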
This baseline is not included by any other states. It must be applied using
targeting via top.sls, orchestrate, or an external utility. See the
[Configuration](#Configuration) section for examples of how to define custom
policies for use with the Custom Baseline.
## Configuration
The *ash-windows* formula supports configuration via pillar. The `role` and
`custom_policies` settings may alternatively be set via grains. All settings
must be namespaced under the `ash-windows:lookup` key. The available settings
include:
- `apply_lgpo_source`: URL to the [Apply_LGPO_Delta][7] utility. This utility
  is used to apply policies as Local Group Policy Objects. Defaults to:
    - `https://s3.amazonaws.com/watchmaker/repo/microsoft/lgpo/Apply_LGPO_Delta.exe`
- `apply_lgpo_source_hash`: URL to a file containing the hash of the
  Apply_LGPO_Delta utility. Defaults to:
    - `https://s3.amazonaws.com/watchmaker/repo/microsoft/lgpo/Apply_LGPO_Delta.exe.SHA512`
- `apply_lgpo_filename`: Full path on the local file system (including the
  filename) where the Apply_LGPO_Delta utility will be saved. Defaults to:
    - `C:\Windows\System32\Apply_LGPO_Delta.exe`
- `logdir`: Path on the local filesystem where the formula will store output
  of any command line [tools](#Tools) that apply baseline settings. Defaults to:
    - `C:\Ash\logs`
- `role`: Sets the role-type of the server. This setting may be configured via
  the pillar or grain system. The grain value will take precedence over the
  pillar value. The `role` value may be one of:
    - `MemberServer` - this is the default for a Server OS
    - `DomainController`
    - `Workstation` - this is the default for a Desktop OS
- `custom_policies`: A list of policy dictionaries. This key is used by the
  [Custom Baseline](#ash-windowscustom) to apply a user-specified baseline to a
  system. Each policy dictionary may either be a 'regpol' policy or a 'secedit'
  policy. 'regpol' policies are used to manage registry entries. 'secedit'
  policies are used to manage [Privilege Rights][9] and [Systems Access][10]
  settings.
Below is an example pillar structure:
```
ash-windows:
  lookup:
    apply_lgpo_source: https://s3.amazonaws.com/watchmaker/repo/microsoft/lgpo/Apply_LGPO_Delta.exe
    apply_lgpo_source_hash: https://s3.amazonaws.com/watchmaker/repo/microsoft/lgpo/Apply_LGPO_Delta.exe.SHA512
    apply_lgpo_filename: C:\Windows\System32\Apply_LGPO_Delta.exe
    logdir: C:\Ash\logs
    role: MemberServer
    custom_policies:
      - policy_type: regpol
        key: HKLM\Software\Salt\Foo
        value: 1
        vtype: REG_DWORD
      - policy_type: regpo
```