Need some help with custom CIS benchmarks for Windows

sms552 · October 27, 2022, 10:29pm

My company took the CIS benchmarks and used them as a guide but made changes to them. I was tasked with writing the controls to match. I do not have a development background but can usually fumble my way through reverse engineering code when I need to. In this case I am stumped. In security policy we have added "Domain Admins" to several policies. I have updated the code to ensure it checks for the proper SID's but the problem is we have 6 different domains. The code I wrote is below but it doesnt work. Is there any way for the control to check just the name and not the SID? I havent found anything online that points to a solution.

control "Profile single process" do
    title "1.6.17 Profile single process "
    desc "The recommended state for this setting is: Administrators and Domain Admins"
    impact 1.0
    describe security_policy do
        its("SeProfileSingleProcessPrivilege") { should include ["S-1-5-32-544"] }
    end
    describe.one do
        describe security_policy do
            its("SeProfileSingleProcessPrivilege") { should include ["S-1-5-21-2130074997-81545660-1235820382-512"] }
        end
        describe security_policy do
            its("SeProfileSingleProcessPrivilege") { should include ["S-1-5-21-3053786073-42204541-311281481-512"] }
        end
        describe security_policy do
            its("SeProfileSingleProcessPrivilege") { should include ["S-1-5-21-2966979743-2295456427-714907244-512"] }
        end
        describe security_policy do
            its("SeProfileSingleProcessPrivilege") { should include ["S-1-5-21-91418938-2878961142-3976046778-512"] }
        end
        describe security_policy do
            its("SeProfileSingleProcessPrivilege") { should include ["S-1-5-21-2850343096-11590899-1094912238-512"] }
        end
        describe security_policy do
            its("SeProfileSingleProcessPrivilege") { should include ["S-1-5-21-3511417508-3068775331-305963285-512"] }
        end
    end
end

Stromweld · October 27, 2022, 10:51pm

There is a translate_sid property. Set it to true like in the example shown here. security_policy resource

sms552 · November 1, 2022, 3:58pm

Sorry for the delay in responding. I have tried this and was unable to get it working. Is there something I am missing. I get a basic "Input/output error - TerminateProcess (Errno::EIO)" when trying to run code as simple as:

describe security_policy(translate_sid: true) do
its("SeDebugPrivilege") { should include "Administrators" }
end

Stromweld · November 1, 2022, 4:05pm

it probably still needs the array ["Administrator"] around the user since it would take in multiple users/groups. What version of inspec are you running?

Topic		Replies	Views
CIS (Windows) Benkmarks Chef Infra (archive)	4	1593	September 28, 2015
Parse SID on security_policy Chef InSpec	2	733	July 26, 2019
Modifying Inspec controls Chef InSpec	1	489	September 14, 2018
AWS security group Chef InSpec	3	860	June 28, 2020
Unable to Skip Inspec Test os-06 (Check for SUID/ SGID blacklist) in DevSec Linux Security Baseline 2.2.0 profile Chef InSpec	0	963	May 10, 2018

Need some help with custom CIS benchmarks for Windows

Related topics