Parameterize 2016 baseline

controls/V-73229.rb

@@ -1,9 +1,9 @@
 control 'V-73229' do
-  title "Manually managed application account passwords must be at least 15
+  title "Manually managed application account passwords must be at least #{input('minimum_password_length_manual')}
   characters in length."
   desc "Application/service account passwords must be of sufficient length to
   prevent being easily cracked. Application/service accounts that are manually
-  managed must have passwords at least 15 characters in length."
+  managed must have passwords at least #{input('minimum_password_length_manual')} characters in length."
   impact 0.5
   tag "gtitle": 'SRG-OS-000078-GPOS-00046'
   tag "gid": 'V-73229'
@@ -17,13 +17,15 @@
   exist. If none exist, this is NA.
 
   Verify the organization has a policy to ensure passwords for manually managed
-  application/service accounts are at least 15 characters in length.
+  application/service accounts are at least #{input('minimum_password_length_manual')} characters in length.
 
   If such a policy does not exist or has not been implemented, this is a finding."
   desc "fix", "Establish a policy that requires application/service account
-  passwords that are manually managed to be at least 15 characters in length.
+  passwords that are manually managed to be at least #{input('minimum_password_length_manual')} characters in length.
   Ensure the policy is enforced."
-  describe security_policy do
-    its('MinimumPasswordLength') { should be >= 15 }
+  mplm = input('minimum_password_length_manual')
+
+  describe 'Please Check all Accounts that are used for Services or Applications to validate they meet the Password Length Policy, Control is a Manual Check' do
+    skip "Determine if manually managed application/service accounts exist. If none exist, this is NA. Verify the organization has a policy to ensure passwords for manually managed application/service accounts are at least #{mplm} characters in length."
   end
 end

controls/V-73231.rb

@@ -1,6 +1,6 @@
 control 'V-73231' do
   title "Manually managed application account passwords must be changed at
-  least annually or when a system administrator with knowledge of the password
+  least #{input('app_password_age')} days or when a system administrator with knowledge of the password
   leaves the organization."
   desc  "Setting application account passwords to expire may cause applications
   to stop functioning. However, not changing them on a regular basis exposes them
@@ -19,7 +19,7 @@
   exist. If none exist, this is NA.
 
   If passwords for manually managed application/service accounts are not changed
-  at least annually or when an administrator with knowledge of the password
+  at least #{input('app_password_age')} days or when an administrator with knowledge of the password
   leaves the organization, this is a finding.
 
   Identify manually managed application/service accounts.
@@ -46,7 +46,7 @@
 
   If the Password Last Set date is more than one year old, this is a finding."
   desc "fix", "Change passwords for manually managed application/service
-  accounts at least annually or when an administrator with knowledge of the
+  accounts at least #{input('app_password_age')} days or when an administrator with knowledge of the
   password leaves the organization.
 
   It is recommended that system-managed service accounts be used whenever
@@ -68,7 +68,7 @@
 
       describe "Password age for managed account: #{account_name}" do
         subject { pwd_last_set_days }
-        it { should cmp <= 365 }
+        it { should cmp <= input('app_password_age') }
       end
     end
   else

controls/V-73259.rb

@@ -19,9 +19,9 @@
 
   Domain Controllers:
 
-  Enter Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 35.00:00:00
+  Enter \"Search-ADAccount -AccountInactive -UsersOnly -TimeSpan #{input('unused_account_age')}.00:00:00\"
 
-  This will return accounts that have not been logged on to for 35 days, along
+  This will return accounts that have not been logged on to for  #{input('unused_account_age')} days, along
   with various attributes such as the Enabled status and LastLogonDate.
 
   Member servers and standalone systems:
@@ -54,18 +54,18 @@
   - Built-in guest account (Renamed, Disabled, SID ending in 501)
   - Application accounts
 
-  If any enabled accounts have not been logged on to within the past 35 days,
+  If any enabled accounts have not been logged on to within the past #{input('unused_account_age')} days,
   this is a finding.
 
   Inactive accounts that have been reviewed and deemed to be required must be
   documented with the ISSO."
   desc "fix", "Regularly review accounts to determine if they are still active.
-  Remove or disable accounts that have not been used in the last 35 days."
+  Remove or disable accounts that have not been used in the last #{input('unused_account_age')} days."
 
   domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip
-
+  age = input('unused_account_age')
   if domain_role == '4' || domain_role == '5'
-    user_query = "Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 35.00:00:00 | Where-Object { ($_.SID -notlike '*500') -and ($_.SID -notlike '*501') -and ($_.Enabled -eq $true) } | Select-Object @{Name=\"name\";Expression={$_.SamAccountName}}, @{Name=\"lastLogin\";Expression={$_.LastLogonDate}} | ConvertTo-Json"
+    user_query = "Search-ADAccount -AccountInactive -UsersOnly -TimeSpan #{age}.00:00:00 | Where-Object { ($_.SID -notlike '*500') -and ($_.SID -notlike '*501') -and ($_.Enabled -eq $true) } | Select-Object @{Name=\"name\";Expression={$_.SamAccountName}}, @{Name=\"lastLogin\";Expression={$_.LastLogonDate}} | ConvertTo-Json"
   else
     user_query = <<-FOO
       $users = @() 
@@ -112,8 +112,8 @@
           expect(subject).not_to(cmp nil)
         end
         subject { account['lastLogin'] }
-        it "should not be more than 35 days" do
-          expect(subject).to(be <= 35)
+        it "should not be more than #{input("unused_account_age")} days" do
+          expect(subject).to(be <= age)
         end
       end
     end

controls/V-73309.rb

@@ -1,6 +1,6 @@
 control 'V-73309' do
-  title "Windows 2016 account lockout duration must be configured to 15 minutes
-  or greater."
+  title "Windows 2016 account lockout duration must be configured to #{input('pass_lock_duration') == 0? 'until the locked account is released by an administrator.' : "for #{input('pass_lock_duration')} minutes or greater."}"
+
   desc "The account lockout feature, when enabled, prevents brute-force
   password attacks on the system. This parameter specifies the period of time
   that an account will remain locked after the specified number of failed logon
@@ -20,20 +20,22 @@
   Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings
   >> Security Settings >> Account Policies >> Account Lockout Policy.
 
-  If the Account lockout duration is less than 15 minutes (excluding
+  If the Account lockout duration is less than #{input('pass_lock_duration')} minutes (excluding
   0), this is a finding.
 
   Configuring this to 0, requiring an administrator to unlock the account, is
   more restrictive and is not a finding."
   desc "fix", "Configure the policy value for Computer Configuration >> Windows
   Settings >> Security Settings >> Account Policies >> Account Lockout Policy >>
-  Account lockout duration to 15 minutes or greater.
+  Account lockout duration to #{input('pass_lock_duration')} minutes or greater.
 
   A value of 0 is also acceptable, requiring an administrator to unlock the
   account."
+
+  pass_lock_duration = input('pass_lock_duration')
   describe.one do
     describe security_policy do
-      its('LockoutDuration') { should be >= 15 }
+      its('LockoutDuration') { should be >= input('pass_lock_duration') }
     end
     describe security_policy do
       its('LockoutDuration') { should eq 0 }

controls/V-73311.rb

@@ -1,6 +1,5 @@
 control 'V-73311' do
-  title "The number of allowed bad logon attempts must be configured to three
-  or less."
+  title "The number of allowed bad logon attempts must be configured to #{input('max_pass_lockout')} or less."
   desc "The account lockout feature, when enabled, prevents brute-force
   password attacks on the system. The higher this value is, the less effective
   the account lockout feature will be in protecting the local system. The number
@@ -23,14 +22,14 @@
   Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings
   >> Security Settings >> Account Policies >> Account Lockout Policy.
 
-  If the Account lockout threshold is 0 or more than 3 attempts, this
+  If the Account lockout threshold is 0 or more than #{input('max_pass_lockout')} attempts, this
   is a finding."
   desc "fix", "Configure the policy value for Computer Configuration >> Windows
   Settings >> Security Settings >> Account Policies >> Account Lockout Policy >>
-  Account lockout threshold to 3 or fewer invalid logon attempts
+  Account lockout threshold to #{input('max_pass_lockout')} or fewer invalid logon attempts
   (excluding 0, which is unacceptable)."
   describe security_policy do
-    its('LockoutBadCount') { should be <= 3 }
+    its('LockoutBadCount') { should be <= input('max_pass_lockout') }
   end
   describe security_policy do
     its('LockoutBadCount') { should be > 0 }

controls/V-73313.rb

@@ -1,6 +1,6 @@
 control 'V-73313' do
   title "The period of time before the bad logon counter is reset must be
-  configured to 15 minutes or greater."
+  configured to #{input('pass_lock_time')} minutes or greater."
   desc "The account lockout feature, when enabled, prevents brute-force
   password attacks on the system. This parameter specifies the period of time
   that must pass after failed logon attempts before the counter is reset to
@@ -24,12 +24,12 @@
   Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings
   >> Security Settings >> Account Policies >> Account Lockout Policy.
 
-  If the Reset account lockout counter after value is less than 15
+  If the Reset account lockout counter after value is less than #{input('pass_lock_time')}
   minutes, this is a finding."
   desc "fix", "Configure the policy value for Computer Configuration >> Windows
   Settings >> Security Settings >> Account Policies >> Account Lockout Policy >>
-  Reset account lockout counter after to at least 15 minutes."
+  Reset account lockout counter after to at least #{input('pass_lock_time')} minutes."
   describe security_policy do
-    its('ResetLockoutCount') { should be >= 15 }
+    its('ResetLockoutCount') { should be >= input('pass_lock_time') }
   end
 end

controls/V-73315.rb

@@ -1,10 +1,10 @@
 control 'V-73315' do
-  title 'The password history must be configured to 24 passwords remembered.'
+  title "The password history must be configured to #{input('password_history_size')} passwords remembered."
   desc  "A system is more vulnerable to unauthorized access when system users
   recycle the same password several times without being required to change to a
   unique password on a regularly scheduled basis. This enables users to
   effectively negate the purpose of mandating periodic password changes. The
-  default value is 24 for Windows domain systems. DoD has decided this is the
+  default value is #{input('password_history_size')} for Windows domain systems. DoD has decided this is the
   appropriate value for all Windows systems."
   impact 0.5
   tag "gtitle": 'SRG-OS-000077-GPOS-00045'
@@ -22,12 +22,12 @@
   Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings
   >> Security Settings >> Account Policies >> Password Policy.
 
-  If the value for Enforce password history is less than 24 passwords
+  If the value for Enforce password history is less than #{input('password_history_size')} passwords
   remembered, this is a finding."
   desc "fix", "Configure the policy value for Computer Configuration >> Windows
   Settings >> Security Settings >> Account Policies >> Password Policy >>
-  Enforce password history to 24 passwords remembered."
+  Enforce password history to #{input('password_history_size')} passwords remembered."
   describe security_policy do
-    its('PasswordHistorySize') { should cmp >= 24 }
+    its('PasswordHistorySize') { should be >= input('password_history_size') } 
   end
 end

controls/V-73321.rb

@@ -1,5 +1,5 @@
 control 'V-73321' do
-  title 'The minimum password length must be configured to 14 characters.'
+  title "The minimum password length must be configured to #{input('minimum_password_length')} characters."
   desc  "Information systems not protected with strong password schemes
   (including passwords of minimum length) provide the opportunity for anyone to
   crack the password, thus gaining access to the system and compromising the
@@ -20,12 +20,12 @@
   Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings
   >> Security Settings >> Account Policies >> Password Policy.
 
-  If the value for the Minimum password length, is less than 14
+  If the value for the Minimum password length, is less than #{input('minimum_password_length')}
   characters, this is a finding."
   desc "fix", "Configure the policy value for Computer Configuration >> Windows
   Settings >> Security Settings >> Account Policies >> Password Policy >>
-  Minimum password length to 14 characters."
+  Minimum password length to #{input('minimum_password_length')} characters."
   describe security_policy do
-    its('MinimumPasswordLength') { should be >= 14 }
+    its('MinimumPasswordLength') { should be >= input('minimum_password_length')}
   end
 end

controls/V-73387.rb

@@ -1,6 +1,6 @@
 control 'V-73387' do
   title "The directory service must be configured to terminate LDAP-based
-  network connections to the directory server after 5 minutes of inactivity."
+  network connections to the directory server after #{input('maximum_idle_time')} minutes of inactivity."
   desc "The failure to terminate inactive network connections increases the
   risk of a successful attack on the directory server. The longer an established
   session is in progress, the more time an attacker has to hijack the session,
@@ -35,7 +35,7 @@
 
   At the ldap policy: prompt, enter show values.
 
-  If the value for MaxConnIdleTime is greater than 300 (5 minutes) or is not
+  If the value for MaxConnIdleTime is greater than \"#{input('maximum_idle_time')*60}\" (#{input('maximum_idle_time')} minutes) or is not
   specified, this is a finding.
 
   Enter q at the ldap policy: and ntdsutil: prompts to exit.
@@ -53,31 +53,20 @@
   of the domain being reviewed (e.g., dc=disaost,dc=mil).
 
   If the results do not specify a MaxConnIdleTime or it has a value greater
-  than 300 (5 minutes), this is a finding."
+  than \"#{input('maximum_idle_time')*60}\" (#{input('maximum_idle_time')} minutes), this is a finding."
   desc "fix", "Configure the directory service to terminate LDAP-based network
-  connections to the directory server after 5 minutes of inactivity.
+  connections to the directory server after #{input('maximum_idle_time')} minutes of inactivity.
+    Open an elevated \"Command prompt\" (run as administrator).
+    Enter \"ntdsutil\".
+    At the \"ntdsutil:\" prompt, enter \"LDAP policies\".
+    At the \"ldap policy:\" prompt, enter \"connections\".
+    At the \"server connections:\" prompt, enter \"connect to server [host-name]\" (where [host-name] is the computer name of the domain controller).
+    At the \"server connections:\" prompt, enter \"q\".
+    At the \"ldap policy:\" prompt, enter \"Set MaxConnIdleTime to #{input('maximum_idle_time')*60}\".
+    Enter \"Commit Changes\" to save.
+    Enter \"Show values\" to verify changes.
+    Enter \"q\" at the \"ldap policy:\" and \"ntdsutil:\" prompts to exit."
 
-  Open an elevated Command prompt (run as administrator).
-
-  Enter ntdsutil.
-
-  At the ntdsutil: prompt, enter LDAP policies.
-
-  At the ldap policy: prompt, enter connections.
-
-  At the server connections: prompt, enter connect to server [host-name]
-  (where [host-name] is the computer name of the domain controller).
-
-  At the server connections: prompt, enter q.
-
-  At the ldap policy: prompt, enter Set MaxConnIdleTime to 300.
-
-  Enter Commit Changes to save.
-
-  Enter Show values to verify changes.
-
-  Enter q at the ldap policy: and ntdsutil: prompts to exit."
-  max_conn_idle_time = input('max_conn_idle_time')
   domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip
   if domain_role == '4' || domain_role == '5'
     query = command("dsquery * \"cn=Default Query Policy,cn=Query-Policies,cn=Directory Service, cn=Windows NT,cn=Services,cn=Configuration," + input('forrest') + "\" -attr LDAPAdminLimits").stdout
@@ -88,7 +77,7 @@
     end
     describe "The MaxConnIdleTime" do
       subject { ldap_admin_limits['MaxConnIdleTime'] }
-      it { should cmp <= 300 }
+      it { should cmp <= input("maximum_idle_time")*60 } 
     end
   else
     impact 0.0

controls/V-73641.rb

@@ -1,10 +1,10 @@
 control 'V-73641' do
-  title "The maximum age for machine account passwords must be configured to 30
+  title "The maximum age for machine account passwords must be configured to #{input('maximum_password_age_machine')}
   days or less."
   desc "Computer account passwords are changed automatically on a regular
   basis. This setting controls the maximum password age that a machine account
-  may have. This must be set to no more than 30 days, ensuring the machine
-  changes its password monthly."
+  may have. This must be set to no more than #{input('maximum_password_age_machine')} days, ensuring the machine
+  changes its password every #{input('maximum_password_age_machine')} days."
   impact 0.5
   tag "gtitle": 'SRG-OS-000480-GPOS-00227'
   tag "gid": 'V-73641'
@@ -14,7 +14,7 @@
   tag "cci": ['CCI-000366']
   tag "nist": ['CM-6 b', 'Rev_4']
   tag "documentable": false
-  desc "check", "This is the default configuration for this setting (30 days).
+  desc "check", "This is the default configuration for this setting (#{input('maximum_password_age_machine')} days).
 
   If the following registry value does not exist or is not configured as
   specified, this is a finding.
@@ -25,16 +25,16 @@
   Value Name: MaximumPasswordAge
 
   Value Type: REG_DWORD
-  Value: 0x0000001e (30) (or less, but not 0)"
-  desc "fix", "This is the default configuration for this setting (30 days).
+  Value: 0x0000001e (#{input('maximum_password_age_machine')}) (or less, but not 0)"
+  desc "fix", "This is the default configuration for this setting (#{input('maximum_password_age_machine')} days).
 
   Configure the policy value for Computer Configuration >> Windows Settings >>
   Security Settings >> Local Policies >> Security Options >> Domain member:
-  Maximum machine account password age to 30 or less (excluding 0,
+  Maximum machine account password age to #{input('maximum_password_age_machine')} days or less (excluding 0,
   which is unacceptable)."
   describe registry_key('HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters') do
     it { should have_property 'MaximumPasswordAge' }
-    its('MaximumPasswordAge') { should be <= 30 }
+    its('MaximumPasswordAge') { should be <= input('maximum_password_age_machine') }
   end
   describe registry_key('HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters') do
     it { should have_property 'MaximumPasswordAge' }