Parameterize 2016 baseline

controls/V-73231.rb

@@ -1,6 +1,6 @@
 control 'V-73231' do
   title "Manually managed application account passwords must be changed at
-  least annually or when a system administrator with knowledge of the password
+  least #{input('app_password_age')} days or when a system administrator with knowledge of the password
   leaves the organization."
   desc  "Setting application account passwords to expire may cause applications
   to stop functioning. However, not changing them on a regular basis exposes them
@@ -19,7 +19,7 @@
   exist. If none exist, this is NA.
 
   If passwords for manually managed application/service accounts are not changed
-  at least annually or when an administrator with knowledge of the password
+  at least #{input('app_password_age')} days or when an administrator with knowledge of the password
   leaves the organization, this is a finding.
 
   Identify manually managed application/service accounts.
@@ -46,7 +46,7 @@
 
   If the Password Last Set date is more than one year old, this is a finding."
   desc "fix", "Change passwords for manually managed application/service
-  accounts at least annually or when an administrator with knowledge of the
+  accounts at least #{input('app_password_age')} days or when an administrator with knowledge of the
   password leaves the organization.
 
   It is recommended that system-managed service accounts be used whenever
@@ -68,7 +68,7 @@
 
       describe "Password age for managed account: #{account_name}" do
         subject { pwd_last_set_days }
-        it { should cmp <= 365 }
+        it { should cmp <= input('app_password_age') }
       end
     end
   else

controls/V-73309.rb

@@ -1,6 +1,6 @@
 control 'V-73309' do
-  title "Windows 2016 account lockout duration must be configured to 15 minutes
-  or greater."
+  title "Windows 2016 account lockout duration must be configured to #{input('pass_lock_duration') == 0? 'until the locked account is released by an administrator.' : "for #{input('pass_lock_duration')} minutes or greater."}"
+
   desc "The account lockout feature, when enabled, prevents brute-force
   password attacks on the system. This parameter specifies the period of time
   that an account will remain locked after the specified number of failed logon
@@ -20,20 +20,20 @@
   Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings
   >> Security Settings >> Account Policies >> Account Lockout Policy.
 
-  If the Account lockout duration is less than 15 minutes (excluding
+  If the Account lockout duration is less than #{input('pass_lock_duration')} minutes (excluding
   0), this is a finding.
 
   Configuring this to 0, requiring an administrator to unlock the account, is
   more restrictive and is not a finding."
   desc "fix", "Configure the policy value for Computer Configuration >> Windows
   Settings >> Security Settings >> Account Policies >> Account Lockout Policy >>
-  Account lockout duration to 15 minutes or greater.
+  Account lockout duration to #{input('pass_lock_duration')} minutes or greater.
 
   A value of 0 is also acceptable, requiring an administrator to unlock the
   account."
   describe.one do
     describe security_policy do
-      its('LockoutDuration') { should be >= 15 }
+      its('LockoutDuration') { should be >= input('pass_lock_duration') }
     end
     describe security_policy do
       its('LockoutDuration') { should eq 0 }

controls/V-73311.rb

@@ -1,6 +1,5 @@
 control 'V-73311' do
-  title "The number of allowed bad logon attempts must be configured to three
-  or less."
+  title "The number of allowed bad logon attempts must be configured to #{input('max_pass_lockout')} or less."
   desc "The account lockout feature, when enabled, prevents brute-force
   password attacks on the system. The higher this value is, the less effective
   the account lockout feature will be in protecting the local system. The number
@@ -23,14 +22,14 @@
   Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings
   >> Security Settings >> Account Policies >> Account Lockout Policy.
 
-  If the Account lockout threshold is 0 or more than 3 attempts, this
+  If the Account lockout threshold is 0 or more than #{input('max_pass_lockout')} attempts, this
   is a finding."
   desc "fix", "Configure the policy value for Computer Configuration >> Windows
   Settings >> Security Settings >> Account Policies >> Account Lockout Policy >>
-  Account lockout threshold to 3 or fewer invalid logon attempts
+  Account lockout threshold to #{input('max_pass_lockout')} or fewer invalid logon attempts
   (excluding 0, which is unacceptable)."
   describe security_policy do
-    its('LockoutBadCount') { should be <= 3 }
+    its('LockoutBadCount') { should be <= input('max_pass_lockout') }
   end
   describe security_policy do
     its('LockoutBadCount') { should be > 0 }

controls/V-73313.rb

@@ -1,6 +1,6 @@
 control 'V-73313' do
   title "The period of time before the bad logon counter is reset must be
-  configured to 15 minutes or greater."
+  configured to #{input('pass_lock_time')} minutes or greater."
   desc "The account lockout feature, when enabled, prevents brute-force
   password attacks on the system. This parameter specifies the period of time
   that must pass after failed logon attempts before the counter is reset to
@@ -24,12 +24,12 @@
   Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings
   >> Security Settings >> Account Policies >> Account Lockout Policy.
 
-  If the Reset account lockout counter after value is less than 15
+  If the Reset account lockout counter after value is less than #{input('pass_lock_time')}
   minutes, this is a finding."
   desc "fix", "Configure the policy value for Computer Configuration >> Windows
   Settings >> Security Settings >> Account Policies >> Account Lockout Policy >>
-  Reset account lockout counter after to at least 15 minutes."
+  Reset account lockout counter after to at least #{input('pass_lock_time')} minutes."
   describe security_policy do
-    its('ResetLockoutCount') { should be >= 15 }
+    its('ResetLockoutCount') { should be >= input('pass_lock_time') }
   end
 end

controls/V-73641.rb

@@ -1,10 +1,10 @@
 control 'V-73641' do
-  title "The maximum age for machine account passwords must be configured to 30
+  title "The maximum age for machine account passwords must be configured to #{input('maximum_password_age_machine')}
   days or less."
   desc "Computer account passwords are changed automatically on a regular
   basis. This setting controls the maximum password age that a machine account
-  may have. This must be set to no more than 30 days, ensuring the machine
-  changes its password monthly."
+  may have. This must be set to no more than #{input('maximum_password_age_machine')} days, ensuring the machine
+  changes its password every #{input('maximum_password_age_machine')} days."
   impact 0.5
   tag "gtitle": 'SRG-OS-000480-GPOS-00227'
   tag "gid": 'V-73641'
@@ -14,7 +14,7 @@
   tag "cci": ['CCI-000366']
   tag "nist": ['CM-6 b', 'Rev_4']
   tag "documentable": false
-  desc "check", "This is the default configuration for this setting (30 days).
+  desc "check", "This is the default configuration for this setting (#{input('maximum_password_age_machine')} days).
 
   If the following registry value does not exist or is not configured as
   specified, this is a finding.
@@ -25,16 +25,16 @@
   Value Name: MaximumPasswordAge
 
   Value Type: REG_DWORD
-  Value: 0x0000001e (30) (or less, but not 0)"
-  desc "fix", "This is the default configuration for this setting (30 days).
+  Value: 0x0000001e (#{input('maximum_password_age_machine')}) (or less, but not 0)"
+  desc "fix", "This is the default configuration for this setting (#{input('maximum_password_age_machine')} days).
 
   Configure the policy value for Computer Configuration >> Windows Settings >>
   Security Settings >> Local Policies >> Security Options >> Domain member:
-  Maximum machine account password age to 30 or less (excluding 0,
+  Maximum machine account password age to #{input('maximum_password_age_machine')} days or less (excluding 0,
   which is unacceptable)."
   describe registry_key('HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters') do
     it { should have_property 'MaximumPasswordAge' }
-    its('MaximumPasswordAge') { should be <= 30 }
+    its('MaximumPasswordAge') { should be <= input('maximum_password_age_machine') }
   end
   describe registry_key('HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters') do
     it { should have_property 'MaximumPasswordAge' }

inspec.yml

@@ -54,6 +54,31 @@ inputs:
     type: Numeric
     value: 3
 
+  - name: pass_lock_duration
+    desc: "List the number of minutes for account lockout duration"
+    type: Numeric
+    value: 15
+
+  - name: max_pass_lockout 
+    desc: "Account lockout threshold based on invalid logon attempts"
+    type: Numeric
+    value: 3
+
+  - name: pass_lock_time
+    desc: "List the number of minutes before a session is locked out"
+    type: Numeric
+    value: 15 
+
+  - name: app_password_age
+    desc: "Set the number of days that manually managed application account passwords must be changed"
+    type: Numeric
+    value: 365 
+
+  - name: maximum_password_age_machine
+    desc: "Set the machine account maximum password age stated by your organiztion"
+    type: Numeric
+    value: 30
+
   - name: administrator_domain_group
     description: 'List of authorized users in the local Administrators domain group'
     type: Array