Update PowerSTIG to parse the IIS 8.5 1.9 Site and Server STIGs #537
Reviewed 12 of 12 files at r1.
Reviewable status: complete! all files reviewed, all discussions resolved (waiting on @jcwalker)
Reviewable status: all files reviewed, 2 unresolved discussions (waiting on @erjenkin and @jcwalker)
Module/Rule.WebAppPool/Convert/Methods.ps1, line 111 at r1 (raw file):
{ $PsItem -match 'idleTimeout' } { return "[TimeSpan]{0} -le [TimeSpan]'00:20:00' -and [TimeSpan]{0} -ne [TimeSpan]'00:00:00'"
FYI, perhaps a better trap would be -gt 0 instead of -ne 0.
StigData/Archive/Web Server/U_MS_IIS_8-5_Server_STIG_V1R9_Manual-xccdf.log, line 2 at r1 ([raw file](https://github.com/microsoft/powerstig/blob/ea5fae154880c1b0ecd575ab7a6031292c8d0d6c/StigData/Archive/Web Server/U_MS_IIS_8-5_Server_STIG_V1R9_Manual-xccdf.log#L2)):
V-76695::This check does not apply to service account IDs utilized by automated services necessary to process, manage, and store log files::If an account associated with roles other than auditors V-76759::*::HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server'; ValueData = 0; ValueName = 'DisabledByDefault'; ValueType = 'DWORD'}<splitRule>HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'; ValueData = 0; ValueName = 'DisabledByDefault'; ValueType = 'DWORD'}<splitRule>HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server'; ValueData = 1; ValueName = 'DisabledByDefault'; ValueType = 'DWORD'}<splitRule>HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server'; ValueData = 1; ValueName = 'DisabledByDefault'; ValueType = 'DWORD'}<splitRule>HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server'; ValueData = 1; ValueName = 'DisabledByDefault'; ValueType = 'DWORD'}<splitRule>HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server'; ValueData = 0; ValueName = 'Enabled'; ValueType = 'DWORD'}<splitRule>HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server'; ValueData = 
0; ValueName = 'Enabled'; ValueType = 'DWORD'}<splitRule>HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server'; ValueData = 0; ValueName = 'Enabled'; ValueType = 'DWORD'}
Looks perfect.
StigData/Processed/IISServer-8.5-1.9.org.default.xml, line 9 at r1 (raw file):
--> <OrganizationalSettings fullversion="1.9"> <!-- Ensure ''V-76727.b'' -le '00:20:00'-->
Minor. Should update to match the test for -ne 0.
StigData/Processed/IISSite-8.5-1.9.xml, line 847 at r1 (raw file):
<Key>idleTimeout</Key> <OrganizationValueRequired>True</OrganizationValueRequired> <OrganizationValueTestString>[TimeSpan]{0} -le [TimeSpan]'00:20:00' -and [TimeSpan]{0} -ne [TimeSpan]'00:00:00'</OrganizationValueTestString>
FYI. Again, recommend -gt 0.
StigData/Processed/IISServer-8.5-1.9.org.default.xml, line 9 at r1 (raw file): Previously, stevehose (Steve Hose) wrote…
this is a different rule that states 20 mins or less only
Module/Rule.WebAppPool/Convert/Methods.ps1, line 111 at r1 (raw file): Previously, stevehose (Steve Hose) wrote…
Updated thanks
StigData/Processed/IISSite-8.5-1.9.xml, line 847 at r1 (raw file): Previously, stevehose (Steve Hose) wrote…
Updated thanks
StigData/Archive/Web Server/U_MS_IIS_8-5_Server_STIG_V1R9_Manual-xccdf.log, line 2 at r1 ([raw file](https://github.com/microsoft/powerstig/blob/ea5fae154880c1b0ecd575ab7a6031292c8d0d6c/StigData/Archive/Web Server/U_MS_IIS_8-5_Server_STIG_V1R9_Manual-xccdf.log#L2)): Previously, stevehose (Steve Hose) wrote…
Done.
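The two forms of the `idleTimeout` test string discussed in this review, evaluated side by side in an added PowerShell example that is not PowerSTIG code. The `Test-IdleTimeoutValue` helper and the sample values are hypothetical, and substituting a single-quoted literal into `{0}` is an assumption about how such a test string is evaluated.

```powershell
# Added example, not PowerSTIG code. The first test string is copied from the review;
# the -gt variant is the form the reviewer suggests.
$neZero = "[TimeSpan]{0} -le [TimeSpan]'00:20:00' -and [TimeSpan]{0} -ne [TimeSpan]'00:00:00'"
$gtZero = "[TimeSpan]{0} -le [TimeSpan]'00:20:00' -and [TimeSpan]{0} -gt [TimeSpan]'00:00:00'"

function Test-IdleTimeoutValue {
    # Hypothetical helper: substitutes a value into {0} and evaluates the expression.
    param(
        [Parameter(Mandatory)] [string] $TestString,
        [Parameter(Mandatory)] [string] $Value
    )

    # Parse first, so only a canonical TimeSpan literal is ever placed in the
    # expression; anything that is not a TimeSpan fails the test outright.
    $parsed = [TimeSpan]::Zero
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    if (-not [TimeSpan]::TryParse($Value, $culture, [ref] $parsed)) {
        return $false
    }

    # Assumption: {0} receives a single-quoted literal, e.g. '00:15:00'.
    $literal = "'{0}'" -f $parsed.ToString('c')
    $expression = $TestString -f $literal
    return [bool] (& ([scriptblock]::Create($expression)))
}

# Constructed sample values: in range, upper bound, disabled (zero), too long,
# negative, and not a TimeSpan at all.
$samples = '00:15:00', '00:20:00', '00:00:00', '00:25:00', '-00:05:00', 'never'

$samples | ForEach-Object {
    [pscustomobject]@{
        Value  = $_
        NeZero = Test-IdleTimeoutValue -TestString $neZero -Value $_
        GtZero = Test-IdleTimeoutValue -TestString $gtZero -Value $_
    }
} | Format-Table -AutoSize
```

The two columns agree for every sample except the negative one, which satisfies `-ne` zero but not `-gt` zero.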
* Updated based on issue (#523) * Feature request: additional support for servicerule properties #514 (#525) * Added property based on community request * updated issue version * Updated win10 system drive path in convert module (#526) * added support for 2012R2 MS/DC 2.17/2.18 (#532) * added support for 2012R2 MS/DC 2.17/2.18 * added new line on the xccdf * removed tab from processed xml. * updated to successfully parse Win10 V1R19 (#534) * added support for FireFox 4.27 (#541) * added support for IE 1.18 (#539) * added support for .net 4.0 V1R9 (#536) * Update PowerSTIG to parse the IIS 8.5 1.9 Site and Server STIGs (#537) * Initial Convert and update IIS 8.5 1.9 * remove n-2 STIGs * removed quotes * added newline to raw xccdf * updated based on PR feedback * Update PowerSTIG to successfully parse Microsoft SQL Server 2016 Instance STIG - Ver 1, Rel 7 (#544) * fixed and updated SQL Instance STIGs * updated sqlserver composite and removed tabs * updated sqlserver composite. * removed tabs * Updated JRE rule V-66941.a to be a org setting (#543) * updated JRE rule V-66941.a to be a org settings * updated name of processed STIG * update changelog * added space to TS build issue. * Need a test to verify the conversionstatus="fail" does not exist in processed STIGs (#550) * updated Win2016DC failed converts and added tests * removed V-73517 from MS-1.9 as the rule no longer exist. * Update PowerSTIG to parse and apply OfficeSystem 2013 STIG V1R9 / 2016 V1R1 (#553) * added Office-System2013 STIG support. * reconverted xccdfs, corrected issues in some processed stigs. 
* added OfficeSystem 2016 V1R1 STIG * updated changelog.md * stevehose#443 and #528 check list bug fixes (#529) * Update to fix checklist bugs * Fixed bug in checklist parameter ManualCheckFile * Updated Checklist Pester tests * Updates based upon PR comments * Updated changelog.md * Add test to assert dependent module versions (#555) * Added helper function And test to verify module versions * Added tests to assert dependant module versions. * Removed commented code * Removed whitespace * Update PowerSTIG to parse and apply Windows Server 2019 V1R2 STIG (#557) * added support for 2019 MS modified hardcoded parser rule ids to support 2019 MS * added support for 2019 DC STIG; parser update to address failed AD permission rules (ActiveDirectoryAuditRule) which isn't currently implemented * Added ProcessMitigation to WindowsServer composite * regenerated all xccdfs, 6 were corrected/modified * updated changelog.md * appveyor build issue - space insert * prep for 4.2.0 release, update changelog, filehash markdowns and module manifest Co-authored-by: Eric Jenkins <erjenkin@microsoft.com> Co-authored-by: Steve Hose <33662177+stevehose@users.noreply.github.com> Co-authored-by: Jason Walker <walkerjason@live.com>
* Updated based on issue (#523) * Feature request: additional support for servicerule properties #514 (#525) * Added property based on community request * updated issue version * Updated win10 system drive path in convert module (#526) * Updates for Issues #259 and #527 * added support for 2012R2 MS/DC 2.17/2.18 (#532) * added support for 2012R2 MS/DC 2.17/2.18 * added new line on the xccdf * removed tab from processed xml. * updated to successfully parse Win10 V1R19 (#534) * added support for FireFox 4.27 (#541) * added support for IE 1.18 (#539) * added support for .net 4.0 V1R9 (#536) * Update PowerSTIG to parse the IIS 8.5 1.9 Site and Server STIGs (#537) * Initial Convert and update IIS 8.5 1.9 * remove n-2 STIGs * removed quotes * added newline to raw xccdf * updated based on PR feedback * Version update * MInor updates * Update PowerSTIG to successfully parse Microsoft SQL Server 2016 Instance STIG - Ver 1, Rel 7 (#544) * fixed and updated SQL Instance STIGs * updated sqlserver composite and removed tabs * updated sqlserver composite. * removed tabs * Code changes to correct issues * Updated JRE rule V-66941.a to be a org setting (#543) * updated JRE rule V-66941.a to be a org settings * updated name of processed STIG * update changelog * added space to TS build issue. * Updates to add functionality and address bugs * Need a test to verify the conversionstatus="fail" does not exist in processed STIGs (#550) * updated Win2016DC failed converts and added tests * removed V-73517 from MS-1.9 as the rule no longer exist. * Update PowerSTIG to parse and apply OfficeSystem 2013 STIG V1R9 / 2016 V1R1 (#553) * added Office-System2013 STIG support. * reconverted xccdfs, corrected issues in some processed stigs. * added OfficeSystem 2016 V1R1 STIG * updated changelog.md * Update: duplicate rules for checklist & bug fixes * Updates to fix DSC results bugs * Fixed error in New-StigChecklist * Minor update to support debugging * Final commit prior to PR. 
Updated changelog. * stevehose#443 and #528 check list bug fixes (#529) * Update to fix checklist bugs * Fixed bug in checklist parameter ManualCheckFile * Updated Checklist Pester tests * Updates based upon PR comments * Updated changelog.md * Add test to assert dependent module versions (#555) * Added helper function And test to verify module versions * Added tests to assert dependant module versions. * Removed commented code * Removed whitespace * Update PowerSTIG to parse and apply Windows Server 2019 V1R2 STIG (#557) * added support for 2019 MS modified hardcoded parser rule ids to support 2019 MS * added support for 2019 DC STIG; parser update to address failed AD permission rules (ActiveDirectoryAuditRule) which isn't currently implemented * Added ProcessMitigation to WindowsServer composite * regenerated all xccdfs, 6 were corrected/modified * updated changelog.md * appveyor build issue - space insert * Updates to fix build bugs * Updated to fix bugs in build * Fix to missing reference * Build error fix - missing newline * prep for 4.2.0 release, update changelog, filehash markdowns and module manifest * Fix for build missing functions reference * Relocated file to be picked up during runtime * Minor update to remove test code * Updated for build errors * Updated processed SQL Server 1.3 files * Updates for PR * Updates for PR * Updated for PR * Updates for PR * Moving changes for SQL to another branch * Update for PR Co-authored-by: Eric Jenkins <erjenkin@microsoft.com> Co-authored-by: Brian Wilhite <bcwilhite@live.com> Co-authored-by: Jason Walker <walkerjason@live.com>
Pull Request (PR) description:
Adding Updated IIS Site and Server STIGS V1R9
This Pull Request (PR) fixes the following issues:
This fixes #530
Task list: