From f70c15efe3c81c8d0651c98a4159cf9e8facfac7 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Sun, 19 Oct 2025 11:49:43 +0900 Subject: [PATCH 01/19] feat: add ConfigureAuditSettings function to manage audit log configurations --- WELA.ps1 | 125 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 125 insertions(+) diff --git a/WELA.ps1 b/WELA.ps1 index 1127a00b..47e6bdef 100644 --- a/WELA.ps1 +++ b/WELA.ps1 
@@ -5417,6 +5417,121 @@ function UpdateRules { } } +function ConfigureAuditSettings { + param ( + [string] $Baseline = "YamatoSecurity" + ) + # Requires Administrator privileges + if (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { + Write-Error "This script requires Administrator privileges" + exit 1 + } + + # Set Security and PowerShell-related logs' maximum file size to 1 GB + $oneGB = 1073741824 + wevtutil sl Security /ms:$oneGB + wevtutil sl Microsoft-Windows-PowerShell/Operational /ms:$oneGB + wevtutil sl "Windows PowerShell" /ms:$oneGB + wevtutil sl PowerShellCore/Operational /ms:$oneGB + + # Set all other important logs to 128 MB + $oneTwentyEightMB = 134217728 + $logs = @( + "System", + "Application", + "Microsoft-Windows-Windows Defender/Operational", + "Microsoft-Windows-Bits-Client/Operational", + "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall", + "Microsoft-Windows-NTLM/Operational", + "Microsoft-Windows-Security-Mitigations/KernelMode", + "Microsoft-Windows-Security-Mitigations/UserMode", + "Microsoft-Windows-PrintService/Admin", + "Microsoft-Windows-PrintService/Operational", + "Microsoft-Windows-SmbClient/Security", + "Microsoft-Windows-AppLocker/MSI and Script", + "Microsoft-Windows-AppLocker/EXE and DLL", + "Microsoft-Windows-AppLocker/Packaged app-Deployment", + "Microsoft-Windows-AppLocker/Packaged app-Execution", + "Microsoft-Windows-CodeIntegrity/Operational", + "Microsoft-Windows-Diagnosis-Scripted/Operational", + "Microsoft-Windows-DriverFrameworks-UserMode/Operational", + "Microsoft-Windows-WMI-Activity/Operational", + "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational", + "Microsoft-Windows-TaskScheduler/Operational" + ) + + foreach ($log in $logs) { + wevtutil sl $log /ms:$oneTwentyEightMB + } + + # Enable logs that need to be enabled + wevtutil sl 
Microsoft-Windows-TaskScheduler/Operational /e:true + wevtutil sl Microsoft-Windows-DriverFrameworks-UserMode/Operational /e:true + + # Enable PowerShell Module logging + New-Item -Path "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -Force | Out-Null + Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -Name "EnableModuleLogging" -Value 1 -Type DWord + New-Item -Path "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames" -Force | Out-Null + Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames" -Name "*" -Value "*" -Type String + + # Enable PowerShell Script Block logging + New-Item -Path "HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Force | Out-Null + Set-ItemProperty -Path "HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1 -Type DWord + + # Account Logon + auditpol /set /subcategory:{0CCE923F-69AE-11D9-BED3-505054503030} /success:enable /failure:enable + auditpol /set /subcategory:{0CCE9242-69AE-11D9-BED3-505054503030} /success:enable /failure:enable + auditpol /set /subcategory:{0CCE9240-69AE-11D9-BED3-505054503030} /success:enable /failure:enable + + # Account Management + auditpol /set /subcategory:{0CCE9236-69AE-11D9-BED3-505054503030} /success:enable /failure:enable + auditpol /set /subcategory:{0CCE923A-69AE-11D9-BED3-505054503030} /success:enable /failure:enable + auditpol /set /subcategory:{0CCE9237-69AE-11D9-BED3-505054503030} /success:enable /failure:enable + auditpol /set /subcategory:{0CCE9235-69AE-11D9-BED3-505054503030} /success:enable /failure:enable + + # Detailed Tracking + auditpol /set /subcategory:{0cce9248-69ae-11d9-bed3-505054503030} /success:enable /failure:enable + auditpol /set /subcategory:{0CCE922B-69AE-11D9-BED3-505054503030} 
/success:enable /failure:enable + New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Force | Out-Null + Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 1 -Type DWord + auditpol /set /subcategory:{0CCE922E-69AE-11D9-BED3-505054503030} /success:enable /failure:enable + + # DS Access + auditpol /set /subcategory:{0CCE923B-69AE-11D9-BED3-505054503030} /success:enable /failure:enable + auditpol /set /subcategory:{0CCE923C-69AE-11D9-BED3-505054503030} /success:enable /failure:enable + + # Logon/Logoff + auditpol /set /subcategory:{0CCE9217-69AE-11D9-BED3-505054503030} /success:enable /failure:enable + auditpol /set /subcategory:{0CCE9216-69AE-11D9-BED3-505054503030} /success:enable /failure:enable + auditpol /set /subcategory:{0CCE9215-69AE-11D9-BED3-505054503030} /success:enable /failure:enable + auditpol /set /subcategory:{0CCE921C-69AE-11D9-BED3-505054503030} /success:enable /failure:enable + auditpol /set /subcategory:{0CCE921B-69AE-11D9-BED3-505054503030} /success:enable /failure:enable + + # Object Access + auditpol /set /subcategory:{0CCE9221-69AE-11D9-BED3-505054503030} /success:enable /failure:enable + auditpol /set /subcategory:{0CCE9224-69AE-11D9-BED3-505054503030} /success:enable /failure:enable + auditpol /set /subcategory:{0CCE9226-69AE-11D9-BED3-505054503030} /success:enable /failure:enable + auditpol /set /subcategory:{0CCE9227-69AE-11D9-BED3-505054503030} /success:enable /failure:enable + auditpol /set /subcategory:{0CCE9245-69AE-11D9-BED3-505054503030} /success:enable /failure:enable + auditpol /set /subcategory:{0CCE9220-69AE-11D9-BED3-505054503030} /success:enable /failure:enable + + # Policy Change + auditpol /set /subcategory:{0CCE922F-69AE-11D9-BED3-505054503030} /success:enable /failure:enable + auditpol /set /subcategory:{0CCE9230-69AE-11D9-BED3-505054503030} /success:enable /failure:enable + auditpol /set 
/subcategory:{0CCE9234-69AE-11D9-BED3-505054503030} /success:enable /failure:enable + + # Privilege Use + auditpol /set /subcategory:{0CCE9228-69AE-11D9-BED3-505054503030} /success:enable /failure:enable + + # System + auditpol /set /subcategory:{0CCE9214-69AE-11D9-BED3-505054503030} /success:disable /failure:enable + auditpol /set /subcategory:{0CCE9210-69AE-11D9-BED3-505054503030} /success:enable /failure:enable + auditpol /set /subcategory:{0CCE9211-69AE-11D9-BED3-505054503030} /success:enable /failure:enable + auditpol /set /subcategory:{0CCE9212-69AE-11D9-BED3-505054503030} /success:enable /failure:enable + + Write-Host "Configuration completed successfully" -ForegroundColor Green +} + $logo = @" ┏┓┏┓┏┳━━━┳┓ ┏━━━┓ ┃┃┃┃┃┃┏━━┫┃ ┃┏━┓┃ @@ -5433,6 +5548,7 @@ Usage: ./WELA.ps1 audit-settings -Baseline YamatoSecurity # Audit current setting and show in stdout, save to csv ./WELA.ps1 audit-settings -Baseline ASD -OutType gui # Audit current setting and show in gui, save to csv ./WELA.ps1 audit-filesize -Baseline YamatoSecurity # Audit current file size and show in stdout, save to csv + ./WELA.ps1 configure -Baseline YamatoSecurity # Configure audit settings based on the specified baseline ./WELA.ps1 update-rules # Update rule config files from https://github.com/Yamato-Security/WELA ./WELA.ps1 help # Show this help "@ @@ -5454,6 +5570,15 @@ switch ($Cmd.ToLower()) { AuditFileSize } + "configure" { + $validGuides = @("YamatoSecurity", "ASD", "Microsoft_Client", "Microsoft_Server") + if (-not ($validGuides -contains $Baseline.ToLower())) { + Write-Host "Invalid Guide specified. Valid options are: YamatoSecurity, ASD, Microsoft_Client, Microsoft_Server." + break + } + ConfigureAuditSettings $Baseline + } + "update-rules" { UpdateRules } From 6c9947f599ff9ca25f66dc040cb0c2431399504d Mon Sep 17 00:00:00 2001 
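Review bot: `$Baseline` is declared in the new `param` block but never read, so the function applies the same wevtutil, registry and auditpol changes whatever baseline the caller validated in the `configure` dispatch; either select the log and subcategory tables by `$Baseline` or drop the parameter until the other baselines are implemented, so the CLI does not promise a choice it does not honor. The privilege check also calls `exit 1` from inside a function, which terminates the whole host when the script is dot-sourced; `throw "This script requires Administrator privileges"` (or a `return` after the `Write-Error`) keeps the failure local to the command. The PowerShell policy values are written only under `HKLM:\SOFTWARE\Wow6432Node\Policies\...`, while Group Policy places the same settings under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\...`; confirm on a 64-bit host that Windows PowerShell 5.1 honors the Wow6432Node location, and add a comment stating which location is authoritative. None of the wevtutil or auditpol calls check `$LASTEXITCODE`, so a failed call is silent here.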
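Review bot: `$validGuides -contains $Baseline.ToLower()` works only because `-contains` is case-insensitive, which makes the `.ToLower()` misleading — `$validGuides -contains $Baseline` says the same thing, and declaring `[ValidateSet("YamatoSecurity","ASD","Microsoft_Client","Microsoft_Server")]` on the script's `$Baseline` parameter would let PowerShell reject bad values before the `switch` is reached. The error text says "Invalid Guide" while the option is named `-Baseline`; align the wording. The enclosing `switch` starts before this hunk.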
From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Sun, 19 Oct 2025 14:04:17 +0900 Subject: [PATCH 02/19] feat: enhance WELA.ps1 to configure event logs and audit policies with improved error handling --- WELA.ps1 | 197 ++++++++++++++++++++++++++++++++++++------------------- 1 file changed, 129 insertions(+), 68 deletions(-) diff --git a/WELA.ps1 b/WELA.ps1 index 47e6bdef..72400724 100644 --- a/WELA.ps1 +++ b/WELA.ps1 @@ -5421,22 +5421,38 @@ function ConfigureAuditSettings { param ( [string] $Baseline = "YamatoSecurity" ) - # Requires Administrator privileges + + # 管理者権限の確認 if (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { Write-Error "This script requires Administrator privileges" exit 1 } - # Set Security and PowerShell-related logs' maximum file size to 1 GB + # ログサイズ定数 $oneGB = 1073741824 - wevtutil sl Security /ms:$oneGB - wevtutil sl Microsoft-Windows-PowerShell/Operational /ms:$oneGB - wevtutil sl "Windows PowerShell" /ms:$oneGB - wevtutil sl PowerShellCore/Operational /ms:$oneGB - - # Set all other important logs to 128 MB $oneTwentyEightMB = 134217728 - $logs = @( + + # セキュリティおよびPowerShellログを1GBに設定 + Write-Host "Configuring Event Logs..." + Write-Host "" + $largeLogs = @( + "Security", + "Microsoft-Windows-PowerShell/Operational", + "Windows PowerShell" + ) + + foreach ($log in $largeLogs) { + try { + wevtutil sl $log /ms:$oneGB 2>&1 | Out-Null + Write-Host " [OK] $log : 1 GB" + } + catch { + Write-Host " [ERROR] $log : $_" -ForegroundColor Red + } + } + + # その他の重要なログを128MBに設定 + $mediumLogs = @( "System", "Application", "Microsoft-Windows-Windows Defender/Operational", 
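Review bot: The new `try`/`catch` around `wevtutil sl $log /ms:$oneGB 2>&1 | Out-Null` cannot catch a failed wevtutil call: a native command's non-zero exit is not a terminating error in Windows PowerShell 5.1, and the redirect discards its stderr, so the loop prints `[OK]` for a log that was never resized. Test `$LASTEXITCODE` after the call inside the try so the existing catch reports it, e.g. `wevtutil sl $log /ms:$oneGB 2>&1 | Out-Null; if ($LASTEXITCODE -ne 0) { throw "wevtutil exited with $LASTEXITCODE" }`; the same pattern is in the 128 MB loop and the enable loop of the next hunk. The removed `PowerShellCore/Operational` line is not carried into `$largeLogs`, so PowerShell 7's log is no longer resized; if that is intentional because the log is absent without PowerShell 7, a comment saying so would help. The comments switched to Japanese while the old comments and all user-facing messages are English; keep comments in one language.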
@@ -5460,76 +5476,121 @@ function ConfigureAuditSettings { "Microsoft-Windows-TaskScheduler/Operational" ) - foreach ($log in $logs) { - wevtutil sl $log /ms:$oneTwentyEightMB + foreach ($log in $mediumLogs) { + try { + wevtutil sl $log /ms:$oneTwentyEightMB 2>&1 | Out-Null + Write-Host " [OK] $log : 128 MB" + } + catch { + Write-Host " [ERROR] $log : $_" -ForegroundColor Red + } } - # Enable logs that need to be enabled - wevtutil sl Microsoft-Windows-TaskScheduler/Operational /e:true - wevtutil sl Microsoft-Windows-DriverFrameworks-UserMode/Operational /e:true + # 特定のログの有効化 + Write-Host "Enabling Event Logs..." + foreach ($log in @("Microsoft-Windows-TaskScheduler/Operational", "Microsoft-Windows-DriverFrameworks-UserMode/Operational")) { + try { + wevtutil sl $log /e:true 2>&1 | Out-Null + Write-Host " [OK] Enabled: $log" + } + catch { + Write-Host " [ERROR] Failed to enable $log : $_" -ForegroundColor Red + } + } - # Enable PowerShell Module logging - New-Item -Path "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -Force | Out-Null - Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -Name "EnableModuleLogging" -Value 1 -Type DWord - New-Item -Path "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames" -Force | Out-Null - Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames" -Name "*" -Value "*" -Type String + # PowerShell ロギングの設定 + Write-Host "Configuring PowerShell Logging..." 
+ $regPaths = @( + @{Path = "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging"; Name = "EnableModuleLogging"; Value = 1}, + @{Path = "HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"; Name = "EnableScriptBlockLogging"; Value = 1} + ) - # Enable PowerShell Script Block logging - New-Item -Path "HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Force | Out-Null - Set-ItemProperty -Path "HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1 -Type DWord + foreach ($reg in $regPaths) { + try { + New-Item -Path $reg.Path -Force | Out-Null + Set-ItemProperty -Path $reg.Path -Name $reg.Name -Value $reg.Value -Type DWord + Write-Host " [OK] Set $($reg.Name)" + } + catch { + Write-Host " [ERROR] Failed to set registry: $_" -ForegroundColor Red + } + } - # Account Logon - auditpol /set /subcategory:{0CCE923F-69AE-11D9-BED3-505054503030} /success:enable /failure:enable - auditpol /set /subcategory:{0CCE9242-69AE-11D9-BED3-505054503030} /success:enable /failure:enable - auditpol /set /subcategory:{0CCE9240-69AE-11D9-BED3-505054503030} /success:enable /failure:enable + # モジュール名レジストリの設定 + try { + $moduleLoggingPath = "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames" + New-Item -Path $moduleLoggingPath -Force | Out-Null + Set-ItemProperty -Path $moduleLoggingPath -Name "*" -Value "*" -Type String + Write-Host " [OK] Module logging enabled for all modules" + } + catch { + Write-Host " [ERROR] Failed to configure module names: $_" -ForegroundColor Red + } - # Account Management - auditpol /set /subcategory:{0CCE9236-69AE-11D9-BED3-505054503030} /success:enable /failure:enable - auditpol /set /subcategory:{0CCE923A-69AE-11D9-BED3-505054503030} /success:enable /failure:enable - auditpol /set /subcategory:{0CCE9237-69AE-11D9-BED3-505054503030} /success:enable 
/failure:enable - auditpol /set /subcategory:{0CCE9235-69AE-11D9-BED3-505054503030} /success:enable /failure:enable + # コマンドライン監査の有効化 + Write-Host "Enabling Command Line Auditing..." + $regPath = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" + $arguments = "add $regPath /v ProcessCreationIncludeCmdLine_Enabled /f /t REG_DWORD /d 1" + $process = Start-Process -FilePath "reg.exe" -ArgumentList $arguments -Wait -PassThru -NoNewWindow -RedirectStandardOutput "NUL" - # Detailed Tracking - auditpol /set /subcategory:{0cce9248-69ae-11d9-bed3-505054503030} /success:enable /failure:enable - auditpol /set /subcategory:{0CCE922B-69AE-11D9-BED3-505054503030} /success:enable /failure:enable - New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Force | Out-Null - Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 1 -Type DWord - auditpol /set /subcategory:{0CCE922E-69AE-11D9-BED3-505054503030} /success:enable /failure:enable + if ($process.ExitCode -eq 0) { + Write-Host " [OK] Command line auditing enabled" + } + else { + Write-Host " [ERROR] Command line auditing failed (ExitCode: $($process.ExitCode))" -ForegroundColor Red + } - # DS Access - auditpol /set /subcategory:{0CCE923B-69AE-11D9-BED3-505054503030} /success:enable /failure:enable - auditpol /set /subcategory:{0CCE923C-69AE-11D9-BED3-505054503030} /success:enable /failure:enable + # 監査ポリシーの設定 + Write-Host "Configuring Audit Policies..." 
+ $auditPolicies = @( + @{Category = "Account Logon"; Name = "Credential Validation"; GUID = "{0CCE923F-69AE-11D9-BED3-505054503030}"}, + @{Category = "Account Logon"; Name = "Kerberos Authentication Service"; GUID = "{0CCE9242-69AE-11D9-BED3-505054503030}"}, + @{Category = "Account Logon"; Name = "Kerberos Service Ticket Operations"; GUID = "{0CCE9240-69AE-11D9-BED3-505054503030}"}, + @{Category = "Account Management"; Name = "Computer Account Management"; GUID = "{0CCE9236-69AE-11D9-BED3-505054503030}"}, + @{Category = "Account Management"; Name = "Other Account Management Events"; GUID = "{0CCE923A-69AE-11D9-BED3-505054503030}"}, + @{Category = "Account Management"; Name = "Security Group Management"; GUID = "{0CCE9237-69AE-11D9-BED3-505054503030}"}, + @{Category = "Account Management"; Name = "User Account Management"; GUID = "{0CCE9235-69AE-11D9-BED3-505054503030}"}, + @{Category = "Detailed Tracking"; Name = "Plug and Play"; GUID = "{0cce9248-69ae-11d9-bed3-505054503030}"}, + @{Category = "Detailed Tracking"; Name = "Process Creation"; GUID = "{0CCE922B-69AE-11D9-BED3-505054503030}"}, + @{Category = "Detailed Tracking"; Name = "RPC Events"; GUID = "{0CCE922E-69AE-11D9-BED3-505054503030}"}, + @{Category = "DS Access"; Name = "Directory Service Access"; GUID = "{0CCE923B-69AE-11D9-BED3-505054503030}"}, + @{Category = "DS Access"; Name = "Directory Service Changes"; GUID = "{0CCE923C-69AE-11D9-BED3-505054503030}"}, + @{Category = "Logon/Logoff"; Name = "Account Lockout"; GUID = "{0CCE9217-69AE-11D9-BED3-505054503030}"}, + @{Category = "Logon/Logoff"; Name = "Logoff"; GUID = "{0CCE9216-69AE-11D9-BED3-505054503030}"}, + @{Category = "Logon/Logoff"; Name = "Logon"; GUID = "{0CCE9215-69AE-11D9-BED3-505054503030}"}, + @{Category = "Logon/Logoff"; Name = "Other Logon/Logoff Events"; GUID = "{0CCE921C-69AE-11D9-BED3-505054503030}"}, + @{Category = "Logon/Logoff"; Name = "Special Logon"; GUID = "{0CCE921B-69AE-11D9-BED3-505054503030}"}, + @{Category = "Object Access"; 
Name = "Certification Services"; GUID = "{0CCE9221-69AE-11D9-BED3-505054503030}"}, + @{Category = "Object Access"; Name = "File Share"; GUID = "{0CCE9224-69AE-11D9-BED3-505054503030}"}, + @{Category = "Object Access"; Name = "Filtering Platform Connection"; GUID = "{0CCE9226-69AE-11D9-BED3-505054503030}"}, + @{Category = "Object Access"; Name = "Other Object Access Events"; GUID = "{0CCE9227-69AE-11D9-BED3-505054503030}"}, + @{Category = "Object Access"; Name = "Removable Storage"; GUID = "{0CCE9245-69AE-11D9-BED3-505054503030}"}, + @{Category = "Object Access"; Name = "SAM"; GUID = "{0CCE9220-69AE-11D9-BED3-505054503030}"}, + @{Category = "Policy Change"; Name = "Audit Policy Change"; GUID = "{0CCE922F-69AE-11D9-BED3-505054503030}"}, + @{Category = "Policy Change"; Name = "Authentication Policy Change"; GUID = "{0CCE9230-69AE-11D9-BED3-505054503030}"}, + @{Category = "Policy Change"; Name = "Other Policy Change Events"; GUID = "{0CCE9234-69AE-11D9-BED3-505054503030}"}, + @{Category = "Privilege Use"; Name = "Sensitive Privilege Use"; GUID = "{0CCE9228-69AE-11D9-BED3-505054503030}"}, + @{Category = "System"; Name = "Security State Change"; GUID = "{0CCE9210-69AE-11D9-BED3-505054503030}"; Success = "enable"}, + @{Category = "System"; Name = "Security System Extension"; GUID = "{0CCE9211-69AE-11D9-BED3-505054503030}"; Success = "enable"}, + @{Category = "System"; Name = "System Integrity"; GUID = "{0CCE9212-69AE-11D9-BED3-505054503030}"; Success = "enable"}, + @{Category = "System"; Name = "Other System Events"; GUID = "{0CCE9214-69AE-11D9-BED3-505054503030}"; Success = "disable"} + ) - # Logon/Logoff - auditpol /set /subcategory:{0CCE9217-69AE-11D9-BED3-505054503030} /success:enable /failure:enable - auditpol /set /subcategory:{0CCE9216-69AE-11D9-BED3-505054503030} /success:enable /failure:enable - auditpol /set /subcategory:{0CCE9215-69AE-11D9-BED3-505054503030} /success:enable /failure:enable - auditpol /set /subcategory:{0CCE921C-69AE-11D9-BED3-505054503030} 
/success:enable /failure:enable - auditpol /set /subcategory:{0CCE921B-69AE-11D9-BED3-505054503030} /success:enable /failure:enable + foreach ($policy in $auditPolicies) { + $successFlag = if ($policy.Success) { $policy.Success } else { "enable" } + $arguments = "/set /subcategory:$($policy.GUID) /success:$successFlag /failure:enable" + $process = Start-Process -FilePath "auditpol.exe" -ArgumentList $arguments -Wait -PassThru -NoNewWindow -RedirectStandardOutput "NUL" - # Object Access - auditpol /set /subcategory:{0CCE9221-69AE-11D9-BED3-505054503030} /success:enable /failure:enable - auditpol /set /subcategory:{0CCE9224-69AE-11D9-BED3-505054503030} /success:enable /failure:enable - auditpol /set /subcategory:{0CCE9226-69AE-11D9-BED3-505054503030} /success:enable /failure:enable - auditpol /set /subcategory:{0CCE9227-69AE-11D9-BED3-505054503030} /success:enable /failure:enable - auditpol /set /subcategory:{0CCE9245-69AE-11D9-BED3-505054503030} /success:enable /failure:enable - auditpol /set /subcategory:{0CCE9220-69AE-11D9-BED3-505054503030} /success:enable /failure:enable + if ($process.ExitCode -eq 0) { + Write-Host " [OK] $($policy.Category) - $($policy.Name)" + } + else { + Write-Host " [ERROR] $($policy.Category) - $($policy.Name) (ExitCode: $($process.ExitCode))" -ForegroundColor Red + } + } - # Policy Change - auditpol /set /subcategory:{0CCE922F-69AE-11D9-BED3-505054503030} /success:enable /failure:enable - auditpol /set /subcategory:{0CCE9230-69AE-11D9-BED3-505054503030} /success:enable /failure:enable - auditpol /set /subcategory:{0CCE9234-69AE-11D9-BED3-505054503030} /success:enable /failure:enable - - # Privilege Use - auditpol /set /subcategory:{0CCE9228-69AE-11D9-BED3-505054503030} /success:enable /failure:enable - - # System - auditpol /set /subcategory:{0CCE9214-69AE-11D9-BED3-505054503030} /success:disable /failure:enable - auditpol /set /subcategory:{0CCE9210-69AE-11D9-BED3-505054503030} /success:enable /failure:enable - auditpol /set 
/subcategory:{0CCE9211-69AE-11D9-BED3-505054503030} /success:enable /failure:enable - auditpol /set /subcategory:{0CCE9212-69AE-11D9-BED3-505054503030} /success:enable /failure:enable - - Write-Host "Configuration completed successfully" -ForegroundColor Green + Write-Host "" + Write-Host "Configuration completed successfully" } $logo = @" From ba3f13dbd25a865ee8cc1362d6bd9ddb19b3d3c4 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Sun, 19 Oct 2025 14:15:28 +0900 Subject: [PATCH 03/19] feat: add configure command execution to check-audit.yml for PowerShell 5.1 --- .github/workflows/check-audit.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/check-audit.yml b/.github/workflows/check-audit.yml index 56ae008e..5c2a6b0e 100644 --- a/.github/workflows/check-audit.yml +++ b/.github/workflows/check-audit.yml @@ -43,6 +43,11 @@ jobs: $PSVersionTable.PSVersion shell: powershell + - name: Run congigure command(PowerShell 5.1) + run: | + ./WELA.ps1 configure + shell: powershell + - name: Run WELA.ps1 audit-settings(PowerShell 5.1) run: | ./WELA.ps1 audit-settings @@ -61,4 +66,4 @@ jobs: - name: Output UnUsableRules.csv(PowerShell 5.1) run: | Get-Content UnusableRules.csv - shell: powershell \ No newline at end of file + shell: powershell From fbfc5d608bc6016852ae03fafdbcd85a22809fff Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Sun, 19 Oct 2025 14:17:54 +0900 Subject: [PATCH 04/19] fix: correct typo in check-audit.yml for configure command execution --- .github/workflows/check-audit.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/check-audit.yml b/.github/workflows/check-audit.yml index 5c2a6b0e..996ff361 100644 --- a/.github/workflows/check-audit.yml +++ b/.github/workflows/check-audit.yml 
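Review bot: `Write-Host "Configuration completed successfully"` at the end of the hunk is printed unconditionally, so a run in which any `[ERROR]` line was emitted still ends with a success message and a zero exit status; count failures (e.g. `$failed++` in each catch/else branch) and finish with a distinct message and a `throw` when `$failed -gt 0`, which is what callers such as the CI step need. The command-line auditing block now shells out to `reg.exe` via `Start-Process`, while the PowerShell logging keys two blocks above use `New-Item`/`Set-ItemProperty`; both write to HKLM under the same privileges, so one mechanism should be used for all registry writes (the cmdlet form also gives a catchable error instead of an exit code). `Start-Process -RedirectStandardOutput "NUL"` appears to rely on the reserved device name being accepted as a file path; invoking `reg.exe` and `auditpol.exe` directly and checking `$LASTEXITCODE` avoids both the extra process handling and that dependency.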
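Review bot: The new step name reads `Run congigure command(PowerShell 5.1)`; it should be `Run configure command (PowerShell 5.1)`. More importantly, the step only runs `./WELA.ps1 configure` and has no way to fail: the function reports problems as `[ERROR]` lines on the host and still returns normally, so the job stays green even if every wevtutil or auditpol call fails. Until the script propagates failures, have the step assert an effect, for example `auditpol /get /subcategory:"Process Creation"` piped to `Select-String` with a `throw` when the expected setting is missing, or at least follow it with a check of the audit CSV produced by the next step.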
@@ -43,7 +43,7 @@ jobs: $PSVersionTable.PSVersion shell: powershell - - name: Run congigure command(PowerShell 5.1) + - name: Run congiure command(PowerShell 5.1) run: | ./WELA.ps1 configure shell: powershell From 3718495b72222af209e31a937eb02ba3452dab45 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Sun, 19 Oct 2025 17:09:35 +0900 Subject: [PATCH 05/19] feat: enhance audit-settings gui --- WELA.ps1 | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/WELA.ps1 b/WELA.ps1 index 72400724..832daba6 100644 --- a/WELA.ps1 +++ b/WELA.ps1 
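Review bot: The corrected step name still misspells the command — `congigure` became `congiure`, not `configure`; the line should read `- name: Run configure command (PowerShell 5.1)`. Since the commit message says the typo is fixed, a follow-up that actually fixes it is needed, and matching the name to the `./WELA.ps1 configure` invocation lets a search for the command find the step.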
@@ -5175,13 +5175,21 @@ function AuditLogSetting { Write-Output "Audit check result saved to: WELA-Audit-Result.csv" } elseif ($outType -eq "gui") { $auditResult | Select-Object -Property Category, SubCategory, RuleCount, RuleCountByLevel, DefaultSetting, CurrentSetting, RecommendedSetting, Volume, Note | Out-GridView -Title "WELA Audit Result" + Write-Output "Audit check result saved to: WELA-Audit-Result.csv" } elseif ($outType -eq "table") { $auditResult | Select-Object -Property Category, SubCategory, RuleCount, DefaultSetting, CurrentSetting, RecommendedSetting, Volume | Format-Table } + $usableRules = $auditResult | Select-Object -ExpandProperty Rules | Where-Object { $_.applicable -eq $true } $unUsableRules = $auditResult | Select-Object -ExpandProperty Rules | Where-Object { $_.applicable -eq $false } $usableRules | Select-Object title, level, service, category, description, id | Export-Csv -Path "UsableRules.csv" -NoTypeInformation $unusableRules | Select-Object title, level, service, category, description, id | Export-Csv -Path "UnusableRules.csv" -NoTypeInformation + + if ($outType -eq "gui") { + $usableRules | Select-Object title, level, service, category, description, id | Out-GridView -Title "Usable Detection Rules" + $unUsableRules | Select-Object title, level, service, category, description, id | Out-GridView -Title "Unusable Detection Rules" + } + Write-Output "Usable detection rules list saved to: UsableRules.csv" Write-Output "Unusable detection rules list saved to: UnusableRules.csv" 
@@ -5191,7 +5199,6 @@ function AuditLogSetting { Export-MitreHeatmap -sigmaRules $sigma_rules -OutputPath "mitre-ttp-navigator-ideal.json" -UseIdealCount $true Write-Output "MITRE ATT&CK Navigator data(based on ideal settings) saved to: mitre-ttp-navigator-ideal.json" - $totalRulesCount = $auditResult | Select-Object -ExpandProperty Rules | Measure-Object | Select-Object -ExpandProperty Count $usableRulesCount = $usableRules | Measure-Object | Select-Object -ExpandProperty Count $utilizationPercentage = "{0:N2}" -f (($usableRulesCount / $totalRulesCount) * 100) @@ -5499,6 +5506,7 @@ function ConfigureAuditSettings { } # PowerShell ロギングの設定 + Write-Host "" Write-Host "Configuring PowerShell Logging..." $regPaths = @( @{Path = "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging"; Name = "EnableModuleLogging"; Value = 1}, @@ -5528,6 +5536,7 @@ function ConfigureAuditSettings { } # コマンドライン監査の有効化 + Write-Host "" Write-Host "Enabling Command Line Auditing..." $regPath = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" $arguments = "add $regPath /v ProcessCreationIncludeCmdLine_Enabled /f /t REG_DWORD /d 1" @@ -5541,6 +5550,7 @@ function ConfigureAuditSettings { } # 監査ポリシーの設定 + Write-Host "" Write-Host "Configuring Audit Policies..." $auditPolicies = @( @{Category = "Account Logon"; Name = "Credential Validation"; GUID = "{0CCE923F-69AE-11D9-BED3-505054503030}"}, @@ -5590,7 +5600,7 @@ function ConfigureAuditSettings { } Write-Host "" - Write-Host "Configuration completed successfully" + Write-Host "Configuration completed successfully" -ForegroundColor Green } $logo = @" From f1be0ad4e13a92ee4d83be2a1d350bf363e52b38 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Sun, 19 Oct 2025 17:27:15 +0900 Subject: [PATCH 06/19] feat: update WELA.ps1 to display audit results in GUI format --- WELA.ps1 | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
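Review bot: The added `Write-Output "Audit check result saved to: WELA-Audit-Result.csv"` in the `gui` branch is not preceded by an `Export-Csv` of `$auditResult` — in this hunk the gui branch only calls `Out-GridView`, and the export visible as context belongs to the preceding branch, whose condition starts before the hunk — so the message reports a file this branch did not write. Either move the `Export-Csv -Path "WELA-Audit-Result.csv" -NoTypeInformation` out of the branch chain so every output type writes it, or drop the message from the gui path. Patch 06 later relocates the same message into the `if ($outType -eq "gui")` block below the rule exports without adding the export, so the mismatch survives there too. The new `if ($outType -eq "gui")` block opens two further `Out-GridView` windows; without `-Wait` those calls return immediately, which is fine but worth a one-line comment so nobody expects the script to pause there.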
diff --git a/WELA.ps1 b/WELA.ps1 index 832daba6..6012b72f 100644 --- a/WELA.ps1 +++ b/WELA.ps1 @@ -5173,9 +5173,6 @@ function AuditLogSetting { } $auditResult | Select-Object -Property Category, SubCategory, RuleCount, RuleCountByLevel, DefaultSetting, CurrentSetting, RecommendedSetting, Volume, Note | Export-Csv -Path "WELA-Audit-Result.csv" -NoTypeInformation Write-Output "Audit check result saved to: WELA-Audit-Result.csv" - } elseif ($outType -eq "gui") { - $auditResult | Select-Object -Property Category, SubCategory, RuleCount, RuleCountByLevel, DefaultSetting, CurrentSetting, RecommendedSetting, Volume, Note | Out-GridView -Title "WELA Audit Result" - Write-Output "Audit check result saved to: WELA-Audit-Result.csv" } elseif ($outType -eq "table") { $auditResult | Select-Object -Property Category, SubCategory, RuleCount, DefaultSetting, CurrentSetting, RecommendedSetting, Volume | Format-Table } @@ -5188,6 +5185,8 @@ function AuditLogSetting { if ($outType -eq "gui") { $usableRules | Select-Object title, level, service, category, description, id | Out-GridView -Title "Usable Detection Rules" $unUsableRules | Select-Object title, level, service, category, description, id | Out-GridView -Title "Unusable Detection Rules" + $auditResult | Select-Object -Property Category, SubCategory, RuleCount, RuleCountByLevel, DefaultSetting, CurrentSetting, RecommendedSetting, Volume, Note | Out-GridView -Title "WELA Audit Result" + Write-Output "Audit check result saved to: WELA-Audit-Result.csv" } Write-Output "Usable detection rules list saved to: UsableRules.csv" From 09363063d3c6022906115302a0bea096df41ce9b Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Tue, 21 Oct 2025 23:18:49 +0900 Subject: [PATCH 07/19] feat: add auto-configuration option to ConfigureAuditSettings in WELA.ps1 --- WELA.ps1 | 245 ++++++++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 207 insertions(+), 38 deletions(-) 
diff --git a/WELA.ps1 b/WELA.ps1 index 6012b72f..21eb9e98 100644 --- a/WELA.ps1 +++ b/WELA.ps1 @@ -5425,7 +5425,8 @@ function UpdateRules { function ConfigureAuditSettings { param ( - [string] $Baseline = "YamatoSecurity" + [string] $Baseline = "YamatoSecurity", + [switch]$Auto ) # 管理者権限の確認 @@ -5449,12 +5450,31 @@ function ConfigureAuditSettings { foreach ($log in $largeLogs) { try { - wevtutil sl $log /ms:$oneGB 2>&1 | Out-Null - Write-Host " [OK] $log : 1 GB" + $logInfo = Get-WinEvent -ListLog $log -ErrorAction Stop + $currentSize = [math]::Floor($logInfo.MaximumSizeInBytes / 1MB) + $newSize = 1024 + Write-Host "Log: $log" + if ($currentSize -ge $newSize) { + Write-Host "[SKIPPED] $log : Current size ($currentSize MB) is already greater than or equal to $newSize MB." -ForegroundColor Yellow + Write-Host "" + continue + } + if ($Auto) { + $response = "Y" + } else { + $response = Read-Host "Your current setting is $currentSize MB. Do you want to change it to 1024 MB? (Y/n)" + } + if ($response -eq "" -or $response -eq "Y" -or $response -eq "y") { + wevtutil sl $log /ms:$oneGB 2>&1 | Out-Null + Write-Host "[OK] $log : 1 GB" -ForegroundColor Green + } else { + Write-Host "[SKIPPED] $log" -ForegroundColor Yellow + } } catch { - Write-Host " [ERROR] $log : $_" -ForegroundColor Red + Write-Host "[ERROR] $log : $_" -ForegroundColor Red } + Write-Host "" } # その他の重要なログを128MBに設定 
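Review bot: The new `[switch]$Auto` parameter has no visible caller: the `configure` case added in the first patch invokes `ConfigureAuditSettings $Baseline` only, and the workflow step runs `./WELA.ps1 configure` without any switch, so unless a hunk outside this view passes it through, the CI run will hit the `Read-Host` prompts added in the next hunk. Thread it through as `ConfigureAuditSettings -Baseline $Baseline -Auto:$Auto` with a matching script-level `[switch]$Auto`, and use `-Auto` in the workflow. A comment-based help entry for the parameter, e.g. `# -Auto: apply every change without prompting; intended for unattended runs`, would also help since the usage text added in the first patch does not mention it.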
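Review bot: `$newSize = 1024` in the resize loop is a second copy of the 1 GB target already held in `$oneGB`, and the prompt text hard-codes `1024 MB` a third time; derive it once, `$newSize = $oneGB / 1MB`, and interpolate `$newSize` in the prompt so the values cannot drift (the 128 MB loop in the next hunk repeats the pattern with `$newSize = 128`). The answer check `$response -eq "" -or $response -eq "Y" -or $response -eq "y"` treats an empty line as consent, which matches the `(Y/n)` prompt, but `-eq` on strings is already case-insensitive in PowerShell so `$response -eq "Y"` alone covers `y`; a one-line comment that Enter means yes would make the default explicit. The loop body is now long enough that a helper such as `Confirm-Change`, taking the current value, the target and the `$Auto` flag, would remove the near-duplicate prompt code from all three loops.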
@@ -5484,29 +5504,68 @@ function ConfigureAuditSettings { foreach ($log in $mediumLogs) { try { - wevtutil sl $log /ms:$oneTwentyEightMB 2>&1 | Out-Null - Write-Host " [OK] $log : 128 MB" + $logInfo = Get-WinEvent -ListLog $log -ErrorAction Stop + $currentSize = [math]::Floor($logInfo.MaximumSizeInBytes / 1MB) + $newSize = 128 + Write-Host "Log: $log" + if ($currentSize -ge $newSize) { + Write-Host "[SKIPPED] $log : Current size ($currentSize MB) is already greater than or equal to $newSize MB." -ForegroundColor Yellow + Write-Host "" + continue + } + if ($Auto) { + $response = "Y" + } else { + $response = Read-Host "Your current setting is $currentSize MB. Do you want to change it to 128 MB? (Y/n)" + } + if ($response -eq "" -or $response -eq "Y" -or $response -eq "y") { + wevtutil sl $log /ms:$oneTwentyEightMB 2>&1 | Out-Null + Write-Host "[OK] $log : 128 MB" -ForegroundColor Green + } else { + Write-Host "[SKIPPED] $log" -ForegroundColor Yellow + } } catch { - Write-Host " [ERROR] $log : $_" -ForegroundColor Red + Write-Host "[ERROR] $log : $_" -ForegroundColor Red } + Write-Host "" } # 特定のログの有効化 Write-Host "Enabling Event Logs..." + Write-Host "" foreach ($log in @("Microsoft-Windows-TaskScheduler/Operational", "Microsoft-Windows-DriverFrameworks-UserMode/Operational")) { try { - wevtutil sl $log /e:true 2>&1 | Out-Null - Write-Host " [OK] Enabled: $log" + $logInfo = Get-WinEvent -ListLog $log -ErrorAction Stop + $currentState = if ($logInfo.IsEnabled) { "Enabled" } else { "Disabled" } + $newState = "Enabled" + Write-Host "Log: $log" + if ($currentState -eq $newState) { + Write-Host "[SKIPPED] $log : Already Enabled." -ForegroundColor Yellow + Write-Host "" + continue + } + if ($Auto) { + $response = "Y" + } else { + $response = Read-Host "Your current setting is $currentState. Do you want to change it to Enabled? 
(Y/n)" + } + if ($response -eq "" -or $response -eq "Y" -or $response -eq "y") { + wevtutil sl $log /e:true 2>&1 | Out-Null + Write-Host "[OK] Enabled: $log" -ForegroundColor Green + } else { + Write-Host "[SKIPPED] $log" -ForegroundColor Yellow + } } catch { - Write-Host " [ERROR] Failed to enable $log : $_" -ForegroundColor Red + Write-Host "[ERROR] Failed to enable $log : $_" -ForegroundColor Red } + Write-Host "" } # PowerShell ロギングの設定 - Write-Host "" Write-Host "Configuring PowerShell Logging..." + Write-Host "" $regPaths = @( @{Path = "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging"; Name = "EnableModuleLogging"; Value = 1}, @{Path = "HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"; Name = "EnableScriptBlockLogging"; Value = 1} 
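Review bot: The prompt-and-confirm sequence (`if ($Auto) { $response = "Y" } else { $response = Read-Host ... }` followed by the three-way `-eq` test) is now copied verbatim into the 1 GB loop, the 128 MB loop and the enable loop here, and again into each registry section below, so any later change to the accepted answers or the wording has to be made in every copy. A small helper taking the current value, the target value and the `-Auto` switch would let each loop read `if (ConfirmChange -Current "$currentSize MB" -New "128 MB" -Auto:$Auto) { ... }`. Because `-eq` is case-insensitive for strings, the helper only needs the empty and `Y` cases. ConfigureAuditSettings starts and ends outside this hunk.
```powershell
# Returns $true when a change should be applied: always under -Auto, otherwise only when the
# operator answers Y (or just presses Enter) at the (Y/n) prompt.
function ConfirmChange {
    param (
        [string] $Current,
        [string] $New,
        [switch] $Auto
    )
    if ($Auto) { return $true }
    $response = Read-Host "Your current setting is $Current. Do you want to change it to $New? (Y/n)"
    return ($response -eq "" -or $response -eq "Y")
}
# … unchanged: the three log loops, each calling ConfirmChange in place of the inline prompt …
```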
@@ -5514,43 +5573,116 @@ function ConfigureAuditSettings { foreach ($reg in $regPaths) { try { - New-Item -Path $reg.Path -Force | Out-Null - Set-ItemProperty -Path $reg.Path -Name $reg.Name -Value $reg.Value -Type DWord - Write-Host " [OK] Set $($reg.Name)" + $currentValue = "Not Set" + if (Test-Path $reg.Path) { + $prop = Get-ItemProperty -Path $reg.Path -Name $reg.Name -ErrorAction SilentlyContinue + if ($prop) { + $currentValue = $prop.$($reg.Name) + } + } + Write-Host "Registry: $($reg.Path) Value: $($reg.Name)" + if ($currentValue -eq $reg.Value) { + Write-Host "[SKIPPED] $($reg.Name) : Already set to $($reg.Value)." -ForegroundColor Yellow + Write-Host "" + continue + } + if ($Auto) { + $response = "Y" + } else { + $response = Read-Host "Your current setting is $currentValue. Do you want to change it to $( $reg.Value )? (Y/n)" + } + if ($response -eq "" -or $response -eq "Y" -or $response -eq "y") { + New-Item -Path $reg.Path -Force | Out-Null + Set-ItemProperty -Path $reg.Path -Name $reg.Name -Value $reg.Value -Type DWord + Write-Host "[OK] Set $($reg.Name)" -ForegroundColor Green + } else { + Write-Host "[SKIPPED] $($reg.Name)" -ForegroundColor Yellow + } } catch { - Write-Host " [ERROR] Failed to set registry: $_" -ForegroundColor Red + Write-Host "[ERROR] Failed to set registry: $_" -ForegroundColor Red } + Write-Host "" } # モジュール名レジストリの設定 try { $moduleLoggingPath = "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames" - New-Item -Path $moduleLoggingPath -Force | Out-Null - Set-ItemProperty -Path $moduleLoggingPath -Name "*" -Value "*" -Type String - Write-Host " [OK] Module logging enabled for all modules" + $currentValue = "Not Set" + if (Test-Path $moduleLoggingPath) { + $prop = Get-ItemProperty -Path $moduleLoggingPath -Name "*" -ErrorAction SilentlyContinue + if ($prop) { + $currentValue = $prop."*" + } + } + Write-Host "Registry: $moduleLoggingPath" + if ($currentValue -eq "*") { + Write-Host "[SKIPPED] Module 
logging : Already set to * (all modules)." -ForegroundColor Yellow + Write-Host "" + return + } + if ($Auto) { + $response = "Y" + } else { + $response = Read-Host "Your current setting is $currentValue. Do you want to change it to * (all modules)? (Y/n)" + } + if ($response -eq "" -or $response -eq "Y" -or $response -eq "y") { + New-Item -Path $moduleLoggingPath -Force | Out-Null + Set-ItemProperty -Path $moduleLoggingPath -Name "*" -Value "*" -Type String + Write-Host "[OK] Module logging enabled for all modules" -ForegroundColor Green + } else { + Write-Host "[SKIPPED] Module logging" -ForegroundColor Yellow + } } catch { - Write-Host " [ERROR] Failed to configure module names: $_" -ForegroundColor Red + Write-Host "[ERROR] Failed to configure module names: $_" -ForegroundColor Red } + Write-Host "" # コマンドライン監査の有効化 - Write-Host "" Write-Host "Enabling Command Line Auditing..." + Write-Host "" $regPath = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" - $arguments = "add $regPath /v ProcessCreationIncludeCmdLine_Enabled /f /t REG_DWORD /d 1" - $process = Start-Process -FilePath "reg.exe" -ArgumentList $arguments -Wait -PassThru -NoNewWindow -RedirectStandardOutput "NUL" - - if ($process.ExitCode -eq 0) { - Write-Host " [OK] Command line auditing enabled" + $valueName = "ProcessCreationIncludeCmdLine_Enabled" + try { + $currentValue = "Not Set" + if (Test-Path $regPath) { + $prop = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue + if ($prop) { + $currentValue = $prop.$valueName + } + } + Write-Host "Registry: $regPath" + if ($currentValue -eq 1) { + Write-Host "[SKIPPED] Command Line Auditing : Already Enabled." -ForegroundColor Yellow + Write-Host "" + return + } + if ($Auto) { + $response = "Y" + } else { + $response = Read-Host "Your current setting is $currentValue. Do you want to change it to 1 (Enabled)? 
(Y/n)" + } + if ($response -eq "" -or $response -eq "Y" -or $response -eq "y") { + $arguments = "add $regPath /v $valueName /f /t REG_DWORD /d 1" + $process = Start-Process -FilePath "reg.exe" -ArgumentList $arguments -Wait -PassThru -NoNewWindow -RedirectStandardOutput "NUL" + if ($process.ExitCode -eq 0) { + Write-Host "[OK] Command line auditing enabled" -ForegroundColor Green + } else { + Write-Host "[ERROR] Command line auditing failed (ExitCode: $($process.ExitCode))" -ForegroundColor Red + } + } else { + Write-Host "[SKIPPED] Command line auditing" -ForegroundColor Yellow + } } - else { - Write-Host " [ERROR] Command line auditing failed (ExitCode: $($process.ExitCode))" -ForegroundColor Red + catch { + Write-Host "[ERROR] Failed to check command line auditing: $_" -ForegroundColor Red } + Write-Host "" # 監査ポリシーの設定 - Write-Host "" Write-Host "Configuring Audit Policies..." + Write-Host "" $auditPolicies = @( @{Category = "Account Logon"; Name = "Credential Validation"; GUID = "{0CCE923F-69AE-11D9-BED3-505054503030}"}, @{Category = "Account Logon"; Name = "Kerberos Authentication Service"; GUID = "{0CCE9242-69AE-11D9-BED3-505054503030}"}, 
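Review bot: The `return` after `[SKIPPED] Module logging : Already set to * (all modules).` leaves ConfigureAuditSettings entirely, so on a host where module logging is already configured the Command Line Auditing and Audit Policies sections never run; the `return` after `[SKIPPED] Command Line Auditing : Already Enabled.` skips the audit policies the same way. Neither spot is inside a loop, so the skip has to be an `else` around the prompt-and-apply part rather than a `return`. Separately, `$regPath = "HKLM\SOFTWARE\..."` has no drive colon, so `Test-Path $regPath` is evaluated as a file-system path and is always false, leaving `$currentValue` at `Not Set` even when the value is already 1 (`reg.exe` needs the colon-less form, `Get-ItemProperty` needs `HKLM:\`). Later patches in this series appear to rework both spots. ConfigureAuditSettings starts and ends outside this hunk.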
@@ -5585,20 +5717,56 @@ function ConfigureAuditSettings { @{Category = "System"; Name = "Other System Events"; GUID = "{0CCE9214-69AE-11D9-BED3-505054503030}"; Success = "disable"} ) - foreach ($policy in $auditPolicies) { - $successFlag = if ($policy.Success) { $policy.Success } else { "enable" } - $arguments = "/set /subcategory:$($policy.GUID) /success:$successFlag /failure:enable" - $process = Start-Process -FilePath "auditpol.exe" -ArgumentList $arguments -Wait -PassThru -NoNewWindow -RedirectStandardOutput "NUL" + # TODO + $currentAuditPol = @{} - if ($process.ExitCode -eq 0) { - Write-Host " [OK] $($policy.Category) - $($policy.Name)" + foreach ($policy in $auditPolicies) + { + $successFlag = if ($policy.Success) + { + $policy.Success } - else { - Write-Host " [ERROR] $($policy.Category) - $($policy.Name) (ExitCode: $($process.ExitCode))" -ForegroundColor Red + else + { + "enable" } + $newSetting = "Success: $successFlag, Failure: enable" + $currentSetting = if ( $currentAuditPol.ContainsKey($policy.GUID)) + { + $currentAuditPol[$policy.GUID] + } + else + { + "Unknown" + } + + Write-Host "Audit Policy: $( $policy.Category ) - $( $policy.Name )" + if ($currentSetting -eq $newSetting) + { + Write-Host "[SKIPPED] $( $policy.Category ) - $( $policy.Name ) : Already set to $newSetting." -ForegroundColor Yellow + Write-Host "" + continue + } + if ($Auto) { + $response = "Y" + } else { + $response = Read-Host "Your current setting is $currentSetting. Do you want to change it to $newSetting? 
(Y/n)" + } + if ($response -eq "" -or $response -eq "Y" -or $response -eq "y") { + $arguments = "/set /subcategory:$($policy.GUID) /success:$successFlag /failure:enable" + $process = Start-Process -FilePath "auditpol.exe" -ArgumentList $arguments -Wait -PassThru -NoNewWindow -RedirectStandardOutput "NUL" + + if ($process.ExitCode -eq 0) { + Write-Host "[OK] $($policy.Category) - $($policy.Name)" -ForegroundColor Green + } + else { + Write-Host "[ERROR] $($policy.Category) - $($policy.Name) (ExitCode: $($process.ExitCode))" -ForegroundColor Red + } + } else { + Write-Host "[SKIPPED] $($policy.Category) - $($policy.Name)" -ForegroundColor Yellow + } + Write-Host "" } - - Write-Host "" Write-Host "Configuration completed successfully" -ForegroundColor Green } @@ -5619,6 +5787,7 @@ Usage: ./WELA.ps1 audit-settings -Baseline ASD -OutType gui # Audit current setting and show in gui, save to csv ./WELA.ps1 audit-filesize -Baseline YamatoSecurity # Audit current file size and show in stdout, save to csv ./WELA.ps1 configure -Baseline YamatoSecurity # Configure audit settings based on the specified baseline + ./WELA.ps1 configure -Baseline YamatoSecurity -Auto # Configure audit settings automatically without prompts ./WELA.ps1 update-rules # Update rule config files from https://github.com/Yamato-Security/WELA ./WELA.ps1 help # Show this help "@ From e23e921382907ef9b89dd5c1abdf356e754f1002 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Wed, 22 Oct 2025 00:10:50 +0900 Subject: [PATCH 08/19] feat: add command execution for auditpol and improve module logging prompts in WELA.ps1 --- WELA.ps1 | 166 +++++++++++++++++++++++++++++-------------------------- 1 file changed, 89 insertions(+), 77 deletions(-) diff --git a/WELA.ps1 b/WELA.ps1 index 21eb9e98..1cdad740 100644 --- a/WELA.ps1 +++ b/WELA.ps1 
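Review bot: `Write-Host "Configuration completed successfully" -ForegroundColor Green` is reached unconditionally, including after one or more `[ERROR]` lines from wevtutil, the registry writes, `reg.exe` or `auditpol.exe` (non-zero `ExitCode`), so a run with failures still ends with a success banner — and under `-Auto` in CI that banner is the only summary anyone reads. Count the failures (e.g. `$failed++` in each error branch) and finish with `if ($failed -gt 0) { Write-Host "Configuration completed with $failed error(s)" -ForegroundColor Red } else { Write-Host "Configuration completed successfully" -ForegroundColor Green }`. Also, with `$currentAuditPol = @{}` left as a TODO, `$currentSetting` is always `Unknown`, so the `[SKIPPED]` comparison can never match and every subcategory is prompted for and rewritten. ConfigureAuditSettings starts outside this hunk.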
@@ -5435,6 +5435,11 @@ function ConfigureAuditSettings { exit 1 } + $autidpolTxt = "./auditpol.txt" + if (-not $debug) { + Start-Process -FilePath "cmd.exe" -ArgumentList "/c chcp 437 & auditpol /get /category:* /r" -NoNewWindow -Wait -RedirectStandardOutput $autidpolTxt + } + # ログサイズ定数 $oneGB = 1073741824 $oneTwentyEightMB = 134217728 @@ -5619,19 +5624,26 @@ function ConfigureAuditSettings { if ($currentValue -eq "*") { Write-Host "[SKIPPED] Module logging : Already set to * (all modules)." -ForegroundColor Yellow Write-Host "" - return - } - if ($Auto) { - $response = "Y" - } else { - $response = Read-Host "Your current setting is $currentValue. Do you want to change it to * (all modules)? (Y/n)" - } - if ($response -eq "" -or $response -eq "Y" -or $response -eq "y") { - New-Item -Path $moduleLoggingPath -Force | Out-Null - Set-ItemProperty -Path $moduleLoggingPath -Name "*" -Value "*" -Type String - Write-Host "[OK] Module logging enabled for all modules" -ForegroundColor Green - } else { - Write-Host "[SKIPPED] Module logging" -ForegroundColor Yellow + } else + { + if ($Auto) + { + $response = "Y" + } + else + { + $response = Read-Host "Your current setting is $currentValue. Do you want to change it to * (all modules)? (Y/n)" + } + if ($response -eq "" -or $response -eq "Y" -or $response -eq "y") + { + New-Item -Path $moduleLoggingPath -Force | Out-Null + Set-ItemProperty -Path $moduleLoggingPath -Name "*" -Value "*" -Type String + Write-Host "[OK] Module logging enabled for all modules" -ForegroundColor Green + } + else + { + Write-Host "[SKIPPED] Module logging" -ForegroundColor Yellow + } } } catch { 
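Review bot: `Start-Process ... -RedirectStandardOutput $autidpolTxt` dumps the current audit policy to `./auditpol.txt`, a relative path that lands wherever the script happens to be invoked from, and the file is never removed afterwards; presumably `GetAuditpol` (called in a later hunk) reads this file, in which case a `-Debug` run skips the dump and reads a stale or missing file. Use a per-run temp path, e.g. `$auditpolTxt = Join-Path ([IO.Path]::GetTempPath()) "wela-auditpol-$PID.txt"`, hand it to the reader, and delete it in a `finally`. The variable name `autidpolTxt` is also a typo for `auditpolTxt`. ConfigureAuditSettings starts and ends outside this hunk.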
@@ -5642,37 +5654,46 @@ function ConfigureAuditSettings { # コマンドライン監査の有効化 Write-Host "Enabling Command Line Auditing..." Write-Host "" - $regPath = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" + $regPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" $valueName = "ProcessCreationIncludeCmdLine_Enabled" try { $currentValue = "Not Set" if (Test-Path $regPath) { $prop = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue - if ($prop) { - $currentValue = $prop.$valueName - } + $currentValue = $prop.$valueName } Write-Host "Registry: $regPath" if ($currentValue -eq 1) { Write-Host "[SKIPPED] Command Line Auditing : Already Enabled." -ForegroundColor Yellow Write-Host "" - return - } - if ($Auto) { - $response = "Y" - } else { - $response = Read-Host "Your current setting is $currentValue. Do you want to change it to 1 (Enabled)? (Y/n)" - } - if ($response -eq "" -or $response -eq "Y" -or $response -eq "y") { - $arguments = "add $regPath /v $valueName /f /t REG_DWORD /d 1" - $process = Start-Process -FilePath "reg.exe" -ArgumentList $arguments -Wait -PassThru -NoNewWindow -RedirectStandardOutput "NUL" - if ($process.ExitCode -eq 0) { - Write-Host "[OK] Command line auditing enabled" -ForegroundColor Green - } else { - Write-Host "[ERROR] Command line auditing failed (ExitCode: $($process.ExitCode))" -ForegroundColor Red + } else + { + if ($Auto) + { + $response = "Y" + } + else + { + $response = Read-Host "Your current setting is $currentValue. Do you want to change it to 1 (Enabled)? 
(Y/n)" + } + if ($response -eq "" -or $response -eq "Y" -or $response -eq "y") + { + $regPath = $regPath -replace "HKLM:", "HKLM" + $arguments = "add $regPath /v $valueName /f /t REG_DWORD /d 1" + $process = Start-Process -FilePath "reg.exe" -ArgumentList $arguments -Wait -PassThru -NoNewWindow -RedirectStandardOutput "NUL" + if ($process.ExitCode -eq 0) + { + Write-Host "[OK] Command line auditing enabled" -ForegroundColor Green + } + else + { + Write-Host "[ERROR] Command line auditing failed (ExitCode: $( $process.ExitCode ))" -ForegroundColor Red + } + } + else + { + Write-Host "[SKIPPED] Command line auditing" -ForegroundColor Yellow } - } else { - Write-Host "[SKIPPED] Command line auditing" -ForegroundColor Yellow } } catch { 
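Review bot: Dropping the `if ($prop)` guard means that when the `Audit` key exists but `ProcessCreationIncludeCmdLine_Enabled` does not, `Get-ItemProperty ... -ErrorAction SilentlyContinue` returns `$null`, `$null.$valueName` is `$null`, and `$currentValue` is no longer `Not Set` but empty, so the prompt reads `Your current setting is .`. Keep the default by assigning conditionally: `if ($null -ne $prop) { $currentValue = $prop.$valueName }`. The brace style of the new lines (`} else` with `{` on the following line) also differs from the K&R style used elsewhere in this function, both here and in the module-logging hunk above. ConfigureAuditSettings starts and ends outside this hunk.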
@@ -5684,54 +5705,45 @@ function ConfigureAuditSettings { Write-Host "Configuring Audit Policies..." Write-Host "" $auditPolicies = @( - @{Category = "Account Logon"; Name = "Credential Validation"; GUID = "{0CCE923F-69AE-11D9-BED3-505054503030}"}, - @{Category = "Account Logon"; Name = "Kerberos Authentication Service"; GUID = "{0CCE9242-69AE-11D9-BED3-505054503030}"}, - @{Category = "Account Logon"; Name = "Kerberos Service Ticket Operations"; GUID = "{0CCE9240-69AE-11D9-BED3-505054503030}"}, - @{Category = "Account Management"; Name = "Computer Account Management"; GUID = "{0CCE9236-69AE-11D9-BED3-505054503030}"}, - @{Category = "Account Management"; Name = "Other Account Management Events"; GUID = "{0CCE923A-69AE-11D9-BED3-505054503030}"}, - @{Category = "Account Management"; Name = "Security Group Management"; GUID = "{0CCE9237-69AE-11D9-BED3-505054503030}"}, - @{Category = "Account Management"; Name = "User Account Management"; GUID = "{0CCE9235-69AE-11D9-BED3-505054503030}"}, - @{Category = "Detailed Tracking"; Name = "Plug and Play"; GUID = "{0cce9248-69ae-11d9-bed3-505054503030}"}, - @{Category = "Detailed Tracking"; Name = "Process Creation"; GUID = "{0CCE922B-69AE-11D9-BED3-505054503030}"}, - @{Category = "Detailed Tracking"; Name = "RPC Events"; GUID = "{0CCE922E-69AE-11D9-BED3-505054503030}"}, - @{Category = "DS Access"; Name = "Directory Service Access"; GUID = "{0CCE923B-69AE-11D9-BED3-505054503030}"}, - @{Category = "DS Access"; Name = "Directory Service Changes"; GUID = "{0CCE923C-69AE-11D9-BED3-505054503030}"}, - @{Category = "Logon/Logoff"; Name = "Account Lockout"; GUID = "{0CCE9217-69AE-11D9-BED3-505054503030}"}, - @{Category = "Logon/Logoff"; Name = "Logoff"; GUID = "{0CCE9216-69AE-11D9-BED3-505054503030}"}, - @{Category = "Logon/Logoff"; Name = "Logon"; GUID = "{0CCE9215-69AE-11D9-BED3-505054503030}"}, - @{Category = "Logon/Logoff"; Name = "Other Logon/Logoff Events"; GUID = "{0CCE921C-69AE-11D9-BED3-505054503030}"}, - @{Category = 
"Logon/Logoff"; Name = "Special Logon"; GUID = "{0CCE921B-69AE-11D9-BED3-505054503030}"}, - @{Category = "Object Access"; Name = "Certification Services"; GUID = "{0CCE9221-69AE-11D9-BED3-505054503030}"}, - @{Category = "Object Access"; Name = "File Share"; GUID = "{0CCE9224-69AE-11D9-BED3-505054503030}"}, - @{Category = "Object Access"; Name = "Filtering Platform Connection"; GUID = "{0CCE9226-69AE-11D9-BED3-505054503030}"}, - @{Category = "Object Access"; Name = "Other Object Access Events"; GUID = "{0CCE9227-69AE-11D9-BED3-505054503030}"}, - @{Category = "Object Access"; Name = "Removable Storage"; GUID = "{0CCE9245-69AE-11D9-BED3-505054503030}"}, - @{Category = "Object Access"; Name = "SAM"; GUID = "{0CCE9220-69AE-11D9-BED3-505054503030}"}, - @{Category = "Policy Change"; Name = "Audit Policy Change"; GUID = "{0CCE922F-69AE-11D9-BED3-505054503030}"}, - @{Category = "Policy Change"; Name = "Authentication Policy Change"; GUID = "{0CCE9230-69AE-11D9-BED3-505054503030}"}, - @{Category = "Policy Change"; Name = "Other Policy Change Events"; GUID = "{0CCE9234-69AE-11D9-BED3-505054503030}"}, - @{Category = "Privilege Use"; Name = "Sensitive Privilege Use"; GUID = "{0CCE9228-69AE-11D9-BED3-505054503030}"}, - @{Category = "System"; Name = "Security State Change"; GUID = "{0CCE9210-69AE-11D9-BED3-505054503030}"; Success = "enable"}, - @{Category = "System"; Name = "Security System Extension"; GUID = "{0CCE9211-69AE-11D9-BED3-505054503030}"; Success = "enable"}, - @{Category = "System"; Name = "System Integrity"; GUID = "{0CCE9212-69AE-11D9-BED3-505054503030}"; Success = "enable"}, - @{Category = "System"; Name = "Other System Events"; GUID = "{0CCE9214-69AE-11D9-BED3-505054503030}"; Success = "disable"} + @{Category = "Account Logon"; Name = "Credential Validation"; GUID = "0CCE923F-69AE-11D9-BED3-505054503030"}, + @{Category = "Account Logon"; Name = "Kerberos Authentication Service"; GUID = "0CCE9242-69AE-11D9-BED3-505054503030"}, + @{Category = "Account Logon"; Name 
= "Kerberos Service Ticket Operations"; GUID = "0CCE9240-69AE-11D9-BED3-505054503030"}, + @{Category = "Account Management"; Name = "Computer Account Management"; GUID = "0CCE9236-69AE-11D9-BED3-505054503030"}, + @{Category = "Account Management"; Name = "Other Account Management Events"; GUID = "0CCE923A-69AE-11D9-BED3-505054503030"}, + @{Category = "Account Management"; Name = "Security Group Management"; GUID = "0CCE9237-69AE-11D9-BED3-505054503030"}, + @{Category = "Account Management"; Name = "User Account Management"; GUID = "0CCE9235-69AE-11D9-BED3-505054503030"}, + @{Category = "Detailed Tracking"; Name = "Plug and Play"; GUID = "0cce9248-69ae-11d9-bed3-505054503030"}, + @{Category = "Detailed Tracking"; Name = "Process Creation"; GUID = "0CCE922B-69AE-11D9-BED3-505054503030"}, + @{Category = "Detailed Tracking"; Name = "RPC Events"; GUID = "0CCE922E-69AE-11D9-BED3-505054503030"}, + @{Category = "DS Access"; Name = "Directory Service Access"; GUID = "0CCE923B-69AE-11D9-BED3-505054503030"}, + @{Category = "DS Access"; Name = "Directory Service Changes"; GUID = "0CCE923C-69AE-11D9-BED3-505054503030"}, + @{Category = "Logon/Logoff"; Name = "Account Lockout"; GUID = "0CCE9217-69AE-11D9-BED3-505054503030"}, + @{Category = "Logon/Logoff"; Name = "Logoff"; GUID = "0CCE9216-69AE-11D9-BED3-505054503030"}, + @{Category = "Logon/Logoff"; Name = "Logon"; GUID = "0CCE9215-69AE-11D9-BED3-505054503030"}, + @{Category = "Logon/Logoff"; Name = "Other Logon/Logoff Events"; GUID = "0CCE921C-69AE-11D9-BED3-505054503030"}, + @{Category = "Logon/Logoff"; Name = "Special Logon"; GUID = "0CCE921B-69AE-11D9-BED3-505054503030"}, + @{Category = "Object Access"; Name = "Certification Services"; GUID = "0CCE9221-69AE-11D9-BED3-505054503030"}, + @{Category = "Object Access"; Name = "File Share"; GUID = "0CCE9224-69AE-11D9-BED3-505054503030"}, + @{Category = "Object Access"; Name = "Filtering Platform Connection"; GUID = "0CCE9226-69AE-11D9-BED3-505054503030"}, + @{Category = "Object 
Access"; Name = "Other Object Access Events"; GUID = "0CCE9227-69AE-11D9-BED3-505054503030"}, + @{Category = "Object Access"; Name = "Removable Storage"; GUID = "0CCE9245-69AE-11D9-BED3-505054503030"}, + @{Category = "Object Access"; Name = "SAM"; GUID = "0CCE9220-69AE-11D9-BED3-505054503030"}, + @{Category = "Policy Change"; Name = "Audit Policy Change"; GUID = "0CCE922F-69AE-11D9-BED3-505054503030"}, + @{Category = "Policy Change"; Name = "Authentication Policy Change"; GUID = "0CCE9230-69AE-11D9-BED3-505054503030"}, + @{Category = "Policy Change"; Name = "Other Policy Change Events"; GUID = "0CCE9234-69AE-11D9-BED3-505054503030"}, + @{Category = "Privilege Use"; Name = "Sensitive Privilege Use"; GUID = "0CCE9228-69AE-11D9-BED3-505054503030"}, + @{Category = "System"; Name = "Security State Change"; GUID = "0CCE9210-69AE-11D9-BED3-505054503030"}, + @{Category = "System"; Name = "Security System Extension"; GUID = "0CCE9211-69AE-11D9-BED3-505054503030"}, + @{Category = "System"; Name = "System Integrity"; GUID = "0CCE9212-69AE-11D9-BED3-505054503030"}, + @{Category = "System"; Name = "Other System Events"; GUID = "0CCE9214-69AE-11D9-BED3-505054503030"} ) - # TODO - $currentAuditPol = @{} + $currentAuditPol = GetAuditpol foreach ($policy in $auditPolicies) { - $successFlag = if ($policy.Success) - { - $policy.Success - } - else - { - "enable" - } - $newSetting = "Success: $successFlag, Failure: enable" - $currentSetting = if ( $currentAuditPol.ContainsKey($policy.GUID)) + $newSetting = "Success and Failure" + $currentSetting = if ($currentAuditPol.ContainsKey($policy.GUID)) { $currentAuditPol[$policy.GUID] } 
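Review bot: Removing the per-policy `Success` field silently changes the baseline: `Other System Events` was `Success = "disable"` and is now applied as Success and Failure like every other subcategory, a noticeable volume increase in the Security log that the commit message does not mention; if it is intended, the baseline data should say so. The lookup `$currentAuditPol.ContainsKey($policy.GUID)` also depends on the GUID case and brace format matching whatever GetAuditpol stores — `Plug and Play` is the only entry written in lowercase (`0cce9248-...`) — so normalise with `$policy.GUID.ToUpper()` on both sides or store the GUIDs consistently. GetAuditpol is not visible in this diff, so the key format is assumed. ConfigureAuditSettings starts and ends outside this hunk.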
@@ -5753,7 +5765,7 @@ function ConfigureAuditSettings {
 $response = Read-Host "Your current setting is $currentSetting. Do you want to change it to $newSetting? (Y/n)"
 }
 if ($response -eq "" -or $response -eq "Y" -or $response -eq "y") {
- $arguments = "/set /subcategory:$($policy.GUID) /success:$successFlag /failure:enable"
+ $arguments = "/set /subcategory:{$($policy.GUID)} /success:enable /failure:enable"
 $process = Start-Process -FilePath "auditpol.exe" -ArgumentList $arguments -Wait -PassThru -NoNewWindow -RedirectStandardOutput "NUL"
 if ($process.ExitCode -eq 0) {
From 50d010a94027610086564604969cfd41b5d286f8 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Wed, 22 Oct 2025 00:13:17 +0900
Subject: [PATCH 09/19] fix: update log size message from 1 GB to 1024 MB in WELA.ps1
---
 WELA.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/WELA.ps1 b/WELA.ps1
index 1cdad740..7ffc4b12 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -5471,7 +5471,7 @@ function ConfigureAuditSettings {
 }
 if ($response -eq "" -or $response -eq "Y" -or $response -eq "y") {
 wevtutil sl $log /ms:$oneGB 2>&1 | Out-Null
- Write-Host "[OK] $log : 1 GB" -ForegroundColor Green
+ Write-Host "[OK] $log : 1024 MB" -ForegroundColor Green
 } else {
 Write-Host "[SKIPPED] $log" -ForegroundColor Yellow
 }
From 3f5b4ee2bbf0506b3fa1a19ee103367c7b967800 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Wed, 22 Oct 2025 00:18:41 +0900
Subject: [PATCH 10/19] fix: update log size message from 1 GB to 1024 MB in WELA.ps1
---
 WELA.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/WELA.ps1 b/WELA.ps1
index 7ffc4b12..afd98e12 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -5827,7 +5827,7 @@ switch ($Cmd.ToLower()) {
 Write-Host "Invalid Guide specified. Valid options are: YamatoSecurity, ASD, Microsoft_Client, Microsoft_Server."
 break
 }
- ConfigureAuditSettings $Baseline
+ ConfigureAuditSettings $Baseline $Auto
 }
 "update-rules" {
From 93eac259b01e8b6583203a9447b006c44c0c274c Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Wed, 22 Oct 2025 00:20:35 +0900
Subject: [PATCH 11/19] fix: set default value for Auto parameter in ConfigureAuditSettings function
---
 WELA.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/WELA.ps1 b/WELA.ps1
index afd98e12..0ef01f34 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -5426,7 +5426,7 @@ function UpdateRules {
 function ConfigureAuditSettings {
 param (
 [string] $Baseline = "YamatoSecurity",
- [switch]$Auto
+ [switch]$Auto = $false
 )
 # 管理者権限の確認
From cd5ad60449fa285e6b1e9d06a9519c071c137069 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Wed, 22 Oct 2025 00:23:28 +0900
Subject: [PATCH 12/19] fix: remove default value for Auto parameter in ConfigureAuditSettings function
---
 WELA.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/WELA.ps1 b/WELA.ps1
index 0ef01f34..afd98e12 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -5426,7 +5426,7 @@ function UpdateRules {
 function ConfigureAuditSettings {
 param (
 [string] $Baseline = "YamatoSecurity",
- [switch]$Auto = $false
+ [switch]$Auto
 )
 # 管理者権限の確認
From 88e7aa8c802633a3c3e98ddf579683f276e9b976 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Wed, 22 Oct 2025 00:27:24 +0900
Subject: [PATCH 13/19] fix: update parameter invocation for ConfigureAuditSettings function
---
 WELA.ps1 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/WELA.ps1 b/WELA.ps1
index afd98e12..69bd6c0a 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -5426,7 +5426,7 @@ function UpdateRules {
 function ConfigureAuditSettings {
 param (
 [string] $Baseline = "YamatoSecurity",
- [switch]$Auto
+ [switch] $Auto
 )
 # 管理者権限の確認
@@ -5827,7 +5827,7 @@ switch ($Cmd.ToLower()) {
 Write-Host "Invalid Guide specified. Valid options are: YamatoSecurity, ASD, Microsoft_Client, Microsoft_Server."
 break
 }
- ConfigureAuditSettings $Baseline $Auto
+ ConfigureAuditSettings -Baseline $Baseline -Auto
 }
 "update-rules" {
From 4413e317f0964d36786301e6bd3f9c7e3207000b Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Wed, 22 Oct 2025 00:29:55 +0900
Subject: [PATCH 14/19] fix: update ConfigureAuditSettings function to accept Auto parameter and add new audit policy configuration script
---
 WELA.ps1 | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/WELA.ps1 b/WELA.ps1
index 69bd6c0a..24da6858 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -2,7 +2,8 @@
 [string]$Cmd,
 [string]$OutType = "std",
 [string]$Baseline = "YamatoSecurity",
- [bool]$Debug = $false
+ [bool]$Debug = $false,
+ [switch]$Auto
 )
 class WELA {
@@ -5827,7 +5828,7 @@ switch ($Cmd.ToLower()) {
 Write-Host "Invalid Guide specified. Valid options are: YamatoSecurity, ASD, Microsoft_Client, Microsoft_Server."
 break
 }
- ConfigureAuditSettings -Baseline $Baseline -Auto
+ ConfigureAuditSettings -Baseline $Baseline -Auto:$Auto
 }
 "update-rules" {
From 367cdef344964787bd74677fe3e89b444e69e2f8 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Wed, 22 Oct 2025 00:32:12 +0900
Subject: [PATCH 15/19] fix: update check-audit.yml to include -Auto parameter in configure command
---
 .github/workflows/check-audit.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/check-audit.yml b/.github/workflows/check-audit.yml
index 996ff361..ddfad943 100644
--- a/.github/workflows/check-audit.yml
+++ b/.github/workflows/check-audit.yml
@@ -45,7 +45,7 @@ jobs:
 - name: Run congiure command(PowerShell 5.1)
 run: |
- ./WELA.ps1 configure
+ ./WELA.ps1 configure -Auto
 shell: powershell
 - name: Run WELA.ps1 audit-settings(PowerShell 5.1)
From 010185e1adcfcaf4b5132c7d51cddc6a8a43ba5d Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Wed, 22 Oct 2025 23:09:02 +0900
Subject: [PATCH 16/19] fix: update WELA.ps1 to handle empty Baseline parameter and provide usage examples for configure command
---
 WELA.ps1 | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/WELA.ps1 b/WELA.ps1
index 24da6858..2688f4c8 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -1,7 +1,6 @@
 param (
 [string]$Cmd,
 [string]$OutType = "std",
- [string]$Baseline = "YamatoSecurity",
 [bool]$Debug = $false,
 [switch]$Auto
 )
@@ -5436,6 +5435,8 @@ function ConfigureAuditSettings {
 exit 1
 }
+
+
 $autidpolTxt = "./auditpol.txt"
 if (-not $debug) {
 Start-Process -FilePath "cmd.exe" -ArgumentList "/c chcp 437 & auditpol /get /category:* /r" -NoNewWindow -Wait -RedirectStandardOutput $autidpolTxt
@@ -5811,6 +5812,9 @@ Write-Host $logo -ForegroundColor Green
 switch ($Cmd.ToLower()) {
 "audit-settings" {
+ if ([string]::IsNullOrEmpty($Baseline)) {
+ $Baseline = "YamatoSecurity"
+ }
 $validGuides = @("YamatoSecurity", "ASD", "Microsoft_Client", "Microsoft_Server")
 if (-not ($validGuides -contains $Baseline.ToLower())) {
 Write-Host "Invalid Guide specified. Valid options are: YamatoSecurity, ASD, Microsoft_Client, Microsoft_Server."
@@ -5823,9 +5827,13 @@ switch ($Cmd.ToLower()) {
 }
 "configure" {
- $validGuides = @("YamatoSecurity", "ASD", "Microsoft_Client", "Microsoft_Server")
- if (-not ($validGuides -contains $Baseline.ToLower())) {
- Write-Host "Invalid Guide specified. Valid options are: YamatoSecurity, ASD, Microsoft_Client, Microsoft_Server."
+ if ([string]::IsNullOrEmpty($Baseline)) {
+ Write-Host "You need to specify a baseline. The following baselines are available:"
+ Write-Host " * YamatoSecurity"
+ Write-Host ""
+ Write-Host "Examples: "
+ Write-Host "./WELA.ps1 configure -Baseline YamatoSecurity"
+ Write-Host "./WELA.ps1 configure -Baseline YamatoSecurity -Auto"
 break
 }
 ConfigureAuditSettings -Baseline $Baseline -Auto:$Auto
From 11beefd929059b579f9d26e5ff1790573f24db5b Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Wed, 22 Oct 2025 23:10:33 +0900
Subject: [PATCH 17/19] fix: add Baseline parameter to WELA.ps1 for enhanced configuration options
---
 WELA.ps1 | 1 +
 1 file changed, 1 insertion(+)
diff --git a/WELA.ps1 b/WELA.ps1
index 2688f4c8..cfe5709d 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -2,6 +2,7 @@
 [string]$Cmd,
 [string]$OutType = "std",
 [bool]$Debug = $false,
+ [string]$Baseline,
 [switch]$Auto
 )
From c40d79b8c0dfa5e0cf3886af57f358a01d8096e8 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Wed, 22 Oct 2025 23:12:13 +0900
Subject: [PATCH 18/19] fix: update check-audit.yml to include Baseline parameter in configure command and add new audit policy configuration script
---
 .github/workflows/check-audit.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/check-audit.yml b/.github/workflows/check-audit.yml
index ddfad943..95b39283 100644
--- a/.github/workflows/check-audit.yml
+++ b/.github/workflows/check-audit.yml
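Review bot: The `configure` branch no longer checks `$Baseline` against `$validGuides`; it only rejects an empty value, so `./WELA.ps1 configure -Baseline Foo` passes straight into ConfigureAuditSettings, and since the only baseline the message advertises is YamatoSecurity a typo is presumably applied as that baseline without any warning (how the function uses `$Baseline` is not visible here). Keep an explicit check next to the empty-value one, e.g. `if ($Baseline -ne "YamatoSecurity") { Write-Host "Invalid baseline: $Baseline. Available: YamatoSecurity"; break }`, so the accepted set is enforced in one place. The `switch` block starts outside this hunk.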
@@ -45,7 +45,7 @@ jobs:
 - name: Run congiure command(PowerShell 5.1)
 run: |
- ./WELA.ps1 configure -Auto
+ ./WELA.ps1 configure -Baseline YamatoSecurity -Auto
 shell: powershell
 - name: Run WELA.ps1 audit-settings(PowerShell 5.1)
From 4b91959be0b4825db3a42fd9335e17e195c86f0e Mon Sep 17 00:00:00 2001
From: YamatoSecurity
Date: Thu, 23 Oct 2025 09:20:30 +0900
Subject: [PATCH 19/19] update changelog
---
 CHANGELOG-Japanese.md | 1 +
 CHANGELOG.md | 1 +
 2 files changed, 2 insertions(+)
diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
index cedca664..64488cea 100644
--- a/CHANGELOG-Japanese.md
+++ b/CHANGELOG-Japanese.md
@@ -5,6 +5,7 @@
 **新機能:**
 - MITRE ATT&CK Navigatorヒートマップに対応した。 (#11) (@fukusuket)
+- Windows設定を様々なベースラインに構成するための`configure`コマンドを追加した。 (#12) (@fukusuket)
 **バグ修正:**
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5759f327..f20f45f9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@
 **New Features:**
 - Support for MITRE ATT&CK Navigator heatmaps. (#11) (@fukusuket)
+- Added a `configure` command to configure Windows settings to various baselines. (#12) (@fukusuket)
 **Bug Fixes:**