mirror of
https://github.com/Yamato-Security/WELA.git
synced 2025-12-06 09:12:46 +01:00
Merge pull request #120 from Yamato-Security/12-configure-command
feat: Configure command
7
.github/workflows/check-audit.yml
7
.github/workflows/check-audit.yml
@@ -43,6 +43,11 @@ jobs:
|
|||||||
$PSVersionTable.PSVersion
|
$PSVersionTable.PSVersion
|
||||||
shell: powershell
|
shell: powershell
|
||||||
|
|
||||||
|
- name: Run congiure command(PowerShell 5.1)
|
||||||
|
run: |
|
||||||
|
./WELA.ps1 configure -Baseline YamatoSecurity -Auto
|
||||||
|
shell: powershell
|
||||||
|
|
||||||
- name: Run WELA.ps1 audit-settings(PowerShell 5.1)
|
- name: Run WELA.ps1 audit-settings(PowerShell 5.1)
|
||||||
run: |
|
run: |
|
||||||
./WELA.ps1 audit-settings
|
./WELA.ps1 audit-settings
|
||||||
@@ -61,4 +66,4 @@ jobs:
|
|||||||
- name: Output UnUsableRules.csv(PowerShell 5.1)
|
- name: Output UnUsableRules.csv(PowerShell 5.1)
|
||||||
run: |
|
run: |
|
||||||
Get-Content UnusableRules.csv
|
Get-Content UnusableRules.csv
|
||||||
shell: powershell
|
shell: powershell
|
||||||
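Review bot: The new step's display name at `- name: Run congiure command(PowerShell 5.1)` has a typo; `- name: Run configure command(PowerShell 5.1)` matches the command it runs. Because `./WELA.ps1 configure -Baseline YamatoSecurity -Auto` now runs before the `audit-settings` step, the audit in this job exercises a host that has just been configured rather than the runner's default state; if the intent is to verify that configure yields a passing audit, a short `# configure first so audit-settings checks the applied baseline` comment above the step would make that explicit. Both steps sit inside the `jobs:` block, which starts outside the hunk.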
|
|||||||
@@ -5,6 +5,7 @@
|
|||||||
**新機能:**
|
**新機能:**
|
||||||
|
|
||||||
- MITRE ATT&CK Navigatorヒートマップに対応した。 (#11) (@fukusuket)
|
- MITRE ATT&CK Navigatorヒートマップに対応した。 (#11) (@fukusuket)
|
||||||
|
- Windows設定を様々なベースラインに構成するための`configure`コマンドを追加した。 (#12) (@fukusuket)
|
||||||
|
|
||||||
**バグ修正:**
|
**バグ修正:**
|
||||||
|
|
||||||
|
|||||||
@@ -5,6 +5,7 @@
|
|||||||
**New Features:**
|
**New Features:**
|
||||||
|
|
||||||
- Support for MITRE ATT&CK Navigator heatmaps. (#11) (@fukusuket)
|
- Support for MITRE ATT&CK Navigator heatmaps. (#11) (@fukusuket)
|
||||||
|
- Added a `configure` command to configure Windows settings to various baselines. (#12) (@fukusuket)
|
||||||
|
|
||||||
**Bug Fixes:**
|
**Bug Fixes:**
|
||||||
|
|
||||||
|
|||||||
396
WELA.ps1
396
WELA.ps1
@@ -1,8 +1,9 @@
|
|||||||
param (
|
param (
|
||||||
[string]$Cmd,
|
[string]$Cmd,
|
||||||
[string]$OutType = "std",
|
[string]$OutType = "std",
|
||||||
[string]$Baseline = "YamatoSecurity",
|
[bool]$Debug = $false,
|
||||||
[bool]$Debug = $false
|
[string]$Baseline,
|
||||||
|
[switch]$Auto
|
||||||
)
|
)
|
||||||
|
|
||||||
class WELA {
|
class WELA {
|
||||||
@@ -5173,15 +5174,22 @@ function AuditLogSetting {
|
|||||||
}
|
}
|
||||||
$auditResult | Select-Object -Property Category, SubCategory, RuleCount, RuleCountByLevel, DefaultSetting, CurrentSetting, RecommendedSetting, Volume, Note | Export-Csv -Path "WELA-Audit-Result.csv" -NoTypeInformation
|
$auditResult | Select-Object -Property Category, SubCategory, RuleCount, RuleCountByLevel, DefaultSetting, CurrentSetting, RecommendedSetting, Volume, Note | Export-Csv -Path "WELA-Audit-Result.csv" -NoTypeInformation
|
||||||
Write-Output "Audit check result saved to: WELA-Audit-Result.csv"
|
Write-Output "Audit check result saved to: WELA-Audit-Result.csv"
|
||||||
} elseif ($outType -eq "gui") {
|
|
||||||
$auditResult | Select-Object -Property Category, SubCategory, RuleCount, RuleCountByLevel, DefaultSetting, CurrentSetting, RecommendedSetting, Volume, Note | Out-GridView -Title "WELA Audit Result"
|
|
||||||
} elseif ($outType -eq "table") {
|
} elseif ($outType -eq "table") {
|
||||||
$auditResult | Select-Object -Property Category, SubCategory, RuleCount, DefaultSetting, CurrentSetting, RecommendedSetting, Volume | Format-Table
|
$auditResult | Select-Object -Property Category, SubCategory, RuleCount, DefaultSetting, CurrentSetting, RecommendedSetting, Volume | Format-Table
|
||||||
}
|
}
|
||||||
|
|
||||||
$usableRules = $auditResult | Select-Object -ExpandProperty Rules | Where-Object { $_.applicable -eq $true }
|
$usableRules = $auditResult | Select-Object -ExpandProperty Rules | Where-Object { $_.applicable -eq $true }
|
||||||
$unUsableRules = $auditResult | Select-Object -ExpandProperty Rules | Where-Object { $_.applicable -eq $false }
|
$unUsableRules = $auditResult | Select-Object -ExpandProperty Rules | Where-Object { $_.applicable -eq $false }
|
||||||
$usableRules | Select-Object title, level, service, category, description, id | Export-Csv -Path "UsableRules.csv" -NoTypeInformation
|
$usableRules | Select-Object title, level, service, category, description, id | Export-Csv -Path "UsableRules.csv" -NoTypeInformation
|
||||||
$unusableRules | Select-Object title, level, service, category, description, id | Export-Csv -Path "UnusableRules.csv" -NoTypeInformation
|
$unusableRules | Select-Object title, level, service, category, description, id | Export-Csv -Path "UnusableRules.csv" -NoTypeInformation
|
||||||
|
|
||||||
|
if ($outType -eq "gui") {
|
||||||
|
$usableRules | Select-Object title, level, service, category, description, id | Out-GridView -Title "Usable Detection Rules"
|
||||||
|
$unUsableRules | Select-Object title, level, service, category, description, id | Out-GridView -Title "Unusable Detection Rules"
|
||||||
|
$auditResult | Select-Object -Property Category, SubCategory, RuleCount, RuleCountByLevel, DefaultSetting, CurrentSetting, RecommendedSetting, Volume, Note | Out-GridView -Title "WELA Audit Result"
|
||||||
|
Write-Output "Audit check result saved to: WELA-Audit-Result.csv"
|
||||||
|
}
|
||||||
|
|
||||||
Write-Output "Usable detection rules list saved to: UsableRules.csv"
|
Write-Output "Usable detection rules list saved to: UsableRules.csv"
|
||||||
Write-Output "Unusable detection rules list saved to: UnusableRules.csv"
|
Write-Output "Unusable detection rules list saved to: UnusableRules.csv"
|
||||||
|
|
||||||
@@ -5191,7 +5199,6 @@ function AuditLogSetting {
|
|||||||
Export-MitreHeatmap -sigmaRules $sigma_rules -OutputPath "mitre-ttp-navigator-ideal.json" -UseIdealCount $true
|
Export-MitreHeatmap -sigmaRules $sigma_rules -OutputPath "mitre-ttp-navigator-ideal.json" -UseIdealCount $true
|
||||||
Write-Output "MITRE ATT&CK Navigator data(based on ideal settings) saved to: mitre-ttp-navigator-ideal.json"
|
Write-Output "MITRE ATT&CK Navigator data(based on ideal settings) saved to: mitre-ttp-navigator-ideal.json"
|
||||||
|
|
||||||
|
|
||||||
$totalRulesCount = $auditResult | Select-Object -ExpandProperty Rules | Measure-Object | Select-Object -ExpandProperty Count
|
$totalRulesCount = $auditResult | Select-Object -ExpandProperty Rules | Measure-Object | Select-Object -ExpandProperty Count
|
||||||
$usableRulesCount = $usableRules | Measure-Object | Select-Object -ExpandProperty Count
|
$usableRulesCount = $usableRules | Measure-Object | Select-Object -ExpandProperty Count
|
||||||
$utilizationPercentage = "{0:N2}" -f (($usableRulesCount / $totalRulesCount) * 100)
|
$utilizationPercentage = "{0:N2}" -f (($usableRulesCount / $totalRulesCount) * 100)
|
||||||
@@ -5417,6 +5424,367 @@ function UpdateRules {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function ConfigureAuditSettings {
|
||||||
|
param (
|
||||||
|
[string] $Baseline = "YamatoSecurity",
|
||||||
|
[switch] $Auto
|
||||||
|
)
|
||||||
|
|
||||||
|
# 管理者権限の確認
|
||||||
|
if (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
|
||||||
|
Write-Error "This script requires Administrator privileges"
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
$autidpolTxt = "./auditpol.txt"
|
||||||
|
if (-not $debug) {
|
||||||
|
Start-Process -FilePath "cmd.exe" -ArgumentList "/c chcp 437 & auditpol /get /category:* /r" -NoNewWindow -Wait -RedirectStandardOutput $autidpolTxt
|
||||||
|
}
|
||||||
|
|
||||||
|
# ログサイズ定数
|
||||||
|
$oneGB = 1073741824
|
||||||
|
$oneTwentyEightMB = 134217728
|
||||||
|
|
||||||
|
# セキュリティおよびPowerShellログを1GBに設定
|
||||||
|
Write-Host "Configuring Event Logs..."
|
||||||
|
Write-Host ""
|
||||||
|
$largeLogs = @(
|
||||||
|
"Security",
|
||||||
|
"Microsoft-Windows-PowerShell/Operational",
|
||||||
|
"Windows PowerShell"
|
||||||
|
)
|
||||||
|
|
||||||
|
foreach ($log in $largeLogs) {
|
||||||
|
try {
|
||||||
|
$logInfo = Get-WinEvent -ListLog $log -ErrorAction Stop
|
||||||
|
$currentSize = [math]::Floor($logInfo.MaximumSizeInBytes / 1MB)
|
||||||
|
$newSize = 1024
|
||||||
|
Write-Host "Log: $log"
|
||||||
|
if ($currentSize -ge $newSize) {
|
||||||
|
Write-Host "[SKIPPED] $log : Current size ($currentSize MB) is already greater than or equal to $newSize MB." -ForegroundColor Yellow
|
||||||
|
Write-Host ""
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
if ($Auto) {
|
||||||
|
$response = "Y"
|
||||||
|
} else {
|
||||||
|
$response = Read-Host "Your current setting is $currentSize MB. Do you want to change it to 1024 MB? (Y/n)"
|
||||||
|
}
|
||||||
|
if ($response -eq "" -or $response -eq "Y" -or $response -eq "y") {
|
||||||
|
wevtutil sl $log /ms:$oneGB 2>&1 | Out-Null
|
||||||
|
Write-Host "[OK] $log : 1024 MB" -ForegroundColor Green
|
||||||
|
} else {
|
||||||
|
Write-Host "[SKIPPED] $log" -ForegroundColor Yellow
|
||||||
|
}
|
||||||
|
}
|
||||||
|
catch {
|
||||||
|
Write-Host "[ERROR] $log : $_" -ForegroundColor Red
|
||||||
|
}
|
||||||
|
Write-Host ""
|
||||||
|
}
|
||||||
|
|
||||||
|
# その他の重要なログを128MBに設定
|
||||||
|
$mediumLogs = @(
|
||||||
|
"System",
|
||||||
|
"Application",
|
||||||
|
"Microsoft-Windows-Windows Defender/Operational",
|
||||||
|
"Microsoft-Windows-Bits-Client/Operational",
|
||||||
|
"Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
|
||||||
|
"Microsoft-Windows-NTLM/Operational",
|
||||||
|
"Microsoft-Windows-Security-Mitigations/KernelMode",
|
||||||
|
"Microsoft-Windows-Security-Mitigations/UserMode",
|
||||||
|
"Microsoft-Windows-PrintService/Admin",
|
||||||
|
"Microsoft-Windows-PrintService/Operational",
|
||||||
|
"Microsoft-Windows-SmbClient/Security",
|
||||||
|
"Microsoft-Windows-AppLocker/MSI and Script",
|
||||||
|
"Microsoft-Windows-AppLocker/EXE and DLL",
|
||||||
|
"Microsoft-Windows-AppLocker/Packaged app-Deployment",
|
||||||
|
"Microsoft-Windows-AppLocker/Packaged app-Execution",
|
||||||
|
"Microsoft-Windows-CodeIntegrity/Operational",
|
||||||
|
"Microsoft-Windows-Diagnosis-Scripted/Operational",
|
||||||
|
"Microsoft-Windows-DriverFrameworks-UserMode/Operational",
|
||||||
|
"Microsoft-Windows-WMI-Activity/Operational",
|
||||||
|
"Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
|
||||||
|
"Microsoft-Windows-TaskScheduler/Operational"
|
||||||
|
)
|
||||||
|
|
||||||
|
foreach ($log in $mediumLogs) {
|
||||||
|
try {
|
||||||
|
$logInfo = Get-WinEvent -ListLog $log -ErrorAction Stop
|
||||||
|
$currentSize = [math]::Floor($logInfo.MaximumSizeInBytes / 1MB)
|
||||||
|
$newSize = 128
|
||||||
|
Write-Host "Log: $log"
|
||||||
|
if ($currentSize -ge $newSize) {
|
||||||
|
Write-Host "[SKIPPED] $log : Current size ($currentSize MB) is already greater than or equal to $newSize MB." -ForegroundColor Yellow
|
||||||
|
Write-Host ""
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
if ($Auto) {
|
||||||
|
$response = "Y"
|
||||||
|
} else {
|
||||||
|
$response = Read-Host "Your current setting is $currentSize MB. Do you want to change it to 128 MB? (Y/n)"
|
||||||
|
}
|
||||||
|
if ($response -eq "" -or $response -eq "Y" -or $response -eq "y") {
|
||||||
|
wevtutil sl $log /ms:$oneTwentyEightMB 2>&1 | Out-Null
|
||||||
|
Write-Host "[OK] $log : 128 MB" -ForegroundColor Green
|
||||||
|
} else {
|
||||||
|
Write-Host "[SKIPPED] $log" -ForegroundColor Yellow
|
||||||
|
}
|
||||||
|
}
|
||||||
|
catch {
|
||||||
|
Write-Host "[ERROR] $log : $_" -ForegroundColor Red
|
||||||
|
}
|
||||||
|
Write-Host ""
|
||||||
|
}
|
||||||
|
|
||||||
|
# 特定のログの有効化
|
||||||
|
Write-Host "Enabling Event Logs..."
|
||||||
|
Write-Host ""
|
||||||
|
foreach ($log in @("Microsoft-Windows-TaskScheduler/Operational", "Microsoft-Windows-DriverFrameworks-UserMode/Operational")) {
|
||||||
|
try {
|
||||||
|
$logInfo = Get-WinEvent -ListLog $log -ErrorAction Stop
|
||||||
|
$currentState = if ($logInfo.IsEnabled) { "Enabled" } else { "Disabled" }
|
||||||
|
$newState = "Enabled"
|
||||||
|
Write-Host "Log: $log"
|
||||||
|
if ($currentState -eq $newState) {
|
||||||
|
Write-Host "[SKIPPED] $log : Already Enabled." -ForegroundColor Yellow
|
||||||
|
Write-Host ""
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
if ($Auto) {
|
||||||
|
$response = "Y"
|
||||||
|
} else {
|
||||||
|
$response = Read-Host "Your current setting is $currentState. Do you want to change it to Enabled? (Y/n)"
|
||||||
|
}
|
||||||
|
if ($response -eq "" -or $response -eq "Y" -or $response -eq "y") {
|
||||||
|
wevtutil sl $log /e:true 2>&1 | Out-Null
|
||||||
|
Write-Host "[OK] Enabled: $log" -ForegroundColor Green
|
||||||
|
} else {
|
||||||
|
Write-Host "[SKIPPED] $log" -ForegroundColor Yellow
|
||||||
|
}
|
||||||
|
}
|
||||||
|
catch {
|
||||||
|
Write-Host "[ERROR] Failed to enable $log : $_" -ForegroundColor Red
|
||||||
|
}
|
||||||
|
Write-Host ""
|
||||||
|
}
|
||||||
|
|
||||||
|
# PowerShell ロギングの設定
|
||||||
|
Write-Host "Configuring PowerShell Logging..."
|
||||||
|
Write-Host ""
|
||||||
|
$regPaths = @(
|
||||||
|
@{Path = "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging"; Name = "EnableModuleLogging"; Value = 1},
|
||||||
|
@{Path = "HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"; Name = "EnableScriptBlockLogging"; Value = 1}
|
||||||
|
)
|
||||||
|
|
||||||
|
foreach ($reg in $regPaths) {
|
||||||
|
try {
|
||||||
|
$currentValue = "Not Set"
|
||||||
|
if (Test-Path $reg.Path) {
|
||||||
|
$prop = Get-ItemProperty -Path $reg.Path -Name $reg.Name -ErrorAction SilentlyContinue
|
||||||
|
if ($prop) {
|
||||||
|
$currentValue = $prop.$($reg.Name)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
Write-Host "Registry: $($reg.Path) Value: $($reg.Name)"
|
||||||
|
if ($currentValue -eq $reg.Value) {
|
||||||
|
Write-Host "[SKIPPED] $($reg.Name) : Already set to $($reg.Value)." -ForegroundColor Yellow
|
||||||
|
Write-Host ""
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
if ($Auto) {
|
||||||
|
$response = "Y"
|
||||||
|
} else {
|
||||||
|
$response = Read-Host "Your current setting is $currentValue. Do you want to change it to $( $reg.Value )? (Y/n)"
|
||||||
|
}
|
||||||
|
if ($response -eq "" -or $response -eq "Y" -or $response -eq "y") {
|
||||||
|
New-Item -Path $reg.Path -Force | Out-Null
|
||||||
|
Set-ItemProperty -Path $reg.Path -Name $reg.Name -Value $reg.Value -Type DWord
|
||||||
|
Write-Host "[OK] Set $($reg.Name)" -ForegroundColor Green
|
||||||
|
} else {
|
||||||
|
Write-Host "[SKIPPED] $($reg.Name)" -ForegroundColor Yellow
|
||||||
|
}
|
||||||
|
}
|
||||||
|
catch {
|
||||||
|
Write-Host "[ERROR] Failed to set registry: $_" -ForegroundColor Red
|
||||||
|
}
|
||||||
|
Write-Host ""
|
||||||
|
}
|
||||||
|
|
||||||
|
# モジュール名レジストリの設定
|
||||||
|
try {
|
||||||
|
$moduleLoggingPath = "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames"
|
||||||
|
$currentValue = "Not Set"
|
||||||
|
if (Test-Path $moduleLoggingPath) {
|
||||||
|
$prop = Get-ItemProperty -Path $moduleLoggingPath -Name "*" -ErrorAction SilentlyContinue
|
||||||
|
if ($prop) {
|
||||||
|
$currentValue = $prop."*"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
Write-Host "Registry: $moduleLoggingPath"
|
||||||
|
if ($currentValue -eq "*") {
|
||||||
|
Write-Host "[SKIPPED] Module logging : Already set to * (all modules)." -ForegroundColor Yellow
|
||||||
|
Write-Host ""
|
||||||
|
} else
|
||||||
|
{
|
||||||
|
if ($Auto)
|
||||||
|
{
|
||||||
|
$response = "Y"
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
$response = Read-Host "Your current setting is $currentValue. Do you want to change it to * (all modules)? (Y/n)"
|
||||||
|
}
|
||||||
|
if ($response -eq "" -or $response -eq "Y" -or $response -eq "y")
|
||||||
|
{
|
||||||
|
New-Item -Path $moduleLoggingPath -Force | Out-Null
|
||||||
|
Set-ItemProperty -Path $moduleLoggingPath -Name "*" -Value "*" -Type String
|
||||||
|
Write-Host "[OK] Module logging enabled for all modules" -ForegroundColor Green
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
Write-Host "[SKIPPED] Module logging" -ForegroundColor Yellow
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
catch {
|
||||||
|
Write-Host "[ERROR] Failed to configure module names: $_" -ForegroundColor Red
|
||||||
|
}
|
||||||
|
Write-Host ""
|
||||||
|
|
||||||
|
# コマンドライン監査の有効化
|
||||||
|
Write-Host "Enabling Command Line Auditing..."
|
||||||
|
Write-Host ""
|
||||||
|
$regPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit"
|
||||||
|
$valueName = "ProcessCreationIncludeCmdLine_Enabled"
|
||||||
|
try {
|
||||||
|
$currentValue = "Not Set"
|
||||||
|
if (Test-Path $regPath) {
|
||||||
|
$prop = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
|
||||||
|
$currentValue = $prop.$valueName
|
||||||
|
}
|
||||||
|
Write-Host "Registry: $regPath"
|
||||||
|
if ($currentValue -eq 1) {
|
||||||
|
Write-Host "[SKIPPED] Command Line Auditing : Already Enabled." -ForegroundColor Yellow
|
||||||
|
Write-Host ""
|
||||||
|
} else
|
||||||
|
{
|
||||||
|
if ($Auto)
|
||||||
|
{
|
||||||
|
$response = "Y"
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
$response = Read-Host "Your current setting is $currentValue. Do you want to change it to 1 (Enabled)? (Y/n)"
|
||||||
|
}
|
||||||
|
if ($response -eq "" -or $response -eq "Y" -or $response -eq "y")
|
||||||
|
{
|
||||||
|
$regPath = $regPath -replace "HKLM:", "HKLM"
|
||||||
|
$arguments = "add $regPath /v $valueName /f /t REG_DWORD /d 1"
|
||||||
|
$process = Start-Process -FilePath "reg.exe" -ArgumentList $arguments -Wait -PassThru -NoNewWindow -RedirectStandardOutput "NUL"
|
||||||
|
if ($process.ExitCode -eq 0)
|
||||||
|
{
|
||||||
|
Write-Host "[OK] Command line auditing enabled" -ForegroundColor Green
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
Write-Host "[ERROR] Command line auditing failed (ExitCode: $( $process.ExitCode ))" -ForegroundColor Red
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
Write-Host "[SKIPPED] Command line auditing" -ForegroundColor Yellow
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
catch {
|
||||||
|
Write-Host "[ERROR] Failed to check command line auditing: $_" -ForegroundColor Red
|
||||||
|
}
|
||||||
|
Write-Host ""
|
||||||
|
|
||||||
|
# 監査ポリシーの設定
|
||||||
|
Write-Host "Configuring Audit Policies..."
|
||||||
|
Write-Host ""
|
||||||
|
$auditPolicies = @(
|
||||||
|
@{Category = "Account Logon"; Name = "Credential Validation"; GUID = "0CCE923F-69AE-11D9-BED3-505054503030"},
|
||||||
|
@{Category = "Account Logon"; Name = "Kerberos Authentication Service"; GUID = "0CCE9242-69AE-11D9-BED3-505054503030"},
|
||||||
|
@{Category = "Account Logon"; Name = "Kerberos Service Ticket Operations"; GUID = "0CCE9240-69AE-11D9-BED3-505054503030"},
|
||||||
|
@{Category = "Account Management"; Name = "Computer Account Management"; GUID = "0CCE9236-69AE-11D9-BED3-505054503030"},
|
||||||
|
@{Category = "Account Management"; Name = "Other Account Management Events"; GUID = "0CCE923A-69AE-11D9-BED3-505054503030"},
|
||||||
|
@{Category = "Account Management"; Name = "Security Group Management"; GUID = "0CCE9237-69AE-11D9-BED3-505054503030"},
|
||||||
|
@{Category = "Account Management"; Name = "User Account Management"; GUID = "0CCE9235-69AE-11D9-BED3-505054503030"},
|
||||||
|
@{Category = "Detailed Tracking"; Name = "Plug and Play"; GUID = "0cce9248-69ae-11d9-bed3-505054503030"},
|
||||||
|
@{Category = "Detailed Tracking"; Name = "Process Creation"; GUID = "0CCE922B-69AE-11D9-BED3-505054503030"},
|
||||||
|
@{Category = "Detailed Tracking"; Name = "RPC Events"; GUID = "0CCE922E-69AE-11D9-BED3-505054503030"},
|
||||||
|
@{Category = "DS Access"; Name = "Directory Service Access"; GUID = "0CCE923B-69AE-11D9-BED3-505054503030"},
|
||||||
|
@{Category = "DS Access"; Name = "Directory Service Changes"; GUID = "0CCE923C-69AE-11D9-BED3-505054503030"},
|
||||||
|
@{Category = "Logon/Logoff"; Name = "Account Lockout"; GUID = "0CCE9217-69AE-11D9-BED3-505054503030"},
|
||||||
|
@{Category = "Logon/Logoff"; Name = "Logoff"; GUID = "0CCE9216-69AE-11D9-BED3-505054503030"},
|
||||||
|
@{Category = "Logon/Logoff"; Name = "Logon"; GUID = "0CCE9215-69AE-11D9-BED3-505054503030"},
|
||||||
|
@{Category = "Logon/Logoff"; Name = "Other Logon/Logoff Events"; GUID = "0CCE921C-69AE-11D9-BED3-505054503030"},
|
||||||
|
@{Category = "Logon/Logoff"; Name = "Special Logon"; GUID = "0CCE921B-69AE-11D9-BED3-505054503030"},
|
||||||
|
@{Category = "Object Access"; Name = "Certification Services"; GUID = "0CCE9221-69AE-11D9-BED3-505054503030"},
|
||||||
|
@{Category = "Object Access"; Name = "File Share"; GUID = "0CCE9224-69AE-11D9-BED3-505054503030"},
|
||||||
|
@{Category = "Object Access"; Name = "Filtering Platform Connection"; GUID = "0CCE9226-69AE-11D9-BED3-505054503030"},
|
||||||
|
@{Category = "Object Access"; Name = "Other Object Access Events"; GUID = "0CCE9227-69AE-11D9-BED3-505054503030"},
|
||||||
|
@{Category = "Object Access"; Name = "Removable Storage"; GUID = "0CCE9245-69AE-11D9-BED3-505054503030"},
|
||||||
|
@{Category = "Object Access"; Name = "SAM"; GUID = "0CCE9220-69AE-11D9-BED3-505054503030"},
|
||||||
|
@{Category = "Policy Change"; Name = "Audit Policy Change"; GUID = "0CCE922F-69AE-11D9-BED3-505054503030"},
|
||||||
|
@{Category = "Policy Change"; Name = "Authentication Policy Change"; GUID = "0CCE9230-69AE-11D9-BED3-505054503030"},
|
||||||
|
@{Category = "Policy Change"; Name = "Other Policy Change Events"; GUID = "0CCE9234-69AE-11D9-BED3-505054503030"},
|
||||||
|
@{Category = "Privilege Use"; Name = "Sensitive Privilege Use"; GUID = "0CCE9228-69AE-11D9-BED3-505054503030"},
|
||||||
|
@{Category = "System"; Name = "Security State Change"; GUID = "0CCE9210-69AE-11D9-BED3-505054503030"},
|
||||||
|
@{Category = "System"; Name = "Security System Extension"; GUID = "0CCE9211-69AE-11D9-BED3-505054503030"},
|
||||||
|
@{Category = "System"; Name = "System Integrity"; GUID = "0CCE9212-69AE-11D9-BED3-505054503030"},
|
||||||
|
@{Category = "System"; Name = "Other System Events"; GUID = "0CCE9214-69AE-11D9-BED3-505054503030"}
|
||||||
|
)
|
||||||
|
|
||||||
|
$currentAuditPol = GetAuditpol
|
||||||
|
|
||||||
|
foreach ($policy in $auditPolicies)
|
||||||
|
{
|
||||||
|
$newSetting = "Success and Failure"
|
||||||
|
$currentSetting = if ($currentAuditPol.ContainsKey($policy.GUID))
|
||||||
|
{
|
||||||
|
$currentAuditPol[$policy.GUID]
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
"Unknown"
|
||||||
|
}
|
||||||
|
|
||||||
|
Write-Host "Audit Policy: $( $policy.Category ) - $( $policy.Name )"
|
||||||
|
if ($currentSetting -eq $newSetting)
|
||||||
|
{
|
||||||
|
Write-Host "[SKIPPED] $( $policy.Category ) - $( $policy.Name ) : Already set to $newSetting." -ForegroundColor Yellow
|
||||||
|
Write-Host ""
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
if ($Auto) {
|
||||||
|
$response = "Y"
|
||||||
|
} else {
|
||||||
|
$response = Read-Host "Your current setting is $currentSetting. Do you want to change it to $newSetting? (Y/n)"
|
||||||
|
}
|
||||||
|
if ($response -eq "" -or $response -eq "Y" -or $response -eq "y") {
|
||||||
|
$arguments = "/set /subcategory:{$($policy.GUID)} /success:enable /failure:enable"
|
||||||
|
$process = Start-Process -FilePath "auditpol.exe" -ArgumentList $arguments -Wait -PassThru -NoNewWindow -RedirectStandardOutput "NUL"
|
||||||
|
|
||||||
|
if ($process.ExitCode -eq 0) {
|
||||||
|
Write-Host "[OK] $($policy.Category) - $($policy.Name)" -ForegroundColor Green
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
Write-Host "[ERROR] $($policy.Category) - $($policy.Name) (ExitCode: $($process.ExitCode))" -ForegroundColor Red
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
Write-Host "[SKIPPED] $($policy.Category) - $($policy.Name)" -ForegroundColor Yellow
|
||||||
|
}
|
||||||
|
Write-Host ""
|
||||||
|
}
|
||||||
|
Write-Host "Configuration completed successfully" -ForegroundColor Green
|
||||||
|
}
|
||||||
|
|
||||||
$logo = @"
|
$logo = @"
|
||||||
┏┓┏┓┏┳━━━┳┓ ┏━━━┓
|
┏┓┏┓┏┳━━━┳┓ ┏━━━┓
|
||||||
┃┃┃┃┃┃┏━━┫┃ ┃┏━┓┃
|
┃┃┃┃┃┃┏━━┫┃ ┃┏━┓┃
|
||||||
@@ -5433,6 +5801,8 @@ Usage:
|
|||||||
./WELA.ps1 audit-settings -Baseline YamatoSecurity # Audit current setting and show in stdout, save to csv
|
./WELA.ps1 audit-settings -Baseline YamatoSecurity # Audit current setting and show in stdout, save to csv
|
||||||
./WELA.ps1 audit-settings -Baseline ASD -OutType gui # Audit current setting and show in gui, save to csv
|
./WELA.ps1 audit-settings -Baseline ASD -OutType gui # Audit current setting and show in gui, save to csv
|
||||||
./WELA.ps1 audit-filesize -Baseline YamatoSecurity # Audit current file size and show in stdout, save to csv
|
./WELA.ps1 audit-filesize -Baseline YamatoSecurity # Audit current file size and show in stdout, save to csv
|
||||||
|
./WELA.ps1 configure -Baseline YamatoSecurity # Configure audit settings based on the specified baseline
|
||||||
|
./WELA.ps1 configure -Baseline YamatoSecurity -Auto # Configure audit settings automatically without prompts
|
||||||
./WELA.ps1 update-rules # Update rule config files from https://github.com/Yamato-Security/WELA
|
./WELA.ps1 update-rules # Update rule config files from https://github.com/Yamato-Security/WELA
|
||||||
./WELA.ps1 help # Show this help
|
./WELA.ps1 help # Show this help
|
||||||
"@
|
"@
|
||||||
@@ -5443,6 +5813,9 @@ Write-Host $logo -ForegroundColor Green
|
|||||||
|
|
||||||
switch ($Cmd.ToLower()) {
|
switch ($Cmd.ToLower()) {
|
||||||
"audit-settings" {
|
"audit-settings" {
|
||||||
|
if ([string]::IsNullOrEmpty($Baseline)) {
|
||||||
|
$Baseline = "YamatoSecurity"
|
||||||
|
}
|
||||||
$validGuides = @("YamatoSecurity", "ASD", "Microsoft_Client", "Microsoft_Server")
|
$validGuides = @("YamatoSecurity", "ASD", "Microsoft_Client", "Microsoft_Server")
|
||||||
if (-not ($validGuides -contains $Baseline.ToLower())) {
|
if (-not ($validGuides -contains $Baseline.ToLower())) {
|
||||||
Write-Host "Invalid Guide specified. Valid options are: YamatoSecurity, ASD, Microsoft_Client, Microsoft_Server."
|
Write-Host "Invalid Guide specified. Valid options are: YamatoSecurity, ASD, Microsoft_Client, Microsoft_Server."
|
||||||
@@ -5454,6 +5827,19 @@ switch ($Cmd.ToLower()) {
|
|||||||
AuditFileSize
|
AuditFileSize
|
||||||
}
|
}
|
||||||
|
|
||||||
|
"configure" {
|
||||||
|
if ([string]::IsNullOrEmpty($Baseline)) {
|
||||||
|
Write-Host "You need to specify a baseline. The following baselines are available:"
|
||||||
|
Write-Host " * YamatoSecurity"
|
||||||
|
Write-Host ""
|
||||||
|
Write-Host "Examples: "
|
||||||
|
Write-Host "./WELA.ps1 configure -Baseline YamatoSecurity"
|
||||||
|
Write-Host "./WELA.ps1 configure -Baseline YamatoSecurity -Auto"
|
||||||
|
break
|
||||||
|
}
|
||||||
|
ConfigureAuditSettings -Baseline $Baseline -Auto:$Auto
|
||||||
|
}
|
||||||
|
|
||||||
"update-rules" {
|
"update-rules" {
|
||||||
UpdateRules
|
UpdateRules
|
||||||
}
|
}
|
||||||
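Review bot: The `[OK]` line after `wevtutil sl $log /ms:$oneGB 2>&1 | Out-Null` in ConfigureAuditSettings is printed whether or not wevtutil succeeded, because its output is discarded and `$LASTEXITCODE` is never inspected; the same pattern is at the `/ms:$oneTwentyEightMB` and `/e:true` calls, whereas the reg.exe and auditpol.exe branches do check `$process.ExitCode`. Replacing the unconditional success message with `if ($LASTEXITCODE -eq 0) { Write-Host "[OK] $log : 1024 MB" -ForegroundColor Green } else { Write-Host "[ERROR] $log : wevtutil exited with $LASTEXITCODE" -ForegroundColor Red }` (and its 128 MB / Enabled counterparts) keeps the console report consistent with what was actually applied. Separately, `ConfigureAuditSettings` declares `[string] $Baseline` but never reads it, and the `"configure"` dispatcher only checks that `$Baseline` is non-empty, so a value such as `-Baseline ASD` (accepted by audit-settings) would silently apply the YamatoSecurity settings; validating against the supported list as audit-settings does, or documenting that only `YamatoSecurity` is implemented, would avoid a misleading result. The function also writes `./auditpol.txt` but `GetAuditpol` is defined outside this hunk, so I cannot confirm it consumes that file.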