<check_type: "Windows" version: "2">
<group_policy: "Verifies BitLocker settings">
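# Prerequisite: powershell.exe must exist. The BitLocker detection below is an
# AUDIT_POWERSHELL item, so without an interpreter the rest of this audit cannot
# run at all rather than merely failing one check.
# (The original info text mentioned Spectre/Meltdown mitigation checks; that was
# copy-paste residue from a different audit file and does not apply here.)
<custom_item>
type: FILE_CHECK
description: "Detects if powershell.exe exists."
info: "Detects if powershell.exe exists. PowerShell is required for the AUDIT_POWERSHELL checks in this custom audit file.
Looks for:
%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe
"
value_type: POLICY_TEXT
value_data: "%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe"
check_type: CHECK_EQUAL
file_option: MUST_EXIST
severity: HIGH
</custom_item>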
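# Prerequisite: PowerShell 2.0 or later. $PSVersionTable.PSVersion is already a
# [System.Version], so compare its Major component directly instead of parsing
# the first three characters of the version string, which would mis-handle any
# two-digit major version (e.g. "10.0" -> "10." is not a valid Version).
# On PowerShell 1.0 $PSVersionTable does not exist, so the expression evaluates
# to False and the check fails, which is the intended result.
<custom_item>
type: AUDIT_POWERSHELL
description: "Detects if PowerShell 2.0 or later is installed."
info: "
Detects if PowerShell 2.0 or later is installed.
Executes PowerShell code:
$PSVersionTable.PSVersion.Major -ge 2
"
value_type: POLICY_TEXT
value_data: "True"
check_type: CHECK_EQUAL
powershell_args: "$PSVersionTable.PSVersion.Major -ge 2"
ps_encoded_args: NO
only_show_cmd_output: NO
severity: HIGH
</custom_item>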
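# BitLocker sleep-state countermeasure.
# If the system drive is BitLocker-protected, S1-S3 standby leaves the volume
# key in RAM and resumes without pre-boot authentication, so both "Allow standby
# states (S1-S3) when sleeping" policies must be Disabled (forcing hibernate or
# shutdown instead). If BitLocker protection is not on, the standby policies are
# not applicable and the audit reports PASSED.
#
# Win32_EncryptableVolume.ProtectionStatus: 0 = protection off, 1 = protection
# on, 2 = unknown. Only 1 is treated as protected; a missing WMI provider
# ($bitlocker is $null, e.g. editions without BitLocker) or an unknown state
# falls through to the <else> branch.
#
# Fixes relative to the previous revision of this file:
#  - the condition tested ProtectionStatus -eq 0, i.e. it was True when
#    BitLocker was OFF, so the standby checks ran on unprotected machines and
#    protected machines hit the "BitLocker not enabled" PASSED report;
#  - the -Filter argument was wrapped in an extra pair of double quotes that did
#    not match the command documented in info; only the \" escapes are needed;
#  - the "plugged in" item used reg_item DCSettingIndex, so ACSettingIndex was
#    never audited and the battery policy was checked twice;
#  - the condition's info text described SpeculationControl/January 2018 patch
#    troubleshooting, which belongs to a different audit file.
#
# NOTE(review): the root/CIMV2/Security/MicrosoftVolumeEncryption namespace is
# normally readable only with administrative rights. Confirm the scan account is
# a local administrator; otherwise the query returns nothing, the condition is
# False and the standby checks are silently skipped with a PASSED report.
<if>
<condition type: "and">
<custom_item>
type: AUDIT_POWERSHELL
description: "Detects if BitLocker protection is on for the system drive by using PowerShell"
info: "
Detects if BitLocker protection is on for the system drive (Win32_EncryptableVolume.ProtectionStatus equals 1).
Requires administrative rights on the target to read the MicrosoftVolumeEncryption WMI namespace.
Executes PowerShell code:
$bitlocker = Get-WMIObject -Class 'Win32_EncryptableVolume' -Namespace 'root/CIMV2/Security/MicrosoftVolumeEncryption' -Filter \"DriveLetter='$env:SystemDrive'\"; $bitlocker.ProtectionStatus -eq 1
"
value_type: POLICY_TEXT
value_data: "True"
check_type: CHECK_EQUAL
powershell_args: "$bitlocker = Get-WMIObject -Class 'Win32_EncryptableVolume' -Namespace 'root/CIMV2/Security/MicrosoftVolumeEncryption' -Filter \"DriveLetter='$env:SystemDrive'\"; $bitlocker.ProtectionStatus -eq 1"
ps_encoded_args: NO
only_show_cmd_output: NO
severity: HIGH
</custom_item>
</condition>
<then>
# Battery power: DCSettingIndex = 0 means "Allow standby states (S1-S3) when
# sleeping (on battery)" is Disabled.
<custom_item>
type: REGISTRY_SETTING
description: "Detects if allowing standby state when on battery is disabled."
info: "
Detects if allowing standby states (S1-S3) when sleeping on battery is disabled. The registry value data must be set to 0 for standby on battery to be disabled. This prevents a BitLocker-protected system from sleeping with the volume key resident in RAM.
Key: HKLM\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab
Value Name: DCSettingIndex
Value Data: 0
Value Type: DWORD
Computer Configuration > System > Power Management > Sleep Settings
Allow standby states (S1-S3) when sleeping (on battery)
Disabled
"
value_type: POLICY_DWORD
value_data: 0
reg_key: "HKLM\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab"
reg_item: "DCSettingIndex"
reg_option: CAN_NOT_BE_NULL
severity: HIGH
</custom_item>
# AC power: ACSettingIndex = 0 means "Allow standby states (S1-S3) when sleeping
# (plugged in)" is Disabled. This item previously pointed at DCSettingIndex.
<custom_item>
type: REGISTRY_SETTING
description: "Detects if allowing standby state when plugged in is disabled."
info: "
Detects if allowing standby states (S1-S3) when sleeping plugged in is disabled. The registry value data must be set to 0 for standby when plugged in to be disabled. This prevents a BitLocker-protected system from sleeping with the volume key resident in RAM.
Key: HKLM\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab
Value Name: ACSettingIndex
Value Data: 0
Value Type: DWORD
Computer Configuration > System > Power Management > Sleep Settings
Allow standby states (S1-S3) when sleeping (plugged in)
Disabled
"
value_type: POLICY_DWORD
value_data: 0
reg_key: "HKLM\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab"
reg_item: "ACSettingIndex"
reg_option: CAN_NOT_BE_NULL
severity: HIGH
</custom_item>
</then>
<else>
# Reached when ProtectionStatus is 0 (off), 2 (unknown) or the volume could not
# be queried; the standby countermeasure is not applicable in that case.
<report type: "PASSED">
description: "BitLocker protection not on for the system drive."
info: "BitLocker protection is not on for the system drive (ProtectionStatus is not 1, or the volume could not be queried), so the standby-state countermeasure checks do not apply.
"
</report>
</else>
</if>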
</group_policy>
</check_type>