test_baseline.rb

# Password policy
control 'cis-password-policy-1' do
  impact 1.0
  title 'Password history >= N'
  describe security_policy do
    its('PasswordHistorySize') { should be >= input('password_history_size_min') }
  end
end

control 'cis-password-policy-2' do
  impact 1.0
  title 'Minimum password length >= N'
  describe security_policy do
    its('MinimumPasswordLength') { should be >= input('min_password_length') }
  end
end

control 'cis-password-policy-3' do
  impact 1.0
  title 'Password complexity enabled'
  describe security_policy do
    its('PasswordComplexity') { should eq 1 }
  end
end

control 'cis-password-policy-4' do
  impact 0.7
  title 'Account lockout threshold >= N'
  describe security_policy do
    its('LockoutBadCount') { should be >= input('lockout_threshold_min') }
  end
end

control 'cis-password-policy-5' do
  impact 0.5
  title 'Maximum password age (days) <= N'
  describe security_policy do
    its('MaximumPasswordAge') { should be <= input('max_password_age_days') }
  end
end

# RDP hardening
control 'cis-rdp-1' do
  impact 1.0
  title 'Remote Desktop disabled (if policy requires)'
  describe registry_key('HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server') do
    its('fDenyTSConnections') { should eq input('rdp_disabled') }
  end
end

control 'cis-rdp-2' do
  impact 1.0
  title 'Require Network Level Authentication for RDP'
  describe registry_key('HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp') do
    its('UserAuthentication') { should eq input('rdp_nla_required') }
  end
end

# SMB signing (server & client)
control 'cis-smb-signing-1' do
  impact 0.9
  title 'SMB server requires signing'
  describe registry_key('HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters') do
    its('RequireSecuritySignature') { should eq 1 }
  end
end

control 'cis-smb-signing-2' do
  impact 0.7
  title 'SMB client requires signing'
  describe registry_key('HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters') do
    its('RequireSecuritySignature') { should eq 1 }
  end
end

# LM hashes & NTLM policy
control 'cis-lmhash-1' do
  impact 1.0
  title 'Do not store LM hash'
  describe registry_key('HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa') do
    its('NoLMHash') { should eq 1 }
  end
end

control 'cis-lmhash-2' do
  impact 0.9
  title 'LAN Manager authentication level (>= 5)'
  describe registry_key('HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa') do
    its('LmCompatibilityLevel') { should be >= input('lm_compat_min') }
  end
end

# Anonymous / null session restrictions
control 'cis-anon-1' do
  impact 0.9
  title 'Do not allow anonymous enumeration of SAM accounts'
  describe registry_key('HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa') do
    its('RestrictAnonymousSAM') { should eq 1 }
  end
end

control 'cis-anon-2' do
  impact 0.9
  title 'Do not allow anonymous enumeration of SAM accounts and shares'
  describe registry_key('HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa') do
    its('RestrictAnonymous') { should be_in [1,2] } # 1 or 2 depending on policy
  end
end

control 'cis-anon-3' do
  impact 0.7
  title 'EveryoneIncludesAnonymous disabled'
  describe registry_key('HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa') do
    its('EveryoneIncludesAnonymous') { should eq 0 }
  end
end

# Audit policy (examples)
control 'cis-audit-1' do
  impact 0.8
  title 'Advanced Audit: Logon - Success and Failure'
  logon = powershell('auditpol /get /subcategory:"Logon"').stdout
  describe logon do
    it { should match /Success/i }
    it { should match /Failure/i }
  end
end

control 'cis-audit-2' do
  impact 0.8
  title 'Advanced Audit: Credential Validation - Success and Failure'
  cv = powershell('auditpol /get /subcategory:"Credential Validation"').stdout
  describe cv do
    it { should match /Success/i }
    it { should match /Failure/i }
  end
end

control 'cis-audit-3' do
  impact 0.6
  title 'Advanced Audit: Audit Policy Change - Success and Failure'
  apc = powershell('auditpol /get /subcategory:"Audit Policy Change"').stdout
  describe apc do
    it { should match /Success/i }
    it { should match /Failure/i }
  end
end