-
Notifications
You must be signed in to change notification settings - Fork 54
/
instructions.en.yaml
270 lines (245 loc) · 12.1 KB
/
instructions.en.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
organization: Stethoscope
version: "1.0"
policyFormat: "1.0"
strings:
ok: This device is properly configured
warning: >
The security settings on this device could be improved.
Click the arrow next to each recommendation for instructions.
critical: >
The security settings on this device should be improved.
Click the arrow next to each recommendation for instructions.
policyDescription: baseline policy
rescanButton: rescan
lastScan: Last scanned by
practices:
firewall:
title: >
{{#if passing}}
Your Firewall is enabled
{{else}}
Your Firewall should be enabled
{{/if}}
description: >
Firewalls control network traffic into and out of a system. Enabling the firewall on your device can prevent network-based attacks on your system, and is especially important if you make use of insecure wireless networks (such as at coffee shops and airports).
directions:
darwin: |
1. Choose System Preferences from the Apple menu.
1. Click [Security or Security & Privacy](x-apple.systempreferences:com.apple.preference.security).
1. Click the [Firewall](x-apple.systempreferences:com.apple.preference.security?Firewall) tab.
1. Unlock the pane by clicking the lock in the lower-left corner and enter the administrator username and password.
1. Click "Turn On Firewall" or "Start" to enable the firewall.
1. Click Advanced to customize the firewall configuration.
win32: |
1. Open [Windows Firewall Settings](ps://wf.msc)
1. Click "Windows Defender Firewall Properties" in the center pane
1. Ensure "Firewall state" is set to "On (recommended)" on the Domain, Public, and Private Profile tabs
1. Click OK
linux: |
1. Open a terminal.
1. Enter the command: "sudo ufw enable".
stethoscopeVersion:
title: >
{{#if passing}}
Stethoscope is up-to-date
{{else}}
Stethoscope needs to be updated
{{/if}}
description: >
Keeping the Stethoscope app up-to-date gives you access to the latest features, security patches, and performance improvements.
directions:
darwin: |
<a href='stethoscope://update' class="btn">Update Stethoscope</a>
win32: |
<a href='stethoscope://update' class="btn">Update Stethoscope</a>.
linux: |
<a href='stethoscope://update' class="btn">Update Stethoscope</a>.
remoteLogin:
title: >
{{#if passing}}
Remote Login is disabled
{{else}}
Remote Login should be disabled
{{/if}}
description: >
The 'Remote Login' setting on your device controls whether users can login remotely to the system. If you don't know what this is or why you would want it, you should disable 'Remote Login'.
directions:
darwin: |
1. Choose System Preferences from the Apple menu.
1. Click [Sharing](x-apple.systempreferences:com.apple.preferences.sharing?Services_RemoteLogin).
1. Uncheck "Remote Login" on the left.
win32: |
1. Open [Advanced System Preferences](ps://SystemPropertiesRemote).
1. Under "Remote Desktop" heading, select "Don't allow remote connections to this computer".
1. Click Apply.
1. Click OK.
diskEncryption:
title: >
{{#if passing}}
Disk Encryption is enabled
{{else}}
Disk Encryption should be enabled
{{/if}}
description: >
Full-disk encryption protects data at rest from being accessed by a party who does not know the password or decryption key. Systems containing internal data should be encrypted. It is every employee's responsibility to keep internal data safe.
directions:
darwin: |
1. Choose System Preferences from the Apple menu.
1. Click [Security or Security & Privacy](x-apple.systempreferences:com.apple.preference.security).
1. Click the [FileVault](x-apple.systempreferences:com.apple.preference.security?FDE) tab.
1. Unlock the pane by clicking the lock in the lower-left corner and enter the administrator username and password.
1. Click "Turn On FileVault" to start the process.
{{#each disks}}
<li>
{{#if this.encrypted}}
{{{okIcon this.label}}}
{{else}}
{{{warnIcon this.label}}}
{{/if}}
</li>
{{/each}}
win32: |
1. Open [BitLocker Drive Encryption](prefs://BitLocker).
1. Click "Turn on BitLocker".
linux: |
1. See the [CryptoRoot section of this guide](https://help.ubuntu.com/community/FullDiskEncryptionHowto).
automaticUpdates:
title: >
{{#if passing}}
Automatic Updates are enabled
{{else}}
Automatic Updates should be enabled
{{/if}}
description: >
One of the most important things you can do to secure your device(s) is to keep your operating system and software up to date. New vulnerabilities and weaknesses are found every day, so frequent updates are essential to ensuring your device(s) include the latest fixes and preventative measures. Enabling automatic updating helps ensure your machine is up-to-date without having to manually install updates.
directions:
darwin: |
1. Choose System Preferences from the Apple menu.
{{#if mojaveOrLater}}
1. Click [Software Update](x-apple.systempreferences:com.apple.preferences.softwareupdate)
{{else}}
1. Click [App Store](prefs://com.apple.preferences.appstore).
{{/if}}
1. Click "Automatically check for updates"
{{#unless passing}}
1. Make sure the following are checked:
- {{{statusIcon automaticCheckEnabled 'Automatically check for updates'}}}
- {{{statusIcon automaticDownloadUpdates 'Download new updates when available'}}}
- {{{statusIcon automaticOsUpdates 'Install macOS updates'}}}
- {{{statusIcon automaticAppUpdates 'Install app updates from the App Store'}}}
- {{{statusIcon automaticSecurityUpdates 'Install system data files and \*security updates\*'}}}
{{/unless}}
win32: |
1. Open [Services](ps://services.msc) (Start > Run > services.msc).
1. Scroll down to find "Windows Update" and double-click the name.
1. Change "Startup Type" from "DISABLED" to "MANUAL" or "AUTOMATIC".
1. Click "Apply".
1. Click "OK".
If you manually disabled Windows Update using Group Policy Editor:
1. Open [Local Group Policy Editor](ps://gpedit.msc) (Start > Run > gpedit.msc)
1. Expand: Computer Configuration > Administrative Templates > Windows Components > Windows Update
1. Find and double-click on "Configure Automatic Updates"
1. Select "Enabled" or "Not Configured" to turn automatic updates back on
screenLock:
title: >
{{#if passing}}
Screen Lock is enabled
{{else}}
Screen Lock should be enabled
{{/if}}
description: >
Screen locks, or screen saver locks, prevent unauthorized third-parties from accessing your laptop when unattended by requiring a password to dismiss the screen saver or wake from "sleep" mode.
directions:
darwin: |
1. Choose System Preferences from the Apple menu.
1. Click [Security or Security & Privacy](x-apple.systempreferences:com.apple.preference.security).
1. Select the [General](x-apple.systempreferences:com.apple.preference.security?General) tab.
1. Unlock the pane by clicking the lock in the lower-left corner and enter the administrator username and password.
1. Check the "Require password" box and set the pull down menu to to "immediately" after sleep or screen saver begins.
win32: |
Standard settings:
1. Open [Lock screen settings](ms-settings:lockscreen).
1. Scroll down and click on "Screen timeout settings".
1. Ensure that Screen settings for "On battery power" and "When plugged in" are less than or equal to 10 minutes.
If fixing the standard settings doesn't resolve the issue:
1. Open [User Account Settings](ps://netplwiz).
1. Ensure that "Users must enter a user name and password to use this computer" is checked.
1. Click "Apply".
1. Click "OK".
linux: |
1. From the upper-right drop-down menu, click the Settings icon.
1. In the left-hand pane, select Privacy.
1. Click on ScreenLock
1. Ensure that "Automatic Screen Lock" is set to ON.
screenIdle:
title: >
{{#if passing}}
Screen will lock when system is idle for too long.
{{else}}
Screen should lock when system is idle for too long.
{{/if}}
description: >
Screens which lock automatically when your laptop is unattended prevent unauthorized access from third-parties by requiring a password to dismiss the screen saver or wake from "sleep" mode. Your timeout setting should be equal to or less than the suggested setting below.
directions:
darwin: |
1. Choose [System Preferences](x-apple.systempreferences:com.apple.systempreferences) from the Apple menu.
1. Click Desktop & Screen Saver.
1. Click the [Screen Saver](open:///System/Library/PreferencePanes/DesktopScreenEffectsPref.prefPane/) tab.
1. Adjust the "Start after" dropdown to less than or equal to the number of seconds shown below.
{{securitySetting "screenIdle"}}
linux: |
1. From the upper-right drop-down menu, click the Settings icon.
1. In the left-hand pane, select Privacy.
1. Click on ScreenLock
1. Adjust the "Lock screen after blank" dropdown to less than or equal to the number of seconds shown below.
{{securitySetting "screenIdle"}}
osVersion:
title: >
{{#if passing}}
System is up-to-date
{{else}}
System needs to be updated
{{/if}}
description: >
One of the most important things you can do to secure your device(s) is to keep your operating system and software up to date. New vulnerabilities and weaknesses are found every day, so frequent updates are essential to ensuring your device(s) include the latest fixes and preventative measures.
directions:
darwin: |
1. Open the [App Store](app://App%20Store) app.
1. Click [Updates](macappstore://showUpdatesPage) on the top of the app window.
1. Install any outstanding updates.
If you don't see any available updates, you may need the next major version of MacOS. New releases are featured on the [App Store](app://App%20Store) home screen.
{{requirement "osVersion" "darwin"}}
win32: |
1. Open [Windows Update](ms-settings:windowsupdate) in the Settings.
1. Click "Restart now"
{{requirement "osVersion" "win32"}}
applications:
title: >
{{#if passing}}
Applications are following requirements
{{else}}
Applications are not following requirements
{{/if}}
description: >
Certain applications have been designated as required or prohibited by your organization. Required applications may also have acceptable versions.
directions:
darwin: |
See the following requirements:
win32: |
See the following requirements:
openWifiConnections:
title: >
{{#if passing}}
There are no open Wi-Fi networks cached locally
{{else}}
There are open Wi-Fi networks cached locally
{{/if}}
description: >
Unprotected Wi-Fi networks are a common attack vector for man-in-the-middle attacks. If you connect to an unprotected Wi-Fi hotspot once, your computer will then try to connect to any access point with a matching name in the future. An attacker can then simply spoof that network name and proxy all of the network traffic from the computer.
directions:
darwin: |
1. Choose [System Preferences](x-apple.systempreferences:com.apple.systempreferences) from the Apple menu.
1. Click Network.
1. Click on the Wi-Fi connection in the left pane
1. Click on "Advanced..."
1. Find and remove the networks that has Security set to "None"