Module/Rule.UserRight/Convert/Methods.ps1
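# Copyright (c) Microsoft Corporation. All rights reserved.
# Licensed under the MIT License.

#region Method Functions

<#
    .SYNOPSIS
        Gets the User Rights Assignment display name from the check-content.

    .DESCRIPTION
        Extracts every quoted string from the check-content and returns the
        first one that is a known key of the module-level
        $userRightNameToConstant lookup table. Strings that are quoted but not
        a recognised user right (e.g. "gpedit.msc") are ignored, so a STIG
        whose wording quotes something other than the policy name falls
        through to the "Not Found" branch and returns nothing.

    .PARAMETER CheckContent
        The STIG check-content, one element per line.

    .OUTPUTS
        [string] The matching display name, or nothing when no quoted string
        matches a known user right (only a verbose message is written).

    .NOTES
        Depends on [RegularExpression]::TextBetweenQuotes and
        $userRightNameToConstant, both defined elsewhere in the module.
#>
function Get-UserRightDisplayName
{
    [CmdletBinding()]
    [OutputType([string])]
    param
    (
        [Parameter(Mandatory = $true)]
        [string[]]
        $CheckContent
    )

    Write-Verbose "[$($MyInvocation.MyCommand.Name)]"

    # Use a regular expression to pull the user right string from between the quotes.
    $userRightDisplayNameSearch = ( $checkContent | Select-String -Pattern ([RegularExpression]::TextBetweenQuotes) -AllMatches )

    # Keep only quoted strings that are a known policy display name; everything
    # else in quotes (file names, dialog titles, ...) is noise.
    [string[]] $userRightDisplayName = $userRightDisplayNameSearch.matches.Groups.Value |
        Where-Object { $userRightNameToConstant.Keys -contains $PSItem }

    if ( $null -ne $userRightDisplayName )
    {
        Write-Verbose "[$($MyInvocation.MyCommand.Name)] UserRightDisplayName : $UserRightDisplayName "
        # A rule describes one policy; when several quoted matches survive the
        # filter the first one in document order wins.
        return $userRightDisplayName[0]
    }
    else
    {
        Write-Verbose "[$($MyInvocation.MyCommand.Name)] UserRightDisplayName : Not Found"
    }
}

<#
    .SYNOPSIS
        Converts a User Rights Assignment display name to its policy constant.

    .DESCRIPTION
        Looks the display name up in the module-level $userRightNameToConstant
        table (e.g. a human readable policy title to its Se*Privilege style
        constant). Returns nothing, with only a verbose message, when the name
        is not in the table.

    .PARAMETER UserRightDisplayName
        The display name as it appears in the check-content.

    .OUTPUTS
        [string] The constant, or nothing when the display name is unknown.
#>
function Get-UserRightConstant
{
    [CmdletBinding()]
    [OutputType([string])]
    param
    (
        [Parameter(Mandatory = $true)]
        [string]
        $UserRightDisplayName
    )

    Write-Verbose "[$($MyInvocation.MyCommand.Name)]"

    $userRightConstant = $userRightNameToConstant.$UserRightDisplayName

    if ( $null -ne $userRightConstant )
    {
        Write-Verbose "[$($MyInvocation.MyCommand.Name)] Found: $UserRightDisplayName : $userRightConstant "
        $userRightConstant
    }
    else
    {
        Write-Verbose "[$($MyInvocation.MyCommand.Name)] Not Found : $UserRightDisplayName "
    }
}

<#
    .SYNOPSIS
        Gets the identities (accounts/groups) that the check-content assigns to
        the User Rights Assignment policy.

    .DESCRIPTION
        The identities are recovered heuristically from free-text STIG prose,
        in three shapes:

        1. The DNS server log file special case ("Administrators Auditors"),
           which always yields 'Administrators'.
        2. "If any accounts or groups other than the following ... this is a
           finding" (Ensure = Present): every non-empty line after the FIRST
           "this is a finding" sentence that does not look like explanatory
           prose is taken as an identity, after normalisation.
        3. "If any accounts or groups ... are granted/defined ... this is a
           finding" (Ensure = Absent): the sentinel string 'NULL' is returned,
           meaning no identity may hold the right.

        Normalisation applied to each candidate line in case 2:
          - a leading "- " (Windows Server 2016 STIG list marker) is stripped;
          - lines containing ':' or starting with If/Microsoft/Organizations/
            Vendor/The/"Systems|Workstations Dedicated", or mentioning
            "Privileged Access", are treated as prose and skipped;
          - any line mentioning Hyper-V becomes the placeholder '{Hyper-V}';
          - Enterprise/Domain Admin(s) and Guests lose a trailing " Group" and
            a singular "Admin" is pluralised;
          - the "Local account and member of Administrators group" or
            "Local account" alternative becomes a regex alternation;
          - otherwise any parenthesised note is removed and the line trimmed.

    .PARAMETER CheckContent
        The STIG check-content, one element per line.

    .OUTPUTS
        [string[]] The identities, 'NULL' for the Absent case, or nothing when
        no pattern matched.

    .NOTES
        Because the extraction is regex based, a wording change in a STIG that
        defeats the patterns produces an EMPTY result silently (only verbose
        output). The output is what ends up enforced on the target, so a caller
        should treat "no identities and no 'NULL'" as a parse failure to be
        reviewed rather than as an empty assignment — confirm that the
        consumer of this function does so.
#>
function Get-UserRightIdentity
{
    [CmdletBinding()]
    [OutputType([string[]])]
    param
    (
        [Parameter(Mandatory = $true)]
        [string[]]
        $CheckContent
    )

    Write-Verbose "[$($MyInvocation.MyCommand.Name)]"

    $return = [System.Collections.ArrayList] @()

    if ($checkContent -Match "Administrators\sAuditors\s" -and $checkContent -Match "DNS\sServer\slog\sfile" )
    {
        # DNS server log special case: the STIG names the identity in prose
        # rather than as a list, so it is hard-coded here.
        [void] $return.Add('Administrators')
    }
    elseif ($checkContent -Match "If (any|the following){1} (accounts or groups|groups or accounts) (other than the following|are not defined){1}.*this is a finding")
    {
        Write-Verbose "[$($MyInvocation.MyCommand.Name)] Ensure : Present"

        # There is an edge case where multiple finding statements are made, so
        # a zero index is needed: the identity list follows the FIRST one.
        [int] $lineNumber = (($checkContent | Select-String "this is a finding")[0]).LineNumber

        # Select-String's LineNumber is 1-based, so as a 0-based index it already
        # points at the line AFTER the finding statement. The previous
        # implementation used a negative start index ($lineNumber - Count .. -1);
        # when the finding statement was the LAST line that became 0..-1, which
        # PowerShell expands to the first and last elements and wrongly turned
        # the opening "Verify ..." sentence into an identity. Guard explicitly.
        if ($lineNumber -lt $checkContent.Count)
        {
            $identityLines = $checkContent[$lineNumber..($checkContent.Count - 1)]
        }
        else
        {
            $identityLines = @()
        }

        foreach ($line in $identityLines)
        {
            <#
                The Windows Server 2016 STIG prepends each identity with a dash
                space (- ) that needs to be trimmed from the results before
                they are returned.
            #>
            $line = $line -replace '^\s*-\s*', ''

            # Skip explanatory prose (sentences with ':' or common lead-ins)
            # and blank lines; what survives is assumed to be an identity.
            if ( $line.Trim() -notmatch ":|^If|^Microsoft|^Organizations|^Vendor|^The|^(Systems|Workstations)\sDedicated|Privileged Access" -and -not [string]::IsNullOrEmpty( $line.Trim() ) )
            {
                <#
                    There are a few entries that add the word 'group' to the
                    end of the group name, so they need to be cleaned up.
                #>
                if ($line.Trim() -match "Hyper-V")
                {
                    # Placeholder resolved later; the real Hyper-V group name
                    # varies per host.
                    [void] $return.Add("{Hyper-V}")
                }
                elseif ($line.Trim() -match "(^Enterprise|^Domain) (Admins|Admin)|^Guests")
                {
                    if ($line -match '\sAdmin\s')
                    {
                        $line = $line -replace 'Admin', 'Admins'
                    }
                    # .Trim method is case sensitive, so the replace operator is used instead
                    [void] $return.Add($($line.Trim() -replace ' Group').Trim())
                }
                elseif ($line.Trim() -match '"Local account and member of Administrators group" or "Local account"')
                {
                    # Either of the two identities satisfies the rule; express
                    # that as a regex alternation for the consumer to match.
                    [void] $return.Add('(Local account and member of Administrators group|Local account)')
                }
                else
                {
                    <#
                        The below regex will remove anything between
                        parentheses. This addresses the edge case where
                        parentheses are used to add a note following the
                        identity.
                    #>
                    [void] $return.Add( ($line -replace '\([\s\S]*?\)').Trim() )
                }
            }
        }
    }
    elseif ($checkContent -Match "If any (accounts or groups|groups or accounts).*are (granted|defined).*this is a finding")
    {
        Write-Verbose "[$($MyInvocation.MyCommand.Name)] Ensure : Absent"
        # Sentinel meaning "no identity may hold this right".
        [void] $return.Add("NULL")
    }

    $return
}

<#
    .SYNOPSIS
        Looks in the check-content to see if it describes a strict (exclusive)
        User Rights Assignment.

    .DESCRIPTION
        Returns $true when the STIG says that ANY identity other than the listed
        ones (or any identity at all) is a finding, i.e. the configured list
        must be enforced exactly rather than merely added to. Presumably this
        drives a "Force"-style flag on the consuming resource — verify against
        the caller.

    .PARAMETER CheckContent
        The STIG check-content, one element per line.

    .OUTPUTS
        [bool]
#>
function Test-SetForceFlag
{
    [CmdletBinding()]
    [OutputType([bool])]
    param
    (
        [Parameter(Mandatory = $true)]
        [string[]]
        $CheckContent
    )

    if ($checkContent -match 'If any (accounts or groups|groups or accounts) other than the following')
    {
        return $true
    }
    elseif ($checkContent -match 'If any (accounts or groups|groups or accounts)\s*(\(.*\),)?\s*are (granted|defined)')
    {
        # Optional parenthesised aside, e.g. "(to include administrators),"
        # between the subject and "are granted".
        return $true
    }

    return $false
}

<#
    .SYNOPSIS
        Supports the ContainsMultipleRules static method to test for multiple
        user rights assignment rules in a single check-content.

    .DESCRIPTION
        Counts the lines mentioning "local computer policy" (case-insensitive,
        Select-String default); more than one such navigation line means the
        check-content describes more than one policy.

    .PARAMETER CheckContent
        The STIG check-content, one element per line.

    .OUTPUTS
        [bool]
#>
function Test-MultipleUserRightsAssignment
{
    [CmdletBinding()]
    [OutputType([bool])]
    param
    (
        [Parameter(Mandatory = $true)]
        [AllowEmptyString()]
        [string[]]
        $CheckContent
    )

    Write-Verbose "[$($MyInvocation.MyCommand.Name)]"

    $userRightMatches = $checkContent | Select-String -Pattern 'local computer policy'

    if ( $userRightMatches.count -gt 1 )
    {
        return $true
    }

    return $false
}

<#
    .SYNOPSIS
        Parses STIG check-content to return text pertaining to individual
        UserRightAssignment rules.

    .DESCRIPTION
        Splits the check-content at each "local computer policy" navigation
        line. Each returned string holds the lines AFTER one navigation line up
        to (but not including) the next navigation line, joined with CRLF. The
        navigation lines themselves are not part of any chunk.

    .PARAMETER CheckContent
        The STIG check-content, one element per line.

    .OUTPUTS
        [string[]] One CRLF-joined block of text per navigation line.

    .NOTES
        The last chunk is sliced up to index $checkContent.Length, which is one
        past the end; PowerShell yields $null for that index, so the final
        chunk carries one extra trailing CRLF compared to the others. Left
        as-is to keep the output byte-identical for existing consumers.
#>
function Split-MultipleUserRightsAssignment
{
    [CmdletBinding()]
    [OutputType([string[]])]
    param
    (
        [Parameter(Mandatory = $true)]
        [AllowEmptyString()]
        [string[]]
        $CheckContent
    )

    Write-Verbose "[$($MyInvocation.MyCommand.Name)]"

    $userRightMatches = $checkContent | Select-String -Pattern 'local computer policy'

    $i = 1
    foreach ( $match in $userRightMatches )
    {
        $stringBuilder = New-Object System.Text.StringBuilder

        # LineNumber is 1-based, so as a 0-based index it is the line after the
        # navigation line; the next match's LineNumber - 2 is the line before
        # the next navigation line.
        if ($i -ne $userRightMatches.count)
        {
            [string[]] $content = $checkContent[($match.lineNumber)..($userRightMatches[$i].lineNumber - 2 )]
        }
        else
        {
            [string[]] $content = $checkContent[($match.lineNumber)..$checkContent.Length]
        }

        foreach ( $line in $content )
        {
            [void] $stringBuilder.Append("$line`r`n")
        }

        $i++
        $stringBuilder.ToString()
    }
}

#endregion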