Module/Rule.Permission/Convert/PermissionRule.Convert.psm1
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 |
# Copyright (c) Microsoft Corporation. All rights reserved. # Licensed under the MIT License. using module .\..\..\Common\Common.psm1 using module .\..\PermissionRule.psm1 $exclude = @($MyInvocation.MyCommand.Name,'Template.*.txt') $supportFileList = Get-ChildItem -Path $PSScriptRoot -Exclude $exclude foreach ($supportFile in $supportFileList) { Write-Verbose "Loading $($supportFile.FullName)" . $supportFile.FullName } # Header <# .SYNOPSIS Convert the contents of an xccdf check-content element into a permission object .DESCRIPTION The PermissionRule class is used to extract the permission settings from the check-content of the xccdf. Once a STIG rule is identified a permission rule, it is passed to the PermissionRule class for parsing and validation. #> class PermissionRuleConvert : PermissionRule { <# .SYNOPSIS Empty constructor for SplitFactory #> PermissionRuleConvert () { } <# .SYNOPSIS Converts an xccdf stig rule element into a Permission Rule .PARAMETER XccdfRule The STIG rule to convert #> PermissionRuleConvert ([xml.xmlelement] $XccdfRule) : base ($XccdfRule, $true) { $this.SetPath() $this.SetDscResource() $this.SetForce() $this.SetAccessControlEntry() $this.SetDuplicateRule() $this.SetDscResource() $this.SetOrganizationValueRequired() } # Methods <# .SYNOPSIS Extracts the object path from the check-content and sets the value .DESCRIPTION Gets the object path from the xccdf content and sets the value. If the object path that is returned is not valid, the parser status is set to fail #> [void] SetPath () { $thisPath = Get-PermissionTargetPath -StigString $this.SplitCheckContent if (-not $this.SetStatus($thisPath)) { $this.set_Path($thisPath) } } <# .SYNOPSIS Sets the force flag .DESCRIPTION For now we're setting a default value. Later there could be additional logic here #> [void] SetForce () { $this.set_Force($true) if ($this.RawString -match 'Auditing Tab') { $this.set_Force($false) } } <# .SYNOPSIS Extracts the ACE from the check-content and sets the value .DESCRIPTION Gets the ACE from the xccdf content and sets the value. If the ACE that is returned is not valid, the parser status is set to fail #> [void] SetAccessControlEntry () { $thisAccessControlEntry = Get-PermissionAccessControlEntry -StigString $this.SplitCheckContent if (-not $this.SetStatus($thisAccessControlEntry)) # why can't this be $null -eq $thisAccessControlEntry ?? { foreach ($principal in $thisAccessControlEntry.Principal) { $this.SetStatus($principal) } foreach ($right in $thisAccessControlEntry.Rights) { if ($right -eq 'blank') { $this.SetStatus("", $true) continue } $this.SetStatus($right) } $this.set_AccessControlEntry($thisAccessControlEntry) } } hidden [void] SetDscResource () { if ($null -eq $this.DuplicateOf) { if ($this.Path) { switch ($this.Path) { {$PSItem -match '{domain}'} { $this.DscResource = "ActiveDirectoryAuditRuleEntry" } {$PSItem -match 'HKLM:\\'} { $this.DscResource = 'RegistryAccessEntry' } {$PSItem -match '(%windir%)|(ProgramFiles)|(%SystemDrive%)|(%ALLUSERSPROFILE%)'} { $this.DscResource = 'NTFSAccessEntry' } } } elseif ($this.RawString -match 'Auditing Tab') { $this.DscResource = 'FileSystemAuditRuleEntry' } } else { $this.DscResource = 'None' } } static [bool] Match ([string] $CheckContent) { if ( ($CheckContent -Match 'permission(s|)' -or $CheckContent -Match 'On the Security tab, click Advanced. On the Auditing tab') -and $CheckContent -NotMatch 'Forward\sLookup\sZones|Devices\sand\sPrinters|Shared\sFolders' -and $CheckContent -NotMatch 'Verify(ing)? the ((permissions .* ((G|g)roup (P|p)olicy|OU|ou))|auditing .* ((G|g)roup (P|p)olicy))' -and $CheckContent -NotMatch 'Open "Active Directory Users and Computers"' -and $CheckContent -NotMatch 'Windows Registry Editor' -and $CheckContent -NotMatch '(ID|id)s? .* (A|a)uditors?,? (SA|sa)s?,? .* (W|w)eb (A|a)dministrators? .* access to log files?' -and $CheckContent -NotMatch '\n*\.NET Trust Level' -and $CheckContent -NotMatch 'IIS 8\.5 web|IIS 10\.0 web' -and $CheckContent -cNotmatch 'SELECT' -and $CheckContent -NotMatch 'SQL Server' -and $CheckContent -NotMatch 'user\srights\sand\spermissions' -and $CheckContent -NotMatch 'Query the SA' -and $CheckContent -NotMatch "caspol\.exe" -and $CheckContent -NotMatch "Select the Group Policy Object item in the left pane" -and $CheckContent -NotMatch "Deny log on through Remote Desktop Services" -and $CheckContent -NotMatch "Interview the IAM" -and $CheckContent -NotMatch "InetMgr\.exe" -and $CheckContent -NotMatch "Register the required DLL module by typing the following at a command line ""regsvr32 schmmgmt.dll""." -and $CheckContent -NotMatch 'If any private assets' -and $CheckContent -NotMatch "roles.sql" -and $CheckContent -NotMatch '#.*\s+grep\s+.*' ) { return $true } return $false } <# .SYNOPSIS Tests if a rules contains more than one check .DESCRIPTION Gets the path defined in the rule from the xccdf content and then checks for the existance of multuple entries. .PARAMETER CheckContent The rule text from the check-content element in the xccdf #> <#{TODO}#> # HasMultipleRules is implemented inconsistently. static [bool] HasMultipleRules ([string] $CheckContent) { $permissionPaths = Get-PermissionTargetPath -StigString ([PermissionRule]::SplitCheckContent($CheckContent)) return (Test-MultiplePermissionRule -PermissionPath $permissionPaths) } <# .SYNOPSIS Splits mutiple paths from a singel rule into multiple rules .DESCRIPTION Once a rule has been found to have multiple checks, the rule needs to be split. This method splits a permission check into multiple rules. Each split rule id is appended with a dot and letter to keep reporting per the ID consistent. An example would be is V-1000 contained 2 checks, then SplitMultipleRules would return 2 objects with rule ids V-1000.a and V-1000.b .PARAMETER CheckContent The rule text from the check-content element in the xccdf #> static [string[]] SplitMultipleRules ([string] $CheckContent) { return (Split-MultiplePermissionRule -CheckContent ([PermissionRule]::SplitCheckContent($CheckContent))) } <# .SYNOPSIS Checks if a conversionStatus is passing and the for 1 null property. If those conditions are meet an OrganizationValue is required. #> [void] SetOrganizationValueRequired () { $propertyNames = @('Path','AccessControlEntry','Force') $nullPropertyCount = ($propertyNames | Where-Object -FilterScript {$null -eq $this.$PSItem}).Count if ($this.ConversionStatus -eq 'pass' -and $nullPropertyCount -eq 1) { $this.set_OrganizationValueRequired($true) } } #endregion } |