Module/Rule.nxService/Convert/nxServiceRule.Convert.psm1

# Copyright (c) Microsoft Corporation. All rights reserved.
# Licensed under the MIT License.
using module .\..\..\Common\Common.psm1
using module .\..\nxServiceRule.psm1

# Dot-source every support file found next to this module into the module's
# scope. Only the module file itself and files matching 'Template.*.txt' are
# skipped. The Get-nxService* functions used by the class below are not defined
# in this file; presumably they come from these support files - TODO confirm.
#
# NOTE(review): selection is by exclusion only. No extension filter, signature
# check or hash check is applied here, so any other file present in
# $PSScriptRoot is executed when the module is imported. Write access to this
# directory is therefore equivalent to code execution in the importing session;
# confirm the install path is writable only by trusted principals.
$exclude = @($MyInvocation.MyCommand.Name,'Template.*.txt')
$supportFileList = Get-ChildItem -Path $PSScriptRoot -Exclude $exclude
foreach ($supportFile in $supportFileList)
{
    # -Verbose output records the full path of each file that gets executed.
    Write-Verbose "Loading $($supportFile.FullName)"
    . $supportFile.FullName
}

<#
    .SYNOPSIS
        Convert the contents of an xccdf check-content and/or fixtext element
        into a Linux Service object.
    .DESCRIPTION
        The nxServiceRuleConvert class is used to extract the Linux Service from
        the check-content of the xccdf. Once a STIG rule is identified as a
        nx Service rule, it is passed to the nxServiceRuleConvert class for
        parsing and validation.
#>

class nxServiceRuleConvert : nxServiceRule
{
    <#
        .SYNOPSIS
            Parameterless constructor; the original comment says it exists for
            SplitFactory. It performs no initialization.
    #>

    nxServiceRuleConvert ()
    {
    }

    <#
        .SYNOPSIS
            Builds a nxServiceRule from a xccdf STIG rule element.
        .DESCRIPTION
            Reads the rule's fix text once and derives the service name, the
            enabled flag and the state from it, in that order. The duplicate
            check only runs when the conversion status is still 'pass' after
            those three steps. The DSC resource is assigned last because it
            depends on the outcome of the duplicate check.
        .PARAMETER XccdfRule
            The STIG rule to convert.
    #>

    nxServiceRuleConvert ([xml.xmlelement] $XccdfRule) : base ($XccdfRule, $true)
    {
        $ruleFixText = [nxServiceRule]::GetFixText($XccdfRule)

        # Order matters: SetServiceState reads the Enabled value set just before it.
        $this.SetServiceName($ruleFixText)
        $this.SetServiceEnabled($ruleFixText)
        $this.SetServiceState($ruleFixText)

        if ($this.conversionstatus -eq 'pass')
        {
            $this.SetDuplicateRule()
        }

        $this.SetDscResource()
    }

    <#
        .SYNOPSIS
            Extracts the service name from the fix text and stores it.
        .DESCRIPTION
            The value returned by Get-nxServiceName is handed to SetStatus and
            is only stored as the rule's Name when SetStatus returns a false
            value. SetStatus is defined outside this file; presumably it flags
            the conversion as failed for an unusable value - TODO confirm.
        .PARAMETER FixText
            The fix text of the STIG rule.
    #>

    [void] SetServiceName ([string] $FixText)
    {
        $parsedName = Get-nxServiceName -FixText $FixText

        if ($this.SetStatus($parsedName))
        {
            return
        }

        $this.set_Name($parsedName)
    }

    <#
        .SYNOPSIS
            Extracts the service enablement from the fix text and stores it.
        .DESCRIPTION
            The value returned by Get-nxServiceEnabled is handed to SetStatus
            and is only stored as the rule's Enabled value when SetStatus
            returns a false value.
        .PARAMETER FixText
            The fix text of the STIG rule.
    #>

    [void] SetServiceEnabled ([string] $FixText)
    {
        $parsedEnabled = Get-nxServiceEnabled -FixText $FixText

        if ($this.SetStatus($parsedEnabled))
        {
            return
        }

        $this.set_Enabled($parsedEnabled)
    }

    <#
        .SYNOPSIS
            Extracts the service state from the fix text and stores it.
        .DESCRIPTION
            Nothing is done when the rule's Enabled value is $false. Otherwise
            the state comes from Get-nxServiceState; when Enabled is $true and
            no state was parsed, 'Running' is used. The result is handed to
            SetStatus and only stored when SetStatus returns a false value.
        .PARAMETER FixText
            The fix text of the STIG rule.
    #>

    [void] SetServiceState ([string] $FixText)
    {
        # A rule that disables the service carries no state requirement here.
        if ($this.Enabled -eq $false)
        {
            return
        }

        $parsedState = Get-nxServiceState -FixText $FixText

        # NOTE(review): an enabled service with no parsable state is assumed to
        # require 'Running'. This is a default, not something read from the
        # rule; confirm it matches the intent of each STIG rule it applies to.
        if ($null -eq $parsedState -and $this.Enabled -eq $true)
        {
            $parsedState = 'Running'
        }

        if ($this.SetStatus($parsedState))
        {
            return
        }

        $this.set_State($parsedState)
    }

    <#
        .SYNOPSIS
            Tests whether check-content looks like a Linux service rule.
        .DESCRIPTION
            Returns $true when the text mentions a systemctl is-enabled,
            is-active or status call and also matches at least one of the
            known "this is a finding" phrasings; returns $false otherwise.
            The patterns are unanchored and use '.*', so this is a text
            heuristic. Most of them end in an unescaped '.', which matches any
            single character rather than only a literal period.
            NOTE(review): a rule classified here is later assigned the
            nxService resource by this class, so a loose match decides which
            setting is enforced; cover new STIG phrasings with tests.
        .PARAMETER CheckContent
            The check-content text of the STIG rule.
    #>

    static [bool] Match ([string] $CheckContent)
    {
        # Without a systemctl query no finding pattern is evaluated.
        if (-not ($CheckContent -Match 'systemctl\s*(is-enabled|is-active|status)'))
        {
            return $false
        }

        $findingPatterns = @(
            'If\s+(?:|the\s+)"\w*".*status.*,\s*this\s*is\s*a\s*finding',
            'If\s*the.*command.*returns.*,\s*this\s*is\s*a\s*finding.',
            'If\s*".*"\s*is\s*not\s*active\s*or\s*loaded,\s*this\s*is\s*a\s*finding.',
            'If\s*something\s*other\s*than\s*".*"\s*is\s*returned,\s*this\s*is\s*a\s*finding.',
            'If\s*the\s*service\s*is\s*active\s*and\s*is\s*not\s*documented,\s*this\s*is\s*a\s*finding.'
        )

        # Patterns are tried in the listed order; the first hit decides.
        foreach ($findingPattern in $findingPatterns)
        {
            if ($CheckContent -Match $findingPattern)
            {
                return $true
            }
        }

        return $false
    }

    <#
        .SYNOPSIS
            Tests if a rule contains multiple checks.
        .DESCRIPTION
            Always returns $false and takes no parameters. Kept for possible
            future use; as of 4.4.0 all STIGs have one Service per rule.
    #>

    [bool] HasMultipleRules ()
    {
        return $false
    }

    <#
        .SYNOPSIS
            Chooses the DSC resource name for this rule.
        .DESCRIPTION
            A rule whose DuplicateOf value is set gets 'None'; every other
            rule gets 'nxService'.
    #>

    hidden [void] SetDscResource ()
    {
        $this.DscResource = if ($null -ne $this.DuplicateOf)
        {
            'None'
        }
        else
        {
            'nxService'
        }
    }
}