PowerSTIG

4.4.2

Module/Rule.ProcessMitigation/Convert/Methods.ps1

# Copyright (c) Microsoft Corporation. All rights reserved.
# Licensed under the MIT License.
#region Method Functions
<#
    .SYNOPSIS
        Retreives the mitigation target name from the check-content element in the xccdf
 
    .PARAMETER CheckContent
        Specifies the check-content element in the xccdf
#>
function Get-MitigationTargetName
{
    [CmdletBinding()]
    [OutputType([string])]
    param
    (
        [Parameter(Mandatory = $true)]
        [AllowEmptyString()]
        [string[]]
        $CheckContent
    )

    Write-Verbose "[$($MyInvocation.MyCommand.Name)]"

    try
    {
        switch ($checkContent)
        {
            { $PSItem -match '-System' }
            {
                return 'System'
            }
            { $PSItem -match '-Name' }
            {
                # Grab all the text that starts on a new line or with whitespace and ends in .exe
                $executableMatches = $checkContent | Select-String -Pattern '(^|\s)\S*?\.exe' -AllMatches
                return ( $executableMatches.Matches.Value.Trim() ) -join ','

            }
        }
    }
    catch
    {
        Write-Verbose "[$($MyInvocation.MyCommand.Name)] Mitigation Target Name : Not Found"
        return $null
    }
}

<#
    .SYNOPSIS
        Retreives the mitigation policy name from the check-content element in the xccdf
 
    .PARAMETER CheckContent
        Specifies the check-content element in the xccdf
#>
function Get-MitigationPolicyToEnable
{
    [CmdletBinding()]
    [OutputType([string])]
    param
    (
        [Parameter(Mandatory = $true)]
        [AllowEmptyString()]
        [string[]]
        $CheckContent
    )

    Write-Verbose "[$($MyInvocation.MyCommand.Name)]"

    try
    {
        # Determine if the stig rule contains policies to be enabled
        if ( ( Test-PoliciesToEnable -CheckContent $checkContent ) -eq $false )
        {
            return $null
        }

        $result = @()
        foreach ($line in $checkContent)
        {
            switch ($line)
            {
                { $PSItem -match $regularExpression.IfTheStatusOf }
                {
                    <#
                    Grab the line that has "If the status of" then grab the text inbetween " and :
                    Check to see if the line was the word 'Enable' in it
                    #>
                    if ($PSItem -match 'Enable')
                    {
                        $result += ( ( $line | Select-String -Pattern $regularExpression.TextBetweenDoubleQuoteAndColon ).Matches.Value -replace '"' -replace ':' ).Trim()
                    }
                    else
                    {
                        $result += ( ( $line | Select-String -Pattern $regularExpression.TextBetweenColonAndDoubleQuote ).Matches.Value -replace '"' -replace ':' ).Trim()
                    }
                }
                { $PSItem -match $regularExpression.ColonSpaceOn }
                {
                    <#
                        This address the edge case where the mitigation is specified to be enabled on a seperate line example (DEP):
                        DEP:
                        Enable: ON
 
                        ASLR:
                        BottomUp: ON
                        ForceRelocateImages: ON
                    #>
                    if ( $line -match $regularExpression.EnableColon )
                    {
                        $enableLineMatch = ( $checkContent | Select-String -Pattern $line ).LineNumber
                        $result += ( ( $checkContent[$enableLineMatch - 2] ) -replace ':' ).Trim()
                    }
                    else
                    {
                        $result += ( $line -replace $regularExpression.ColonSpaceOn ).Trim()
                    }
                }
            }
        }
        return $result -join ','
    }
    catch
    {
        Write-Verbose "[$($MyInvocation.MyCommand.Name)] Mitigation Policy : Not Found"
        return $null
    }
}

<#
    .SYNOPSIS
        Test if the check-content contains mitigations polices to enable.
 
    .PARAMETER CheckContent
        Specifies the check-content element in the xccdf
 
    .NOTES
        Currently all rules in the STIG state the policies referenced need to be enabled.
        However that could change in the future or in other STIGs so we need to check for both conditions (Enabled|Disabled)
#>
function Test-PoliciesToEnable
{
    [CmdletBinding()]
    [OutputType([bool])]
    param
    (
        [Parameter(Mandatory = $true)]
        [AllowEmptyString()]
        [string[]]
        $CheckContent
    )

    foreach ( $line in $checkContent )
    {
        if ( $line -match $regularExpression.IfTheStatusOfIsOff )
        {
            return $true
        }

        if ( $line -match $regularExpression.NotHaveAStatusOfOn )
        {
            return $true
        }
    }
    return $false
}

<#
    .SYNOPSIS
        Consumes a list of mitigation targets seperated by a comma and outputs an array
#>
function Split-ProcessMitigationRule
{
    [CmdletBinding()]
    [OutputType([array])]
    param
    (
        [Parameter(Mandatory = $true)]
        [AllowEmptyString()]
        [string]
        $MitigationTarget
    )

    return ( $MitigationTarget -split ',' )
}

<#
    .SYNOPSIS
        Check if the string (MitigationTarget) contains a comma. If so the rule needs to be split
#>
function Test-MultipleProcessMitigationRule
{
    [CmdletBinding()]
    [OutputType([bool])]
    param
    (
        [Parameter(Mandatory = $true)]
        [AllowEmptyString()]
        [string]
        $MitigationTarget
    )

    if ( $MitigationTarget -match ',')
    {
        return $true
    }
    return $false
}
#endregion