DSCResources/Resources/windows.AccessControl.ps1
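# Copyright (c) Microsoft Corporation. All rights reserved.
# Licensed under the MIT License.

<#
    Emits one AccessControlDsc resource per PermissionRule found in $stig.RuleList.

    The rule's dscresource value selects the resource that is generated
    (RegistryAccessEntry, NTFSAccessEntry or FileSystemAuditRuleEntry) and every
    AccessControlEntry/Entry element on the rule becomes one ACL/audit entry.
    This file relies on DSC resource keywords and on $stig, Select-Rule and
    Get-ResourceTitle from the caller, so it is only meaningful when executed
    inside the enclosing DSC Configuration scriptblock.

    Security-relevant behaviour to keep in mind when editing the STIG data:
      - An entry with an empty Type becomes an 'Allow' ACE. Deny entries must be
        stated explicitly; there is no way to opt out of the Allow default here.
      - An empty Inheritance defaults to 'This Key and Subkeys' for registry
        rules and to 'This folder only' for NTFS and audit rules.
      - Force and ForcePrincipal go through [bool]::TryParse, so anything that is
        not 'True'/'False' (empty, a typo) silently becomes $false.
        NOTE(review): presumably Force = $true makes the resource replace the
        existing ACL rather than merge into it — confirm against AccessControlDsc
        before depending on either reading.
      - Rights is split on ',' only; surrounding whitespace in the names is
        passed to the resource unchanged, and a rule with no Rights element
        fails here rather than producing an entry without rights.
      - NOTE(review): a rule whose dscresource is none of the three handled values
        falls through the switch silently and is not enforced at all — consider a
        default case that warns when new PermissionRule types are introduced.
#>

$rules = $stig.RuleList | Select-Rule -Type PermissionRule

foreach ($rule in $rules)
{
    # Force applies to the whole ACL of the rule; unparseable data yields $false.
    $ruleForce = $null
    [void][bool]::TryParse($rule.Force, [ref]$ruleForce)

    switch ($rule.dscresource)
    {
        'RegistryAccessEntry'
        {
            RegistryAccessEntry (Get-ResourceTitle -Rule $rule)
            {
                Path  = $rule.Path
                Force = $ruleForce
                AccessControlList = @(
                    foreach ($acentry in $rule.AccessControlEntry.Entry)
                    {
                        $aceEntryForcePrincipal = $null
                        [void][bool]::TryParse($acentry.ForcePrincipal, [ref]$aceEntryForcePrincipal)

                        # Empty Type -> Allow ACE; empty Inheritance -> the key and all of its subkeys.
                        $aceType = if ([string]::IsNullOrEmpty($acentry.Type)) { 'Allow' } else { $acentry.Type }
                        $aceInheritance = if ([string]::IsNullOrEmpty($acentry.Inheritance)) { 'This Key and Subkeys' } else { $acentry.Inheritance }

                        AccessControlList
                        {
                            Principal      = $acentry.Principal
                            ForcePrincipal = $aceEntryForcePrincipal
                            AccessControlEntry = @(
                                AccessControlEntry
                                {
                                    AccessControlType = $aceType
                                    Inheritance       = $aceInheritance
                                    Rights            = $acentry.Rights.Split(',')
                                    Ensure            = 'Present'
                                }
                            )
                        }
                    }
                )
            }
            break
        }

        'NTFSAccessEntry'
        {
            NTFSAccessEntry (Get-ResourceTitle -Rule $rule)
            {
                Path  = $rule.Path
                Force = $ruleForce
                AccessControlList = @(
                    foreach ($acentry in $rule.AccessControlEntry.Entry)
                    {
                        $aceEntryForcePrincipal = $null
                        [void][bool]::TryParse($acentry.ForcePrincipal, [ref]$aceEntryForcePrincipal)

                        # Empty Type -> Allow ACE; empty Inheritance -> this folder only (no propagation).
                        $aceType = if ([string]::IsNullOrEmpty($acentry.Type)) { 'Allow' } else { $acentry.Type }
                        $aceInheritance = if ([string]::IsNullOrEmpty($acentry.Inheritance)) { 'This folder only' } else { $acentry.Inheritance }

                        NTFSAccessControlList
                        {
                            Principal      = $acentry.Principal
                            ForcePrincipal = $aceEntryForcePrincipal
                            AccessControlEntry = @(
                                NTFSAccessControlEntry
                                {
                                    AccessControlType = $aceType
                                    Inheritance       = $aceInheritance
                                    FileSystemRights  = $acentry.Rights.Split(',')
                                    Ensure            = 'Present'
                                }
                            )
                        }
                    }
                )
            }
            break
        }

        'FileSystemAuditRuleEntry'
        {
            FileSystemAuditRuleEntry (Get-ResourceTitle -Rule $rule)
            {
                Path  = $rule.Path
                Force = $ruleForce
                AuditRuleList = @(
                    foreach ($acentry in $rule.AccessControlEntry.Entry)
                    {
                        # Computed once so the Success and Failure rules below cannot drift apart.
                        $aceInheritance = if ([string]::IsNullOrEmpty($acentry.Inheritance)) { 'This folder only' } else { $acentry.Inheritance }
                        $aceRights = $acentry.Rights.Split(',')

                        FileSystemAuditRuleList
                        {
                            Principal      = $acentry.Principal
                            # Audit entries never force the principal; the entry's ForcePrincipal value is not consulted here.
                            ForcePrincipal = $false
                            AuditRuleEntry = @(
                                # Both outcomes are audited: one rule for Success and one for Failure, same rights and inheritance.
                                foreach ($auditFlag in @('Success', 'Failure'))
                                {
                                    FileSystemAuditRule
                                    {
                                        AuditFlags       = $auditFlag
                                        FileSystemRights = $aceRights
                                        Inheritance      = $aceInheritance
                                        Ensure           = 'Present'
                                    }
                                }
                            )
                        }
                    }
                )
            }
            break
        }
    }
}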