Module/Rule.Permission/Convert/PermissionRule.Convert.psm1
|
# Copyright (c) Microsoft Corporation. All rights reserved. # Licensed under the MIT License. using module .\..\..\Common\Common.psm1 using module .\..\PermissionRule.psm1 $exclude = @($MyInvocation.MyCommand.Name,'Template.*.txt') $supportFileList = Get-ChildItem -Path $PSScriptRoot -Exclude $exclude foreach ($supportFile in $supportFileList) { Write-Verbose "Loading $($supportFile.FullName)" . $supportFile.FullName } # Header <# .SYNOPSIS Convert the contents of an xccdf check-content element into a permission object .DESCRIPTION The PermissionRule class is used to extract the permission settings from the check-content of the xccdf. Once a STIG rule is identified a permission rule, it is passed to the PermissionRule class for parsing and validation. #> class PermissionRuleConvert : PermissionRule { <# .SYNOPSIS Empty constructor for SplitFactory #> PermissionRuleConvert () { } <# .SYNOPSIS Converts an xccdf stig rule element into a Permission Rule .PARAMETER XccdfRule The STIG rule to convert #> PermissionRuleConvert ([xml.xmlelement] $XccdfRule) : base ($XccdfRule, $true) { $this.SetPath() $this.SetDscResource() $this.SetForce() $this.SetAccessControlEntry() $this.SetDuplicateRule() $this.SetDscResource() $this.SetOrganizationValueRequired() } # Methods <# .SYNOPSIS Extracts the object path from the check-content and sets the value .DESCRIPTION Gets the object path from the xccdf content and sets the value. If the object path that is returned is not valid, the parser status is set to fail #> [void] SetPath () { $thisPath = Get-PermissionTargetPath -StigString $this.SplitCheckContent if (-not $this.SetStatus($thisPath)) { $this.set_Path($thisPath) } } <# .SYNOPSIS Sets the force flag .DESCRIPTION For now we're setting a default value. Later there could be additional logic here #> [void] SetForce () { $this.set_Force($true) if ($this.RawString -match 'Auditing Tab') { $this.set_Force($false) } } <# .SYNOPSIS Extracts the ACE from the check-content and sets the value .DESCRIPTION Gets the ACE from the xccdf content and sets the value. If the ACE that is returned is not valid, the parser status is set to fail #> [void] SetAccessControlEntry () { $thisAccessControlEntry = Get-PermissionAccessControlEntry -StigString $this.SplitCheckContent if (-not $this.SetStatus($thisAccessControlEntry)) # why can't this be $null -eq $thisAccessControlEntry ?? { foreach ($principal in $thisAccessControlEntry.Principal) { $this.SetStatus($principal) } foreach ($right in $thisAccessControlEntry.Rights) { if ($right -eq 'blank') { $this.SetStatus("", $true) continue } $this.SetStatus($right) } $this.set_AccessControlEntry($thisAccessControlEntry) } } hidden [void] SetDscResource () { if ($null -eq $this.DuplicateOf) { if ($this.Path) { switch ($this.Path) { {$PSItem -match '{domain}'} { $this.DscResource = "ActiveDirectoryAuditRuleEntry" } {$PSItem -match 'HKLM:\\'} { $this.DscResource = 'RegistryAccessEntry' } {$PSItem -match '(%windir%)|(ProgramFiles)|(%SystemDrive%)|(%ALLUSERSPROFILE%)'} { $this.DscResource = 'NTFSAccessEntry' } } } elseif ($this.RawString -match 'Auditing Tab') { $this.DscResource = 'FileSystemAuditRuleEntry' } } else { $this.DscResource = 'None' } } static [bool] Match ([string] $CheckContent) { if ( ($CheckContent -Match 'permission(s|)' -or $CheckContent -Match 'On the Security tab, click Advanced. On the Auditing tab') -and $CheckContent -NotMatch 'Forward\sLookup\sZones|Devices\sand\sPrinters|Shared\sFolders' -and $CheckContent -NotMatch 'Verify(ing)? the ((permissions .* ((G|g)roup (P|p)olicy|OU|ou))|auditing .* ((G|g)roup (P|p)olicy))' -and $CheckContent -NotMatch 'Open "Active Directory Users and Computers"' -and $CheckContent -NotMatch 'Windows Registry Editor' -and $CheckContent -NotMatch '(ID|id)s? .* (A|a)uditors?,? (SA|sa)s?,? .* (W|w)eb (A|a)dministrators? .* access to log files?' -and $CheckContent -NotMatch '\n*\.NET Trust Level' -and $CheckContent -NotMatch 'IIS 8\.5 web|IIS 10\.0 web' -and $CheckContent -cNotmatch 'SELECT' -and $CheckContent -NotMatch 'SQL Server' -and $CheckContent -NotMatch 'user\srights\sand\spermissions' -and $CheckContent -NotMatch 'Query the SA' -and $CheckContent -NotMatch "caspol\.exe" -and $CheckContent -NotMatch "Select the Group Policy Object item in the left pane" -and $CheckContent -NotMatch "Deny log on through Remote Desktop Services" -and $CheckContent -NotMatch "Interview the IAM" -and $CheckContent -NotMatch "InetMgr\.exe" -and $CheckContent -NotMatch "Register the required DLL module by typing the following at a command line ""regsvr32 schmmgmt.dll""." -and $CheckContent -NotMatch 'If any private assets' -and $CheckContent -NotMatch "roles.sql" -and $CheckContent -NotMatch '#.*\s+grep\s+.*' ) { return $true } return $false } <# .SYNOPSIS Tests if a rules contains more than one check .DESCRIPTION Gets the path defined in the rule from the xccdf content and then checks for the existance of multuple entries. .PARAMETER CheckContent The rule text from the check-content element in the xccdf #> <#{TODO}#> # HasMultipleRules is implemented inconsistently. static [bool] HasMultipleRules ([string] $CheckContent) { $permissionPaths = Get-PermissionTargetPath -StigString ([PermissionRule]::SplitCheckContent($CheckContent)) return (Test-MultiplePermissionRule -PermissionPath $permissionPaths) } <# .SYNOPSIS Splits mutiple paths from a singel rule into multiple rules .DESCRIPTION Once a rule has been found to have multiple checks, the rule needs to be split. This method splits a permission check into multiple rules. Each split rule id is appended with a dot and letter to keep reporting per the ID consistent. An example would be is V-1000 contained 2 checks, then SplitMultipleRules would return 2 objects with rule ids V-1000.a and V-1000.b .PARAMETER CheckContent The rule text from the check-content element in the xccdf #> static [string[]] SplitMultipleRules ([string] $CheckContent) { return (Split-MultiplePermissionRule -CheckContent ([PermissionRule]::SplitCheckContent($CheckContent))) } <# .SYNOPSIS Checks if a conversionStatus is passing and the for 1 null property. If those conditions are meet an OrganizationValue is required. #> [void] SetOrganizationValueRequired () { $propertyNames = @('Path','AccessControlEntry','Force') $nullPropertyCount = ($propertyNames | Where-Object -FilterScript {$null -eq $this.$PSItem}).Count if ($this.ConversionStatus -eq 'pass' -and $nullPropertyCount -eq 1) { $this.set_OrganizationValueRequired($true) } } #endregion } |