feature: add windows resources

Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
2024-09-20 06:21:56 +00:00 · 2015-04-17 15:37:17 +02:00 · 2015-04-17 15:37:17 +02:00 · 21d604820a
commit 21d604820a
parent e87af25d07
5 changed files with 334 additions and 0 deletions
--- a/lib/resources/audit_policy.rb
+++ b/lib/resources/audit_policy.rb
@ -0,0 +1,136 @@
+## Advanced Auditing
+# As soon as you start applying Advanced Audit Configuration Policy, legacy policies will be completely ignored. 
+# reference: https://technet.microsoft.com/en-us/library/cc753632.aspx
+# use: 
+#  - list all categories: Auditpol /list /subcategory:* /r
+#  - list parameters: Auditpol /get /category:"System" /subcategory:"IPsec Driver"
+#  - list specific parameter: Auditpol /get /subcategory:"IPsec Driver"
+# 
+# @link: http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx 
+
+=begin
+Category/Subcategory,GUID
+System,{69979848-797A-11D9-BED3-505054503030}
+  Security State Change,{0CCE9210-69AE-11D9-BED3-505054503030}
+  Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030}
+  System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030}
+  IPsec Driver,{0CCE9213-69AE-11D9-BED3-505054503030}
+  Other System Events,{0CCE9214-69AE-11D9-BED3-505054503030}
+Logon/Logoff,{69979849-797A-11D9-BED3-505054503030}
+  Logon,{0CCE9215-69AE-11D9-BED3-505054503030}
+  Logoff,{0CCE9216-69AE-11D9-BED3-505054503030}
+  Account Lockout,{0CCE9217-69AE-11D9-BED3-505054503030}
+  IPsec Main Mode,{0CCE9218-69AE-11D9-BED3-505054503030}
+  IPsec Quick Mode,{0CCE9219-69AE-11D9-BED3-505054503030}
+  IPsec Extended Mode,{0CCE921A-69AE-11D9-BED3-505054503030}
+  Special Logon,{0CCE921B-69AE-11D9-BED3-505054503030}
+  Other Logon/Logoff Events,{0CCE921C-69AE-11D9-BED3-505054503030}
+  Network Policy Server,{0CCE9243-69AE-11D9-BED3-505054503030}
+  User / Device Claims,{0CCE9247-69AE-11D9-BED3-505054503030}
+Object Access,{6997984A-797A-11D9-BED3-505054503030}
+  File System,{0CCE921D-69AE-11D9-BED3-505054503030}
+  Registry,{0CCE921E-69AE-11D9-BED3-505054503030}
+  Kernel Object,{0CCE921F-69AE-11D9-BED3-505054503030}
+  SAM,{0CCE9220-69AE-11D9-BED3-505054503030}
+  Certification Services,{0CCE9221-69AE-11D9-BED3-505054503030}
+  Application Generated,{0CCE9222-69AE-11D9-BED3-505054503030}
+  Handle Manipulation,{0CCE9223-69AE-11D9-BED3-505054503030}
+  File Share,{0CCE9224-69AE-11D9-BED3-505054503030}
+  Filtering Platform Packet Drop,{0CCE9225-69AE-11D9-BED3-505054503030}
+  Filtering Platform Connection,{0CCE9226-69AE-11D9-BED3-505054503030}
+  Other Object Access Events,{0CCE9227-69AE-11D9-BED3-505054503030}
+  Detailed File Share,{0CCE9244-69AE-11D9-BED3-505054503030}
+  Removable Storage,{0CCE9245-69AE-11D9-BED3-505054503030}
+  Central Policy Staging,{0CCE9246-69AE-11D9-BED3-505054503030}
+Privilege Use,{6997984B-797A-11D9-BED3-505054503030}
+  Sensitive Privilege Use,{0CCE9228-69AE-11D9-BED3-505054503030}
+  Non Sensitive Privilege Use,{0CCE9229-69AE-11D9-BED3-505054503030}
+  Other Privilege Use Events,{0CCE922A-69AE-11D9-BED3-505054503030}
+Detailed Tracking,{6997984C-797A-11D9-BED3-505054503030}
+  Process Creation,{0CCE922B-69AE-11D9-BED3-505054503030}
+  Process Termination,{0CCE922C-69AE-11D9-BED3-505054503030}
+  DPAPI Activity,{0CCE922D-69AE-11D9-BED3-505054503030}
+  RPC Events,{0CCE922E-69AE-11D9-BED3-505054503030}
+Policy Change,{6997984D-797A-11D9-BED3-505054503030}
+  Audit Policy Change,{0CCE922F-69AE-11D9-BED3-505054503030}
+  Authentication Policy Change,{0CCE9230-69AE-11D9-BED3-505054503030}
+  Authorization Policy Change,{0CCE9231-69AE-11D9-BED3-505054503030}
+  MPSSVC Rule-Level Policy Change,{0CCE9232-69AE-11D9-BED3-505054503030}
+  Filtering Platform Policy Change,{0CCE9233-69AE-11D9-BED3-505054503030}
+  Other Policy Change Events,{0CCE9234-69AE-11D9-BED3-505054503030}
+Account Management,{6997984E-797A-11D9-BED3-505054503030}
+  User Account Management,{0CCE9235-69AE-11D9-BED3-505054503030}
+  Computer Account Management,{0CCE9236-69AE-11D9-BED3-505054503030}
+  Security Group Management,{0CCE9237-69AE-11D9-BED3-505054503030}
+  Distribution Group Management,{0CCE9238-69AE-11D9-BED3-505054503030}
+  Application Group Management,{0CCE9239-69AE-11D9-BED3-505054503030}
+  Other Account Management Events,{0CCE923A-69AE-11D9-BED3-505054503030}
+DS Access,{6997984F-797A-11D9-BED3-505054503030}
+  Directory Service Access,{0CCE923B-69AE-11D9-BED3-505054503030}
+  Directory Service Changes,{0CCE923C-69AE-11D9-BED3-505054503030}
+  Directory Service Replication,{0CCE923D-69AE-11D9-BED3-505054503030}
+  Detailed Directory Service Replication,{0CCE923E-69AE-11D9-BED3-505054503030}
+Account Logon,{69979850-797A-11D9-BED3-505054503030}
+  Credential Validation,{0CCE923F-69AE-11D9-BED3-505054503030}
+  Kerberos Service Ticket Operations,{0CCE9240-69AE-11D9-BED3-505054503030}
+  Other Account Logon Events,{0CCE9241-69AE-11D9-BED3-505054503030}
+  Kerberos Authentication Service,{0CCE9242-69AE-11D9-BED3-505054503030}
+
+Valid values are:
+
+- "No Auditing"
+- "Not Specified"
+- "Success"
+- "Success and Failure"
+- "Failure"
+
+Further information is available at: https://msdn.microsoft.com/en-us/library/dd973859.aspx
+
+=end
+
+module Serverspec
+  module Type
+
+    class AuditPolicy < Base
+
+      def method_missing(method)
+        key = method.to_s
+
+        # expected result:
+        # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
+        # WIN-MB8NINQ388J,System,Kerberos Authentication Service,{0CCE9242-69AE-11D9-BED3-505054503030},No Auditing,
+        command_result ||= @runner.run_command("Auditpol /get /subcategory:'#{key}' /r")
+        result = command_result.stdout
+        result
+
+        # find line
+        target = nil
+        result.each_line {|s| 
+          target = s.strip if s.match(/\b.*#{key}.*\b/)
+        }
+
+        # extract value
+        if target != nil
+          # split csv values and return value
+          value = target.split(',')[4]
+        else 
+          value = nil
+        end
+
+        value
+      end
+
+      def to_s
+        %Q[Windows Advanced Auditing]
+      end
+
+    end
+
+    def audit_policy()
+      AuditPolicy.new()
+    end
+
+  end
+end
+
+include Serverspec::Type
--- a/lib/resources/group_policy.rb
+++ b/lib/resources/group_policy.rb
@ -0,0 +1,60 @@
+require 'json'
+
+# Group Policy
+module Serverspec
+  module Type
+
+    # return JSON object
+    def gpo (policy_path, policy_name)
+      file = ::File.read(::File.join ::File.dirname(__FILE__), "gpo.json")
+      gpo_hash = JSON.parse(file)      
+      key = "Machine--" + policy_path + "--" + policy_name
+      gpo_hash[key]
+    end
+
+    class GroupPolicy < Base
+
+      def getRegistryValue(entry)
+        keys = entry['registry_information'][0]
+        cmd = "(Get-Item 'Registry::#{keys['path']}').GetValue('#{keys['key']}')"
+        command_result ||= @runner.run_command(cmd)
+        val = { :exit_code => command_result.exit_status.to_i, :data => command_result.stdout }
+        val
+      end
+
+      def convertValue (value)
+        val = value.strip
+        val = val.to_i if val.match(/^\d+$/)
+      end
+
+      # returns nil, if not existant or value
+      def method_missing(meth)
+        # map gpo to registry key
+        entry = gpo(@name, meth.to_s)
+
+        # get data
+        val = getRegistryValue(entry)
+
+        # verify data
+        if (val[:exit_code] == 0)
+          val = convertValue(val[:data])
+        else
+          nil
+        end
+
+      end
+
+      def to_s
+        'Group Policy'
+      end
+
+    end
+
+    def group_policy(policy_path)
+      GroupPolicy.new(policy_path)
+    end
+
+  end
+end
+
+include Serverspec::Type
--- a/lib/resources/registry_key.rb
+++ b/lib/resources/registry_key.rb
@ -0,0 +1,60 @@
+require 'json'
+
+# Registry Key Helper
+module Serverspec
+  module Type
+
+    class RegistryKey < Base
+
+      attr_accessor :reg_key
+
+      def getRegistryValue(path, key)
+        cmd = "(Get-Item 'Registry::#{path}').GetValue('#{key}')"
+        command_result ||= @runner.run_command(cmd)
+        val = { :exit_code => command_result.exit_status.to_i, :data => command_result.stdout }
+        val
+      end
+
+      def convertValue (value)
+        val = value.strip
+        val = val.to_i if val.match(/^\d+$/)
+      end
+
+      # returns nil, if not existant or value
+      def method_missing(meth)
+
+        # get data
+        val = getRegistryValue(@reg_key, meth)
+
+        # verify data
+        if (val[:exit_code] == 0)
+          val = convertValue(val[:data])
+        else
+          nil
+        end
+
+      end
+
+      def to_s
+        "Registry Key #{@name}"
+      end
+
+    end
+
+    def registry_key(name, reg_key=nil)
+
+      # if we have one parameter, we use it as name
+      if reg_key == nil
+        reg_key = name
+      end
+
+      # initialize variable
+      i = RegistryKey.new(name)
+      i.reg_key = reg_key
+      i
+    end
+
+  end
+end
+
+include Serverspec::Type
--- a/lib/resources/security_policy.rb
+++ b/lib/resources/security_policy.rb
@ -0,0 +1,74 @@
+# Security Configuration and Analysis
+#
+# Export local security policy:
+# secedit /export /cfg secpol.cfg
+#
+# @link http://www.microsoft.com/en-us/download/details.aspx?id=25250
+# 
+# In Windows, some security options are managed differently that the local GPO
+# All local GPO parameters can be examined via Registry, but not all security 
+# parameters. Therefore we need a combination of Registry and secedit output
+
+module Serverspec
+  module Type
+     
+    class SecurityPolicy < Base
+
+      # static variable, shared across all instances
+      @@loaded = false
+      @@policy = nil
+      @@exit_status = nil
+      
+      # load security content
+      def load
+        # export the security policy
+        @runner.run_command('secedit /export /cfg win_secpol.cfg')
+        # store file content
+        command_result ||= @runner.run_command('type win_secpol.cfg')
+        # delete temp file
+        @runner.run_command('del win_secpol.cfg')
+
+        @@exit_status = command_result.exit_status.to_i
+        @@policy = command_result.stdout
+
+        @@loaded = true
+
+        # returns self
+        self
+      end
+
+      def method_missing(method)
+
+        # load data if needed
+        if (@@loaded == false)
+          load
+        end
+
+        # find line with key
+        key = method.to_s
+        target = ""
+        @@policy.each_line {|s| 
+          target = s.strip if s.match(/\b#{key}\s*=\s*(.*)\b/)
+        }
+
+        # extract variable value
+        result = target.match(/[=]{1}\s*(?<value>.*)/)
+        val = result[:value]
+        val = val.to_i if val.match(/^\d+$/)
+        val
+      end
+
+      def to_s
+        %Q[Security Policy]
+      end
+
+    end
+
+    def security_policy()
+      SecurityPolicy.new()
+    end
+
+  end
+end
+
+include Serverspec::Type
--- a/lib/vulcano.rb
+++ b/lib/vulcano.rb
@ -4,11 +4,15 @@

 require 'utils/spec_helper'

+require 'resources/audit_policy'
+require 'resources/group_policy'
 require 'resources/mysql_conf'
 require 'resources/mysql_session'
 require 'resources/postgres_conf'
 require 'resources/postgres_session'
 require 'resources/processes'
+require 'resources/registry_key'
+require 'resources/security_policy'
 require 'resources/ssh_conf'

 # Dummy module for handling additional attributes