feature: add windows resources
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
This commit is contained in:
parent
e87af25d07
commit
21d604820a
5 changed files with 334 additions and 0 deletions
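--- /dev/null
+++ b/lib/resources/audit_policy.rb
@@ -0,0 +1,136 @@
+## Advanced Auditing
+# As soon as you start applying Advanced Audit Configuration Policy, legacy policies will be completely ignored.
+# reference: https://technet.microsoft.com/en-us/library/cc753632.aspx
+# use:
+# - list all categories: Auditpol /list /subcategory:* /r
+# - list parameters: Auditpol /get /category:"System" /subcategory:"IPsec Driver"
+# - list specific parameter: Auditpol /get /subcategory:"IPsec Driver"
+#
+# @link: http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx
+
+=begin
+Category/Subcategory,GUID
+System,{69979848-797A-11D9-BED3-505054503030}
+Security State Change,{0CCE9210-69AE-11D9-BED3-505054503030}
+Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030}
+System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030}
+IPsec Driver,{0CCE9213-69AE-11D9-BED3-505054503030}
+Other System Events,{0CCE9214-69AE-11D9-BED3-505054503030}
+Logon/Logoff,{69979849-797A-11D9-BED3-505054503030}
+Logon,{0CCE9215-69AE-11D9-BED3-505054503030}
+Logoff,{0CCE9216-69AE-11D9-BED3-505054503030}
+Account Lockout,{0CCE9217-69AE-11D9-BED3-505054503030}
+IPsec Main Mode,{0CCE9218-69AE-11D9-BED3-505054503030}
+IPsec Quick Mode,{0CCE9219-69AE-11D9-BED3-505054503030}
+IPsec Extended Mode,{0CCE921A-69AE-11D9-BED3-505054503030}
+Special Logon,{0CCE921B-69AE-11D9-BED3-505054503030}
+Other Logon/Logoff Events,{0CCE921C-69AE-11D9-BED3-505054503030}
+Network Policy Server,{0CCE9243-69AE-11D9-BED3-505054503030}
+User / Device Claims,{0CCE9247-69AE-11D9-BED3-505054503030}
+Object Access,{6997984A-797A-11D9-BED3-505054503030}
+File System,{0CCE921D-69AE-11D9-BED3-505054503030}
+Registry,{0CCE921E-69AE-11D9-BED3-505054503030}
+Kernel Object,{0CCE921F-69AE-11D9-BED3-505054503030}
+SAM,{0CCE9220-69AE-11D9-BED3-505054503030}
+Certification Services,{0CCE9221-69AE-11D9-BED3-505054503030}
+Application Generated,{0CCE9222-69AE-11D9-BED3-505054503030}
+Handle Manipulation,{0CCE9223-69AE-11D9-BED3-505054503030}
+File Share,{0CCE9224-69AE-11D9-BED3-505054503030}
+Filtering Platform Packet Drop,{0CCE9225-69AE-11D9-BED3-505054503030}
+Filtering Platform Connection,{0CCE9226-69AE-11D9-BED3-505054503030}
+Other Object Access Events,{0CCE9227-69AE-11D9-BED3-505054503030}
+Detailed File Share,{0CCE9244-69AE-11D9-BED3-505054503030}
+Removable Storage,{0CCE9245-69AE-11D9-BED3-505054503030}
+Central Policy Staging,{0CCE9246-69AE-11D9-BED3-505054503030}
+Privilege Use,{6997984B-797A-11D9-BED3-505054503030}
+Sensitive Privilege Use,{0CCE9228-69AE-11D9-BED3-505054503030}
+Non Sensitive Privilege Use,{0CCE9229-69AE-11D9-BED3-505054503030}
+Other Privilege Use Events,{0CCE922A-69AE-11D9-BED3-505054503030}
+Detailed Tracking,{6997984C-797A-11D9-BED3-505054503030}
+Process Creation,{0CCE922B-69AE-11D9-BED3-505054503030}
+Process Termination,{0CCE922C-69AE-11D9-BED3-505054503030}
+DPAPI Activity,{0CCE922D-69AE-11D9-BED3-505054503030}
+RPC Events,{0CCE922E-69AE-11D9-BED3-505054503030}
+Policy Change,{6997984D-797A-11D9-BED3-505054503030}
+Audit Policy Change,{0CCE922F-69AE-11D9-BED3-505054503030}
+Authentication Policy Change,{0CCE9230-69AE-11D9-BED3-505054503030}
+Authorization Policy Change,{0CCE9231-69AE-11D9-BED3-505054503030}
+MPSSVC Rule-Level Policy Change,{0CCE9232-69AE-11D9-BED3-505054503030}
+Filtering Platform Policy Change,{0CCE9233-69AE-11D9-BED3-505054503030}
+Other Policy Change Events,{0CCE9234-69AE-11D9-BED3-505054503030}
+Account Management,{6997984E-797A-11D9-BED3-505054503030}
+User Account Management,{0CCE9235-69AE-11D9-BED3-505054503030}
+Computer Account Management,{0CCE9236-69AE-11D9-BED3-505054503030}
+Security Group Management,{0CCE9237-69AE-11D9-BED3-505054503030}
+Distribution Group Management,{0CCE9238-69AE-11D9-BED3-505054503030}
+Application Group Management,{0CCE9239-69AE-11D9-BED3-505054503030}
+Other Account Management Events,{0CCE923A-69AE-11D9-BED3-505054503030}
+DS Access,{6997984F-797A-11D9-BED3-505054503030}
+Directory Service Access,{0CCE923B-69AE-11D9-BED3-505054503030}
+Directory Service Changes,{0CCE923C-69AE-11D9-BED3-505054503030}
+Directory Service Replication,{0CCE923D-69AE-11D9-BED3-505054503030}
+Detailed Directory Service Replication,{0CCE923E-69AE-11D9-BED3-505054503030}
+Account Logon,{69979850-797A-11D9-BED3-505054503030}
+Credential Validation,{0CCE923F-69AE-11D9-BED3-505054503030}
+Kerberos Service Ticket Operations,{0CCE9240-69AE-11D9-BED3-505054503030}
+Other Account Logon Events,{0CCE9241-69AE-11D9-BED3-505054503030}
+Kerberos Authentication Service,{0CCE9242-69AE-11D9-BED3-505054503030}
+
+Valid values are:
+
+- "No Auditing"
+- "Not Specified"
+- "Success"
+- "Success and Failure"
+- "Failure"
+
+Further information is available at: https://msdn.microsoft.com/en-us/library/dd973859.aspx
+
+=end
+
+module Serverspec
+module Type
+
+class AuditPolicy < Base
+
+def method_missing(method)
+key = method.to_s
+
+# expected result:
+# Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
+# WIN-MB8NINQ388J,System,Kerberos Authentication Service,{0CCE9242-69AE-11D9-BED3-505054503030},No Auditing,
+command_result ||= @runner.run_command("Auditpol /get /subcategory:'#{key}' /r")
+result = command_result.stdout
+result
+
+# find line
+target = nil
+result.each_line {|s|
+target = s.strip if s.match(/\b.*#{key}.*\b/)
+}
+
+# extract value
+if target != nil
+# split csv values and return value
+value = target.split(',')[4]
+else
+value = nil
+end
+
+value
+end
+
+def to_s
+%Q[Windows Advanced Auditing]
+end
+
+end
+
+def audit_policy()
+AuditPolicy.new()
+end
+
+end
+end
+
+include Serverspec::Type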
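Review bot: `key` is spliced unescaped into both the command line (`/subcategory:'#{key}'`) and the line-matching regex `/\b.*#{key}.*\b/` in `method_missing`, so a name carrying a quote or a regex metacharacter either breaks the Auditpol invocation or selects the wrong CSV row; since `key` is whatever symbol reaches `method_missing` (including via `send`), match with `Regexp.escape(key)` and refuse names containing `'` before running the command. The bare `result` on the line after `result = command_result.stdout` is a no-op, and `||=` on a fresh local is just `=`. If the runner hands the string to cmd.exe rather than PowerShell, single quotes are not quoting characters and multi-word subcategory names will not arrive as one argument — worth confirming against the runner. A `method_missing` without a matching `respond_to_missing?` also makes `respond_to?` lie about these attributes.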
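--- /dev/null
+++ b/lib/resources/group_policy.rb
@@ -0,0 +1,60 @@
+require 'json'
+
+# Group Policy
+module Serverspec
+module Type
+
+# return JSON object
+def gpo (policy_path, policy_name)
+file = ::File.read(::File.join ::File.dirname(__FILE__), "gpo.json")
+gpo_hash = JSON.parse(file)
+key = "Machine--" + policy_path + "--" + policy_name
+gpo_hash[key]
+end
+
+class GroupPolicy < Base
+
+def getRegistryValue(entry)
+keys = entry['registry_information'][0]
+cmd = "(Get-Item 'Registry::#{keys['path']}').GetValue('#{keys['key']}')"
+command_result ||= @runner.run_command(cmd)
+val = { :exit_code => command_result.exit_status.to_i, :data => command_result.stdout }
+val
+end
+
+def convertValue (value)
+val = value.strip
+val = val.to_i if val.match(/^\d+$/)
+end
+
+# returns nil, if not existant or value
+def method_missing(meth)
+# map gpo to registry key
+entry = gpo(@name, meth.to_s)
+
+# get data
+val = getRegistryValue(entry)
+
+# verify data
+if (val[:exit_code] == 0)
+val = convertValue(val[:data])
+else
+nil
+end
+
+end
+
+def to_s
+'Group Policy'
+end
+
+end
+
+def group_policy(policy_path)
+GroupPolicy.new(policy_path)
+end
+
+end
+end
+
+include Serverspec::Type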
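Review bot: `convertValue` returns nil for every non-numeric value: `val = val.to_i if val.match(/^\d+$/)` is the method's last expression and evaluates to nil when the modifier condition is false, so a REG_SZ setting collapses to nil and is indistinguishable from the "not existant" case the comment above `method_missing` promises. End the method with a plain `val` on its own line, and anchor with `\A\d+\z` rather than `^`/`$`, which match per line. `gpo` returns nil for a policy that is not in gpo.json, and `getRegistryValue` then raises NoMethodError on `nil['registry_information']` instead of returning nil; add `return nil if entry.nil?` right after `entry = gpo(@name, meth.to_s)`. Note also that `gpo` re-reads and re-parses gpo.json from disk on every attribute lookup.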
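--- /dev/null
+++ b/lib/resources/registry_key.rb
@@ -0,0 +1,60 @@
+require 'json'
+
+# Registry Key Helper
+module Serverspec
+module Type
+
+class RegistryKey < Base
+
+attr_accessor :reg_key
+
+def getRegistryValue(path, key)
+cmd = "(Get-Item 'Registry::#{path}').GetValue('#{key}')"
+command_result ||= @runner.run_command(cmd)
+val = { :exit_code => command_result.exit_status.to_i, :data => command_result.stdout }
+val
+end
+
+def convertValue (value)
+val = value.strip
+val = val.to_i if val.match(/^\d+$/)
+end
+
+# returns nil, if not existant or value
+def method_missing(meth)
+
+# get data
+val = getRegistryValue(@reg_key, meth)
+
+# verify data
+if (val[:exit_code] == 0)
+val = convertValue(val[:data])
+else
+nil
+end
+
+end
+
+def to_s
+"Registry Key #{@name}"
+end
+
+end
+
+def registry_key(name, reg_key=nil)
+
+# if we have one parameter, we use it as name
+if reg_key == nil
+reg_key = name
+end
+
+# initialize variable
+i = RegistryKey.new(name)
+i.reg_key = reg_key
+i
+end
+
+end
+end
+
+include Serverspec::Type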
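Review bot: `convertValue` has the same defect here: the modifier-`if` assignment is the last expression, so any value that is not all digits makes the method return nil instead of the string, and a caller cannot tell a string-valued registry entry from a missing one. Replace the body with `val = value.strip` followed by `val.match(/\A\d+\z/) ? val.to_i : val`. In `getRegistryValue`, `path` and `key` are interpolated into single-quoted PowerShell string literals without escaping, so a `'` in either (both come from the profile author via `registry_key(...)` and the attribute name) terminates the literal and the rest is executed as code; at minimum double any single quote with `key.gsub("'", "''")` before interpolation. `method_missing` is again defined without `respond_to_missing?`.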
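--- /dev/null
+++ b/lib/resources/security_policy.rb
@@ -0,0 +1,74 @@
+# Security Configuration and Analysis
+#
+# Export local security policy:
+# secedit /export /cfg secpol.cfg
+#
+# @link http://www.microsoft.com/en-us/download/details.aspx?id=25250
+#
+# In Windows, some security options are managed differently that the local GPO
+# All local GPO parameters can be examined via Registry, but not all security
+# parameters. Therefore we need a combination of Registry and secedit output
+
+module Serverspec
+module Type
+
+class SecurityPolicy < Base
+
+# static variable, shared across all instances
+@@loaded = false
+@@policy = nil
+@@exit_status = nil
+
+# load security content
+def load
+# export the security policy
+@runner.run_command('secedit /export /cfg win_secpol.cfg')
+# store file content
+command_result ||= @runner.run_command('type win_secpol.cfg')
+# delete temp file
+@runner.run_command('del win_secpol.cfg')
+
+@@exit_status = command_result.exit_status.to_i
+@@policy = command_result.stdout
+
+@@loaded = true
+
+# returns self
+self
+end
+
+def method_missing(method)
+
+# load data if needed
+if (@@loaded == false)
+load
+end
+
+# find line with key
+key = method.to_s
+target = ""
+@@policy.each_line {|s|
+target = s.strip if s.match(/\b#{key}\s*=\s*(.*)\b/)
+}
+
+# extract variable value
+result = target.match(/[=]{1}\s*(?<value>.*)/)
+val = result[:value]
+val = val.to_i if val.match(/^\d+$/)
+val
+end
+
+def to_s
+%Q[Security Policy]
+end
+
+end
+
+def security_policy()
+SecurityPolicy.new()
+end
+
+end
+end
+
+include Serverspec::Type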
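Review bot: An unknown key crashes instead of returning nil: when no line matches in `method_missing`, `target` stays `""`, `target.match(/[=]{1}\s*(?<value>.*)/)` is nil, and `result[:value]` raises NoMethodError; add `return nil if target.empty?` before the extraction, and interpolate `Regexp.escape(key)` into the line regex since the raw method name is currently used as a pattern. `load` never looks at the exit status of the `secedit /export` step: if the export fails (it requires an elevated session), `type` reads a stale or missing `win_secpol.cfg`, and whatever comes back is cached in `@@policy` for the rest of the process while `@@exit_status` is recorded but never consulted — check it and leave `@@loaded` false on failure. The export also lands under a fixed name in the runner's current directory, so two concurrent runs on the same host clobber each other's file; a unique path under `%TEMP%` avoids that.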
|
@ -4,11 +4,15 @@
|
|||
|
||||
require 'utils/spec_helper'
|
||||
|
||||
require 'resources/audit_policy'
|
||||
require 'resources/group_policy'
|
||||
require 'resources/mysql_conf'
|
||||
require 'resources/mysql_session'
|
||||
require 'resources/postgres_conf'
|
||||
require 'resources/postgres_session'
|
||||
require 'resources/processes'
|
||||
require 'resources/registry_key'
|
||||
require 'resources/security_policy'
|
||||
require 'resources/ssh_conf'
|
||||
|
||||
# Dummy module for handling additional attributes
|
||||
|
|