From 21d604820a4286012913221ea8cc12c7d009afd0 Mon Sep 17 00:00:00 2001
From: Dominik Richter
Date: Fri, 17 Apr 2015 15:37:17 +0200
Subject: [PATCH] feature: add windows resources
Signed-off-by: Dominik Richter
---
 lib/resources/audit_policy.rb | 136 +++++++++++++++++++++++++++++++
 lib/resources/group_policy.rb | 60 ++++++++++++++
 lib/resources/registry_key.rb | 60 ++++++++++++++
 lib/resources/security_policy.rb | 74 +++++++++++++++++
 lib/vulcano.rb | 4 +
 5 files changed, 334 insertions(+)
 create mode 100644 lib/resources/audit_policy.rb
 create mode 100644 lib/resources/group_policy.rb
 create mode 100644 lib/resources/registry_key.rb
 create mode 100644 lib/resources/security_policy.rb
diff --git a/lib/resources/audit_policy.rb b/lib/resources/audit_policy.rb
new file mode 100644
index 000000000..310aab8fb
--- /dev/null
+++ b/lib/resources/audit_policy.rb
@@ -0,0 +1,136 @@
+## Advanced Auditing
+# As soon as you start applying Advanced Audit Configuration Policy, legacy policies will be completely ignored.
+# reference: https://technet.microsoft.com/en-us/library/cc753632.aspx
+# use:
+# - list all categories: Auditpol /list /subcategory:* /r
+# - list parameters: Auditpol /get /category:"System" /subcategory:"IPsec Driver"
+# - list specific parameter: Auditpol /get /subcategory:"IPsec Driver"
+#
+# @link: http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx
+
+=begin
+Category/Subcategory,GUID
+System,{69979848-797A-11D9-BED3-505054503030}
+ Security State Change,{0CCE9210-69AE-11D9-BED3-505054503030}
+ Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030}
+ System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030}
+ IPsec Driver,{0CCE9213-69AE-11D9-BED3-505054503030}
+ Other System Events,{0CCE9214-69AE-11D9-BED3-505054503030}
+Logon/Logoff,{69979849-797A-11D9-BED3-505054503030}
+ Logon,{0CCE9215-69AE-11D9-BED3-505054503030}
+ Logoff,{0CCE9216-69AE-11D9-BED3-505054503030}
+ Account Lockout,{0CCE9217-69AE-11D9-BED3-505054503030}
+ IPsec Main Mode,{0CCE9218-69AE-11D9-BED3-505054503030}
+ IPsec Quick Mode,{0CCE9219-69AE-11D9-BED3-505054503030}
+ IPsec Extended Mode,{0CCE921A-69AE-11D9-BED3-505054503030}
+ Special Logon,{0CCE921B-69AE-11D9-BED3-505054503030}
+ Other Logon/Logoff Events,{0CCE921C-69AE-11D9-BED3-505054503030}
+ Network Policy Server,{0CCE9243-69AE-11D9-BED3-505054503030}
+ User / Device Claims,{0CCE9247-69AE-11D9-BED3-505054503030}
+Object Access,{6997984A-797A-11D9-BED3-505054503030}
+ File System,{0CCE921D-69AE-11D9-BED3-505054503030}
+ Registry,{0CCE921E-69AE-11D9-BED3-505054503030}
+ Kernel Object,{0CCE921F-69AE-11D9-BED3-505054503030}
+ SAM,{0CCE9220-69AE-11D9-BED3-505054503030}
+ Certification Services,{0CCE9221-69AE-11D9-BED3-505054503030}
+ Application Generated,{0CCE9222-69AE-11D9-BED3-505054503030}
+ Handle Manipulation,{0CCE9223-69AE-11D9-BED3-505054503030}
+ File Share,{0CCE9224-69AE-11D9-BED3-505054503030}
+ Filtering Platform Packet Drop,{0CCE9225-69AE-11D9-BED3-505054503030}
+ Filtering Platform Connection,{0CCE9226-69AE-11D9-BED3-505054503030}
+ Other Object Access Events,{0CCE9227-69AE-11D9-BED3-505054503030}
+ Detailed File Share,{0CCE9244-69AE-11D9-BED3-505054503030}
+ Removable Storage,{0CCE9245-69AE-11D9-BED3-505054503030}
+ Central Policy Staging,{0CCE9246-69AE-11D9-BED3-505054503030}
+Privilege Use,{6997984B-797A-11D9-BED3-505054503030}
+ Sensitive Privilege Use,{0CCE9228-69AE-11D9-BED3-505054503030}
+ Non Sensitive Privilege Use,{0CCE9229-69AE-11D9-BED3-505054503030}
+ Other Privilege Use Events,{0CCE922A-69AE-11D9-BED3-505054503030}
+Detailed Tracking,{6997984C-797A-11D9-BED3-505054503030}
+ Process Creation,{0CCE922B-69AE-11D9-BED3-505054503030}
+ Process Termination,{0CCE922C-69AE-11D9-BED3-505054503030}
+ DPAPI Activity,{0CCE922D-69AE-11D9-BED3-505054503030}
+ RPC Events,{0CCE922E-69AE-11D9-BED3-505054503030}
+Policy Change,{6997984D-797A-11D9-BED3-505054503030}
+ Audit Policy Change,{0CCE922F-69AE-11D9-BED3-505054503030}
+ Authentication Policy Change,{0CCE9230-69AE-11D9-BED3-505054503030}
+ Authorization Policy Change,{0CCE9231-69AE-11D9-BED3-505054503030}
+ MPSSVC Rule-Level Policy Change,{0CCE9232-69AE-11D9-BED3-505054503030}
+ Filtering Platform Policy Change,{0CCE9233-69AE-11D9-BED3-505054503030}
+ Other Policy Change Events,{0CCE9234-69AE-11D9-BED3-505054503030}
+Account Management,{6997984E-797A-11D9-BED3-505054503030}
+ User Account Management,{0CCE9235-69AE-11D9-BED3-505054503030}
+ Computer Account Management,{0CCE9236-69AE-11D9-BED3-505054503030}
+ Security Group Management,{0CCE9237-69AE-11D9-BED3-505054503030}
+ Distribution Group Management,{0CCE9238-69AE-11D9-BED3-505054503030}
+ Application Group Management,{0CCE9239-69AE-11D9-BED3-505054503030}
+ Other Account Management Events,{0CCE923A-69AE-11D9-BED3-505054503030}
+DS Access,{6997984F-797A-11D9-BED3-505054503030}
+ Directory Service Access,{0CCE923B-69AE-11D9-BED3-505054503030}
+ Directory Service Changes,{0CCE923C-69AE-11D9-BED3-505054503030}
+ Directory Service Replication,{0CCE923D-69AE-11D9-BED3-505054503030}
+ Detailed Directory Service Replication,{0CCE923E-69AE-11D9-BED3-505054503030}
+Account Logon,{69979850-797A-11D9-BED3-505054503030}
+ Credential Validation,{0CCE923F-69AE-11D9-BED3-505054503030}
+ Kerberos Service Ticket Operations,{0CCE9240-69AE-11D9-BED3-505054503030}
+ Other Account Logon Events,{0CCE9241-69AE-11D9-BED3-505054503030}
+ Kerberos Authentication Service,{0CCE9242-69AE-11D9-BED3-505054503030}
+
+Valid values are:
+
+- "No Auditing"
+- "Not Specified"
+- "Success"
+- "Success and Failure"
+- "Failure"
+
+Further information is available at: https://msdn.microsoft.com/en-us/library/dd973859.aspx
+
+=end
+
+module Serverspec
+ module Type
+
+ class AuditPolicy < Base
+
+ def method_missing(method)
+ key = method.to_s
+
+ # expected result:
+ # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
+ # WIN-MB8NINQ388J,System,Kerberos Authentication Service,{0CCE9242-69AE-11D9-BED3-505054503030},No Auditing,
+ command_result ||= @runner.run_command("Auditpol /get /subcategory:'#{key}' /r")
+ result = command_result.stdout
+ result
+
+ # find line
+ target = nil
+ result.each_line {|s|
+ target = s.strip if s.match(/\b.*#{key}.*\b/)
+ }
+
+ # extract value
+ if target != nil
+ # split csv values and return value
+ value = target.split(',')[4]
+ else
+ value = nil
+ end
+
+ value
+ end
+
+ def to_s
+ %Q[Windows Advanced Auditing]
+ end
+
+ end
+
+ def audit_policy()
+ AuditPolicy.new()
+ end
+
+ end
+end
+
+include Serverspec::Type
\ No newline at end of file
diff --git a/lib/resources/group_policy.rb b/lib/resources/group_policy.rb
new file mode 100644
index 000000000..4b4169495
--- /dev/null
+++ b/lib/resources/group_policy.rb
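Review bot: `method_missing` interpolates the raw method name into both the `Auditpol` command string and the `Regexp` on the `each_line` line, so a name containing regex metacharacters (`.`, `/`, `(`) changes which output line the filter picks, and a name containing a quote changes the command itself; `target = s.strip if s.match(/\b.*#{Regexp.escape(key)}.*\b/)` fixes the filter, and the command should not be built from an unvalidated name either. The exit status of the `Auditpol` run is never inspected, so a failed run (missing rights, or a subcategory the tool does not know) and a genuinely absent setting both come back as nil; `return nil unless command_result.exit_status.to_i == 0` before the parse would separate the two. The bare `result` on the line after `result = command_result.stdout` is a no-op and can go. The same unescaped `#{key}` inside a Regexp recurs in security_policy.rb's `method_missing` in this commit.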
@@ -0,0 +1,60 @@
+require 'json'
+
+# Group Policy
+module Serverspec
+ module Type
+
+ # return JSON object
+ def gpo (policy_path, policy_name)
+ file = ::File.read(::File.join ::File.dirname(__FILE__), "gpo.json")
+ gpo_hash = JSON.parse(file)
+ key = "Machine--" + policy_path + "--" + policy_name
+ gpo_hash[key]
+ end
+
+ class GroupPolicy < Base
+
+ def getRegistryValue(entry)
+ keys = entry['registry_information'][0]
+ cmd = "(Get-Item 'Registry::#{keys['path']}').GetValue('#{keys['key']}')"
+ command_result ||= @runner.run_command(cmd)
+ val = { :exit_code => command_result.exit_status.to_i, :data => command_result.stdout }
+ val
+ end
+
+ def convertValue (value)
+ val = value.strip
+ val = val.to_i if val.match(/^\d+$/)
+ end
+
+ # returns nil, if not existant or value
+ def method_missing(meth)
+ # map gpo to registry key
+ entry = gpo(@name, meth.to_s)
+
+ # get data
+ val = getRegistryValue(entry)
+
+ # verify data
+ if (val[:exit_code] == 0)
+ val = convertValue(val[:data])
+ else
+ nil
+ end
+
+ end
+
+ def to_s
+ 'Group Policy'
+ end
+
+ end
+
+ def group_policy(policy_path)
+ GroupPolicy.new(policy_path)
+ end
+
+ end
+end
+
+include Serverspec::Type
diff --git a/lib/resources/registry_key.rb b/lib/resources/registry_key.rb
new file mode 100644
index 000000000..646a0cd88
--- /dev/null
+++ b/lib/resources/registry_key.rb
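Review bot: `convertValue` returns nil for every value that is not all digits, because its last expression is the modifier-`if` assignment, which evaluates to nil when the condition is false; end the method with a bare `val` so string values survive (registry_key.rb in this commit carries the identical method and the same defect). `gpo` returns nil when `"Machine--" + policy_path + "--" + policy_name` is not a key of gpo.json, and `getRegistryValue` then raises NoMethodError on `entry['registry_information']` rather than returning the nil the comment above `method_missing` promises; `return nil unless entry` right after the `gpo` call would honour that contract. The `^`/`$` anchors in `/^\d+$/` match per line, so a multi-line value whose first line is numeric gets converted; `\A\d+\z` is the whole-string check intended. gpo.json is read from the resource directory but is not among the files this patch adds, so the lookup presumably relies on it already being in the tree.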
@@ -0,0 +1,60 @@
+require 'json'
+
+# Registry Key Helper
+module Serverspec
+ module Type
+
+ class RegistryKey < Base
+
+ attr_accessor :reg_key
+
+ def getRegistryValue(path, key)
+ cmd = "(Get-Item 'Registry::#{path}').GetValue('#{key}')"
+ command_result ||= @runner.run_command(cmd)
+ val = { :exit_code => command_result.exit_status.to_i, :data => command_result.stdout }
+ val
+ end
+
+ def convertValue (value)
+ val = value.strip
+ val = val.to_i if val.match(/^\d+$/)
+ end
+
+ # returns nil, if not existant or value
+ def method_missing(meth)
+
+ # get data
+ val = getRegistryValue(@reg_key, meth)
+
+ # verify data
+ if (val[:exit_code] == 0)
+ val = convertValue(val[:data])
+ else
+ nil
+ end
+
+ end
+
+ def to_s
+ "Registry Key #{@name}"
+ end
+
+ end
+
+ def registry_key(name, reg_key=nil)
+
+ # if we have one parameter, we use it as name
+ if reg_key == nil
+ reg_key = name
+ end
+
+ # initialize variable
+ i = RegistryKey.new(name)
+ i.reg_key = reg_key
+ i
+ end
+
+ end
+end
+
+include Serverspec::Type
diff --git a/lib/resources/security_policy.rb b/lib/resources/security_policy.rb
new file mode 100644
index 000000000..35f20eba6
--- /dev/null
+++ b/lib/resources/security_policy.rb
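Review bot: `getRegistryValue` drops `path` and the method name straight into single-quoted PowerShell literals, so a registry path or value name containing a single quote ends the literal early and the remainder of the name is parsed as code; doubling the quote before interpolation, e.g. `cmd = "(Get-Item 'Registry::#{path.to_s.gsub("'", "''")}').GetValue('#{key.to_s.gsub("'", "''")}')"`, keeps both values inside their literals. Both inputs appear to come from the spec author's own resource call, so this is a robustness point rather than an untrusted-input one, but the resource is the right place to handle it. In `registry_key`, the `if reg_key == nil` block is the idiom `reg_key ||= name`. `method_missing` has no matching `respond_to_missing?`, so `respond_to?` answers false for every value name the resource can actually serve.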
@@ -0,0 +1,74 @@
+# Security Configuration and Analysis
+#
+# Export local security policy:
+# secedit /export /cfg secpol.cfg
+#
+# @link http://www.microsoft.com/en-us/download/details.aspx?id=25250
+#
+# In Windows, some security options are managed differently that the local GPO
+# All local GPO parameters can be examined via Registry, but not all security
+# parameters. Therefore we need a combination of Registry and secedit output
+
+module Serverspec
+ module Type
+
+ class SecurityPolicy < Base
+
+ # static variable, shared across all instances
+ @@loaded = false
+ @@policy = nil
+ @@exit_status = nil
+
+ # load security content
+ def load
+ # export the security policy
+ @runner.run_command('secedit /export /cfg win_secpol.cfg')
+ # store file content
+ command_result ||= @runner.run_command('type win_secpol.cfg')
+ # delete temp file
+ @runner.run_command('del win_secpol.cfg')
+
+ @@exit_status = command_result.exit_status.to_i
+ @@policy = command_result.stdout
+
+ @@loaded = true
+
+ # returns self
+ self
+ end
+
+ def method_missing(method)
+
+ # load data if needed
+ if (@@loaded == false)
+ load
+ end
+
+ # find line with key
+ key = method.to_s
+ target = ""
+ @@policy.each_line {|s|
+ target = s.strip if s.match(/\b#{key}\s*=\s*(.*)\b/)
+ }
+
+ # extract variable value
+ result = target.match(/[=]{1}\s*(?.*)/)
+ val = result[:value]
+ val = val.to_i if val.match(/^\d+$/)
+ val
+ end
+
+ def to_s
+ %Q[Security Policy]
+ end
+
+ end
+
+ def security_policy()
+ SecurityPolicy.new()
+ end
+
+ end
+end
+
+include Serverspec::Type
diff --git a/lib/vulcano.rb b/lib/vulcano.rb
index 26b94c47f..6acbf2544 100644
--- a/lib/vulcano.rb
+++ b/lib/vulcano.rb
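Review bot: A key that matches no line of the exported policy raises instead of returning nil: `target` stays `""`, `"".match(...)` is nil, and `result[:value]` on the following line fails with NoMethodError; `return nil if result.nil?` between those two lines makes the miss explicit. `load` never checks whether `secedit /export` succeeded (it can fail without sufficient rights), so `@@policy` is set from whatever `type win_secpol.cfg` printed and `@@loaded = true` caches that outcome for the rest of the process, while `@@exit_status` is stored and never read; setting `@@loaded` only when `@@exit_status == 0` would let a later call retry. The export is also written to the working directory of the remote shell under a fixed name, which two runs on the same host would share, and the `del` runs regardless of what happened before; a comment stating that assumption would help the next reader. The `(?.*)` named capture appears to have lost its group name in this rendering, since `result[:value]` requires one — presumably an extraction artifact rather than a defect in the commit.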
@@ -4,11 +4,15 @@ require 'utils/spec_helper' +require 'resources/audit_policy' +require 'resources/group_policy' require 'resources/mysql_conf' require 'resources/mysql_session' require 'resources/postgres_conf' require 'resources/postgres_session' require 'resources/processes' +require 'resources/registry_key' +require 'resources/security_policy' require 'resources/ssh_conf' # Dummy module for handling additional attributes