feature: add windows resources

Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
2024-11-10 07:04:15 +00:00 · 2015-04-17 15:37:17 +02:00 · 2015-04-17 15:37:17 +02:00 · 21d604820a
commit 21d604820a
parent e87af25d07
5 changed files with 334 additions and 0 deletions
--- a/lib/resources/audit_policy.rb
+++ b/lib/resources/audit_policy.rb
@ -0,0 +1,136 @@
 ## Advanced Auditing
 # As soon as you start applying Advanced Audit Configuration Policy, legacy policies will be completely ignored. 
 # reference: https://technet.microsoft.com/en-us/library/cc753632.aspx
 # use: 
 #  - list all categories: Auditpol /list /subcategory:* /r
 #  - list parameters: Auditpol /get /category:"System" /subcategory:"IPsec Driver"
 #  - list specific parameter: Auditpol /get /subcategory:"IPsec Driver"
 # 
 # @link: http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx 
 =begin
 Category/Subcategory,GUID
 System,{69979848-797A-11D9-BED3-505054503030}
  Security State Change,{0CCE9210-69AE-11D9-BED3-505054503030}
  Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030}
  System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030}
  IPsec Driver,{0CCE9213-69AE-11D9-BED3-505054503030}
  Other System Events,{0CCE9214-69AE-11D9-BED3-505054503030}
 Logon/Logoff,{69979849-797A-11D9-BED3-505054503030}
  Logon,{0CCE9215-69AE-11D9-BED3-505054503030}
  Logoff,{0CCE9216-69AE-11D9-BED3-505054503030}
  Account Lockout,{0CCE9217-69AE-11D9-BED3-505054503030}
  IPsec Main Mode,{0CCE9218-69AE-11D9-BED3-505054503030}
  IPsec Quick Mode,{0CCE9219-69AE-11D9-BED3-505054503030}
  IPsec Extended Mode,{0CCE921A-69AE-11D9-BED3-505054503030}
  Special Logon,{0CCE921B-69AE-11D9-BED3-505054503030}
  Other Logon/Logoff Events,{0CCE921C-69AE-11D9-BED3-505054503030}
  Network Policy Server,{0CCE9243-69AE-11D9-BED3-505054503030}
  User / Device Claims,{0CCE9247-69AE-11D9-BED3-505054503030}
 Object Access,{6997984A-797A-11D9-BED3-505054503030}
  File System,{0CCE921D-69AE-11D9-BED3-505054503030}
  Registry,{0CCE921E-69AE-11D9-BED3-505054503030}
  Kernel Object,{0CCE921F-69AE-11D9-BED3-505054503030}
  SAM,{0CCE9220-69AE-11D9-BED3-505054503030}
  Certification Services,{0CCE9221-69AE-11D9-BED3-505054503030}
  Application Generated,{0CCE9222-69AE-11D9-BED3-505054503030}
  Handle Manipulation,{0CCE9223-69AE-11D9-BED3-505054503030}
  File Share,{0CCE9224-69AE-11D9-BED3-505054503030}
  Filtering Platform Packet Drop,{0CCE9225-69AE-11D9-BED3-505054503030}
  Filtering Platform Connection,{0CCE9226-69AE-11D9-BED3-505054503030}
  Other Object Access Events,{0CCE9227-69AE-11D9-BED3-505054503030}
  Detailed File Share,{0CCE9244-69AE-11D9-BED3-505054503030}
  Removable Storage,{0CCE9245-69AE-11D9-BED3-505054503030}
  Central Policy Staging,{0CCE9246-69AE-11D9-BED3-505054503030}
 Privilege Use,{6997984B-797A-11D9-BED3-505054503030}
  Sensitive Privilege Use,{0CCE9228-69AE-11D9-BED3-505054503030}
  Non Sensitive Privilege Use,{0CCE9229-69AE-11D9-BED3-505054503030}
  Other Privilege Use Events,{0CCE922A-69AE-11D9-BED3-505054503030}
 Detailed Tracking,{6997984C-797A-11D9-BED3-505054503030}
  Process Creation,{0CCE922B-69AE-11D9-BED3-505054503030}
  Process Termination,{0CCE922C-69AE-11D9-BED3-505054503030}
  DPAPI Activity,{0CCE922D-69AE-11D9-BED3-505054503030}
  RPC Events,{0CCE922E-69AE-11D9-BED3-505054503030}
 Policy Change,{6997984D-797A-11D9-BED3-505054503030}
  Audit Policy Change,{0CCE922F-69AE-11D9-BED3-505054503030}
  Authentication Policy Change,{0CCE9230-69AE-11D9-BED3-505054503030}
  Authorization Policy Change,{0CCE9231-69AE-11D9-BED3-505054503030}
  MPSSVC Rule-Level Policy Change,{0CCE9232-69AE-11D9-BED3-505054503030}
  Filtering Platform Policy Change,{0CCE9233-69AE-11D9-BED3-505054503030}
  Other Policy Change Events,{0CCE9234-69AE-11D9-BED3-505054503030}
 Account Management,{6997984E-797A-11D9-BED3-505054503030}
  User Account Management,{0CCE9235-69AE-11D9-BED3-505054503030}
  Computer Account Management,{0CCE9236-69AE-11D9-BED3-505054503030}
  Security Group Management,{0CCE9237-69AE-11D9-BED3-505054503030}
  Distribution Group Management,{0CCE9238-69AE-11D9-BED3-505054503030}
  Application Group Management,{0CCE9239-69AE-11D9-BED3-505054503030}
  Other Account Management Events,{0CCE923A-69AE-11D9-BED3-505054503030}
 DS Access,{6997984F-797A-11D9-BED3-505054503030}
  Directory Service Access,{0CCE923B-69AE-11D9-BED3-505054503030}
  Directory Service Changes,{0CCE923C-69AE-11D9-BED3-505054503030}
  Directory Service Replication,{0CCE923D-69AE-11D9-BED3-505054503030}
  Detailed Directory Service Replication,{0CCE923E-69AE-11D9-BED3-505054503030}
 Account Logon,{69979850-797A-11D9-BED3-505054503030}
  Credential Validation,{0CCE923F-69AE-11D9-BED3-505054503030}
  Kerberos Service Ticket Operations,{0CCE9240-69AE-11D9-BED3-505054503030}
  Other Account Logon Events,{0CCE9241-69AE-11D9-BED3-505054503030}
  Kerberos Authentication Service,{0CCE9242-69AE-11D9-BED3-505054503030}
 Valid values are:
 - "No Auditing"
 - "Not Specified"
 - "Success"
 - "Success and Failure"
 - "Failure"
 Further information is available at: https://msdn.microsoft.com/en-us/library/dd973859.aspx
 =end
 module Serverspec
  module Type
    class AuditPolicy < Base
      def method_missing(method)
        key = method.to_s
        # expected result:
        # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
        # WIN-MB8NINQ388J,System,Kerberos Authentication Service,{0CCE9242-69AE-11D9-BED3-505054503030},No Auditing,
        command_result ||= @runner.run_command("Auditpol /get /subcategory:'#{key}' /r")
        result = command_result.stdout
        result
        # find line
        target = nil
        result.each_line {|s| 
          target = s.strip if s.match(/\b.*#{key}.*\b/)
        }
        # extract value
        if target != nil
          # split csv values and return value
          value = target.split(',')[4]
        else 
          value = nil
        end
        value
      end
      def to_s
        %Q[Windows Advanced Auditing]
      end
    end
    def audit_policy()
      AuditPolicy.new()
    end
  end
 end
 include Serverspec::Type
--- a/lib/resources/group_policy.rb
+++ b/lib/resources/group_policy.rb
@ -0,0 +1,60 @@
 require 'json'
 # Group Policy
 module Serverspec
  module Type
    # return JSON object
    def gpo (policy_path, policy_name)
      file = ::File.read(::File.join ::File.dirname(__FILE__), "gpo.json")
      gpo_hash = JSON.parse(file)      
      key = "Machine--" + policy_path + "--" + policy_name
      gpo_hash[key]
    end
    class GroupPolicy < Base
      def getRegistryValue(entry)
        keys = entry['registry_information'][0]
        cmd = "(Get-Item 'Registry::#{keys['path']}').GetValue('#{keys['key']}')"
        command_result ||= @runner.run_command(cmd)
        val = { :exit_code => command_result.exit_status.to_i, :data => command_result.stdout }
        val
      end
      def convertValue (value)
        val = value.strip
        val = val.to_i if val.match(/^\d+$/)
      end
      # returns nil, if not existant or value
      def method_missing(meth)
        # map gpo to registry key
        entry = gpo(@name, meth.to_s)
        # get data
        val = getRegistryValue(entry)
        # verify data
        if (val[:exit_code] == 0)
          val = convertValue(val[:data])
        else
          nil
        end
      end
      def to_s
        'Group Policy'
      end
    end
    def group_policy(policy_path)
      GroupPolicy.new(policy_path)
    end
  end
 end
 include Serverspec::Type
--- a/lib/resources/registry_key.rb
+++ b/lib/resources/registry_key.rb
@ -0,0 +1,60 @@
 require 'json'
 # Registry Key Helper
 module Serverspec
  module Type
    class RegistryKey < Base
      attr_accessor :reg_key
      def getRegistryValue(path, key)
        cmd = "(Get-Item 'Registry::#{path}').GetValue('#{key}')"
        command_result ||= @runner.run_command(cmd)
        val = { :exit_code => command_result.exit_status.to_i, :data => command_result.stdout }
        val
      end
      def convertValue (value)
        val = value.strip
        val = val.to_i if val.match(/^\d+$/)
      end
      # returns nil, if not existant or value
      def method_missing(meth)
        # get data
        val = getRegistryValue(@reg_key, meth)
        # verify data
        if (val[:exit_code] == 0)
          val = convertValue(val[:data])
        else
          nil
        end
      end
      def to_s
        "Registry Key #{@name}"
      end
    end
    def registry_key(name, reg_key=nil)
      # if we have one parameter, we use it as name
      if reg_key == nil
        reg_key = name
      end
      # initialize variable
      i = RegistryKey.new(name)
      i.reg_key = reg_key
      i
    end
  end
 end
 include Serverspec::Type
--- a/lib/resources/security_policy.rb
+++ b/lib/resources/security_policy.rb
@ -0,0 +1,74 @@
 # Security Configuration and Analysis
 #
 # Export local security policy:
 # secedit /export /cfg secpol.cfg
 #
 # @link http://www.microsoft.com/en-us/download/details.aspx?id=25250
 # 
 # In Windows, some security options are managed differently that the local GPO
 # All local GPO parameters can be examined via Registry, but not all security 
 # parameters. Therefore we need a combination of Registry and secedit output
 module Serverspec
  module Type
    class SecurityPolicy < Base
      # static variable, shared across all instances
      @@loaded = false
      @@policy = nil
      @@exit_status = nil
      # load security content
      def load
        # export the security policy
        @runner.run_command('secedit /export /cfg win_secpol.cfg')
        # store file content
        command_result ||= @runner.run_command('type win_secpol.cfg')
        # delete temp file
        @runner.run_command('del win_secpol.cfg')
        @@exit_status = command_result.exit_status.to_i
        @@policy = command_result.stdout
        @@loaded = true
        # returns self
        self
      end
      def method_missing(method)
        # load data if needed
        if (@@loaded == false)
          load
        end
        # find line with key
        key = method.to_s
        target = ""
        @@policy.each_line {|s| 
          target = s.strip if s.match(/\b#{key}\s*=\s*(.*)\b/)
        }
        # extract variable value
        result = target.match(/[=]{1}\s*(?<value>.*)/)
        val = result[:value]
        val = val.to_i if val.match(/^\d+$/)
        val
      end
      def to_s
        %Q[Security Policy]
      end
    end
    def security_policy()
      SecurityPolicy.new()
    end
  end
 end
 include Serverspec::Type
--- a/lib/vulcano.rb
+++ b/lib/vulcano.rb
@ -4,11 +4,15 @@
 require 'utils/spec_helper'
 require 'resources/audit_policy'
 require 'resources/group_policy'
 require 'resources/mysql_conf'
 require 'resources/mysql_session'
 require 'resources/postgres_conf'
 require 'resources/postgres_session'
 require 'resources/processes'
 require 'resources/registry_key'
 require 'resources/security_policy'
 require 'resources/ssh_conf'
 # Dummy module for handling additional attributes