diff --git a/.github/ISSUE_TEMPLATE/general.md b/.github/ISSUE_TEMPLATE/general.md
new file mode 100644
index 000000000..625a8edd7
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/general.md
@@ -0,0 +1,4 @@
+---
+name: General question or documentation update
+about: If you have a general question around PowerStig or documentation update.
+---
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
new file mode 100644
index 000000000..002359c91
--- /dev/null
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,20 @@
+ + **Pull Request (PR) description:** + **This Pull Request (PR) fixes the following issues:** + **Task list:**
+- [] Change details added to Unreleased section of README.md (Not required for Convert modules)?
+- [] Added/updated documentation, comment-based help and descriptions where appropriate?
+- [] Examples appropriately updated?
+- [] New/changed code adheres to [Style Guidelines](https://github.com/PowerShell/DscResources/blob/master/StyleGuidelines.md)?
+- [] Unit and (optional) Integration tests created/updated where possible?
diff --git a/.gitignore b/.gitignore
index 6f4d0fcb4..142fc2435 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,8 @@
 DSCResource.Tests
 PowerStig.Tests
 .vscode/
+.vs/ProjectSettings.json
+.vs/VSWorkspaceState.json
+.vs/slnx.sqlite
+.vs/PowerStig/v15/.suo
+.gitignore
diff --git a/Module/Common/Common.psm1 b/Module/Common/Common.psm1
index 4e3b25876..c637ce525 100644
--- a/Module/Common/Common.psm1
+++ b/Module/Common/Common.psm1
@@ -1,7 +1,7 @@
-#region Header
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
-#endregion
+# Header
+
 #region Enum
 <#
 STIGS have an associated severity that determines the impact of the finding if it
diff --git a/Module/Common/Data.ps1 b/Module/Common/Data.ps1
index 4d024be57..6b15f3727 100644
--- a/Module/Common/Data.ps1
+++ b/Module/Common/Data.ps1
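Review bot: The task-list items in the new PULL_REQUEST_TEMPLATE.md are written as `- []`, which GitHub does not render as a checkbox; each needs a space inside the brackets, `- [ ] Change details added to Unreleased section of README.md (Not required for Convert modules)?`, and likewise for the other four items. Without it the list shows literal brackets and contributors cannot tick items off. The hunk header counts 20 added lines but only the eight shown here survived, so the rest of the template could not be reviewed.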
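Review bot: The last line added to .gitignore ignores `.gitignore` itself, which looks unintended; the file is already tracked so the entry has no effect on it here, but any new `.gitignore` created in a subdirectory would be silently left untracked. Dropping that line keeps the four `.vs/` entries, which are the real change; a single `.vs/` entry would also cover the Visual Studio state files without listing them one by one.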
@@ -35,6 +35,8 @@ data RegularExpression
 # Windows Feature Rule Matches
+ WindowsFeatureName = Get-WindowsFeature\\s-Name\\s*\\w+.\\w+
+ FeatureNameEquals = FeatureName\\s-eq\\s*\\S*
 FeatureNameSpaceColon = FeatureName\\s\\:\\s\\S*
diff --git a/Module/Common/Function.RangeConversion.ps1 b/Module/Common/Function.RangeConversion.ps1
index a4dff8b4f..1b4d3411a 100644
--- a/Module/Common/Function.RangeConversion.ps1
+++ b/Module/Common/Function.RangeConversion.ps1
@@ -39,13 +39,14 @@ function Get-OrganizationValueTestString
 continue
 }
 {
- (Test-StringIsLessThan -String $PSItem) -or
- (Test-StringIsLessThanOrEqual -String $PSItem) -or
- (Test-StringIsLessThanButNot -String $PSItem) -or
- (Test-StringIsLessThanOrEqualButNot -String $PSItem) -or
- (Test-StringIsGreaterThan -String $PSItem) -or
- (Test-StringIsGreaterThanOrEqual -String $PSItem) -or
- (Test-StringIsGreaterThanButNot -String $PSItem) -or
+ (Test-StringIsLessThan -String $PSItem) -or
+ (Test-StringIsLessThanOrEqual -String $PSItem) -or
+ (Test-StringIsLessThanButNot -String $PSItem) -or
+ (Test-StringIsLessThanOrEqualButNot -String $PSItem) -or
+ (Test-StringIsLessThanOrEqualExcluding -String $PSItem) -or
+ (Test-StringIsGreaterThan -String $PSItem) -or
+ (Test-StringIsGreaterThanOrEqual -String $PSItem) -or
+ (Test-StringIsGreaterThanButNot -String $PSItem) -or
 (Test-StringIsGreaterThanOrEqualButNot -String $PSItem)
 }
 {
@@ -81,7 +82,14 @@ function Get-TestStringTokenNumbers
 if ($match)
 {
- [convert]::ToInt32($match,16)
+ if ($number.count -gt 2)
+ {
+ $number[1, 2]
+ }
+ else
+ {
+ [convert]::ToInt32($match,16)
+ }
 }
 else
 {
@@ -174,6 +182,10 @@ function ConvertTo-TestString
 {
 return "{0} -le '$($number[0])' -and {0} -gt '$($number[1])'"
 }
+ 'or less excluding'
+ {
+ return "{0} -le '$($number[0])' -and {0} -gt '$($number[1])'"
+ }
 }
 }
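Review bot: In the new `WindowsFeatureName` pattern the `.` in `\\w+.\\w+` is unescaped, so it matches any single character and the pattern captures exactly two word runs; if the feature name is later extracted from this match, a name with more than one separator would be cut off after its second segment. If the intent is to capture whatever token follows `-Name`, `WindowsFeatureName = Get-WindowsFeature\\s-Name\\s*\\S+` states that directly; otherwise a comment above the entry giving the expected shape of the name, e.g. `# matches 'Get-WindowsFeature -Name <feature>' where the feature name is two word runs joined by one character`, makes the limit deliberate rather than accidental.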
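Review bot: The new `if ($number.count -gt 2)` branch in `Get-TestStringTokenNumbers` discards the hex token held in `$match` and returns `$number[1, 2]` instead, with no comment saying why the hex value stops being authoritative once three or more numbers are present; `$number` is populated outside this hunk, so a reader has to infer the intent. A one-line comment such as `# three or more tokens: the decimal bound and exclusion follow the hex value, so return those rather than converting the hex` (assuming that is the reason) would tie this branch to the `0x0000001e (30) (or less, but not 0)` inputs introduced later in the file. The function begins and ends outside the hunk.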
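Review bot: The new `'or less excluding'` arm of the switch in `ConvertTo-TestString` returns exactly the string the arm directly above it returns, `"{0} -le '$($number[0])' -and {0} -gt '$($number[1])'"`. Rather than duplicating the body, the two labels can share one arm with a script-block condition, `{ $_ -in '<label of the arm above>', 'or less excluding' }`, so a later fix to one string cannot drift from the other. The enclosing switch starts and ends outside the hunk.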
@@ -209,7 +221,7 @@ function ConvertTo-HashTable
 #region Or
 <#
 .SYNOPSIS
- Checks if a string is asking for a negative or evaluation. Applies a reagular expression against
+ Checks if a string is asking for a negative or evaluation. Applies a regular expression against
 the string to look for a known pattern asking for a value to not be equal to one of 2 values.
 .PARAMETER String
@@ -251,16 +263,18 @@ function Test-StringIsNegativeOr
 }
 <#
- .SYNOPSIS
+ .SYNOPSIS
+ Checks if a string is asking for a positive or evaluation. Applies a regular expression against
+ the string to look for a known pattern asking for a value to be equal to one of 2 values.
- .PARAMETER string
- The string data to evaluate.
+ .PARAMETER string
+ The string data to evaluate.
- .EXAMPLE
- An example
+ .EXAMPLE
+ An example
- .NOTES
- # This regex looks for patterns such as "1 (Lock Workstation) or 2 (Force Logoff)"
+ .NOTES
+ # This regex looks for patterns such as "1 (Lock Workstation) or 2 (Force Logoff)"
 #>
 function Test-StringIsPositiveOr
 {
@@ -281,7 +295,7 @@ function Test-StringIsPositiveOr
 $optionalCharacter = "(\(|'|"")?"
 $regex = "^(\s*)(\d{1,})(\s*)$optionalCharacter.*$optionalCharacter" +
- "(\s*)or(\s*)(\d{1,})(\s*)$optionalCharacter.*$optionalCharacter(\s*)$"
+ "(\s*)or(\s*)(\d{1,})(\s*)$optionalCharacter.*$optionalCharacter(\s*)$"
 if ($string -match $regex)
 {
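Review bot: The filled-in help for `Test-StringIsPositiveOr` still carries the placeholder `.EXAMPLE` text `An example`, so the one section a reader most wants stays empty. The `.NOTES` line already names the shape this function recognizes, so the example can be `Test-StringIsPositiveOr -String '1 (Lock Workstation) or 2 (Force Logoff)'` preceded by `This example returns $true`, matching the other Test-StringIs* helps in this file. The `.NOTES` text reads like a code comment (`# This regex looks for ...`) and could lose the leading `#`; the `.NOTES General notes` placeholder in the `ConvertTo-OrTestString` help, re-indented later in this file, is the same kind of gap.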
@@ -294,37 +308,37 @@ function Test-StringIsPositiveOr
 }
 <#
- .SYNOPSIS
- Converts English textual representation of a comparison to a PowerShell code representation.
+ .SYNOPSIS
+ Converts English textual representation of a comparison to a PowerShell code representation.
- .DESCRIPTION
- Using the Abstract Syntax Tree capability of PowerShell, the provided string is broken into
- individual AST Tokens. Those tokens are then combined to form the PowerShell version of the
- English text.
+ .DESCRIPTION
+ Using the Abstract Syntax Tree capability of PowerShell, the provided string is broken into
+ individual AST Tokens. Those tokens are then combined to form the PowerShell version of the
+ English text.
- The output of this function is intended to be added to any STIG rule that is ambiguous due to
- a range of possibilities be valid. The test string is used to determine if a local
- organizational setting is within a valid range according to the STIG.
+ The output of this function is intended to be added to any STIG rule that is ambiguous due to
+ a range of possibilities be valid. The test string is used to determine if a local
+ organizational setting is within a valid range according to the STIG.
- .PARAMETER String
- The string to convert
+ .PARAMETER String
+ The string to convert
- .EXAMPLE
- This example returns the following comparison test
+ .EXAMPLE
+ This example returns the following comparison test
- -ne '1|2'
+ -ne '1|2'
- ConvertTo-OrTestString -String '1 or 2 = a Finding' -Operator NotEqual
+ ConvertTo-OrTestString -String '1 or 2 = a Finding' -Operator NotEqual
- .EXAMPLE
- This example returns the following comparison test
+ .EXAMPLE
+ This example returns the following comparison test
- -eq '1|2'
+ -eq '1|2'
- ConvertTo-OrTestString -String '1 (Lock Workstation) or 2 (Force Logoff)' -Operator Equal
+ ConvertTo-OrTestString -String '1 (Lock Workstation) or 2 (Force Logoff)' -Operator Equal
- .NOTES
- General notes
+ .NOTES
+ General notes
 #>
 function ConvertTo-OrTestString
 {
@@ -362,20 +376,20 @@ function ConvertTo-OrTestString
 #region Greater Than
 <#
- .SYNOPSIS
- Converts English textual representation of numeric ranges into PowerShell equivalent
- comparison statements.
+ .SYNOPSIS
+ Converts English textual representation of numeric ranges into PowerShell equivalent
+ comparison statements.
- .PARAMETER string
- The String to test.
+ .PARAMETER string
+ The String to test.
- .EXAMPLE
- This example returns $true
+ .EXAMPLE
+ This example returns $true
- Test-StringIsGreaterThan -String '14 (or greater)'
+ Test-StringIsGreaterThan -String '14 (or greater)'
- .NOTES
- Sample STIG data would convert
+ .NOTES
+ Sample STIG data would convert
 #>
 function Test-StringIsGreaterThan
 {
@@ -399,20 +413,20 @@ function Test-StringIsGreaterThan
 }
 <#
- .SYNOPSIS
- Converts English textual representation of numeric ranges into PowerShell equivalent
- comparison statements.
+ .SYNOPSIS
+ Converts English textual representation of numeric ranges into PowerShell equivalent
+ comparison statements.
- .PARAMETER string
- The String to test.
+ .PARAMETER string
+ The String to test.
- .EXAMPLE
- This example returns $true
+ .EXAMPLE
+ This example returns $true
- Test-StringIsGreaterThanOrEqual -String '0x00000032 (50) (or greater)'
+ Test-StringIsGreaterThanOrEqual -String '0x00000032 (50) (or greater)'
- .NOTES
- Sample STIG data would convert 0x00000032 (50) (or greater) into '-ge 50'"
+ .NOTES
+ Sample STIG data would convert 0x00000032 (50) (or greater) into '-ge 50'"
 #>
 function Test-StringIsGreaterThanOrEqual
 {
@@ -436,20 +450,20 @@ function Test-StringIsGreaterThanOrEqual
 }
 <#
- .SYNOPSIS
- Converts English textual representation of numeric ranges into PowerShell equivalent
- comparison statements.
+ .SYNOPSIS
+ Converts English textual representation of numeric ranges into PowerShell equivalent
+ comparison statements.
- .PARAMETER string
- The String to test.
+ .PARAMETER string
+ The String to test.
- .EXAMPLE
- This example returns $true
+ .EXAMPLE
+ This example returns $true
- Test-StringIsGreaterThanButNot -String 'Greater than 30'
+ Test-StringIsGreaterThanButNot -String 'Greater than 30'
- .NOTES
- Sample STIG data would convert 30 (or greater, but not 100)
+ .NOTES
+ Sample STIG data would convert 30 (or greater, but not 100)
 #>
 function Test-StringIsGreaterThanButNot
 {
@@ -473,20 +487,20 @@ function Test-StringIsGreaterThanButNot
 }
 <#
- .SYNOPSIS
- Converts English textual representation of numeric ranges into PowerShell equivalent
- comparison statements.
+ .SYNOPSIS
+ Converts English textual representation of numeric ranges into PowerShell equivalent
+ comparison statements.
- .PARAMETER string
- The String to test.
+ .PARAMETER string
+ The String to test.
- .EXAMPLE
- This example returns $true
+ .EXAMPLE
+ This example returns $true
- Test-StringIsGreaterThanOrEqualToButNot -String '0x00000032 (50) (or greater)'
+ Test-StringIsGreaterThanOrEqualToButNot -String '0x00000032 (50) (or greater)'
- .NOTES
- Sample STIG data
+ .NOTES
+ Sample STIG data
 #>
 function Test-StringIsGreaterThanOrEqualButNot
 {
@@ -511,17 +525,17 @@ function Test-StringIsGreaterThanOrEqualButNot
 #endregion
 #region Less Than
 <#
- .SYNOPSIS
- Converts English textual representation of numeric ranges into PowerShell equivalent
- comparison statements.
+ .SYNOPSIS
+ Converts English textual representation of numeric ranges into PowerShell equivalent
+ comparison statements.
- .PARAMETER string
- The String to test.
+ .PARAMETER string
+ The String to test.
- .EXAMPLE
- This example returns $true
+ .EXAMPLE
+ This example returns $true
- Test-StringIsLessThan -String 'is less than "14"'
+ Test-StringIsLessThan -String 'is less than "14"'
 #>
 function Test-StringIsLessThan
 {
@@ -545,17 +559,17 @@ function Test-StringIsLessThan
 }
 <#
- .SYNOPSIS
- Converts English textual representation of numeric ranges into PowerShell equivalent
- comparison statements.
+ .SYNOPSIS
+ Converts English textual representation of numeric ranges into PowerShell equivalent
+ comparison statements.
- .PARAMETER string
- The String to test.
+ .PARAMETER string
+ The String to test.
- .EXAMPLE
- This example returns $true
+ .EXAMPLE
+ This example returns $true
- Test-StringIsLessThanOrEqual -String '"4" logons or less'
+ Test-StringIsLessThanOrEqual -String '"4" logons or less'
 #>
 function Test-StringIsLessThanOrEqual
 {
@@ -579,20 +593,20 @@ function Test-StringIsLessThanOrEqual
 }
 <#
- .SYNOPSIS
- Converts English textual representation of numeric ranges into PowerShell equivalent
- compar
- comparison statements.
+ .SYNOPSIS
+ Converts English textual representation of numeric ranges into PowerShell equivalent
+ comparison statements.
- .PARAMETER string
- The String to test.
+ .PARAMETER string
+ The String to test.
- .EXAMPLE
- This example returns $true
+ .EXAMPLE
+ This example returns $true
- Test-StringIsLessThanButNot -String 'Less than 30 (but not 0)'
+ Test-StringIsLessThanButNot -String 'Less than 30 (but not 0)'
- .NOTES
- Sample STIG data would convert "Less than 30 (but not 0)" into '$i -lt "30" -and $i -gt 0'
+ .NOTES
+ Sample STIG data would convert "Less than 30 (but not 0)" into '$i -lt "30" -and $i -gt 0'
 #>
 function Test-StringIsLessThanButNot
 {
@@ -618,20 +632,26 @@ function Test-StringIsLessThanButNot
 }
 <#
- .SYNOPSIS
- Converts English textual representation of numeric ranges into PowerShell equivalent
- comparison statements.
+ .SYNOPSIS
+ Converts English textual representation of numeric ranges into PowerShell equivalent
+ comparison statements.
+
+ .PARAMETER string
+ The String to test.
+
+ .EXAMPLE
+ This example returns $true
- .PARAMETER string
- The String to test.
+ Test-StringIsLessThanOrEqualToButNot -String '30 (or less, but not 0)'
- .EXAMPLE
- This example returns $true
+ .EXAMPLE
+ This example returns $true
- Test-StringIsLessThanOrEqualToButNot -String '30 (or less, but not 0)'
+ Test-StringIsLessThanOrEqualToButNot -String '0x0000001e (30) (or less, but not 0)'
- .NOTES
- Sample STIG data would convert 30 (or less, but not 0) into '$i -le "30" -and $i -gt 0'
+ .NOTES
+ Sample STIG data would convert 30 (or less, but not 0) into '$i -le "30" -and $i -gt 0'
+ Sample STIG data would convert 0x0000001e (30) (or less, but not 0) into '$i -le "30" -and $i -gt 0'
 #>
 function Test-StringIsLessThanOrEqualButNot
 {
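Review bot: The new `.EXAMPLE` line `Test-StringIsLessThanOrEqualToButNot -String '0x0000001e (30) (or less, but not 0)'` names a function that does not exist in this file; the function documented here is `Test-StringIsLessThanOrEqualButNot`, so both example lines should use that name. The re-indented help for `Test-StringIsGreaterThanOrEqualButNot` earlier in this file has the same `...ToButNot` mismatch in its example, and its sample string `'0x00000032 (50) (or greater)'` contains no "but not" clause, so it is unlikely to illustrate that function.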
@@ -644,7 +664,44 @@ function Test-StringIsLessThanOrEqualButNot
 $String
 )
- if ($string -match "^(\s*)(\d{1,})(\s*)(\()?or(\s*)less(\s*),(\s*)but(\s*)not(\s*)(\d{1,})(\))?(\s*)$")
+ if ($string -match "^(\s*)(\d{1,})(\s*)(\()?or(\s*)less(\s*),(\s*)but(\s*)not(\s*)(\d{1,})(\))?(\s*)$" -or
+ $string -match "(\s*)(\()(\d{1,})(\))(\s*)(\()?or(\s*)less(\s*),(\s*)but(\s*)not(\s*)(\d{1,})(\))?(\s*)$")
+ {
+ $true
+ }
+ else
+ {
+ $false
+ }
+}
+<#
+ .SYNOPSIS
+ Converts English textual representation of numeric ranges into PowerShell equivalent
+ comparison statements.
+
+ .PARAMETER string
+ The String to test.
+
+ .EXAMPLE
+ This example returns $true
+
+ Test-StringIsLessThanOrEqualExcluding -String '0x0000001e (30) (or less, excluding 0)'
+
+ .NOTES
+ Sample STIG data would convert 0x0000001e (30) (or less, excluding 0) into '$i -le "30" -and $i -gt 0'
+#>
+function Test-StringIsLessThanOrEqualExcluding
+{
+ [CmdletBinding()]
+ [OutputType([bool])]
+ param
+ (
+ [parameter(Mandatory = $true)]
+ [string]
+ $String
+ )
+
+ if ($string -match "(\s*)(\()?(\d{1,})(\))?(\s*)(\()?or(\s*)less(\s*),(\s*)excluding(\s*)(\d{1,})(\))?(\s*)$")
 {
 $true
 }
@@ -666,7 +723,6 @@ function Test-StringIsLessThanOrEqualButNot
 This example returns $true
 Test-StringIsMultipleValue -String 'Possible values are orange, lemon, cherry'
-
 #>
 function Test-StringIsMultipleValue
 {
@@ -700,7 +756,6 @@ function Test-StringIsMultipleValue
 This example returns "{0} -match 'orange|lemon|cherry'""
 ConvertTo-MultipleValue -String 'Possible values are orange, lemon, cherry'
-
 #>
 function ConvertTo-MultipleValue
 {
diff --git a/Module/Convert.AccountPolicyRule/Convert.AccountPolicyRule.psm1 b/Module/Convert.AccountPolicyRule/Convert.AccountPolicyRule.psm1
index 51e8776b8..31a28bc76 100644
--- a/Module/Convert.AccountPolicyRule/Convert.AccountPolicyRule.psm1
+++ b/Module/Convert.AccountPolicyRule/Convert.AccountPolicyRule.psm1
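Review bot: The new `Test-StringIsLessThanOrEqualExcluding` pattern, and the second alternative added to `Test-StringIsLessThanOrEqualButNot`, drop the `^` anchor the original pattern has, so they match anywhere inside a longer string, not only when the text starts with the optional `0x...` hex token they are meant to tolerate. If an unanchored match is intended, say so where the pattern is used, e.g. `# unanchored: a hex prefix such as 0x0000001e may precede the '(30) (or less, ...)' clause`; otherwise anchoring with a constructed `^(\s*)(0x[0-9a-fA-F]+)?` prefix keeps the check as strict as before. The two functions are otherwise identical apart from `but(\s*)not` versus `excluding`, and a blank line between the closing `}` and the new `<#` block would match the spacing used elsewhere in the file.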
@@ -1,4 +1,3 @@
-#region Header
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 using module .\..\Common\Common.psm1
@@ -11,21 +10,49 @@ Foreach ($supportFile in $supportFileList)
 Write-Verbose "Loading $($supportFile.FullName)"
 . $supportFile.FullName
 }
-#endregion
-#region Class
+# Header
+
+<#
+ .SYNOPSIS
+ Convert the contents of an xccdf check-content element into an Account Policy object
+ .DESCRIPTION
+ The AccountPolicyRule class is used to extract the Account Policy Settings
+ from the check-content of the xccdf. Once a STIG rule is identifed as an
+ Account Policy rule, it is passed to the AccountPolicyRule class for parsing
+ and validation.
+ .PARAMETER PolicyName
+ The name of the account policy
+ .PARAMETER PolicyValue
+ The value the account policy should be set to.
+#>
 Class AccountPolicyRule : STIG
 {
- # Properties
 [string] $PolicyName
 [string] $PolicyValue
- # Constructor
+ <#
+ .SYNOPSIS
+ Default constructor
+ .DESCRIPTION
+ Converts a xccdf stig rule element into a AccountPolicyRule
+ .PARAMETER StigRule
+ The STIG rule to convert
+ #>
 AccountPolicyRule ( [xml.xmlelement] $StigRule )
 {
 $this.InvokeClass( $StigRule )
 }
- # Methods
+ #region Methods
+
+ <#
+ .SYNOPSIS
+ Gets the account policy name from the xccdf content and sets the Policy Name.
+ .DESCRIPTION
+ Gets the account policy name from the xccdf content and sets the Policy Name.
+ If the account policy that is returned is not a valid account policy Name, the
+ parser status is set to fail.
+ #>
 [void] SetPolicyName ()
 {
 $thisPolicyName = Get-AccountPolicyName -CheckContent $this.SplitCheckContent
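Review bot: The new class help for `AccountPolicyRule` misspells `identified` as `identifed` in `Once a STIG rule is identifed as an`. The constructor help in this file and in the other class files of this commit (AuditPolicyRule, DnsServerRootHintRule, DnsServerSettingRule, DocumentRule, GroupRule, IisLoggingRule) also reads `Converts a xccdf stig rule element into a ...`; `an xccdf` is the grammatical form, as is `an AuditPolicyRule` and `an IisLoggingRule` where the class name starts with a vowel. As far as I know Get-Help does not surface comment-based help on classes, so the `.PARAMETER` entries describing properties serve source readers only; that is fine, but worth a short note so nobody expects them in help output. The class body continues outside the hunk.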
@@ -36,6 +63,13 @@ Class AccountPolicyRule : STIG
 }
 }
+ <#
+ .SYNOPSIS
+ Looks for a range of valid values
+ .DESCRIPTION
+ When a range of valid values is discovered, the range needs to be extracted out
+ so. This method tests for ranges in the check-content.
+ #>
 [bool] TestPolicyValueForRange ()
 {
 if (Test-SecurityPolicyContainsRange -CheckContent $this.SplitCheckContent)
@@ -48,6 +82,13 @@ Class AccountPolicyRule : STIG
 }
 }
+ <#
+ .SYNOPSIS
+ Gets the account policy value from the xccdf content and sets the Policy value.
+ .DESCRIPTION
+ Gets the account policy value from the xccdf content and sets the Policy value.
+ If the value is determined to be invalid, it sets the parser status to failed.
+ #>
 [void] SetPolicyValue ()
 {
 $thisPolicyValue = Get-AccountPolicyValue -CheckContent $this.SplitCheckContent
@@ -58,6 +99,14 @@ Class AccountPolicyRule : STIG
 }
 }
+ <#
+ .SYNOPSIS
+ Sets the organizational value with the correct range.
+ .DESCRIPTION
+ A range of valid values is supported with PowerShell expressions. If
+ a value is allowed to be between 1 and 3, then the PowerShell
+ equivalent needs to be applied to the organizational settings list.
+ #>
 [void] SetPolicyValueRange ()
 {
 $this.set_OrganizationValueRequired($true)
@@ -69,5 +118,5 @@ Class AccountPolicyRule : STIG
 $this.set_OrganizationValueTestString( $thisPolicyValueTestString )
 }
 }
+ #endregion
 }
-#endregion
diff --git a/Module/Convert.AuditPolicyRule/Convert.AuditPolicyRule.psm1 b/Module/Convert.AuditPolicyRule/Convert.AuditPolicyRule.psm1
index 5509e2077..e8220db54 100644
--- a/Module/Convert.AuditPolicyRule/Convert.AuditPolicyRule.psm1
+++ b/Module/Convert.AuditPolicyRule/Convert.AuditPolicyRule.psm1
@@ -1,4 +1,3 @@
-#region Header
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 using module .\..\Common\Common.psm1
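Review bot: The new `.DESCRIPTION` for `TestPolicyValueForRange` breaks a sentence mid-thought: `the range needs to be extracted out` / `so. This method tests for ranges in the check-content.` The two lines read better as `When a range of valid values is discovered, the range needs to be extracted; this method tests whether the check-content contains such a range.` The `SetPolicyValue` help in the next hunk says an invalid value `sets the parser status to failed` while `SetPolicyName` says `set to fail`; one spelling throughout the class is easier to search for. The method bodies continue outside their hunks.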
@@ -11,20 +10,52 @@ Foreach ($supportFile in $supportFileList)
 Write-Verbose "Loading $($supportFile.FullName)"
 . $supportFile.FullName
 }
-#endregion
-#region Class
+# Header
+
+<#
+ .SYNOPSIS
+ Convert the contents of an xccdf check-content element into an Audit Policy object
+ .DESCRIPTION
+ The AuditPolicyRule class is used to extract the Audit Policy Settings
+ from the check-content of the xccdf. Once a STIG rule is identified as an
+ Audit Policy rule, it is passed to the AuditPolicyRule class for parsing
+ and validation.
+ .PARAMETER Subcategory
+ The name of the subcategory to configure
+ .PARAMETER AuditFlag
+ The Success or failure flag
+ .PARAMETER Ensure
+ A present or absent flag
+#>
 Class AuditPolicyRule : STIG
 {
 [string] $Subcategory
 [string] $AuditFlag
 [string] $Ensure
- # Constructor
+ <#
+ .SYNOPSIS
+ Default constructor
+ .DESCRIPTION
+ Converts an xccdf stig rule element into a AuditPolicyRule
+ .PARAMETER StigRule
+ The STIG rule to convert
+ #>
 AuditPolicyRule ( [xml.xmlelement] $StigRule )
 {
 $this.InvokeClass( $StigRule )
 }
+ #region Methods
+
+ <#
+ .SYNOPSIS
+ Extracts the subcategory name from the check-content and sets the value
+ .DESCRIPTION
+ Gets the audit policy subcategory from the xccdf content and sets the
+ value. If the audit policy subcategory that is returned is not a
+ valid subcategory, the parser status is set to fail.
+ #>
 [void] SetSubcategory ()
 {
 $thisSubcategory = Get-AuditPolicySubCategory -CheckContent $this.SplitCheckContent
@@ -35,6 +66,14 @@ Class AuditPolicyRule : STIG
 }
 }
+ <#
+ .SYNOPSIS
+ Extracts the subcategory flag from the check-content and sets the value
+ .DESCRIPTION
+ Gets the audit policy flag from the xccdf content and sets the value.
+ If the audit policy flag that is returned is not a valid flag, the
+ parser status is set to fail.
+ #>
 [void] SetAuditFlag ()
 {
 $thisAuditFlag = Get-AuditPolicyFlag -CheckContent $this.SplitCheckContent
@@ -45,9 +84,17 @@ Class AuditPolicyRule : STIG
 }
 }
+ <#
+ .SYNOPSIS
+ Sets the ensure flag to the provided value
+ .DESCRIPTION
+ Sets the ensure flag to the provided value
+ .PARAMETER EnsureFlag
+ The value the Ensure flag should be set to
+ #>
 [void] SetEnsureFlag ( [Ensure] $EnsureFlag )
 {
 $this.Ensure = $EnsureFlag
 }
+ #endregion
 }
-#endregion
diff --git a/Module/Convert.DnsServerRootHintRule/Convert.DnsServerRootHintRule.psm1 b/Module/Convert.DnsServerRootHintRule/Convert.DnsServerRootHintRule.psm1
index d8ac02ea3..9cad06776 100644
--- a/Module/Convert.DnsServerRootHintRule/Convert.DnsServerRootHintRule.psm1
+++ b/Module/Convert.DnsServerRootHintRule/Convert.DnsServerRootHintRule.psm1
@@ -1,4 +1,3 @@
-#region Header
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 using module .\..\Common\Common.psm1
@@ -11,20 +10,37 @@ Foreach ($supportFile in $supportFileList)
 Write-Verbose "Loading $($supportFile.FullName)"
 . $supportFile.FullName
 }
-#endregion
-#region Class
+# Header
+
+<#
+ .SYNOPSIS
+ Convert the contents of an xccdf check-content element into an Dns Server
+ Root Hint object
+ .DESCRIPTION
+ The DnsServerRootHintRule class is used to extract the Dns Server Root Hints
+ from the check-content of the xccdf. Once a STIG rule is identified as a
+ DnsServerRootHint, it is passed to the DnsServerRootHintRule class for
+ parsing and validation.
+ .PARAMETER HostName
+ The host name of the root hint server
+ .PARAMETER IpAddress
+ The ip address of the root hint server
+#>
 Class DnsServerRootHintRule : STIG
 {
 [string] $HostName
 [string] $IpAddress
- # Constructors
+ <#
+ .SYNOPSIS
+ Default constructor
+ .DESCRIPTION
+ Converts a xccdf stig rule element into a DnsServerRootHintRule
+ .PARAMETER StigRule
+ The STIG rule to convert
+ #>
 DnsServerRootHintRule ( [xml.xmlelement] $StigRule )
 {
 $this.InvokeClass( $StigRule )
 }
-
- # Methods
-
 }
-#endregion
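Review bot: The new `DnsServerRootHintRule` synopsis reads `into an Dns Server`; `a DNS server`, matching the `DNS server` capitalisation used in the DnsServerSettingRule help in the next file section, is the correct form, and that section's synopsis repeats the same `an Dns Server` phrase. The `.PARAMETER IpAddress` text `The ip address of the root hint server` would normally capitalise `IP` as well.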
diff --git a/Module/Convert.DnsServerSettingRule/Convert.DnsServerSettingRule.psm1 b/Module/Convert.DnsServerSettingRule/Convert.DnsServerSettingRule.psm1
index 70746b2e9..20c3fb37a 100644
--- a/Module/Convert.DnsServerSettingRule/Convert.DnsServerSettingRule.psm1
+++ b/Module/Convert.DnsServerSettingRule/Convert.DnsServerSettingRule.psm1
@@ -1,4 +1,3 @@
-#region Header
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 using module .\..\Common\Common.psm1
@@ -11,19 +10,51 @@ Foreach ($supportFile in $supportFileList)
 Write-Verbose "Loading $($supportFile.FullName)"
 . $supportFile.FullName
 }
-#endregion
-#region Class
+# Header
+
+<#
+ .SYNOPSIS
+ Convert the contents of an xccdf check-content element into an Dns Server
+ Setting object
+ .DESCRIPTION
+ The DnsServerSettingRule class is used to extract the Dns Server settings
+ from the check-content of the xccdf. Once a STIG rule is identified as a
+ DNS server setting, it is passed to the DnsServerSettingRule class for
+ parsing and validation.
+ .PARAMETER PropertyName
+ The name of the property to configure
+ .PARAMETER PropertyValue
+ The value to set the proerty to
+#>
 Class DnsServerSettingRule : STIG
 {
 [string] $PropertyName
 [string] $PropertyValue
- # Constructors
+ <#
+ .SYNOPSIS
+ Default constructor
+ .DESCRIPTION
+ Converts a xccdf stig rule element into a DnsServerSettingRule
+ .PARAMETER StigRule
+ The STIG rule to convert
+ #>
 DnsServerSettingRule ( [xml.xmlelement] $StigRule )
 {
 $this.InvokeClass( $StigRule )
 }
- # Methods
+
+ #region Methods
+
+ <#
+ .SYNOPSIS
+ Extracts the DNS server setting name from the check-content and sets
+ the value
+ .DESCRIPTION
+ Gets the DNS server setting name from the xccdf content and sets the
+ value. If the DNS server setting that is returned is not a valid name,
+ the parser status is set to fail.
+ #>
 [void] SetDnsServerPropertyName ( )
 {
 $thisDnsServerSettingPropertyName = Get-DnsServerSettingProperty -CheckContent $this.SplitCheckContent
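Review bot: The new `.PARAMETER PropertyValue` text misspells `property` as `proerty` in `The value to set the proerty to`. The `SetDnsServerPropertyName` help states that an invalid name sets `the parser status is set to fail`, but the method body ends outside the hunk, so that claim could not be checked from this view; if the method only assigns the value, the help should say only that. The hunk also keeps the `( )` spacing in `SetDnsServerPropertyName ( )` that the IisLoggingRule file in this same commit normalises to `()`.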
@@ -34,6 +65,15 @@ Class DnsServerSettingRule : STIG
 }
 }
+ <#
+ .SYNOPSIS
+ Extracts the DNS server setting value from the check-content and
+ sets the value
+ .DESCRIPTION
+ Gets the DNS server setting value from the xccdf content and sets
+ the value. If the DNS server setting that is returned is not a valid
+ property, the parser status is set to fail.
+ #>
 [void] SetDnsServerPropertyValue ( )
 {
 $thisDnsServerSettingPropertyValue = Get-DnsServerSettingPropertyValue -CheckContent $this.SplitCheckContent
@@ -43,5 +83,5 @@ Class DnsServerSettingRule : STIG
 $this.set_PropertyValue($thisDnsServerSettingPropertyValue)
 }
 }
+ #endregion
 }
-#endregion
diff --git a/Module/Convert.DocumentRule/Convert.DocumentRule.psm1 b/Module/Convert.DocumentRule/Convert.DocumentRule.psm1
index b9d3b8ec1..5a18c1334 100644
--- a/Module/Convert.DocumentRule/Convert.DocumentRule.psm1
+++ b/Module/Convert.DocumentRule/Convert.DocumentRule.psm1
@@ -1,4 +1,3 @@
-#region Header
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 using module .\..\Common\Common.psm1
@@ -11,16 +10,46 @@ Foreach ($supportFile in $supportFileList)
 Write-Verbose "Loading $($supportFile.FullName)"
 . $supportFile.FullName
 }
-#endregion
-#region Class
+# Header
+
+<#
+ .SYNOPSIS
+ Convert the contents of an xccdf check-content element into a document object
+ .DESCRIPTION
+ The DocumentRule class is used to extract the documentation requirements
+ from the check-content of the xccdf. Once a STIG rule is identified as a
+ document rule, it is passed to the DocumentRule class for parsing
+ and validation.
+#>
 Class DocumentRule : STIG
 {
- # Constructor
+ <#
+ .SYNOPSIS
+ Default constructor
+ .DESCRIPTION
+ Converts a xccdf stig rule element into a DocumentRule
+ .PARAMETER StigRule
+ The STIG rule to convert
+ #>
 DocumentRule ( [xml.xmlelement] $StigRule )
 {
 $this.InvokeClass( $StigRule )
 }
+ <#
+ .SYNOPSIS
+ Constructor that fully populates the required properties
+ .DESCRIPTION
+ Constructor that fully populates the required properties
+ .PARAMETER Id
+ The STIG ID
+ .PARAMETER Severity
+ The STIG Severity
+ .PARAMETER Title
+ The STIG Title
+ .PARAMETER RawString
+ The chcek-content element of the STIG xccdf
+ #>
 DocumentRule ( [string] $Id, [severity] $Severity, [string] $Title, [string] $RawString )
 {
 $this.Id = $Id
@@ -30,11 +59,19 @@ Class DocumentRule : STIG
 $this.SetStigRuleResource()
 }
- # Methods
+ <#
+ .SYNOPSIS
+ Converts an existing rule into a document rule
+ .DESCRIPTION
+ Provides a way to convert stig rules that have already been parsed
+ into a document rule type. There are several instances where a STIG
+ rule needs to be documented if configure a certain way.
+ .PARAMETER RuleToConvert
+ A STIG rule that has already been parsed.
+ #>
 static [DocumentRule] ConvertFrom ( [object] $RuleToConvert )
 {
 return [DocumentRule]::New($RuleToConvert.Id, $RuleToConvert.severity,
- $RuleToConvert.title, $RuleToConvert.rawString)
+ $RuleToConvert.title, $RuleToConvert.rawString)
 }
 }
-#endregion
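Review bot: The new `.PARAMETER RawString` help misspells `check-content` as `chcek-content`, and the `ConvertFrom` help's `rule needs to be documented if configure a certain way` should read `if configured a certain way`. The second constructor's `.DESCRIPTION` merely repeats its `.SYNOPSIS` (`Constructor that fully populates the required properties`); the visible `[DocumentRule]::New($RuleToConvert.Id, $RuleToConvert.severity, $RuleToConvert.title, $RuleToConvert.rawString)` call shows what it is for, so `Used by ConvertFrom to build a DocumentRule from a rule that has already been parsed.` would tell the reader something the synopsis does not. The second constructor's body continues outside the first hunk.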
diff --git a/Module/Convert.GroupRule/Convert.GroupRule.psm1 b/Module/Convert.GroupRule/Convert.GroupRule.psm1
index 49f64cb41..e87a39752 100644
--- a/Module/Convert.GroupRule/Convert.GroupRule.psm1
+++ b/Module/Convert.GroupRule/Convert.GroupRule.psm1
@@ -1,4 +1,3 @@
-#region Header
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 using module .\..\Common\Common.psm1
@@ -11,20 +10,49 @@ Foreach ($supportFile in $supportFileList)
 Write-Verbose "Loading $($supportFile.FullName)"
 . $supportFile.FullName
 }
-#endregion
-#region Class
+# Header
+
+<#
+ .SYNOPSIS
+ Convert the contents of an xccdf check-content element into a group object
+ .DESCRIPTION
+ The GroupRule class is used to extract the group membership settings
+ from the check-content of the xccdf. Once a STIG rule is identified as a
+ group rule, it is passed to the GroupRule class for parsing
+ and validation.
+ .PARAMETER GroupName
+ The Name of the group to configure
+ .PARAMETER MembersToExclude
+ The list of memmbers that are not allowed to be in the group
+#>
 Class GroupRule : STIG
 {
 [string] $GroupName
 [string[]] $MembersToExclude
- # Constructor
+ <#
+ .SYNOPSIS
+ Default constructor
+ .DESCRIPTION
+ Converts a xccdf stig rule element into a GroupRule
+ .PARAMETER StigRule
+ The STIG rule to convert
+ #>
 GroupRule ( [xml.xmlelement] $StigRule )
 {
 $this.InvokeClass($StigRule)
 }
- # Methods
+ #region Methods
+
+ <#
+ .SYNOPSIS
+ Extracts the group name from the check-content and sets the value
+ .DESCRIPTION
+ Gets the group name from the xccdf content and sets the value. If
+ the group that is returned is not a valid name, the parser status
+ is set to fail.
+ #>
 [void] SetGroupName ()
 {
 $thisGroupDetails = Get-GroupDetail -CheckContent $this.rawString
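Review bot: The new `.PARAMETER MembersToExclude` help misspells `members` as `memmbers` in `The list of memmbers that are not allowed to be in the group`. `SetGroupName` passes `$this.rawString` to `Get-GroupDetail` while the other classes in this commit pass `$this.SplitCheckContent`; since the new help block is being written anyway, one sentence on why the unsplit raw string is needed here would save the next reader a detour, e.g. `The raw check-content is used because the group name may span the split lines` if that is the reason. The method body runs past the hunk.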
@@ -35,6 +63,14 @@ Class GroupRule : STIG
 }
 }
+ <#
+ .SYNOPSIS
+ Extracts the list of group names from the check-content and sets the value
+ .DESCRIPTION
+ Gets the list of group name from the xccdf content and sets the value.
+ If the list that is returned is not a valid, the parser status is
+ set to fail
+ #>
 [void] SetMembersToExclude ()
 {
 if ($this.rawString -match 'Domain Admins group must be replaced')
@@ -50,5 +86,5 @@ Class GroupRule : STIG
 $this.set_MembersToExclude( $thisGroupMember )
 }
 }
+ #endregion
 }
-#endregion
diff --git a/Module/Convert.IISLoggingRule/Convert.IISLoggingRule.psm1 b/Module/Convert.IISLoggingRule/Convert.IISLoggingRule.psm1
index faed6f970..46d4e81ef 100644
--- a/Module/Convert.IISLoggingRule/Convert.IISLoggingRule.psm1
+++ b/Module/Convert.IISLoggingRule/Convert.IISLoggingRule.psm1
@@ -1,4 +1,3 @@
-#region Header
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 using module .\..\Common\Common.psm1
@@ -11,8 +10,28 @@ Foreach ($supportFile in $supportFileList)
 Write-Verbose "Loading $($supportFile.FullName)"
 . $supportFile.FullName
 }
-#endregion
-#region Class
+# Header
+
+<#
+ .SYNOPSIS
+ Convert the contents of an xccdf check-content element into an IIS
+ Logging object
+ .DESCRIPTION
+ The IisLoggingRule class is used to extract the IIS Log Settings from
+ the check-content of the xccdf. Once a STIG rule is identified as an
+ IIS Log rule, it is passed to the IisLoggingRule class for parsing
+ and validation.
+ .PARAMETER LogCustomFieldEntry
+
+ .PARAMETER LogFlags
+
+ .PARAMETER LogFormat
+
+ .PARAMETER LogPeriod
+
+ .PARAMETER LogTargetW3C
+
+#>
 Class IisLoggingRule : STIG
 {
 [object[]] $LogCustomFieldEntry
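Review bot: The new `SetMembersToExclude` help has a dangling article and no final stop: `If the list that is returned is not a valid, the parser status is` / `set to fail`; `If the list that is returned is not valid, the parser status is set to fail.` reads correctly. Its `.DESCRIPTION` also says `Gets the list of group name` where the synopsis says `group names`. The method body continues past the hunk.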
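Review bot: The five `.PARAMETER` entries added to the `IisLoggingRule` class help (`LogCustomFieldEntry`, `LogFlags`, `LogFormat`, `LogPeriod`, `LogTargetW3C`) are left empty, so the block names the properties without saying what any of them holds. Each needs at least a one-line description in the style of the sibling classes, e.g. `The IIS log flags to configure`; the exact wording has to come from the parsing helpers, which this hunk does not show. The class declaration continues outside the hunk.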
@@ -21,20 +40,43 @@ Class IisLoggingRule : STIG
 [string] $LogPeriod
 [string] $LogTargetW3C
- # Constructors
+ <#
+ .SYNOPSIS
+ Default constructor
+ .DESCRIPTION
+ Converts a xccdf stig rule element into a IisLoggingRule
+ .PARAMETER StigRule
+ The STIG rule to convert
+ #>
 IisLoggingRule ( [xml.xmlelement] $StigRule )
 {
 $this.InvokeClass( $StigRule )
 }
- [void] SetLogCustomFields ( )
+ <#
+ .SYNOPSIS
+ Extracts the log custom field from the check-content and sets the value
+ .DESCRIPTION
+ Gets the log custom field from the xccdf content and sets the value.
+ If the log custom field that is returned is not valid, the parser
+ status is set to fail
+ #>
+ [void] SetLogCustomFields ()
 {
 $thisLogCustomField = Get-LogCustomFieldEntry -CheckContent $this.SplitCheckContent
 $this.set_LogCustomFieldEntry( $thisLogCustomField )
 }
- [void] SetLogFlags ( )
+ <#
+ .SYNOPSIS
+ Extracts the log flag from the check-content and sets the value
+ .DESCRIPTION
+ Gets the log flag from the xccdf content and sets the value. If the
+ log flag that is returned is not valid, the parser status is set
+ to fail
+ #>
+ [void] SetLogFlags ()
 {
 $thisLogFlag = Get-LogFlag -CheckContent $this.SplitCheckContent
@@ -44,7 +86,15 @@ Class IisLoggingRule : STIG
 }
 }
- [void] SetLogFormat ( )
+ <#
+ .SYNOPSIS
+ Extracts the log format from the check-content and sets the value
+ .DESCRIPTION
+ Gets the log format from the xccdf content and sets the value. If the
+ log format that is returned is not valid, the parser status is set
+ to fail.
+ #>
+ [void] SetLogFormat ()
 {
 $thisLogFormat = Get-LogFormat -CheckContent $this.SplitCheckContent
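Review bot: The new help for `SetLogCustomFields` says `If the log custom field that is returned is not valid, the parser status is set to fail`, but the whole method body is visible here and it only calls `Get-LogCustomFieldEntry` and `set_LogCustomFieldEntry`; there is no validation branch, unlike `SetLogFlags` whose body continues past the hunk. Either trim the description to `Gets the log custom field entries from the xccdf content and sets the value.` or add the check the help promises. The `( )` to `()` signature changes are whitespace only.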
@@ -54,7 +104,15 @@ Class IisLoggingRule : STIG } } - [void] SetLogPeriod ( ) + <# + .SYNOPSIS + Extracts the log period from the check-content and sets the value + .DESCRIPTION + Gets the log period from the xccdf content and sets the value. If the + log period that is returned is not valid, the parser status is set + to fail. + #> + [void] SetLogPeriod () { $thisLogPeriod = Get-LogPeriod -CheckContent $this.SplitCheckContent @@ -64,7 +122,15 @@ Class IisLoggingRule : STIG } } - [void] SetLogTargetW3C ( ) + <# + .SYNOPSIS + Extracts the log target from the check-content and sets the value + .DESCRIPTION + Gets the log target from the xccdf content and sets the value. If the + log target that is returned is not valid, the parser status is set + to fail. + #> + [void] SetLogTargetW3C () { $thisLogTargetW3C = Get-LogTargetW3C -CheckContent $this.SplitCheckContent @@ -74,7 +140,14 @@ Class IisLoggingRule : STIG } } - [void] SetStatus ( ) + <# + .SYNOPSIS + Validates the parsed data and sets the parser status + .DESCRIPTION + Compares the created rule object against and base stig object to + make sure that all of the properties have be set to valid values. + #> + [void] SetStatus () { $baseStig = [Stig]::New() $referenceProperties = ( $baseStig | Get-Member -MemberType Property ).Name @@ -96,5 +169,7 @@ Class IisLoggingRule : STIG $this.conversionstatus = [status]::fail } } + + #endregion } -#endregion + diff --git a/Module/Convert.Main/Data.ps1 b/Module/Convert.Main/Data.ps1 index 4088bf625..ed1f42644 100644 --- a/Module/Convert.Main/Data.ps1 +++ b/Module/Convert.Main/Data.ps1 
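Review bot: The SetStatus description has two grammatical slips: `against and base stig object` should be `against a base stig object` and `have be set` should be `have been set`; the method body continues past the hunk. Separately, hunk `@@ -96,5 +169,7 @@` adds an empty `+` line after the closing `}` of the class, leaving a trailing blank line at end of file that the other modules in this commit do not have.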
@@ -28,3 +28,29 @@ data xmlElement
 organizationalSettingChild = OrganizationalSetting
 '@
 }
+
+data DscResourceModule
+{
+ ConvertFrom-StringData -stringdata @'
+ AccountPolicyRule = SecurityPolicyDsc
+ AuditPolicyRule = AuditPolicyDsc
+ DnsServerSettingRule = xDnsServer
+ DnsServerRootHintRule = PSDesiredStateConfiguration
+ DocumentRule = None
+ IisLoggingRule = xWebAdministration
+ MimeTypeRule = xWebAdministration
+ ManualRule = None
+ PermissionRule = AccessControlDsc
+ ProcessMitigationRule = ProcessMitigationDsc
+ RegistryRule = PSDesiredStateConfiguration
+ SecurityOptionRule = SecurityPolicyDsc
+ ServiceRule = xPSDesiredStateConfiguration
+ SqlScriptQueryRule = SqlServerDsc
+ UserRightRule = SecurityPolicyDsc
+ WebAppPoolRule = xWebAdministration
+ WebConfigurationPropertyRule = xWebAdministration
+ WindowsFeatureRule = PSDesiredStateConfiguration
+ WinEventLogRule = xWinEventLog
+ WmiRule = PSDesiredStateConfiguration
+'@
+}
diff --git a/Module/Convert.ManualRule/Convert.ManualRule.psm1 b/Module/Convert.ManualRule/Convert.ManualRule.psm1
index 4af280c5a..38309ab4d 100644
--- a/Module/Convert.ManualRule/Convert.ManualRule.psm1
+++ b/Module/Convert.ManualRule/Convert.ManualRule.psm1
@@ -1,4 +1,3 @@
-#region Header
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 using module .\..\Common\Common.psm1
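Review bot: The new `DscResourceModule` data section carries no comment saying what the table is for, even though every class in this commit gained comment-based help; a header such as `# Maps each PowerStig rule type to the DSC resource module that implements it; 'None' marks rule types (DocumentRule, ManualRule) that produce no DSC resource` would also tell consumers that `None` is a sentinel string to special-case, not a module to import. ServiceRule is the only entry on `xPSDesiredStateConfiguration` while RegistryRule, WindowsFeatureRule, WmiRule and DnsServerRootHintRule use `PSDesiredStateConfiguration`; if that split is deliberate, a one-line note on the ServiceRule entry would keep a later clean-up from silently changing which module gets loaded.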
@@ -11,16 +10,28 @@ Foreach ($supportFile in $supportFileList) Write-Verbose "Loading $($supportFile.FullName)" . $supportFile.FullName } -#endregion -#region Class +# Header + +<# + .SYNOPSIS + Convert the contents of an xccdf check-content element into a Manual check object + .DESCRIPTION + The ManualRule class is used to extract the manual checks from the + check-content of the xccdf. Once a STIG rule is identifed as a manual + rule, it is passed to the ManualRule class for parsing and validation. +#> Class ManualRule : STIG { - # Constructor + <# + .SYNOPSIS + Default constructor + .DESCRIPTION + Converts a xccdf stig rule element into a ManualRule + .PARAMETER StigRule + The STIG rule to convert + #> ManualRule ( [xml.xmlelement] $StigRule ) { $this.InvokeClass( $StigRule ) } - - # Methods } -#endregion diff --git a/Module/Convert.MimeTypeRule/Convert.MimeTypeRule.psm1 b/Module/Convert.MimeTypeRule/Convert.MimeTypeRule.psm1 index 0f1d78d94..9f978c32c 100644 --- a/Module/Convert.MimeTypeRule/Convert.MimeTypeRule.psm1 +++ b/Module/Convert.MimeTypeRule/Convert.MimeTypeRule.psm1 @@ -1,4 +1,3 @@ -#region Header # Copyright (c) Microsoft Corporation. All rights reserved. # Licensed under the MIT License. using module .\..\Common\Common.psm1 
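Review bot: `identifed` in the ManualRule class description should be `identified`; the same misspelling appears in the MimeTypeRule class help in the next file, where `identifed as an mime type rule` should read `identified as a mime type rule`. Fixing both now keeps the Get-Help output consistent with the other rule classes in this commit.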
@@ -11,22 +10,53 @@ Foreach ($supportFile in $supportFileList) Write-Verbose "Loading $($supportFile.FullName)" . $supportFile.FullName } -#endregion -#region Class +# Header + +<# + .SYNOPSIS + Convert the contents of an xccdf check-content element into a mime type object + .DESCRIPTION + The MimeTypeRule class is used to extract mime types from the + check-content of the xccdf. Once a STIG rule is identifed as an + mime type rule, it is passed to the MimeTypeRule class for parsing + and validation. + .PARAMETER Extension + The Name of the extension + .PARAMETER MimeType + The mime type + .PARAMETER Ensure + A present or absent flag +#> Class MimeTypeRule : STIG { [string] $Extension [string] $MimeType [string] $Ensure - # Constructors + <# + .SYNOPSIS + Default constructor + .DESCRIPTION + Converts a xccdf stig rule element into a MimeTypeRule + .PARAMETER StigRule + The STIG rule to convert + #> MimeTypeRule ( [xml.xmlelement] $StigRule ) { $this.InvokeClass( $StigRule ) } - # Methods - [void] SetExtension ( ) + #region Methods + + <# + .SYNOPSIS + Extracts the extension name from the check-content and sets the value + .DESCRIPTION + Gets the extension name from the xccdf content and sets the value. + If the extension name that is returned is not valid, the parser + status is set to fail + #> + [void] SetExtension () { $thisExtension = Get-Extension -CheckContent $this.SplitCheckContent @@ -36,7 +66,15 @@ Class MimeTypeRule : STIG } } - [void] SetMimeType ( ) + <# + .SYNOPSIS + Extracts the mime type from the check-content and sets the value + .DESCRIPTION + Gets the mime type from the xccdf content and sets the value. + If the mime type that is returned is not valid, the parser + status is set to fail + #> + [void] SetMimeType () { $thisMimeType = Get-MimeType -Extension $this.Extension 
@@ -46,7 +84,13 @@ Class MimeTypeRule : STIG } } - [void] SetEnsure ( ) + <# + .SYNOPSIS + Sets the ensure flag to the provided value + .DESCRIPTION + Sets the ensure flag to the provided value + #> + [void] SetEnsure () { $thisEnsure = Get-Ensure -CheckContent $this.SplitCheckContent @@ -56,15 +100,37 @@ Class MimeTypeRule : STIG } } + <# + .SYNOPSIS + Tests if a rule contains multiple checks + .DESCRIPTION + Search the rule text to determine if multiple mime types are defined + .PARAMETER CheckContent + The rule text from the check-content element in the xccdf + #> static [bool] HasMultipleRules ( [string] $CheckContent ) { return Test-MultipleMimeTypeRule -CheckContent ( [STIG]::SplitCheckContent( $CheckContent ) ) } + <# + .SYNOPSIS + Splits a rule into multiple checks + .DESCRIPTION + Once a rule has been found to have multiple checks, the rule needs + to be split. This method splits a mime type into multiple rules. Each + split rule id is appended with a dot and letter to keep reporting + per the ID consistent. An example would be is V-1000 contained 2 + checks, then SplitMultipleRules would return 2 objects with rule ids + V-1000.a and V-1000.b + .PARAMETER CheckContent + The rule text from the check-content element in the xccdf + #> + static [string[]] SplitMultipleRules ( [string] $CheckContent ) { return ( Split-MultipleMimeTypeRule -CheckContent ( [STIG]::SplitCheckContent( $CheckContent ) ) ) } + #endregion } -#endregion diff --git a/Module/Convert.PermissionRule/Convert.PermissionRule.psm1 b/Module/Convert.PermissionRule/Convert.PermissionRule.psm1 index 3f2e586d0..04c139c13 100644 --- a/Module/Convert.PermissionRule/Convert.PermissionRule.psm1 +++ b/Module/Convert.PermissionRule/Convert.PermissionRule.psm1 @@ -1,4 +1,3 @@ -#region Header # Copyright (c) Microsoft Corporation. All rights reserved. # Licensed under the MIT License. using module .\..\Common\Common.psm1 
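Review bot: The SetEnsure help says `Sets the ensure flag to the provided value`, but `SetEnsure ()` takes no argument and derives the flag from `Get-Ensure -CheckContent $this.SplitCheckContent`, so the description does not match the contract; `Extracts the ensure flag from the check-content and sets the value` follows the pattern the sibling SetExtension and SetMimeType help uses. The method body continues outside the hunk. In hunk `@@ -56,15 +100,37 @@` a stray blank line separates the SplitMultipleRules help block from `static [string[]] SplitMultipleRules`, unlike every other method in the file, and `An example would be is V-1000 contained 2 checks` should read `For example, if V-1000 contained 2 checks`.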
@@ -11,14 +10,37 @@ Foreach ($supportFile in $supportFileList) Write-Verbose "Loading $($supportFile.FullName)" . $supportFile.FullName } -#endregion -#region Class +# Header + +<# + .SYNOPSIS + Convert the contents of an xccdf check-content element into a permission object + .DESCRIPTION + The PermissionRule class is used to extract the permission settings + from the check-content of the xccdf. Once a STIG rule is identified a + permission rule, it is passed to the PermissionRule class for parsing + and validation. + .PARAMETER Path + The path to the object the permissions apply to + .PARAMETER AccessControlEntry + The ACE to be set on the path property + .PARAMETER Force + A flag that will overwrite the current ACE in the ACL instead of merge +#> Class PermissionRule : STIG { [string] $Path [object[]] $AccessControlEntry [bool] $Force + <# + .SYNOPSIS + Default constructor + .DESCRIPTION + Converts an xccdf stig rule element into a PermissionRule + .PARAMETER StigRule + The STIG rule to convert + #> PermissionRule ( [xml.xmlelement] $StigRule ) { $this.InvokeClass($StigRule) @@ -26,6 +48,14 @@ Class PermissionRule : STIG # Methods + <# + .SYNOPSIS + Extracts the object path from the check-content and sets the value + .DESCRIPTION + Gets the object path from the xccdf content and sets the value. + If the object path that is returned is not valid, the parser + status is set to fail + #> [void] SetPath ( ) { $thisPath = Get-PermissionTargetPath -StigString $this.SplitCheckContent 
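Review bot: The `# Methods` context line in hunk `@@ -26,6 +48,14 @@` is left as a plain comment, but the `#endregion` that hunk `@@ -67,15 +110,38 @@` adds at the end of PermissionRule then has no matching `#region`; MimeTypeRule, ProcessMitigationRule, RegistryRule, SecurityOptionRule and ServiceRule in this same commit replace the comment with `#region Methods`. PowerShell treats region markers as comments so nothing breaks, but editors will show an unbalanced region; change the context line to `#region Methods` to match the other classes. `Once a STIG rule is identified a permission rule` is also missing `as`, a phrasing repeated in the ProcessMitigationRule, RegistryRule and ServiceRule class help.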
@@ -36,19 +66,32 @@ Class PermissionRule : STIG } } + <# + .SYNOPSIS + Sets the force flag + .DESCRIPTION + For now we're setting a default value. Later there could be + additional logic here + #> [void] SetForce ( ) { - # For now we're setting a default value. Later there could be additional logic here $this.set_Force($true) } + <# + .SYNOPSIS + Extracts the ACE from the check-content and sets the value + .DESCRIPTION + Gets the ACE from the xccdf content and sets the value. If the ACE + that is returned is not valid, the parser status is set to fail + #> [void] SetAccessControlEntry ( ) { $thisAccessControlEntry = Get-PermissionAccessControlEntry -StigString $this.SplitCheckContent if ( -not $this.SetStatus( $thisAccessControlEntry ) ) { - foreach( $principal in $thisAccessControlEntry.Principal ) + foreach ( $principal in $thisAccessControlEntry.Principal ) { $this.SetStatus( $principal ) } 
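Review bot: The SetForce help only restates the old inline comment (`For now we're setting a default value`) and does not say what the unconditional `$this.set_Force($true)` means for the generated configuration, which is the security-relevant part. The class help describes Force as a flag that overwrites the current ACE in the ACL instead of merging, so, if that is how the consuming resource treats it, a sentence such as `Force is always true, so the ACL on Path is replaced by the STIG-defined entries rather than merged with existing ones` belongs here for anyone assessing what a converted STIG does to existing permissions. I cannot confirm the consuming behaviour from this hunk, so please verify before wording it as a guarantee.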
@@ -67,15 +110,38 @@ Class PermissionRule : STIG } } + <# + .SYNOPSIS + Tests if a rules contains more than one check + .DESCRIPTION + Gets the path defined in the rule from the xccdf content and then + checks for the existance of multuple entries. + .PARAMETER CheckContent + The rule text from the check-content element in the xccdf + #> static [bool] HasMultipleRules ( [string] $CheckContent ) { $permissionPaths = Get-PermissionTargetPath -StigString ([STIG]::SplitCheckContent( $CheckContent ) ) return ( Test-MultiplePermissionRule -PermissionPath $permissionPaths ) } + <# + .SYNOPSIS + Splits mutiple paths from a singel rule into multiple rules + .DESCRIPTION + Once a rule has been found to have multiple checks, the rule needs + to be split. This method splits a permission check into multiple rules. + Each split rule id is appended with a dot and letter to keep reporting + per the ID consistent. An example would be is V-1000 contained 2 + checks, then SplitMultipleRules would return 2 objects with rule ids + V-1000.a and V-1000.b + .PARAMETER CheckContent + The rule text from the check-content element in the xccdf + #> static [string[]] SplitMultipleRules ( [string] $CheckContent ) { return ( Split-MultiplePermissionRule -CheckContent ([STIG]::SplitCheckContent( $CheckContent ) ) ) } + + #endregion } -#endregion diff --git a/Module/Convert.ProcessMitigationRule/Convert.ProcessMitigationRule.psm1 b/Module/Convert.ProcessMitigationRule/Convert.ProcessMitigationRule.psm1 index 85f6c76de..78b21a083 100644 --- a/Module/Convert.ProcessMitigationRule/Convert.ProcessMitigationRule.psm1 +++ b/Module/Convert.ProcessMitigationRule/Convert.ProcessMitigationRule.psm1 @@ -1,4 +1,3 @@ -#region Header # Copyright (c) Microsoft Corporation. All rights reserved. # Licensed under the MIT License. using module .\..\Common\Common.psm1 
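Review bot: The HasMultipleRules and SplitMultipleRules help for PermissionRule has several spelling slips: `Tests if a rules contains` should be `Tests if a rule contains`, `existance of multuple entries` should be `existence of multiple entries`, and `Splits mutiple paths from a singel rule` should be `Splits multiple paths from a single rule`. `An example would be is V-1000 contained 2 checks` reads better as `For example, if V-1000 contained 2 checks`, and the same sentence is copied into the MimeTypeRule, ProcessMitigationRule, RegistryRule and ServiceRule help.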
@@ -11,21 +10,54 @@ Foreach ($supportFile in $supportFileList) Write-Verbose "Loading $($supportFile.FullName)" . $supportFile.FullName } -#endregion -#region Class -Class ProcessMitigationRule:STIG +# Header + +<# + .SYNOPSIS + Convert the contents of an xccdf check-content element into a process + mitigation object + .DESCRIPTION + The ProcessMitigationRule class is used to extract the process mitigation + settings from the check-content of the xccdf. Once a STIG rule is identified + a process Mitigation rule, it is passed to the ProcessMitigationRule class + for parsing and validation. + .PARAMETER MitigationTarget + The object the mitigation applies to + .PARAMETER Enable + A flag to enable the mitigation rule + .PARAMETER Disable + A flag to disable the mitigation rule +#> +Class ProcessMitigationRule : STIG { [string] $MitigationTarget [string] $Enable [string] $Disable - # Constructor + <# + .SYNOPSIS + Default constructor + .DESCRIPTION + Converts a xccdf stig rule element into a ProcessMitigationRule + .PARAMETER StigRule + The STIG rule to convert + #> ProcessMitigationRule ( [xml.xmlelement] $StigRule ) { $this.InvokeClass( $StigRule ) } - # Methods + #region Methods + + <# + .SYNOPSIS + Extracts the mitigation target name from the check-content and sets + the value + .DESCRIPTION + Gets the mitigation target name from the xccdf content and sets the + value. If the mitigation target name that is returned is not valid, + the parser status is set to fail + #> [void] SetMitigationTargetName () { $thisMitigationTargetName = Get-MitigationTargetName -CheckContent $this.SplitCheckContent @@ -36,6 +68,13 @@ Class ProcessMitigationRule:STIG } } + <# + .SYNOPSIS + Enables the mitigation target + .DESCRIPTION + Sets the mitigation target to enabled. If the mitigation target is + not set to enabled, it is set to disabled + #> [void] SetMitigationToEnable () { $thisMitigation = Get-MitigationPolicyToEnable -CheckContent $this.SplitCheckContent 
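Review bot: The SetMitigationToEnable description in hunk `@@ -36,6 +68,13 @@` promises a fallback (`If the mitigation target is not set to enabled, it is set to disabled`) that is not visible in the hunk — the method body continues past its last line — so please confirm the disable branch exists before documenting it. In the class help, `Once a STIG rule is identified a process Mitigation rule` is missing `as` and capitalises `Mitigation` mid-sentence.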
@@ -46,14 +85,36 @@ Class ProcessMitigationRule:STIG } } + <# + .SYNOPSIS + Tests if a rule contains multiple checks + .DESCRIPTION + Search the rule text to determine if multiple mitigationsare defined + .PARAMETER MitigationTarget + The object the mitigation applies to + #> static [bool] HasMultipleRules ( [string] $MitigationTarget ) { return ( Test-MultipleProcessMitigationRule -MitigationTarget $MitigationTarget ) } + <# + .SYNOPSIS + Splits a rule into multiple checks + .DESCRIPTION + Once a rule has been found to have multiple checks, the rule needs + to be split. This method splits a {0} into multiple rules. Each + split rule id is appended with a dot and letter to keep reporting + per the ID consistent. An example would be is V-1000 contained 2 + checks, then SplitMultipleRules would return 2 objects with rule ids + V-1000.a and V-1000.b + .PARAMETER MitigationTarget + The object the mitigation applies to + #> static [string[]] SplitMultipleRules ( [string] $MitigationTarget ) { return ( Split-ProcessMitigationRule -MitigationTarget $MitigationTarget ) } + + #endregion } -#endregion diff --git a/Module/Convert.RegistryRule/Convert.RegistryRule.psm1 b/Module/Convert.RegistryRule/Convert.RegistryRule.psm1 index 5c04a718f..1b6670258 100644 --- a/Module/Convert.RegistryRule/Convert.RegistryRule.psm1 +++ b/Module/Convert.RegistryRule/Convert.RegistryRule.psm1 @@ -1,4 +1,3 @@ -#region Header # Copyright (c) Microsoft Corporation. All rights reserved. # Licensed under the MIT License. using module .\..\Common\Common.psm1 
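Review bot: The SplitMultipleRules help still contains a format placeholder: `This method splits a {0} into multiple rules` was evidently copied from a template and should say what is split, e.g. `This method splits a mitigation target into multiple rules`. In the HasMultipleRules block above it, `multiple mitigationsare defined` is missing a space.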
@@ -11,27 +10,59 @@ Foreach ($supportFile in $supportFileList) Write-Verbose "Loading $($supportFile.FullName)" . $supportFile.FullName } -#endregion -#region Class +# Header + +<# + .SYNOPSIS + Convert the contents of an xccdf check-content element into a RegistryRule + .DESCRIPTION + The RegistryRule class is used to extract the registry settings + from the check-content of the xccdf. Once a STIG rule is identified a + registry rule, it is passed to the RegistryRule class for parsing + and validation. + .PARAMETER Key + The registry key to be evaluated + .PARAMETER ValueName + The registry value name to be evaluated + .PARAMETER ValueData + The value data that should be appiled to the the ValueName + .PARAMETER ValueType + The type of registry value + .PARAMETER Ensure + A present or absent flag +#> Class RegistryRule : STIG { [string] $Key - [string] $ValueName - [string[]] $ValueData - [string] $ValueType - [ensure] $Ensure - # Constructors + <# + .SYNOPSIS + Default constructor + .DESCRIPTION + Converts a xccdf stig rule element into a RegistryRule + .PARAMETER StigRule + The STIG rule to convert + #> RegistryRule ( [xml.xmlelement] $StigRule ) { $this.InvokeClass( $StigRule ) } - [void] SetKey ( ) + #region Methods + + <# + .SYNOPSIS + Extracts the registry key from the check-content and sets the value + .DESCRIPTION + Gets the registry key from the xccdf content and sets the value. If + the registry key that is returned is not valid, the parser status is + set to fail. + #> + [void] SetKey () { $thisKey = Get-RegistryKey -CheckContent $this.SplitCheckContent 
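Review bot: In the RegistryRule class help, `The value data that should be appiled to the the ValueName` has two errors: `appiled` should be `applied` and `the` is doubled. Fixing it keeps the Get-Help output for RegistryRule consistent with the other rule classes; the SetKey body continues outside the hunk.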
@@ -41,7 +72,16 @@ Class RegistryRule : STIG } } - [void] SetValueName ( ) + <# + .SYNOPSIS + Extracts the registry value name from the check-content and sets + the value + .DESCRIPTION + Gets the registry value name from the xccdf content and sets the + value. If the registry value name that is returned is not valid, + the parser status is set to fail. + #> + [void] SetValueName () { $thisValueName = Get-RegistryValueName -CheckContent $this.SplitCheckContent @@ -51,7 +91,16 @@ Class RegistryRule : STIG } } - [void] SetValueType ( ) + <# + .SYNOPSIS + Extracts the registry value type from the check-content and sets + the value + .DESCRIPTION + Gets the registry value type from the xccdf content and sets the + value. If the registry value type that is returned is not valid, + the parser status is set to fail. + #> + [void] SetValueType () { $thisValueType = Get-RegistryValueType -CheckContent $this.SplitCheckContent 
@@ -62,79 +111,211 @@ Class RegistryRule : STIG $this.set_ValueType( $thisValueType ) } } - else { + else + { $this.SetEnsureFlag([Ensure]::Absent) } } + <# + .SYNOPSIS + Tests the value data for a range of valid values + .DESCRIPTION + Tests the value data string for text that describes a list of valid + values + .PARAMETER ValueDataString + The text to test + #> [bool] TestValueDataStringForRange ( [string] $ValueDataString ) { return Test-RegistryValueDataContainsRange -ValueDataString $ValueDataString } - [string] GetValueData ( ) + <# + .SYNOPSIS + Extracts the registry value data from the check-content and sets + the value + .DESCRIPTION + Gets the registry value data from the xccdf content and sets the + value. If the registry value data that is returned is not valid, + the parser status is set to fail. + #> + + [string] GetValueData () { return Get-RegistryValueData -CheckContent $this.SplitCheckContent } + <# + .SYNOPSIS + Tests if the value data is supposed to be blank + .DESCRIPTION + Some stig settings state that a registry value, if it exists, is set + to an empty value + .PARAMETER ValueDataString + The text to test + #> [bool] IsDataBlank ( [string] $ValueDataString ) { return Test-RegistryValueDataIsBlank -ValueDataString $ValueDataString } + <# + .SYNOPSIS + Tests if the value data is an enabled or disabled + .DESCRIPTION + Checks if a string contains the literal word Enabled or Disabled + .PARAMETER ValueDataString + The text to test + #> [bool] IsDataEnabledOrDisabled ( [string] $ValueDataString ) { return Test-RegistryValueDataIsEnabledOrDisabled -ValueDataString $ValueDataString } + <# + .SYNOPSIS + Get the valid version of the enabled or disabled + .DESCRIPTION + Get the valid version of the enabled or disabled, based on the the + value type. A binary enabled, cannot accept the enabled string so + the valid vaule needs to be returnd. 
+ .PARAMETER ValueType + The value tyoe to evaluate + .PARAMETER ValueData + The value data to evaluate + #> [string] GetValidEnabledOrDisabled ( [string] $ValueType, [string] $ValueData ) { return Get-ValidEnabledOrDisabled -ValueType $ValueType -ValueData $ValueData } + <# + .SYNOPSIS + Checks if a string contains a hexadecimal number + .DESCRIPTION + Checks if a string contains a hexadecimal number + .PARAMETER ValueDataString + The text to test + #> [bool] IsDataHexCode ( [string] $ValueDataString ) { return Test-RegistryValueDataIsHexCode -ValueDataString $ValueDataString } + <# + .SYNOPSIS + Returns the integer of a hexadecimal number + .DESCRIPTION + Extracts the hex code if it exists, convert to int32 and set the + output value. This ignores the int that usually accompanies the + hex value in parentheses. + .PARAMETER ValueDataString + The text to test + #> [int] GetIntegerFromHex ( [string] $ValueDataString ) { return Get-IntegerFromHex -ValueDataString $ValueDataString } + <# + .SYNOPSIS + Tests if the registry value is an integer + .DESCRIPTION + This will match any lines that start with an integer (of any length) + as the value to be set + .PARAMETER ValueDataString + The text to test + #> [bool] IsDataInteger ( [string] $ValueDataString ) { return Test-RegistryValueDataIsInteger -ValueDataString $ValueDataString } + <# + .SYNOPSIS + Returns the number from a string + .DESCRIPTION + Returns the number from a string + .PARAMETER ValueDataString + The text to test + #> [string] GetNumberFromString ( [string] $ValueDataString ) { return Get-NumberFromString -ValueDataString $ValueDataString } + <# + .SYNOPSIS + Formats a string value into a multiline string + .DESCRIPTION + Formats a string value into a multiline string by spliting it on a + space or comma space format + .PARAMETER ValueDataString + The text to test + #> [string[]] FormatMultiStringRegistryData ( [string] $ValueDataString ) { return Format-MultiStringRegistryData -ValueDataString 
$ValueDataString } + <# + .SYNOPSIS + Get the multi-value string data + .DESCRIPTION + Get the multi-value string data + .PARAMETER CheckStrings + The rule text from the check-content element in the xccdf + #> [string[]] GetMultiValueRegistryStringData ( [string[]] $CheckStrings ) { return Get-MultiValueRegistryStringData -CheckStrings $CheckStrings } + <# + .SYNOPSIS + Sets the ensure flag to the provided value + .DESCRIPTION + Sets the ensure flag to the provided value + .PARAMETER EnsureFlag + The value the Ensure flag should be set to + #> [void] SetEnsureFlag ( [Ensure] $Ensure ) { $this.Ensure = $Ensure } + <# + .SYNOPSIS + Tests if a rule contains multiple checks + .DESCRIPTION + Search the rule text to determine if multiple registry paths are defined + .PARAMETER CheckContent + The rule text from the check-content element in the xccdf + #> static [bool] HasMultipleRules ( [string] $CheckContent ) { return Test-MultipleRegistryEntries -CheckContent ( [STIG]::SplitCheckContent( $CheckContent ) ) } + <# + .SYNOPSIS + Splits a rule into multiple checks + .DESCRIPTION + Once a rule has been found to have multiple checks, the rule needs + to be split. This method splits registry paths into multiple rules. + Each split rule id is appended with a dot and letter to keep reporting + per the ID consistent. An example would be is V-1000 contained 2 + checks, then SplitMultipleRules would return 2 objects with rule ids + V-1000.a and V-1000.b + .PARAMETER CheckContent + The rule text from the check-content element in the xccdf + #> static [string[]] SplitMultipleRules ( [string] $CheckContent ) { return ( Split-MultipleRegistryEntries -CheckContent ( [STIG]::SplitCheckContent( $CheckContent ) ) ) } + + #endregion } -#endregion + diff --git a/Module/Convert.RegistryRule/Functions.SingleLine.ps1 b/Module/Convert.RegistryRule/Functions.SingleLine.ps1 index 277b2c08d..bccdc0409 100644 --- a/Module/Convert.RegistryRule/Functions.SingleLine.ps1 
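Review bot: The help added for `GetValueData ()` says it `sets the value` and sets the parser status to fail, but the method is a `[string]` getter that only returns `Get-RegistryValueData -CheckContent $this.SplitCheckContent`; `Returns the registry value data extracted from the check-content` describes it accurately, and the blank line between its `#>` and the signature should go. `SetEnsureFlag ( [Ensure] $Ensure )` is documented with `.PARAMETER EnsureFlag`, which does not match the parameter name `Ensure`, so Get-Help will not attach the text; rename the heading to `.PARAMETER Ensure`. `The value tyoe to evaluate`, `the valid vaule needs to be returnd` and `by spliting it` also have spelling errors.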
+++ b/Module/Convert.RegistryRule/Functions.SingleLine.ps1
@@ -1,10 +1,5 @@
-#region Header
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
-#using module .\..\..\Public\Class\Common.Enum.psm1
-#using module .\..\..\Public\Data\Convert.Data.psm1
-# Class module
-#endregion
 #region Main Functions
 <#
 .SYNOPSIS
diff --git a/Module/Convert.RegistryRule/Functions.ps1 b/Module/Convert.RegistryRule/Functions.ps1
index 2f65cf932..e6986b7a9 100644
--- a/Module/Convert.RegistryRule/Functions.ps1
+++ b/Module/Convert.RegistryRule/Functions.ps1
@@ -1,11 +1,5 @@
-#region Header
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
-#using module .\..\..\Public\Class\Common.Enum.psm1
-#using module .\..\..\Public\Data\Convert.Data.psm1
-# Class module
-#using module .\..\..\Public\Class\Convert.RegistryRule.psm1
-#endregion Header
 #region Main Functions
 <#
 The registry is a major target for the STIG and has quite a few twists and turns when it comes to
diff --git a/Module/Convert.SecurityOptionRule/Convert.SecurityOptionRule.psm1 b/Module/Convert.SecurityOptionRule/Convert.SecurityOptionRule.psm1
index 9c2c10625..2b8cff1d6 100644
--- a/Module/Convert.SecurityOptionRule/Convert.SecurityOptionRule.psm1
+++ b/Module/Convert.SecurityOptionRule/Convert.SecurityOptionRule.psm1
@@ -1,4 +1,3 @@
-#region Header
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 using module .\..\Common\Common.psm1
@@ -11,22 +10,49 @@ Foreach ($supportFile in $supportFileList) Write-Verbose "Loading $($supportFile.FullName)" . $supportFile.FullName } -#endregion -#region Class +# Header + +<# + .SYNOPSIS + Extracts the security option from the check-content and sets the value + .DESCRIPTION + Gets the security option from the xccdf content and sets the value. If + the security option that is returned is not valid, the parser status is + set to fail. + .PARAMETER OptionName + The security option name + .PARAMETER OptionValue + The security option value +#> Class SecurityOptionRule : STIG { - # Properties [ValidateNotNullOrEmpty()] [string] $OptionName [ValidateNotNullOrEmpty()] [string] $OptionValue - # Constructor + <# + .SYNOPSIS + Default constructor + .DESCRIPTION + Converts a xccdf STIG rule element into a SecurityOptionRule + .PARAMETER StigRule + The STIG rule to convert + #> SecurityOptionRule ( [xml.xmlelement] $StigRule ) { $this.InvokeClass( $StigRule ) } - # Methods - [void] SetOptionName ( ) + #region Methods + + <# + .SYNOPSIS + Extracts the security option name from the check-content and sets the value + .DESCRIPTION + Gets the security option name from the xccdf content and sets the + value. If the name that is returned is not valid, the parser status + is set to fail. + #> + [void] SetOptionName () { $thisName = Get-SecurityOptionName -CheckContent $this.SplitCheckContent if ( -not $this.SetStatus( $thisName ) ) @@ -35,6 +61,14 @@ Class SecurityOptionRule : STIG } } + <# + .SYNOPSIS + Checks the string for text that indicates a range of acceptable + acceptable values are allowed by the STIG. + .DESCRIPTION + Checks the string for text that indicates a range of acceptable + acceptable values are allowed by the STIG. + #> [bool] TestOptionValueForRange () { if ( Test-SecurityPolicyContainsRange -CheckContent $this.SplitCheckContent ) 
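Review bot: The class-level help on SecurityOptionRule (`Extracts the security option from the check-content and sets the value`) describes a setter method rather than the class, unlike the sibling classes whose synopsis reads `Convert the contents of an xccdf check-content element into a … object`; `Convert the contents of an xccdf check-content element into a SecurityOptionRule object` would match them. In hunk `@@ -35,6 +61,14 @@` the TestOptionValueForRange help repeats `acceptable acceptable` and copies the synopsis verbatim into `.DESCRIPTION`; that method's body continues outside the hunk.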
@@ -45,7 +79,15 @@ Class SecurityOptionRule : STIG return $false } - [void] SetOptionValue ( ) + <# + .SYNOPSIS + Extracts the security option value from the check-content and sets the value + .DESCRIPTION + Gets the security option value from the xccdf content and sets the + value. If the value that is returned is not valid, the parser status + is set to fail. + #> + [void] SetOptionValue () { $thisValue = Get-SecurityOptionValue -CheckContent $this.SplitCheckContent @@ -55,6 +97,15 @@ Class SecurityOptionRule : STIG } } + <# + .SYNOPSIS + Extracts the security option value range from the check-content and + sets the organizational test string + .DESCRIPTION + Gets the security option value range from the xccdf content and sets + the organizational test string. If the organizational value that is + returned is not valid, the parser status is set to fail. + #> [void] SetOptionValueRange () { $this.set_OrganizationValueRequired($true) @@ -66,5 +117,6 @@ Class SecurityOptionRule : STIG $this.set_OrganizationValueTestString( $thisPolicyValueTestString ) } } + + #endregion } -#endregion diff --git a/Module/Convert.ServiceRule/Convert.ServiceRule.psm1 b/Module/Convert.ServiceRule/Convert.ServiceRule.psm1 index ea83049b2..727a3b219 100644 --- a/Module/Convert.ServiceRule/Convert.ServiceRule.psm1 +++ b/Module/Convert.ServiceRule/Convert.ServiceRule.psm1 @@ -1,4 +1,3 @@ -#region Header # Copyright (c) Microsoft Corporation. All rights reserved. # Licensed under the MIT License. using module .\..\Common\Common.psm1 
@@ -11,8 +10,24 @@ Foreach ($supportFile in $supportFileList) Write-Verbose "Loading $($supportFile.FullName)" . $supportFile.FullName } -#endregion -#region Class +# Header + +<# + .SYNOPSIS + Convert the contents of an xccdf check-content element into a ServiceRule object + .DESCRIPTION + The ServiceRule class is used to extract the Service settings from the + check-content of the xccdf. Once a STIG rule is identified a service rule, + it is passed to the ServiceRule class for parsing and validation. + .PARAMETER ServiceName + The service name + .PARAMETER ServiceState + The state the service should be in + .PARAMETER StartupType + The startup type of the service + .PARAMETER Ensure + A present or absent flag +#> Class ServiceRule : STIG { [string] $ServiceName @@ -20,13 +35,29 @@ Class ServiceRule : STIG [string] $StartupType [ensure] $Ensure - # Constructor + <# + .SYNOPSIS + Default constructor + .DESCRIPTION + Converts a xccdf STIG rule element into a ServiceRule + .PARAMETER StigRule + The STIG rule to convert + #> ServiceRule ( [xml.xmlelement] $StigRule ) { $this.InvokeClass( $StigRule ) } - # Methods + #region Methods + + <# + .SYNOPSIS + Extracts the service name from the check-content and sets the value + .DESCRIPTION + Gets the service name from the xccdf content and sets the value. If + the name that is returned is not valid, the parser status is set to + fail. + #> [void] SetServiceName () { $thisServiceName = Get-ServiceName -CheckContent $this.SplitCheckContent @@ -36,9 +67,16 @@ Class ServiceRule : STIG $this.set_ServiceName( $thisServiceName ) $this.set_Ensure( [ensure]::Present ) } - } + <# + .SYNOPSIS + Extracts the service state from the check-content and sets the value + .DESCRIPTION + Gets the service state from the xccdf content and sets the value. If + the state that is returned is not valid, the parser status is set to + fail. + #> [void] SetServiceState () { $thisServiceState = Get-ServiceState -CheckContent $this.SplitCheckContent 
@@ -49,6 +87,15 @@ Class ServiceRule : STIG } } + <# + .SYNOPSIS + Extracts the service startup type from the check-content and sets + the value + .DESCRIPTION + Gets the service startup type from the xccdf content and sets the + value. If the startup type that is returned is not valid, the parser + status is set to fail. + #> [void] SetStartupType () { $thisServiceStartupType = Get-ServiceStartupType -CheckContent $this.SplitCheckContent @@ -59,14 +106,36 @@ Class ServiceRule : STIG } } + <# + .SYNOPSIS + Tests if a rule contains multiple checks + .DESCRIPTION + Search the rule text to determine if multiple services are defined + .PARAMETER CheckContent + The rule text from the check-content element in the xccdf + #> static [bool] HasMultipleRules ( [string] $Servicename ) { return ( Test-MultipleServiceRule -ServiceName $Servicename ) } + <# + .SYNOPSIS + Splits a rule into multiple checks + .DESCRIPTION + Once a rule has been found to have multiple checks, the rule needs + to be split. This method splits a services into multiple rules. Each + split rule id is appended with a dot and letter to keep reporting + per the ID consistent. An example would be is V-1000 contained 2 + checks, then SplitMultipleRules would return 2 objects with rule ids + V-1000.a and V-1000.b + .PARAMETER CheckContent + The rule text from the check-content element in the xccdf + #> static [string[]] SplitMultipleRules ( [string] $ServiceName ) { return ( Split-MultipleServiceRule -ServiceName $Servicename ) } + + #endregion } -#endregion diff --git a/Module/Convert.SqlScriptQueryRule/Convert.SqlScriptQueryRule.psm1 b/Module/Convert.SqlScriptQueryRule/Convert.SqlScriptQueryRule.psm1 index 39134c3c9..12dfd2f77 100644 --- a/Module/Convert.SqlScriptQueryRule/Convert.SqlScriptQueryRule.psm1 +++ b/Module/Convert.SqlScriptQueryRule/Convert.SqlScriptQueryRule.psm1 
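Review bot: `static [bool] HasMultipleRules ( [string] $Servicename )` and `SplitMultipleRules ( [string] $ServiceName )` in hunk `@@ -59,14 +106,36 @@` are documented with `.PARAMETER CheckContent`, but the parameter is `ServiceName`, so Get-Help will not bind the description, and `The rule text from the check-content element in the xccdf` is the wrong text for a service name. Use `.PARAMETER ServiceName` with `The service name(s) extracted from the check-content` on both. While here, `$Servicename` in the SplitMultipleRules body is case-inconsistent with its declared `$ServiceName` (PowerShell is case-insensitive so it works, but it reads like a different variable), and `This method splits a services` should be `This method splits a service rule`.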
@@ -1,4 +1,3 @@ -#region Header # Copyright (c) Microsoft Corporation. All rights reserved. # Licensed under the MIT License. using module .\..\Common\Common.psm1 @@ -11,22 +10,55 @@ Foreach ($supportFile in $supportFileList) Write-Verbose "Loading $($supportFile.FullName)" . $supportFile.FullName } -#endregion -#region Class +# Header + + <# + .SYNOPSIS + Convert the contents of an xccdf check-content element into a + SqlScriptQueryRule object + .DESCRIPTION + The SqlScriptQueryRule class is used to extract the SQL Server settings + from the check-content of the xccdf. Once a STIG rule is identified as a + SQL script query rule, it is passed to the SqlScriptQueryRule class for + parsing and validation. + .PARAMETER GetScript + The Get script content + .PARAMETER TestScript + The test script content + .PARAMETER SetScript + The set script content + #> Class SqlScriptQueryRule : STIG { [string] $GetScript - [string] $TestScript - [string] $SetScript - # Constructors + <# + .SYNOPSIS + Default constructor + .DESCRIPTION + Converts a xccdf STIG rule element into a SqlScriptQueryRule + .PARAMETER StigRule + The STIG rule to convert + #> SqlScriptQueryRule ( [xml.xmlelement] $StigRule ) { $this.InvokeClass( $StigRule ) } + #region Methods + + <# + .SYNOPSIS + Extracts the get script from the check-content and sets the value + .DESCRIPTION + Gets the get script from the xccdf content and sets the value. If + the script that is returned is not valid, the parser status is set + to fail. + .PARAMETER RuleType + The type of rule to get the get script for + #> [void] SetGetScript ( [string] $RuleType ) { $thisGetScript = & Get-$($RuleType)GetScript -CheckContent $this.SplitCheckContent 
@@ -37,6 +69,16 @@ Class SqlScriptQueryRule : STIG } } + <# + .SYNOPSIS + Extracts the test script from the check-content and sets the value + .DESCRIPTION + Gets the test script from the xccdf content and sets the value. If + the script that is returned is not valid, the parser status is set + to fail. + .PARAMETER RuleType + The type of rule to get the test script for + #> [void] SetTestScript ( $RuleType ) { $thisTestScript = & Get-$($RuleType)TestScript -CheckContent $this.SplitCheckContent @@ -47,6 +89,18 @@ Class SqlScriptQueryRule : STIG } } + <# + .SYNOPSIS + Extracts the set script from the check-content and sets the value + .DESCRIPTION + Gets the set script from the xccdf content and sets the value. If + the script that is returned is not valid, the parser status is set + to fail. + .PARAMETER RuleType + The type of rule to get the set script for + .PARAMETER FixText + The set script to run + #> [void] SetSetScript ( [string] $RuleType, [string[]] $FixText ) { $checkContent = $this.SplitCheckContent @@ -59,11 +113,20 @@ Class SqlScriptQueryRule : STIG } } + <# + .SYNOPSIS + Extracts the rule type from the check-content and sets the value + .DESCRIPTION + Gets the rule type from the xccdf content and sets the value + .PARAMETER CheckContent + The rule text from the check-content element in the xccdf + #> [string] GetRuleType ( [string[]] $CheckContent ) { $ruleType = Get-SqlRuleType -CheckContent $CheckContent return $ruleType } + + #endregion } -#endregion diff --git a/Module/Convert.Stig/Convert.Stig.psm1 b/Module/Convert.Stig/Convert.Stig.psm1 index c40fd3bc0..0a6de7eb0 100644 --- a/Module/Convert.Stig/Convert.Stig.psm1 +++ b/Module/Convert.Stig/Convert.Stig.psm1 @@ -1,4 +1,3 @@ -#region Header # Copyright (c) Microsoft Corporation. All rights reserved. # Licensed under the MIT License. using module .\..\Common\Common.psm1 
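Review bot: The class-level comment block for SqlScriptQueryRule is indented one level (`+    <#` … `+    #>`) while `Class SqlScriptQueryRule : STIG` sits at column 0, whereas every other module in this diff places the class comment at column 0 directly above the class. Outdenting the block keeps the comment-based help uniform across the Convert modules and lets a search for `^<#` find all of them.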
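Review bot: The added help documents `.PARAMETER RuleType` for `SetTestScript`, but the signature `[void] SetTestScript ( $RuleType )` (a context line, not changed here) is the only one of the three script setters without a `[string]` constraint. Because the body builds the command name to invoke from this value (`& Get-$($RuleType)TestScript`), a type constraint is the minimum guard worth having: `[void] SetTestScript ( [string] $RuleType )`. Whether `Get-SqlRuleType` can only return a fixed set of names is not visible here; if it can, say so in the `.PARAMETER RuleType` text rather than leaving the accepted values implicit.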
@@ -10,47 +9,71 @@ Foreach ($supportFile in $supportFileList) Write-Verbose "Loading $($supportFile.FullName)" . $supportFile.FullName } -#endregion -#region Class Definition +# Header + +<# + .SYNOPSIS + The base class for all STIG rule types + .DESCRIPTION + The base class for all STIG rule types to support a common initializer and + set of methods that apply to all rule types. PowerShell does not support + abstract classes, but this class is not intended to be used directly. + .PARAMETER Id + The STIG ID + .PARAMETER Title + Title string from STIG + .PARAMETER Severity + Severity data from STIG + .PARAMETER ConversionStatus + Module processing status of the raw string + .PARAMETER RawString + The raw string from the check-content element of the STIG item + .PARAMETER SplitCheckContent + The raw check string split into multiple lines for pattern matching + .PARAMETER IsNullOrEmpty + A flag to determine if a value is supposed to be empty or not. + Some items should be empty, but there needs to be a way to validate that empty is on purpose. + .PARAMETER OrganizationValueRequired + A flag to determine if a local organizational setting is required. + .PARAMETER OrganizationValueTestString + A string that can be invoked to test the chosen organizational value. + .PARAMETER DscResource + Defines the DSC resource used to configure the rule +#> Class STIG : ICloneable { - # The STIG ID - [String] $id - - # Title string from STIG - [String] $title - - # Severity data from STIG - [severity] $severity - - # Module processing status of the raw string - [status] $conversionstatus - - # The raw string from the check-content element of the STIG item - [String] $rawString - - # The raw check string split into multiple lines for pattern matching + [String] $Id + [String] $Title + [severity] $Severity + [status] $ConversionStatus + [String] $RawString hidden [string[]] $SplitCheckContent - - # A flag to determine if a value is supposed to be empty or not. 
- # Some items should be empty, but there needs to be a way to validate that empty is on purpose. [Boolean] $IsNullOrEmpty - - # A flag to determine if a local organizational setting is required. [Boolean] $OrganizationValueRequired - - # A string that can be invoked to test the chosen organizational value. [String] $OrganizationValueTestString - - # Defines the DSC resource used to configure the rule - [String] $dscresource - - # Constructors + [String] $DscResource + + <# + .SYNOPSIS + Default constructor + .DESCRIPTION + This is the base class constructor + #> STIG () { } - # Methods + #region Methods + + <# + .SYNOPSIS + The class initializer + .DESCRIPTION + Extracts all of the settings from the xccdf rule that are needed to + instantiate the base class + .PARAMETER StigRule + The STIG rule to convert + #> hidden [void] InvokeClass ( [xml.xmlelement] $StigRule ) { $this.Id = $StigRule.id @@ -70,8 +93,8 @@ Class STIG : ICloneable <# This hidden property is used by all of the methods and passed to subfunctions instead of - splitting the sting in every function. THe Select-String removes any blank lines, so - that the Mandatory parameter validataion does not fail and to prevent the need for a + splitting the sting in every function. The Select-String removes any blank lines, so + that the Mandatory parameter validation does not fail and to prevent the need for a work around by allowing empty strings in mandatory parameters. #> $this.SplitCheckContent = [STIG]::SplitCheckContent( $this.rawString ) 
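Review bot: Renaming the base-class properties from `$id`, `$title`, `$severity`, `$conversionstatus`, `$rawString` and `$dscresource` to Pascal case is transparent to PowerShell member access, but not necessarily to anything that reflects on property names — `ConvertToHashTable` later in this class and any export of the converted rules would now see `Id`, `Title`, `DscResource` as keys. If a consumer or a test fixture compares those keys case-sensitively, this hunk changes output; worth confirming before merge. The remaining methods still read `$this.rawString` and `$this.id`, which works but leaves the class mixing both spellings.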
@@ -81,22 +104,49 @@ Class STIG : ICloneable $this.OrganizationValueRequired = $false } + <# + .SYNOPSIS + Creates a shallow copy of the current + .DESCRIPTION + Creates a shallow copy of the current + #> [Object] Clone () { return $this.MemberwiseClone() } + <# + .SYNOPSIS + Tests if the rule already exists + .DESCRIPTION + Compares the rule with existing converted rules + .PARAMETER ReferenceObject + The existing converted rules + #> [Boolean] IsDuplicateRule ( [object] $ReferenceObject ) { return Test-DuplicateRule -ReferenceObject $ReferenceObject -DifferenceObject $this } + <# + .SYNOPSIS + Tags a rule as being duplicate + .DESCRIPTION + Is a rule is a duplicate, tag the title for easy filtering and reporting + #> [void] SetDuplicateTitle () { $this.title = $this.title + ' Duplicate' } - # Fail a rule conversion if a property is null or empty + <# + .SYNOPSIS + Sets the conversion status + .DESCRIPTION + Sets the conversion status + .PARAMETER Value + The value to be tested + #> [Boolean] SetStatus ( [String] $Value ) { if ( [String]::IsNullOrEmpty( $Value ) ) @@ -110,7 +160,16 @@ Class STIG : ICloneable } } - # Fail a rule conversion if a property is null or empty and not specifically allowed to be + <# + .SYNOPSIS + Sets the conversion status with an allowed blank value + .DESCRIPTION + Sets the conversion status with an allowed blank value + .PARAMETER Value + The value to be tested + .PARAMETER AllowNullOrEmpty + A flag to allow blank values + #> [Boolean] SetStatus ( [String] $Value, [Boolean] $AllowNullOrEmpty ) { if ( [String]::IsNullOrEmpty( $Value ) -and -not $AllowNullOrEmpty ) 
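Review bot: The new help on `Clone` is cut off: both `.SYNOPSIS` and `.DESCRIPTION` read `Creates a shallow copy of the current` with no object; `Creates a shallow copy of the current rule via MemberwiseClone; reference-typed members such as SplitCheckContent are shared with the copy.` says what the body actually does. In the same hunk the `SetDuplicateTitle` description has a typo, `Is a rule is a duplicate` → `If a rule is a duplicate`. The two `SetStatus` descriptions merely repeat their synopsis, while the one-line comments this hunk removes (`Fail a rule conversion if a property is null or empty` and its `... and not specifically allowed to be` variant) were the informative part; restore that wording as the `.DESCRIPTION` text.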
@@ -124,26 +183,58 @@ Class STIG : ICloneable } } + <# + .SYNOPSIS + Sets the IsNullOrEmpty value to true + .DESCRIPTION + Sets the IsNullOrEmpty value to true + #> [void] SetIsNullOrEmpty () { $this.IsNullOrEmpty = $true } + <# + .SYNOPSIS + Sets the OrganizationValueRequired value to true + .DESCRIPTION + Sets the OrganizationValueRequired value to true + #> [void] SetOrganizationValueRequired () { $this.OrganizationValueRequired = $true } - [String] GetOrganizationValueTestString ( [String] $testString ) + <# + .SYNOPSIS + Gets the organization value test string + .DESCRIPTION + Gets the organization value test string + .PARAMETER TestString + The string to extract the + #> + [String] GetOrganizationValueTestString ( [String] $TestString ) { return Get-OrganizationValueTestString -String $testString } + <# + .SYNOPSIS + Converts the object into a hashtable + .DESCRIPTION + Converts the object into a hashtable + #> [hashtable] ConvertToHashTable () { return ConvertTo-HashTable -InputObject $this } + <# + .SYNOPSIS + Sets the Dsc resource that can use the object + .DESCRIPTION + Sets the Dsc resource that can use the object + #> [void] SetStigRuleResource () { $thisDscResource = Get-StigRuleResource -RuleType $this.GetType().ToString() 
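Review bot: The `.PARAMETER TestString` text on `GetOrganizationValueTestString` ends mid-sentence (`The string to extract the`); complete it, e.g. `The string to extract the organizational value test string from`. The parameter was renamed to `$TestString` in this hunk, but the body still passes `$testString`, which resolves case-insensitively yet reads as a different variable; align the body with the declaration.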
@@ -154,55 +245,120 @@ Class STIG : ICloneable } } + <# + .SYNOPSIS + Splits the check-content element in the xccdf into an array + .DESCRIPTION + Splits the check-content element in the xccdf into an array + .PARAMETER CheckContent + The rule text from the check-content element in the xccdf + #> static [string[]] SplitCheckContent ( [String] $CheckContent ) { return ( $CheckContent -split '\n' | Select-String -Pattern "\w" | - ForEach-Object { $PSitem.ToString().Trim() } + ForEach-Object { $PSitem.ToString().Trim() } ) } + <# + .SYNOPSIS + Get the fixtext from the xccdf + .DESCRIPTION + Get the fixtext from the xccdf + .PARAMETER StigRule + The StigRule to extract the fix text from + #> static [string[]] GetFixText ( [xml.xmlelement] $StigRule ) { $fullFix = $StigRule.Rule.fixtext.'#text' $return = $fullFix -split '\n' | - Select-String -Pattern "\w" | - ForEach-Object { $PSitem.ToString().Trim() } + Select-String -Pattern "\w" | + ForEach-Object { $PSitem.ToString().Trim() } return $return } + <# + .SYNOPSIS + Returns the rule type that is should be converted to + .DESCRIPTION + Looks at the check-content data and returns the rule type that is should be converted to. + .PARAMETER CheckContent + The rule text from the check-content element in the xccdf + #> static [RuleType[]] GetRuleTypeMatchList ( [String] $CheckContent ) { return Get-RuleTypeMatchList -CheckContent $CheckContent } + <# + .SYNOPSIS + Looks for the rule to see if it already exists + .DESCRIPTION + Looks for the rule to see if it already exists + .PARAMETER RuleCollection + The global rule collection + #> [Boolean] IsExistingRule ( [object] $RuleCollection ) { return Test-ExistingRule -RuleCollection $RuleCollection $this } + + #endregion #region Hard coded Methods + + <# + .SYNOPSIS + Checks to see if the STIG is a hard coded return value + .DESCRIPTION + Accepts defeat in that the STIG string data for a select few checks + are too unwieldy to parse properly. 
The OVAL data does not provide + much more help in a few of the cases, so the STIG Id's for these + checks are hardcoded here to force a fixed value to be returned. + #> [Boolean] IsHardCoded () { return Test-ValueDataIsHardCoded -StigId $this.id } + <# + .SYNOPSIS + Returns a hard coded conversion value + .DESCRIPTION + Returns a hard coded conversion value + #> [String] GetHardCodedString () { return Get-HardCodedString -StigId $this.id } + <# + .SYNOPSIS + Checks to see if the STIG org value is a hard coded return value + .DESCRIPTION + Accepts defeat in that the STIG string data for a select few checks + are too unwieldy to parse properly. The OVAL data does not provide + much more help in a few of the cases, so the STIG Id's for these + checks are hardcoded here to force a fixed value to be returned. + #> [Boolean] IsHardCodedOrganizationValueTestString () { return Test-IsHardCodedOrganizationValueTestString -StigId $this.id } + <# + .SYNOPSIS + Returns a hard coded org value + .DESCRIPTION + Returns a hard coded org value + #> [String] GetHardCodedOrganizationValueTestString () { return Get-HardCodedOrganizationValueTestString -StigId $this.id } + #endregion } -#endregion diff --git a/Module/Convert.Stig/Data.ps1 b/Module/Convert.Stig/Data.ps1 index 50aff5022..2fae937fb 100644 --- a/Module/Convert.Stig/Data.ps1 +++ b/Module/Convert.Stig/Data.ps1 
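Review bot: The `GetRuleTypeMatchList` help in this hunk reads `Returns the rule type that is should be converted to` in both the synopsis and the description; `Returns the rule type(s) the check-content should be converted to` fixes the grammar and reflects the `[RuleType[]]` return. The `IsExistingRule` description could also note that the body passes `$this` positionally to `Test-ExistingRule`, so that helper's parameter order matters.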
@@ -1,32 +1,6 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
-data DscResourceModule
-{
- ConvertFrom-StringData -stringdata @'
- AccountPolicyRule = SecurityPolicyDsc
- AuditPolicyRule = AuditPolicyDsc
- DnsServerSettingRule = xDnsServer
- DnsServerRootHintRule = PSDesiredStateConfiguration
- DocumentRule = None
- IisLoggingRule = xWebAdministration
- MimeTypeRule = xWebAdministration
- ManualRule = None
- PermissionRule = AccessControlDsc
- ProcessMitigationRule = ProcessMitigationDsc
- RegistryRule = PSDesiredStateConfiguration
- SecurityOptionRule = SecurityPolicyDsc
- ServiceRule = xPSDesiredStateConfiguration
- SqlScriptQueryRule = SqlServerDsc
- UserRightRule = SecurityPolicyDsc
- WebAppPoolRule = xWebAdministration
- WebConfigurationPropertyRule = xWebAdministration
- WindowsFeatureRule = PSDesiredStateConfiguration
- WinEventLogRule = xWinEventLog
- WmiRule = PSDesiredStateConfiguration
-'@
-}
-
 data DscResource
 {
 ConvertFrom-StringData -stringdata @'
diff --git a/Module/Convert.Stig/Functions.ps1 b/Module/Convert.Stig/Functions.ps1
index c12b9a504..d57558448 100644
--- a/Module/Convert.Stig/Functions.ps1
+++ b/Module/Convert.Stig/Functions.ps1
@@ -39,6 +39,7 @@ function Test-ValueDataIsHardCoded
 )
 $stigIds = @(
+ 'V-30935', # DotNet4 - Registry Setting
 'V-1089', # Windows Server - Legal Notice Display
 'V-63675', # Windows Client - Legal Notice Display
 'V-26359', # Windows Server - Legal Banner Dialog Box Title
@@ -96,7 +97,7 @@ function Get-HardCodedString
 continue
 }
- {$PSItem -match 'V-21954'}
+ {$PSItem -match 'V-(21954|30935)'}
 {
 Write-Verbose -Message "[$($MyInvocation.MyCommand.Name)] SupportedEncryptionTypes : $true"
 $hardCodedString = $script:supportedEncryptionTypes
diff --git a/Module/Convert.Stig/Methods.ps1 b/Module/Convert.Stig/Methods.ps1
index e1a47330c..61e75e4cb 100644
--- a/Module/Convert.Stig/Methods.ps1
+++ b/Module/Convert.Stig/Methods.ps1
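Review bot: The widened pattern `{$PSItem -match 'V-(21954|30935)'}` in `Get-HardCodedString` is unanchored, so it also matches any id that merely contains those digits (a hypothetical `V-309351`, for example); if `$PSItem` is the bare STIG id, `{$PSItem -match '^V-(21954|30935)$'}` is the safer form, and the other `-match` arms in this switch likely deserve the same treatment. The comment on the new `Test-ValueDataIsHardCoded` entry says `DotNet4 - Registry Setting`, yet the branch that id now reaches logs `SupportedEncryptionTypes` and returns `$script:supportedEncryptionTypes`; a comment on the entry stating that V-30935 intentionally shares that hard-coded value (or a separate branch if it does not) would keep the two lists explainable. Hard-coded ids bypass the parser entirely, so each one is worth a sentence on why.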
@@ -190,7 +190,8 @@ function Get-RuleTypeMatchList
 $PSItem -NotMatch 'verify the certificate path is to a DoD root CA' -and
 $PSItem -NotMatch 'HKLM' -and
 $PSItem -NotMatch 'Authorization Rules' -and
- $PSItem -NotMatch 'regedit '
+ $PSItem -NotMatch 'regedit ' -and
+ $PSItem -NotMatch 'Enable proxy'
 )
 }
 {
diff --git a/Module/Convert.Template/Convert.Template.psm1 b/Module/Convert.Template/Convert.Template.psm1
index 2434ce970..f400bfbb2 100644
--- a/Module/Convert.Template/Convert.Template.psm1
+++ b/Module/Convert.Template/Convert.Template.psm1
@@ -1,4 +1,3 @@
-#region Header
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 using module .\..\Common\Common.psm1
@@ -11,7 +10,38 @@ Foreach ($supportFile in $supportFileList)
 Write-Verbose "Loading $($supportFile.FullName)"
 . $supportFile.FullName
 }
-#endregion
-#region Class
+# Header
 
-#endregion
+ <#
+ .SYNOPSIS
+
+ .DESCRIPTION
+
+ .PARAMETER template
+
+ .EXAMPLE
+ #>
+
+Class Tempalte
+{
+ [string] $template
+
+ <#
+ .SYNOPSIS
+ Default constructor
+
+ .DESCRIPTION
+ Converts a xccdf stig rule element into a {0}
+
+ .PARAMETER StigRule
+ The STIG rule to convert
+ #>
+ Tempalte()
+ {
+
+ }
+
+ #region Methods
+
+ #endregion
+}
diff --git a/Module/Convert.UserRightsAssignmentRule/Convert.UserRightsAssignmentRule.psm1 b/Module/Convert.UserRightsAssignmentRule/Convert.UserRightsAssignmentRule.psm1
index 003e5e685..e1879beec 100644
--- a/Module/Convert.UserRightsAssignmentRule/Convert.UserRightsAssignmentRule.psm1
+++ b/Module/Convert.UserRightsAssignmentRule/Convert.UserRightsAssignmentRule.psm1
@@ -1,4 +1,3 @@
-#region Header
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 using module .\..\Common\Common.psm1
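Review bot: The new exclusion `$PSItem -NotMatch 'Enable proxy'` in `Get-RuleTypeMatchList` carries no explanation, and it only makes sense together with the proxy branches removed from `Convert.WebConfigurationPropertyRule/Methods.ps1` later in this diff. A trailing comment such as `# ARR/proxy checks are not converted to WebConfigurationPropertyRule` on that line would tie the two changes together for the next maintainer. Note that `-NotMatch` is a case-insensitive substring test, so the phrase will also suppress any other rule text that happens to contain it.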
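Review bot: The new template class is misspelled in both places it is declared: `Class Tempalte` and the constructor `Tempalte()` should read `Class Template` and `Template()`. The constructor description leaves the `{0}` placeholder in `Converts a xccdf stig rule element into a {0}`, which is acceptable for a template only if that is the intended substitution point; a short `# replace {0} with the rule class name` next to it would make that explicit. The class-level comment block is also indented under `# Header` while the class itself is at column 0, unlike the other modules in this diff.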
@@ -11,8 +10,25 @@ Foreach ($supportFile in $supportFileList) Write-Verbose "Loading $($supportFile.FullName)" . $supportFile.FullName } -#endregion -#region Class +# Header + +<# + .SYNOPSIS + Convert the contents of an xccdf check-content element into a user right object + .DESCRIPTION + The UserRightRule class is used to extract the {} settings from the + check-content of the xccdf. Once a STIG rule is identified a + user right rule, it is passed to the UserRightRule class for parsing + and validation. + .PARAMETER DisplayName + The user right display name + .PARAMETER Constant + The user right constant + .PARAMETER Identity + The identitys that should have the user right + .PARAMETER Force + A flag that replaces the identities vs append +#> Class UserRightRule : STIG { [ValidateNotNullOrEmpty()] [string] $DisplayName @@ -20,13 +36,28 @@ Class UserRightRule : STIG [ValidateNotNullOrEmpty()] [string] $Identity [bool] $Force = $false - # Constructor + <# + .SYNOPSIS + Default constructor + .DESCRIPTION + Converts a xccdf STIG rule element into a UserRightRule + .PARAMETER StigRule + The STIG rule to convert + #> UserRightRule ( [xml.xmlelement] $StigRule ) { $this.InvokeClass( $StigRule ) } - # Methods + #region Methods + + <# + .SYNOPSIS + Extracts the display name from the check-content and sets the value + .DESCRIPTION + Gets the display name from the xccdf content and sets the value. If + the name that is returned is not valid, the parser status is set to fail. + #> [void] SetDisplayName () { $thisDisplayName = Get-UserRightDisplayName -CheckContent $this.SplitCheckContent 
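Review bot: The class description for UserRightRule still contains a placeholder, `extract the {} settings`; it should read `extract the user rights assignment settings`. Two more wording fixes in the same block: `identified a user right rule` → `identified as a user right rule`, and `The identitys that should have the user right` → `The identities that should have the user right`.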
@@ -37,6 +68,14 @@ Class UserRightRule : STIG } } + <# + .SYNOPSIS + Extracts the user right constant from the check-content and sets the value + .DESCRIPTION + Gets the user right constant from the xccdf content and sets the + value. If the constant that is returned is not valid, the parser + status is set to fail. + #> [void] SetConstant () { $thisConstant = Get-UserRightConstant -UserRightDisplayName $this.DisplayName @@ -47,6 +86,14 @@ Class UserRightRule : STIG } } + <# + .SYNOPSIS + Extracts the user right identity from the check-content and sets the value + .DESCRIPTION + Gets the user right identity from the xccdf content and sets the + value. If the identity that is returned is not valid, the parser + status is set to fail. + #> [void] SetIdentity () { $thisIdentity = Get-UserRightIdentity -CheckContent $this.SplitCheckContent @@ -71,6 +118,12 @@ Class UserRightRule : STIG #return $return } + <# + .SYNOPSIS + Extracts the force flag from the check-content and sets the value + .DESCRIPTION + Gets the force flag from the xccdf content and sets the value + #> [void] SetForce () { if ( Test-SetForceFlag -CheckContent $this.SplitCheckContent ) @@ -83,6 +136,15 @@ Class UserRightRule : STIG } } + <# + .SYNOPSIS + Tests if a rule contains multiple checks + .DESCRIPTION + Search the rule text to determine if multiple user rights are defined + .PARAMETER CheckContent + The rule text from the check-content element in the xccdf + #> + static [bool] HasMultipleRules ( [string] $CheckContent ) { if ( Test-MultipleUserRightsAssignment -CheckContent ( [STIG]::SplitCheckContent( $CheckContent ) ) ) 
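Review bot: A blank line was inserted between the closing `#>` and `static [bool] HasMultipleRules`, which detaches the help block from the method it documents and differs from every other method in this class; drop it. The commented-out `#return $return` left in `SetIdentity` (context, not changed here) is dead code the same cleanup could remove.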
@@ -93,9 +155,23 @@ Class UserRightRule : STIG return $false } + <# + .SYNOPSIS + Splits a rule into multiple checks + .DESCRIPTION + Once a rule has been found to have multiple checks, the rule needs + to be split. This method splits a user right into multiple rules. Each + split rule id is appended with a dot and letter to keep reporting + per the ID consistent. An example would be is V-1000 contained 2 + checks, then SplitMultipleRules would return 2 objects with rule ids + V-1000.a and V-1000.b + .PARAMETER CheckContent + The rule text from the check-content element in the xccdf + #> static [string[]] SplitMultipleRules ( [string] $CheckContent ) { return ( Split-MultipleUserRightsAssignment -CheckContent ( [STIG]::SplitCheckContent( $CheckContent ) ) ) } + + #endregion } -#endregion diff --git a/Module/Convert.WebAppPoolRule/Convert.WebAppPoolRule.psm1 b/Module/Convert.WebAppPoolRule/Convert.WebAppPoolRule.psm1 index 852d1d8cb..f60952a71 100644 --- a/Module/Convert.WebAppPoolRule/Convert.WebAppPoolRule.psm1 +++ b/Module/Convert.WebAppPoolRule/Convert.WebAppPoolRule.psm1 @@ -1,4 +1,3 @@ -#region Header # Copyright (c) Microsoft Corporation. All rights reserved. # Licensed under the MIT License. using module .\..\Common\Common.psm1 
@@ -11,20 +10,50 @@ Foreach ($supportFile in $supportFileList) Write-Verbose "Loading $($supportFile.FullName)" . $supportFile.FullName } -#endregion -#region Class +# Header + +<# + .SYNOPSIS + Convert the contents of an xccdf check-content element into a WebAppPoolRule object + .DESCRIPTION + The WebAppPoolRule class is used to extract the webapp pool settings + from the check-content of the xccdf. Once a STIG rule is identified as a + webapp rule, it is passed to the WebAppPoolRule class for parsing + and validation. + .PARAMETER Key + The name of the key in the web.config file + .PARAMETER Value + The value the web.config key should be set to +#> Class WebAppPoolRule : STIG { [string] $Key [string] $Value - # Constructors + <# + .SYNOPSIS + Default constructor + .DESCRIPTION + Converts a xccdf STIG rule element into a WebAppPoolRule + .PARAMETER StigRule + The STIG rule to convert + #> WebAppPoolRule ( [xml.xmlelement] $StigRule ) { $this.InvokeClass( $StigRule ) } - [void] SetKeyValuePair ( ) + #region Methods + + <# + .SYNOPSIS + Extracts the key value pair from the check-content and sets the value + .DESCRIPTION + Gets the key value pair from the xccdf content and sets the value. + If the value that is returned is not valid, the parser status is + set to fail. + #> + [void] SetKeyValuePair () { $thisKeyValuePair = Get-KeyValuePair -CheckContent $this.SplitCheckContent @@ -35,7 +64,13 @@ Class WebAppPoolRule : STIG } } - [Boolean] IsOrganizationalSetting ( ) + <# + .SYNOPSIS + Tests if and organizational value is required + .DESCRIPTION + Tests if and organizational value is required + #> + [Boolean] IsOrganizationalSetting () { if ( -not [String]::IsNullOrEmpty( $this.key ) -and [String]::IsNullOrEmpty( $this.value ) ) { 
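Review bot: The `IsOrganizationalSetting` help reads `Tests if and organizational value is required`; it should be `Tests if an organizational value is required`, and the identical text is repeated in the WebConfigurationPropertyRule hunk further down this diff. The class-level `.PARAMETER Key` / `.PARAMETER Value` entries describe a `web.config` key, which reads as if copied from the WebConfigurationPropertyRule doc; it is not visible here what `Get-KeyValuePair` extracts for an application pool, so confirm that wording matches the actual source of the value.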
@@ -43,11 +78,17 @@ Class WebAppPoolRule : STIG } else { - return $false + return $false } } - [void] SetOrganizationValueTestString ( ) + <# + .SYNOPSIS + Set the organizational value + .DESCRIPTION + Extracts the organizational value from the key and then sets the value + #> + [void] SetOrganizationValueTestString () { $thisOrganizationValueTestString = Get-OrganizationValueTestString -Key $this.key @@ -57,5 +98,6 @@ Class WebAppPoolRule : STIG $this.set_OrganizationValueRequired( $true ) } } + + #endregion } -#endregion diff --git a/Module/Convert.WebConfigurationPropertyRule/Convert.WebConfigurationPropertyRule.psm1 b/Module/Convert.WebConfigurationPropertyRule/Convert.WebConfigurationPropertyRule.psm1 index 4514c5bac..906a617fc 100644 --- a/Module/Convert.WebConfigurationPropertyRule/Convert.WebConfigurationPropertyRule.psm1 +++ b/Module/Convert.WebConfigurationPropertyRule/Convert.WebConfigurationPropertyRule.psm1 @@ -1,4 +1,3 @@ -#region Header # Copyright (c) Microsoft Corporation. All rights reserved. # Licensed under the MIT License. using module .\..\Common\Common.psm1 
@@ -11,22 +10,54 @@ Foreach ($supportFile in $supportFileList) Write-Verbose "Loading $($supportFile.FullName)" . $supportFile.FullName } -#endregion -#region Class +# Header + +<# + .SYNOPSIS + Convert the contents of an xccdf check-content element into a + WebConfigurationPropertyRule object + .DESCRIPTION + The WebConfigurationPropertyRule class is used to extract the web + configuration settings from the check-content of the xccdf. Once a STIG + rule is identified as a web configuration property rule, it is passed + to the WebConfigurationPropertyRule class for parsing and validation. + .PARAMETER ConfigSection + The section of the web.config to evaluate + .PARAMETER Key + The key in the web.config to evaluate + .PARAMETER Value + The value the web.config key should be set to +#> Class WebConfigurationPropertyRule : STIG { [string] $ConfigSection [string] $Key [string] $Value - # Constructors + <# + .SYNOPSIS + Default constructor + .DESCRIPTION + Converts a xccdf STIG rule element into a WebConfigurationPropertyRule + .PARAMETER StigRule + The STIG rule to convert + #> WebConfigurationPropertyRule ( [xml.xmlelement] $StigRule ) { $this.InvokeClass( $StigRule ) } - # Methods - [void] SetConfigSection ( ) + #region Methods + + <# + .SYNOPSIS + Extracts the config section from the check-content and sets the value + .DESCRIPTION + Gets the config section from the xccdf content and sets the value. + If the section that is returned is not valid, the parser status is + set to fail. + #> + [void] SetConfigSection () { $thisConfigSection = Get-ConfigSection -CheckContent $this.SplitCheckContent 
@@ -36,7 +67,15 @@ Class WebConfigurationPropertyRule : STIG } } - [void] SetKeyValuePair ( ) + <# + .SYNOPSIS + Extracts the key value pair from the check-content and sets the value + .DESCRIPTION + Gets the key value pair from the xccdf content and sets the value. + If the value that is returned is not valid, the parser status is + set to fail. + #> + [void] SetKeyValuePair () { $thisKeyValuePair = Get-KeyValuePair -CheckContent $this.SplitCheckContent @@ -47,7 +86,13 @@ Class WebConfigurationPropertyRule : STIG } } - [Boolean] IsOrganizationalSetting ( ) + <# + .SYNOPSIS + Tests if and organizational value is required + .DESCRIPTION + Tests if and organizational value is required + #> + [Boolean] IsOrganizationalSetting () { if ( -not [String]::IsNullOrEmpty( $this.key ) -and [String]::IsNullOrEmpty( $this.value ) ) { @@ -59,7 +104,13 @@ Class WebConfigurationPropertyRule : STIG } } - [void] SetOrganizationValueTestString ( ) + <# + .SYNOPSIS + Set the organizational value + .DESCRIPTION + Extracts the organizational value from the key and then sets the value + #> + [void] SetOrganizationValueTestString () { $thisOrganizationValueTestString = Get-OrganizationValueTestString -Key $this.key 
@@ -70,14 +121,36 @@ Class WebConfigurationPropertyRule : STIG } } + <# + .SYNOPSIS + Tests if a rule contains multiple checks + .DESCRIPTION + Search the rule text to determine if multiple web configurations are defined + .PARAMETER CheckContent + The rule text from the check-content element in the xccdf + #> static [bool] HasMultipleRules ( [string] $CheckContent ) { return Test-MultipleWebConfigurationPropertyRule -CheckContent ( [STIG]::SplitCheckContent( $CheckContent ) ) } + <# + .SYNOPSIS + Splits a rule into multiple checks + .DESCRIPTION + Once a rule has been found to have multiple checks, the rule needs + to be split. This method splits a web configuration into multiple rules. + Each split rule id is appended with a dot and letter to keep reporting + per the ID consistent. An example would be is V-1000 contained 2 + checks, then SplitMultipleRules would return 2 objects with rule ids + V-1000.a and V-1000.b + .PARAMETER CheckContent + The rule text from the check-content element in the xccdf + #> static [string[]] SplitMultipleRules ( [string] $CheckContent ) { return ( Split-MultipleWebConfigurationPropertyRule -CheckContent ( [STIG]::SplitCheckContent( $CheckContent ) ) ) } + + #endregion } -#endregion diff --git a/Module/Convert.WebConfigurationPropertyRule/Methods.ps1 b/Module/Convert.WebConfigurationPropertyRule/Methods.ps1 index 16de7ee6c..ab7bfcd78 100644 --- a/Module/Convert.WebConfigurationPropertyRule/Methods.ps1 +++ b/Module/Convert.WebConfigurationPropertyRule/Methods.ps1 @@ -85,10 +85,6 @@ function Get-ConfigSection { $configSection = '/system.web/sessionState' } - { $cleanCheckContent -match 'Application Request Routing' } - { - $configSection = '/system.webServer/proxy' - } } if ($null -ne $configSection) 
@@ -215,7 +211,7 @@ function Get-KeyValuePair
 { $CheckContent -match $script:webRegularExpression.useCookies }
 {
 $key = 'cookieless'
- $value = '1'
+ $value = 'UseCookies'
 }
 { $CheckContent -match $script:webRegularExpression.expiredSession }
 {
@@ -227,13 +223,8 @@ function Get-KeyValuePair
 $key = 'timeout'
 $value = $null
 }
- { $CheckContent -match 'Server Proxy Settings' }
- {
- $key = 'enable'
- $value = 'false'
- }
- }
+
 
 if ($null -ne $key)
 {
 Write-Verbose -Message $("[$($MyInvocation.MyCommand.Name)] Found Key: {0}, value: {1}" -f $key, $value)
diff --git a/Module/Convert.WinEventLogRule/Convert.WinEventLogRule.psm1 b/Module/Convert.WinEventLogRule/Convert.WinEventLogRule.psm1
index 05e2becca..4056d60d8 100644
--- a/Module/Convert.WinEventLogRule/Convert.WinEventLogRule.psm1
+++ b/Module/Convert.WinEventLogRule/Convert.WinEventLogRule.psm1
@@ -1,4 +1,3 @@
-#region Header
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 using module .\..\Common\Common.psm1
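Review bot: `$value = 'UseCookies'` replaces the numeric `'1'` with the enumeration name, which changes what the generated configuration writes for the `cookieless` key, and nothing in the hunk says why. A one-line comment on that assignment, `# cookieless takes the enumeration name, not its numeric value`, would stop a later reader from reverting it as a typo.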
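Review bot: Besides the `Server Proxy Settings` case, this hunk removes a trailing `}` and adds only an empty line in its place; with the whitespace collapsed here it is not possible to tell whether the `}` after `$value = $null` closes the `timeout` case or the `switch`, but if it is the former, the `switch` in `Get-KeyValuePair` is now unclosed and the file will not parse. The hunk counts (13 old lines, 8 new) are consistent with one brace fewer on the new side. Please confirm brace balance, for example by dot-sourcing the file or running PSScriptAnalyzer, before merging.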
@@ -11,21 +10,51 @@ Foreach ($supportFile in $supportFileList) Write-Verbose "Loading $($supportFile.FullName)" . $supportFile.FullName } -#endregion -#region Class +# Header + +<# + .SYNOPSIS + Convert the contents of an xccdf check-content element into a + WinEventLogRule object + .DESCRIPTION + The WinEventLogRule class is used to extract the windows event log settings + from the check-content of the xccdf. Once a STIG rule is identified as a + windows event log rule, it is passed to the WinEventLogRule class for + parsing and validation. + .PARAMETER LogName + The name of the log + .PARAMETER IsEnabled + The enabled status of the log +#> Class WinEventLogRule : STIG { [string] $LogName - [bool] $IsEnabled + [bool] $IsEnabled - # Constructors + <# + .SYNOPSIS + Default constructor + .DESCRIPTION + Converts a xccdf STIG rule element into a WinEventLogRule + .PARAMETER StigRule + The STIG rule to convert + #> WinEventLogRule ( [xml.xmlelement] $StigRule ) { $this.InvokeClass( $StigRule ) } - # Methods - [void] SetWinEventLogName ( ) + #region Methods + + <# + .SYNOPSIS + Extracts the event log from the check-content and sets the value + .DESCRIPTION + Gets the event log from the xccdf content and sets the value. If + the name that is returned is not valid, the parser status is set + to fail. + #> + [void] SetWinEventLogName () { $thisDnsWinEventLogName = Get-DnsServerWinEventLogName -StigString $this.SplitCheckContent @@ -35,11 +64,20 @@ Class WinEventLogRule : STIG } } - [void] SetWinEventLogIsEnabled ( ) + <# + .SYNOPSIS + Extracts the event log enabled status from the check-content and + sets the value + .DESCRIPTION + Gets the event log enabled status from the xccdf content and sets the + value. If the enabled status that is returned is not valid, the + parser status is set to fail. + #> + [void] SetWinEventLogIsEnabled () { - # the dns stig always sets this to true + # The DNS STIG always sets this to true $this.IsEnabled = $true } + #endregion } -#endregion 
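Review bot: The new `.DESCRIPTION` on `SetWinEventLogIsEnabled` claims `If the enabled status that is returned is not valid, the parser status is set to fail`, but the body performs no lookup and unconditionally sets `$this.IsEnabled = $true`; replace it with `Always sets IsEnabled to true; the DNS STIG only contains rules that require the log to be enabled.` The `SetWinEventLogName` help is written generically while the method calls `Get-DnsServerWinEventLogName` and stores the result in `$thisDnsWinEventLogName`, so a sentence noting that this rule type currently covers only the DNS server log would set expectations for anyone extending it.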
diff --git a/Module/Convert.WindowsFeatureRule/Convert.WindowsFeatureRule.psm1 b/Module/Convert.WindowsFeatureRule/Convert.WindowsFeatureRule.psm1 index 95aee6710..f93ad7894 100644 --- a/Module/Convert.WindowsFeatureRule/Convert.WindowsFeatureRule.psm1 +++ b/Module/Convert.WindowsFeatureRule/Convert.WindowsFeatureRule.psm1 @@ -1,4 +1,3 @@ -#region Header # Copyright (c) Microsoft Corporation. All rights reserved. # Licensed under the MIT License. using module .\..\Common\Common.psm1 @@ -11,23 +10,49 @@ Foreach ($supportFile in $supportFileList) Write-Verbose "Loading $($supportFile.FullName)" . $supportFile.FullName } -#endregion -#region Class +# Header + +<# + .SYNOPSIS + Convert the contents of an xccdf check-content element into a windows + feature object + .DESCRIPTION + The WindowsFeatureRule class is used to extract the windows feature from + the check-content of the xccdf. Once a STIG rule is identified as a + windows feature rule, it is passed to the WindowsFeatureRule class for + parsing and validation. + .PARAMETER FeatureName + The windows feature name + .PARAMETER InstallState + The state the windows feature should be in +#> Class WindowsFeatureRule : STIG { - [string] - $FeatureName - - [string] - $InstallState + [string] $FeatureName + [string] $InstallState - # Constructor + <# + .SYNOPSIS + Default constructor + .DESCRIPTION + Converts a xccdf STIG rule element into a WindowsFeatureRule + .PARAMETER StigRule + The STIG rule to convert + #> WindowsFeatureRule ( [xml.xmlelement] $StigRule ) { $this.InvokeClass($StigRule) } - # Methods + #region Methods + + <# + .SYNOPSIS + Extracts the feature name from the check-content and sets the value + .DESCRIPTION + Gets the feature name from the xccdf content and sets the value. If + the name that is returned is not valid, the parser status is set to fail. + #> [void] SetFeatureName () { $thisFeatureName = Get-WindowsFeatureName -CheckContent $this.RawString 
@@ -38,6 +63,13 @@ Class WindowsFeatureRule : STIG } } + <# + .SYNOPSIS + Extracts the feature state from the check-content and sets the value + .DESCRIPTION + Gets the feature state from the xccdf content and sets the value. If + the state that is returned is not valid, the parser status is set to fail. + #> [void] SetFeatureInstallState () { $thisInstallState = Get-FeatureInstallState -CheckContent $this.RawString @@ -48,14 +80,37 @@ Class WindowsFeatureRule : STIG } } + <# + .SYNOPSIS + Tests if a rule contains multiple checks + .DESCRIPTION + Search the rule text to determine if multiple {0} are defined + .PARAMETER FeatureName + The feature name from the rule text from the check-content element + in the xccdf + #> static [bool] HasMultipleRules ( [string] $FeatureName ) { return ( Test-MultipleWindowsFeatureRule -FeatureName $FeatureName ) } + <# + .SYNOPSIS + Splits a rule into multiple checks + .DESCRIPTION + Once a rule has been found to have multiple checks, the rule needs + to be split. This method splits a windows feature into multiple rules. + Each split rule id is appended with a dot and letter to keep reporting + per the ID consistent. An example would be is V-1000 contained 2 + checks, then SplitMultipleRules would return 2 objects with rule ids + V-1000.a and V-1000.b + .PARAMETER CheckContent + The rule text from the check-content element in the xccdf + #> static [string[]] SplitMultipleRules ( [string] $FeatureName ) { return ( Split-WindowsFeatureRule -FeatureName $FeatureName ) } + + #endregion } -#endregion diff --git a/Module/Convert.WindowsFeatureRule/Methods.ps1 b/Module/Convert.WindowsFeatureRule/Methods.ps1 index 3684ded23..440f17daa 100644 --- a/Module/Convert.WindowsFeatureRule/Methods.ps1 +++ b/Module/Convert.WindowsFeatureRule/Methods.ps1 
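Review bot: The new help on `SplitMultipleRules` documents `.PARAMETER CheckContent`, but the method's only parameter is `[string] $FeatureName`; it should read `.PARAMETER FeatureName` with text like `The feature name text taken from the check-content element in the xccdf`. In the same hunk the `.DESCRIPTION` of `HasMultipleRules` still contains a literal `{0}` placeholder (`Search the rule text to determine if multiple {0} are defined`), apparently left over from a template, which should be replaced with `feature names`. Minor wording: `An example would be is V-1000 contained 2 checks` reads better as `For example, if V-1000 contained 2 checks`.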
@@ -25,6 +25,11 @@ function Get-WindowsFeatureName { switch ($CheckContent) { + { $PSItem -match $script:regularExpression.WindowsFeatureName } + { + $matches = $CheckContent | Select-String -Pattern $script:regularExpression.WindowsFeatureName + $windowsFeatureName += ( $matches.Matches.Value -replace 'Get-WindowsFeature\s-Name' ).Trim() + } { $PSItem -match $script:regularExpression.FeatureNameEquals } { $matches = $CheckContent | Select-String -Pattern $script:regularExpression.FeatureNameEquals diff --git a/Module/Convert.WmiRule/Convert.WmiRule.psm1 b/Module/Convert.WmiRule/Convert.WmiRule.psm1 index a0f1373cd..5eda71495 100644 --- a/Module/Convert.WmiRule/Convert.WmiRule.psm1 +++ b/Module/Convert.WmiRule/Convert.WmiRule.psm1 @@ -1,4 +1,3 @@ -#region Header # Copyright (c) Microsoft Corporation. All rights reserved. # Licensed under the MIT License. using module .\..\Common\Common.psm1 @@ -11,8 +10,25 @@ Foreach ($supportFile in $supportFileList) Write-Verbose "Loading $($supportFile.FullName)" . $supportFile.FullName } -#endregion -#region Class +# Header + +<# + .SYNOPSIS + Convert the contents of an xccdf check-content element into a WmiRule object + .DESCRIPTION + The WmiRule class is used to extract the settings from rules that don't have + and dedicated method of evaluation from the check-content of the xccdf. + Once a STIG rule is identified as a WMI rule, it is passed to the WmiRule + class for parsing and validation. + .PARAMETER Query + The WMI class query + .PARAMETER Property + The class property + .PARAMETER Value + The value the property should be set to + .PARAMETER Operator + The PowerShell equivalent operator +#> Class WmiRule : STIG { [string] $Query 
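Review bot: The added `WindowsFeatureName` clause can fire together with the existing `FeatureNameEquals` clause below it, because a PowerShell `switch` evaluates every matching clause unless one ends in `break`, and each clause appends with `$windowsFeatureName +=`; check-content that contains both a `Get-WindowsFeature -Name` call and a `FeatureName -eq` expression would therefore produce the name twice. If only one capture per rule is intended, end the new clause with `break`, or document that the caller de-duplicates. Assigning `$matches` also overwrites the automatic `$Matches` variable that the clause's `-match` just populated; this mirrors the pre-existing branches so it is a style inheritance rather than a new defect, but a local name such as `$featureMatches` would avoid it. `Get-WindowsFeatureName` begins before and ends after this hunk, so I cannot see whether a later `break` exists.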
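Review bot: The new class help on `WmiRule` has a typo in its `.DESCRIPTION`: `rules that don't have and dedicated method of evaluation` should read `rules that don't have a dedicated method of evaluation`. The rest of the hunk is comment text only.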
@@ -20,10 +36,16 @@ Class WmiRule : STIG [string] $Value [string] $Operator - # Constructor + <# + .SYNOPSIS + Default constructor + .DESCRIPTION + Converts a xccdf STIG rule element into a WmiRule + .PARAMETER StigRule + The STIG rule to convert + #> WmiRule ( [xml.xmlelement] $StigRule ) { $this.InvokeClass( $StigRule ) } } -#endregion diff --git a/Module/Stig.Main/Stig.Main.psm1 b/Module/Stig.Main/Stig.Main.psm1 index 11c558cad..a6fb7fab8 100644 --- a/Module/Stig.Main/Stig.Main.psm1 +++ b/Module/Stig.Main/Stig.Main.psm1 @@ -1,18 +1,14 @@ -#region Header # Copyright (c) Microsoft Corporation. All rights reserved. # Licensed under the MIT License. using module .\..\Common\Common.psm1 -#endregion -#region Class +# Header # This file is not currently in use, but is provided as part of the standard module structure. -#endregion -#region Footer +# Footer Foreach ($supportFile in (Get-ChildItem -Path $PSScriptRoot -Exclude $MyInvocation.MyCommand.Name)) { Write-Verbose "Loading $($supportFile.FullName)" . $supportFile.FullName } Export-ModuleMember -Function '*' -Variable '*' -#endregion diff --git a/Module/Stig.OrganizationalSetting/Stig.OrganizationalSetting.psm1 b/Module/Stig.OrganizationalSetting/Stig.OrganizationalSetting.psm1 index 0f68672c8..6748d60b0 100644 --- a/Module/Stig.OrganizationalSetting/Stig.OrganizationalSetting.psm1 +++ b/Module/Stig.OrganizationalSetting/Stig.OrganizationalSetting.psm1 @@ -1,9 +1,8 @@ -#region Header # Copyright (c) Microsoft Corporation. All rights reserved. # Licensed under the MIT License. using module .\..\Common\Common.psm1 -#endregion -#region Class +# Header + <# .SYNOPSIS This class describes an OrganizationalSetting 
@@ -14,6 +13,12 @@ using module .\..\Common\Common.psm1 values specific to the implementing organization. This Xml file will subsequently be transformed into OrganizationalSetting objects to be passed into and used in the StigData class constructor. + .PARAMETER StigRuleId + The Id of an individual Stig Rule + + .PARAMETER Value + The specific organizational value to set for the associated Stig rule + .EXAMPLE $organizationalSetting = [OrganizationalSetting]::new('V-1090', '4') @@ -22,37 +27,28 @@ using module .\..\Common\Common.psm1 #> Class OrganizationalSetting { - #region Properties - <# - .DESCRIPTION - The Id of an individual Stig Rule - #> [string] $StigRuleId - - <# - .DESCRIPTION - The specific organizational value to set for the associated Stig rule - #> [string] $Value - #endregion + #region Constructors + <# .SYNOPSIS - Parameterless constructor + DO NOT USE - For testing only .DESCRIPTION A parameterless constructor for OrganizationalSetting. To be used only for build/unit testing purposes as Pester currently requires it in order to test static methods on powershell classes #> - OrganizationalSetting() + OrganizationalSetting () { Write-Warning "This constructor is for build testing only." } <# .SYNOPSIS - Constructor + A constructor for OrganizationalSetting. Returns a ready to use instance of OrganizationalSetting. .DESCRIPTION A constructor for OrganizationalSetting. Returns a ready to use instance @@ -64,13 +60,15 @@ Class OrganizationalSetting .PARAMETER Value The specific organizational value to set for the associated Stig rule #> - OrganizationalSetting([string] $StigRuleId, [string] $Value) + OrganizationalSetting ([string] $StigRuleId, [string] $Value) { $this.StigRuleId = $StigRuleId $this.Value = $Value } + #endregion #region Static Methods + <# .SYNOPSIS The mapping of Stig rule types to the property needing to be modified 
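Review bot: The second constructor's new `.SYNOPSIS` repeats its `.DESCRIPTION` word for word (`A constructor for OrganizationalSetting. Returns a ready to use instance of OrganizationalSetting.`), so the synopsis no longer summarises anything. Keep the synopsis to one short line, e.g. `Creates an OrganizationalSetting from a rule id and value`, and let the description carry the detail. The same duplicated synopsis/description pair is introduced in the constructor hunks of SkippedRule, SkippedRuleType, StigData, StigException, StigProperty, TechnologyRole and TechnologyVersion in this commit, so the fix applies to all of them.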
@@ -80,10 +78,10 @@ Class OrganizationalSetting This method returns a Hashtable containing a mapping between a specific Stig rule type and the property of that Stig rule type that needs to be modified by the organizational setting - + .NOTES - This method calls the Get-PropertyMap function which simply returns a variable that is - only available in the module scope. This eliminates the need to load the module just to + This method calls the Get-PropertyMap function which simply returns a variable that is + only available in the module scope. This eliminates the need to load the module just to get access to a variable. #> static [Hashtable] PropertyMap () @@ -171,14 +169,14 @@ Class OrganizationalSetting return $orgSettings } + #endregion } -#endregion -#region Footer + +# Footer Foreach ($supportFile in (Get-ChildItem -Path $PSScriptRoot -Exclude $MyInvocation.MyCommand.Name)) { Write-Verbose "Loading $($supportFile.FullName)" . $supportFile.FullName } Export-ModuleMember -Function '*' -Variable '*' -#endregion diff --git a/Module/Stig.SkippedRule/Stig.SkippedRule.psm1 b/Module/Stig.SkippedRule/Stig.SkippedRule.psm1 index d6dde40d4..48ff818ea 100644 --- a/Module/Stig.SkippedRule/Stig.SkippedRule.psm1 +++ b/Module/Stig.SkippedRule/Stig.SkippedRule.psm1 @@ -1,9 +1,8 @@ -#region Header # Copyright (c) Microsoft Corporation. All rights reserved. # Licensed under the MIT License. using module .\..\Common\Common.psm1 -#endregion -#region Class +# Header + <# .SYNOPSIS This class describes a SkippedRule @@ -13,6 +12,9 @@ using module .\..\Common\Common.psm1 processed. The SkippedRule class instance will move the specific Stig rule into a SkippedRule section of the StigData output Xml so that it is documented as having been skipped. + .PARAMETER StigRuleId + The Id of an individual Stig Rule + .EXAMPLE $skippedRule = [SkippedRule]::new('V-1090') 
@@ -21,31 +23,27 @@ using module .\..\Common\Common.psm1 #> Class SkippedRule { - #region Properties - <# - .DESCRIPTION - The Id of an individual Stig Rule - #> [string] $StigRuleId - #endregion Properties + #region Constructor + <# .SYNOPSIS - Parameterless constructor + DO NOT USE - For testing only .DESCRIPTION A parameterless constructor for SkippedRule. To be used only for build/unit testing purposes as Pester currently requires it in order to test static methods on powershell classes #> - SkippedRule() + SkippedRule () { Write-Warning "This constructor is for build testing only." } <# .SYNOPSIS - Constructor + A constructor for SkippedRule. Returns a ready to use instance of SkippedRule. .DESCRIPTION A constructor for SkippedRule. Returns a ready to use instance @@ -54,12 +52,14 @@ Class SkippedRule .PARAMETER StigRuleId The Id of an individual Stig Rule #> - SkippedRule([string] $StigRuleId) + SkippedRule ([string] $StigRuleId) { $this.StigRuleId = $StigRuleId } + #endregion #region Static Methods + <# .SYNOPSIS Converts a provided string array of Stig rule ids into a SkippedRule array @@ -97,14 +97,14 @@ Class SkippedRule return $skips } + #endregion } -#endregion -#region Footer + +# Footer Foreach ($supportFile in (Get-ChildItem -Path $PSScriptRoot -Exclude $MyInvocation.MyCommand.Name)) { Write-Verbose "Loading $($supportFile.FullName)" . $supportFile.FullName } Export-ModuleMember -Function '*' -Variable '*' -#endregion diff --git a/Module/Stig.SkippedRuleType/Stig.SkippedRuleType.psm1 b/Module/Stig.SkippedRuleType/Stig.SkippedRuleType.psm1 index a564574ab..12ca3a850 100644 --- a/Module/Stig.SkippedRuleType/Stig.SkippedRuleType.psm1 +++ b/Module/Stig.SkippedRuleType/Stig.SkippedRuleType.psm1 @@ -1,9 +1,8 @@ -#region Header # Copyright (c) Microsoft Corporation. All rights reserved. # Licensed under the MIT License. using module .\..\Common\Common.psm1 -#endregion -#region Class +# Header + <# .SYNOPSIS This class describes a SkippedRuleType 
@@ -13,6 +12,9 @@ using module .\..\Common\Common.psm1 from the Stigs that need to be processed. The SkippedRuleType class instance will move all of the Stig rules under that type into a SkippedRule section of the StigData output Xml so that it is documented as having been skipped. + .PARAMETER StigRultType + The name of the type of Stig rule + .EXAMPLE $skippedRuleType = [SkippedRuleType]::new('AccountPolicyRule') @@ -21,45 +23,42 @@ using module .\..\Common\Common.psm1 #> Class SkippedRuleType { - #region Properties - <# - .DESCRIPTION - The name of the type of Stig rule - #> [RuleType] $StigRuleType - #endregion Properties + #region Constructors + <# .SYNOPSIS - Parameterless constructor + DO NOT USE - For testing only .DESCRIPTION A parameterless constructor for SkippedRuleType. To be used only for build/unit testing purposes as Pester currently requires it in order to test static methods on powershell classes #> - SkippedRuleType() + SkippedRuleType () { Write-Warning "This constructor is for build testing only." } <# .SYNOPSIS - Constructor + A constructor for SkippedRuleType. Returns a ready to use instance of SkippedRuleType. .DESCRIPTION - A constructor for SkippedRuleType. Returns a ready to use instance - of SkippedRuleType. + A constructor for SkippedRuleType. Returns a ready to use instance of SkippedRuleType. .PARAMETER StigRuleType The name of the type of Stig rule from the StigRuleType Enum #> - SkippedRuleType([RuleType] $StigRuleType) + SkippedRuleType ([RuleType] $StigRuleType) { $this.StigRuleType = $StigRuleType } + #endregion #region Static Methods + <# .SYNOPSIS Converts a provided string array of Stig rule types into a SkippedRuleType array 
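Review bot: The added class help documents `.PARAMETER StigRultType`, but the property it describes is `[RuleType] $StigRuleType`, and the constructor help later in the same file spells it `StigRuleType`; change the tag to `.PARAMETER StigRuleType`. The description could also state that the value is a `RuleType` enum member, matching the constructor's `The name of the type of Stig rule from the StigRuleType Enum` wording.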
@@ -100,14 +99,14 @@ Class SkippedRuleType return $skips } + #endregion } -#endregion -#region Footer + +# Footer Foreach ($supportFile in (Get-ChildItem -Path $PSScriptRoot -Exclude $MyInvocation.MyCommand.Name)) { Write-Verbose "Loading $($supportFile.FullName)" . $supportFile.FullName } Export-ModuleMember -Function '*' -Variable '*' -#endregion diff --git a/Module/Stig.StigData/Stig.StigData.psm1 b/Module/Stig.StigData/Stig.StigData.psm1 index 1edec399d..35373e4fc 100644 --- a/Module/Stig.StigData/Stig.StigData.psm1 +++ b/Module/Stig.StigData/Stig.StigData.psm1 @@ -1,4 +1,3 @@ -#region Header # Copyright (c) Microsoft Corporation. All rights reserved. # Licensed under the MIT License. using module .\..\Common\Common.psm1 @@ -8,8 +7,8 @@ using module .\..\Stig.SkippedRule\Stig.SkippedRule.psm1 using module .\..\Stig.OrganizationalSetting\Stig.OrganizationalSetting.psm1 using module .\..\Stig.TechnologyRole\Stig.TechnologyRole.psm1 using module .\..\Stig.TechnologyVersion\Stig.TechnologyVersion.psm1 -#endregion -#region Class +# Header + <# .SYNOPSIS This class describes a StigData 
@@ -20,6 +19,36 @@ using module .\..\Stig.TechnologyVersion\Stig.TechnologyVersion.psm1 the given technology and the implementing organizations specific settings, exceptions, and rules to skip. Upon creation of a StigData instance, the resulting Xml is immediately available for those preconditions. + .PARAMETER StigVersion + The document/published version of the Stig to select + + .PARAMETER OrganizationalSettings + An array of settings/values specific to an organization to apply to specific rules + + .PARAMETER Technology + The type of the technology of the Stig to select + + .PARAMETER TechnologyRole + The role of the technology of the Stig to select + + .PARAMETER TechnologyVersion + The version of the technology of the Stig to select + + .PARAMETER StigExceptions + An array of names of Stig exceptions to apply to specific rules + + .PARAMETER SkippedRuleTypes + An array of names of rule types to skip all rules of + + .PARAMETER SkippedRules + An array of Stig rules to skip and move into the SkipRule rule type + + .PARAMETER StigXml + The loaded Xml document of the Stig loaded from StigPath + + .PARAMETER StigPath + The file path to the Stig Xml file in the StigData directory + .EXAMPLE $stigData = [StigData]::new([string] $StigVersion, [OrganizationalSetting[]] $OrganizationalSettings, [Technology] $Technology, [TechnologyRole] $TechnologyRole, [TechnologyVersion] $TechnologyVersion, [StigException[]] $StigExceptions, [SkippedRuleType[]] $SkippedRuleTypes, [SkippedRule[]] $SkippedRules) 
@@ -28,89 +57,40 @@ using module .\..\Stig.TechnologyVersion\Stig.TechnologyVersion.psm1 #> Class StigData { - #region Properties - <# - .DESCRIPTION - The document/published version of the Stig to select - #> [Version] $StigVersion - - <# - .DESCRIPTION - An array of settings/values specific to an organization to apply to specific rules - #> [OrganizationalSetting[]] $OrganizationalSettings - - <# - .DESCRIPTION - The type of the technology of the Stig to select - #> [Technology] $Technology - - <# - .DESCRIPTION - The role of the technology of the Stig to select - #> [TechnologyRole] $TechnologyRole - - <# - .DESCRIPTION - The version of the technology of the Stig to select - #> [TechnologyVersion] $TechnologyVersion - - <# - .DESCRIPTION - An array of names of Stig exceptions to apply to specific rules - #> [StigException[]] $StigExceptions - - <# - .DESCRIPTION - An array of names of rule types to skip all rules of - #> [SkippedRuleType[]] $SkippedRuleTypes - - <# - .DESCRIPTION - An array of Stig rules to skip and move into the SkipRule rule type - #> [SkippedRule[]] $SkippedRules - - <# - .DESCRIPTION - The loaded Xml document of the Stig loaded from StigPath - #> [xml] $StigXml - - <# - .DESCRIPTION - The file path to the Stig Xml file in the StigData directory - #> [string] $StigPath - #endregion + + #region Constructor + <# .SYNOPSIS - Parameterless constructor + DO NOT USE - For testing only .DESCRIPTION A parameterless constructor for StigData. To be used only for build/unit testing purposes as Pester currently requires it in order to test static methods on powershell classes #> - StigData() + StigData () { Write-Warning "This constructor is for build testing only." } <# .SYNOPSIS - Constructor + A constructor for StigData. Returns a ready to use instance of StigData. .DESCRIPTION - A constructor for StigData. Returns a ready to use instance - of StigData. + A constructor for StigData. Returns a ready to use instance of StigData. 
.PARAMETER StigVersion The document/published version of the Stig to select @@ -136,7 +116,7 @@ Class StigData .PARAMETER SkippedRules An array of Stig rules to skip and move into the SkipRule rule type #> - StigData([string] $StigVersion, [OrganizationalSetting[]] $OrganizationalSettings, [Technology] $Technology, [TechnologyRole] $TechnologyRole, [TechnologyVersion] $TechnologyVersion, [StigException[]] $StigExceptions, [SkippedRuleType[]] $SkippedRuleTypes, [SkippedRule[]] $SkippedRules) + StigData ([string] $StigVersion, [OrganizationalSetting[]] $OrganizationalSettings, [Technology] $Technology, [TechnologyRole] $TechnologyRole, [TechnologyVersion] $TechnologyVersion, [StigException[]] $StigExceptions, [SkippedRuleType[]] $SkippedRuleTypes, [SkippedRule[]] $SkippedRules) { if (($null -eq $Technology) -or !($TechnologyRole) -or !($TechnologyVersion)) { throw("Technology, TechnologyVersion, and TechnologyRole must be provided.") @@ -163,8 +143,10 @@ Class StigData $this.SetStigPath() $this.ProcessStigData() } + #endregion #region Methods + <# .SYNOPSIS Determines and sets the StigPath @@ -384,8 +366,10 @@ Class StigData } } } + #endregion #region Static Methods + <# .SYNOPSIS Returns the root path to the StigData directory @@ -467,14 +451,14 @@ Class StigData return $returnList } + #endregion } -#endregion -#region Footer + +# Footer Foreach ($supportFile in (Get-ChildItem -Path $PSScriptRoot -Exclude $MyInvocation.MyCommand.Name)) { Write-Verbose "Loading $($supportFile.FullName)" . $supportFile.FullName } Export-ModuleMember -Function '*' -Variable '*' -#endregion diff --git a/Module/Stig.StigException/Stig.StigException.psm1 b/Module/Stig.StigException/Stig.StigException.psm1 index 9435d5aab..0cf706d3e 100644 --- a/Module/Stig.StigException/Stig.StigException.psm1 +++ b/Module/Stig.StigException/Stig.StigException.psm1 
@@ -1,10 +1,9 @@ -#region Header # Copyright (c) Microsoft Corporation. All rights reserved. # Licensed under the MIT License. using module .\..\Common\Common.psm1 -#endregion using module .\..\Stig.StigProperty\Stig.StigProperty.psm1 -#region Class +# Header + <# .SYNOPSIS This class describes a StigException @@ -12,6 +11,12 @@ using module .\..\Stig.StigProperty\Stig.StigProperty.psm1 .DESCRIPTION The StigException class describes a StigException, the collection of StigProperty to override on a specific Stig rule. + .PARAMETER StigRuleId + The Id of an individual Stig Rule + + .PARAMETER Properties + An array of properties and their values to override on a Stig rule + .EXAMPLE $stigException = [StigException]::new([string] $StigRuleId, [StigProperty[]] $Properties) @@ -20,41 +25,32 @@ using module .\..\Stig.StigProperty\Stig.StigProperty.psm1 #> Class StigException { - #region Properties - <# - .DESCRIPTION - The Id of an individual Stig Rule - #> [string] $StigRuleId - <# - .DESCRIPTION - An array of properties and their values to override on a Stig rule - #> [StigProperty[]] $Properties - #endregion + #region Constructors + <# .SYNOPSIS - Parameterless constructor + DO NOT USE - For testing only .DESCRIPTION A parameterless constructor for StigException. To be used only for build/unit testing purposes as Pester currently requires it in order to test static methods on powershell classes #> - StigException() + StigException () { Write-Warning "This constructor is for build testing only." } <# .SYNOPSIS - Constructor + A constructor for StigException. Returns a ready to use instance of StigException. .DESCRIPTION - A constructor for StigException. Returns a ready to use instance - of StigException. + A constructor for StigException. Returns a ready to use instance of StigException. .PARAMETER StigRuleId The Id of an individual Stig Rule 
@@ -62,13 +58,15 @@ Class StigException .PARAMETER Properties An array of properties and their values to override on a Stig rule #> - StigException([string] $StigRuleId, [StigProperty[]] $Properties) + StigException ([string] $StigRuleId, [StigProperty[]] $Properties) { $this.StigRuleId = $StigRuleId $this.Properties = $Properties } + #endregion #region Methods + <# .SYNOPSIS Adds a StigPropery instance to the StigException Properties property @@ -101,8 +99,10 @@ Class StigException { $this.Properties += [StigProperty]::new($Name, $Value) } + #endregion Methods #region Static Methods + <# .SYNOPSIS Converts a provided hashtable of Stig exceptions into a StigException array @@ -141,14 +141,14 @@ Class StigException return $stigExceptions } + #endregion } -#endregion -#region Footer + +# Footer Foreach ($supportFile in (Get-ChildItem -Path $PSScriptRoot -Exclude $MyInvocation.MyCommand.Name)) { Write-Verbose "Loading $($supportFile.FullName)" . $supportFile.FullName } Export-ModuleMember -Function '*' -Variable '*' -#endregion diff --git a/Module/Stig.StigProperty/Stig.StigProperty.psm1 b/Module/Stig.StigProperty/Stig.StigProperty.psm1 index 598e68333..685843271 100644 --- a/Module/Stig.StigProperty/Stig.StigProperty.psm1 +++ b/Module/Stig.StigProperty/Stig.StigProperty.psm1 @@ -1,9 +1,8 @@ -#region Header # Copyright (c) Microsoft Corporation. All rights reserved. # Licensed under the MIT License. using module .\..\Common\Common.psm1 -#endregion -#region Class +# Header + <# .SYNOPSIS This class describes a StigProperty 
@@ -13,6 +12,12 @@ using module .\..\Common\Common.psm1 instances combine to for a complete description of a Stig rule. StigException instances are made up of a collection of StigProperty in order to override the existing values of those properties. + .PARAMETER Name + The name of an individual property on a Stig Rule + + .PARAMETER Value + The value of an individual property on a Stig Rule + .EXAMPLE $stigProperty = [StigProperty]::new([string] $Name, [string] $Value) @@ -21,41 +26,32 @@ using module .\..\Common\Common.psm1 #> Class StigProperty { - #region Properties - <# - .DESCRIPTION - The name of an individual property on a Stig Rule - #> [string] $Name - <# - .DESCRIPTION - The value of an individual property on a Stig Rule - #> [string] $Value - #endregion + #region Constructors + <# .SYNOPSIS - Parameterless constructor + DO NOT USE - For testing only .DESCRIPTION A parameterless constructor for StigProperty. To be used only for build/unit testing purposes as Pester currently requires it in order to test static methods on powershell classes #> - StigProperty() + StigProperty () { Write-Warning "This constructor is for build testing only." } - <#s + <# .SYNOPSIS - Constructor + A constructor for StigProperty. Returns a ready to use instance of StigProperty. .DESCRIPTION - A constructor for StigProperty. Returns a ready to use instance - of StigProperty. + A constructor for StigProperty. Returns a ready to use instance of StigProperty. .PARAMETER Name The name of an individual property on a Stig Rule @@ -68,14 +64,14 @@ Class StigProperty $this.Name = $Name $this.Value = $Value } + #endregion } -#endregion -#region Footer + +# Footer Foreach ($supportFile in (Get-ChildItem -Path $PSScriptRoot -Exclude $MyInvocation.MyCommand.Name)) { Write-Verbose "Loading $($supportFile.FullName)" . $supportFile.FullName } Export-ModuleMember -Function '*' -Variable '*' -#endregion 
diff --git a/Module/Stig.TechnologyRole/Stig.TechnologyRole.psm1 b/Module/Stig.TechnologyRole/Stig.TechnologyRole.psm1 index 9673f166d..09bd7bb12 100644 --- a/Module/Stig.TechnologyRole/Stig.TechnologyRole.psm1 +++ b/Module/Stig.TechnologyRole/Stig.TechnologyRole.psm1 @@ -1,10 +1,9 @@ -#region Header # Copyright (c) Microsoft Corporation. All rights reserved. # Licensed under the MIT License. using module .\..\Common\Common.psm1 using module .\..\Stig.TechnologyVersion\Stig.TechnologyVersion.psm1 -#endregion -#region Class +# Header + <# .SYNOPSIS This class describes a TechnologyRole @@ -14,6 +13,12 @@ using module .\..\Stig.TechnologyVersion\Stig.TechnologyVersion.psm1 the Stig applies to. The TechnologyRole is one of a few Technology focused classes that work together to form a complete description of the Stig required by the user or application creating the StigData instance. + .PARAMETER Name + The name of a role of technology of the Stig to select + + .PARAMETER TechnologyVersion + The TechnologyVersion instance for the selected role + .EXAMPLE $technologyRole = [TechnologyRole]::new([string] $Name, [TechnologyVersion] $TechnologyVersion) @@ -22,17 +27,7 @@ using module .\..\Stig.TechnologyVersion\Stig.TechnologyVersion.psm1 #> Class TechnologyRole { - #region Properties - <# - .DESCRIPTION - The name of a role of technology of the Stig to select - #> [string] $Name - - <# - .DESCRIPTION - The TechnologyVersion instance for the selected role - #> [TechnologyVersion] $TechnologyVersion <# 
@@ -44,29 +39,30 @@ Class TechnologyRole All = ADDomain, ADForest, FW, IE11, DotNet4 2012 = Instance, Database "@ - #endregion + #region Constructors + <# .SYNOPSIS - Parameterless constructor + DO NOT USE - For testing only .DESCRIPTION A parameterless constructor for TechnologyRole. To be used only for build/unit testing purposes as Pester currently requires it in order to test static methods on powershell classes #> - TechnologyRole() + TechnologyRole () { Write-Warning "This constructor is for build testing only." } <# .SYNOPSIS - Constructor + A constructor for TechnologyRole. Returns a ready to use instance of TechnologyRole. + .DESCRIPTION - A constructor for TechnologyRole. Returns a ready to use instance - of TechnologyRole. + A constructor for TechnologyRole. Returns a ready to use instance of TechnologyRole. .PARAMETER Name The name of a role of technology of the Stig to select @@ -84,8 +80,10 @@ All = ADDomain, ADForest, FW, IE11, DotNet4 throw("The specified Role name is not valid. Please check for available Roles.") } } + #endregion #region Methods + <# .SYNOPSIS Validates the provided name @@ -108,8 +106,7 @@ All = ADDomain, ADForest, FW, IE11, DotNet4 return $false } } - #endregion - #region Static Methods + <# .SYNOPSIS Returns available TechnologyRoles @@ -133,14 +130,14 @@ All = ADDomain, ADForest, FW, IE11, DotNet4 throw("No Roles are available for the Version you have specified. Please check available Versions and run again.") } } + #endregion } -#endregion -#region Footer + +# Footer Foreach ($supportFile in (Get-ChildItem -Path $PSScriptRoot -Exclude $MyInvocation.MyCommand.Name)) { Write-Verbose "Loading $($supportFile.FullName)" . $supportFile.FullName } Export-ModuleMember -Function '*' -Variable '*' -#endregion diff --git a/Module/Stig.TechnologyVersion/Stig.TechnologyVersion.psm1 b/Module/Stig.TechnologyVersion/Stig.TechnologyVersion.psm1 index 6bc837591..829a3e378 100644 --- a/Module/Stig.TechnologyVersion/Stig.TechnologyVersion.psm1 
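Review bot: The `@@ -108,8 +106,7 @@` hunk removes the `#endregion` / `#region Static Methods` pair before the static `Available` method, so it now sits inside `#region Methods`, whereas OrganizationalSetting, SkippedRule, SkippedRuleType, StigData and StigException keep a separate `#region Static Methods` in this same commit; the TechnologyVersion changes further down do the same. Restoring `#endregion` and `#region Static Methods` ahead of the `Available` help block would keep the region layout consistent across the Stig.* modules. The class body continues outside this hunk.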
+++ b/Module/Stig.TechnologyVersion/Stig.TechnologyVersion.psm1
@@ -1,9 +1,8 @@
-#region Header
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 using module .\..\Common\Common.psm1
-#endregion
-#region Class
+# Header
+
 <#
 .SYNOPSIS
 This class describes a TechnologyVersion
@@ -13,58 +12,49 @@ using module .\..\Common\Common.psm1 the Stig applies to. The TechnologyVersion is one of a few Technology focused classes that work together to form a complete description of the Stig required by the user or application creating the StigData instance. + .PARAMETER Name + The Technology for the selected version + + .PARAMETER Technology + The Technology instance for the selected version + .EXAMPLE $technologyVersion = [TechnologyVersion]::new([string] $Name, [Technology] $Technology) .NOTES This class requires PowerShell v5 or above. #> -Class TechnologyVersion +Class TechnologyVersion { - #region Properties - <# - .DESCRIPTION - The name of a version of technology of the Stig to select - #> [string] $Name - - <# - .DESCRIPTION - The Technology instance for the selected version - #> [Technology] $Technology - <# - .DESCRIPTION - The available versions for each technology currently in PowerStig - #> + # The available versions for each technology currently in PowerStig static $ValidateSet = @" Windows = All, 2012R2 SqlServer = 2012 "@ - #endregion - #region Constructors + <# .SYNOPSIS - Parameterless constructor + DO NOT USE - For testing only .DESCRIPTION A parameterless constructor for TechnologyVersion. To be used only for build/unit testing purposes as Pester currently requires it in order to test static methods on powershell classes #> - TechnologyVersion() + TechnologyVersion () { Write-Warning "This constructor is for build testing only." } <# .SYNOPSIS - Constructor + A constructor for TechnologyVersion. Returns a ready to use instance of TechnologyVersion. .DESCRIPTION - A constructor for TechnologyVersion. Returns a ready to use instance - of TechnologyVersion. + A constructor for TechnologyVersion. Returns a ready to use instance of TechnologyVersion. .PARAMETER Name The Technology for the selected version 
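Review bot: The added `.PARAMETER Name` help says `The Technology for the selected version`, which describes the `$Technology` property rather than `$Name`; the property comment this hunk removes had it right (`The name of a version of technology of the Stig to select`), and the `ValidateSet` table kept in the hunk (`Windows = All, 2012R2`) shows Name is the version label. Suggest `The name of the technology version of the Stig to select (one of the values listed in ValidateSet for the technology)`. The pre-existing constructor help at the end of this hunk carries the same wording and should be corrected together with it.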
@@ -72,17 +62,18 @@ SqlServer = 2012 .PARAMETER Technology The Technology instance for the selected version #> - TechnologyVersion ([string] $Name, [Technology] $Technology) + TechnologyVersion ([string] $Name, [Technology] $Technology) { $this.Name = $Name $this.Technology = $Technology - if (!($this.Validate())) + if (!($this.Validate())) { throw("The specified Version name is not valid. Please check for available Versions.") } } - #endregion + #region Methods + <# .SYNOPSIS Validates the provided name @@ -91,22 +82,21 @@ SqlServer = 2012 This method validates that the provided name for the TechnologyVersion is available for a given Technology in PowerStig #> - [bool] Validate () + [bool] Validate () { $versions = [TechnologyVersion]::Available($this.Technology) - if ($versions -contains $this.Name) + if ($versions -contains $this.Name) { return $true } - else + else { Write-Warning -Message "The Versions currently available within PowerStig for $($this.Technology.Name) include:`n$($versions -join "`n")" return $false } } - #endregion - #region Static Methods + <# .SYNOPSIS Returns available TechnologyVersions 
@@ -117,28 +107,28 @@ SqlServer = 2012 .PARAMETER TechnologyVersion The Technology name #> - static [string[]] Available ([Technology] $Technology) + static [string[]] Available ([Technology] $Technology) { $versions = ConvertFrom-StringData -StringData $([TechnologyVersion]::ValidateSet) $technologyString = $Technology.ToString() - - if ($versions.$technologyString) + + if ($versions.$technologyString) { return $versions.$technologyString.Split(',').Trim() } - else + else { throw("No Versions are available for the Technology you have specified. Please check available Technologies and run again.") } } + #endregion } -#endregion -#region Footer + +# Footer Foreach ($supportFile in (Get-ChildItem -Path $PSScriptRoot -Exclude $MyInvocation.MyCommand.Name)) { Write-Verbose "Loading $($supportFile.FullName)" . $supportFile.FullName } Export-ModuleMember -Function '*' -Variable '*' -#endregion diff --git a/PowerStig.Convert.psm1 b/PowerStig.Convert.psm1 index 6ff0cfa86..5f92a41cb 100644 --- a/PowerStig.Convert.psm1 +++ b/PowerStig.Convert.psm1 @@ -31,6 +31,7 @@ using module .\Module\Convert.WindowsFeatureRule\Convert.WindowsFeatureRule.psm1 using module .\Module\Convert.WinEventLogRule\Convert.WinEventLogRule.psm1 using module .\Module\Convert.WmiRule\Convert.WmiRule.psm1 # load the public functions + Foreach ($supportFile in ( Get-ChildItem -Path "$PSScriptRoot\Module\Convert.Main" -Filter '*.ps1' ) ) { Write-Verbose "Loading $($supportFile.FullName)" diff --git a/PowerStig.psd1 b/PowerStig.psd1 index a14e3da17..2571f243d 100644 --- a/PowerStig.psd1 +++ b/PowerStig.psd1 @@ -6,7 +6,7 @@ RootModule = 'PowerStig.psm1' # Version number of this module. -ModuleVersion = '1.1.0.0' +ModuleVersion = '1.1.1.0' # ID used to uniquely identify this module GUID = 'a132f6a5-8f96-4942-be25-b213ee7e4af3' 
@@ -21,7 +21,12 @@ CompanyName = 'Microsoft Corporation' Copyright = '(c) 2017 Adam Haynes. All rights reserved.' # Description of the functionality provided by this module -Description = 'Module for managing the DISA STIGs' +Description = 'The PowerStig module provides a set of PowerShell classes to access DISA STIG settings extracted from the xccdf. The module provides a unified way to access the parsed STIG data by enabling the concepts of: +1. Exceptions (overriding and auto-documenting) +2. Ignoring a single or entire class of rules (auto-documenting) +3. Organizational settings to address STIG rules that have allowable ranges. + +This module is intended to be used by additional automation as a lightweight portable “database” to audit and enforce the parsed STIG data.' # Minimum version of the Windows PowerShell engine required by this module PowerShellVersion = '5.1' @@ -47,14 +52,7 @@ PrivateData = @{ ProjectUri = 'https://github.com/Microsoft/PowerStig' # ReleaseNotes of this module - ReleaseNotes = 'Added the following STIGs: - -* IIS 8.5 Server STIG V1R3 - -Updates - -* Updated SQL STIG code to account for SQL STIGS being added in PowerStigDsc -* Update to PowerStig.psm1 to fix issue were StigData class was not accessible to PowerStigDsc' + ReleaseNotes = 'Update IIS Server STIG V-76723.a with correct value' } # End of PSData hashtable } # End of PrivateData hashtable } diff --git a/README.md b/README.md index 79ce95f96..382261bf8 100644 --- a/README.md +++ b/README.md 
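Review bot: The new Description embeds typographic quotes (“database”) in the .psd1; Windows PowerShell 5.1 parses a BOM-less manifest as the system ANSI code page, so unless this file is saved as UTF-8 with BOM (or UTF-16) those two characters will surface as mojibake in Get-Module and Gallery listings. The file's encoding is not visible in this diff, so either confirm the BOM is present or replace them with plain ASCII quotes, `lightweight portable "database"`. The rest of the multi-line single-quoted string is fine as written.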
@@ -2,8 +2,8 @@ |Branch|Status| | ---- | ---- | -| Master | [![Build status](https://ci.appveyor.com/api/projects/status/9iuhve75mrjdxokb/branch/master?svg=true)](https://ci.appveyor.com/api/projects/status/9iuhve75mrjdxokb/branch/master?svg=true) | -| Dev | [![Build status](https://ci.appveyor.com/api/projects/status/9iuhve75mrjdxokb/branch/dev?svg=true)](https://ci.appveyor.com/api/projects/status/9iuhve75mrjdxokb/branch/dev?svg=true) | +| master | [![Build status](https://ci.appveyor.com/api/projects/status/9iuhve75mrjdxokb/branch/master?svg=true)](https://ci.appveyor.com/api/projects/status/9iuhve75mrjdxokb/branch/master?svg=true) | +| dev | [![Build status](https://ci.appveyor.com/api/projects/status/9iuhve75mrjdxokb/branch/dev?svg=true)](https://ci.appveyor.com/api/projects/status/9iuhve75mrjdxokb/branch/dev?svg=true) | ## Project List 
@@ -41,11 +41,30 @@ You are more than welcome to contribute to the development of PowerStig. There are several different ways you can help. You can create new convert modules, add test automation, improve documentation, fix existing issues, or open new ones. See our [contributing guide](CONTRIBUTING.md) for more info on how to become a contributor. +Thank you to everyone that has reviewed the project and provided feedback through issues. +We are especially thankful for those who have contributed pull requests to the code and documentation. + +### Contributors + +* [@athaynes](https://github.com/athaynes) (Adam Haynes) +* [@bgouldman](https://github.com/bgouldman) (Brian Gouldman) +* [@camusicjunkie](https://github.com/camusicjunkie) +* [@chasewilson](https://github.com/chasewilson) (Chase Wilson) +* [@clcaldwell](https://github.com/clcaldwell) (Coby Caldwell) +* [@jcwalker](https://github.com/jcwalker) (Jason Walker) +* [@ldillonel](https://github.com/ldillonel) +* [@mcollera](https://github.com/mcollera) +* [@nehrua](https://github.com/nehrua) (Nehru Ali) +* [@regedit32](https://github.com/regedit32) (Reggie Gibson) ## Versions ### Unreleased +### 1.1.1.0 + +Update IIS Server STIG V-76723.a with correct value + ### 1.1.0.0 Replaced Technology class with enumeration. This breaks PowerStigDsc < 1.1.0.0 diff --git a/StigData/Processed/Windows-2012R2-IISServer-1.3.org.default.xml b/StigData/Processed/Windows-2012R2-IISServer-1.3.org.default.xml index aa7beccd7..a9eb49f07 100644 --- a/StigData/Processed/Windows-2012R2-IISServer-1.3.org.default.xml +++ b/StigData/Processed/Windows-2012R2-IISServer-1.3.org.default.xml @@ -7,5 +7,5 @@ --> - + diff --git a/StigData/Processed/Windows-2012R2-IISServer-1.3.xml b/StigData/Processed/Windows-2012R2-IISServer-1.3.xml index 2a0087d56..b4d6c3d71 100644 --- a/StigData/Processed/Windows-2012R2-IISServer-1.3.xml +++ b/StigData/Processed/Windows-2012R2-IISServer-1.3.xml @@ -1,4 +1,4 @@ - + False 
@@ -529,6 +529,24 @@ Verify log files are backed up to an unrelated system or onto separate media tha If the paths of all log files are not part of the system backup and/or not backed up to a separate media, this is a finding. + + + False + False + + Open the IIS 8.5 Manager. + +Under the "Connections" pane on the left side of the management console, select the IIS 8.5 web server. + +If, under the IIS installed features, "Application Request Routing Cache" is not present, this is not a finding. + +If, under the IIS installed features, "Application Request Routing Cache" is present, double-click the icon to open the feature. + +From the right "Actions" pane, under "Proxy", select "Server Proxy Settings...". + +In the "Application Request Routing" settings window, verify whether "Enable proxy" is selected. + +If “Enable proxy" is selected under the "Application Request Routing" settings, this is a finding. False @@ -892,27 +910,6 @@ Creator/Owner: Special permissions to subkeys - - /system.webServer/proxy - False - enable - False - - Open the IIS 8.5 Manager. - -Under the "Connections" pane on the left side of the management console, select the IIS 8.5 web server. - -If, under the IIS installed features, "Application Request Routing Cache" is not present, this is not a finding. - -If, under the IIS installed features, "Application Request Routing Cache" is present, double-click the icon to open the feature. - -From the right "Actions" pane, under "Proxy", select "Server Proxy Settings...". - -In the "Application Request Routing" settings window, verify whether "Enable proxy" is selected. - -If “Enable proxy" is selected under the "Application Request Routing" settings, this is a finding. - false - /system.web/sessionState False 
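Review bot: Besides the V-76723.a value fix that the release notes describe, these two hunks also move the IIS Application Request Routing "Enable proxy" check from a property-based rule (the removed `/system.webServer/proxy` / `enable` / `false` entry) to a manual rule, which drops automated enforcement of that setting for every consumer of the processed XML. The check text itself explains why an unconditional property test was wrong (the section only exists when ARR is installed), so the move is defensible, but it is a behaviour change and belongs in the 1.1.1.0 README entry and the manifest ReleaseNotes next to the value fix, e.g. `Converted the IIS Server ARR "Enable proxy" rule to a ManualRule (setting only exists when ARR is installed)`. Element names are stripped in this rendering, so the rule-type change is inferred from the count changes in Tests/Integration/Convert.Main.Integration.tests.ps1 (ManualRule 16→17, WebConfigurationPropertyRule 10→9); if StigData/Processed is regenerated by the converter, the same change presumably needs to land in the converter rather than only in the output file.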
@@ -921,7 +918,7 @@ If “Enable proxy" is selected under the "Application Request Routing" settings From the "Section:" drop-down list at the top of the configuration editor, locate "system.web/sessionState". Verify "cookieless" is set to "UseCookies". - 1 + UseCookies /system.web/sessionState diff --git a/Tests/Integration/Convert.Main.Integration.tests.ps1 b/Tests/Integration/Convert.Main.Integration.tests.ps1 index 108301eb9..4864b7276 100644 --- a/Tests/Integration/Convert.Main.Integration.tests.ps1 +++ b/Tests/Integration/Convert.Main.Integration.tests.ps1 @@ -332,17 +332,17 @@ try DnsServerSettingRule = $null DocumentRule = 16 IisLoggingRule = 5 - ManualRule = 16 + ManualRule = 17 MimeTypeRule = 5 PermissionRule = 1 ProcessMitigationRule = $null RegistryRule = 5 SecurityOptionRule = $null ServiceRule = $null - SqlScriptQueryRule = $null + SqlScriptQueryRule = $null UserRightRule = $null WebAppPoolRule = $null - WebConfigurationPropertyRule = 10 + WebConfigurationPropertyRule = 9 WinEventLogRule = $null WindowsFeatureRule = 1 WmiRule = $null diff --git a/Tests/Integration/Convert.WindowsFeatureRule.Integration.tests.ps1 b/Tests/Integration/Convert.WindowsFeatureRule.Integration.tests.ps1 index 61807656a..c7f99e487 100644 --- a/Tests/Integration/Convert.WindowsFeatureRule.Integration.tests.ps1 +++ b/Tests/Integration/Convert.WindowsFeatureRule.Integration.tests.ps1 @@ -23,6 +23,20 @@ try If "SMB 1.0/CIFS File Sharing Support" is selected, this is a finding.' } + @{ + FeatureName = 'Powershell-v2' + InstallState = 'Absent' + OrganizationValueRequired = $false + CheckContent = 'Windows PowerShell 2.0 is not installed by default. + + Open "Windows PowerShell". + + Enter "Get-WindowsFeature -Name PowerShell-v2". + + If "Installed State" is "Installed", this is a finding. + + An Installed State of "Available" or "Removed" is not a finding.' + } ) #endregion #region Tests 
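Review bot: The integration test only pins rule counts (`ManualRule = 17`, `WebConfigurationPropertyRule = 9`), so the actual defect this commit fixes — the sessionState `cookieless` value being `1` instead of `UseCookies` in Windows-2012R2-IISServer-1.3.xml — has no regression test; a converter change that reintroduces the numeric value would pass this suite unchanged. Consider adding an assertion that the converted `/system.web/sessionState` rule carries the value `UseCookies`, alongside the count table. The whitespace-only realignment of `SqlScriptQueryRule = $null` in the same hunk is noise in an otherwise targeted change. The enclosing `try` block starts before this hunk.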
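Review bot: The new test case's expected `FeatureName = 'Powershell-v2'` differs in case from the check text it is derived from (`Get-WindowsFeature -Name PowerShell-v2`). PowerShell's default string comparison is case-insensitive, so the test will still pass, but that hides whether the converter preserves the STIG's spelling; use `FeatureName = 'PowerShell-v2'` so the expectation matches the source text exactly. The test-data array this entry is appended to begins before the hunk.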
diff --git a/Tests/Unit/Module/Common.tests.ps1 b/Tests/Unit/Module/Common.tests.ps1 index f2170c5d7..8ae81209d 100644 --- a/Tests/Unit/Module/Common.tests.ps1 +++ b/Tests/Unit/Module/Common.tests.ps1 @@ -257,16 +257,18 @@ Describe 'Get-AvailableId' { #region Range Conversion Tests <# These are sample values that have been identified in the STIG so far. - Value: 1 or 2 = a Finding $i -notmatch "1|2" - Value: 14 (or greater) $i -gt "14" - Value: 30 (or less, but not 0) $i -le "30" -and $i -ne 0 - Value: 90 (or less) $i -le "90" - Value: 300000 (or less) $i -le "300000" - Value: 3 (or less) $i -le "3" - Value: 0x0000000f (15) (or less) $i -le "15" - Value: 0x00000384 (900) (or less) $i -le "900" - Value: 0x00008000 (32768) (or greater) $i -ge "32768" - Value: 0x00030000 (196608) (or greater) $i -ge "196608" + Value: 1 or 2 = a Finding $i -notmatch "1|2" + Value: 14 (or greater) $i -gt "14" + Value: 30 (or less, but not 0) $i -le "30" -and $i -ne 0 + Value: 0x0000001e (30) (or less, but not 0) $i -le "30" -and $i -gt 0 + Value: 0x0000001e (30) (or less, excluding 0) $i -le "30" -and $i -gt 0 + Value: 90 (or less) $i -le "90" + Value: 300000 (or less) $i -le "300000" + Value: 3 (or less) $i -le "3" + Value: 0x0000000f (15) (or less) $i -le "15" + Value: 0x00000384 (900) (or less) $i -le "900" + Value: 0x00008000 (32768) (or greater) $i -ge "32768" + Value: 0x00030000 (196608) (or greater) $i -ge "196608" #> #region Tests @@ -277,6 +279,7 @@ Describe 'Get-OrganizationValueTestString' { Mock Test-StringIsLessThanOrEqual -ModuleName Common Mock Test-StringIsLessThanButNot -ModuleName Common Mock Test-StringIsLessThanOrEqualButNot -ModuleName Common + Mock Test-StringIsLessThanOrEqualExcluding -ModuleName Common Mock Test-StringIsGreaterThan -ModuleName Common Mock Test-StringIsGreaterThanOrEqual -ModuleName Common Mock Test-StringIsGreaterThanButNot -ModuleName Common 
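Review bot: The realigned sample table now shows two different expressions for the same semantics: `Value: 30 (or less, but not 0)` is listed as `$i -le "30" -and $i -ne 0`, while the two new hex rows use `$i -le "30" -and $i -gt 0`, and the ConvertTo-TestString expectations later in this file produce `-gt '0'` for both the "but not" and "excluding" forms. Change the first row to `$i -le "30" -and $i -gt 0` so the reference table agrees with what the code actually emits. This is comment text only, so no test is affected.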
@@ -307,16 +310,18 @@ Describe 'Get-TestStringTokenNumbers' { } $Strings = @{ - 'Greater than 30' = "30" - '30 (or greater)' = "30" - 'Greater than 30 (but not 60)' = "30", "60" - '30 (or greater, but not 60)' = "30", "60" - 'less than 30' = "30" - '30 (or less)' = "30" - "Less than 30 (but not 0)" = "30", "0" - "30 (or less, but not 0)" = "30", "0" - "0x0000000f (15) (or less)" = "15" - "0x00008000 (32768) (or greater)" = "32768" + 'Greater than 30' = "30" + '30 (or greater)' = "30" + 'Greater than 30 (but not 60)' = "30", "60" + '30 (or greater, but not 60)' = "30", "60" + 'less than 30' = "30" + '30 (or less)' = "30" + "Less than 30 (but not 0)" = "30", "0" + "0x0000001e (30) (or less, but not 0)" = "30", "0" + "0x0000001e (30) (or less, excluding 0)" = "30", "0" + "30 (or less, but not 0)" = "30", "0" + "0x0000000f (15) (or less)" = "15" + "0x00008000 (32768) (or greater)" = "32768" } Foreach ($string in $strings.GetEnumerator()) 
@@ -335,16 +340,18 @@ Describe 'Get-TestStringTokenList' { Context 'CommandTokens ParameterSet' { $strings = @{ - 'Greater than 30' = "greater than" - '30 (or greater)' = "or greater" - 'Greater than 30 (but not 60)' = "greater than but not" - '30 (or greater, but not 60)' = "or greater but not" - 'less than 30' = "less than" - '30 (or less)' = "or less" - "Less than 30 (but not 0)" = "less than but not" - "30 (or less, but not 0)" = "or less but not" - " 0x0000000f (15) (or less)" = "or less" - "0x00008000 (32768) (or greater)" = "or greater" + 'Greater than 30' = "greater than" + '30 (or greater)' = "or greater" + 'Greater than 30 (but not 60)' = "greater than but not" + '30 (or greater, but not 60)' = "or greater but not" + 'less than 30' = "less than" + '30 (or less)' = "or less" + "Less than 30 (but not 0)" = "less than but not" + "30 (or less, but not 0)" = "or less but not" + "0x0000001e (30) (or less, but not 0)" = "or less but not" + "0x0000001e (30) (or less, excluding 0)" = "or less excluding" + " 0x0000000f (15) (or less)" = "or less" + "0x00008000 (32768) (or greater)" = "or greater" } Foreach ($string in $strings.GetEnumerator()) 
@@ -373,16 +380,18 @@ Describe 'Get-TestStringTokenList' { Describe 'ConvertTo-TestString' { $Strings = @{ - 'Greater than 30' = "{0} -gt '30'" - '30 (or greater)' = "{0} -ge '30'" - 'Greater than 30 (but not 60)' = "{0} -gt '30' -and {0} -lt '60'" - '30 (or greater, but not 60)' = "{0} -ge '30' -and {0} -lt '60'" - 'less than 30' = "{0} -lt '30'" - '30 (or less)' = "{0} -le '30'" - "Less than 30 (but not 0)" = "{0} -lt '30' -and {0} -gt '0'" - "30 (or less, but not 0)" = "{0} -le '30' -and {0} -gt '0'" - " 0x0000000f (15) (or less)" = "{0} -le '15'" - "0x00008000 (32768) (or greater)" = "{0} -ge '32768'" + 'Greater than 30' = "{0} -gt '30'" + '30 (or greater)' = "{0} -ge '30'" + 'Greater than 30 (but not 60)' = "{0} -gt '30' -and {0} -lt '60'" + '30 (or greater, but not 60)' = "{0} -ge '30' -and {0} -lt '60'" + 'less than 30' = "{0} -lt '30'" + '30 (or less)' = "{0} -le '30'" + "Less than 30 (but not 0)" = "{0} -lt '30' -and {0} -gt '0'" + "30 (or less, but not 0)" = "{0} -le '30' -and {0} -gt '0'" + "0x0000001e (30) (or less, but not 0)" = "{0} -le '30' -and {0} -gt '0'" + "0x0000001e (30) (or less, excluding 0)" = "{0} -le '30' -and {0} -gt '0'" + " 0x0000000f (15) (or less)" = "{0} -le '15'" + "0x00008000 (32768) (or greater)" = "{0} -ge '32768'" } Foreach ($string in $strings.GetEnumerator()) { @@ -653,6 +662,9 @@ Describe 'Test-StringIsLessThanOrEqualButNot' { '3 (or less, but not 1)', ' 3 (or less, but not 1)', ' 3 (or less, but not 1) ' + '0x0000001e (30) (or less, but not 0)', + ' 0x0000001e (30) (or less, but not 0)', + ' 0x0000001e (30) (or less, but not 0) ' ) Foreach ($string in $strings) 
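Review bot: In the Test-StringIsLessThanOrEqualButNot hunk, the three new strings are appended after `' 3 (or less, but not 1) '`, which was the array's last element and carries no trailing comma, so the list now reads `' 3 (or less, but not 1) ' '0x0000001e (30) (or less, but not 0)',` across two lines. Inside `@( )` PowerShell should treat that line break as a statement separator and still collect every element, so the tests run, but the array now mixes comma- and newline-separated items. Add the comma to the preceding line, `' 3 (or less, but not 1) ',`, so the list is consistently delimited and a future insertion does not silently produce a different shape.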
@@ -662,6 +674,21 @@ Describe 'Test-StringIsLessThanOrEqualButNot' { } } } + +Describe 'Test-StringIsLessThanOrEqualExcluding' { + + $strings = @( + '0x0000001e (30) (or less, excluding 0)', + ' 0x0000001e (30) (or less, excluding 0)' + ) + + Foreach ($string in $strings) + { + It "Should return $true when given '$string'" { + Test-StringIsLessThanOrEqualExcluding -String $string | Should Be $true + } + } +} #endregion #region Multiple Values Describe 'Test-StringIsMultipleValue' { diff --git a/Tests/Unit/Module/Convert.RegistryRule.tests.ps1 b/Tests/Unit/Module/Convert.RegistryRule.tests.ps1 index b806fdcb6..c68b950ab 100644 --- a/Tests/Unit/Module/Convert.RegistryRule.tests.ps1 +++ b/Tests/Unit/Module/Convert.RegistryRule.tests.ps1 @@ -314,6 +314,8 @@ try 'Value: 300000 (or less)', 'Value: 30 (or less, but not 0)', 'Value: 0x000dbba0 (900000) or less but not 0', + 'Value: 0x0000001e (30) (or less, but not 0)', + 'Value: 0x0000001e (30) (or less, excluding 0)', 'Value: Possible values are NoSync,NTP,NT5DS, AllSync' ) diff --git a/appveyor.yml b/appveyor.yml index 84855e3f3..8d94be23a 100644 --- a/appveyor.yml +++ b/appveyor.yml @@ -1,8 +1,24 @@ +# Notes: +# - Minimal appveyor.yml file is an empty file. All sections are optional. +# - Indent each level of configuration with 2 spaces. Do not use tabs! +# - All section names are case-sensitive. +# - Section names should be unique on each level. + +#---------------------------------# +# general configuration # +#---------------------------------# + +version: 1.1.1.{build} + +skip_commits: + files: + - '**/*.md' + - .github/* + #---------------------------------# # environment configuration # #---------------------------------# -version: 1.1.0.{build} install: - git clone https://github.com/PowerShell/DscResource.Tests - git clone https://github.com/Microsoft/PowerStig.Tests
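Review bot: The new `Describe 'Test-StringIsLessThanOrEqualExcluding'` only asserts that two positive inputs return `$true`; nothing checks that the sibling "but not" form is rejected, so a match loose enough to accept both wordings would pass here while Get-OrganizationValueTestString's `-or` chain would be satisfied by more than one predicate. Add a negative case such as `Test-StringIsLessThanOrEqualExcluding -String '30 (or less, but not 0)' | Should Be $false`, and for symmetry with the ButNot block above include the trailing-space variant `' 0x0000001e (30) (or less, excluding 0) '`. Whether the function is regex-based is not visible in this diff, so the negative expectation should be confirmed against the implementation.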
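Review bot: The `install:` step (unchanged context lines in this hunk) clones DscResource.Tests and PowerStig.Tests from their default branches with no tag or commit pin, so every CI run executes whatever those repositories currently contain; pinning, e.g. `git clone --branch <PINNED_TAG> https://github.com/PowerShell/DscResource.Tests`, makes builds reproducible and limits exposure to changes in the upstream test harness. The added `skip_commits.files` list is reasonable, but the `# Notes:` block above it is the AppVeyor template's generic boilerplate and says nothing about this project; consider dropping it and keeping only the section banners.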