
Comments (5)

rx294 avatar rx294 commented on May 26, 2024

@kkola found a hack for ConvertTo-Json to retain enum strings ...

This would make for better reporting in InSpec test reporting,

because we can write tests like its('AuditFlags'){ should cmp "success" }

PS C:\Users\Administrator> (Get-ACL -Audit -Path AD:\$dn).Audit | ConvertTo-Csv | ConvertFrom-Csv | ConvertTo-Json
[
    {
        "ActiveDirectoryRights":  "GenericAll",
        "InheritanceType":  "All",
        "ObjectType":  "00000000-0000-0000-0000-000000000000",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  "None",
        "AuditFlags":  "Success, Failure",
        "IdentityReference":  "Everyone",
        "IsInherited":  "False",
        "InheritanceFlags":  "ContainerInherit",
        "PropagationFlags":  "None"
    },
    {
        "ActiveDirectoryRights":  "WriteProperty, WriteDacl, WriteOwner",
        "InheritanceType":  "None",
        "ObjectType":  "00000000-0000-0000-0000-000000000000",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  "None",
        "AuditFlags":  "Success",
        "IdentityReference":  "Everyone",
        "IsInherited":  "False",
        "InheritanceFlags":  "None",
        "PropagationFlags":  "None"
    },
    {
        "ActiveDirectoryRights":  "ExtendedRight",
        "InheritanceType":  "None",
        "ObjectType":  "00000000-0000-0000-0000-000000000000",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  "None",
        "AuditFlags":  "Success",
        "IdentityReference":  "BUILTIN\\Administrators",
        "IsInherited":  "False",
        "InheritanceFlags":  "None",
        "PropagationFlags":  "None"
    },
    {
        "ActiveDirectoryRights":  "ExtendedRight",
        "InheritanceType":  "None",
        "ObjectType":  "00000000-0000-0000-0000-000000000000",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  "None",
        "AuditFlags":  "Success",
        "IdentityReference":  "VSPHEREAD\\Domain Users",
        "IsInherited":  "False",
        "InheritanceFlags":  "None",
        "PropagationFlags":  "None"
    },
    {
        "ActiveDirectoryRights":  "WriteProperty",
        "InheritanceType":  "All",
        "ObjectType":  "f30e3bbf-9ff0-11d1-b603-0000f80367c1",
        "InheritedObjectType":  "bf967aa5-0de6-11d0-a285-00aa003049e2",
        "ObjectFlags":  "ObjectAceTypePresent, InheritedObjectAceTypePresent",
        "AuditFlags":  "Success",
        "IdentityReference":  "Everyone",
        "IsInherited":  "False",
        "InheritanceFlags":  "ContainerInherit",
        "PropagationFlags":  "None"
    },
    {
        "ActiveDirectoryRights":  "WriteProperty",
        "InheritanceType":  "All",
        "ObjectType":  "f30e3bbe-9ff0-11d1-b603-0000f80367c1",
        "InheritedObjectType":  "bf967aa5-0de6-11d0-a285-00aa003049e2",
        "ObjectFlags":  "ObjectAceTypePresent, InheritedObjectAceTypePresent",
        "AuditFlags":  "Success",
        "IdentityReference":  "Everyone",
        "IsInherited":  "False",
        "InheritanceFlags":  "ContainerInherit",
        "PropagationFlags":  "None"
    }
]

from microsoft-windows-server-2016-stig-baseline.

kkola avatar kkola commented on May 26, 2024

a2c8e5b and 8e8c1ba fix issue #14 for V-73391


rx294 avatar rx294 commented on May 26, 2024

Hey @kkola, after discussion with the team, here is the proposed strategy for controls V-7339*

For the audit definitions defined for an entity, to be compliant at least one should satisfy the following data points.

Required Audit data points

Type - Fail
Principal - Everyone
Access - Full Control
Inherited from - None
Applies to - This object only

Type - Fail

Type - Should be passed if it is set to Fail or Success or Fail(All)

https://docs.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.auditflags?view=netframework-4.8

Field: AuditFlags

Failure (2): Failed access attempts are to be audited.
None (0): No access attempts are to be audited.
Success (1): Successful access attempts are to be audited.

Principal - Everyone

IdentityReference     : Everyone

Access - Full Control

ActiveDirectoryRights : GenericAll

Inherited from - None

don't care… minimum possible is None, but it could be others and will be compliant

IsInherited           : True
IsInherited           : False

Applies to - This object only

InheritanceType - Should be passed if it is set to All || None || SelfAndChildren

https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectorysecurityinheritance?view=netframework-4.8

Field: InheritanceType

All (1): Indicates inheritance that includes the object to which the ACE is applied, the object's immediate children, and the descendants of the object's children.
Children (4): Indicates inheritance that includes the object's immediate children only, not the object itself or the descendants of its children.
Descendents (2): Indicates inheritance that includes the object's immediate children and the descendants of the object's children, but not the object itself.
None (0): Indicates no inheritance. The ACE information is only used on the object on which the ACE is set. ACE information is not inherited by any descendants of the object.
SelfAndChildren (3): Indicates inheritance that includes the object itself and its immediate children. It does not include the descendants of its children.

Proposed Inspec test code for V-73391

control "test" do
  # Strip the trailing newline from the command output so the AD: path is well-formed
  dn = command("(Get-ADDomain).DistinguishedName").stdout.strip
  audits = json(command: "(Get-ACL -Audit -Path 'AD:#{dn}').Audit | ConvertTo-Csv | ConvertFrom-Csv | ConvertTo-Json").params
  # ConvertTo-Json emits a bare object when only one audit entry exists; normalize to an array
  audits = [audits] unless audits.is_a?(Array)

  # Pass when at least one audit entry satisfies every required data point
  describe.one do
    audits.each do |audit|
      describe "One of Audit Def" do
        subject { audit }
        its(["AuditFlags"])            { should match /Failure|Success, Failure/ }
        its(["IdentityReference"])     { should cmp 'Everyone' }
        its(["ActiveDirectoryRights"]) { should cmp 'GenericAll' }
        its(["IsInherited"])           { should match /True|False/ }
        its(["InheritanceType"])       { should match /All|None|SelfAndChildren/ }
      end
    end
  end
end

If you agree, you can adapt similar code for the other controls.


rx294 avatar rx294 commented on May 26, 2024

Also please note that when only one audit entry is defined,
json(command: "(Get-ACL -Audit -Path 'AD:#{dn}').Audit | ConvertTo-Csv | ConvertFrom-Csv | ConvertTo-Json").params
returns a single hash instead of an array of hashes,
which would require a special case during the lines

describe.one do
    audits.each do |audit|

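The matching logic behind the proposed describe.one block, together with the single-hash case noted in this comment, as an added Ruby example that is not part of the issue thread or the baseline project: it normalises the two shapes ConvertTo-Json emits, splits the AuditFlags flags enum into names, and checks each entry against the required data points. The sample JSON is constructed from the output shape shown above; function and constant names are assumptions.

```ruby
require 'json'

# Required data points from the proposed V-7339* strategy (one entry must match all).
REQUIRED_PRINCIPAL  = 'Everyone'
REQUIRED_RIGHTS     = 'GenericAll'
ALLOWED_INHERITANCE = %w[All None SelfAndChildren]

# ConvertTo-Json emits a bare object for one ACE and an array for several;
# normalise both shapes to an array of hashes (the special case noted above).
def normalize_audits(json_text)
  parsed = JSON.parse(json_text)
  parsed.is_a?(Array) ? parsed : [parsed]
end

# AuditFlags is a [Flags] enum rendered as "Success, Failure"; split it into names.
def audit_flag_names(entry)
  entry.fetch('AuditFlags', '').split(',').map(&:strip)
end

# True when this ACE satisfies every required data point.
def audit_entry_compliant?(entry)
  audit_flag_names(entry).include?('Failure') &&
    entry['IdentityReference'] == REQUIRED_PRINCIPAL &&
    entry['ActiveDirectoryRights'] == REQUIRED_RIGHTS &&
    ALLOWED_INHERITANCE.include?(entry['InheritanceType'])
end

# Control passes if at least one audit ACE is compliant (mirrors describe.one).
def control_compliant?(json_text)
  normalize_audits(json_text).any? { |e| audit_entry_compliant?(e) }
end

# Constructed sample: two entries shaped like the ConvertTo-Json array output.
SAMPLE_ARRAY = <<~JSON
  [
    {"ActiveDirectoryRights": "GenericAll", "InheritanceType": "All",
     "AuditFlags": "Success, Failure", "IdentityReference": "Everyone", "IsInherited": "False"},
    {"ActiveDirectoryRights": "WriteProperty", "InheritanceType": "None",
     "AuditFlags": "Success", "IdentityReference": "Everyone", "IsInherited": "False"}
  ]
JSON

# Constructed sample: a single ACE, which ConvertTo-Json emits as a bare object.
SAMPLE_SINGLE = <<~JSON
  {"ActiveDirectoryRights": "GenericAll", "InheritanceType": "None",
   "AuditFlags": "Success", "IdentityReference": "Everyone", "IsInherited": "False"}
JSON
```

The single-entry sample fails only because its AuditFlags lacks Failure, which is the data point the strategy treats as mandatory.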

kkola avatar kkola commented on May 26, 2024

@rx294 the last few commits should resolve this issue

