Update PowerSTIG to Parse/Apply Google Chrome V2R1 (#803)
* initial commit for Chrome * fixed parse error * fixed rule * added support for chrome * updated changelog * updated key, removed trailing " * removed tabs * updated resource * updated export function * updated * updated based on testing * Updated based on testing * updated tests * updated based on test failure * updated based on testing * updated based on testing * added registry policy file to schema * update based on feedback * updated based on feedback
Showing
15 changed files
with
1,919 additions
and
4 deletions.
@@ -0,0 +1,57 @@ | ||
configuration Chrome_config | ||
{ | ||
param | ||
( | ||
[Parameter()] | ||
[AllowNull()] | ||
[string] | ||
$TechnologyVersion, | ||
|
||
[Parameter()] | ||
[AllowNull()] | ||
[string] | ||
$TechnologyRole, | ||
|
||
[Parameter(Mandatory = $true)] | ||
[version] | ||
$StigVersion, | ||
|
||
[Parameter()] | ||
[string[]] | ||
$SkipRule, | ||
|
||
[Parameter()] | ||
[string[]] | ||
$SkipRuleType, | ||
|
||
[Parameter()] | ||
[string[]] | ||
$SkipRuleSeverity, | ||
|
||
[Parameter()] | ||
[hashtable] | ||
$Exception, | ||
|
||
[Parameter()] | ||
[object] | ||
$OrgSettings, | ||
|
||
[Parameter()] | ||
[string[]] | ||
$ResourceParameters | ||
) | ||
|
||
Import-DscResource -ModuleName PowerStig | ||
|
||
Node localhost | ||
{ | ||
$psboundParams = $PSBoundParameters | ||
$psboundParams.Remove('TechnologyRole') | ||
$psboundParams.Remove('ConfigurationData') | ||
$psboundParams.Remove('TechnologyVersion') | ||
|
||
$resourceParamString = New-ResourceParameterString -ResourceParameters $ResourceParameters -PSBoundParams $psboundParams | ||
$resourceScriptBlockString = New-ResourceString -ResourceParameterString $resourceParamString -ResourceName Chrome | ||
& ([scriptblock]::Create($resourceScriptBlockString)) | ||
} | ||
} |
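Review bot: `$psboundParams = $PSBoundParameters` in the Node block copies a reference, not the dictionary, so the three `Remove` calls that follow mutate the automatic `$PSBoundParameters` itself, and each `Remove` returns a boolean that is emitted to the output stream rather than discarded. This is probably the same shape as the other *.config.ps1 test files, but if a detached copy is intended a plain `@{} + $PSBoundParameters` would give one, and the return values can be dropped with `$null = $psboundParams.Remove('TechnologyRole')` (likewise for the other two). The string produced by New-ResourceString is turned into executable code by `[scriptblock]::Create`, so a one-line comment stating that `-ResourceParameters` is test-controlled input would help the next reader.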
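--- /dev/null
+++ b/Tests/Integration/DSCResources/Chrome.integration.tests.ps1
@@ -0,0 +1,47 @@
+using module .\helper.psm1
+
+$script:DSCCompositeResourceName = ($MyInvocation.MyCommand.Name -split '\.')[0]
+. $PSScriptRoot\.tests.header.ps1
+
+$configFile = Join-Path -Path $PSScriptRoot -ChildPath "$($script:DSCCompositeResourceName).config.ps1"
+. $configFile
+
+$script:DSCCompositeResourceNameUpdate = "Google-{0}" -f ($MyInvocation.MyCommand.Name -split '\.')[0]
+$stigList = Get-StigVersionTable -CompositeResourceName $script:DSCCompositeResourceNameUpdate
+$resourceInformation = $global:getDscResource | Where-Object -FilterScript {$PSItem.Name -eq $script:DSCCompositeResourceName}
+$resourceParameters = $resourceInformation.Properties.Name
+
+foreach ($stig in $stigList)
+{
+$orgSettingsPath = $stig.Path.Replace('.xml', '.org.default.xml')
+$blankSkipRuleId = Get-BlankOrgSettingRuleId -OrgSettingPath $orgSettingsPath
+$powerstigXml = [xml](Get-Content -Path $stig.Path) |
+Remove-DscResourceEqualsNone | Remove-SkipRuleBlankOrgSetting -OrgSettingPath $orgSettingsPath
+
+$skipRule = Get-Random -InputObject $powerstigXml.RegistryRule.Rule.id
+$skipRuleType = $null
+$expectedSkipRuleTypeCount = 0 + $blankSkipRuleId.Count
+
+$skipRuleMultiple = Get-Random -InputObject $powerstigXml.RegistryRule.Rule.id -Count 2
+$skipRuleTypeMultiple = $null
+$expectedSkipRuleTypeMultipleCount = 0 + $blankSkipRuleId.Count
+
+$singleSkipRuleSeverity = 'CAT_I'
+$multipleSkipRuleSeverity = 'CAT_I', 'CAT_II'
+$expectedSingleSkipRuleSeverity = Get-CategoryRule -PowerStigXml $powerstigXml -RuleCategory $singleSkipRuleSeverity
+$expectedSingleSkipRuleSeverityCount = ($expectedSingleSkipRuleSeverity | Measure-Object).Count + $blankSkipRuleId.Count
+$expectedMultipleSkipRuleSeverity = Get-CategoryRule -PowerStigXml $powerstigXml -RuleCategory $multipleSkipRuleSeverity
+$expectedMultipleSkipRuleSeverityCount = ($expectedMultipleSkipRuleSeverity | Measure-Object).Count + $blankSkipRuleId.Count
+
+$getRandomExceptionRuleParams = @{
+RuleType = 'RegistryRule'
+PowerStigXml = $powerstigXml
+ParameterValue = 1234567
+}
+$exception = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1
+$exceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2
+$backCompatException = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 -BackwardCompatibility
+$backCompatExceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 -BackwardCompatibility
+
+. "$PSScriptRoot\Common.integration.ps1"
+}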
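Review bot: The fixtures built with `$skipRule = Get-Random -InputObject $powerstigXml.RegistryRule.Rule.id`, the `-Count 2` variant and the four Get-RandomExceptionRule calls choose rule ids at random with no seed and never print which ids were chosen, so a failure inside Common.integration.ps1 cannot be reproduced from the run's output. Either seed the selection (`Get-Random -SetSeed` from a build variable) or emit the chosen ids, e.g. `Write-Verbose "Chrome skip rule under test: $skipRule"` right after the selection. `$expectedSkipRuleTypeCount = 0 + $blankSkipRuleId.Count` reads as if a type count were meant to be added; a short comment saying that no SkipRuleType is exercised for Chrome and only the blank org-setting skips are counted would make that intent explicit. The assertions themselves live in Common.integration.ps1, outside this hunk.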
@@ -0,0 +1,48 @@ | ||
# Copyright (c) Microsoft Corporation. All rights reserved. | ||
# Licensed under the MIT License. | ||
|
||
@{ | ||
|
||
# Script module or binary module file associated with this manifest. | ||
RootModule = 'Chrome.schema.psm1' | ||
|
||
# Version number of this module. | ||
ModuleVersion = '1.0.0.0' | ||
|
||
# ID used to uniquely identify this module | ||
GUID = '30cee7e3-aa8b-4f11-bcfa-01b851eecae5' | ||
|
||
# Author of this module | ||
Author = 'Microsoft Corporation' | ||
|
||
# Company or vendor of this module | ||
CompanyName = 'Microsoft Corporation' | ||
|
||
# Copyright statement for this module | ||
Copyright = '(c) 2020 Microsoft Corporation. All rights reserved.' | ||
|
||
# Description of the functionality provided by this module | ||
Description = 'Composite DSC Resource for managing Google Chrome related DISA STIGs' | ||
|
||
# Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export. | ||
FunctionsToExport = @('Chrome') | ||
|
||
# Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export. | ||
CmdletsToExport = @() | ||
|
||
# Variables to export from this module | ||
VariablesToExport = '*' | ||
|
||
# Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export. | ||
AliasesToExport = @() | ||
|
||
# Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell. | ||
PrivateData = @{ | ||
|
||
PSData = @{ | ||
|
||
} # End of PSData hashtable | ||
|
||
} # End of PrivateData hashtable | ||
|
||
} |
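Review bot: `VariablesToExport = '*'` exports every script-scope variable of Chrome.schema.psm1 by wildcard, while the manifest's own comments on FunctionsToExport, CmdletsToExport and AliasesToExport say not to use wildcards; nothing in the schema module shown in this commit looks like a deliberately public variable, so `VariablesToExport = @()` would be consistent with the other three entries. The PSData block is empty; if the sibling composite-resource manifests carry ProjectUri/LicenseUri there, this one should match — I cannot see them from this commit.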
@@ -0,0 +1,77 @@ | ||
# Copyright (c) Microsoft Corporation. All rights reserved. | ||
# Licensed under the MIT License. | ||
|
||
using module ..\helper.psm1 | ||
using module ..\..\PowerStig.psm1 | ||
|
||
<# | ||
.SYNOPSIS | ||
A composite DSC resource to manage the Chrome STIG settings | ||
.PARAMETER BrowserVersion | ||
The version of the Browser the STIG applies to | ||
.PARAMETER StigVersion | ||
The version of the STIG to apply and monitor | ||
.PARAMETER Exception | ||
A hash table of key value pairs that are injected into the STIG data and applied to | ||
the target node. The title of STIG setting is tagged with the text 'Exception' to identify | ||
the exceptions to policy across the data center when you centralize DSC log collection. | ||
.PARAMETER OrgSettings | ||
The path to the xml file that contains the local organizations preferred settings for STIG | ||
items that have allowable ranges. The OrgSettings parameter also accepts a hashtable for | ||
values that need to be modified. When a hashtable is used, the specified values take | ||
presidence over the values defined in the org.default.xml file. | ||
.PARAMETER SkipRule | ||
The SkipRule Node is injected into the STIG data and applied to the target node. The title | ||
of STIG settings are tagged with the text 'Skip' to identify the skips to policy across the | ||
data center when you centralize DSC log collection. | ||
.PARAMETER SkipRuleType | ||
All STIG rule IDs of the specified type are collected in an array and passed to the Skip-Rule | ||
function. Each rule follows the same process as the SkipRule parameter. | ||
#> | ||
configuration Chrome | ||
{ | ||
[CmdletBinding()] | ||
param | ||
( | ||
[Parameter()] | ||
[ValidateNotNullOrEmpty()] | ||
[version] | ||
$StigVersion, | ||
|
||
[Parameter()] | ||
[ValidateNotNullOrEmpty()] | ||
[hashtable] | ||
$Exception, | ||
|
||
[Parameter()] | ||
[ValidateNotNullOrEmpty()] | ||
[object] | ||
$OrgSettings, | ||
|
||
[Parameter()] | ||
[ValidateNotNullOrEmpty()] | ||
[string[]] | ||
$SkipRule, | ||
|
||
[Parameter()] | ||
[ValidateNotNullOrEmpty()] | ||
[string[]] | ||
$SkipRuleType, | ||
|
||
[Parameter()] | ||
[ValidateSet('CAT_I', 'CAT_II', 'CAT_III')] | ||
[string[]] | ||
$SkipRuleSeverity | ||
) | ||
|
||
##### BEGIN DO NOT MODIFY ##### | ||
$stig = [STIG]::New('Google','Chrome', $StigVersion) | ||
$stig.LoadRules($OrgSettings, $Exception, $SkipRule, $SkipRuleType, $SkipRuleSeverity) | ||
##### END DO NOT MODIFY ##### | ||
|
||
Import-DscResource -ModuleName GPRegistryPolicyDsc -ModuleVersion 1.2.0 | ||
Import-DscResource -ModuleName PSDSCresources -ModuleVersion 2.12.0.0 | ||
. "$resourcePath\windows.Registry.ps1" | ||
. "$resourcePath\windows.Script.skip.ps1" | ||
. "$resourcePath\windows.RefreshRegistryPolicy.ps1" | ||
} |
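Review bot: The comment-based help in this file documents `.PARAMETER BrowserVersion`, which is not in the param block, and has no entry for `SkipRuleSeverity`, which is — Get-Help will describe a parameter that does not exist and omit one that does. Replace the BrowserVersion entry with `.PARAMETER SkipRuleSeverity` followed by `All STIG rules of the specified severity (CAT_I, CAT_II, CAT_III) are collected in an array and passed to the Skip-Rule function, following the same process as the SkipRule parameter.` The same block spells precedence as `presidence`. `$resourcePath`, used by the three dot-source lines at the end, is not defined in this file and presumably comes from helper.psm1 or PowerStig.psm1; a one-line comment naming where it is set would save the next reader a search.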
@@ -0,0 +1,24 @@ | ||
# Copyright (c) Microsoft Corporation. All rights reserved. | ||
# Licensed under the MIT License. | ||
|
||
<# | ||
Instructions: Use this file to add/update/delete regsitry expressions that are used accross | ||
multiple technologies files that are considered commonly used. Ensure expressions are listed | ||
from MOST Restrive to LEAST Restrictive, similar to exception handling. Also, ensure only | ||
UNIQUE Keys are used in each hashtable to prevent errors and conflicts. | ||
#> | ||
|
||
$global:SingleLineRegistryValueName += [ordered]@{ | ||
Chrome1 = @{ | ||
Select = '(?<=3. If the\s|\s")\w+(?=("\s|\s)value name|\skey)' | ||
} | ||
} | ||
|
||
$global:SingleLineRegistryValueData += [ordered]@{ | ||
Chrome1 = @{ | ||
Select = "(?<=entries 1 set to )\w+\:\/\/\*" | ||
} | ||
Chrome2 = @{ | ||
Select = '(?<=its value data is not set to\s|\s\")\d+|\*' | ||
} | ||
} |
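Review bot: In the `Chrome2` expression `'(?<=its value data is not set to\s|\s\")\d+|\*'` the top-level `|` splits the whole pattern, so the lookbehind gates only the `\d+` branch and a bare `*` anywhere in the check text matches without any preceding context. If the lookbehind is meant to cover both forms, group the alternation: `Select = '(?<=its value data is not set to\s|\s\")(\d+|\*)'`. In `Chrome1` of SingleLineRegistryValueName the `.` in `3. If the` is unescaped and matches any character; `3\. If the` says what is meant. The instructions comment at the top also carries typos (`regsitry`, `accross`, `Restrive`) that are probably inherited from the sibling Data.*.ps1 files.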
|
@@ -156,7 +156,6 @@ function Get-RegistryRuleExpressions | |
{ | ||
$spInclude += "Data.Mcafee.ps1" | ||
} | ||
|
||
} | ||
} | ||
else | ||
|
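--- /dev/null
+++ b/source/StigData/Archive/Chrome/U_Google_Chrome_STIG_V2R1_Manual-xccdf.log
@@ -0,0 +1,14 @@
+V-221561::3. If the value name DefaultPopupsSetting::3. If the DefaultPopupsSetting value name
+V-221562::3. If the a registry value name of 1 does not exist under that key or its value is not set to *::3. If the 1 value name does not exist under that key or its value data is not set to *
+V-221582::3. If this key "DefaultPluginsSetting"::3. If the "DefaultPluginsSetting" value name
+V-221597::3. If the “::3. If the "
+V-221599::3. If the key "DeveloperToolsAvailability"::3. If the "DeveloperToolsAvailability" value name
+V-221596::3. If the “AutoplayWhitelist” key::If the "AutoplayWhitelist" value name
+V-221563::*::HardCodedRule(RegistryRule)@{DscResource = 'RegistryPolicyFile'; Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\ExtensionInstallWhitelist'; ValueName = 'ExtensionInstallWhitelist'; ValueType = 'MultiString'; ValueData = $null; OrganizationValueTestString = "{0} -eq '1 | oiigbmnaadbkfbmpbfijlflahbdbdgdf | a list of administrator-approved extension IDs'"}
+V-221564::*::HardCodedRule(RegistryRule)@{DscResource = 'RegistryPolicyFile'; Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome'; ValueName = 'DefaultSearchProviderName'; ValueType = 'String'; ValueData = $null; OrganizationValueTestString = "{0} -eq 'an organization approved encrypted search provider'"}
+V-221565::*::HardCodedRule(RegistryRule)@{DscResource = 'RegistryPolicyFile'; Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome'; ValueName = 'DefaultSearchProviderSearchURL'; ValueType = 'String'; ValueData = $null; OrganizationValueTestString = "{0} -eq 'an organization-approved encrypted search string'"}
+V-221585::*::HardCodedRule(RegistryRule)@{DscResource = 'RegistryPolicyFile'; Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome'; ValueName = 'PluginsAllowedForUrls'; ValueType = 'MultiString'; ValueData = $null; OrganizationValueTestString = "{0} -eq 'a list of administrator approved URLs'"}
+V-221588::*::HardCodedRule(RegistryRule)@{DscResource = 'RegistryPolicyFile'; Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome'; ValueName = 'DownloadRestrictions'; ValueType = 'Dword'; ValueData = $null; OrganizationValueTestString = "{0} -eq '1|2'"}
+V-221596::*::HardCodedRule(RegistryRule)@{DscResource = 'RegistryPolicyFile'; Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome'; ValueName = 'AutoplayWhitelist'; ValueType = 'MultiString'; ValueData = $null; OrganizationValueTestString = "{0} -eq 'a list of administrator-approved URLs"}
+V-221589::*::HardCodedRule(RegistryRule)@{DscResource = 'RegistryPolicyFile'; Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome'; ValueName = 'SSLVersionMin'; ValueType = 'String'; ValueData = 'tls1.1'}
+V-221583::*::HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Absent'; Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CookiesSessionOnlyForUrls'}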
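Review bot: The V-221596 HardCodedRule line ends its OrganizationValueTestString with `'a list of administrator-approved URLs"}` — the closing single quote before the `"` is missing, unlike the V-221585 line above it, so the stored test string is `{0} -eq 'a list of administrator-approved URLs` and would not parse as a PowerShell expression if it is ever evaluated against an org setting. Change the tail to `OrganizationValueTestString = "{0} -eq 'a list of administrator-approved URLs'"}`. The same unbalanced quote already shows up in the generated comment for V-221596 in source/StigData/Processed/Google-Chrome-2.1.org.default.xml (`Ensure 'V-221596' -eq 'a list of administrator-approved URLs-->`), so that processed file should be regenerated after the fix.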
611 changes: 611 additions & 0 deletions
source/StigData/Archive/Chrome/U_Google_Chrome_STIG_V2R1_Manual-xccdf.xml
21 changes: 21 additions & 0 deletions
source/StigData/Processed/Google-Chrome-2.1.org.default.xml
@@ -0,0 +1,21 @@ | ||
<!-- | ||
The organizational settings file is used to define the local organizations | ||
preferred setting within an allowed range of the STIG. | ||
Each setting in this file is linked by STIG ID and the valid range is in an | ||
associated comment. | ||
--> | ||
<OrganizationalSettings fullversion="2.1"> | ||
<!-- Ensure 'V-221563' -eq '1 | oiigbmnaadbkfbmpbfijlflahbdbdgdf | a list of administrator-approved extension IDs'--> | ||
<OrganizationalSetting id="V-221563" ValueData="1" /> | ||
<!-- Ensure 'V-221564' -eq 'an organization approved encrypted search provider'--> | ||
<OrganizationalSetting id="V-221564" ValueData="" /> | ||
<!-- Ensure 'V-221565' -eq 'an organization-approved encrypted search string'--> | ||
<OrganizationalSetting id="V-221565" ValueData="" /> | ||
<!-- Ensure 'V-221585' -eq 'a list of administrator approved URLs'--> | ||
<OrganizationalSetting id="V-221585" ValueData="" /> | ||
<!-- Ensure 'V-221588' -eq '1|2'--> | ||
<OrganizationalSetting id="V-221588" ValueData="1" /> | ||
<!-- Ensure 'V-221596' -eq 'a list of administrator-approved URLs--> | ||
<OrganizationalSetting id="V-221596" ValueData="" /> | ||
</OrganizationalSettings> |