diff --git a/.MetaTestOptIn.json b/.MetaTestOptIn.json
deleted file mode 100644
index 4c7c5a75d..000000000
--- a/.MetaTestOptIn.json
+++ /dev/null
@@ -1,5 +0,0 @@
-[
- "Common Tests - Validate Module Files",
- "Common Tests - Validate Markdown Files",
- "Common Tests - Validate Script Files"
-]
diff --git a/.NuspecFileList.json b/.NuspecFileList.json
deleted file mode 100644
index 0358f500b..000000000
--- a/.NuspecFileList.json
+++ /dev/null
@@ -1,31 +0,0 @@
-[
- {
- "src": "PowerStig.psd1",
- "target": ""
- },
- {
- "src": "PowerStig.psm1",
- "target": ""
- },
- {
- "src": "README.md",
- "target": ""
- },
- {
- "src": "LICENSE*",
- "target": ""
- },
- {
- "src": "DSCResources\\**",
- "target": "DSCResources\\"
- },
- {
- "src": "StigData\\Processed\\**",
- "target": "StigData\\Processed"
- },
- {
- "src": "Module\\**\\*.*",
- "target": "Module",
- "exclude": "**\\Convert\\**"
- }
-]
diff --git a/.codecov.yml b/.codecov.yml
deleted file mode 100644
index 29a05dd15..000000000
--- a/.codecov.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-codecov:
- notify:
- require_ci_to_pass: no
-
-comment:
- layout: "reach, diff"
- behavior: default
-
-coverage:
- range: 50..80
- round: down
- precision: 0
-
- status:
- project:
- default:
- # Set the overall project code coverage requirement to 70%
- target: 70
- patch:
- default:
- # Set the pull request requirement to not regress overall coverage by more than 5%
- # and let codecov.io set the goal for the code changed in the patch.
- target: auto
- threshold: 5
diff --git a/.gitignore b/.gitignore
index 4f3039eee..6265ce4e4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,9 +1,15 @@
-# Cloned modules
-DSCResource.Tests
-
 # Editors
 .vscode/
 .vs/
 # local preference scripts/utilities
 .local/
+
+# Build output folder
+output/
+
+# Dynamic test folder where class inport code is stored
+.DynamicClassImport/
+
+# RequiredModules.psd1 is created by the build script and should be git ignored
+RequiredModules.psd1
\ No newline at end of file
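Review bot: The comment `# Dynamic test folder where class inport code is stored` on the new .gitignore entries misspells "import"; suggest `# Dynamic test folder where class import code is stored`. The new file also ends without a trailing newline (the `\ No newline at end of file` marker after `RequiredModules.psd1`), so the next entry appended to this file will show up as a two-line diff; ending the file with a newline avoids that. Dropping the `DSCResource.Tests` ignore is presumably tied to the build moving to the Azure Pipelines / DSC Community logic mentioned in the changelog, but that is inferred from the rest of the commit rather than from this hunk.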
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5c60840a0..a3a472c38 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,8 +1,24 @@ # Versions -## Unreleased - -## 4.3.0 +## [Unreleased] + +* Update PowerSTIG to successfully parse/apply MS SQL Server 2012 Instance Ver. 1 Rel. 20: [#639](https://github.com/microsoft/PowerStig/issues/639) +* Update PowerSTIG to successfully parse/apply MS SQL Server 2016 Instance Ver. 1 Rel. 9: [#636](https://github.com/microsoft/PowerStig/issues/636) +* Update PowerSTIG to successfully parse/apply Windows Server 2012 DNS STIG - Ver 1, Rel 14: [#633](https://github.com/microsoft/PowerStig/issues/633) +* Update PowerSTIG to successfully parse Microsoft IIS Server/Site 10.0 STIG STIG V1R1: [#632](https://github.com/microsoft/PowerStig/issues/632) +* Update PowerSTIG to successfully parse Microsoft Visio 2013 STIG V1R4: [#629](https://github.com/microsoft/PowerStig/issues/629) +* Update PowerSTIG to successfully parse/apply Windows Defender Antivirus STIG - V1R8: [#625](https://github.com/microsoft/PowerStig/issues/625) +* Update PowerSTIG to successfully parse Microsoft SQL Server 2012 Database STIG V1R20: [#618](https://github.com/microsoft/PowerStig/issues/618) +* Update PowerSTIG to successfully parse/apply Microsoft IIS Server/Site 8.5 STIG - Ver 1, Rel10: [#622](https://github.com/microsoft/PowerStig/issues/622) +* Update PowerSTIG to use Azure Pipelines and DSC Community based build logic: [#600](https://github.com/microsoft/PowerStig/issues/600) +* Update PowerSTIG to parse/convert the Vmware Vsphere 6.5 STIG V1R3: [#604](https://github.com/microsoft/PowerStig/issues/604) +* Update PowerSTIG to parse/convert the Vmware Vsphere 6.5 STIG V1R4: [#634](https://github.com/microsoft/PowerStig/issues/634) +* Fixed [#647](https://github.com/microsoft/PowerStig/issues/647): Conflict when configuring multiple databases +* Fixed [#616](https://github.com/microsoft/PowerStig/issues/616): Unable to Import PowerSTIG 4.4.0 Due to cyclic dependency Error +* Fixed [#632](https://github.com/microsoft/PowerStig/issues/632): Update PowerSTIG to allow for 
workgroup level scansr +* Fixed [#652](https://github.com/microsoft/PowerStig/issues/652): Invalid ValueName for InternetExplorer11 rules V-75169 and V-75171 + +## [4.3.0] - 2020-03-27 * Update PowerSTIG to Expand .NET STIG Automation: [#591](https://github.com/microsoft/PowerStig/issues/591) * Update PowerSTIG to parse and apply McAfee VirusScan 8.8 Local Client STIG V5R16: [#588](https://github.com/microsoft/PowerStig/issues/588) @@ -25,7 +41,7 @@ * Fixed [#401](https://github.com/microsoft/PowerStig/issues/401): Checklists generated by New-StigChecklist do not provide finding details. * Fixed [#593](https://github.com/microsoft/PowerStig/issues/593): Update PowerSTIG Convert naming conventions of output STIGs -## 4.2.0 +## [4.2.0] - 2019-12-20 * Update PowerSTIG parsing for IIS 8.5 STIG - Ver 1, Rel 9: [#530](https://github.com/microsoft/PowerStig/issues/530) * Update PowerSTIG to successfully parse Microsoft .Net Framework STIG 4.0 STIG - Ver 1, Rel 9: [535](https://github.com/microsoft/PowerStig/issues/535) 
@@ -45,18 +61,18 @@ * Fixed [#545](https://github.com/microsoft/PowerStig/issues/545): Need a test to verify the conversionstatus="fail" does not exist in processed STIGs * Fixed [#517](https://github.com/microsoft/PowerStig/issues/520): Need a test to verify the module version in the module manifest matches the DscResources. -## 4.1.1 +## [4.1.1] - 2019-10-31 * Fixed [#517](https://github.com/microsoft/PowerStig/issues/517): 4.1.0 GPRegistryPolicyDsc Module Version Issue -## 4.1.0 +## [4.1.0] - 2019-10-31 * Update PowerSTIG to enable Exception Parameter Backward Compatibility Feature Request: [506](https://github.com/microsoft/PowerStig/issues/506) * Update Enable Stig Checklist automation to include Status and Comments for manual checks: [#485](https://github.com/microsoft/PowerStig/issues/485) -## 4.0.0 +## [4.0.0] - 2019-09-23 -* Update PowerSTIG parsing for Windows Sever 2016 STIG - Ver 1, Rel 9 [#498] (https://github.com/microsoft/PowerStig/issues/498) +* Update PowerSTIG parsing for Windows Sever 2016 STIG - Ver 1, Rel 9 [#498] - (https://github.com/microsoft/PowerStig/issues/498) * Fixed [#507](https://github.com/microsoft/PowerStig/issues/507): Get-HardCodedRuleLogFileEntry Errors on RegistryRule * Update PowerSTIG to leverage the GPRegistryPolicyDsc resource for Local Group Policy automation: [#497](https://github.com/microsoft/PowerStig/issues/497) * Update PowerSTIG to enable the logfile framework to consume a hashtable for HardCodedRule: [#494](https://github.com/microsoft/PowerStig/issues/494) 
@@ -84,251 +100,3 @@ * Updated logfile in DotNet Framework STIG leveraging HardCodedRule to automate additional STIG rules. [#454](https://github.com/microsoft/PowerStig/issues/454) * Fixed [#493](https://github.com/microsoft/PowerStig/issues/493): IIS 8/5 Server STIG rule V-76745 is referencing the incorrect IIS default path * Fixed [#505](https://github.com/microsoft/PowerStig/issues/505): Missing reg key setting on V-76759 IIS Server 8.5 v1R7 - -## 3.3.0 - -UPDATES - -* Fixed [#419](https://github.com/Microsoft/PowerStig/issues/419): PowerStig is creating resource xSSLSettings with the wrong value for Name. -* Updated PowerSTIG to leverage AuditSetting instead of the Script resource. Additionally renamed WmiRule to AuditSettingRule [#431](https://github.com/Microsoft/PowerStig/issues/431) - -Added the following STIG - -* Added support for Windows 10, Version 1, Release 17 [#442](https://github.com/microsoft/PowerStig/issues/442) -* Added support for Windows Defender, Version 1, Release 5 [#393](https://github.com/microsoft/PowerStig/issues/393) -* Added support for Internet Explorer 11 Version 1, Release 17 [#422](https://github.com/Microsoft/PowerStig/issues/422) -* Added support for Server 2016 STIG, Version 1, Release 8 [#418](https://github.com/Microsoft/PowerStig/issues/418) - -## 3.2.0 - -* Added support for IIS 8.5 Server STIG, Version 1, Release 7 [#399](https://github.com/Microsoft/PowerStig/issues/399) -* Fixed [#373](https://github.com/Microsoft/PowerStig/issues/373): Registry resource does not handle null values for ValueData contained in Processed STIGs -* Fixed [#376](https://github.com/Microsoft/PowerStig/issues/376): SQL STIG Rules V-41021 (Instance STIG) and V-41402 (Database STIG) fail to apply when applying to a SQL instance that is NOT name the default (MSSQLSERVER). 
-* Fixed [#377](https://github.com/Microsoft/PowerStig/issues/377): SQL Instance Rule V-40936 fails when Set-TargertResource is ran -* Fixed [#280](https://github.com/Microsoft/PowerStig/issues/280): HKEY_CURRENT_USER is not needed with the cAdministrativeTemplateSetting composite resource. (Regression Issue) -* Fixed [#385](https://github.com/Microsoft/PowerStig/issues/385): IIS Server STIG V-76681 does not parse correctly -* Added support for Office 2016 STIGs [#370](https://github.com/Microsoft/PowerStig/issues/370) -* Added support to Automate Application Pool Recycling for IisSite_8.5 [#378](https://github.com/Microsoft/PowerStig/issues/378) -* Added support for Windows Server 2012R2 DC V2R16 [#398](https://github.com/Microsoft/PowerStig/issues/398) -* Added support for update Windows Server 2012 MS STIG v2r15 [#395](https://github.com/Microsoft/PowerStig/issues/395) -* Added support for Firefox STIG v4r25 [#389](https://github.com/Microsoft/PowerStig/issues/389) -* Added entry in log file for IISSite 1.7 so rule v-76819 parses as an xWebConfigurationProperty [#407](https://github.com/microsoft/PowerStig/issues/407) -* Added IISSite v1.7 [#400](https://github.com/microsoft/PowerStig/issues/400) -* Fixed [#403](https://github.com/microsoft/PowerStig/issues/403): DotNet STIG V1R7 update - -## 3.1.0 - -UPDATES - -* Removed duplicate code from rule class constructors -* Migrated from Get-WmiObject to Get-CimInstance to support PowerShell Core -* Migrated to PSDscResources [#345](https://github.com/Microsoft/PowerStig/issues/345) -* Migrated to ComputerManagementDsc [#342](https://github.com/Microsoft/PowerStig/issues/342) -* Fixed [#358](https://github.com/Microsoft/PowerStig/issues/358): Update PowerSTIG Duplicate Rule handling and capability - -Added the following STIG - -* Windows Defender V1R4 [#344](https://github.com/Microsoft/PowerStig/issues/344) - -## 3.0.1 - -* Fixed [#350](https://github.com/Microsoft/PowerStig/issues/350): Updates to fix Skip rules not 
working correctly -* Fixed [#348](https://github.com/Microsoft/PowerStig/issues/348): Update to DnsServer Schema to correct typo. - -## 3.0.0 - -* Introduces class support for each rule type -* The STIG class now contains an array of rule objects vs xml elements -* Orgsettings, Exceptions, and Rule skips are all supported by the Rule base class -* Rule help is provided for any loaded rule. - * See the [wiki](https://github.com/Microsoft/PowerStig/wiki/GettingRuleHelp) for more information. -* Major code refactor to simplify maintenance and usage -* [Breaking Change] The STIG class constructor no longer accepts Orgsettings, Exceptions, or Rule skips - * That functionality has move to the load rule method -* DSC composite resource parameter validation for version numbers has been removed - * The STIG class validates all input and will throw an error if invalid data is provided. -* The Get-StigList has be updated and renamed to Get-Stig to return the STIG class - -UPDATES - -* Fixed [#241](https://github.com/Microsoft/PowerStig/issues/241): [WindowsFeatureRule] PsDesiredStateConfiguration\WindowsOptionalFeature doesn't properly handle features that return $null -* Fixed [#258](https://github.com/Microsoft/PowerStig/issues/258): New-StigChecklist will not accept a path without an explicit filename -* Fixed [#243](https://github.com/Microsoft/PowerStig/issues/243): [V-46515] Windows-All-IE11-1.15 Rawstring typo -* Fixed [#289](https://github.com/Microsoft/PowerStig/issues/289): Updated DocumentRule and DocumentRuleConvert Classes to parse correctly. -* Fixed [#284](https://github.com/Microsoft/PowerStig/issues/284): [V-74415] [V-74413] Windows 10 STIG rule V-74415 and V-74413 should not contain white space in key -* Fixed [290](https://github.com/Microsoft/PowerStig/issues/290): [V-76731] IIS Server STIG V-76731 fails to properly set STIG guidance because rule is not split. 
-* Fixed [314](https://github.com/Microsoft/PowerStig/issues/314): Update PowerSTIG to Utilize LogTargetW3C parameter in xWebAdministration 2.5.0.0. -* Fixed [334](https://github.com/Microsoft/PowerStig/issues/334): Update PowerStig to utilize AccessControlDsc 1.3.0.0 -* Fixed [331](https://github.com/Microsoft/PowerStig/issues/331): 2012/R2 [V-39325] 2016 [V-73373], [V-73389] PermissionRule.Convert CheckContent Match Parser Update -* Fixed [320](https://github.com/Microsoft/PowerStig/issues/320): IIS Site STIG doesn't correctly convert STIGS that contain "SSL Settings" in raw string - -* Added the following STIGs - * IIS Site 8.5 V1R6 [#276](https://github.com/Microsoft/PowerStig/issues/276) - * Windows Firewall STIG V1R7 [#319](https://github.com/Microsoft/PowerStig/issues/319) - -* Removed the following STIGs - * Windows Server 2012 R2 DC 2.12 - * Windows Server 2012 R2 DSN 1.7 - * Active Directory Domain 2.9 - * IIS Server 8.5 1.3 - * IIS Site 8.5 1.2 - * Removed: Internet Explorer 1.13 - -## 2.4.0.0 - -* Fixed [#244](https://github.com/Microsoft/PowerStig/issues/244): IIS Server rule V-76727.b org setting test fails -* Fixed [#246](https://github.com/Microsoft/PowerStig/issues/246): IIS Server rule V-76737 contains an incorrect value -* Fixed [#225](https://github.com/Microsoft/PowerStig/issues/225): Update PowerStig integration tests to consolidate duplicate code. -* Fixed [#160](https://github.com/Microsoft/PowerStig/issues/160): PowerStig.Convert needs to handle new registry rules without affecting existing code -* Fixed [#201](https://github.com/Microsoft/PowerStig/issues/201): Update PowerStig integration tests to account for skips and exceptions. -* Fixed [#260](https://github.com/Microsoft/PowerStig/issues/260): FireFox Composite Resource configuration applies correctly, but never passes a Test-DscConfiguration. 
-* Fixed [#244](https://github.com/Microsoft/PowerStig/issues/244): IIS Server rule V-76727.b org setting test fails -* Fixed [#265](https://github.com/Microsoft/PowerStig/issues/265): Fixed UserRightsAssignment split rule bug. -* Fixed [#267](https://github.com/Microsoft/PowerStig/issues/267): Fixed winlogon registry path parser bug. -* Fixed [#238](https://github.com/Microsoft/PowerStig/issues/238): Adds regex tracker for RegistryRule regex's. -* Fixed [#274](https://github.com/Microsoft/PowerStig/issues/274): UserRightsAssignment composite resource does not leverage the Force Parameter. -* Fixed [#280](https://github.com/Microsoft/PowerStig/issues/280): HKEY_CURRENT_USER is not needed with the cAdministrativeTemplateSetting composite resource. - -* Windows Server 2012R2 Fixes - * V-36707 is now an org setting - * (DC only) V-2376 - V-2380 are migrated from manual to account policy rules. - -* Added the following STIGs - * SQL Server 2016 Instance V1R3 [#186](https://github.com/Microsoft/PowerStig/issues/186) - * Windows Defender Antivirus V1R4 [#236](https://github.com/microsoft/PowerStig/issues/236) - * Mozilla Firefox V4R24 [#261](https://github.com/Microsoft/PowerStig/issues/261) - * Windows Server 2016 V1R6 [#169](https://github.com/Microsoft/PowerStig/issues/169) - * Windows Server 2016 V1R7 [#251](https://github.com/Microsoft/PowerStig/issues/251) - * SQL Server 2012 Database V1R18 [#263](https://github.com/Microsoft/PowerStig/issues/263) - * Windows Server 2012R2 DC V2R15 [#267](https://github.com/Microsoft/PowerStig/issues/267) - * Windows 10 V1R16 [#269](https://github.com/Microsoft/PowerStig/issues/269) - * IIS Server 8.5 V1R6 [#256](https://github.com/Microsoft/PowerStig/issues/266) - * Windows Server 2012R2 DNS V1R11 STIG [#265](https://github.com/Microsoft/PowerStig/issues/265) - * AD Domain V2R12 [#270](https://github.com/Microsoft/PowerStig/issues/270) - -## 2.3.2.0 - -* Fixed [#215](https://github.com/Microsoft/PowerStig/issues/215): Org settings 
wont apply for DotNet STIG -* Fixed [#216](https://github.com/Microsoft/PowerStig/issues/216): DotNet STIGs are misnamed -* Fixed [#207](https://github.com/Microsoft/PowerStig/issues/207): SQL Server Database rules fail to apply -* Fixed [#208](https://github.com/Microsoft/PowerStig/issues/208): Update PowerSTIG to use SQLServerDsc 12.1.0.0 -* Fixed [#220](https://github.com/Microsoft/PowerStig/issues/220): Update PowerSTIG to use xWebAdministration 2.3.0.0 - -## 2.3.1.0 - -* Fixed [#212](https://github.com/Microsoft/PowerStig/issues/212): SDDL strings are incorrectly split in the xRegistry resource -* Fixed [#180](https://github.com/Microsoft/PowerStig/issues/180): IisSite SkipRuleType and SkipRule fail to skip rules - -## 2.3.0.0 - -* Windows 10 Fixes - * V-63795 - Changed from manual to registry rule ## HIGH IMPACT CHANGE ## - -* Windows Server 2012R2 Fixes - * V-1089 - Corrected text - * V-21954 - Changed from manual to registry rule ## HIGH IMPACT CHANGE ## - * V-26070 - Corrected key path - * V-36657 - Corrected key path - * V-36681 - Corrected key path - -* Added the following STIGs - * IIS Server 8.5 STIG V1R5 - * Microsoft Outlook 2013 STIG V1R13 - * DotNet Framework 4.0 STIG V1R6 - * IIS Site 8.5 STIG V1R5 - * Windows Domain V2R11 - * FireFox 4.23 STIG - * Windows Server 2012R2 DC V2R14 - * Windows Server 2012R2 MS V2R14 - * Windows 10 V1R15 - -## 2.2.0.0 - -* Added the following STIGs - * IIS Site 8.5 STIG V1R2 - * IIS Site 8.5 STIG V1R3 - * Oracle JRE 8 STIG V1R5 - * Microsoft Outlook 2013 STIG V1R12 - * Microsoft PowerPoint 2013 Stig V1R6 - * Microsoft Excel 2013 STIG V1R7 - * Microsoft Word 2013 STIG V1R6 - -* Added the following DSC Composite Resources - * Microsoft Office 2013 STIGs - * FireFox STIG - * IIS Site STIG - * IIS Server STIG - * Oracle JRE STIG - * Windows10 STIG - -* Newly required modules - * PolicyFileEditor - * FileContentDsc - * WindowsDefenderDSC - * xWebAdministration - * xWinEventLog - -* Updated required module versions - * 
xDnsServer from 1.9.0.0 to 1.11.0.0 - * SecurityPolicyDsc from 2.2.0.0 to 2.4.0.0 - -## 2.1.0.0 - -* Migrated Composite resources to the xRegistry resource -* Fixed 2012R2 V-15713 default org setting value -* Updated IE STIGs (V-46477) with the decimal value -* Updated New-StigCheckList to output StigViewer 2.7.1 ckl files -* Added SkipRule functionality to all composite resources -* Added StigData for FireFox STIG V4R21 -* Added Sql2012 1.17 to Archive and processed -* Updated Sql2012 1.16 to fix broken rules -* Removed Sql2012 1.14 from archives to comply with n-2 version policy -* Updated data for 2012R2 Stigs to fix broken rules - -## 2.0.0.0 - -* Added a Document module to automatically create a Stig Checklist (EXPERIMENTAL) -* Merged PowerStigDsc into PowerStig so there is only one module to maintain - * Replaced PowerStig Technology Class with Enumeration - * Added script module back to manifest - * Added DotNetFramework composite resource - -* Added the following STIGs - * Windows Server 2012R2 MS STIG V2R13 - * Windows Server 2012R2 DC STIG V2R13 - * Windows 2012 DNS V1R10 - * Windows Domain V2R10 - * Windows Forest V2R8 - * IE11-V1R16 - -* Corrected parsing of rule V-46477 in the IE STIGs - * Updated StigData - * Bug fixes - * Removed Windows Server 2012R2 MS and DC StigData v2.9 - -## 1.1.1.0 - -Update IIS Server STIG V-76723.a with correct value - -## 1.1.0.0 - -Replaced Technology class with enumeration. This breaks PowerStigDsc < 1.1.0.0 - -Added the following STIGs: - -* IIS 8.5 Server STIG V1R3 - -Updates - -* Updated SQL STIG code to account for SQL STIGS being added in PowerStigDsc -* Update to PowerStig.psm1 to fix issue were StigData class was not accessible to PowerStigDsc - -## 1.0.0.0 - -Added the following STIGs: - -* Windows Server 2012R2 MS STIG V2R12 -* Windows Server 2012R2 DC STIG V2R12 -* Windows Server DNS V1R9 -* Windows AD Domain V2R9 -* IE11 V1R15 
diff --git a/DSCResources/Resources/windows.UserRightsAssignment.ps1 b/DSCResources/Resources/windows.UserRightsAssignment.ps1
deleted file mode 100644
index ae714b5b2..000000000
--- a/DSCResources/Resources/windows.UserRightsAssignment.ps1
+++ /dev/null
@@ -1,62 +0,0 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
-# Licensed under the MIT License.
-
-#region Header
-$rules = $stig.RuleList | Select-Rule -Type UserRightRule
-
-$domainGroupTranslation = @{
- 'Administrators' = 'Builtin\Administrators'
- 'Auditors' = '{0}\auditors'
- 'Authenticated Users' = 'Authenticated Users'
- 'Domain Admins' = '{0}\Domain Admins'
- 'Guests' = 'Guests'
- 'Local Service' = 'NT Authority\Local Service'
- 'Network Service' = 'NT Authority\Network Service'
- 'NT Service\WdiServiceHost' = 'NT Service\WdiServiceHost'
- 'NULL' = ''
- 'Security' = '{0}\security'
- 'Service' = 'Service'
- 'Window Manager\Window Manager Group' = 'Window Manager\Window Manager Group'
-}
-
-$forestGroupTranslation = @{
- 'Enterprise Admins' = '{0}\Enterprise Admins'
- 'Schema Admins' = '{0}\Schema Admins'
-}
-
-# This requires a local forest and/or domain name to be injected to ensure a valid account name.
-$DomainName = PowerStig\Get-DomainName -DomainName $DomainName -Format NetbiosName
-$ForestName = PowerStig\Get-DomainName -ForestName $ForestName -Format NetbiosName
-
-#endregion Header
-
-foreach ($rule in $rules)
-{
- Write-Verbose $rule
- $identitySplit = $rule.Identity -split ","
- [System.Collections.ArrayList] $identityList = @()
-
- foreach ($identity in $identitySplit)
- {
- if ($domainGroupTranslation.Contains($identity))
- {
- [void] $identityList.Add($domainGroupTranslation.$identity -f $DomainName )
- }
- elseif ($forestGroupTranslation.Contains($identity))
- {
- [void] $identityList.Add($forestGroupTranslation.$identity -f $ForestName )
- }
- # Default to adding the identify as provided for any non-default identities.
- else
- {
- [void] $identityList.Add($identity)
- }
- }
-
- UserRightsAssignment (Get-ResourceTitle -Rule $rule)
- {
- Policy = ($rule.DisplayName -replace " ", "_")
- Identity = $identityList
- Force = [bool]$rule.Force
- }
-}
diff --git a/FILEHASH.md b/FILEHASH.md
index d8677d568..c6d50a03d 100644
--- a/FILEHASH.md
+++ b/FILEHASH.md
@@ -1,4 +1,4 @@
-# PowerSTIG File Hashes : Module Version 4.3.0
+# PowerSTIG File Hashes : Module Version 4.4.0
 Hashes for **PowerSTIG** files are listed in the following table:
@@ -14,18 +14,22 @@ Hashes for **PowerSTIG** files are listed in the following table: | FireFox-All-4.27.xml | 8F405BAA320B88226F9C38D87E8FD948324EC2D3E07982C31F2276773BF614C2 | 40846 | | FireFox-All-4.28.org.default.xml | 5FA83AAFCB1F569D382FC7F66F1BB5D4F245E3B2B5A336D8BA431C16AFC71A27 | 306 | | FireFox-All-4.28.xml | E84C9DB143EDA81131510607F0F667200BEF0950FF8E1FC4683C121489A8FCF5 | 38487 | -| IISServer-8.5-1.7.org.default.xml | ACF3A2FBF19D31CDE937C3680603C6CDE4A8BBC0AC579B363CC6D9E588C3E0ED | 438 | -| IISServer-8.5-1.7.xml | A47B96A37505F57592A33EC3F3DE0F2AED5FB173814A9C555E2A428355748418 | 126440 | +| IISServer-10.0-1.1.org.default.xml | 24A3BED5E504DAD377595158256A6A32871C72496118F5B396C3D696ADC99966 | 440 | +| IISServer-10.0-1.1.xml | 169A78FB169F315217E3B8EB8E28CA89439852F3ADF342A7F3DF544E0D8B5AF8 | 127945 | +| IISServer-8.5-1.10.org.default.xml | 074E6849FF56C54CD238DF75BEBCD9947D242E5EF716DD47EE15D8B2C710ACEC | 439 | +| IISServer-8.5-1.10.xml | D8B88D194BF358DAAEC09F658844F5DBAF6CCF1A7DAC6DD34A3C49F413BA93DA | 127204 | | IISServer-8.5-1.9.org.default.xml | 891D2D3DA53E8A1241DCE73BF5F02A23FB62F29FBCDC6BE27588C13FBB63E2C7 | 438 | | IISServer-8.5-1.9.xml | 954E722BAF59B51A1ED2DF701634A804810195F1FC62FFB377B94B29ABA85F0E | 126777 | -| IISSite-8.5-1.8.org.default.xml | 35CC6C2284E002B363F9D888AE20B2A66BD46DD9A80448BA0EAEF4D3B2B65CCE | 1491 | -| IISSite-8.5-1.8.xml | 4BD053CC13A64BB6751225D72F8F3B81B0AB7307F5AAAACE7D24FDDD32FE01DE | 130400 | +| IISSite-10.0-1.1.org.default.xml | 97A8C5398A15F92BD4EE7413A7B94D58DFD612D711C0313508F64A0F366AE4DB | 1420 | +| IISSite-10.0-1.1.xml | 521F35F019DCD068E7D431BE2358079948F2C43BBF2AEAEB3D52C208B4F138A7 | 118353 | +| IISSite-8.5-1.10.org.default.xml | 282999F209A372BDA77EFD1F8D5AC95AEA94801F64631D856197B6BD3DACED92 | 1492 | +| IISSite-8.5-1.10.xml | 74ABD5BAF3822C3C5BA95E438DA955C3D4EBF36B8796DECA65BD0095F759B796 | 127434 | | IISSite-8.5-1.9.org.default.xml | BDB889F63903637B7026F231685CC62767DF0B2BD96A6B34D9DCCB52982A4F15 
| 1491 | | IISSite-8.5-1.9.xml | 308E6886D71CE588ABABD420E9F2A7282505E5FE8B2D162FFBFBE5FB55E06143 | 131381 | | InternetExplorer-11-1.17.org.default.xml | 8A5B2D74C0FB37EFBA5C75BADF21955074EA9338062E00BC3C3BF6238BF80F4A | 306 | -| InternetExplorer-11-1.17.xml | 7BFA9ED087E94EF8314CB6A4B5AE981125483F55CB9583A06D940D4A8D3B2964 | 330080 | +| InternetExplorer-11-1.17.xml | D033050A8F8037C06A094705CC5F103C94EACBDE93ACD283F5A4C53AE6347A74 | 329836 | | InternetExplorer-11-1.18.org.default.xml | 1095CEEAD18CBBAD9068326B97D520F7F76F1F71331618F17B2138DC8FE55ED4 | 306 | -| InternetExplorer-11-1.18.xml | 68D731BD29502EF9E519B318FFB4C0584AF92C734277F808D50FB80A87460180 | 332302 | +| InternetExplorer-11-1.18.xml | 7AB1611E525B8D257E722BE7175898F76EAC1C3AFD592C15738AC7EB365139D4 | 332058 | | McAfee-8.8-VirusScan-5.16.org.default.xml | 28792D63E69F797CA02CCAE52F537B1001D9069BD7DE4F5A73375424C19FE660 | 777 | | McAfee-8.8-VirusScan-5.16.xml | 22CAEE788CA69690819D46548D19E40163FD8EB799F8EC7FAA4E5FB714C4F445 | 244268 | | Office-Excel2013-1.7.org.default.xml | 6A8FBC7AD79015A5261C617A2EFC0084E58BCAFAAD3FA2B8E61BC01A860C102C | 429 | 
@@ -46,48 +50,54 @@ Hashes for **PowerSTIG** files are listed in the following table: | Office-System2013-1.9.xml | 346A48CA6FD98889F0E60928AA0E87E138CF4E8A45E1BDB82BB04005428638C5 | 122545 | | Office-System2016-1.1.org.default.xml | 1BC04F0B3B55ED751A1451845E35821A7A8DE2A9592ED63D70AD422E5B3BB1C4 | 305 | | Office-System2016-1.1.xml | 6ABE255AD940C70AA20E72B50FCE9E78BA3C3291C085EFF26581059445904229 | 63544 | +| Office-Visio2013-1.4.org.default.xml | DEB619FD6632472F27796C703DB93523035A5BCD84A2FE878DABBCFC968FFFD9 | 305 | +| Office-Visio2013-1.4.xml | 4DDEFCDD8E1D316BB2498D95CC033CBABD536A90EF9D6D1278127F4C4FF8DDA8 | 30296 | | Office-Word2013-1.6.org.default.xml | 737AEDF59D64684358B3E58ED4D0C42E5FD99AA4495489B8E625B79CE838E663 | 305 | | Office-Word2013-1.6.xml | 85E667D9899F3B98270275D1E2F1E5BEAF3AC39C0D8F3143E61F53FBA74263B9 | 81466 | | Office-Word2016-1.1.org.default.xml | 7C6CDD5943A445A748835DDAEA1C2AC2615A2BC21B0570751F234E5AB5D7B14B | 431 | | Office-Word2016-1.1.xml | 3309F6DCAFFDC4521E2B40CD6D1FC8DBEFB69972B64BBEC5C4C43BAF74542B84 | 88318 | | OracleJRE-8-1.5.org.default.xml | 9F29E6AA7A905712FC4BBA768764219CB4CD7F259A0515A486E0E9EE4BE03F66 | 502 | | OracleJRE-8-1.5.xml | D8D451B6E2B88C4F7FA14809CA7E6485E19C6295460342C01EF78E6787F073F3 | 45264 | -| SqlServer-2012-Database-1.18.org.default.xml | 393D9B940BD03BA8F5DB386964D00F1AD9CD195A62D0F654E8235AF8F8754D02 | 409 | -| SqlServer-2012-Database-1.18.xml | 6F8DFCC425DDDAB1F6712BE0BB7B996D9D4CA53B64129F3E03131A87186B1362 | 85242 | | SqlServer-2012-Database-1.19.org.default.xml | 68A05F4480CD66C7CB07BF7554A6FB580AD1D7826D56F3B399A164321A5904C5 | 409 | | SqlServer-2012-Database-1.19.xml | 73EBD394A734F4C66077BA9124FD69131986232BB8800EE88509D98CBC471FED | 85752 | -| SqlServer-2012-Instance-1.17.org.default.xml | 0F9DDEA039A26476C1437F44C9682229DFBAACC8DA9C928A5EA5853539AB7219 | 923 | -| SqlServer-2012-Instance-1.17.xml | C5B91C73E2119F6B0F82212A789571986D07C9479A234119A8B8424AD6FD964C | 712294 | +| 
SqlServer-2012-Database-1.20.org.default.xml | 47313880BA67BB11CB86B59D2C380B429C6CF8E5C59CD888B3334AD6F015E525 | 409 | +| SqlServer-2012-Database-1.20.xml | EF0C08AAD52F900B5B1BC6BEDB172F0B4BCBF6EC68603543EC865D0436F5DA9A | 85698 | | SqlServer-2012-Instance-1.19.org.default.xml | 9B26B9AFBF4300D9B66FE4A70D748E030F1F09B3C51D6D926A17A003A25EFC54 | 923 | | SqlServer-2012-Instance-1.19.xml | 490C90ADBB579E83F54F886CCBC9D62976119925E8D426F18FD8AA8F35D5996C | 719134 | -| SqlServer-2016-Instance-1.7.org.default.xml | 2E20F6E4ACCE26E9D252B8DBDB2DD8936486EA1BA62C2C2743BC16BB269604D1 | 305 | -| SqlServer-2016-Instance-1.7.xml | BF7EF1CAAF9F21EDE72591DADBFDB91C88CBC7422DA4F1D7AFAFA8F45E12C598 | 453883 | +| SqlServer-2012-Instance-1.20.org.default.xml | BF4B54ECA57950AB1EB48D43454B7B6F11FBBE9992981031E3DD1AFC0F3B1C49 | 923 | +| SqlServer-2012-Instance-1.20.xml | 78A5834304516003F2946217A0690EF602784F4A8D8FEAE43433DB762465CCF7 | 711671 | | SqlServer-2016-Instance-1.8.org.default.xml | 2AAB6EFB274E49F158E4B11E31F0A09ED905870C1969A0DD6CEFF1DB237F2A1A | 305 | | SqlServer-2016-Instance-1.8.xml | 55BD9E59908DBF1DC6F3D3D9B6D83745E8D98047263193362A5FFB6D800735DB | 456953 | -| WindowsClient-10-1.18.org.default.xml | EB1149A3E885C09AE0431A2C6F39FC7EB57C8F77BC7238AB6F54D30AF137004C | 3370 | -| WindowsClient-10-1.18.xml | 64A1FCB57220D56718557FEEAFCF2B067F69E556779FFE55AAEB7DBD72E8A5C4 | 581919 | +| SqlServer-2016-Instance-1.9.org.default.xml | F2F8E5C12242647D644BB273CBD98CA2A150BA4053A1EF4A83237D6C0DF824E9 | 305 | +| SqlServer-2016-Instance-1.9.xml | AC72FEEE7C5B60714D8B3962600A74E0269A5710DC952765BB05F2AD345485BF | 454928 | +| vSphere-6.5-1.3.org.default.xml | C990416E2E49502DADF351E07E50F01FDE10BDDADD940316F943BC31CA043BFA | 791 | +| vSphere-6.5-1.3.xml | 1DE6CB25FD5ACD705F0F7ED1AB8F062F75B00B85FFD6DD5688D81C51858043A2 | 168420 | +| Vsphere-6.5-1.4.org.default.xml | 0094C819CBDE50985DC324280712622E3ECAA46E45AFFFEAFB6C91A139B72627 | 791 | +| Vsphere-6.5-1.4.xml | 
D78A4D1192D4D0836A6A3FC945F06D4DF3F9EB36F35141A4BED8DC401AEB71DE | 143136 | | WindowsClient-10-1.19.org.default.xml | 37EFAFAD0D83AD985BA5665CDC056F0EAEB0C0E59A8F901F6A52375D6F12A240 | 3370 | -| WindowsClient-10-1.19.xml | 29EFB639C16BCACD2C91B2467084A52D223E52610D3DD96777AEB637131E2D51 | 581920 | -| WindowsDefender-All-1.6.org.default.xml | 99B065FCAFEED8B7B087E4AD34D2553A947E6ACD01C8D84BBD66AD8D67B7333A | 1071 | -| WindowsDefender-All-1.6.xml | 46AB44C20CAAEF6B5D52FA200564F43FA39D6D29A63AFC533060ED71872B7825 | 95036 | +| WindowsClient-10-1.19.xml | 311FAF48DFF288B66798CD47E60B96EC8EA68D46B0D5C9CA0ACD2B155845A1DB | 571026 | +| WindowsClient-10-1.21.org.default.xml | B4210F9E883D13D1878E25ABF7221CF467E9351B8CE38541810D68CC34F38207 | 3355 | +| WindowsClient-10-1.21.xml | E007E01ADF09F84B84A5A6AF26975BB1C07C378BD236868CC2FB5EA8F203ECFD | 579792 | | WindowsDefender-All-1.7.org.default.xml | C6D7C72A7EC7681FADC9F9CEACE9D7A7BF3391E26DE0E0F202C7C53EA2CD1C8C | 1170 | | WindowsDefender-All-1.7.xml | 9657199FA1B037CA49D274BE3B0960F6EF1590178991C9A4B346B5BC9E6BB945 | 95148 | -| WindowsDnsServer-2012R2-1.12.org.default.xml | 23FF97A3D83B61CF158A800002286DE35ABCE1E857557A9DB14234F177FA9B32 | 449 | -| WindowsDnsServer-2012R2-1.12.xml | 446F82639433F8D50D35642487948B7B4C7B5E61A81400EC36A793948A8AF2BB | 267981 | +| WindowsDefender-All-1.8.org.default.xml | C9609DE449345A4BE63AACBEF2EE44689852811ED2D4845F426945C5ADE25897 | 1071 | +| WindowsDefender-All-1.8.xml | F54DDC75434BF5CA58A57F2FC648A04F90FB7C0A6BC4C10B3BC00DFCF6BB71A5 | 94765 | | WindowsDnsServer-2012R2-1.13.org.default.xml | A3864DFF5420392168A937D6D6117BA45F6D2A970BC8CD4E4C094671CD8F323F | 449 | | WindowsDnsServer-2012R2-1.13.xml | B79AA5E6E222A7C831E91F46B20369D6C908C1331D834B137E2B3188DE60ED62 | 268259 | +| WindowsDnsServer-2012R2-1.14.org.default.xml | 86C7CD24C6B8436787923055218ADDEE00D4617C4311B644F3FF8DCED21CD172 | 449 | +| WindowsDnsServer-2012R2-1.14.xml | 
19B0338C1F3E3234B6CA7C5AE37888DBF61AE75EAA35B398E1AA218FC0B85C0D | 268509 | | WindowsFirewall-All-1.6.org.default.xml | 129A5B9F20B27E36FED4C1AC470B7B7419B563A6B2733B7FC3112CAF682ABB77 | 966 | | WindowsFirewall-All-1.6.xml | 42FA28D3C4BA6387D3EA4F5DCB72F133F814D3A9854555498E22DDFD188194B7 | 65518 | | WindowsFirewall-All-1.7.org.default.xml | 64E9FFA9B456C36DD36B5824BF641E473931B5C350F473DDFFDF31B1B64DD016 | 966 | | WindowsFirewall-All-1.7.xml | BBB13C6D675EB591D972EF8AD9B46472CFE80FCAD76E9D453586E6BE430F01B6 | 65518 | | WindowsServer-2012R2-DC-2.18.org.default.xml | AB84D6DBD15D709B1710851F7D758120132ED1177AA5B52A118DE85B6971563A | 4532 | -| WindowsServer-2012R2-DC-2.18.xml | 02F450A63656DBD538F9381CD5E6C08F71EDFCBBAAC094DC8B79D81B1A10AE19 | 768234 | +| WindowsServer-2012R2-DC-2.18.xml | F268E71DD7BEB99615994427B4FC3C782C7F539045A9D9197DA6269942625F99 | 769366 | | WindowsServer-2012R2-DC-2.19.org.default.xml | 01BCAB269E9884E0DDD0AD629834E1390820568191FE003B95DF4A2F7C7CA621 | 4532 | -| WindowsServer-2012R2-DC-2.19.xml | BDBA848C1446D1919CEFB81CCDC9334BBBC1E085AEB9EAD0A275BFFF78844D60 | 768445 | +| WindowsServer-2012R2-DC-2.19.xml | 2E7E7A4F9709545056277B37C1C38C66F9113DD046F5344F17697826625B0EF1 | 769578 | | WindowsServer-2012R2-MS-2.16.org.default.xml | 506B11E8DF549F7303C929BE63FC567C69E31A0F80FA3BC712BDBAE2CF3723EB | 3988 | -| WindowsServer-2012R2-MS-2.16.xml | 35F9B511C263D257263C9C75E9C18F48B97A5DC3FF94AAD786ACF6FF814F9EA1 | 662064 | +| WindowsServer-2012R2-MS-2.16.xml | 755BC9A1B5C3699AB343EC667120C07F47ADE0E324A9A3C499F72926BDC7A1AC | 663198 | | WindowsServer-2012R2-MS-2.17.org.default.xml | 08D9CB2948D6070F75D95D7AE932E318265ECEFC58ED76C4BE416DDE82BC75A7 | 3988 | -| WindowsServer-2012R2-MS-2.17.xml | C3EEE623399D2D37379E5159280D77BFEE9A0B16D3D9CFE6D9F11F4818AE6E24 | 662162 | +| WindowsServer-2012R2-MS-2.17.xml | 7CD06DE12B31384CEE11B8609C71BFA4D988ABA317A8E8B4ED8D26BA7B0AB94B | 663295 | | WindowsServer-2016-DC-1.10.org.default.xml | 
3FB21C1A859119EFBFD1893BA54EF16F99363397B347A935530EE7EAA57F97CA | 3673 |
 | WindowsServer-2016-DC-1.10.xml | FD96806231106514B2C52EF3498DE9AD05ED3D0D57CCC6C9A12FF01A62609D5A | 545357 |
 | WindowsServer-2016-DC-1.9.org.default.xml | 446EBD5DFB5C597A6095A1A98864DED1E7F2991022FD97B6C454902B10094DDB | 3672 |
diff --git a/GitVersion.yml b/GitVersion.yml
new file mode 100644
index 000000000..86fcd2b2b
--- /dev/null
+++ b/GitVersion.yml
@@ -0,0 +1,38 @@
+mode: ContinuousDelivery
+next-version: 4.3.0
+major-version-bump-message: '\s?(breaking|major|breaking\schange)'
+minor-version-bump-message: '\s?(add|feature|minor)'
+patch-version-bump-message: '\s?(fix|patch)'
+no-bump-message: '\+semver:\s?(none|skip)'
+assembly-informational-format: '{NuGetVersionV2}+Sha.{Sha}.Date.{CommitDate}'
+branches:
+ master:
+ tag: preview
+ pull-request:
+ tag: PR
+ feature:
+ tag: useBranchName
+ increment: Minor
+ regex: f(eature(s)?)?[\/-]
+ source-branches: ['master']
+ hotfix:
+ tag: fix
+ increment: Patch
+ regex: (hot)?fix(es)?[\/-]
+ source-branches: ['master']
+
+ignore:
+ sha: []
+merge-message-formats: {}
+
+
+# feature:
+# tag: useBranchName
+# increment: Minor
+# regex: f(eature(s)?)?[/-]
+# source-branches: ['master']
+# hotfix:
+# tag: fix
+# increment: Patch
+# regex: (hot)?fix(es)?[/-]
+# source-branches: ['master']
diff --git a/HISTORIC_CHANGELOG.md b/HISTORIC_CHANGELOG.md
new file mode 100644
index 000000000..9c5f49d78
--- /dev/null
+++ b/HISTORIC_CHANGELOG.md
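Review bot: `next-version: 4.3.0` in the new GitVersion.yml looks stale: the same commit moves the FILEHASH.md header to module version 4.4.0 and the changelog entry for #616 already refers to importing PowerSTIG 4.4.0, so in ContinuousDelivery mode the computed version will lag unless a 4.4.0 tag already exists; `next-version: 4.4.0` is probably intended, worth confirming against the module manifest. The bump-message patterns are also very permissive: `major-version-bump-message: '\s?(breaking|major|breaking\schange)'` matches the word "major" anywhere in a commit message, and `'\s?(fix|patch)'` / `'\s?(add|feature|minor)'` match inside words such as "prefix" or "address", so ordinary commit wording can trigger an unintended major or minor bump; anchoring them to an explicit marker in the style `no-bump-message` already uses (`\+semver:\s?(breaking|major)`) would make bumps deliberate. Finally, the commented-out `# feature:` / `# hotfix:` block at the end duplicates the live `branches` entries except for the regex escaping (`[\/-]` vs `[/-]`); either drop it or add a one-line comment saying why it is kept.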
@@ -0,0 +1,254 @@ +# Historic change log for PowerSTIG + +The release notes in the PowerShell Module manifest cannot exceed 10000 +characters. Due to a bug in the CI deploy pipeline this is not handled. +This file is to temporary move the older change log history to keep the +change log short. + +## [3.3.0] - 2019-08-12 + +UPDATES + +* Fixed [#419](https://github.com/Microsoft/PowerStig/issues/419): PowerStig is creating resource xSSLSettings with the wrong value for Name. +* Updated PowerSTIG to leverage AuditSetting instead of the Script resource. Additionally renamed WmiRule to AuditSettingRule [#431](https://github.com/Microsoft/PowerStig/issues/431) + +Added the following STIG + +* Added support for Windows 10, Version 1, Release 17 [#442](https://github.com/microsoft/PowerStig/issues/442) +* Added support for Windows Defender, Version 1, Release 5 [#393](https://github.com/microsoft/PowerStig/issues/393) +* Added support for Internet Explorer 11 Version 1, Release 17 [#422](https://github.com/Microsoft/PowerStig/issues/422) +* Added support for Server 2016 STIG, Version 1, Release 8 [#418](https://github.com/Microsoft/PowerStig/issues/418) + +## [3.2.0] - 2019-05-24 + +* Added support for IIS 8.5 Server STIG, Version 1, Release 7 [#399](https://github.com/Microsoft/PowerStig/issues/399) +* Fixed [#373](https://github.com/Microsoft/PowerStig/issues/373): Registry resource does not handle null values for ValueData contained in Processed STIGs +* Fixed [#376](https://github.com/Microsoft/PowerStig/issues/376): SQL STIG Rules V-41021 (Instance STIG) and V-41402 (Database STIG) fail to apply when applying to a SQL instance that is NOT name the default (MSSQLSERVER). +* Fixed [#377](https://github.com/Microsoft/PowerStig/issues/377): SQL Instance Rule V-40936 fails when Set-TargertResource is ran +* Fixed [#280](https://github.com/Microsoft/PowerStig/issues/280): HKEY_CURRENT_USER is not needed with the cAdministrativeTemplateSetting composite resource. 
(Regression Issue) +* Fixed [#385](https://github.com/Microsoft/PowerStig/issues/385): IIS Server STIG V-76681 does not parse correctly +* Added support for Office 2016 STIGs [#370](https://github.com/Microsoft/PowerStig/issues/370) +* Added support to Automate Application Pool Recycling for IisSite_8.5 [#378](https://github.com/Microsoft/PowerStig/issues/378) +* Added support for Windows Server 2012R2 DC V2R16 [#398](https://github.com/Microsoft/PowerStig/issues/398) +* Added support for update Windows Server 2012 MS STIG v2r15 [#395](https://github.com/Microsoft/PowerStig/issues/395) +* Added support for Firefox STIG v4r25 [#389](https://github.com/Microsoft/PowerStig/issues/389) +* Added entry in log file for IISSite 1.7 so rule v-76819 parses as an xWebConfigurationProperty [#407](https://github.com/microsoft/PowerStig/issues/407) +* Added IISSite v1.7 [#400](https://github.com/microsoft/PowerStig/issues/400) +* Fixed [#403](https://github.com/microsoft/PowerStig/issues/403): DotNet STIG V1R7 update + +## [3.1.0] - 2019-04-01 + +UPDATES + +* Removed duplicate code from rule class constructors +* Migrated from Get-WmiObject to Get-CimInstance to support PowerShell Core +* Migrated to PSDscResources [#345](https://github.com/Microsoft/PowerStig/issues/345) +* Migrated to ComputerManagementDsc [#342](https://github.com/Microsoft/PowerStig/issues/342) +* Fixed [#358](https://github.com/Microsoft/PowerStig/issues/358): Update PowerSTIG Duplicate Rule handling and capability + +Added the following STIG + +* Windows Defender V1R4 [#344](https://github.com/Microsoft/PowerStig/issues/344) + +## [3.0.1] - 2019-03-11 + +* Fixed [#350](https://github.com/Microsoft/PowerStig/issues/350): Updates to fix Skip rules not working correctly +* Fixed [#348](https://github.com/Microsoft/PowerStig/issues/348): Update to DnsServer Schema to correct typo. 
+ +## [3.0.0] - 2019-03-01 + +* Introduces class support for each rule type +* The STIG class now contains an array of rule objects vs xml elements +* Orgsettings, Exceptions, and Rule skips are all supported by the Rule base class +* Rule help is provided for any loaded rule. + * See the [wiki](https://github.com/Microsoft/PowerStig/wiki/GettingRuleHelp) for more information. +* Major code refactor to simplify maintenance and usage +* [Breaking Change] The STIG class constructor no longer accepts Orgsettings, Exceptions, or Rule skips + * That functionality has move to the load rule method +* DSC composite resource parameter validation for version numbers has been removed + * The STIG class validates all input and will throw an error if invalid data is provided. +* The Get-StigList has be updated and renamed to Get-Stig to return the STIG class + +UPDATES + +* Fixed [#241](https://github.com/Microsoft/PowerStig/issues/241): [WindowsFeatureRule] PsDesiredStateConfiguration\WindowsOptionalFeature doesn't properly handle features that return $null +* Fixed [#258](https://github.com/Microsoft/PowerStig/issues/258): New-StigChecklist will not accept a path without an explicit filename +* Fixed [#243](https://github.com/Microsoft/PowerStig/issues/243): [V-46515] Windows-All-IE11-1.15 Rawstring typo +* Fixed [#289](https://github.com/Microsoft/PowerStig/issues/289): Updated DocumentRule and DocumentRuleConvert Classes to parse correctly. +* Fixed [#284](https://github.com/Microsoft/PowerStig/issues/284): [V-74415] [V-74413] Windows 10 STIG rule V-74415 and V-74413 should not contain white space in key +* Fixed [290](https://github.com/Microsoft/PowerStig/issues/290): [V-76731] IIS Server STIG V-76731 fails to properly set STIG guidance because rule is not split. +* Fixed [314](https://github.com/Microsoft/PowerStig/issues/314): Update PowerSTIG to Utilize LogTargetW3C parameter in xWebAdministration 2.5.0.0. 
+* Fixed [334](https://github.com/Microsoft/PowerStig/issues/334): Update PowerStig to utilize AccessControlDsc 1.3.0.0 +* Fixed [331](https://github.com/Microsoft/PowerStig/issues/331): 2012/R2 [V-39325] 2016 [V-73373], [V-73389] PermissionRule.Convert CheckContent Match Parser Update +* Fixed [320](https://github.com/Microsoft/PowerStig/issues/320): IIS Site STIG doesn't correctly convert STIGS that contain "SSL Settings" in raw string + +* Added the following STIGs + * IIS Site 8.5 V1R6 [#276](https://github.com/Microsoft/PowerStig/issues/276) + * Windows Firewall STIG V1R7 [#319](https://github.com/Microsoft/PowerStig/issues/319) + +* Removed the following STIGs + * Windows Server 2012 R2 DC 2.12 + * Windows Server 2012 R2 DSN 1.7 + * Active Directory Domain 2.9 + * IIS Server 8.5 1.3 + * IIS Site 8.5 1.2 + * Removed: Internet Explorer 1.13 + +## [2.4.0.0] - 2019-02-07 + +* Fixed [#244](https://github.com/Microsoft/PowerStig/issues/244): IIS Server rule V-76727.b org setting test fails +* Fixed [#246](https://github.com/Microsoft/PowerStig/issues/246): IIS Server rule V-76737 contains an incorrect value +* Fixed [#225](https://github.com/Microsoft/PowerStig/issues/225): Update PowerStig integration tests to consolidate duplicate code. +* Fixed [#160](https://github.com/Microsoft/PowerStig/issues/160): PowerStig.Convert needs to handle new registry rules without affecting existing code +* Fixed [#201](https://github.com/Microsoft/PowerStig/issues/201): Update PowerStig integration tests to account for skips and exceptions. +* Fixed [#260](https://github.com/Microsoft/PowerStig/issues/260): FireFox Composite Resource configuration applies correctly, but never passes a Test-DscConfiguration. +* Fixed [#244](https://github.com/Microsoft/PowerStig/issues/244): IIS Server rule V-76727.b org setting test fails +* Fixed [#265](https://github.com/Microsoft/PowerStig/issues/265): Fixed UserRightsAssignment split rule bug. 
+* Fixed [#267](https://github.com/Microsoft/PowerStig/issues/267): Fixed winlogon registry path parser bug. +* Fixed [#238](https://github.com/Microsoft/PowerStig/issues/238): Adds regex tracker for RegistryRule regex's. +* Fixed [#274](https://github.com/Microsoft/PowerStig/issues/274): UserRightsAssignment composite resource does not leverage the Force Parameter. +* Fixed [#280](https://github.com/Microsoft/PowerStig/issues/280): HKEY_CURRENT_USER is not needed with the cAdministrativeTemplateSetting composite resource. + +* Windows Server 2012R2 Fixes + * V-36707 is now an org setting + * (DC only) V-2376 - V-2380 are migrated from manual to account policy rules. + +* Added the following STIGs + * SQL Server 2016 Instance V1R3 [#186](https://github.com/Microsoft/PowerStig/issues/186) + * Windows Defender Antivirus V1R4 [#236](https://github.com/microsoft/PowerStig/issues/236) + * Mozilla Firefox V4R24 [#261](https://github.com/Microsoft/PowerStig/issues/261) + * Windows Server 2016 V1R6 [#169](https://github.com/Microsoft/PowerStig/issues/169) + * Windows Server 2016 V1R7 [#251](https://github.com/Microsoft/PowerStig/issues/251) + * SQL Server 2012 Database V1R18 [#263](https://github.com/Microsoft/PowerStig/issues/263) + * Windows Server 2012R2 DC V2R15 [#267](https://github.com/Microsoft/PowerStig/issues/267) + * Windows 10 V1R16 [#269](https://github.com/Microsoft/PowerStig/issues/269) + * IIS Server 8.5 V1R6 [#256](https://github.com/Microsoft/PowerStig/issues/266) + * Windows Server 2012R2 DNS V1R11 STIG [#265](https://github.com/Microsoft/PowerStig/issues/265) + * AD Domain V2R12 [#270](https://github.com/Microsoft/PowerStig/issues/270) + +## [2.3.2.0] - 2018-12-18 + +* Fixed [#215](https://github.com/Microsoft/PowerStig/issues/215): Org settings wont apply for DotNet STIG +* Fixed [#216](https://github.com/Microsoft/PowerStig/issues/216): DotNet STIGs are misnamed +* Fixed [#207](https://github.com/Microsoft/PowerStig/issues/207): SQL Server Database 
rules fail to apply +* Fixed [#208](https://github.com/Microsoft/PowerStig/issues/208): Update PowerSTIG to use SQLServerDsc 12.1.0.0 +* Fixed [#220](https://github.com/Microsoft/PowerStig/issues/220): Update PowerSTIG to use xWebAdministration 2.3.0.0 + +## [2.3.1.0] - 2018-12-07 + +* Fixed [#212](https://github.com/Microsoft/PowerStig/issues/212): SDDL strings are incorrectly split in the xRegistry resource +* Fixed [#180](https://github.com/Microsoft/PowerStig/issues/180): IisSite SkipRuleType and SkipRule fail to skip rules + +## [2.3.0.0] - 2018-11-30 + +* Windows 10 Fixes + * V-63795 - Changed from manual to registry rule ## HIGH IMPACT CHANGE ## + +* Windows Server 2012R2 Fixes + * V-1089 - Corrected text + * V-21954 - Changed from manual to registry rule ## HIGH IMPACT CHANGE ## + * V-26070 - Corrected key path + * V-36657 - Corrected key path + * V-36681 - Corrected key path + +* Added the following STIGs + * IIS Server 8.5 STIG V1R5 + * Microsoft Outlook 2013 STIG V1R13 + * DotNet Framework 4.0 STIG V1R6 + * IIS Site 8.5 STIG V1R5 + * Windows Domain V2R11 + * FireFox 4.23 STIG + * Windows Server 2012R2 DC V2R14 + * Windows Server 2012R2 MS V2R14 + * Windows 10 V1R15 + +## [2.2.0.0] - 2018-10-10 + +* Added the following STIGs + * IIS Site 8.5 STIG V1R2 + * IIS Site 8.5 STIG V1R3 + * Oracle JRE 8 STIG V1R5 + * Microsoft Outlook 2013 STIG V1R12 + * Microsoft PowerPoint 2013 Stig V1R6 + * Microsoft Excel 2013 STIG V1R7 + * Microsoft Word 2013 STIG V1R6 + +* Added the following DSC Composite Resources + * Microsoft Office 2013 STIGs + * FireFox STIG + * IIS Site STIG + * IIS Server STIG + * Oracle JRE STIG + * Windows10 STIG + +* Newly required modules + * PolicyFileEditor + * FileContentDsc + * WindowsDefenderDSC + * xWebAdministration + * xWinEventLog + +* Updated required module versions + * xDnsServer from 1.9.0.0 to 1.11.0.0 + * SecurityPolicyDsc from 2.2.0.0 to 2.4.0.0 + +## [2.1.0.0] - 2018-09-05 + +* Migrated Composite resources to the xRegistry 
resource +* Fixed 2012R2 V-15713 default org setting value +* Updated IE STIGs (V-46477) with the decimal value +* Updated New-StigCheckList to output StigViewer 2.7.1 ckl files +* Added SkipRule functionality to all composite resources +* Added StigData for FireFox STIG V4R21 +* Added Sql2012 1.17 to Archive and processed +* Updated Sql2012 1.16 to fix broken rules +* Removed Sql2012 1.14 from archives to comply with n-2 version policy +* Updated data for 2012R2 Stigs to fix broken rules + +## [2.0.0.0] - 2018-08-17 + +* Added a Document module to automatically create a Stig Checklist (EXPERIMENTAL) +* Merged PowerStigDsc into PowerStig so there is only one module to maintain + * Replaced PowerStig Technology Class with Enumeration + * Added script module back to manifest + * Added DotNetFramework composite resource + +* Added the following STIGs + * Windows Server 2012R2 MS STIG V2R13 + * Windows Server 2012R2 DC STIG V2R13 + * Windows 2012 DNS V1R10 + * Windows Domain V2R10 + * Windows Forest V2R8 + * IE11-V1R16 + +* Corrected parsing of rule V-46477 in the IE STIGs + * Updated StigData + * Bug fixes + * Removed Windows Server 2012R2 MS and DC StigData v2.9 + +## [1.1.1.0] - 2018-08-13 + +Update IIS Server STIG V-76723.a with correct value + +## [1.1.0.0] - 2018-07-29 + +Replaced Technology class with enumeration. This breaks PowerStigDsc < 1.1.0.0 + +Added the following STIGs: + +* IIS 8.5 Server STIG V1R3 + +Updates + +* Updated SQL STIG code to account for SQL STIGS being added in PowerStigDsc +* Update to PowerStig.psm1 to fix issue were StigData class was not accessible to PowerStigDsc + +## [1.0.0.0] - 2018-07-01 + +Added the following STIGs: + +* Windows Server 2012R2 MS STIG V2R12 +* Windows Server 2012R2 DC STIG V2R12 +* Windows Server DNS V1R9 +* Windows AD Domain V2R9 +* IE11 V1R15 diff --git a/Module/Common/Convert/Data.ps1 b/Module/Common/Convert/Data.ps1 deleted file mode 100644 index c87d7fb9c..000000000 
--- a/Module/Common/Convert/Data.ps1 +++ /dev/null 
@@ -1,37 +0,0 @@ -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. - -# This is used to exclude rules from the convert -data exclusionRuleList -{ - ConvertFrom-StringData -StringData @' - V-73523 = '' - V-6599 = 'McAfee:The GUID of the weekly on-demand client scan task varies by system' - V-6600 = 'McAfee:The GUID of the weekly on-demand client scan task varies by system' - V-6601 = 'McAfee:The GUID of the weekly on-demand client scan task varies by system' - V-6602 = 'McAfee:The GUID of the weekly on-demand client scan task varies by system' - V-6604 = 'McAfee:The GUID of the weekly on-demand client scan task varies by system' - V-6611 = 'McAfee:The GUID of the weekly on-demand client scan task varies by system' - V-6612 = 'McAfee:The GUID of the weekly on-demand client scan task varies by system' - V-6614 = 'McAfee:The GUID of the weekly on-demand client scan task varies by system' - V-6615 = 'McAfee:The GUID of the weekly on-demand client scan task varies by system' - V-6616 = 'McAfee:The GUID of the weekly on-demand client scan task varies by system' - V-6617 = 'McAfee:The GUID of the weekly on-demand client scan task varies by system' - V-6618 = 'McAfee:The GUID of the weekly on-demand client scan task varies by system' - V-6620 = 'McAfee:The GUID of the weekly on-demand client scan task varies by system' - V-6625 = 'McAfee:The GUID of the weekly on-demand client scan task varies by system' - V-6627 = 'McAfee:The GUID of the weekly on-demand client scan task varies by system' - V-14657 = 'McAfee:The GUID of the weekly on-demand client scan task varies by system' - V-14658 = 'McAfee: Not Applicable to 64-bit systems.' - V-14659 = 'McAfee: Not Applicable to 64-bit systems.' - V-14660 = 'McAfee: Not Applicable to 64-bit systems.' - V-14661 = 'McAfee: Not Applicable to 64-bit systems.' 
- V-42563 = 'McAfee:exclusions have been documented with, and approved by, the ISSO/ISSM/DAA' - V-42564 = 'McAfee:exclusions have been documented with, and approved by, the ISSO/ISSM/DAA' - V-42565 = 'McAfee:with the assistance of the System Administrator, review each GUID key's szTaskName' - V-42566 = 'McAfee:with the assistance of the System Administrator, review each GUID key's szTaskName' - V-42567 = 'McAfee:with the assistance of the System Administrator, review each GUID key's szTaskName' - V-42572 = 'McAfee:If the ExcludedURLs REG_MULTI_SZ has any entries, and the excluded URLs have not been documented with, and approved by, the ISSO/ISSM/DAA' - V-14654 = 'McAfee:The GUID of the weekly on-demand client scan task varies by system' -'@ -} diff --git a/Module/Rule/Rule.LoadFactory.psm1 b/Module/Rule/Rule.LoadFactory.psm1 deleted file mode 100644 index 52fdaf9f5..000000000 --- a/Module/Rule/Rule.LoadFactory.psm1 +++ /dev/null 
@@ -1,60 +0,0 @@ -using module .\..\Rule.AccountPolicy\AccountPolicyRule.psm1 -using module .\..\Rule.AuditPolicy\AuditPolicyRule.psm1 -using module .\..\Rule.DnsServerRootHint\DnsServerRootHintRule.psm1 -using module .\..\Rule.DnsServerSetting\DnsServerSettingRule.psm1 -using module .\..\Rule.Document\DocumentRule.psm1 -using module .\..\Rule.FileContent\FileContentRule.psm1 -using module .\..\Rule.Group\GroupRule.psm1 -using module .\..\Rule.IISLogging\IISLoggingRule.psm1 -using module .\..\Rule.Manual\ManualRule.psm1 -using module .\..\Rule.MimeType\MimeTypeRule.psm1 -using module .\..\Rule.Permission\PermissionRule.psm1 -using module .\..\Rule.ProcessMitigation\ProcessMitigationRule.psm1 -using module .\..\Rule.Registry\RegistryRule.psm1 -using module .\..\Rule.SecurityOption\SecurityOptionRule.psm1 -using module .\..\Rule.Service\ServiceRule.psm1 -using module .\..\Rule.SqlScriptQuery\SqlScriptQueryRule.psm1 -using module .\..\Rule.UserRight\UserRightRule.psm1 -using module .\..\Rule.WebAppPool\WebAppPoolRule.psm1 -using module .\..\Rule.WebConfigurationProperty\WebConfigurationPropertyRule.psm1 -using module .\..\Rule.WindowsFeature\WindowsFeatureRule.psm1 -using module .\..\Rule.WinEventLog\WinEventLogRule.psm1 -using module .\..\Rule.AuditSetting\AuditSettingRule.psm1 -using module .\..\Rule.SslSettings\SslSettingsRule.psm1 -#header - -class LoadFactory -{ - static [psobject] Rule ([xml.xmlelement] $Rule) - { - $return = $null - switch($Rule.ParentNode.Name) - { - 'AccountPolicyRule' {$return = [AccountPolicyRule]::new($Rule)} - 'AuditPolicyRule' {$return = [AuditPolicyRule]::new($Rule)} - 'DnsServerSettingRule' {$return = [DnsServerSettingRule]::new($Rule)} - 'DnsServerRootHintRule' {$return = [DnsServerRootHintRule]::new($Rule)} - 'DocumentRule' {$return = [DocumentRule]::new($Rule)} - 'FileContentRule' {$return = [FileContentRule]::new($Rule)} - 'GroupRule' {$return = [GroupRule]::new($Rule)} - 'IisLoggingRule' {$return = [IisLoggingRule]::new($Rule)} - 
'MimeTypeRule' {$return = [MimeTypeRule]::new($Rule)} - 'ManualRule' {$return = [ManualRule]::new($Rule)} - 'PermissionRule' {$return = [PermissionRule]::new($Rule)} - 'ProcessMitigationRule' {$return = [ProcessMitigationRule]::new($Rule)} - 'RegistryRule' {$return = [RegistryRule]::new($Rule)} - 'SecurityOptionRule' {$return = [SecurityOptionRule]::new($Rule)} - 'ServiceRule' {$return = [ServiceRule]::new($Rule)} - 'SqlScriptQueryRule' {$return = [SqlScriptQueryRule]::new($Rule)} - 'UserRightRule' {$return = [UserRightRule]::new($Rule)} - 'WebAppPoolRule' {$return = [WebAppPoolRule]::new($Rule)} - 'WebConfigurationPropertyRule' {$return = [WebConfigurationPropertyRule]::new($Rule)} - 'WindowsFeatureRule' {$return = [WindowsFeatureRule]::new($Rule)} - 'WinEventLogRule' {$return = [WinEventLogRule]::new($Rule)} - 'AuditSettingRule' {$return = [AuditSettingRule]::new($Rule)} - 'SslSettingsRule' {$return = [SslSettingsRule]::new($Rule)} - } - - return $return - } -} diff --git a/Module/STIG/Convert/Data.ps1 b/Module/STIG/Convert/Data.ps1 deleted file mode 100644 index 74d34b617..000000000 --- a/Module/STIG/Convert/Data.ps1 +++ /dev/null 
@@ -1,45 +0,0 @@ -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. - -data xmlAttribute -{ - ConvertFrom-StringData -StringData @' - ruleId = id - ruleSeverity = severity - ruleConversionStatus = conversionstatus - ruleTitle = title - ruleDscResource = dscresource - ruleDscResourceModule = dscresourcemodule - - organizationalSettingValue = value -'@ -} - -data dscResourceModule -{ - ConvertFrom-StringData -StringData @' - AccountPolicyRule = SecurityPolicyDsc - AuditPolicyRule = AuditPolicyDsc - DnsServerSettingRule = xDnsServer - DnsServerRootHintRule = PSDscResources - DocumentRule = None - GroupRule = PSDscResources - IisLoggingRule = xWebAdministration - MimeTypeRule = xWebAdministration - ManualRule = None - PermissionRule = AccessControlDsc - ProcessMitigationRule = WindowsDefenderDsc - RegistryRule = PSDscResources - SecurityOptionRule = SecurityPolicyDsc - ServiceRule = PSDscResources - SqlScriptQueryRule = SqlServerDsc - UserRightRule = SecurityPolicyDsc - WebAppPoolRule = xWebAdministration - WebConfigurationPropertyRule = xWebAdministration - WindowsFeatureRule = PSDscResources - WinEventLogRule = xWinEventLog - SslSettingsRule = xWebAdministration - AuditSettingRule = AuditSystemDsc - FileContentRule = FileContentDsc -'@ -} diff --git a/Resolve-Dependency.ps1 b/Resolve-Dependency.ps1 new file mode 100644 index 000000000..4928e6242 --- /dev/null +++ b/Resolve-Dependency.ps1 
@@ -0,0 +1,289 @@
+[CmdletBinding()]
+param
+(
+
+ [Parameter()]
+ [String]
+ $DependencyFile = 'RequiredModules.psd1',
+
+ [Parameter()]
+ [String]
+ # Path for PSDepend to be bootstrapped and save other dependencies.
+ # Can also be CurrentUser or AllUsers if you wish to install the modules in such scope
+ # Default to $PWD.Path/output/modules
+ $PSDependTarget = (Join-Path $PSScriptRoot './output/RequiredModules'),
+
+ [Parameter()]
+ [uri]
+ # URI to use for Proxy when attempting to Bootstrap PackageProvider & PowerShellGet
+ $Proxy,
+
+ [Parameter()]
+ # Credential to contact the Proxy when provided
+ [PSCredential]$ProxyCredential,
+
+ [Parameter()]
+ [ValidateSet('CurrentUser', 'AllUsers')]
+ [String]
+ # Scope to bootstrap the PackageProvider and PSGet if not available
+ $Scope = 'CurrentUser',
+
+ [Parameter()]
+ [String]
+ # Gallery to use when bootstrapping PackageProvider, PSGet and when calling PSDepend (can be overridden in Dependency files)
+ $Gallery = 'PSGallery',
+
+ [Parameter()]
+ [PSCredential]
+ # Credentials to use with the Gallery specified above
+ $GalleryCredential,
+
+
+ [Parameter()]
+ [switch]
+ # Allow you to use a locally installed version of PowerShellGet older than 1.6.0 (not recommended, default to $False)
+ $AllowOldPowerShellGetModule,
+
+ [Parameter()]
+ [String]
+ # Allow you to specify a minimum version fo PSDepend, if you're after specific features.
+ $MinimumPSDependVersion,
+
+ [Parameter()]
+ [Switch]
+ $AllowPrerelease,
+
+ [Parameter()]
+ [Switch]
+ $WithYAML
+)
+
+# Load Defaults for parameters values from Resolve-Dependency.psd1 if not provided as parameter
+try
+{
+ Write-Verbose -Message "Importing Bootstrap default parameters from '$PSScriptRoot/Resolve-Dependency.psd1'."
+ $ResolveDependencyDefaults = Import-PowerShellDataFile -Path (Join-Path $PSScriptRoot '.\Resolve-Dependency.psd1' -Resolve -ErrorAction Stop)
+ $ParameterToDefault = $MyInvocation.MyCommand.ParameterSets.Where{ $_.Name -eq $PSCmdlet.ParameterSetName }.Parameters.Keys
+ if ($ParameterToDefault.Count -eq 0)
+ {
+ $ParameterToDefault = $MyInvocation.MyCommand.Parameters.Keys
+ }
+ # Set the parameters available in the Parameter Set, or it's not possible to choose yet, so all parameters are an option
+ foreach ($ParamName in $ParameterToDefault)
+ {
+ if (-Not $PSBoundParameters.Keys.Contains($ParamName) -and $ResolveDependencyDefaults.ContainsKey($ParamName))
+ {
+ Write-Verbose -Message "Setting $ParamName with $($ResolveDependencyDefaults[$ParamName])"
+ try
+ {
+ $variableValue = $ResolveDependencyDefaults[$ParamName]
+ if ($variableValue -is [string])
+ {
+ $variableValue = $ExecutionContext.InvokeCommand.ExpandString($variableValue)
+ }
+ $PSBoundParameters.Add($ParamName, $variableValue)
+ Set-Variable -Name $ParamName -value $variableValue -Force -ErrorAction SilentlyContinue
+ }
+ catch
+ {
+ Write-Verbose -Message "Error adding default for $ParamName : $($_.Exception.Message)"
+ }
+ }
+ }
+}
+catch
+{
+ Write-Warning -Message "Error attempting to import Bootstrap's default parameters from $(Join-Path $PSScriptRoot '.\Resolve-Dependency.psd1'): $($_.Exception.Message)."
+}
+
+Write-Progress -Activity "Bootstrap:" -PercentComplete 0 -CurrentOperation "NuGet Bootstrap"
+
+if (!(Get-PackageProvider -Name NuGet -ForceBootstrap -ErrorAction SilentlyContinue))
+{
+ $providerBootstrapParams = @{
+ Name = 'nuget'
+ force = $true
+ ForceBootstrap = $true
+ ErrorAction = 'Stop'
+ }
+
+ switch ($PSBoundParameters.Keys)
+ {
+ 'Proxy'
+ {
+ $providerBootstrapParams.Add('Proxy', $Proxy)
+ }
+ 'ProxyCredential'
+ {
+ $providerBootstrapParams.Add('ProxyCredential', $ProxyCredential)
+ }
+ 'Scope'
+ {
+ $providerBootstrapParams.Add('Scope', $Scope)
+ }
+ }
+
+ if ($AllowPrerelease)
+ {
+ $providerBootstrapParams.Add('AllowPrerelease', $true)
+ }
+
+ Write-Information "Bootstrap: Installing NuGet Package Provider from the web (Make sure Microsoft addresses/ranges are allowed)"
+ $null = Install-PackageProvider @providerBootstrapParams
+ $latestNuGetVersion = (Get-PackageProvider -Name NuGet -ListAvailable | Select-Object -First 1).Version.ToString()
+ Write-Information "Bootstrap: Importing NuGet Package Provider version $latestNuGetVersion to current session."
+ $Null = Import-PackageProvider -Name NuGet -RequiredVersion $latestNuGetVersion -Force
+}
+
+Write-Progress -Activity "Bootstrap:" -PercentComplete 10 -CurrentOperation "Ensuring Gallery $Gallery is trusted"
+
+# Fail if the given PSGallery is not Registered
+$Policy = (Get-PSRepository $Gallery -ErrorAction Stop).InstallationPolicy
+Set-PSRepository -Name $Gallery -InstallationPolicy Trusted -ErrorAction Ignore
+try
+{
+ Write-Progress -Activity "Bootstrap:" -PercentComplete 25 -CurrentOperation "Checking PowerShellGet"
+ # Ensure the module is loaded and retrieve the version you have
+ $PowerShellGetVersion = (Import-Module PowerShellGet -PassThru -ErrorAction SilentlyContinue).Version
+
+ Write-Verbose "Bootstrap: The PowerShellGet version is $PowerShellGetVersion"
+ # Versions below 1.6.0 are considered old, unreliable & not recommended
+ if (!$PowerShellGetVersion -or ($PowerShellGetVersion -lt [System.version]'1.6.0' -and !$AllowOldPowerShellGetModule))
+ {
+ Write-Progress -Activity "Bootstrap:" -PercentComplete 40 -CurrentOperation "Installing newer version of PowerShellGet"
+ $InstallPSGetParam = @{
+ Name = 'PowerShellGet'
+ Force = $True
+ SkipPublisherCheck = $true
+ AllowClobber = $true
+ Scope = $Scope
+ Repository = $Gallery
+ }
+
+ switch ($PSBoundParameters.Keys)
+ {
+ 'Proxy'
+ {
+ $InstallPSGetParam.Add('Proxy', $Proxy)
+ }
+ 'ProxyCredential'
+ {
+ $InstallPSGetParam.Add('ProxyCredential', $ProxyCredential)
+ }
+ 'GalleryCredential'
+ {
+ $InstallPSGetParam.Add('Credential', $GalleryCredential)
+ }
+ }
+
+ Install-Module @InstallPSGetParam
+ Remove-Module PowerShellGet -force -ErrorAction SilentlyContinue
+ Import-Module PowerShellGet -Force
+ $NewLoadedVersion = (Get-Module PowerShellGet).Version.ToString()
+ Write-Information "Bootstrap: PowerShellGet version loaded is $NewLoadedVersion"
+ Write-Progress -Activity "Bootstrap:" -PercentComplete 60 -CurrentOperation "Installing newer version of PowerShellGet"
+ }
+
+ # Try to import the PSDepend module from the available modules
+ try
+ {
+ $ImportPSDependParam = @{
+ Name = 'PSDepend'
+ ErrorAction = 'Stop'
+ Force = $true
+ }
+
+ if ($MinimumPSDependVersion)
+ {
+ $ImportPSDependParam.add('MinimumVersion', $MinimumPSDependVersion)
+ }
+ $null = Import-Module @ImportPSDependParam
+ }
+ catch
+ {
+ # PSDepend module not found, installing or saving it
+ if ($PSDependTarget -in 'CurrentUser', 'AllUsers')
+ {
+ Write-Debug "PSDepend module not found. Attempting to install from Gallery $Gallery"
+ Write-Warning "Installing PSDepend in $PSDependTarget Scope"
+ $InstallPSDependParam = @{
+ Name = 'PSDepend'
+ Repository = $Gallery
+ Force = $true
+ Scope = $PSDependTarget
+ SkipPublisherCheck = $true
+ AllowClobber = $true
+ }
+
+ if ($MinimumPSDependVersion)
+ {
+ $InstallPSDependParam.add('MinimumVersion', $MinimumPSDependVersion)
+ }
+
+ Write-Progress -Activity "Bootstrap:" -PercentComplete 75 -CurrentOperation "Installing PSDepend from $Gallery"
+ Install-Module @InstallPSDependParam
+ }
+ else
+ {
+ Write-Debug "PSDepend module not found. Attempting to Save from Gallery $Gallery to $PSDependTarget"
+ $SaveModuleParam = @{
+ Name = 'PSDepend'
+ Repository = $Gallery
+ Path = $PSDependTarget
+ }
+
+ if ($MinimumPSDependVersion)
+ {
+ $SaveModuleParam.add('MinimumVersion', $MinimumPSDependVersion)
+ }
+
+ Write-Progress -Activity "Bootstrap:" -PercentComplete 75 -CurrentOperation "Saving & Importing PSDepend from $Gallery to $Scope"
+ Save-Module @SaveModuleParam
+ }
+ }
+ finally
+ {
+ Write-Progress -Activity "Bootstrap:" -PercentComplete 100 -CurrentOperation "Loading PSDepend"
+ # We should have successfully bootstrapped PSDepend. Fail if not available
+ Import-Module PSDepend -ErrorAction Stop
+ }
+
+ if ($WithYAML)
+ {
+ if (-Not (Get-Module -ListAvailable -Name 'PowerShell-Yaml'))
+ {
+ Write-Verbose "PowerShell-Yaml module not found. Attempting to Save from Gallery $Gallery to $PSDependTarget"
+ $SaveModuleParam = @{
+ Name = 'PowerShell-Yaml'
+ Repository = $Gallery
+ Path = $PSDependTarget
+ }
+
+ Save-Module @SaveModuleParam
+ Import-Module "PowerShell-Yaml" -ErrorAction Stop
+ }
+ else
+ {
+ Write-Verbose "PowerShell-Yaml is already available"
+ }
+ }
+
+ Write-Progress -Activity "PSDepend:" -PercentComplete 0 -CurrentOperation "Restoring Build Dependencies"
+ if (Test-Path $DependencyFile)
+ {
+ $PSDependParams = @{
+ Force = $true
+ Path = $DependencyFile
+ }
+
+ # TODO: Handle when the Dependency file is in YAML, and -WithYAML is specified
+ Invoke-PSDepend @PSDependParams
+ }
+ Write-Progress -Activity "PSDepend:" -PercentComplete 100 -CurrentOperation "Dependencies restored" -Completed
+}
+finally
+{
+ # Reverting the Installation Policy for the given gallery
+ Set-PSRepository -Name $Gallery -InstallationPolicy $Policy
+ Write-Verbose "Project Bootstrapped, returning to Invoke-Build"
+}
diff --git a/Resolve-Dependency.psd1 b/Resolve-Dependency.psd1
new file mode 100644
index 000000000..b0615a646
--- /dev/null
+++ b/Resolve-Dependency.psd1
@@ -0,0 +1,6 @@
+@{
+ Gallery = 'PSGallery'
+ AllowPrerelease = $false
+ WithYAML = $true # Will also bootstrap PowerShell-Yaml to read other config files
+}
+
diff --git a/StigData/Archive/Windows.Client/U_MS_Windows_10_STIG_V1R18_Manual-xccdf.log b/StigData/Archive/Windows.Client/U_MS_Windows_10_STIG_V1R18_Manual-xccdf.log
deleted file mode 100644
index ff187abb7..000000000
--- a/StigData/Archive/Windows.Client/U_MS_Windows_10_STIG_V1R18_Manual-xccdf.log
+++ /dev/null
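Review bot: Nothing this bootstrap pulls from `$Gallery` is pinned — `$InstallPSDependParam` and `$SaveModuleParam` carry at most an optional `MinimumVersion`, the PowerShell-Yaml `Save-Module` has no version at all, and both the PowerShellGet and PSDepend `Install-Module` calls set `SkipPublisherCheck = $true` — so the code that runs the build (and, through `Invoke-PSDepend`, everything `$DependencyFile` lists) is whatever the gallery serves on the day, with the Authenticode publisher check switched off. For a module whose output is security baselines that is the supply-chain link worth hardening: give PSDepend, PowerShell-Yaml and PowerShellGet a `RequiredVersion` (it can be fed from Resolve-Dependency.psd1 the same way `Gallery` is) and drop `SkipPublisherCheck` unless a documented signing conflict needs it. Separately, `Set-PSRepository -Name $Gallery -InstallationPolicy Trusted -ErrorAction Ignore` hides a failure to trust the repository, so consider `-ErrorAction Stop` there rather than continuing in an unknown state; the `finally` that restores `$Policy` is correct as written. Finally, `$ExecutionContext.InvokeCommand.ExpandString` on every string value from Resolve-Dependency.psd1 evaluates `$(...)` subexpressions, which deserves a one-line comment so nobody treats that data file as inert configuration.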
@@ -1,7 +0,0 @@ -V-63423::"Minimum password length,"::"Minimum password length" -V-63429::"Store password using reversible encryption"::"Store passwords using reversible encryption" -V-68819::Registry Path: \SOFTWARE\ Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\::Registry Path: \SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ -V-74413::Registry Path: \SOFTWARE\Policies\Microsoft\ Cryptography\Configuration\SSL\00010002\::Registry Path: \SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002\ -V-74415::Registry Path: \SOFTWARE\Policies\Microsoft\MicrosoftEdge\ Privacy\::Registry Path: \SOFTWARE\Policies\Microsoft\MicrosoftEdge\Privacy\ -V-63685::Registry Hive: HKEY_LOCAL_MACHINE::'' -V-94861::*::HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE\'; ValueData = $null; ValueName = 'MinimumPIN'; ValueType = 'DWord'; OrganizationValueTestString = 'ValueData is set to 0x00000006 (6) or greater '} diff --git a/Tests/Integration/.tests.header.ps1 b/Tests/Integration/.tests.header.ps1 deleted file mode 100644 index f91e172c9..000000000 --- a/Tests/Integration/.tests.header.ps1 +++ /dev/null @@ -1,8 +0,0 @@ -# Integration test header -$script:moduleRoot = Split-Path -Parent (Split-Path -Parent $PSScriptRoot) -$script:moduleName = 'PowerStig.Convert' -$script:modulePath = "$($script:moduleRoot)\$($script:moduleName).psm1" - -$helperModulePath = Join-Path -Path $script:moduleRoot -ChildPath 'Tools\TestHelper\TestHelper.psm1' -Import-Module $helperModulePath -Force -Import-Module $script:modulePath -Force diff --git a/Tests/Integration/DSCResources/.tests.header.ps1 b/Tests/Integration/DSCResources/.tests.header.ps1 index 95c1760fe..9b04c0b0c 100644 --- a/Tests/Integration/DSCResources/.tests.header.ps1 +++ b/Tests/Integration/DSCResources/.tests.header.ps1 
@@ -1,18 +1,9 @@ -# Integration Test Template Version: 1.1.1 - $script:DSCModuleName = 'PowerStig' -[String] $script:moduleRoot = Split-Path -Parent ( Split-Path -Parent ( Split-Path -Parent $PSScriptRoot ) ) -if ( (-not (Test-Path -Path (Join-Path -Path $script:moduleRoot -ChildPath 'DSCResource.Tests'))) -or ` - (-not (Test-Path -Path (Join-Path -Path $script:moduleRoot -ChildPath 'DSCResource.Tests\TestHelper.psm1'))) ) -{ - & git @('clone','https://github.com/PowerShell/DscResource.Tests.git',(Join-Path -Path $script:moduleRoot -ChildPath '\DSCResource.Tests\')) -} +$script:projectRoot = Split-Path -Path (Split-Path -Path (Split-Path -Path $PSScriptRoot -Parent) -Parent) -Parent +$script:buildOutput = Join-Path -Path $projectRoot -ChildPath 'output' +$script:modulePath = (Get-ChildItem -Path $buildOutput -Filter 'PowerStig.psd1' -Recurse).FullName +$script:moduleRoot = Split-Path -Path $script:modulePath -Parent +$helperModulePath = Join-Path -Path $script:projectRoot -ChildPath 'Tools\TestHelper\TestHelper.psm1' -Import-Module (Join-Path -Path $script:moduleRoot -ChildPath 'Tools\TestHelper\TestHelper.psm1' ) -Force -Import-Module (Join-Path -Path $script:moduleRoot -ChildPath 'DSCResource.Tests\TestHelper.psm1') -Force -[Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseDeclaredVarsMoreThanAssignments",'')] -$TestEnvironment = Initialize-TestEnvironment ` - -DSCModuleName $script:DSCModuleName ` - -DSCResourceName $script:DSCCompositeResourceName ` - -TestType Integration +Import-Module -Name $helperModulePath -Force diff --git a/Tests/Integration/DSCResources/Adobe.integration.tests.ps1 b/Tests/Integration/DSCResources/Adobe.integration.tests.ps1 index 342275e9a..adfb70633 100644 --- a/Tests/Integration/DSCResources/Adobe.integration.tests.ps1 +++ b/Tests/Integration/DSCResources/Adobe.integration.tests.ps1 
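Review bot: `$script:modulePath` takes `.FullName` of an unfiltered `Get-ChildItem -Recurse` under `output/`, so a second PowerStig.psd1 there (a stale earlier build, or a copy beneath a dependency folder) turns it into an array and the following `Split-Path` either fails or silently resolves the wrong module, while an empty `output/` yields `$null` and the same `Split-Path` throws a message that does not say the build has not been run. Nothing in this header imports `$script:modulePath` either; unless Common.integration.ps1 or the per-resource config files do so, the tests exercise whichever PowerStig is first on `PSModulePath` rather than the build output they just resolved. I would pick one manifest explicitly, fail with a clear message when none exists, and import it here (drop the last line if a sibling file already imports it).
```powershell
$script:buildOutput = Join-Path -Path $projectRoot -ChildPath 'output'
$script:modulePath = (Get-ChildItem -Path $buildOutput -Filter 'PowerStig.psd1' -Recurse -ErrorAction SilentlyContinue |
    Sort-Object -Property LastWriteTime -Descending | Select-Object -First 1).FullName
if (-not $script:modulePath)
{
    throw "No PowerStig.psd1 found under '$buildOutput'; run the build before the integration tests."
}
$script:moduleRoot = Split-Path -Path $script:modulePath -Parent
# … unchanged: $helperModulePath and Import-Module of TestHelper …
Import-Module -Name $script:modulePath -Force
```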
@@ -2,45 +2,36 @@ using module .\helper.psm1 $script:DSCCompositeResourceName = ($MyInvocation.MyCommand.Name -split '\.')[0] . $PSScriptRoot\.tests.header.ps1 -# Header -# Using try/finally to always cleanup even if something awful happens -try +$configFile = Join-Path -Path $PSScriptRoot -ChildPath "$($script:DSCCompositeResourceName).config.ps1" +. $configFile + +$stigList = Get-StigVersionTable -CompositeResourceName $script:DSCCompositeResourceName + +foreach ($stig in $stigList) { - $configFile = Join-Path -Path $PSScriptRoot -ChildPath "$($script:DSCCompositeResourceName).config.ps1" - . $configFile - - $stigList = Get-StigVersionTable -CompositeResourceName $script:DSCCompositeResourceName - - foreach ($stig in $stigList) - { - $orgSettingsPath = $stig.Path.Replace('.xml', '.org.default.xml') - $blankSkipRuleId = Get-BlankOrgSettingRuleId -OrgSettingPath $orgSettingsPath - $powerstigXml = [xml](Get-Content -Path $stig.Path) | - Remove-DscResourceEqualsNone | Remove-SkipRuleBlankOrgSetting -OrgSettingPath $orgSettingsPath - - $skipRule = Get-Random -InputObject $powerstigXml.RegistryRule.Rule.id - $skipRuleType = $null - $expectedSkipRuleTypeCount = 0 + $blankSkipRuleId.Count - - $skipRuleMultiple = Get-Random -InputObject $powerstigXml.RegistryRule.Rule.id -Count 2 - $skipRuleTypeMultiple = $null - $expectedSkipRuleTypeMultipleCount = 0 + $blankSkipRuleId.Count - - $getRandomExceptionRuleParams = @{ - RuleType = 'RegistryRule' - PowerStigXml = $powerstigXml - ParameterValue = 1234567 - } - $exception = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 - $exceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 - $backCompatException = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 -BackwardCompatibility - $backCompatExceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 -BackwardCompatibility - - . 
"$PSScriptRoot\Common.integration.ps1" + $orgSettingsPath = $stig.Path.Replace('.xml', '.org.default.xml') + $blankSkipRuleId = Get-BlankOrgSettingRuleId -OrgSettingPath $orgSettingsPath + $powerstigXml = [xml](Get-Content -Path $stig.Path) | + Remove-DscResourceEqualsNone | Remove-SkipRuleBlankOrgSetting -OrgSettingPath $orgSettingsPath + + $skipRule = Get-Random -InputObject $powerstigXml.RegistryRule.Rule.id + $skipRuleType = $null + $expectedSkipRuleTypeCount = 0 + $blankSkipRuleId.Count + + $skipRuleMultiple = Get-Random -InputObject $powerstigXml.RegistryRule.Rule.id -Count 2 + $skipRuleTypeMultiple = $null + $expectedSkipRuleTypeMultipleCount = 0 + $blankSkipRuleId.Count + + $getRandomExceptionRuleParams = @{ + RuleType = 'RegistryRule' + PowerStigXml = $powerstigXml + ParameterValue = 1234567 } -} -finally -{ - Restore-TestEnvironment -TestEnvironment $TestEnvironment + $exception = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 + $exceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 + $backCompatException = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 -BackwardCompatibility + $backCompatExceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 -BackwardCompatibility + + . "$PSScriptRoot\Common.integration.ps1" } diff --git a/Tests/Integration/DSCResources/DotNetFramework.integration.tests.ps1 b/Tests/Integration/DSCResources/DotNetFramework.integration.tests.ps1 index d361499f5..243e1018c 100644 --- a/Tests/Integration/DSCResources/DotNetFramework.integration.tests.ps1 +++ b/Tests/Integration/DSCResources/DotNetFramework.integration.tests.ps1 
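Review bot: The rule ids that drive the skip and exception cases are drawn with `Get-Random` and never recorded, so a failure inside Common.integration.ps1 for one particular rule cannot be reproduced on the next run; the de-indented file keeps that as it was. Seeding once before the loop, `$null = Get-Random -SetSeed 1`, makes the sequence stable across runs, or alternatively emit the chosen ids with `Write-Verbose` so a failing run at least names them. The same pattern is repeated in the sibling *.integration.tests.ps1 files touched by this commit.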
@@ -1,61 +1,51 @@ $script:DSCCompositeResourceName = ($MyInvocation.MyCommand.Name -split '\.')[0] . $PSScriptRoot\.tests.header.ps1 -# Header -# Using try/finally to always cleanup even if something awful happens. -try -{ - $configFile = Join-Path -Path $PSScriptRoot -ChildPath "$($script:DSCCompositeResourceName).config.ps1" - . $configFile +$configFile = Join-Path -Path $PSScriptRoot -ChildPath "$($script:DSCCompositeResourceName).config.ps1" +. $configFile - $stigList = Get-StigVersionTable -CompositeResourceName $script:DSCCompositeResourceName +$stigList = Get-StigVersionTable -CompositeResourceName $script:DSCCompositeResourceName - foreach ($stig in $stigList) - { - Describe "Framework $($stig.TechnologyVersion) $($stig.StigVersion) mof output" { +foreach ($stig in $stigList) +{ + Describe "Framework $($stig.TechnologyVersion) $($stig.StigVersion) mof output" { - It 'Should compile the MOF without throwing' { - { - & "$($script:DSCCompositeResourceName)_config" ` - -FrameworkVersion $stig.TechnologyVersion ` - -StigVersion $stig.StigVersion ` - -OutputPath $TestDrive - } | Should -Not -Throw - } + It 'Should compile the MOF without throwing' { + { + & "$($script:DSCCompositeResourceName)_config" ` + -FrameworkVersion $stig.TechnologyVersion ` + -StigVersion $stig.StigVersion ` + -OutputPath $TestDrive + } | Should -Not -Throw + } - [xml] $dscXml = Get-Content -Path $stig.Path + [xml] $dscXml = Get-Content -Path $stig.Path - if (Test-AutomatableRuleType -StigObject $dscXml) - { - $configurationDocumentPath = "$TestDrive\localhost.mof" + if (Test-AutomatableRuleType -StigObject $dscXml) + { + $configurationDocumentPath = "$TestDrive\localhost.mof" - $instances = [Microsoft.PowerShell.DesiredStateConfiguration.Internal.DscClassCache]::ImportInstances($configurationDocumentPath, 4) + $instances = [Microsoft.PowerShell.DesiredStateConfiguration.Internal.DscClassCache]::ImportInstances($configurationDocumentPath, 4) - Context 'Registry' { - $hasAllSettings = 
$true - $dscXml = @($dscXml.DISASTIG.RegistryRule.Rule) - $dscMof = $instances | - Where-Object {$PSItem.ResourceID -match '\[Registry\]|\[RegistryPolicyFile\]'} + Context 'Registry' { + $hasAllSettings = $true + $dscXml = @($dscXml.DISASTIG.RegistryRule.Rule) + $dscMof = $instances | + Where-Object {$PSItem.ResourceID -match '\[Registry\]|\[RegistryPolicyFile\]'} - foreach ($setting in $dscXml) + foreach ($setting in $dscXml) + { + If (-not ($dscMof.ResourceID -match $setting.Id) ) { - If (-not ($dscMof.ResourceID -match $setting.Id) ) - { - Write-Warning -Message "Missing registry Setting $($setting.Id)" - $hasAllSettings = $false - } + Write-Warning -Message "Missing registry Setting $($setting.Id)" + $hasAllSettings = $false } + } - It "Should have $($dscXml.Count) Registry settings" { - $hasAllSettings | Should Be $true - } + It "Should have $($dscXml.Count) Registry settings" { + $hasAllSettings | Should Be $true } } } } } -finally -{ - Restore-TestEnvironment -TestEnvironment $TestEnvironment -} - diff --git a/Tests/Integration/DSCResources/Firefox.integration.tests.ps1 b/Tests/Integration/DSCResources/Firefox.integration.tests.ps1 index 164ba800f..ccc6e5d80 100644 --- a/Tests/Integration/DSCResources/Firefox.integration.tests.ps1 +++ b/Tests/Integration/DSCResources/Firefox.integration.tests.ps1 
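Review bot: `$dscMof.ResourceID -match $setting.Id` treats the rule id as an unanchored regex, so an id that is a prefix of another (`V-1234` against a `V-12345` resource) reports the setting as present and the `Should have … Registry settings` assertion passes on a MOF that is missing it. If the ResourceID ends with the rule id, as the `[Registry]`/`[RegistryPolicyFile]` filter on the preceding line suggests, anchoring and escaping fixes it: `If (-not ($dscMof.ResourceID -match "$([regex]::Escape($setting.Id))$"))`. Separately, `$hasAllSettings | Should Be $true` uses the legacy Pester form while the `It` above uses `Should -Not -Throw`; `Should -BeTrue` keeps the file on one syntax.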
@@ -2,45 +2,36 @@ using module .\helper.psm1 $script:DSCCompositeResourceName = ($MyInvocation.MyCommand.Name -split '\.')[0] . $PSScriptRoot\.tests.header.ps1 -# Header -# Using try/finally to always cleanup even if something awful happens. -try +$configFile = Join-Path -Path $PSScriptRoot -ChildPath "$($script:DSCCompositeResourceName).config.ps1" +. $configFile + +$stigList = Get-StigVersionTable -CompositeResourceName $script:DSCCompositeResourceName + +foreach ($stig in $stigList) { - $configFile = Join-Path -Path $PSScriptRoot -ChildPath "$($script:DSCCompositeResourceName).config.ps1" - . $configFile - - $stigList = Get-StigVersionTable -CompositeResourceName $script:DSCCompositeResourceName - - foreach ($stig in $stigList) - { - $orgSettingsPath = $stig.Path.Replace('.xml', '.org.default.xml') - $blankSkipRuleId = Get-BlankOrgSettingRuleId -OrgSettingPath $orgSettingsPath - $powerstigXml = [xml](Get-Content -Path $stig.Path) | - Remove-DscResourceEqualsNone | Remove-SkipRuleBlankOrgSetting -OrgSettingPath $orgSettingsPath - - $skipRule = Get-Random -InputObject $powerstigXml.FileContentRule.Rule.id - $skipRuleType = $null - $expectedSkipRuleTypeCount = 0 + $blankSkipRuleId.Count - - $skipRuleMultiple = Get-Random -InputObject $powerstigXml.FileContentRule.Rule.id -Count 2 - $skipRuleTypeMultiple = $null - $expectedSkipRuleTypeMultipleCount = 0 + $blankSkipRuleId.Count - - $getRandomExceptionRuleParams = @{ - RuleType = 'FileContentRule' - PowerStigXml = $powerstigXml - ParameterValue = 1234567 - } - $exception = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 - $exceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 - $backCompatException = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 -BackwardCompatibility - $backCompatExceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 -BackwardCompatibility - - . 
"$PSScriptRoot\Common.integration.ps1" + $orgSettingsPath = $stig.Path.Replace('.xml', '.org.default.xml') + $blankSkipRuleId = Get-BlankOrgSettingRuleId -OrgSettingPath $orgSettingsPath + $powerstigXml = [xml](Get-Content -Path $stig.Path) | + Remove-DscResourceEqualsNone | Remove-SkipRuleBlankOrgSetting -OrgSettingPath $orgSettingsPath + + $skipRule = Get-Random -InputObject $powerstigXml.FileContentRule.Rule.id + $skipRuleType = $null + $expectedSkipRuleTypeCount = 0 + $blankSkipRuleId.Count + + $skipRuleMultiple = Get-Random -InputObject $powerstigXml.FileContentRule.Rule.id -Count 2 + $skipRuleTypeMultiple = $null + $expectedSkipRuleTypeMultipleCount = 0 + $blankSkipRuleId.Count + + $getRandomExceptionRuleParams = @{ + RuleType = 'FileContentRule' + PowerStigXml = $powerstigXml + ParameterValue = 1234567 } -} -finally -{ - Restore-TestEnvironment -TestEnvironment $TestEnvironment + $exception = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 + $exceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 + $backCompatException = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 -BackwardCompatibility + $backCompatExceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 -BackwardCompatibility + + . "$PSScriptRoot\Common.integration.ps1" } diff --git a/Tests/Integration/DSCResources/IisServer.integration.tests.ps1 b/Tests/Integration/DSCResources/IisServer.integration.tests.ps1 index 8aca760dc..92b291b70 100644 --- a/Tests/Integration/DSCResources/IisServer.integration.tests.ps1 +++ b/Tests/Integration/DSCResources/IisServer.integration.tests.ps1 
@@ -2,51 +2,42 @@ using module .\helper.psm1 $script:DSCCompositeResourceName = ($MyInvocation.MyCommand.Name -split '\.')[0] . $PSScriptRoot\.tests.header.ps1 -# Header -# Using try/finally to always cleanup even if something awful happens. -try -{ - $configFile = Join-Path -Path $PSScriptRoot -ChildPath "$($script:DSCCompositeResourceName).config.ps1" - . $configFile - - $stigList = Get-StigVersionTable -CompositeResourceName $script:DSCCompositeResourceName +$configFile = Join-Path -Path $PSScriptRoot -ChildPath "$($script:DSCCompositeResourceName).config.ps1" +. $configFile - $additionalTestParameterList = @{ - LogPath = $env:temp - } +$stigList = Get-StigVersionTable -CompositeResourceName $script:DSCCompositeResourceName - foreach ($stig in $stigList) - { - $orgSettingsPath = $stig.Path.Replace('.xml', '.org.default.xml') - $blankSkipRuleId = Get-BlankOrgSettingRuleId -OrgSettingPath $orgSettingsPath - $powerstigXml = [xml](Get-Content -Path $stig.Path) | - Remove-DscResourceEqualsNone | Remove-SkipRuleBlankOrgSetting -OrgSettingPath $orgSettingsPath - - $skipRule = Get-Random -InputObject $powerstigXml.MimeTypeRule.Rule.id - $skipRuleType = "IisLoggingRule" - $expectedSkipRuleTypeCount = $powerstigXml.IisLoggingRule.Rule.Count + $blankSkipRuleId.Count - - $skipRuleMultiple = Get-Random -InputObject $powerstigXml.WebConfigurationPropertyRule.Rule.id -Count 2 - $skipRuleTypeMultiple = @('MimeTypeRule','IisLoggingRule') - $expectedSkipRuleTypeMultipleCount = $powerstigXml.MimeTypeRule.Rule.Count + - $powerstigXml.IisLoggingRule.Rule.Count + - $blankSkipRuleId.Count - - $getRandomExceptionRuleParams = @{ - RuleType = 'WebConfigurationPropertyRule' - PowerStigXml = $powerstigXml - ParameterValue = 1234567 - } - $exception = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 - $exceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 - $backCompatException = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 
-BackwardCompatibility - $backCompatExceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 -BackwardCompatibility - - . "$PSScriptRoot\Common.integration.ps1" - } +$additionalTestParameterList = @{ + LogPath = $env:temp } -finally + +foreach ($stig in $stigList) { - Restore-TestEnvironment -TestEnvironment $TestEnvironment + $orgSettingsPath = $stig.Path.Replace('.xml', '.org.default.xml') + $blankSkipRuleId = Get-BlankOrgSettingRuleId -OrgSettingPath $orgSettingsPath + $powerstigXml = [xml](Get-Content -Path $stig.Path) | + Remove-DscResourceEqualsNone | Remove-SkipRuleBlankOrgSetting -OrgSettingPath $orgSettingsPath + + $skipRule = Get-Random -InputObject $powerstigXml.MimeTypeRule.Rule.id + $skipRuleType = "IisLoggingRule" + $expectedSkipRuleTypeCount = $powerstigXml.IisLoggingRule.Rule.Count + $blankSkipRuleId.Count + + $skipRuleMultiple = Get-Random -InputObject $powerstigXml.WebConfigurationPropertyRule.Rule.id -Count 2 + $skipRuleTypeMultiple = @('MimeTypeRule','IisLoggingRule') + $expectedSkipRuleTypeMultipleCount = $powerstigXml.MimeTypeRule.Rule.Count + + $powerstigXml.IisLoggingRule.Rule.Count + + $blankSkipRuleId.Count + + $getRandomExceptionRuleParams = @{ + RuleType = 'WebConfigurationPropertyRule' + PowerStigXml = $powerstigXml + ParameterValue = 1234567 + } + $exception = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 + $exceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 + $backCompatException = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 -BackwardCompatibility + $backCompatExceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 -BackwardCompatibility + + . "$PSScriptRoot\Common.integration.ps1" } diff --git a/Tests/Integration/DSCResources/IisSite.integration.tests.ps1 b/Tests/Integration/DSCResources/IisSite.integration.tests.ps1 index b0e4d1cb8..8b7dc5427 100644 
--- a/Tests/Integration/DSCResources/IisSite.integration.tests.ps1 +++ b/Tests/Integration/DSCResources/IisSite.integration.tests.ps1 
@@ -2,53 +2,44 @@ using module .\helper.psm1 $script:DSCCompositeResourceName = ($MyInvocation.MyCommand.Name -split '\.')[0] . $PSScriptRoot\.tests.header.ps1 -# Header -# Using try/finally to always cleanup even if something awful happens. -try -{ - $configFile = Join-Path -Path $PSScriptRoot -ChildPath "$($script:DSCCompositeResourceName).config.ps1" - . $configFile - - $stigList = Get-StigVersionTable -CompositeResourceName $script:DSCCompositeResourceName +$configFile = Join-Path -Path $PSScriptRoot -ChildPath "$($script:DSCCompositeResourceName).config.ps1" +. $configFile - $additionalTestParameterList = @{ - WebsiteName = @('WarioSite', 'DKSite') - WebAppPool = @('MushroomBeach', 'ToadHarbor') - } +$stigList = Get-StigVersionTable -CompositeResourceName $script:DSCCompositeResourceName - foreach ($stig in $stigList) - { - $orgSettingsPath = $stig.Path.Replace('.xml', '.org.default.xml') - $blankSkipRuleId = Get-BlankOrgSettingRuleId -OrgSettingPath $orgSettingsPath - $powerstigXml = [xml](Get-Content -Path $stig.Path) | - Remove-DscResourceEqualsNone | Remove-SkipRuleBlankOrgSetting -OrgSettingPath $orgSettingsPath - - $skipRule = Get-Random -InputObject $powerstigXml.WebConfigurationPropertyRule.Rule.id - $skipRuleType = "IisLoggingRule" - $expectedSkipRuleTypeCount = $powerstigXml.IisLoggingRule.Rule.Count + $blankSkipRuleId.Count - - $skipRuleMultiple = Get-Random -InputObject $powerstigXml.MimeTypeRule.Rule.id -Count 2 - $skipRuleTypeMultiple = @('WebAppPoolRule','IisLoggingRule') - $expectedSkipRuleTypeMultipleCount = $powerstigXml.WebAppPoolRule.Rule.Count + - $powerstigXml.IisLoggingRule.Rule.Count + - $blankSkipRuleId.Count - - $getRandomExceptionRuleParams = @{ - RuleType = 'WebConfigurationPropertyRule' - PowerStigXml = $powerstigXml - ParameterValue = 1234567 - } - $exception = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 - $getRandomExceptionRuleParams.RuleType = 'WebAppPoolRule' - $exceptionMultiple = Get-RandomExceptionRule 
@getRandomExceptionRuleParams -Count 2 - $backCompatException = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 -BackwardCompatibility - $backCompatExceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 -BackwardCompatibility - - . "$PSScriptRoot\Common.integration.ps1" - } +$additionalTestParameterList = @{ + WebsiteName = @('WarioSite', 'DKSite') + WebAppPool = @('MushroomBeach', 'ToadHarbor') } -finally + +foreach ($stig in $stigList) { - Restore-TestEnvironment -TestEnvironment $TestEnvironment + $orgSettingsPath = $stig.Path.Replace('.xml', '.org.default.xml') + $blankSkipRuleId = Get-BlankOrgSettingRuleId -OrgSettingPath $orgSettingsPath + $powerstigXml = [xml](Get-Content -Path $stig.Path) | + Remove-DscResourceEqualsNone | Remove-SkipRuleBlankOrgSetting -OrgSettingPath $orgSettingsPath + + $skipRule = Get-Random -InputObject $powerstigXml.WebConfigurationPropertyRule.Rule.id + $skipRuleType = "IisLoggingRule" + $expectedSkipRuleTypeCount = $powerstigXml.IisLoggingRule.Rule.Count + $blankSkipRuleId.Count + + $skipRuleMultiple = Get-Random -InputObject $powerstigXml.MimeTypeRule.Rule.id -Count 2 + $skipRuleTypeMultiple = @('WebAppPoolRule','IisLoggingRule') + $expectedSkipRuleTypeMultipleCount = $powerstigXml.WebAppPoolRule.Rule.Count + + $powerstigXml.IisLoggingRule.Rule.Count + + $blankSkipRuleId.Count + + $getRandomExceptionRuleParams = @{ + RuleType = 'WebConfigurationPropertyRule' + PowerStigXml = $powerstigXml + ParameterValue = 1234567 + } + $exception = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 + $getRandomExceptionRuleParams.RuleType = 'WebAppPoolRule' + $exceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 + $backCompatException = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 -BackwardCompatibility + $backCompatExceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 -BackwardCompatibility + + . 
"$PSScriptRoot\Common.integration.ps1" } diff --git a/Tests/Integration/DSCResources/InternetExplorer.integration.tests.ps1 b/Tests/Integration/DSCResources/InternetExplorer.integration.tests.ps1 index 5449d269c..adfb70633 100644 --- a/Tests/Integration/DSCResources/InternetExplorer.integration.tests.ps1 +++ b/Tests/Integration/DSCResources/InternetExplorer.integration.tests.ps1 
@@ -2,45 +2,36 @@ using module .\helper.psm1 $script:DSCCompositeResourceName = ($MyInvocation.MyCommand.Name -split '\.')[0] . $PSScriptRoot\.tests.header.ps1 -# Header -# Using try/finally to always cleanup even if something awful happens. -try +$configFile = Join-Path -Path $PSScriptRoot -ChildPath "$($script:DSCCompositeResourceName).config.ps1" +. $configFile + +$stigList = Get-StigVersionTable -CompositeResourceName $script:DSCCompositeResourceName + +foreach ($stig in $stigList) { - $configFile = Join-Path -Path $PSScriptRoot -ChildPath "$($script:DSCCompositeResourceName).config.ps1" - . $configFile - - $stigList = Get-StigVersionTable -CompositeResourceName $script:DSCCompositeResourceName - - foreach ($stig in $stigList) - { - $orgSettingsPath = $stig.Path.Replace('.xml', '.org.default.xml') - $blankSkipRuleId = Get-BlankOrgSettingRuleId -OrgSettingPath $orgSettingsPath - $powerstigXml = [xml](Get-Content -Path $stig.Path) | - Remove-DscResourceEqualsNone | Remove-SkipRuleBlankOrgSetting -OrgSettingPath $orgSettingsPath - - $skipRule = Get-Random -InputObject $powerstigXml.RegistryRule.Rule.id - $skipRuleType = $null - $expectedSkipRuleTypeCount = 0 + $blankSkipRuleId.Count - - $skipRuleMultiple = Get-Random -InputObject $powerstigXml.RegistryRule.Rule.id -Count 2 - $skipRuleTypeMultiple = $null - $expectedSkipRuleTypeMultipleCount = 0 + $blankSkipRuleId.Count - - $getRandomExceptionRuleParams = @{ - RuleType = 'RegistryRule' - PowerStigXml = $powerstigXml - ParameterValue = 1234567 - } - $exception = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 - $exceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 - $backCompatException = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 -BackwardCompatibility - $backCompatExceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 -BackwardCompatibility - - . 
"$PSScriptRoot\Common.integration.ps1" + $orgSettingsPath = $stig.Path.Replace('.xml', '.org.default.xml') + $blankSkipRuleId = Get-BlankOrgSettingRuleId -OrgSettingPath $orgSettingsPath + $powerstigXml = [xml](Get-Content -Path $stig.Path) | + Remove-DscResourceEqualsNone | Remove-SkipRuleBlankOrgSetting -OrgSettingPath $orgSettingsPath + + $skipRule = Get-Random -InputObject $powerstigXml.RegistryRule.Rule.id + $skipRuleType = $null + $expectedSkipRuleTypeCount = 0 + $blankSkipRuleId.Count + + $skipRuleMultiple = Get-Random -InputObject $powerstigXml.RegistryRule.Rule.id -Count 2 + $skipRuleTypeMultiple = $null + $expectedSkipRuleTypeMultipleCount = 0 + $blankSkipRuleId.Count + + $getRandomExceptionRuleParams = @{ + RuleType = 'RegistryRule' + PowerStigXml = $powerstigXml + ParameterValue = 1234567 } -} -finally -{ - Restore-TestEnvironment -TestEnvironment $TestEnvironment + $exception = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 + $exceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 + $backCompatException = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 -BackwardCompatibility + $backCompatExceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 -BackwardCompatibility + + . "$PSScriptRoot\Common.integration.ps1" } diff --git a/Tests/Integration/DSCResources/McAfee.integration.tests.ps1 b/Tests/Integration/DSCResources/McAfee.integration.tests.ps1 index 76c8fd1cf..ffc5b1720 100644 --- a/Tests/Integration/DSCResources/McAfee.integration.tests.ps1 +++ b/Tests/Integration/DSCResources/McAfee.integration.tests.ps1 
@@ -2,46 +2,37 @@ using module .\helper.psm1 $script:DSCCompositeResourceName = ($MyInvocation.MyCommand.Name -split '\.')[0] . $PSScriptRoot\.tests.header.ps1 -# Header -# Using try/finally to always cleanup even if something awful happens. -try +$configFile = Join-Path -Path $PSScriptRoot -ChildPath "$($script:DSCCompositeResourceName).config.ps1" +. $configFile + +$stigList = Get-StigVersionTable -CompositeResourceName $script:DSCCompositeResourceName + +foreach ($stig in $stigList) { - $configFile = Join-Path -Path $PSScriptRoot -ChildPath "$($script:DSCCompositeResourceName).config.ps1" - . $configFile - - $stigList = Get-StigVersionTable -CompositeResourceName $script:DSCCompositeResourceName - - foreach ($stig in $stigList) - { - $orgSettingsPath = $stig.Path.Replace('.xml', '.org.default.xml') - $blankSkipRuleId = Get-BlankOrgSettingRuleId -OrgSettingPath $orgSettingsPath - $powerstigXml = [xml](Get-Content -Path $stig.Path) | - Remove-DscResourceEqualsNone | Remove-SkipRuleBlankOrgSetting -OrgSettingPath $orgSettingsPath - - $skipRule = Get-Random -InputObject $powerstigXml.RegistryRule.Rule.id - $skipRuleType = $null - $expectedSkipRuleTypeCount = 0 + $blankSkipRuleId.Count - - $skipRuleMultiple = Get-Random -InputObject $powerstigXml.RegistryRule.Rule.id -Count 2 - $skipRuleTypeMultiple = $null - $expectedSkipRuleTypeMultipleCount = 0 + $blankSkipRuleId.Count - - $getRandomExceptionRuleParams = @{ - RuleType = 'RegistryRule' - PowerStigXml = $powerstigXml - ParameterValue = 1234567 - } - - $exception = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 - $exceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 - $backCompatException = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 -BackwardCompatibility - $backCompatExceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 -BackwardCompatibility - - . 
"$PSScriptRoot\Common.integration.ps1" + $orgSettingsPath = $stig.Path.Replace('.xml', '.org.default.xml') + $blankSkipRuleId = Get-BlankOrgSettingRuleId -OrgSettingPath $orgSettingsPath + $powerstigXml = [xml](Get-Content -Path $stig.Path) | + Remove-DscResourceEqualsNone | Remove-SkipRuleBlankOrgSetting -OrgSettingPath $orgSettingsPath + + $skipRule = Get-Random -InputObject $powerstigXml.RegistryRule.Rule.id + $skipRuleType = $null + $expectedSkipRuleTypeCount = 0 + $blankSkipRuleId.Count + + $skipRuleMultiple = Get-Random -InputObject $powerstigXml.RegistryRule.Rule.id -Count 2 + $skipRuleTypeMultiple = $null + $expectedSkipRuleTypeMultipleCount = 0 + $blankSkipRuleId.Count + + $getRandomExceptionRuleParams = @{ + RuleType = 'RegistryRule' + PowerStigXml = $powerstigXml + ParameterValue = 1234567 } -} -finally -{ - Restore-TestEnvironment -TestEnvironment $TestEnvironment + + $exception = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 + $exceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 + $backCompatException = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 -BackwardCompatibility + $backCompatExceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 -BackwardCompatibility + + . "$PSScriptRoot\Common.integration.ps1" } diff --git a/Tests/Integration/DSCResources/Office.integration.tests.ps1 b/Tests/Integration/DSCResources/Office.integration.tests.ps1 index 5449d269c..adfb70633 100644 --- a/Tests/Integration/DSCResources/Office.integration.tests.ps1 +++ b/Tests/Integration/DSCResources/Office.integration.tests.ps1 
@@ -2,45 +2,36 @@ using module .\helper.psm1 $script:DSCCompositeResourceName = ($MyInvocation.MyCommand.Name -split '\.')[0] . $PSScriptRoot\.tests.header.ps1 -# Header -# Using try/finally to always cleanup even if something awful happens. -try +$configFile = Join-Path -Path $PSScriptRoot -ChildPath "$($script:DSCCompositeResourceName).config.ps1" +. $configFile + +$stigList = Get-StigVersionTable -CompositeResourceName $script:DSCCompositeResourceName + +foreach ($stig in $stigList) { - $configFile = Join-Path -Path $PSScriptRoot -ChildPath "$($script:DSCCompositeResourceName).config.ps1" - . $configFile - - $stigList = Get-StigVersionTable -CompositeResourceName $script:DSCCompositeResourceName - - foreach ($stig in $stigList) - { - $orgSettingsPath = $stig.Path.Replace('.xml', '.org.default.xml') - $blankSkipRuleId = Get-BlankOrgSettingRuleId -OrgSettingPath $orgSettingsPath - $powerstigXml = [xml](Get-Content -Path $stig.Path) | - Remove-DscResourceEqualsNone | Remove-SkipRuleBlankOrgSetting -OrgSettingPath $orgSettingsPath - - $skipRule = Get-Random -InputObject $powerstigXml.RegistryRule.Rule.id - $skipRuleType = $null - $expectedSkipRuleTypeCount = 0 + $blankSkipRuleId.Count - - $skipRuleMultiple = Get-Random -InputObject $powerstigXml.RegistryRule.Rule.id -Count 2 - $skipRuleTypeMultiple = $null - $expectedSkipRuleTypeMultipleCount = 0 + $blankSkipRuleId.Count - - $getRandomExceptionRuleParams = @{ - RuleType = 'RegistryRule' - PowerStigXml = $powerstigXml - ParameterValue = 1234567 - } - $exception = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 - $exceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 - $backCompatException = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 -BackwardCompatibility - $backCompatExceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 -BackwardCompatibility - - . 
"$PSScriptRoot\Common.integration.ps1" + $orgSettingsPath = $stig.Path.Replace('.xml', '.org.default.xml') + $blankSkipRuleId = Get-BlankOrgSettingRuleId -OrgSettingPath $orgSettingsPath + $powerstigXml = [xml](Get-Content -Path $stig.Path) | + Remove-DscResourceEqualsNone | Remove-SkipRuleBlankOrgSetting -OrgSettingPath $orgSettingsPath + + $skipRule = Get-Random -InputObject $powerstigXml.RegistryRule.Rule.id + $skipRuleType = $null + $expectedSkipRuleTypeCount = 0 + $blankSkipRuleId.Count + + $skipRuleMultiple = Get-Random -InputObject $powerstigXml.RegistryRule.Rule.id -Count 2 + $skipRuleTypeMultiple = $null + $expectedSkipRuleTypeMultipleCount = 0 + $blankSkipRuleId.Count + + $getRandomExceptionRuleParams = @{ + RuleType = 'RegistryRule' + PowerStigXml = $powerstigXml + ParameterValue = 1234567 } -} -finally -{ - Restore-TestEnvironment -TestEnvironment $TestEnvironment + $exception = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 + $exceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 + $backCompatException = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 -BackwardCompatibility + $backCompatExceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 -BackwardCompatibility + + . "$PSScriptRoot\Common.integration.ps1" } diff --git a/Tests/Integration/DSCResources/OracleJRE.integration.tests.ps1 b/Tests/Integration/DSCResources/OracleJRE.integration.tests.ps1 index 436bf4d2a..8dc14519c 100644 --- a/Tests/Integration/DSCResources/OracleJRE.integration.tests.ps1 +++ b/Tests/Integration/DSCResources/OracleJRE.integration.tests.ps1 
@@ -2,50 +2,41 @@ using module .\helper.psm1 $script:DSCCompositeResourceName = ($MyInvocation.MyCommand.Name -split '\.')[0] . $PSScriptRoot\.tests.header.ps1 -# Header -# Using try/finally to always cleanup even if something awful happens. -try -{ - $configFile = Join-Path -Path $PSScriptRoot -ChildPath "$($script:DSCCompositeResourceName).config.ps1" - . $configFile - - $stigList = Get-StigVersionTable -CompositeResourceName $script:DSCCompositeResourceName +$configFile = Join-Path -Path $PSScriptRoot -ChildPath "$($script:DSCCompositeResourceName).config.ps1" +. $configFile - $additionalTestParameterList = @{ - configPath = 'C:\Windows\Sun\Java\Deployment\deployment.config' - propertiesPath = 'C:\Windows\Java\Deployment\deployment.properties' - } +$stigList = Get-StigVersionTable -CompositeResourceName $script:DSCCompositeResourceName - foreach ($stig in $stigList) - { - $orgSettingsPath = $stig.Path.Replace('.xml', '.org.default.xml') - $blankSkipRuleId = Get-BlankOrgSettingRuleId -OrgSettingPath $orgSettingsPath - $powerstigXml = [xml](Get-Content -Path $stig.Path) | - Remove-DscResourceEqualsNone | Remove-SkipRuleBlankOrgSetting -OrgSettingPath $orgSettingsPath - - $skipRule = Get-Random -InputObject $powerstigXml.FileContentRule.Rule.id - $skipRuleType = $null - $expectedSkipRuleTypeCount = 0 + $blankSkipRuleId.Count - - $skipRuleMultiple = Get-Random -InputObject $powerstigXml.FileContentRule.Rule.id -Count 2 - $skipRuleTypeMultiple = $null - $expectedSkipRuleTypeMultipleCount = 0 + $blankSkipRuleId.Count - - $getRandomExceptionRuleParams = @{ - RuleType = 'FileContentRule' - PowerStigXml = $powerstigXml - ParameterValue = 1234567 - } - $exception = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 - $exceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 - $backCompatException = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 -BackwardCompatibility - $backCompatExceptionMultiple = 
Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 -BackwardCompatibility - - . "$PSScriptRoot\Common.integration.ps1" - } +$additionalTestParameterList = @{ + configPath = 'C:\Windows\Sun\Java\Deployment\deployment.config' + propertiesPath = 'C:\Windows\Java\Deployment\deployment.properties' } -finally + +foreach ($stig in $stigList) { - Restore-TestEnvironment -TestEnvironment $TestEnvironment + $orgSettingsPath = $stig.Path.Replace('.xml', '.org.default.xml') + $blankSkipRuleId = Get-BlankOrgSettingRuleId -OrgSettingPath $orgSettingsPath + $powerstigXml = [xml](Get-Content -Path $stig.Path) | + Remove-DscResourceEqualsNone | Remove-SkipRuleBlankOrgSetting -OrgSettingPath $orgSettingsPath + + $skipRule = Get-Random -InputObject $powerstigXml.FileContentRule.Rule.id + $skipRuleType = $null + $expectedSkipRuleTypeCount = 0 + $blankSkipRuleId.Count + + $skipRuleMultiple = Get-Random -InputObject $powerstigXml.FileContentRule.Rule.id -Count 2 + $skipRuleTypeMultiple = $null + $expectedSkipRuleTypeMultipleCount = 0 + $blankSkipRuleId.Count + + $getRandomExceptionRuleParams = @{ + RuleType = 'FileContentRule' + PowerStigXml = $powerstigXml + ParameterValue = 1234567 + } + $exception = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 + $exceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 + $backCompatException = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 -BackwardCompatibility + $backCompatExceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 -BackwardCompatibility + + . "$PSScriptRoot\Common.integration.ps1" } diff --git a/Tests/Integration/DSCResources/SqlServer.config.ps1 b/Tests/Integration/DSCResources/SqlServer.config.ps1 index 67aaf0d72..b387ffad9 100644 --- a/Tests/Integration/DSCResources/SqlServer.config.ps1 +++ b/Tests/Integration/DSCResources/SqlServer.config.ps1 
@@ -47,7 +47,7 @@ configuration SqlServer_config
 {
 SqlVersion = $TechnologyVersion
 SqlRole = '$TechnologyRole'
- StigVersion = $StigVersion
+ StigVersion = '$StigVersion'
 ServerInstance = 'TestServer'
 $(if ($OrgSettings -is [hashtable])
 {
@@ -129,7 +129,7 @@ configuration SqlServerDatabase_config
 SqlRole = '$TechnologyRole'
 StigVersion = '$StigVersion'
 ServerInstance = 'TestServer'
- Database = 'TestDataBase'
+ Database = @('TestDataBase','TestDataBase2')
 $(if ($null -ne $OrgSettings)
 {
 "Orgsettings = '$OrgSettings'"
diff --git a/Tests/Integration/DSCResources/SqlServer.integration.tests.ps1 b/Tests/Integration/DSCResources/SqlServer.integration.tests.ps1
index 16fddf541..cb656d470 100644
--- a/Tests/Integration/DSCResources/SqlServer.integration.tests.ps1
+++ b/Tests/Integration/DSCResources/SqlServer.integration.tests.ps1
@@ -2,45 +2,36 @@ using module .\helper.psm1 $script:DSCCompositeResourceName = ($MyInvocation.MyCommand.Name -split '\.')[0] . $PSScriptRoot\.tests.header.ps1 -# Header -# Using try/finally to always cleanup even if something awful happens. -try +$configFile = Join-Path -Path $PSScriptRoot -ChildPath "$($script:DSCCompositeResourceName).config.ps1" +. $configFile + +$stigList = Get-StigVersionTable -CompositeResourceName $script:DSCCompositeResourceName + +foreach ($stig in $stigList) { - $configFile = Join-Path -Path $PSScriptRoot -ChildPath "$($script:DSCCompositeResourceName).config.ps1" - . $configFile - - $stigList = Get-StigVersionTable -CompositeResourceName $script:DSCCompositeResourceName - - foreach ($stig in $stigList) - { - $orgSettingsPath = $stig.Path.Replace('.xml', '.org.default.xml') - $blankSkipRuleId = Get-BlankOrgSettingRuleId -OrgSettingPath $orgSettingsPath - $powerstigXml = [xml](Get-Content -Path $stig.Path) | - Remove-DscResourceEqualsNone | Remove-SkipRuleBlankOrgSetting -OrgSettingPath $orgSettingsPath - - $skipRule = Get-Random -InputObject $powerstigXml.SqlScriptQueryRule.Rule.id - $skipRuleType = "DocumentRule" - $expectedSkipRuleTypeCount = $powerstigXml.DocumentRule.Rule.Count + $blankSkipRuleId.Count - - $skipRuleMultiple = Get-Random -InputObject $powerstigXml.DocumentRule.Rule.id -Count 2 - $skipRuleTypeMultiple = $null - $expectedSkipRuleTypeMultipleCount = 0 + $blankSkipRuleId.Count - - $getRandomExceptionRuleParams = @{ - RuleType = 'SqlScriptQueryRule' - PowerStigXml = $powerstigXml - ParameterValue = $true - } - $exception = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 - $exceptionMultiple = $null - $backCompatException = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 -BackwardCompatibility - $backCompatExceptionMultiple = $null - - . 
"$PSScriptRoot\Common.integration.ps1" + $orgSettingsPath = $stig.Path.Replace('.xml', '.org.default.xml') + $blankSkipRuleId = Get-BlankOrgSettingRuleId -OrgSettingPath $orgSettingsPath + $powerstigXml = [xml](Get-Content -Path $stig.Path) | + Remove-DscResourceEqualsNone | Remove-SkipRuleBlankOrgSetting -OrgSettingPath $orgSettingsPath + + $skipRule = Get-Random -InputObject $powerstigXml.SqlScriptQueryRule.Rule.id + $skipRuleType = "DocumentRule" + $expectedSkipRuleTypeCount = $powerstigXml.DocumentRule.Rule.Count + $blankSkipRuleId.Count + + $skipRuleMultiple = Get-Random -InputObject $powerstigXml.DocumentRule.Rule.id -Count 2 + $skipRuleTypeMultiple = $null + $expectedSkipRuleTypeMultipleCount = 0 + $blankSkipRuleId.Count + + $getRandomExceptionRuleParams = @{ + RuleType = 'SqlScriptQueryRule' + PowerStigXml = $powerstigXml + ParameterValue = 1234567 } -} -finally -{ - Restore-TestEnvironment -TestEnvironment $TestEnvironment + $exception = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 + $exceptionMultiple = $null + $backCompatException = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 -BackwardCompatibility + $backCompatExceptionMultiple = $null + + . "$PSScriptRoot\Common.integration.ps1" } diff --git a/Tests/Integration/DSCResources/Vsphere.config.ps1 b/Tests/Integration/DSCResources/Vsphere.config.ps1 new file mode 100644 index 000000000..78d714518 --- /dev/null +++ b/Tests/Integration/DSCResources/Vsphere.config.ps1 
@@ -0,0 +1,91 @@
+configuration Vsphere_config
+{
+ [CmdletBinding()]
+ param
+ (
+ [Parameter()]
+ [AllowNull()]
+ [string]
+ $TechnologyVersion,
+
+ [Parameter()]
+ [AllowNull()]
+ [string]
+ $TechnologyRole,
+
+ [Parameter(Mandatory = $true)]
+ [version]
+ $StigVersion,
+
+ [Parameter()]
+ [hashtable]
+ $Exception,
+
+ [Parameter()]
+ [hashtable]
+ $BackwardCompatibilityException,
+
+ [Parameter()]
+ [string[]]
+ $SkipRule,
+
+ [Parameter()]
+ [string[]]
+ $SkipRuleType,
+
+ [Parameter()]
+ [object]
+ $OrgSettings,
+
+ [Parameter(Mandatory = $true)]
+ [ValidateNotNullOrEmpty()]
+ [string]
+ $HostIP,
+
+ [Parameter(Mandatory = $true)]
+ [ValidateNotNullOrEmpty()]
+ [string]
+ $ServerIP,
+
+ [Parameter(Mandatory = $true)]
+ [ValidateNotNullOrEmpty()]
+ [System.Management.Automation.PSCredential]
+ $Credential,
+
+ [Parameter()]
+ [string[]]
+ $VirtualStandardSwitchGroup,
+
+ [Parameter()]
+ [string[]]
+ $VmGroup
+ )
+
+ Import-DscResource -ModuleName PowerStig
+
+ Node localhost
+ {
+ $psboundParams = $PSBoundParameters
+ $psboundParams.Remove('TechnologyRole')
+ $psboundParams.Remove('ConfigurationData')
+ $psboundParams.Version = $psboundParams['TechnologyVersion']
+ $psboundParams.Remove('TechnologyVersion')
+ $resourceParameters = @(
+ 'Version'
+ 'StigVersion'
+ 'Exception'
+ 'SkipRule'
+ 'SkipRuleType'
+ 'OrgSettings'
+ 'HostIP'
+ 'ServerIP'
+ 'Credential'
+ 'VirtualStandardSwitchGroup'
+ 'VmGroup'
+ )
+
+ $resourceParamString = New-ResourceParameterString -ResourceParameters $resourceParameters -PSBoundParams $psboundParams
+ $resourceScriptBlockString = New-ResourceString -ResourceParameterString $resourceParamString -ResourceName Vsphere
+ & ([scriptblock]::Create($resourceScriptBlockString))
+ }
+}
diff --git a/Tests/Integration/DSCResources/Vsphere.integration.tests.ps1 b/Tests/Integration/DSCResources/Vsphere.integration.tests.ps1
new file mode 100644
index 000000000..441ebc529
--- /dev/null
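Review bot: `$psboundParams = $PSBoundParameters` creates an alias, not a copy, so the three `.Remove(...)` calls and the `Version` insertion inside `Node localhost` mutate the configuration's own `$PSBoundParameters`; if that is the pattern the other config files already use it is harmless here, but an explicit copy such as `$psboundParams = [hashtable]$PSBoundParameters` would make the intent clear. Separately, `$BackwardCompatibilityException` is declared as a parameter but is missing from `$resourceParameters`, so unless `New-ResourceParameterString` (not in this diff) handles it by name it is never forwarded to the Vsphere resource even though the test file sets `$backCompatException`; a comment on the parameter list should state which it is. Building the resource call with `[scriptblock]::Create` from parameter strings also means a quote inside any string parameter breaks or alters the generated code, which is acceptable for test-controlled values but worth a one-line comment at that call.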
+++ b/Tests/Integration/DSCResources/Vsphere.integration.tests.ps1 
@@ -0,0 +1,60 @@
+using module .\helper.psm1
+
+$script:DSCCompositeResourceName = ($MyInvocation.MyCommand.Name -split '\.')[0]
+. $PSScriptRoot\.tests.header.ps1
+
+$configFile = Join-Path -Path $PSScriptRoot -ChildPath "$($script:DSCCompositeResourceName).config.ps1"
+. $configFile
+
+$stigList = Get-StigVersionTable -CompositeResourceName $script:DSCCompositeResourceName
+
+$password = ConvertTo-SecureString -AsPlainText -Force -String 'ThisIsAPlaintextPassword'
+$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList 'Admin', $password
+
+$additionalTestParameterList = @{
+ HostIP = '10.10.10.10'
+ ServerIP = '10.10.10.12'
+ Credential = $credential
+ VmGroup = @('Vm1','Vm2')
+ VirtualStandardSwitchGroup = @('Switch1','Switch2')
+ ConfigurationData = @{
+ AllNodes = @(
+ @{
+ NodeName = 'localhost'
+ PSDscAllowDomainUser = $true
+ PSDscAllowPlainTextPassword = $true
+ }
+ )
+ }
+}
+
+foreach ($stig in $stigList)
+{
+ $orgSettingsPath = $stig.Path.Replace('.xml', '.org.default.xml')
+ $blankSkipRuleId = Get-BlankOrgSettingRuleId -OrgSettingPath $orgSettingsPath
+ $powerstigXml = [xml](Get-Content -Path $stig.Path) |
+ Remove-DscResourceEqualsNone | Remove-SkipRuleBlankOrgSetting -OrgSettingPath $orgSettingsPath
+
+ $skipRule = Get-Random -InputObject $powerstigXml.VsphereAdvancedSettingsRule.Rule.id
+ $skipRuleType = 'VsphereAdvancedSettingsRule'
+ $expectedSkipRuleTypeCount = $powerstigXml.VsphereAdvancedSettingsRule.Rule.Count + $blankSkipRuleId.Count
+
+ $skipRuleMultiple = Get-Random -InputObject $powerstigXml.VsphereAdvancedSettingsRule.Rule.id -Count 2
+ $skipRuleTypeMultiple = @('VsphereAdvancedSettingsRule','VsphereAcceptanceLevelRule')
+ $expectedSkipRuleTypeMultipleCount = ($powerstigXml.VsphereAdvancedSettingsRule.Rule | Measure-Object).Count +
+ ($powerstigXml.VsphereAcceptanceLevelRule.Rule | Measure-Object).Count +
+ ($blankSkipRuleId | Measure-Object).Count
+
+ $getRandomExceptionRuleParams = @{
+ RuleType = 'VsphereAdvancedSettingsRule'
+ PowerStigXml = $powerstigXml
+ ParameterValue = "'ExceptionKey' = 'ExceptionValue'"
+ }
+
+ $exception = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1
+ $exceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1
+ $backCompatException = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 -BackwardCompatibility
+ $backCompatExceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 -BackwardCompatibility
+
+ . "$PSScriptRoot\Common.integration.ps1"
+}
diff --git a/Tests/Integration/DSCResources/WindowsClient.integration.tests.ps1 b/Tests/Integration/DSCResources/WindowsClient.integration.tests.ps1
index 7bcc1867b..90578f61e 100644
--- a/Tests/Integration/DSCResources/WindowsClient.integration.tests.ps1
+++ b/Tests/Integration/DSCResources/WindowsClient.integration.tests.ps1
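Review bot: `$exceptionMultiple` and `$backCompatExceptionMultiple` are built with `-Count 1`, so the "multiple exception" cases in this file exercise a single exception while every sibling test in this PR uses `-Count 2`; if VsphereAdvancedSettingsRule can only carry one exception per run, a comment on those two lines should say so, otherwise change both to `-Count 2`. The hard-coded `'ThisIsAPlaintextPassword'` paired with `PSDscAllowPlainTextPassword = $true` in the configuration data will be flagged by secret scanners and is the kind of snippet that gets copied into real configuration data; a comment above `$password` such as `# Fixture-only credential: exists so the test MOF compiles with PSDscAllowPlainTextPassword; presumably no host is contacted (confirm)` makes the intent explicit.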
@@ -2,52 +2,43 @@ using module .\helper.psm1 $script:DSCCompositeResourceName = ($MyInvocation.MyCommand.Name -split '\.')[0] . $PSScriptRoot\.tests.header.ps1 -# Header -# Using try/finally to always cleanup even if something awful happens. -try -{ - $configFile = Join-Path -Path $PSScriptRoot -ChildPath "$($script:DSCCompositeResourceName).config.ps1" - . $configFile - - $stigList = Get-StigVersionTable -CompositeResourceName $script:DSCCompositeResourceName +$configFile = Join-Path -Path $PSScriptRoot -ChildPath "$($script:DSCCompositeResourceName).config.ps1" +. $configFile - $additionalTestParameterList = @{ - ForestName = 'integration.test' - DomainName = 'integration.test' - } +$stigList = Get-StigVersionTable -CompositeResourceName $script:DSCCompositeResourceName - foreach ($stig in $stigList) - { - $orgSettingsPath = $stig.Path.Replace('.xml', '.org.default.xml') - $blankSkipRuleId = Get-BlankOrgSettingRuleId -OrgSettingPath $orgSettingsPath - $powerstigXml = [xml](Get-Content -Path $stig.Path) | - Remove-DscResourceEqualsNone | Remove-SkipRuleBlankOrgSetting -OrgSettingPath $orgSettingsPath - - $skipRule = Get-Random -InputObject $powerstigXml.RegistryRule.Rule.id - $skipRuleType = "AuditPolicyRule" - $expectedSkipRuleTypeCount = $powerstigXml.AuditPolicyRule.Rule.Count + $blankSkipRuleId.Count - - $skipRuleMultiple = Get-Random -InputObject $powerstigXml.RegistryRule.Rule.id -Count 2 - $skipRuleTypeMultiple = @('AuditPolicyRule','AccountPolicyRule') - $expectedSkipRuleTypeMultipleCount = $powerstigXml.AuditPolicyRule.Rule.Count + - $powerstigXml.AccountPolicyRule.Rule.Count + - $blankSkipRuleId.Count - - $getRandomExceptionRuleParams = @{ - RuleType = 'RegistryRule' - PowerStigXml = $powerstigXml - ParameterValue = 1234567 - } - $exception = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 - $exceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 - $backCompatException = Get-RandomExceptionRule 
@getRandomExceptionRuleParams -Count 1 -BackwardCompatibility - $backCompatExceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 -BackwardCompatibility - - . "$PSScriptRoot\Common.integration.ps1" - } +$additionalTestParameterList = @{ + ForestName = 'integration.test' + DomainName = 'integration.test' } -finally + +foreach ($stig in $stigList) { - Restore-TestEnvironment -TestEnvironment $TestEnvironment + $orgSettingsPath = $stig.Path.Replace('.xml', '.org.default.xml') + $blankSkipRuleId = Get-BlankOrgSettingRuleId -OrgSettingPath $orgSettingsPath + $powerstigXml = [xml](Get-Content -Path $stig.Path) | + Remove-DscResourceEqualsNone | Remove-SkipRuleBlankOrgSetting -OrgSettingPath $orgSettingsPath + + $skipRule = Get-Random -InputObject $powerstigXml.RegistryRule.Rule.id + $skipRuleType = "AuditPolicyRule" + $expectedSkipRuleTypeCount = $powerstigXml.AuditPolicyRule.Rule.Count + $blankSkipRuleId.Count + + $skipRuleMultiple = Get-Random -InputObject $powerstigXml.RegistryRule.Rule.id -Count 2 + $skipRuleTypeMultiple = @('AuditPolicyRule','AccountPolicyRule') + $expectedSkipRuleTypeMultipleCount = $powerstigXml.AuditPolicyRule.Rule.Count + + $powerstigXml.AccountPolicyRule.Rule.Count + + $blankSkipRuleId.Count + + $getRandomExceptionRuleParams = @{ + RuleType = 'RegistryRule' + PowerStigXml = $powerstigXml + ParameterValue = 1234567 + } + $exception = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 + $exceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 + $backCompatException = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 -BackwardCompatibility + $backCompatExceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 -BackwardCompatibility + + . "$PSScriptRoot\Common.integration.ps1" } 
diff --git a/Tests/Integration/DSCResources/WindowsDefender.integration.tests.ps1 b/Tests/Integration/DSCResources/WindowsDefender.integration.tests.ps1
index 474ee2e36..adfb70633 100644
--- a/Tests/Integration/DSCResources/WindowsDefender.integration.tests.ps1
+++ b/Tests/Integration/DSCResources/WindowsDefender.integration.tests.ps1
@@ -2,49 +2,36 @@ using module .\helper.psm1 $script:DSCCompositeResourceName = ($MyInvocation.MyCommand.Name -split '\.')[0] . $PSScriptRoot\.tests.header.ps1 -# Header -# Using try/finally to always cleanup even if something awful happens. -try +$configFile = Join-Path -Path $PSScriptRoot -ChildPath "$($script:DSCCompositeResourceName).config.ps1" +. $configFile + +$stigList = Get-StigVersionTable -CompositeResourceName $script:DSCCompositeResourceName + +foreach ($stig in $stigList) { - #region Integration Tests - $configFile = Join-Path -Path $PSScriptRoot -ChildPath "$($script:DSCCompositeResourceName).config.ps1" - . $configFile - - $stigList = Get-StigVersionTable -CompositeResourceName $script:DSCCompositeResourceName - - #region Integration Tests - - foreach ($stig in $stigList) - { - $orgSettingsPath = $stig.Path.Replace('.xml', '.org.default.xml') - $blankSkipRuleId = Get-BlankOrgSettingRuleId -OrgSettingPath $orgSettingsPath - $powerstigXml = [xml](Get-Content -Path $stig.Path) | - Remove-DscResourceEqualsNone | Remove-SkipRuleBlankOrgSetting -OrgSettingPath $orgSettingsPath - - $skipRule = Get-Random -InputObject $powerstigXml.RegistryRule.Rule.id - $skipRuleType = $null - $expectedSkipRuleTypeCount = 0 + $blankSkipRuleId.Count - - $skipRuleMultiple = Get-Random -InputObject $powerstigXml.RegistryRule.Rule.id -Count 2 - $skipRuleTypeMultiple = $null - $expectedSkipRuleTypeMultipleCount = 0 + $blankSkipRuleId.Count - - $getRandomExceptionRuleParams = @{ - RuleType = 'RegistryRule' - PowerStigXml = $powerstigXml - ParameterValue = 1234567 - } - $exception = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 - $exceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 - $backCompatException = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 -BackwardCompatibility - $backCompatExceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 -BackwardCompatibility - - . 
"$PSScriptRoot\Common.integration.ps1" + $orgSettingsPath = $stig.Path.Replace('.xml', '.org.default.xml') + $blankSkipRuleId = Get-BlankOrgSettingRuleId -OrgSettingPath $orgSettingsPath + $powerstigXml = [xml](Get-Content -Path $stig.Path) | + Remove-DscResourceEqualsNone | Remove-SkipRuleBlankOrgSetting -OrgSettingPath $orgSettingsPath + + $skipRule = Get-Random -InputObject $powerstigXml.RegistryRule.Rule.id + $skipRuleType = $null + $expectedSkipRuleTypeCount = 0 + $blankSkipRuleId.Count + + $skipRuleMultiple = Get-Random -InputObject $powerstigXml.RegistryRule.Rule.id -Count 2 + $skipRuleTypeMultiple = $null + $expectedSkipRuleTypeMultipleCount = 0 + $blankSkipRuleId.Count + + $getRandomExceptionRuleParams = @{ + RuleType = 'RegistryRule' + PowerStigXml = $powerstigXml + ParameterValue = 1234567 } - #endregion Tests -} -finally -{ - Restore-TestEnvironment -TestEnvironment $TestEnvironment + $exception = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 + $exceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 + $backCompatException = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 -BackwardCompatibility + $backCompatExceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 -BackwardCompatibility + + . "$PSScriptRoot\Common.integration.ps1" } diff --git a/Tests/Integration/DSCResources/WindowsDnsServer.integration.tests.ps1 b/Tests/Integration/DSCResources/WindowsDnsServer.integration.tests.ps1 index 53032d09c..c2be396ed 100644 --- a/Tests/Integration/DSCResources/WindowsDnsServer.integration.tests.ps1 +++ b/Tests/Integration/DSCResources/WindowsDnsServer.integration.tests.ps1 
@@ -2,55 +2,46 @@ using module .\helper.psm1 $script:DSCCompositeResourceName = ($MyInvocation.MyCommand.Name -split '\.')[0] . $PSScriptRoot\.tests.header.ps1 -# Header -# Using try/finally to always cleanup even if something awful happens. -try -{ - $configFile = Join-Path -Path $PSScriptRoot -ChildPath "$($script:DSCCompositeResourceName).config.ps1" - . $configFile - - $stigList = Get-StigVersionTable -CompositeResourceName $script:DSCCompositeResourceName +$configFile = Join-Path -Path $PSScriptRoot -ChildPath "$($script:DSCCompositeResourceName).config.ps1" +. $configFile - $additionalTestParameterList = @{ - ForestName = 'integration.test' - DomainName = 'integration.test' - } +$stigList = Get-StigVersionTable -CompositeResourceName $script:DSCCompositeResourceName - foreach ($stig in $stigList) - { - $orgSettingsPath = $stig.Path.Replace('.xml', '.org.default.xml') - $blankSkipRuleId = Get-BlankOrgSettingRuleId -OrgSettingPath $orgSettingsPath - $powerstigXml = [xml](Get-Content -Path $stig.Path) | - Remove-DscResourceEqualsNone | Remove-SkipRuleBlankOrgSetting -OrgSettingPath $orgSettingsPath - - $skipRule = Get-Random -InputObject ($powerstigXml.DnsServerSettingRule.Rule | - Where-Object {[string]::IsNullOrEmpty($PsItem.DuplicateOf)}).id - - $skipRuleType = "PermissionRule" - $expectedSkipRuleTypeCount = ($powerstigXml.PermissionRule.Rule | - Where-Object {[string]::IsNullOrEmpty($PsItem.DuplicateOf)}).Count + $blankSkipRuleId.Count - - $skipRuleMultiple = Get-Random -InputObject ($powerstigXml.DnsServerSettingRule.Rule | - Where-Object {[string]::IsNullOrEmpty($PsItem.DuplicateOf)}).id -Count 2 - $skipRuleTypeMultiple = @('PermissionRule','UserRightRule') - $expectedSkipRuleTypeMultipleCount = ($powerstigXml.PermissionRule.Rule + $powerstigXml.UserRightRule.Rule | - Where-Object {[string]::IsNullOrEmpty($PsItem.DuplicateOf)}).Count + $blankSkipRuleId.Count - - $getRandomExceptionRuleParams = @{ - RuleType = 'UserRightRule' - PowerStigXml = $powerstigXml 
- ParameterValue = 1234567 - } - $exception = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 - $exceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 - $backCompatException = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 -BackwardCompatibility - $backCompatExceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 -BackwardCompatibility - - . "$PSScriptRoot\Common.integration.ps1" - } +$additionalTestParameterList = @{ + ForestName = 'integration.test' + DomainName = 'integration.test' } -finally + +foreach ($stig in $stigList) { - Restore-TestEnvironment -TestEnvironment $TestEnvironment + $orgSettingsPath = $stig.Path.Replace('.xml', '.org.default.xml') + $blankSkipRuleId = Get-BlankOrgSettingRuleId -OrgSettingPath $orgSettingsPath + $powerstigXml = [xml](Get-Content -Path $stig.Path) | + Remove-DscResourceEqualsNone | Remove-SkipRuleBlankOrgSetting -OrgSettingPath $orgSettingsPath + + $skipRule = Get-Random -InputObject ($powerstigXml.DnsServerSettingRule.Rule | + Where-Object {[string]::IsNullOrEmpty($PsItem.DuplicateOf)}).id + + $skipRuleType = "PermissionRule" + $expectedSkipRuleTypeCount = ($powerstigXml.PermissionRule.Rule | + Where-Object {[string]::IsNullOrEmpty($PsItem.DuplicateOf)}).Count + $blankSkipRuleId.Count + + $skipRuleMultiple = Get-Random -InputObject ($powerstigXml.DnsServerSettingRule.Rule | + Where-Object {[string]::IsNullOrEmpty($PsItem.DuplicateOf)}).id -Count 2 + $skipRuleTypeMultiple = @('PermissionRule','UserRightRule') + $expectedSkipRuleTypeMultipleCount = ($powerstigXml.PermissionRule.Rule + $powerstigXml.UserRightRule.Rule | + Where-Object {[string]::IsNullOrEmpty($PsItem.DuplicateOf)}).Count + $blankSkipRuleId.Count + + $getRandomExceptionRuleParams = @{ + RuleType = 'UserRightRule' + PowerStigXml = $powerstigXml + ParameterValue = 1234567 + } + $exception = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 + $exceptionMultiple = 
Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 + $backCompatException = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 -BackwardCompatibility + $backCompatExceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 -BackwardCompatibility + + . "$PSScriptRoot\Common.integration.ps1" } diff --git a/Tests/Integration/DSCResources/WindowsFirewall.integration.tests.ps1 b/Tests/Integration/DSCResources/WindowsFirewall.integration.tests.ps1 index 5449d269c..adfb70633 100644 --- a/Tests/Integration/DSCResources/WindowsFirewall.integration.tests.ps1 +++ b/Tests/Integration/DSCResources/WindowsFirewall.integration.tests.ps1 
@@ -2,45 +2,36 @@ using module .\helper.psm1 $script:DSCCompositeResourceName = ($MyInvocation.MyCommand.Name -split '\.')[0] . $PSScriptRoot\.tests.header.ps1 -# Header -# Using try/finally to always cleanup even if something awful happens. -try +$configFile = Join-Path -Path $PSScriptRoot -ChildPath "$($script:DSCCompositeResourceName).config.ps1" +. $configFile + +$stigList = Get-StigVersionTable -CompositeResourceName $script:DSCCompositeResourceName + +foreach ($stig in $stigList) { - $configFile = Join-Path -Path $PSScriptRoot -ChildPath "$($script:DSCCompositeResourceName).config.ps1" - . $configFile - - $stigList = Get-StigVersionTable -CompositeResourceName $script:DSCCompositeResourceName - - foreach ($stig in $stigList) - { - $orgSettingsPath = $stig.Path.Replace('.xml', '.org.default.xml') - $blankSkipRuleId = Get-BlankOrgSettingRuleId -OrgSettingPath $orgSettingsPath - $powerstigXml = [xml](Get-Content -Path $stig.Path) | - Remove-DscResourceEqualsNone | Remove-SkipRuleBlankOrgSetting -OrgSettingPath $orgSettingsPath - - $skipRule = Get-Random -InputObject $powerstigXml.RegistryRule.Rule.id - $skipRuleType = $null - $expectedSkipRuleTypeCount = 0 + $blankSkipRuleId.Count - - $skipRuleMultiple = Get-Random -InputObject $powerstigXml.RegistryRule.Rule.id -Count 2 - $skipRuleTypeMultiple = $null - $expectedSkipRuleTypeMultipleCount = 0 + $blankSkipRuleId.Count - - $getRandomExceptionRuleParams = @{ - RuleType = 'RegistryRule' - PowerStigXml = $powerstigXml - ParameterValue = 1234567 - } - $exception = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 - $exceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 - $backCompatException = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 -BackwardCompatibility - $backCompatExceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 -BackwardCompatibility - - . 
"$PSScriptRoot\Common.integration.ps1" + $orgSettingsPath = $stig.Path.Replace('.xml', '.org.default.xml') + $blankSkipRuleId = Get-BlankOrgSettingRuleId -OrgSettingPath $orgSettingsPath + $powerstigXml = [xml](Get-Content -Path $stig.Path) | + Remove-DscResourceEqualsNone | Remove-SkipRuleBlankOrgSetting -OrgSettingPath $orgSettingsPath + + $skipRule = Get-Random -InputObject $powerstigXml.RegistryRule.Rule.id + $skipRuleType = $null + $expectedSkipRuleTypeCount = 0 + $blankSkipRuleId.Count + + $skipRuleMultiple = Get-Random -InputObject $powerstigXml.RegistryRule.Rule.id -Count 2 + $skipRuleTypeMultiple = $null + $expectedSkipRuleTypeMultipleCount = 0 + $blankSkipRuleId.Count + + $getRandomExceptionRuleParams = @{ + RuleType = 'RegistryRule' + PowerStigXml = $powerstigXml + ParameterValue = 1234567 } -} -finally -{ - Restore-TestEnvironment -TestEnvironment $TestEnvironment + $exception = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 + $exceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 + $backCompatException = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 -BackwardCompatibility + $backCompatExceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 -BackwardCompatibility + + . "$PSScriptRoot\Common.integration.ps1" } diff --git a/Tests/Integration/DSCResources/WindowsServer.integration.tests.ps1 b/Tests/Integration/DSCResources/WindowsServer.integration.tests.ps1 index b83590514..100f390d2 100644 --- a/Tests/Integration/DSCResources/WindowsServer.integration.tests.ps1 +++ b/Tests/Integration/DSCResources/WindowsServer.integration.tests.ps1 
@@ -2,58 +2,49 @@ using module .\helper.psm1 $script:DSCCompositeResourceName = ($MyInvocation.MyCommand.Name -split '\.')[0] . $PSScriptRoot\.tests.header.ps1 -# Header -# Using try/finally to always cleanup even if something awful happens. -try -{ - $configFile = Join-Path -Path $PSScriptRoot -ChildPath "$($script:DSCCompositeResourceName).config.ps1" - . $configFile +$configFile = Join-Path -Path $PSScriptRoot -ChildPath "$($script:DSCCompositeResourceName).config.ps1" +. $configFile - $stigList = Get-StigVersionTable -CompositeResourceName $script:DSCCompositeResourceName +$stigList = Get-StigVersionTable -CompositeResourceName $script:DSCCompositeResourceName - $additionalTestParameterList = @{ - ForestName = 'integration.test' - DomainName = 'integration.test' - } +$additionalTestParameterList = @{ + ForestName = 'integration.test' + DomainName = 'integration.test' +} - foreach ($stig in $stigList) +foreach ($stig in $stigList) +{ + $orgSettingsPath = $stig.Path.Replace('.xml', '.org.default.xml') + $blankSkipRuleId = Get-BlankOrgSettingRuleId -OrgSettingPath $orgSettingsPath + $powerstigXml = [xml](Get-Content -Path $stig.Path) | + Remove-DscResourceEqualsNone | Remove-SkipRuleBlankOrgSetting -OrgSettingPath $orgSettingsPath + + if ($stig.TechnologyRole -eq 'Domain') { - $orgSettingsPath = $stig.Path.Replace('.xml', '.org.default.xml') - $blankSkipRuleId = Get-BlankOrgSettingRuleId -OrgSettingPath $orgSettingsPath - $powerstigXml = [xml](Get-Content -Path $stig.Path) | - Remove-DscResourceEqualsNone | Remove-SkipRuleBlankOrgSetting -OrgSettingPath $orgSettingsPath - - if ($stig.TechnologyRole -eq 'Domain') - { - continue - } - else - { - $skipRule = Get-Random -InputObject $powerstigXml.RegistryRule.Rule.id - $skipRuleMultiple = Get-Random -InputObject $powerstigXml.RegistryRule.Rule.id -Count 2 - $skipRuleType = "AuditPolicyRule" - $expectedSkipRuleTypeCount = $powerstigXml.AuditPolicyRule.Rule.Count + $blankSkipRuleId.Count - $skipRuleTypeMultiple = 
@('AuditPolicyRule', 'AccountPolicyRule') - $expectedSkipRuleTypeMultipleCount = $powerstigXml.AuditPolicyRule.Rule.Count + - $powerstigXml.AccountPolicyRule.Rule.Count + - $blankSkipRuleId.Count - - $getRandomExceptionRuleParams = @{ - RuleType = 'RegistryRule' - PowerStigXml = $powerstigXml - ParameterValue = 1234567 - } - $exception = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 - $exceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 - $backCompatException = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 -BackwardCompatibility - $backCompatExceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 -BackwardCompatibility + continue + } + else + { + $skipRule = Get-Random -InputObject $powerstigXml.RegistryRule.Rule.id + $skipRuleMultiple = Get-Random -InputObject $powerstigXml.RegistryRule.Rule.id -Count 2 + $skipRuleType = "AuditPolicyRule" + $expectedSkipRuleTypeCount = $powerstigXml.AuditPolicyRule.Rule.Count + $blankSkipRuleId.Count + $skipRuleTypeMultiple = @('AuditPolicyRule', 'AccountPolicyRule') + $expectedSkipRuleTypeMultipleCount = $powerstigXml.AuditPolicyRule.Rule.Count + + $powerstigXml.AccountPolicyRule.Rule.Count + + $blankSkipRuleId.Count + + $getRandomExceptionRuleParams = @{ + RuleType = 'RegistryRule' + PowerStigXml = $powerstigXml + ParameterValue = 1234567 } - - . "$PSScriptRoot\Common.integration.ps1" + $exception = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 + $exceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 + $backCompatException = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 -BackwardCompatibility + $backCompatExceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 -BackwardCompatibility } -} -finally -{ - Restore-TestEnvironment -TestEnvironment $TestEnvironment + + . "$PSScriptRoot\Common.integration.ps1" } 
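Review bot: The `finally { Restore-TestEnvironment -TestEnvironment $TestEnvironment }` block is removed together with the surrounding `try`, so an exception from `Get-RandomExceptionRule` or from the dot-sourced `Common.integration.ps1` now ends the script with no cleanup unless the new `.tests.header.ps1` or `Common.integration.ps1` has taken over that duty, which nothing in this hunk shows; the same removal is visible at the tail of the preceding file's hunk. If cleanup really moved elsewhere, a one-line comment above the `foreach`, such as `# Environment restore is handled by Common.integration.ps1 / the test footer`, would stop the next reader from re-adding it. A smaller point of style: after `continue` in the `Domain` branch the `else` is redundant and the body of the loop could sit one level shallower.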
diff --git a/Tests/Integration/DSCResources/helper.psm1 b/Tests/Integration/DSCResources/helper.psm1 index 8fe6f3c14..77d6f288c 100644 --- a/Tests/Integration/DSCResources/helper.psm1 +++ b/Tests/Integration/DSCResources/helper.psm1 @@ -23,6 +23,7 @@ data exceptionRuleParameterValues AuditSettingRule = 'Operator' ServiceRule = 'StartupType' UserRightRule = 'Identity' + VsphereAdvancedSettingsRule = 'AdvancedSettings' } } #endregion @@ -132,6 +133,38 @@ function Get-ResourceMatchStatement { return '\[xSSLSettings\]' } + 'VsphereAcceptanceLevelRule' + { + return '\[VMHostAcceptanceLevel\]' + } + 'VsphereAdvancedSettingsRule' + { + return '\[VMHostAdvancedSettings\]' + } + 'VsphereKernelActiveDumpPartitionRule' + { + return '\[VMHostVMKernelActiveDumpPartition\]' + } + 'VsphereNtpSettingsRule' + { + return '\[VMHostNtpSettings\]' + } + 'VspherePortGroupSecurityRule' + { + return '\[VMHostVssPortGroupSecurity\]' + } + 'VsphereServiceRule' + { + return '\[VMHostService\]' + } + 'VsphereSnmpAgentRule' + { + return '\[VMHostSnmpAgent\]' + } + 'VsphereVssSecurityRule' + { + return '\[VMHostVssSecurity\]' + } } } 
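Review bot: The `exceptionRuleParameterValues` data block gains only `VsphereAdvancedSettingsRule = 'AdvancedSettings'`, while the second hunk in this file teaches `Get-ResourceMatchStatement` eight Vsphere rule types (VsphereAcceptanceLevelRule, VsphereKernelActiveDumpPartitionRule, VsphereNtpSettingsRule, VspherePortGroupSecurityRule, VsphereServiceRule, VsphereSnmpAgentRule and VsphereVssSecurityRule have no entry). If `Get-RandomExceptionRule` looks this table up by rule type, which the hunk at line 279 suggests but does not show, an exception test against any of those seven types finds nothing. Either add the missing entries or state the rule at the top of the block, e.g. `# Only rule types that expose a property usable as an Exception value appear here; other rule types cannot be fed to Get-RandomExceptionRule`.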
@@ -279,3 +312,175 @@ function Get-RandomExceptionRule } return $stigException } + +<# + .SYNOPSIS + Creates a string representation of the DSC Configuration parameters + + .DESCRIPTION + This function is used to help create parameter strings, specifically when non-string + parameter values are passed to a configuation. If a string parameter value is + passed to this function, it's contents is expanded as a string, however, if a + non-string parameter value is passed, the function will pass the variable name + as a string so that when a scriptblock is created, the contents of that variable + is then expanded at run time. + + .PARAMETER ResourceParameters + An array of Resource Parameters that will be used in the string output + + .PARAMETER PSBoundParams + A hashtable representing the PSBoundParameters that is passed to the DSC Configuration + + .EXAMPLE + This example is used to create a string representation of the configuration block for the + Vsphere PowerSTIG DSC Resource. + + Node localhost + { + $psboundParams = $PSBoundParameters + $psboundParams.Remove('TechnologyRole') + $psboundParams.Remove('ConfigurationData') + $psboundParams.Version = $psboundParams['TechnologyVersion'] + $psboundParams.Remove('TechnologyVersion') + $resourceParameters = @( + 'Version' + 'StigVersion' + 'Exception' + 'SkipRule' + 'SkipRuleType' + 'OrgSettings' + 'HostIP' + 'ServerIP' + 'Credential' + 'VirtualStandardSwitchGroup' + 'VmGroup' + ) + + $resourceParamString = New-ResourceParameterString -ResourceParameters $resourceParameters -PSBoundParams $psboundParams + $resourceScriptBlockString = New-ResourceString -ResourceParameterString $resourceParamString -ResourceName Vsphere + & ([scriptblock]::Create($resourceScriptBlockString)) + } + + .NOTES + This function is derived from "PSDesiredStateConfiguration\BuildResourceCommonParameters" +#> +function New-ResourceParameterString +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [ValidateNotNullOrEmpty()] + 
[System.Array] + $ResourceParameters, + + [Parameter(Mandatory = $true)] + [ValidateNotNullOrEmpty()] + [System.Collections.Hashtable] + $PSBoundParams + ) + + $resourceParameterString = New-Object -TypeName System.Text.StringBuilder + + foreach ($parameterName in $($PSBoundParams.keys)) + { + if ($parameterName -in $ResourceParameters) + { + $value = $PSBoundParams[$parameterName] + if ($null -eq $value) + { + continue + } + + if ($value -is [System.String]) + { + [void] $resourceParameterString.AppendFormat('{0} = "{1}"', $parameterName, $value) + [void] $resourceParameterString.AppendLine() + } + else + { + [void] $resourceParameterString.Append($parameterName + ' = $' + $parameterName) + [void] $resourceParameterString.AppendLine() + } + } + } + + return $resourceParameterString.ToString() +} + +<# + .SYNOPSIS + This function creates a string that represents a DSC Resource with the given + parameters passed to it. + + .DESCRIPTION + This function creates a string that represents a DSC Resource with the given + parameters passed to it (from New-ResourceParameterString). + + .PARAMETER ResourceParameterString + A string from which is generated via New-ResourceParameterString with the parameters + that is passed to it. + + .PARAMETER ResourceName + The resource name for the configuration being used. + + .EXAMPLE + This example is used to create a string representation of the configuration block for the + Vsphere PowerSTIG DSC Resource. 
+ + Node localhost + { + $psboundParams = $PSBoundParameters + $psboundParams.Remove('TechnologyRole') + $psboundParams.Remove('ConfigurationData') + $psboundParams.Version = $psboundParams['TechnologyVersion'] + $psboundParams.Remove('TechnologyVersion') + $resourceParameters = @( + 'Version' + 'StigVersion' + 'Exception' + 'SkipRule' + 'SkipRuleType' + 'OrgSettings' + 'HostIP' + 'ServerIP' + 'Credential' + 'VirtualStandardSwitchGroup' + 'VmGroup' + ) + + $resourceParamString = New-ResourceParameterString -ResourceParameters $resourceParameters -PSBoundParams $psboundParams + $resourceScriptBlockString = New-ResourceString -ResourceParameterString $resourceParamString -ResourceName Vsphere + & ([scriptblock]::Create($resourceScriptBlockString)) + } + + .NOTES + This function is derived from "PSDesiredStateConfiguration\BuildResourceString" +#> +function New-ResourceString +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [ValidateNotNullOrEmpty()] + [string] + $ResourceParameterString, + + [Parameter(Mandatory = $true)] + [ValidateNotNullOrEmpty()] + [string] + $ResourceName + ) + + $resourceString = New-Object -TypeName System.Text.StringBuilder + + [void] $resourceString.AppendFormat('{0} Baseline', $ResourceName) + [void] $resourceString.AppendLine() + [void] $resourceString.AppendLine('{') + [void] $resourceString.AppendLine() + [void] $resourceString.AppendLine($ResourceParameterString) + [void] $resourceString.AppendLine('}') + + return $resourceString.ToString() +} diff --git a/Tests/Integration/.tests.footer.ps1 b/Tests/Integration/Module/.tests.footer.ps1 similarity index 100% rename from Tests/Integration/.tests.footer.ps1 rename to Tests/Integration/Module/.tests.footer.ps1 diff --git a/Tests/Integration/Module/.tests.header.ps1 b/Tests/Integration/Module/.tests.header.ps1 new file mode 100644 index 000000000..2410247ce --- /dev/null +++ b/Tests/Integration/Module/.tests.header.ps1 
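Review bot: `New-ResourceParameterString` interpolates string values straight into `{0} = "{1}"`, and the .EXAMPLE shows the result being executed through `[scriptblock]::Create`, so a value containing a double quote, `$` or a backtick becomes part of the generated code rather than data passed to it. Unless run-time expansion of the value is intended, emit a single-quoted literal with embedded quotes doubled: `[void] $resourceParameterString.AppendFormat("{0} = '{1}'", $parameterName, ($value -replace "'", "''"))`. A second point: when no key of `PSBoundParams` is listed in `ResourceParameters` the function returns an empty string, which `New-ResourceString` then rejects via `[ValidateNotNullOrEmpty()]` on `ResourceParameterString`; that failure mode deserves a sentence in the help or a relaxed validation. The tail of `Get-RandomExceptionRule` at the top of the hunk starts outside it.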
@@ -0,0 +1,21 @@ +# Integration test header +if ((Get-PSCallStack)[1].Command -eq 'PowerStig.Integration.tests.ps1') +{ + $script:moduleName = 'PowerStig' + $extension = 'psd1' +} +else +{ + $script:moduleName = 'PowerStig.Convert' + $extension = 'psm1' +} + +$script:projectRoot = Split-Path -Path (Split-Path -Path (Split-Path -Path $PSScriptRoot -Parent) -Parent) -Parent +$script:buildOutput = Join-Path -Path $projectRoot -ChildPath 'output' +$script:modulePath = (Get-ChildItem -Path $buildOutput -Filter ('{0}.{1}' -f $script:moduleName, $extension) -Recurse).FullName +$script:moduleRoot = Split-Path -Path $script:modulePath -Parent +$script:dscCompositePath = Join-Path -Path $script:moduleRoot -ChildPath 'DSCResources' +$helperModulePath = Join-Path -Path $script:projectRoot -ChildPath 'Tools\TestHelper\TestHelper.psm1' + +Import-Module $helperModulePath -Force +Import-Module $script:modulePath -Force diff --git a/Tests/Integration/.tests.template.ps1 b/Tests/Integration/Module/.tests.template.txt similarity index 62% rename from Tests/Integration/.tests.template.ps1 rename to Tests/Integration/Module/.tests.template.txt index fbee5f7a8..b1a1bcaf5 100644 --- a/Tests/Integration/.tests.template.ps1 +++ b/Tests/Integration/Module/.tests.template.txt @@ -1,6 +1,7 @@ #region Header -. $PSScriptRoot\.tests.Header.ps1 +. $PSScriptRoot\.tests.header.ps1 #endregion + try { #region Test Setup @@ -12,6 +13,6 @@ try } finally { - . $PSScriptRoot\.tests.Footer.ps1 + . $PSScriptRoot\.tests.footer.ps1 } diff --git a/Tests/Integration/AccountPolicyRule.Convert.Integration.tests.ps1 b/Tests/Integration/Module/AccountPolicyRule.Integration.tests.ps1 similarity index 97% rename from Tests/Integration/AccountPolicyRule.Convert.Integration.tests.ps1 rename to Tests/Integration/Module/AccountPolicyRule.Integration.tests.ps1 index 566f668c5..a9cbd3a98 100644 --- a/Tests/Integration/AccountPolicyRule.Convert.Integration.tests.ps1 
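Review bot: `$script:modulePath` is taken from `(Get-ChildItem -Path $buildOutput -Filter ... -Recurse).FullName` with no check on the result, so when `output/` contains more than one build the value is an array and the following `Split-Path` and `Import-Module` lines act on the wrong thing, and when nothing has been built `Import-Module $null` fails with a message that never says the module is missing. Make the lookup explicit: `$moduleFile = Get-ChildItem -Path $buildOutput -Filter ('{0}.{1}' -f $script:moduleName, $extension) -Recurse | Select-Object -First 1`, then `if (-not $moduleFile) { throw "No $script:moduleName.$extension found under $buildOutput; run the build first" }`, then `$script:modulePath = $moduleFile.FullName`. The choice between PowerStig and PowerStig.Convert is keyed on the caller's name as reported by `Get-PSCallStack`, so a comment such as `# Renaming PowerStig.Integration.tests.ps1 changes which module this header loads` would spare the next reader a surprise.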
+++ b/Tests/Integration/Module/AccountPolicyRule.Integration.tests.ps1 @@ -1,11 +1,9 @@ #region Header . $PSScriptRoot\.tests.header.ps1 #endregion + try { - #region Test Setup - #endregion - #region Tests Describe 'ConvertTo-AccountPolicyRule without range' { $checkContent = 'Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". @@ -66,8 +64,8 @@ try $rule.conversionstatus | Should Be 'pass' } } - #endregion } + finally { . $PSScriptRoot\.tests.footer.ps1 diff --git a/Tests/Integration/AuditPolicyRule.Integration.tests.ps1 b/Tests/Integration/Module/AuditPolicyRule.Integration.tests.ps1 similarity index 96% rename from Tests/Integration/AuditPolicyRule.Integration.tests.ps1 rename to Tests/Integration/Module/AuditPolicyRule.Integration.tests.ps1 index 5fe05afd0..bf596a73c 100644 --- a/Tests/Integration/AuditPolicyRule.Integration.tests.ps1 +++ b/Tests/Integration/Module/AuditPolicyRule.Integration.tests.ps1 @@ -4,7 +4,6 @@ try { - #region Test Setup $checkContent = 'Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: @@ -14,8 +13,7 @@ Use the AuditPol tool to review the current Audit Policy configuration: Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Account Management -> Computer Account Management - Success' - #endregion - #region Tests + Describe 'Audit Policy Conversion' { [xml] $stigRule = Get-TestStigRule -CheckContent $checkContent -XccdfTitle Windows $TestFile = Join-Path -Path $TestDrive -ChildPath 'TextData.xml' @@ -41,8 +39,8 @@ Account Management -> Computer Account Management - Success' $rule.conversionstatus | Should be 'pass' } } - #endregion } + finally { . $PSScriptRoot\.tests.footer.ps1 
diff --git a/Tests/Integration/AuditSettingRule.Integration.tests.ps1 b/Tests/Integration/Module/AuditSettingRule.Integration.tests.ps1 similarity index 98% rename from Tests/Integration/AuditSettingRule.Integration.tests.ps1 rename to Tests/Integration/Module/AuditSettingRule.Integration.tests.ps1 index 6ec27effd..9e82dfdce 100644 --- a/Tests/Integration/AuditSettingRule.Integration.tests.ps1 +++ b/Tests/Integration/Module/AuditSettingRule.Integration.tests.ps1 @@ -1,9 +1,9 @@ #region Header . $PSScriptRoot\.tests.header.ps1 #endregion + try { - #region Test Setup $rulesToTest = @( @{ query = "SELECT * FROM Win32_LogicalDisk WHERE DriveType = '3'" @@ -80,8 +80,6 @@ try } ) - #endregion - #region Tests Describe 'AuditSetting Rule Conversion' { foreach ( $testRule in $rulesToTest ) @@ -114,8 +112,8 @@ try } } } - #endregion } + finally { . $PSScriptRoot\.tests.footer.ps1 diff --git a/Tests/Integration/DnsServerRootHintRule.Integration.tests.ps1 b/Tests/Integration/Module/DnsServerRootHintRule.Integration.tests.ps1 similarity index 96% rename from Tests/Integration/DnsServerRootHintRule.Integration.tests.ps1 rename to Tests/Integration/Module/DnsServerRootHintRule.Integration.tests.ps1 index 07ed2a112..657a31283 100644 --- a/Tests/Integration/DnsServerRootHintRule.Integration.tests.ps1 +++ b/Tests/Integration/Module/DnsServerRootHintRule.Integration.tests.ps1 @@ -4,7 +4,6 @@ try { - #region Test Setup $rootHintsCheckContent = @' Note: If the Windows DNS server is in the classified network, this check is Not Applicable. @@ -20,8 +19,7 @@ Verify the "Root Hints" is either empty or only has entries for internal zones u If "Root Hints" is not empty and the entries on the "Root Hints" tab under "Name servers:" are external to the local network, this is a finding. '@ - #endregion - #region Tests + Describe 'DnsServerRootHintRule conversion' { Context 'Root hints' { 
@@ -47,8 +45,8 @@ If "Root Hints" is not empty and the entries on the "Root Hints" tab under "Name } } } - #endregion } + finally { . $PSScriptRoot\.tests.footer.ps1 diff --git a/Tests/Integration/DnsServerSettingRule.Integration.tests.ps1 b/Tests/Integration/Module/DnsServerSettingRule.Integration.tests.ps1 similarity index 97% rename from Tests/Integration/DnsServerSettingRule.Integration.tests.ps1 rename to Tests/Integration/Module/DnsServerSettingRule.Integration.tests.ps1 index 2807ed784..480133f97 100644 --- a/Tests/Integration/DnsServerSettingRule.Integration.tests.ps1 +++ b/Tests/Integration/Module/DnsServerSettingRule.Integration.tests.ps1 @@ -1,10 +1,11 @@ #region Header . $PSScriptRoot\.tests.header.ps1 #endregion + try { - #region Test Setup -$forwardersCheckContent = @' + + $forwardersCheckContent = @' Note: If the Windows DNS server is in the classified network, this check is Not Applicable. Note: In Windows 2008 DNS Server, if forwarders are configured, the recursion setting must also be enabled since disabling recursion will disable @@ -30,7 +31,7 @@ If forwarders are not enabled and configured, and the "Disable recursion (also d selected, this is a finding. '@ -$eventLogLevelCheckContent = @' + $eventLogLevelCheckContent = @' Log on to the DNS server using the Domain Admin or Enterprise Admin account. Press Windows Key + R, execute dnsmgmt.msc. @@ -44,7 +45,7 @@ Verify "Errors and warnings" or "All events" is selected. If any option other than "Errors and warnings" or "All events" is selected, this is a finding. '@ -$multiUserRightRule = @' + $multiUserRightRule = @' Review the DNS server to confirm the server restricts direct and remote console access to users other than Administrators. Verify the effective setting in Local Group Policy Editor. 
@@ -70,7 +71,7 @@ If the following accounts or groups are not defined for the "Deny log on locally Guests Group '@ -$userRightPermissionRuleCombo = @' + $userRightPermissionRuleCombo = @' Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". @@ -104,8 +105,7 @@ Administrators - Full Control If the permissions for these files are not as restrictive as the ACLs listed, this is a finding. '@ - #endregion - #region Tests + Describe 'DnsServerSettingRule conversion' { Context 'Forwarders' { @@ -214,8 +214,8 @@ finding. } } } - #endregion } + finally { . $PSScriptRoot\.tests.footer.ps1 diff --git a/Tests/Integration/DocumentRule.Integration.tests.ps1 b/Tests/Integration/Module/DocumentRule.Integration.tests.ps1 similarity index 95% rename from Tests/Integration/DocumentRule.Integration.tests.ps1 rename to Tests/Integration/Module/DocumentRule.Integration.tests.ps1 index 3eeadfd31..3d5a92304 100644 --- a/Tests/Integration/DocumentRule.Integration.tests.ps1 +++ b/Tests/Integration/Module/DocumentRule.Integration.tests.ps1 @@ -3,14 +3,12 @@ #endregion try { - #region Test Setup $checkContent = 'Determine whether any shared accounts exist. If no shared accounts exist, this is NA. Shared accounts, such as required by an application, may be approved by the organization. This must be documented with the ISSO. Documentation must include the reason for the account, who has access to the account, and how the risk of using the shared account is mitigated to include monitoring account activity. - + If unapproved shared accounts exist, this is a finding.' - #endregion - #region Tests + Describe 'DocumentRule Conversion' { [xml] $stigRule = Get-TestStigRule -CheckContent $checkContent -XccdfTitle 'Windows' $TestFile = Join-Path -Path $TestDrive -ChildPath 'TextData.xml' @@ -33,8 +31,8 @@ try $rule.conversionstatus | Should Be 'pass' } } - #endregion } + finally { . $PSScriptRoot\.tests.Footer.ps1 
diff --git a/Tests/Integration/FileContentRule.Integration.tests.ps1 b/Tests/Integration/Module/FileContentRule.Integration.tests.ps1 similarity index 97% rename from Tests/Integration/FileContentRule.Integration.tests.ps1 rename to Tests/Integration/Module/FileContentRule.Integration.tests.ps1 index d10f260ef..26cd9bea4 100644 --- a/Tests/Integration/FileContentRule.Integration.tests.ps1 +++ b/Tests/Integration/Module/FileContentRule.Integration.tests.ps1 @@ -1,9 +1,9 @@ #region Header . $PSScriptRoot\.tests.header.ps1 #endregion + try { - #region Test Setup $fileContentRulesToTest = @( @{ Key = 'security.default_personal_cert' @@ -34,7 +34,7 @@ try 1. The preference name "app.update.enabled" is set to "false" and locked or - 2. If set to "true" then verify that "app.update.url", "app.update.url.details" and "app.update.url.manual" contain url information that point to a trusted server and is not the default setting. (Default would contain mozilla.com or Mozilla.org). + 2. If set to "true" then verify that "app.update.url", "app.update.url.details" and "app.update.url.manual" contain url information that point to a trusted server and is not the default setting. (Default would contain mozilla.com or Mozilla.org). Criteria: If the parameter is set incorrectly, then this is a finding. If this setting is not locked, then this is a finding.' @@ -46,13 +46,12 @@ try ArchiveFile = 'OracleJRE' CheckContent = 'If the system is on the SIPRNet, this requirement is NA. - Navigate to the system-level "deployment.properties" file for JRE. + Navigate to the system-level "deployment.properties" file for JRE. If the key "deployment.security.revocation.check=ALL_CERTIFICATES" is not present, or is set to "PUBLISHER_ONLY", or "NO_CHECK", this is a finding.' } ) - #endregion - #region Tests + Describe 'FileContentRule Integration Tests' { foreach ($fileContentRule in $fileContentRulesToTest) { @@ -79,8 +78,8 @@ try } } } - #endregion } + finally { . $PSScriptRoot\.tests.footer.ps1 
diff --git a/Tests/Integration/GroupRule.Integration.tests.ps1 b/Tests/Integration/Module/GroupRule.Integration.tests.ps1 similarity index 100% rename from Tests/Integration/GroupRule.Integration.tests.ps1 rename to Tests/Integration/Module/GroupRule.Integration.tests.ps1 diff --git a/Tests/Integration/IISLoggingRule.Integration.tests.ps1 b/Tests/Integration/Module/IISLoggingRule.Integration.tests.ps1 similarity index 98% rename from Tests/Integration/IISLoggingRule.Integration.tests.ps1 rename to Tests/Integration/Module/IISLoggingRule.Integration.tests.ps1 index 18e957805..85bba8283 100644 --- a/Tests/Integration/IISLoggingRule.Integration.tests.ps1 +++ b/Tests/Integration/Module/IISLoggingRule.Integration.tests.ps1 @@ -1,9 +1,9 @@ #region Header . $PSScriptRoot\.tests.header.ps1 -#endregion +# + try { - #region Test Setup $stigRulesToTest = @( @{ LogCustomFieldEntry = @( @@ -88,8 +88,7 @@ try If any of the above fields are not selected, this is a finding.' } ) - #endregion - #region Tests + Describe 'IisLogging Rule Conversion' { foreach ($stig in $stigRulesToTest) @@ -133,8 +132,8 @@ try } } } - #endregion } + finally { . $PSScriptRoot\.tests.footer.ps1 diff --git a/Tests/Integration/ManualRule.Integration.tests.ps1 b/Tests/Integration/Module/ManualRule.Integration.tests.ps1 similarity index 92% rename from Tests/Integration/ManualRule.Integration.tests.ps1 rename to Tests/Integration/Module/ManualRule.Integration.tests.ps1 index 45b331429..0b98bcf29 100644 --- a/Tests/Integration/ManualRule.Integration.tests.ps1 +++ b/Tests/Integration/Module/ManualRule.Integration.tests.ps1 
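Review bot: In IISLoggingRule.Integration.tests.ps1 the `#endregion` that closes `#region Header` is replaced by a bare `#`, and the same slip appears in the ProcessMitigationRule.Integration.tests.ps1 hunk further down, while every other file in this commit keeps `#endregion`. This looks unintended and leaves the Header region unterminated for editors that fold on region markers. Restore `#endregion` in both files.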
@@ -1,12 +1,11 @@ #region Header . $PSScriptRoot\.tests.header.ps1 #endregion + try { - #region Test Setup $checkContent = 'Verify servers are located in controlled access areas that are accessible only to authorized personnel. If systems are not adequately protected, this is a finding.' - #endregion - #region Tests + Describe 'Manual Check Conversion' { [xml] $stigRule = Get-TestStigRule -CheckContent $checkContent -XccdfTitle Windows $TestFile = Join-Path -Path $TestDrive -ChildPath 'TextData.xml' @@ -20,8 +19,8 @@ try $rule.DscResource | Should Be 'None' } } - #endregion } + finally { . $PSScriptRoot\.tests.Footer.ps1 diff --git a/Tests/Integration/MimeTypeRule.Integration.tests.ps1 b/Tests/Integration/Module/MimeTypeRule.Integration.tests.ps1 similarity index 97% rename from Tests/Integration/MimeTypeRule.Integration.tests.ps1 rename to Tests/Integration/Module/MimeTypeRule.Integration.tests.ps1 index 8bf5baf79..91cb8ff52 100644 --- a/Tests/Integration/MimeTypeRule.Integration.tests.ps1 +++ b/Tests/Integration/Module/MimeTypeRule.Integration.tests.ps1 @@ -1,9 +1,9 @@ #region Header . $PSScriptRoot\.tests.header.ps1 #endregion + try { - #region Test Setup $stigRuleToTest = @{ Ensure = 'absent' Extension = @('.exe','.dll','.com','.bat','.csh') @@ -38,8 +38,7 @@ try } $index = 0 - #endregion - #region Tests + Describe 'MimeType Rule Conversion' { [xml] $stigRule = Get-TestStigRule -CheckContent $stigRuleToTest.CheckContent -XccdfTitle 'IIS' @@ -75,8 +74,8 @@ try $index++ } } - #endregion } + finally { . $PSScriptRoot\.tests.footer.ps1 diff --git a/Tests/Integration/PermissionRule.Integration.tests.ps1 b/Tests/Integration/Module/PermissionRule.Integration.tests.ps1 similarity index 97% rename from Tests/Integration/PermissionRule.Integration.tests.ps1 rename to Tests/Integration/Module/PermissionRule.Integration.tests.ps1 index f84d4e2f5..ab85dab65 100644 --- a/Tests/Integration/PermissionRule.Integration.tests.ps1 
+++ b/Tests/Integration/Module/PermissionRule.Integration.tests.ps1 @@ -1,9 +1,9 @@ #region Header . $PSScriptRoot\.tests.header.ps1 #endregion + try { - #region Test Setup $checkContent = 'Verify the permissions on Event Viewer only allow TrustedInstaller permissions to change or modify. If any groups or accounts other than TrustedInstaller have Full control or Modify, this is a finding. @@ -25,10 +25,9 @@ try $principal2 = 'SystemUsers' $permission3 = 'Create Folders' $inheritance = 'This folder, subfolders and files' - #endregion - #region Tests + Describe 'Permission Rule Multiple Principals, same permissions, same line' { - + $checkContent = $checkContent -f $targetExe, $principal1, $permission1, $principalList, $permission2, $principal2, $permission3, $inheritance [xml] $stigRule = Get-TestStigRule -CheckContent $checkContent -XccdfTitle Windows @@ -63,8 +62,8 @@ try $rule.dscresource | Should Be 'NTFSAccessEntry' } } - #endregion } + finally { . $PSScriptRoot\.tests.footer.ps1 diff --git a/Tests/Integration/PowerStig.Integration.tests.ps1 b/Tests/Integration/Module/PowerStig.Integration.tests.ps1 similarity index 79% rename from Tests/Integration/PowerStig.Integration.tests.ps1 rename to Tests/Integration/Module/PowerStig.Integration.tests.ps1 index cb1bb70f1..8c1ef9a86 100644 --- a/Tests/Integration/PowerStig.Integration.tests.ps1 +++ b/Tests/Integration/Module/PowerStig.Integration.tests.ps1 @@ -1,12 +1,5 @@ #region Header -# Convert Class Private functions Header V1 -$script:moduleRoot = Split-Path -Parent (Split-Path -Parent $PSScriptRoot) -$script:moduleName = 'PowerStig' -$script:modulePath = "$($script:moduleRoot)\$($script:moduleName).psd1" -$script:dscCompositePath = Join-Path -Path $script:moduleRoot -ChildPath 'DSCResources' - -Import-Module -Name (Join-Path -Path $script:moduleRoot -ChildPath 'Tools\TestHelper\TestHelper.psm1') -Force -Import-Module $modulePath -Force +. $PSScriptRoot\.tests.header.ps1 #endregion Describe "$moduleName module" { 
@@ -51,4 +44,11 @@ Describe "$moduleName module" { $compare.Count | Should Be 0 } } + + Context 'Import PowerSTIG should not throw' { + + It "Should not throw and error" { + {Import-Module PowerSTIG} | Should -Not -Throw + } + } } diff --git a/Tests/Integration/ProcessMitigationRule.Integration.tests.ps1 b/Tests/Integration/Module/ProcessMitigationRule.Integration.tests.ps1 similarity index 98% rename from Tests/Integration/ProcessMitigationRule.Integration.tests.ps1 rename to Tests/Integration/Module/ProcessMitigationRule.Integration.tests.ps1 index d44bcc69c..1bb87345d 100644 --- a/Tests/Integration/ProcessMitigationRule.Integration.tests.ps1 +++ b/Tests/Integration/Module/ProcessMitigationRule.Integration.tests.ps1 @@ -1,9 +1,9 @@ #region Header . $PSScriptRoot\.tests.header.ps1 -#endregion +# + try { - #region Test Setup $mitigationsRulesToTest = @( @{ MitigationTarget = 'System' @@ -76,8 +76,7 @@ try The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here.' } ) - #endregion - #region Tests + Describe 'ProcessMitigation Integration Tests' { foreach ($mitigationsRule in $mitigationsRulesToTest) { @@ -127,8 +126,8 @@ try } } } - #endregion } + finally { . $PSScriptRoot\.tests.footer.ps1 diff --git a/Tests/Integration/RegistryRule.Integration.tests.ps1 b/Tests/Integration/Module/RegistryRule.Integration.tests.ps1 similarity index 99% rename from Tests/Integration/RegistryRule.Integration.tests.ps1 rename to Tests/Integration/Module/RegistryRule.Integration.tests.ps1 index f0ad9ecd8..0ee78cc93 100644 --- a/Tests/Integration/RegistryRule.Integration.tests.ps1 +++ b/Tests/Integration/Module/RegistryRule.Integration.tests.ps1 @@ -1,9 +1,10 @@ #region Header . $PSScriptRoot\.tests.header.ps1 #endregion + try { - #region Test Setup + $registriesToTest = @( @{ Id = 'Rule1' 
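Review bot: The new context imports the module by name, `{Import-Module PowerSTIG} | Should -Not -Throw`, so PowerShell resolves whichever PowerSTIG is first on `$env:PSModulePath`, possibly an installed release rather than the build the header just loaded, and the assertion passes or fails for the wrong module. Import the path the header computed instead: `{Import-Module -Name $script:modulePath -Force} | Should -Not -Throw`. The It name reads "Should not throw and error"; "an error" is meant. The enclosing Describe block starts outside the hunk.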
@@ -186,8 +187,7 @@ try Criteria: If the uAction does not have a value of 5, this is a finding.' } ) - #endregion - #region Tests + Describe 'Registry basic settings conversion' { foreach ($registry in $registriesToTest) @@ -231,8 +231,8 @@ try } } } - #endregion } + finally { . $PSScriptRoot\.tests.footer.ps1 diff --git a/Tests/Integration/SecurityOptionRule.Integration.tests.ps1 b/Tests/Integration/Module/SecurityOptionRule.Integration.tests.ps1 similarity index 97% rename from Tests/Integration/SecurityOptionRule.Integration.tests.ps1 rename to Tests/Integration/Module/SecurityOptionRule.Integration.tests.ps1 index a5d788f80..60aeaff3c 100644 --- a/Tests/Integration/SecurityOptionRule.Integration.tests.ps1 +++ b/Tests/Integration/Module/SecurityOptionRule.Integration.tests.ps1 @@ -1,9 +1,9 @@ #region Header . $PSScriptRoot\.tests.header.ps1 #endregion + try { - #region Test Setup $testStrings = @( @{ OptionName = 'Network security: Force logoff when logon hours expire' @@ -29,8 +29,7 @@ try If the value for "Accounts: Rename administrator account" is not set to a value other than "Administrator", this is a finding.' } ) - #endregion - #region Tests + Describe 'Security Option Conversion' { foreach ( $testString in $testStrings ) @@ -63,8 +62,8 @@ try } } } - #endregion } + finally { . $PSScriptRoot\.tests.footer.ps1 diff --git a/Tests/Integration/ServiceRule.Integration.tests.ps1 b/Tests/Integration/Module/ServiceRule.Integration.tests.ps1 similarity index 98% rename from Tests/Integration/ServiceRule.Integration.tests.ps1 rename to Tests/Integration/Module/ServiceRule.Integration.tests.ps1 index 1e796ae86..f36efcaa2 100644 --- a/Tests/Integration/ServiceRule.Integration.tests.ps1 +++ b/Tests/Integration/Module/ServiceRule.Integration.tests.ps1 @@ -1,9 +1,9 @@ #region Header . $PSScriptRoot\.tests.header.ps1 #endregion + try { - #region Test Setup $servicesToTest = @( @{ ServiceName = 'masvc' 
@@ -65,8 +65,7 @@ try ConversionStatus = 'fail' } ) - #endregion - #region Tests + Describe 'Single Service Rule Conversion' { foreach ( $service in $servicesToTest) @@ -172,8 +171,8 @@ try } } } - #endregion } + finally { . $PSScriptRoot\.tests.footer.ps1 diff --git a/Tests/Integration/SqlScriptQueryRule.Integration.tests.ps1 b/Tests/Integration/Module/SqlScriptQueryRule.Integration.tests.ps1 similarity index 99% rename from Tests/Integration/SqlScriptQueryRule.Integration.tests.ps1 rename to Tests/Integration/Module/SqlScriptQueryRule.Integration.tests.ps1 index 9c4d91c93..bcaadc41f 100644 --- a/Tests/Integration/SqlScriptQueryRule.Integration.tests.ps1 +++ b/Tests/Integration/Module/SqlScriptQueryRule.Integration.tests.ps1 @@ -1,9 +1,9 @@ #region Header . $PSScriptRoot\.tests.header.ps1 #endregion + try { - #region Test Setup $stigRulesToTest = @( @{ GetScript = "SELECT name from sysdatabases where name like 'AdventureWorks%'" @@ -125,8 +125,7 @@ try GO" } ) - #endregion - #region Tests + Describe 'SqlScriptQuery Rule Conversion' { foreach ( $stig in $stigRulesToTest ) { @@ -176,8 +175,8 @@ try } } } - #endregion } + finally { . $PSScriptRoot\.tests.footer.ps1 diff --git a/Tests/Integration/SslSettingsRule.Integration.tests.ps1 b/Tests/Integration/Module/SslSettingsRule.Integration.tests.ps1 similarity index 96% rename from Tests/Integration/SslSettingsRule.Integration.tests.ps1 rename to Tests/Integration/Module/SslSettingsRule.Integration.tests.ps1 index dd4bdbdd7..f5ff0cf70 100644 --- a/Tests/Integration/SslSettingsRule.Integration.tests.ps1 +++ b/Tests/Integration/Module/SslSettingsRule.Integration.tests.ps1 @@ -1,9 +1,9 @@ #region Header . $PSScriptRoot\.tests.header.ps1 #endregion + try { - #region Test Setup $stigRulesToTest = @( @{ Value = 'Ssl' @@ -24,8 +24,7 @@ try If the "Require SSL" check box is not selected, this is a finding.' } ) - #endregion - #region Tests + Describe 'SslSettings Rule Conversion' { foreach ( $stig in $stigRulesToTest ) 
@@ -49,8 +48,8 @@ try } } } - #endregion } + finally { . $PSScriptRoot\.tests.footer.ps1 diff --git a/Tests/Integration/UserRightsAssignmentRule.Integration.tests.ps1 b/Tests/Integration/Module/UserRightsAssignmentRule.Integration.tests.ps1 similarity index 98% rename from Tests/Integration/UserRightsAssignmentRule.Integration.tests.ps1 rename to Tests/Integration/Module/UserRightsAssignmentRule.Integration.tests.ps1 index be853f160..4156b6ede 100644 --- a/Tests/Integration/UserRightsAssignmentRule.Integration.tests.ps1 +++ b/Tests/Integration/Module/UserRightsAssignmentRule.Integration.tests.ps1 @@ -1,9 +1,9 @@ #region Header . $PSScriptRoot\.tests.header.ps1 #endregion + try { - #region Test Setup $rulesToTest = @( @{ displayName = 'Act as part of the operating system' @@ -86,8 +86,7 @@ try Microsoft Security Advisory Patch 2871997 adds the new security groups to Windows Server 2012.' } ) - #endregion - #region Tests + Describe 'User Rights Assignment Conversion' { foreach ( $testRule in $rulesToTest ) @@ -123,8 +122,8 @@ try } } } - #endregion } + finally { . $PSScriptRoot\.tests.footer.ps1 diff --git a/Tests/Integration/Module/VsphereAcceptanceLevelRule.Integration.tests.ps1 b/Tests/Integration/Module/VsphereAcceptanceLevelRule.Integration.tests.ps1 new file mode 100644 index 000000000..23512349c --- /dev/null +++ b/Tests/Integration/Module/VsphereAcceptanceLevelRule.Integration.tests.ps1 
@@ -0,0 +1,57 @@ +#region Header +. $PSScriptRoot\.tests.header.ps1 +#endregion + +$testCases = @( + @{ + Level = 'PartnerSupported' + CheckContent = 'From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Security Profile. Under "Host Image Profile Acceptance Level" view the acceptance level. + + or + + From a PowerCLI command prompt while connected to the ESXi host run the following commands: + + $esxcli = Get-EsxCli + $esxcli.software.acceptance.get() + + If the acceptance level is CommunitySupported, this is a finding.' + FixText = 'From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Security Profile. Under "Host Image Profile Acceptance Level" click Edit… and use the pull-down selection, set the acceptance level to be VMwareCertified, VMwareAccepted, or PartnerSupported. + + or + + From a PowerCLI command prompt while connected to the ESXi host run the following commands: + + $esxcli = Get-EsxCli + $esxcli.software.acceptance.Set("PartnerSupported") + + Note: VMwareCertified or VMwareAccepted may be substituted for PartnerSupported, depending upon local requirements.' + } +) + +try +{ + Describe 'VsphereAcceptanceLevel Rule Conversion' { + + Context "When VsphereAcceptanceLevel is converted" { + + It 'Should return a correctly converted "" Rule' -TestCases $testCases { + param ($Level, $CheckContent, $FixText) + + [xml] $stigRule = Get-TestStigRule -CheckContent $CheckContent -FixText $FixText -XccdfTitle 'Vsphere' + $testFile = Join-Path -Path $TestDrive -ChildPath 'TextData.xml' + $stigRule.Save($testFile) + $rule = ConvertFrom-StigXccdf -Path $testFile + + $rule.GetType().Name | Should -Be 'VsphereAcceptanceLevelRule' + $rule.Level | Should -Be $Level + $rule.DscResource | Should -Be 'VMHostAcceptanceLevel' + $rule.ConversionStatus | Should -Be 'pass' + } + } + } +} + +finally +{ + . $PSScriptRoot\.tests.footer.ps1 +} 
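Review bot: The test name `It 'Should return a correctly converted "" Rule'` carries an empty quoted placeholder where the rule name was presumably meant to go, so every case is reported as 'converted "" Rule'; `It 'Should return a correctly converted VsphereAcceptanceLevel Rule'` would identify the assertion. The same placeholder appears in the other new files of this commit: VsphereAdvancedSettingsRule, VsphereKernelActiveDumpPartitionRule, VsphereNtpSettingsRule, VspherePortGroupSecurityRule, VsphereServiceRule, VsphereSnmpAgentRule and VsphereVssSecurityRule.Integration.tests.ps1. Those eight files also share byte-identical Describe/Context/It scaffolding and differ only in the test-case hashtable and the asserted properties, so a shared helper would keep future rule tests consistent.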
diff --git a/Tests/Integration/Module/VsphereAdvancedSettingsRule.Integration.tests.ps1 b/Tests/Integration/Module/VsphereAdvancedSettingsRule.Integration.tests.ps1
new file mode 100644
index 000000000..97af7839a
--- /dev/null
+++ b/Tests/Integration/Module/VsphereAdvancedSettingsRule.Integration.tests.ps1
@@ -0,0 +1,76 @@ +#region Header +. $PSScriptRoot\.tests.header.ps1 +#endregion + +$testCases = @( + @{ + AdvancedSettings = "'DCUI.Access' = 'root'" + CheckContent = 'From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the DCUI.Access value and verify only the root user is listed. + + or + + From a PowerCLI command prompt while connected to the ESXi host run the following command: + + Get-VMHost | Get-AdvancedSetting -Name DCUI.Access and verify it is set to root. + + If the DCUI.Access is not restricted to root, this is a finding. + + Note: This list is only for local user accounts and should only contain the root user. + + For environments that do not use vCenter server to manage ESXi, this is not applicable.' + FixText = 'From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click Edit and select the DCUI.Access value and configure it to root. + + or + + From a PowerCLI command prompt while connected to the ESXi host run the following command: + + Get-VMHost | Get-AdvancedSetting -Name DCUI.Access | Set-AdvancedSetting -Value "root"' + } + @{ + AdvancedSettings = "'UserVars.ESXiShellInteractiveTimeOut' = '600'" + CheckContent = 'From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the UserVars.ESXiShellInteractiveTimeOut value and verify it is set to 600 (10 Minutes). + + or + + From a PowerCLI command prompt while connected to the ESXi host run the following command: + + Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut + + If the UserVars.ESXiShellInteractiveTimeOut setting is not set to 600, this is a finding.' + FixText = 'From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click Edit and select the UserVars.ESXiShellInteractiveTimeOut value and configure it to 600. 
+ + or + + From a PowerCLI command prompt while connected to the ESXi host run the following commands: + + Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut | Set-AdvancedSetting -Value 600' + } +) + +try +{ + Describe 'VsphereAdvancedSettings Rule Conversion' { + + Context 'When VsphereAdvancedSettings is converted' { + + It 'Should return a correctly converted "" Rule' -TestCases $testCases { + param ($AdvancedSettings, $CheckContent, $FixText) + + [xml] $stigRule = Get-TestStigRule -Checkcontent $CheckContent -FixText $FixText -XccdfTitle 'Vsphere' + $testFile = Join-Path -Path $TestDrive -ChildPath 'TextData.xml' + $stigRule.Save($testFile) + $rule = ConvertFrom-StigXccdf -Path $testFile + + $rule.GetType().Name | Should -Be 'VsphereAdvancedSettingsRule' + $rule.AdvancedSettings | Should -Be $AdvancedSettings + $rule.DscResource | Should -Be 'VMHostAdvancedSettings' + $rule.ConversionStatus | Should -Be 'pass' + } + } + } +} + +finally +{ + . $PSScriptRoot\.tests.footer.ps1 +} diff --git a/Tests/Integration/Module/VsphereKernelActiveDumpPartitionRule.Integration.tests.ps1 b/Tests/Integration/Module/VsphereKernelActiveDumpPartitionRule.Integration.tests.ps1 new file mode 100644 index 000000000..15572438d --- /dev/null +++ b/Tests/Integration/Module/VsphereKernelActiveDumpPartitionRule.Integration.tests.ps1 
@@ -0,0 +1,69 @@ +#region Header +. $PSScriptRoot\.tests.header.ps1 +#endregion + +$testCases = @( + @{ + Enabled = '$true' + CheckContent = 'From the vSphere Web Client select the ESXi Host and right click. If the "Add Diagnostic Partition" option is greyed out then core dumps are configured. + + or + + From a PowerCLI command prompt while connected to the ESXi host run the following commands: + + $esxcli = Get-EsxCli + $esxcli.system.coredump.partition.get() + $esxcli.system.coredump.network.get() + + The first command prepares for the other two. The second command shows whether there is an active core dump partition configured. The third command shows whether a network core dump collector is configured and enabled, via the "HostVNic", "NetworkServerIP", "NetworkServerPort", and "Enabled" variables. + + If there is no active core dump partition or the network core dump collector is not configured and enabled, this is a finding.' + FixText = 'From the vSphere Web Client select the ESXi Host and right click. Select the "Add Diagnostic Partition" option configure a core dump diagnostic partition. 
+ + or + + From a PowerCLI command prompt while connected to the ESXi host run at least one of the following sets of commands: + + To configure a core dump partition: + + $esxcli = Get-EsxCli + #View available partitions to configure + $esxcli.system.coredump.partition.list() + $esxcli.system.coredump.partition.set($null,"PartitionName",$null,$null) + + To configure a core dump collector: + + $esxcli = Get-EsxCli + $esxcli.system.coredump.network.set($null,"vmkernel port to use",$null,"CollectorIP","CollectorPort") + $esxcli.system.coredump.network.set($true) + ' + } +) + +try +{ + Describe 'VsphereKernelActiveDumpPartition Rule Conversion' { + + Context 'When VsphereKernelActiveDumpPartition is converted' { + + It 'Should return a correctly converted "" Rule' -TestCases $testCases { + param ($Enabled, $CheckContent, $FixText) + + [xml] $stigRule = Get-TestStigRule -Checkcontent $CheckContent -FixText $FixText -XccdfTitle 'Vsphere' + $testFile = Join-Path -Path $TestDrive -ChildPath 'TextData.xml' + $stigRule.Save($testFile) + $rule = ConvertFrom-StigXccdf -Path $testFile + + $rule.GetType().Name | Should -Be 'VsphereKernelActiveDumpPartitionRule' + $rule.Enabled | Should -Be $Enabled + $rule.DscResource | Should -Be 'VMHostKernelActiveDumpPartition' + $rule.ConversionStatus | Should -Be 'pass' + } + } + } +} + +finally +{ + . $PSScriptRoot\.tests.footer.ps1 +} diff --git a/Tests/Integration/Module/VsphereNtpSettingsRule.Integration.tests.ps1 b/Tests/Integration/Module/VsphereNtpSettingsRule.Integration.tests.ps1 new file mode 100644 index 000000000..695103c5f --- /dev/null +++ b/Tests/Integration/Module/VsphereNtpSettingsRule.Integration.tests.ps1 
@@ -0,0 +1,46 @@ +#region Header +. $PSScriptRoot\.tests.header.ps1 +#endregion + +$testCases = @( + @{ + OrganizationValueTestString = '{0} is set to a string array of authoritative DoD time sources' + CheckContent = 'From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Time Configuration. Click Edit to verify the configured NTP servers and service startup policy. + + or + + From a PowerCLI command prompt while connected to the ESXi host run the following command: + + Get-VMHost | Get-VMHostNTPServer + + If the NTP service is not configured with authoritative DoD time sources and the service is not configured to start and stop with the host and is running, this is a finding.' + } +) + +try +{ + Describe 'VsphereNtpSettings Rule Conversion' { + + Context 'When VsphereNtpSettings is converted' { + + It 'Should return a correctly converted "" Rule' -TestCases $testCases { + param ($OrganizationValueTestString, $CheckContent) + + [xml] $stigRule = Get-TestStigRule -Checkcontent $CheckContent -XccdfTitle 'Vsphere' -GroupId 'V-94039' + $testFile = Join-Path -Path $TestDrive -ChildPath 'TextData.xml' + $stigRule.Save($testFile) + $rule = ConvertFrom-StigXccdf -Path $testFile + + $rule.GetType().Name | Should -Be 'VsphereNtpSettingsRule' + $rule.OrganizationValueTestString | Should -Be $OrganizationValueTestString + $rule.DscResource | Should -Be 'VMHostNtpSettings' + $rule.ConversionStatus | Should -Be 'pass' + } + } + } +} + +finally +{ + . $PSScriptRoot\.tests.footer.ps1 +} diff --git a/Tests/Integration/Module/VspherePortGroupSecurityRule.Integration.tests.ps1 b/Tests/Integration/Module/VspherePortGroupSecurityRule.Integration.tests.ps1 new file mode 100644 index 000000000..6670e65fc --- /dev/null +++ b/Tests/Integration/Module/VspherePortGroupSecurityRule.Integration.tests.ps1 
@@ -0,0 +1,55 @@ +#region Header +. $PSScriptRoot\.tests.header.ps1 +#endregion + +$testCases = @( + @{ + VmGroup = @('VM1','VM2') + MacChangesInherited = '$true' + CheckContent = 'From the vSphere Web Client go to Configure >> Networking >> Virtual Switches. View the properties on each virtual switch and port group and verify "MAC Address Changes" is set to reject. + + or + + From a PowerCLI command prompt while connected to the ESXi host run the following commands: + + Get-VirtualPortGroup | Get-SecurityPolicy + + If the "MAC Address Changes" policy is set to accept, this is a finding.' + FixText = 'From the vSphere Web Client go to Configure >> Networking >> Virtual Switches. For each virtual switch and port group click Edit settings and change "MAC Address Changes" to reject. + + or + + From a PowerCLI command prompt while connected to the ESXi host run the following commands: + + Get-VirtualPortGroup | Get-SecurityPolicy | Set-SecurityPolicy -MacChangesInherited $true' + + } +) + +try +{ + Describe 'VspherePortGroupSecurity Rule Conversion' { + + Context 'When VspherePortGroupSecurity is converted' { + + It 'Should return a correctly converted "" Rule' -TestCases $testCases { + param ($VmGroup, $MacChangesInherited, $CheckContent, $FixText) + + [xml] $stigRule = Get-TestStigRule -Checkcontent $CheckContent -FixText $FixText -XccdfTitle 'Vsphere' + $testFile = Join-Path -Path $TestDrive -ChildPath 'TextData.xml' + $stigRule.Save($testFile) + $rule = ConvertFrom-StigXccdf -Path $testFile + + $rule.GetType().Name | Should -Be 'VspherePortGroupSecurityRule' + $rule.MacChangesInherited | Should -Be $MacChangesInherited + $rule.DscResource | Should -Be 'VMHostVssPortGroupSecurity' + $rule.ConversionStatus | Should -Be 'pass' + } + } + } +} + +finally +{ + . $PSScriptRoot\.tests.footer.ps1 +} 
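Review bot: `VmGroup = @('VM1','VM2')` is declared in the test case and received by `param ($VmGroup, $MacChangesInherited, $CheckContent, $FixText)`, but no assertion uses it, so the test does not verify that the VM group reaches the converted rule. Either assert it, `$rule.VmGroup | Should -Be $VmGroup`, if the rule type exposes such a property (not visible here), or drop the unused key so the test data documents only what is checked. VsphereVssSecurityRule.Integration.tests.ps1 has the same unused `VirtualStandardSwitchGroup` parameter.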
diff --git a/Tests/Integration/Module/VsphereServiceRule.Integration.tests.ps1 b/Tests/Integration/Module/VsphereServiceRule.Integration.tests.ps1 new file mode 100644 index 000000000..de13cc7fc --- /dev/null +++ b/Tests/Integration/Module/VsphereServiceRule.Integration.tests.ps1 @@ -0,0 +1,50 @@ +#region Header +. $PSScriptRoot\.tests.header.ps1 +#endregion + +$testCases = @( + @{ + Key = 'TSM-SSH' + Policy = 'off' + Running = 'False' + CheckContent = 'From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Security Profile. Under Services select Edit and view the "SSH" service and verify it is stopped. + + or + + From a PowerCLI command prompt while connected to the ESXi host run the following command: + + Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"} + + If the ESXi SSH service is running, this is a finding.' + } +) + +try +{ + Describe 'VsphereService Rule Conversion' { + + Context 'When VsphereService is converted' { + + It 'Should return a correctly converted "" Rule' -TestCases $testCases { + param ($Key, $Policy, $Running, $CheckContent) + + [xml] $stigRule = Get-TestStigRule -Checkcontent $CheckContent -XccdfTitle 'Vsphere' + $testFile = Join-Path -Path $TestDrive -ChildPath 'TextData.xml' + $stigRule.Save($testFile) + $rule = ConvertFrom-StigXccdf -Path $testFile + + $rule.GetType().Name | Should -Be 'VsphereServiceRule' + $rule.Key | Should -Be $Key + $rule.Policy | Should -Be $Policy + $rule.Running | Should -Be $Running + $rule.DscResource | Should -Be 'VMHostService' + $rule.ConversionStatus | Should -Be 'pass' + } + } + } +} + +finally +{ + . $PSScriptRoot\.tests.footer.ps1 +} diff --git a/Tests/Integration/Module/VsphereSnmpAgentRule.Integration.tests.ps1 b/Tests/Integration/Module/VsphereSnmpAgentRule.Integration.tests.ps1 new file mode 100644 index 000000000..759ce4e55 --- /dev/null +++ b/Tests/Integration/Module/VsphereSnmpAgentRule.Integration.tests.ps1 
@@ -0,0 +1,65 @@ +#region Header +. $PSScriptRoot\.tests.header.ps1 +#endregion + +$testCases = @( + @{ + Enabled = '$false' + CheckContent = 'From a PowerCLI command prompt while connected to the ESXi host run the following command: + + Get-VMHostSnmp | Select * + + or + + From a console or ssh session run the follow command: + + esxcli system snmp get + + If SNMP is not in use and is enabled, this is a finding. + + If SNMP is enabled and read only communities is set to public, this is a finding. + + If SNMP is enabled and is not using v3 targets, this is a finding. + + Note: SNMP v3 targets can only be viewed and configured from the esxcli command.' + FixText = 'To disable SNMP run the following command from a PowerCLI command prompt while connected to the ESXi Host: + + Get-VMHostSnmp | Set-VMHostSnmp -Enabled $false + + or + + From a console or ssh session run the follow command: + + esxcli system snmp set -e no + + To configure SNMP for v3 targets use the "esxcli system snmp set" command set.' + } +) + +try +{ + Describe 'VsphereSnmpAgent Rule Conversion' { + + Context 'When VsphereSnmpAgent is converted' { + + It 'Should return a correctly converted "" Rule' -TestCases $testCases { + param ($Enabled, $CheckContent, $FixText) + + [xml] $stigRule = Get-TestStigRule -Checkcontent $CheckContent -FixText $FixText -XccdfTitle 'Vsphere' + $testFile = Join-Path -Path $TestDrive -ChildPath 'TextData.xml' + $stigRule.Save($testFile) + $rule = ConvertFrom-StigXccdf -Path $testFile + + $rule.GetType().Name | Should -Be 'VsphereSnmpAgentRule' + $rule.Enabled | Should -Be $Enabled + $rule.DscResource | Should -Be 'VMHostSnmpAgent' + $rule.ConversionStatus | Should -Be 'pass' + } + } + } +} + +finally +{ + . $PSScriptRoot\.tests.footer.ps1 +} diff --git a/Tests/Integration/Module/VsphereVssSecurityRule.Integration.tests.ps1 b/Tests/Integration/Module/VsphereVssSecurityRule.Integration.tests.ps1 new file mode 100644 index 000000000..cc069f41e --- /dev/null 
+++ b/Tests/Integration/Module/VsphereVssSecurityRule.Integration.tests.ps1 @@ -0,0 +1,54 @@ +#region Header +. $PSScriptRoot\.tests.header.ps1 +#endregion + +$testCases = @( + @{ + VirtualStandardSwitchGroup = @('Switch1','Switch2') + ForgedTransmits = '$false' + CheckContent = 'From the vSphere Web Client go to Configure >> Networking >> Virtual Switches. View the properties on each virtual switch and port group and verify "Forged Transmits" is set to reject. + + or + + From a PowerCLI command prompt while connected to the ESXi host run the following commands: + + Get-VirtualSwitch | Get-SecurityPolicy + + If the "Forged Transmits" policy is set to accept, this is a finding.' + FixText = 'From the vSphere Web Client go to Configure >> Networking >> Virtual Switches. For each virtual switch and port group click Edit settings and change "Forged Transmits" to reject. + + or + + From a PowerCLI command prompt while connected to the ESXi host run the following commands: + + Get-VirtualSwitch | Get-SecurityPolicy | Set-SecurityPolicy -ForgedTransmits $false' + } +) + +try +{ + Describe 'VsphereVssSecurity Rule Conversion' { + + Context 'When VsphereVssSecurity is converted' { + + It 'Should return a correctly converted "" Rule' -TestCases $testCases { + param ($VirtualStandardSwitchGroup, $ForgedTransmits, $CheckContent, $FixText) + + [xml] $stigRule = Get-TestStigRule -Checkcontent $CheckContent -FixText $FixText -XccdfTitle 'Vsphere' + $testFile = Join-Path -Path $TestDrive -ChildPath 'TextData.xml' + $stigRule.Save($testFile) + $rule = ConvertFrom-StigXccdf -Path $testFile + + $rule.GetType().Name | Should -Be 'VsphereVssSecurityRule' + $rule.ForgedTransmits | Should -Be $ForgedTransmits + $rule.DscResource | Should -Be 'VMHostVssSecurity' + $rule.ConversionStatus | Should -Be 'pass' + } + } + } +} + +finally +{ + . $PSScriptRoot\.tests.footer.ps1 +} 
diff --git a/Tests/Integration/WebAppPoolRule.Integration.tests.ps1 b/Tests/Integration/Module/WebAppPoolRule.Integration.tests.ps1 similarity index 96% rename from Tests/Integration/WebAppPoolRule.Integration.tests.ps1 rename to Tests/Integration/Module/WebAppPoolRule.Integration.tests.ps1 index 1845e1886..79c8a99a5 100644 --- a/Tests/Integration/WebAppPoolRule.Integration.tests.ps1 +++ b/Tests/Integration/Module/WebAppPoolRule.Integration.tests.ps1 @@ -1,9 +1,9 @@ #region Header . $PSScriptRoot\.tests.header.ps1 #endregion + try { - #region Test Setup $stigRulesToTest = @( @{ Key = 'rapidFailProtection' @@ -36,8 +36,7 @@ try If the value for "Ping Enabled" is not set to "True", this is a finding.' } ) - #endregion - #region Tests + Describe 'WebAppPool Rule Conversion' { foreach ( $stig in $stigRulesToTest ) @@ -64,8 +63,8 @@ try } } } - #endregion } + finally { . $PSScriptRoot\.tests.footer.ps1 diff --git a/Tests/Integration/WebConfigurationPropertyRule.Integration.tests.ps1 b/Tests/Integration/Module/WebConfigurationPropertyRule.Integration.tests.ps1 similarity index 97% rename from Tests/Integration/WebConfigurationPropertyRule.Integration.tests.ps1 rename to Tests/Integration/Module/WebConfigurationPropertyRule.Integration.tests.ps1 index facc1fb81..ef8c8561a 100644 --- a/Tests/Integration/WebConfigurationPropertyRule.Integration.tests.ps1 +++ b/Tests/Integration/Module/WebConfigurationPropertyRule.Integration.tests.ps1 @@ -1,9 +1,9 @@ #region Header . $PSScriptRoot\.tests.header.ps1 #endregion + try { - #region Test Setup $stigRulesToTest = @( @{ ConfigSection = '/system.webServer/security/requestFiltering' @@ -52,8 +52,7 @@ try Verify "HMACSHA256"' } ) - #endregion - #region Tests + Describe 'WebConfigurationProperty Rule Conversion' { foreach ( $stig in $stigRulesToTest ) @@ -86,8 +85,8 @@ try } } } - #endregion } + finally { . $PSScriptRoot\.tests.footer.ps1 
diff --git a/Tests/Integration/WinEventLogRule.Integration.tests.ps1 b/Tests/Integration/Module/WinEventLogRule.Integration.tests.ps1 similarity index 97% rename from Tests/Integration/WinEventLogRule.Integration.tests.ps1 rename to Tests/Integration/Module/WinEventLogRule.Integration.tests.ps1 index 8e9b776de..bc56ceba7 100644 --- a/Tests/Integration/WinEventLogRule.Integration.tests.ps1 +++ b/Tests/Integration/Module/WinEventLogRule.Integration.tests.ps1 @@ -1,9 +1,9 @@ #region Header . $PSScriptRoot\.tests.header.ps1 #endregion + try { - #region Test Setup $EventsToTest = @( @{ LogName = 'Microsoft-Windows-DnsServer/Analytical' @@ -44,8 +44,7 @@ try If the check box to enable analytic and debug logs is not enabled on a Windows 2012 R2 DNS server, this is a finding.' } ) - #endregion - #region Tests + Describe 'DnsWinEventLog Rule Conversion' { foreach ( $WinEvents in $EventsToTest) @@ -75,8 +74,8 @@ try } } } - #endregion } + finally { . $PSScriptRoot\.tests.footer.ps1 diff --git a/Tests/Integration/WindowsFeatureRule.Integration.tests.ps1 b/Tests/Integration/Module/WindowsFeatureRule.Integration.tests.ps1 similarity index 98% rename from Tests/Integration/WindowsFeatureRule.Integration.tests.ps1 rename to Tests/Integration/Module/WindowsFeatureRule.Integration.tests.ps1 index 5dadb3703..223f442eb 100644 --- a/Tests/Integration/WindowsFeatureRule.Integration.tests.ps1 +++ b/Tests/Integration/Module/WindowsFeatureRule.Integration.tests.ps1 @@ -1,9 +1,9 @@ #region Header . $PSScriptRoot\.tests.header.ps1 #endregion + try { - #region Test Setup $testStrings = @( @{ Name = 'SMB1Protocol' @@ -66,8 +66,7 @@ try An Installed State of "Available" or "Removed" is not a finding.' } ) - #endregion - #region Tests + Describe 'Windows Feature Conversion' { foreach ($testString in $testStrings) @@ -108,8 +107,8 @@ try } } } - #endregion } + finally { . $PSScriptRoot\.tests.footer.ps1 
diff --git a/Tests/Unit/DSCResources/.tests.header.ps1 b/Tests/Unit/DSCResources/.tests.header.ps1
index 13ed16ecb..145ab0615 100644
--- a/Tests/Unit/DSCResources/.tests.header.ps1
+++ b/Tests/Unit/DSCResources/.tests.header.ps1
@@ -1,3 +1,9 @@
 # Unit Test Header
-$script:moduleRoot = Split-Path -Parent (Split-Path -Parent ( Split-Path -Parent $PSScriptRoot ) )
-Import-Module (Join-Path -Path $moduleRoot -ChildPath 'Tools\TestHelper\TestHelper.psm1') -Force
+$script:dscModuleName = 'PowerStig'
+$script:projectRoot = Split-Path -Path (Split-Path -Path (Split-Path -Path $PSScriptRoot -Parent) -Parent) -Parent
+$script:buildOutput = Join-Path -Path $projectRoot -ChildPath 'output'
+$script:manifestPath = (Get-ChildItem -Path $buildOutput -Filter 'PowerStig.psd1' -Recurse).FullName
+$script:moduleRoot = Split-Path -Path $manifestPath -Parent
+
+Import-Module -Name (Join-Path -Path $projectRoot -ChildPath 'Tools\TestHelper\TestHelper.psm1') -Force
+Import-Module -Name (Join-Path -Path $moduleRoot -ChildPath 'DscResources\helper.psm1')
diff --git a/Tests/Unit/DSCResources/Composite.tests.ps1 b/Tests/Unit/DSCResources/Composite.tests.ps1
index f4a13ebb0..24a2b7155 100644
--- a/Tests/Unit/DSCResources/Composite.tests.ps1
+++ b/Tests/Unit/DSCResources/Composite.tests.ps1
@@ -1,7 +1,6 @@
-$script:DSCModuleName = 'PowerStig'
-$script:moduleRoot = Split-Path -Parent (Split-Path -Parent (Split-Path -Parent $PSScriptRoot))
-Import-Module (Join-Path -Path $moduleRoot -ChildPath 'Tools\TestHelper\TestHelper.psm1') -Force
-$manifestPath = "$script:moduleRoot\$script:DSCModuleName.psd1"
+# DscResource Unit Test Header
+. $PSScriptRoot\.tests.header.ps1
+
 $Manifest = Import-PowerShellDataFile -Path $manifestPath
 
 Describe 'Common Tests - Configuration Module Requirements' {
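Review bot: `$script:manifestPath = (Get-ChildItem -Path $buildOutput -Filter 'PowerStig.psd1' -Recurse).FullName` assumes exactly one built manifest under output/; when output/ holds more than one build version the result is an array, and when the build has not run it is $null, so the following `Split-Path -Path $manifestPath -Parent` either throws an unrelated-looking error or resolves a different build than intended. Selecting deterministically and failing early would make this explicit, e.g. `$script:manifestPath = (Get-ChildItem -Path $buildOutput -Filter 'PowerStig.psd1' -Recurse | Sort-Object -Property LastWriteTime -Descending | Select-Object -First 1).FullName` followed by `if (-not $manifestPath) { throw "PowerStig.psd1 not found under $buildOutput; run the build first" }`. The same pattern is introduced in Tests/Unit/Module/.tests.header.ps1, where `($script:manifestPath).FullName` feeds `Split-Path` the same way, and Composite.tests.ps1 now reads the same `$manifestPath` in `Import-PowerShellDataFile -Path $manifestPath`.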
@@ -64,10 +63,10 @@ Describe 'Common Tests - Configuration Module Requirements' { } Describe 'Composite Resources' { - $manifestDscResourceList = $Manifest.DscResourcesToExport + $manifestDscResourceList = $Manifest.DscResourcesToExport | Sort-Object -Descending $moduleDscResourceList = Get-ChildItem -Path "$($script:moduleRoot)\DscResources" -Directory -Exclude 'Resources' | - Select-Object -Property BaseName -ExpandProperty BaseName + Select-Object -Property BaseName -ExpandProperty BaseName | Sort-Object -Descending It 'Should have all module resources listed in the manifest' { $manifestDscResourceList | Should Be $moduleDscResourceList diff --git a/Tests/Unit/DSCResources/helper.tests.ps1 b/Tests/Unit/DSCResources/helper.tests.ps1 index 58da4c178..24b01b6fc 100644 --- a/Tests/Unit/DSCResources/helper.tests.ps1 +++ b/Tests/Unit/DSCResources/helper.tests.ps1 @@ -1,4 +1,5 @@ -[String] $script:moduleRoot = Split-Path -Parent (Split-Path -Parent (Split-Path -Parent $PSScriptRoot)) +# DscResource Unit Test Header +. $PSScriptRoot\.tests.header.ps1 Import-Module -Name (Join-Path -Path $moduleRoot -ChildPath 'DscResources\helper.psm1') diff --git a/Tests/Unit/DSCResources/windows.Registry.config.ps1 b/Tests/Unit/DSCResources/windows.Registry.config.ps1 index cfde183a2..4b1aae78d 100644 --- a/Tests/Unit/DSCResources/windows.Registry.config.ps1 +++ b/Tests/Unit/DSCResources/windows.Registry.config.ps1 @@ -1,14 +1,17 @@ +# DscResource Unit Test Header +. $PSScriptRoot\.tests.header.ps1 + configuration Registry_config { param ( ) - Import-Module $PSScriptRoot\..\..\..\DscResources\helper.psm1 -Force + Import-Module $moduleRoot\DscResources\helper.psm1 -Force Import-DscResource -ModuleName GPRegistryPolicyDsc -ModuleVersion 1.2.0 Import-DscResource -ModuleName PSDscResources -ModuleVersion 2.10.0.0 Node localhost { - . $PSScriptRoot\..\..\..\DscResources\Resources\windows.Registry.ps1 + . $moduleRoot\DscResources\Resources\windows.Registry.ps1 } } 
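Review bot: With the DSCResources test header now importing `DscResources\helper.psm1` itself, the `Import-Module -Name (Join-Path -Path $moduleRoot -ChildPath 'DscResources\helper.psm1')` kept in helper.tests.ps1 directly after the dot-source is redundant, and windows.Registry.config.ps1 loads it a third time as `Import-Module $moduleRoot\DscResources\helper.psm1 -Force`. Importing the same module with and without `-Force` from different entry points can leave whichever copy loaded first in the session; importing it once in the header, with `-Force` if a fresh load is wanted, and dropping the other two would make the behaviour predictable. The header for helper.tests.ps1 is dot-sourced outside any Describe, so the extra import also runs on every test discovery pass.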
diff --git a/Tests/Unit/DSCResources/windows.Registry.tests.ps1 b/Tests/Unit/DSCResources/windows.Registry.tests.ps1
index 414f46e0b..5bf3df569 100644
--- a/Tests/Unit/DSCResources/windows.Registry.tests.ps1
+++ b/Tests/Unit/DSCResources/windows.Registry.tests.ps1
@@ -1,4 +1,3 @@
-
 $ruleList = @(
 @{
 testXml = [xml]'
diff --git a/Tests/Unit/Module/.tests.footer.ps1 b/Tests/Unit/Module/.tests.footer.ps1
index 7a5539257..0a3525e4c 100644
--- a/Tests/Unit/Module/.tests.footer.ps1
+++ b/Tests/Unit/Module/.tests.footer.ps1
@@ -1,10 +1,12 @@
-
+# footer script cleaning up test scripts test data
 if ((Get-PSCallStack)[1].Command -notmatch 'Stig\.')
 {
 # Cleanup convert module tests
 Remove-Variable STIGSettings -Scope Global
 }
-else
+
+$dynamicClassImport = Join-Path -Path $PSScriptRoot -ChildPath '..\.DynamicClassImport'
+if (Test-Path -Path $dynamicClassImport)
 {
- # Cleanup Stig module tests
-}
+ Remove-Item -Path $dynamicClassImport -Force -Recurse -Confirm:$false
+}
\ No newline at end of file
diff --git a/Tests/Unit/Module/.tests.header.ps1 b/Tests/Unit/Module/.tests.header.ps1
index 87e08882a..8bc0326bb 100644
--- a/Tests/Unit/Module/.tests.header.ps1
+++ b/Tests/Unit/Module/.tests.header.ps1
@@ -1,11 +1,91 @@ +# Unit Test Header +$script:projectRoot = Split-Path -Path (Split-Path -Path (Split-Path -Path $PSScriptRoot -Parent) -Parent) -Parent +$script:buildOutput = Join-Path -Path $script:projectRoot -ChildPath 'output' +$script:manifestPath = (Get-ChildItem -Path $script:buildOutput -Filter 'PowerStig.psd1' -Recurse) +$script:moduleRoot = Split-Path -Path ($script:manifestPath).FullName -Parent +$psStackCommand = (Get-PSCallStack)[1].Command -replace '\.tests\.ps1' +if ($psStackCommand -ne 'Convert.CommonTests.ps1') +{ + $global:moduleName = $psStackCommand + $script:modulePath = "$($script:moduleRoot)$(($PSScriptRoot -split 'Unit')[1])\$global:moduleName\$($global:moduleName).psm1" +} -$script:moduleRoot = Split-Path -Parent (Split-Path -Parent (Split-Path -Parent $PSScriptRoot)) -$global:moduleName = (Get-PSCallStack)[1].Command -replace '\.tests\.ps1', '' -# TODO $script:moduleName can be removed after all tests are migrated to global -$script:moduleName = (Get-PSCallStack)[1].Command -replace '\.tests\.ps1', '' -$script:modulePath = "$($script:moduleRoot)$(($PSScriptRoot -split 'Unit')[1])\$global:moduleName\$($global:moduleName).psm1" +Import-Module -Name (Join-Path -Path $script:projectRoot -ChildPath 'Tools\TestHelper\TestHelper.psm1') -Force -Global -Import-Module -Name (Join-Path -Path $script:moduleRoot -ChildPath 'Tools\TestHelper\TestHelper.psm1') -Force -Global +<# + if the \.DynamicClassImport folder does not exist create it. This folder is used to import class based + modules specific to a PowerSTIG build version. The challenge is the 'using module' statement will not + allow variables to be passed to it. The output/PowerSTIG folder will have a new version of the build after + the build script is executed, i.e.: .\output\PowerSTIG\4.4.0\. Therefore the using statement + has to be dynamically created with a static path and loaded via dot sourcing. 
+#> +$dynamicClassImportPath = Join-Path -Path $PSScriptRoot -ChildPath '..\.DynamicClassImport' +if ((Test-Path -Path $dynamicClassImportPath) -eq $false) +{ + New-Item -Path $dynamicClassImportPath -ItemType Directory +} + +$setDynamicClassFileParams = @{ + PowerStigBuildPath = $script:moduleRoot +} + +switch ($psStackCommand) +{ + 'Common' + { + $destinationPath = Join-Path -Path $PSScriptRoot -ChildPath '..\.DynamicClassImport\Common.ps1' + [void] $setDynamicClassFileParams.Add('DestinationPath', $destinationPath) + [void] $setDynamicClassFileParams.Add('ClassModuleFileName', 'Common.psm1') + } + + 'Convert.CommonTests.ps1' + { + $destinationPath = Join-Path -Path $PSScriptRoot -ChildPath '..\.DynamicClassImport\Rule.ps1' + [void] $setDynamicClassFileParams.Add('DestinationPath', $destinationPath) + [void] $setDynamicClassFileParams.Add('ClassModuleFileName', 'Rule.psm1') + } + + 'HardCodedRule' + { + $destinationPath = Join-Path -Path $PSScriptRoot -ChildPath '..\.DynamicClassImport\ConvertFactory.ps1' + [void] $setDynamicClassFileParams.Add('DestinationPath', $destinationPath) + [void] $setDynamicClassFileParams.Add('ClassModuleFileName', 'ConvertFactory.psm1') + } + + 'Rule' + { + $destinationPath = Join-Path -Path $PSScriptRoot -ChildPath '..\.DynamicClassImport\Rule.ps1' + [void] $setDynamicClassFileParams.Add('DestinationPath', $destinationPath) + [void] $setDynamicClassFileParams.Add('ClassModuleFileName', @('Rule.psm1', 'ConvertFactory.psm1')) + } + + 'STIG.Checklist' + { + $functionCheckListFile = Join-Path -Path $script:moduleRoot -ChildPath '\Module\STIG\Functions.Checklist.ps1' + . 
$functionCheckListFile + } + + 'STIG' + { + $destinationPath = Join-Path -Path $PSScriptRoot -ChildPath '..\.DynamicClassImport\Convert.Main.ps1' + [void] $setDynamicClassFileParams.Add('DestinationPath', $destinationPath) + [void] $setDynamicClassFileParams.Add('ClassModuleFileName', 'Convert.Main.psm1') + } + + default + { + $ruleFile = '{0}.Convert' -f $PSItem + $destinationPath = Join-Path -Path $PSScriptRoot -ChildPath ('..\.DynamicClassImport\{0}.ps1' -f $ruleFile) + [void] $setDynamicClassFileParams.Add('DestinationPath', $destinationPath) + [void] $setDynamicClassFileParams.Add('ClassModuleFileName', ('{0}.psm1' -f $ruleFile)) + } +} + +if ($global:moduleName -ne 'STIG.Checklist') +{ + Set-DynamicClassFile @setDynamicClassFileParams + . $setDynamicClassFileParams.DestinationPath +} <# Several classes check for duplicate rules against a global variable stigSettings. diff --git a/Tests/Unit/Module/AccountPolicyRule.tests.ps1 b/Tests/Unit/Module/AccountPolicyRule.tests.ps1 index 2504b094b..249ac64a3 100644 --- a/Tests/Unit/Module/AccountPolicyRule.tests.ps1 +++ b/Tests/Unit/Module/AccountPolicyRule.tests.ps1 @@ -1,5 +1,4 @@ #region Header -using module .\..\..\..\Module\Rule.AccountPolicy\Convert\AccountPolicyRule.Convert.psm1 . $PSScriptRoot\.tests.header.ps1 #endregion diff --git a/Tests/Unit/Module/AuditPolicyRule.tests.ps1 b/Tests/Unit/Module/AuditPolicyRule.tests.ps1 index dd808688b..4a0810888 100644 --- a/Tests/Unit/Module/AuditPolicyRule.tests.ps1 +++ b/Tests/Unit/Module/AuditPolicyRule.tests.ps1 @@ -1,5 +1,4 @@ #region Header -using module .\..\..\..\Module\Rule.AuditPolicy\Convert\AuditPolicyRule.Convert.psm1 . $PSScriptRoot\.tests.header.ps1 #endregion diff --git a/Tests/Unit/Module/AuditSettingRule.tests.ps1 b/Tests/Unit/Module/AuditSettingRule.tests.ps1 index 5f6897498..f13d1bac5 100644 --- a/Tests/Unit/Module/AuditSettingRule.tests.ps1 +++ b/Tests/Unit/Module/AuditSettingRule.tests.ps1 
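Review bot: `New-Item -Path $dynamicClassImportPath -ItemType Directory` emits the created DirectoryInfo into the output stream of every test script that dot-sources this header, which surfaces as noise in the Pester run; the same hunk already discards return values with `[void]` on the hashtable `Add` calls, so `$null = New-Item -Path $dynamicClassImportPath -ItemType Directory` would be consistent. The generated file is then executed unconditionally by `. $setDynamicClassFileParams.DestinationPath`; Set-DynamicClassFile is not visible here, so if it can fail to write the file, a `Test-Path` guard that throws naming the missing `ClassModuleFileName` would give a clearer failure than the dot-source error. `$script:modulePath` still derives the module sub-path by splitting `$PSScriptRoot` on the literal word 'Unit', which misbehaves for a checkout whose path contains that word elsewhere; that logic is carried over from the removed lines rather than introduced here, but this rewrite of the header would be the place to anchor it on the `Tests\Unit` segment instead.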
@@ -1,5 +1,4 @@ #region Header -using module .\..\..\..\Module\Rule.AuditSetting\Convert\AuditSettingRule.Convert.psm1 . $PSScriptRoot\.tests.header.ps1 #endregion diff --git a/Tests/Unit/Module/Common.tests.ps1 b/Tests/Unit/Module/Common.tests.ps1 index 0cb18da6d..7b592de8f 100644 --- a/Tests/Unit/Module/Common.tests.ps1 +++ b/Tests/Unit/Module/Common.tests.ps1 @@ -1,18 +1,20 @@ -using module .\..\..\..\Module\Common\Common.psm1 +#region Header . $PSScriptRoot\.tests.header.ps1 -# Header -#region Enum Tests +#endregion + <# - a list of enums in the script that is used in a "burn down" manner. When an enum is processed - it is removed from the list, The last test will be to verify that all of the enums have - been tested - #> + a list of enums in the script that is used in a "burn down" manner. When an enum is processed + it is removed from the list, The last test will be to verify that all of the enums have + been tested +#> $enumDiscovered = New-Object System.Collections.ArrayList -# Select each line that starts with enum to count the number of enum's in the file +# Select each line that starts with enum to count the number of enum's in the file $enumListString = ( Get-Content $modulePath | Select-String "^Enum " ) + # Add each enum that is found to the array $enumListString | Foreach-Object { $enumDiscovered.add( ( $_ -split " " )[1].ToString().ToLower() ) | Out-Null } + # Get a count to to use in a final test to validate enum test coverage [int] $enumTestCount = $enumDiscovered.Count diff --git a/Tests/Unit/Module/Convert.CommonTests.ps1 b/Tests/Unit/Module/Convert.CommonTests.ps1 index 97b502168..6355a5fab 100644 --- a/Tests/Unit/Module/Convert.CommonTests.ps1 +++ b/Tests/Unit/Module/Convert.CommonTests.ps1 @@ -1,4 +1,7 @@ -using module .\..\..\..\Module\Rule\Rule.psm1 +#region Header +. $PSScriptRoot\.tests.header.ps1 +#endregion + <# The convert common tests loop through the test data that is provided in the form of a hashtable. 
@@ -12,13 +15,14 @@ using module .\..\..\..\Module\Rule\Rule.psm1 #> # Get the rule element with the checkContent injected into it -$stigRule = Get-TestStigRule -CheckContent $testRule.checkContent -ReturnGroupOnly +$stigRule = Get-TestStigRule -CheckContent $testRule.CheckContent -ReturnGroupOnly -FixText $testRule.FixText + # Create an instance of the convert class that is currently being tested $convertedRule = New-Object -TypeName ($global:moduleName + 'Convert') -ArgumentList $stigRule Describe "$($convertedRule.GetType().Name) Class Instance" { # Only run the base class test once - If ($count -le 0) + if ($count -le 0) { It "Should have a BaseType of $moduleName" { $convertedRule.GetType().BaseType.ToString() | Should Be $moduleName 
@@ -62,18 +66,21 @@ Describe "$($convertedRule.GetType().Name) Class Instance" { # Test that each property was properly extracted from the test checkContent foreach ($property in $propertyList) { - It "Should return the $Property" { - # Can't test a null property type, only that the property is null - if ($null -ne $testRule.$property) - { - # Some properties are complex types that need to be serialized for comparison - if ($testRule.$property.GetType().BaseType.Name -eq 'Array') + if ($property -ne "FixText") + { + It "Should return the $Property" { + # Can't test a null property type, only that the property is null + if ($null -ne $testRule.$property) { - $convertedRule.$property = $convertedRule.$property | ConvertTo-Json - $testRule.$property = $testRule.$property | ConvertTo-Json + # Some properties are complex types that need to be serialized for comparison + if ($testRule.$property.GetType().BaseType.Name -eq 'Array') + { + $convertedRule.$property = $convertedRule.$property | ConvertTo-Json + $testRule.$property = $testRule.$property | ConvertTo-Json + } } + $convertedRule.$property | Should Be $testRule.$property } - $convertedRule.$property | Should Be $testRule.$property } # Remove the property from the list of tested properties $ruleClassPropertyTestList.Remove($property) diff --git a/Tests/Unit/Module/DnsServerRootHintRule.tests.ps1 b/Tests/Unit/Module/DnsServerRootHintRule.tests.ps1 index 6e7605b6e..ee9f53137 100644 --- a/Tests/Unit/Module/DnsServerRootHintRule.tests.ps1 +++ b/Tests/Unit/Module/DnsServerRootHintRule.tests.ps1 @@ -1,5 +1,4 @@ #region Header -using module .\..\..\..\Module\Rule.DnsServerRootHint\Convert\DnsServerRootHintRule.Convert.psm1 . $PSScriptRoot\.tests.header.ps1 #endregion diff --git a/Tests/Unit/Module/DnsServerSettingRule.tests.ps1 b/Tests/Unit/Module/DnsServerSettingRule.tests.ps1 index fc21ca7f8..fff0b011c 100644 --- a/Tests/Unit/Module/DnsServerSettingRule.tests.ps1 +++ b/Tests/Unit/Module/DnsServerSettingRule.tests.ps1 
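Review bot: FixText is now skipped by `if ($property -ne "FixText")`, but the unconditional `$ruleClassPropertyTestList.Remove($property)` further down still runs for it, so if that list is the burn-down check for untested properties, FixText is reported as covered without ever being compared against the converted rule. Every new Vsphere fixture in this commit supplies a FixText value that is therefore never asserted. If the exclusion is because the converted rule does not expose FixText, say so above the condition, e.g. `# FixText only feeds Get-TestStigRule; the converted rule has no such property, so it is not compared here`; otherwise keep the comparison. The enclosing Describe and foreach start outside the hunk.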
@@ -1,5 +1,4 @@ #region Header -using module .\..\..\..\Module\Rule.DnsServerSetting\Convert\DnsServerSettingRule.Convert.psm1 . $PSScriptRoot\.tests.header.ps1 #endregion diff --git a/Tests/Unit/Module/DocumentRule.tests.ps1 b/Tests/Unit/Module/DocumentRule.tests.ps1 index 43814348b..60505c9ca 100644 --- a/Tests/Unit/Module/DocumentRule.tests.ps1 +++ b/Tests/Unit/Module/DocumentRule.tests.ps1 @@ -1,5 +1,4 @@ #region Header -using module .\..\..\..\Module\Rule.Document\Convert\DocumentRule.Convert.psm1 . $PSScriptRoot\.tests.header.ps1 #endregion diff --git a/Tests/Unit/Module/FileContentRule.tests.ps1 b/Tests/Unit/Module/FileContentRule.tests.ps1 index 52fba3b5a..27b63ca4e 100644 --- a/Tests/Unit/Module/FileContentRule.tests.ps1 +++ b/Tests/Unit/Module/FileContentRule.tests.ps1 @@ -1,5 +1,4 @@ #region Header -using module .\..\..\..\Module\Rule.FileContent\Convert\FileContentRule.Convert.psm1 . $PSScriptRoot\.tests.header.ps1 #endregion diff --git a/Tests/Unit/Module/GroupRule.tests.ps1 b/Tests/Unit/Module/GroupRule.tests.ps1 index 23cce1b38..5df2c32bb 100644 --- a/Tests/Unit/Module/GroupRule.tests.ps1 +++ b/Tests/Unit/Module/GroupRule.tests.ps1 @@ -1,5 +1,4 @@ #region Header -using module .\..\..\..\Module\Rule.Group\Convert\GroupRule.Convert.psm1 . $PSScriptRoot\.tests.header.ps1 #endregion diff --git a/Tests/Unit/Module/HardCodedRule.tests.ps1 b/Tests/Unit/Module/HardCodedRule.tests.ps1 index 2557c64ea..aefe0ab37 100644 --- a/Tests/Unit/Module/HardCodedRule.tests.ps1 +++ b/Tests/Unit/Module/HardCodedRule.tests.ps1 @@ -1,12 +1,10 @@ #region Header -using module .\..\..\..\Module\Rule\Convert\ConvertFactory.psm1 -using module .\..\..\..\Module\Rule.HardCoded\Convert\HardCodedRule.Convert.psm1 . $PSScriptRoot\.tests.header.ps1 #endregion try { - InModuleScope -ModuleName "$($global:moduleName).Convert" { + InModuleScope -ModuleName ConvertFactory { #region Test Setup $testRuleListSingle = @( @{ 
@@ -279,6 +277,7 @@ try foreach ($splitRule in $testRuleListSplit) { + Context "Hard Coded Split Rules (CheckContent): $($splitRule.CheckContent)" { <# Generate XML with a temp check content block. diff --git a/Tests/Unit/Module/IISLoggingRule.tests.ps1 b/Tests/Unit/Module/IISLoggingRule.tests.ps1 index aebdee01f..72b90bddb 100644 --- a/Tests/Unit/Module/IISLoggingRule.tests.ps1 +++ b/Tests/Unit/Module/IISLoggingRule.tests.ps1 @@ -1,5 +1,4 @@ #region Header -using module .\..\..\..\Module\Rule.IISLogging\Convert\IISLoggingRule.Convert.psm1 . $PSScriptRoot\.tests.header.ps1 #endregion diff --git a/Tests/Unit/Module/ManualRule.tests.ps1 b/Tests/Unit/Module/ManualRule.tests.ps1 index 4333453bc..7d6d87450 100644 --- a/Tests/Unit/Module/ManualRule.tests.ps1 +++ b/Tests/Unit/Module/ManualRule.tests.ps1 @@ -1,5 +1,4 @@ #region Header -using module .\..\..\..\Module\Rule.Manual\Convert\ManualRule.Convert.psm1 . $PSScriptRoot\.tests.header.ps1 #endregion diff --git a/Tests/Unit/Module/MimeTypeRule.tests.ps1 b/Tests/Unit/Module/MimeTypeRule.tests.ps1 index e43e533fd..6edbff12e 100644 --- a/Tests/Unit/Module/MimeTypeRule.tests.ps1 +++ b/Tests/Unit/Module/MimeTypeRule.tests.ps1 @@ -1,5 +1,4 @@ #region Header -using module .\..\..\..\Module\Rule.MimeType\Convert\MimeTypeRule.Convert.psm1 . $PSScriptRoot\.tests.header.ps1 #endregion diff --git a/Tests/Unit/Module/PermissionRule.tests.ps1 b/Tests/Unit/Module/PermissionRule.tests.ps1 index 68475f20e..d730862ae 100644 --- a/Tests/Unit/Module/PermissionRule.tests.ps1 +++ b/Tests/Unit/Module/PermissionRule.tests.ps1 @@ -1,5 +1,4 @@ #region Header -using module .\..\..\..\Module\Rule.Permission\Convert\PermissionRule.Convert.psm1 . $PSScriptRoot\.tests.header.ps1 #endregion diff --git a/Tests/Unit/Module/ProcessMitigationRule.tests.ps1 b/Tests/Unit/Module/ProcessMitigationRule.tests.ps1 index 87ec483ca..4257a45bb 100644 --- a/Tests/Unit/Module/ProcessMitigationRule.tests.ps1 +++ b/Tests/Unit/Module/ProcessMitigationRule.tests.ps1 
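Review bot: The added `Context "Hard Coded Split Rules (CheckContent): $($splitRule.CheckContent)" {` opens a block, but no matching `}` is added anywhere in this diff, so unless a closing brace already exists below the loop body the file will not parse; please confirm. Embedding the full CheckContent in the Context name also pushes multi-line STIG text into every result line; a short label such as `Context "Hard Coded Split Rules: $(($splitRule.CheckContent -split '\r?\n')[0])" {` keeps the output readable. The foreach body continues outside the hunk.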
@@ -1,5 +1,4 @@ #region Header -using module .\..\..\..\Module\Rule.ProcessMitigation\Convert\ProcessMitigationRule.Convert.psm1 . $PSScriptRoot\.tests.header.ps1 #endregion diff --git a/Tests/Unit/Module/RegistryRule.tests.ps1 b/Tests/Unit/Module/RegistryRule.tests.ps1 index 3b4a03940..27f6f1d2c 100644 --- a/Tests/Unit/Module/RegistryRule.tests.ps1 +++ b/Tests/Unit/Module/RegistryRule.tests.ps1 @@ -1,8 +1,19 @@ #region Header -using module .\..\..\..\Module\Rule.Registry\Convert\RegistryRule.Convert.psm1 . $PSScriptRoot\.tests.header.ps1 #endregion +# Data files +if ($null -eq (Get-Variable -Name SingleLine* -Scope Global)) +{ + $dataFilePath = Join-Path -Path $script:moduleRoot -ChildPath 'Module\Rule\Convert' + $supportFiles = (Get-ChildItem -Path $dataFilePath -Filter 'Data.*.ps1').FullName + foreach ($file in $supportFiles) + { + . $file + } +} +#endregion + try { InModuleScope -ModuleName "$($global:moduleName).Convert" { diff --git a/Tests/Unit/Module/Rule.tests.ps1 b/Tests/Unit/Module/Rule.tests.ps1 index 240acc62e..9775446a4 100644 --- a/Tests/Unit/Module/Rule.tests.ps1 +++ b/Tests/Unit/Module/Rule.tests.ps1 @@ -1,11 +1,10 @@ #region Header -using module .\..\..\..\Module\Rule\Rule.psm1 -using module .\..\..\..\Module\Rule\Convert\ConvertFactory.psm1 . $PSScriptRoot\.tests.header.ps1 #endregion + try { - InModuleScope -ModuleName $script:moduleName { + InModuleScope -ModuleName $global:moduleName { #region Test Setup $stig = [Rule]::new( (Get-TestStigRule -ReturnGroupOnly), $true ) $script:moduleRoot = Split-Path -Parent (Split-Path -Parent (Split-Path -Parent $PSScriptRoot)) @@ -113,12 +112,11 @@ try } } } - #endregion - #region Convert Factory + } + InModuleScope -ModuleName ConvertFactory { Describe 'Convert Factory' { - Context 'AccountPolicyRule' { $checkContent = 'Run "gpedit.msc". 
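Review bot: The new data-file block in RegistryRule.tests.ps1 closes with `#endregion` but opens with a plain `# Data files` comment, so the region markers are unbalanced; change the opener to `#region Data files`. The guard `Get-Variable -Name SingleLine* -Scope Global` only short-circuits when a matching global variable exists; if the Data.*.ps1 files define their variables at script scope, the files are re-sourced on every run and the check is misleading, so it is worth confirming which scope those files use. The block also depends on `$script:moduleRoot`, which the Tools header changed in this diff does not define; a one-line comment naming where it comes from would help the next reader.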
@@ -134,7 +132,7 @@ try } Context 'AuditPolicyRule' { - $checkContent = 'Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + $checkContent = 'Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). @@ -344,7 +342,6 @@ try } } } - #endregion } } finally diff --git a/Tests/Unit/Module/STIG.Checklist.tests.ps1 b/Tests/Unit/Module/STIG.Checklist.tests.ps1 index 8e8d32f7d..9a5eb20c6 100644 --- a/Tests/Unit/Module/STIG.Checklist.tests.ps1 +++ b/Tests/Unit/Module/STIG.Checklist.tests.ps1 @@ -1,4 +1,6 @@ -. $PSScriptRoot\..\..\..\Module\STIG\Functions.Checklist.ps1 +#region Header +. $PSScriptRoot\.tests.header.ps1 +#endregion Describe 'New-StigCheckList' { diff --git a/Tests/Unit/Module/STIG.tests.ps1 b/Tests/Unit/Module/STIG.tests.ps1 index 8d22c8960..cf181ffad 100644 --- a/Tests/Unit/Module/STIG.tests.ps1 +++ b/Tests/Unit/Module/STIG.tests.ps1 @@ -1,11 +1,9 @@ #region Header -using module .\..\..\..\Module\STIG\Convert\Convert.Main.psm1 . $PSScriptRoot\.tests.header.ps1 #endregion + try { - #region Functions - Describe 'Split-StigXccdf' { $sampleXccdfFileName = 'U_Windows_Server_2016{0}_STIG_V1R1_Manual-xccdf.xml' @@ -37,6 +35,7 @@ try } } } + Describe 'Get-StigVersionNumber' { $majorVersionNumber = '1' $minorVersionNumber = '5' @@ -48,6 +47,7 @@ try Should Be "$majorVersionNumber.$minorVersionNumber" } } + Describe 'Get-PowerStigFileList' { $majorVersionNumber = '1' $minorVersionNumber = '5' 
@@ -81,6 +81,7 @@ try } #> } + Describe 'Split-BenchmarkId' { $sampleStrings = [ordered]@{ 'SQLServer' = @( @@ -249,14 +250,16 @@ try } } } + Describe 'Conversion Status' { It 'Should not contain conversionstatus="fail" in any processed STIG' { - $selectStringResults = Select-String -Pattern 'conversionstatus="fail"' -Path "$PSScriptRoot\..\..\..\StigData\Processed\*.xml" + $processedStigDataPath = Join-Path -Path $script:moduleRoot -ChildPath 'StigData\Processed\*.xml' + $selectStringResults = Select-String -Pattern 'conversionstatus="fail"' -Path $processedStigDataPath $selectStringResults | Should Be $null } } - #endregion } + finally { . $PSScriptRoot\.tests.footer.ps1 diff --git a/Tests/Unit/Module/SecurityOptionRule.tests.ps1 b/Tests/Unit/Module/SecurityOptionRule.tests.ps1 index 14486623f..633728643 100644 --- a/Tests/Unit/Module/SecurityOptionRule.tests.ps1 +++ b/Tests/Unit/Module/SecurityOptionRule.tests.ps1 @@ -1,5 +1,4 @@ #region Header -using module .\..\..\..\Module\Rule.SecurityOption\Convert\SecurityOptionRule.Convert.psm1 . $PSScriptRoot\.tests.header.ps1 #endregion diff --git a/Tests/Unit/Module/ServiceRule.tests.ps1 b/Tests/Unit/Module/ServiceRule.tests.ps1 index 4b2a6f53b..3cbea09ed 100644 --- a/Tests/Unit/Module/ServiceRule.tests.ps1 +++ b/Tests/Unit/Module/ServiceRule.tests.ps1 @@ -1,5 +1,4 @@ #region Header -using module .\..\..\..\Module\Rule.Service\Convert\ServiceRule.Convert.psm1 . $PSScriptRoot\.tests.header.ps1 #endregion diff --git a/Tests/Unit/Module/SqlScriptQueryRule.tests.ps1 b/Tests/Unit/Module/SqlScriptQueryRule.tests.ps1 index c4bf150a0..307d659af 100644 --- a/Tests/Unit/Module/SqlScriptQueryRule.tests.ps1 +++ b/Tests/Unit/Module/SqlScriptQueryRule.tests.ps1 @@ -1,5 +1,4 @@ #region Header -using module .\..\..\..\Module\Rule.SqlScriptQuery\Convert\SqlScriptQueryRule.Convert.psm1 . $PSScriptRoot\.tests.header.ps1 #endregion 
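Review bot: The 'Conversion Status' test still passes when nothing is scanned: if `$script:moduleRoot` is unset or points elsewhere, `Select-String -Path $processedStigDataPath` writes a non-terminating cannot-find-path error and returns nothing, and `$null | Should Be $null` succeeds. Since the purpose is to catch failed conversions in the processed STIG data, assert the input exists first, e.g. `Test-Path -Path $processedStigDataPath | Should Be $true`, before the Select-String assertion. `$script:moduleRoot` is not defined by the Tools header in this diff, so its origin is presumably the Module-level header.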
diff --git a/Tests/Unit/Module/SslSettingsRule.tests.ps1 b/Tests/Unit/Module/SslSettingsRule.tests.ps1
index bc2dff09c..44d1018bc 100644
--- a/Tests/Unit/Module/SslSettingsRule.tests.ps1
+++ b/Tests/Unit/Module/SslSettingsRule.tests.ps1
@@ -1,5 +1,4 @@
 #region Header
-using module .\..\..\..\Module\Rule.SslSettings\Convert\SslSettingsRule.Convert.psm1
 . $PSScriptRoot\.tests.header.ps1
 #endregion
 
diff --git a/Tests/Unit/Module/UserRightRule.tests.ps1 b/Tests/Unit/Module/UserRightRule.tests.ps1
index 12ab4f584..62226c96f 100644
--- a/Tests/Unit/Module/UserRightRule.tests.ps1
+++ b/Tests/Unit/Module/UserRightRule.tests.ps1
@@ -1,5 +1,4 @@
 #region Header
-using module .\..\..\..\Module\Rule.UserRight\Convert\UserRightRule.Convert.psm1
 . $PSScriptRoot\.tests.header.ps1
 #endregion
 
diff --git a/Tests/Unit/Module/VsphereAcceptanceLevelRule.tests.ps1 b/Tests/Unit/Module/VsphereAcceptanceLevelRule.tests.ps1
new file mode 100644
index 000000000..4677eab1f
--- /dev/null
+++ b/Tests/Unit/Module/VsphereAcceptanceLevelRule.tests.ps1
@@ -0,0 +1,46 @@ +#region Header +. $PSScriptRoot\.tests.header.ps1 +#endregion + +try +{ + InModuleScope -ModuleName "$($global:moduleName).Convert" { + #region Test Setup + $testRuleList = @( + @{ + Level = 'PartnerSupported' + OrganizationValueRequired = $false + CheckContent = 'From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Security Profile. Under "Host Image Profile Acceptance Level" view the acceptance level. + + or + + From a PowerCLI command prompt while connected to the ESXi host run the following commands: + + $esxcli = Get-EsxCli + $esxcli.software.acceptance.get() + + If the acceptance level is CommunitySupported, this is a finding.' + FixText = 'From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Security Profile. Under "Host Image Profile Acceptance Level" click Edit… and use the pull-down selection, set the acceptance level to be VMwareCertified, VMwareAccepted, or PartnerSupported. + + or + + From a PowerCLI command prompt while connected to the ESXi host run the following commands: + + $esxcli = Get-EsxCli + $esxcli.software.acceptance.Set("PartnerSupported") + + Note: VMwareCertified or VMwareAccepted may be substituted for PartnerSupported, depending upon local requirements.' + } + ) + #endregion + + foreach ($testRule in $testRuleList) + { + . $PSScriptRoot\Convert.CommonTests.ps1 + } + } +} +finally +{ + . $PSScriptRoot\.tests.footer.ps1 +} diff --git a/Tests/Unit/Module/VsphereAdvancedSettingsRule.tests.ps1 b/Tests/Unit/Module/VsphereAdvancedSettingsRule.tests.ps1 new file mode 100644 index 000000000..1604ad98b --- /dev/null +++ b/Tests/Unit/Module/VsphereAdvancedSettingsRule.tests.ps1 
@@ -0,0 +1,66 @@ +#region Header +. $PSScriptRoot\.tests.header.ps1 +#endregion + +try +{ + InModuleScope -ModuleName "$($global:moduleName).Convert" { + #region Test Setup + $testRuleList = @( + @{ + AdvancedSettings = "'DCUI.Access' = 'root'" + OrganizationValueRequired = $false + CheckContent = 'From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the DCUI.Access value and verify only the root user is listed. + + or + + From a PowerCLI command prompt while connected to the ESXi host run the following command: + + Get-VMHost | Get-AdvancedSetting -Name DCUI.Access and verify it is set to root. + + If the DCUI.Access is not restricted to root, this is a finding. + + Note: This list is only for local user accounts and should only contain the root user. + + For environments that do not use vCenter server to manage ESXi, this is not applicable.' + FixText = 'From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click Edit and select the DCUI.Access value and configure it to root. + + or + + From a PowerCLI command prompt while connected to the ESXi host run the following command: + + Get-VMHost | Get-AdvancedSetting -Name DCUI.Access | Set-AdvancedSetting -Value "root"' + }, + @{ + AdvancedSettings = "'UserVars.ESXiShellInteractiveTimeOut' = '600'" + OrganizationValueRequired = $false + CheckContent = 'From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the UserVars.ESXiShellInteractiveTimeOut value and verify it is set to 600 (10 Minutes). + + or + + From a PowerCLI command prompt while connected to the ESXi host run the following command: + + Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut + + If the UserVars.ESXiShellInteractiveTimeOut setting is not set to 600, this is a finding.' 
+ FixText = 'From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click Edit and select the UserVars.ESXiShellInteractiveTimeOut value and configure it to 600. + + or + + From a PowerCLI command prompt while connected to the ESXi host run the following commands: + + Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut | Set-AdvancedSetting -Value 600' + } + ) + #endregion + + foreach ($testRule in $testRuleList) + { + . $PSScriptRoot\Convert.CommonTests.ps1 + } + } +} +finally +{ + . $PSScriptRoot\.tests.footer.ps1 +} diff --git a/Tests/Unit/Module/VsphereKernelActiveDumpPartitionRule.tests.ps1 b/Tests/Unit/Module/VsphereKernelActiveDumpPartitionRule.tests.ps1 new file mode 100644 index 000000000..79edaad06 --- /dev/null +++ b/Tests/Unit/Module/VsphereKernelActiveDumpPartitionRule.tests.ps1 
@@ -0,0 +1,57 @@ +#region Header +. $PSScriptRoot\.tests.header.ps1 +#endregion + +try +{ + InModuleScope -ModuleName "$($global:moduleName).Convert" { + #region Test Setup + $testRuleList = @( + @{ + Enabled = '$true' + OrganizationValueRequired = $false + CheckContent = 'From the vSphere Web Client select the ESXi Host and right click. If the "Add Diagnostic Partition" option is greyed out then core dumps are configured. + + or + + From a PowerCLI command prompt while connected to the ESXi host run the following commands: + + $esxcli = Get-EsxCli + $esxcli.system.coredump.partition.get() + $esxcli.system.coredump.network.get() + + The first command prepares for the other two. The second command shows whether there is an active core dump partition configured. The third command shows whether a network core dump collector is configured and enabled, via the "HostVNic", "NetworkServerIP", "NetworkServerPort", and "Enabled" variables. + + If there is no active core dump partition or the network core dump collector is not configured and enabled, this is a finding.' + FixText = 'From the vSphere Web Client select the ESXi Host and right click. Select the "Add Diagnostic Partition" option configure a core dump diagnostic partition. + + or + + From a PowerCLI command prompt while connected to the ESXi host run at least one of the following sets of commands: + + To configure a core dump partition: + + $esxcli = Get-EsxCli + #View available partitions to configure + $esxcli.system.coredump.partition.list() + $esxcli.system.coredump.partition.set($null,"PartitionName",$null,$null) + + To configure a core dump collector: + + $esxcli = Get-EsxCli + $esxcli.system.coredump.network.set($null,"vmkernel port to use",$null,"CollectorIP","CollectorPort") + $esxcli.system.coredump.network.set($true)' + } + ) + #endregion + + foreach ($testRule in $testRuleList) + { + . $PSScriptRoot\Convert.CommonTests.ps1 + } + } +} +finally +{ + . $PSScriptRoot\.tests.footer.ps1 +} 
diff --git a/Tests/Unit/Module/VspherePortGroupSecurityRule.tests.ps1 b/Tests/Unit/Module/VspherePortGroupSecurityRule.tests.ps1
new file mode 100644
index 000000000..ac8e7c28a
--- /dev/null
+++ b/Tests/Unit/Module/VspherePortGroupSecurityRule.tests.ps1
@@ -0,0 +1,82 @@ +#region Header +. $PSScriptRoot\.tests.header.ps1 +#endregion + +try +{ + InModuleScope -ModuleName "$($global:moduleName).Convert" { + #region Test Setup + $testRuleList = @( + @{ + OrganizationValueRequired = $false + ForgedTransmitsInherited = '$true' + CheckContent = 'From the vSphere Web Client go to Configure >> Networking >> Virtual Switches. View the properties on each virtual switch and port group and verify "Forged Transmits" is set to reject. + + or + + From a PowerCLI command prompt while connected to the ESXi host run the following commands: + + Get-VirtualPortGroup | Get-SecurityPolicy + + If the "Forged Transmits" policy is set to accept, this is a finding.' + FixText = 'From the vSphere Web Client go to Configure >> Networking >> Virtual Switches. For each virtual switch and port group click Edit settings and change "Forged Transmits" to reject. + + or + + From a PowerCLI command prompt while connected to the ESXi host run the following commands: + + Get-VirtualPortGroup | Get-SecurityPolicy | Set-SecurityPolicy -ForgedTransmitsInherited $true' + }, + @{ + OrganizationValueRequired = $false + AllowPromiscuousInherited = '$true' + CheckContent = 'From the vSphere Web Client go to Configure >> Networking >> Virtual Switches. View the properties on each virtual switch and port group and verify "Promiscuous Mode" is set to reject. + + or + + From a PowerCLI command prompt while connected to the ESXi host run the following commands: + + Get-VirtualPortGroup | Get-SecurityPolicy + + If the "Promiscuous Mode" policy is set to accept, this is a finding.' + FixText = 'From the vSphere Web Client go to Configure >> Networking >> Virtual Switches. For each virtual switch and port group click Edit settings and change "Promiscuous Mode" to reject. 
+ + or + + From a PowerCLI command prompt while connected to the ESXi host run the following commands: + + Get-VirtualPortGroup | Get-SecurityPolicy | Set-SecurityPolicy -AllowPromiscuousInherited $true' + }, + @{ + OrganizationValueRequired = $false + MacChangesInherited = '$true' + CheckContent = 'From the vSphere Web Client go to Configure >> Networking >> Virtual Switches. View the properties on each virtual switch and port group and verify "MAC Address Changes" is set to reject. + + or + + From a PowerCLI command prompt while connected to the ESXi host run the following commands: + + Get-VirtualPortGroup | Get-SecurityPolicy + + If the "MAC Address Changes" policy is set to accept, this is a finding.' + FixText = 'From the vSphere Web Client go to Configure >> Networking >> Virtual Switches. For each virtual switch and port group click Edit settings and change "MAC Address Changes" to reject. + + or + + From a PowerCLI command prompt while connected to the ESXi host run the following commands: + + Get-VirtualPortGroup | Get-SecurityPolicy | Set-SecurityPolicy -MacChangesInherited $true' + } + ) + #endregion + + foreach ($testRule in $testRuleList) + { + . $PSScriptRoot\Convert.CommonTests.ps1 + } + } +} +finally +{ + . $PSScriptRoot\.tests.footer.ps1 +} diff --git a/Tests/Unit/Module/VsphereServiceRule.tests.ps1 b/Tests/Unit/Module/VsphereServiceRule.tests.ps1 new file mode 100644 index 000000000..4f09d9fc9 --- /dev/null +++ b/Tests/Unit/Module/VsphereServiceRule.tests.ps1 
@@ -0,0 +1,37 @@ +#region Header +. $PSScriptRoot\.tests.header.ps1 +#endregion + +try +{ + InModuleScope -ModuleName "$($global:moduleName).Convert" { + #region Test Setup + $testRuleList = @( + @{ + Key = 'TSM-SSH' + Policy = 'off' + Running = 'False' + OrganizationValueRequired = $false + CheckContent = 'From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Security Profile. Under Services select Edit and view the "SSH" service and verify it is stopped. + + or + + From a PowerCLI command prompt while connected to the ESXi host run the following command: + + Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"} + + If the ESXi SSH service is running, this is a finding.' + } + ) + #endregion + + foreach ($testRule in $testRuleList) + { + . $PSScriptRoot\Convert.CommonTests.ps1 + } + } +} +finally +{ + . $PSScriptRoot\.tests.footer.ps1 +} diff --git a/Tests/Unit/Module/VsphereSnmpAgentRule.tests.ps1 b/Tests/Unit/Module/VsphereSnmpAgentRule.tests.ps1 new file mode 100644 index 000000000..a5ed189ed --- /dev/null +++ b/Tests/Unit/Module/VsphereSnmpAgentRule.tests.ps1 
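Review bot: This fixture is the only new Vsphere test file without a FixText entry, so Convert.CommonTests.ps1 (changed in this commit) passes `$testRule.FixText` as `$null` to Get-TestStigRule for it. If Get-TestStigRule tolerates a missing FixText this is fine but should be stated, e.g. a comment inside the hashtable `# FixText intentionally omitted: exercises the null-FixText path in Get-TestStigRule`; if it does not, add a FixText value so the fixture matches its siblings.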
@@ -0,0 +1,54 @@ +#region Header +. $PSScriptRoot\.tests.header.ps1 +#endregion + +try +{ + InModuleScope -ModuleName "$($global:moduleName).Convert" { + #region Test Setup + $testRuleList = @( + @{ + Enabled = '$false' + OrganizationValueRequired = $false + CheckContent = 'From a PowerCLI command prompt while connected to the ESXi host run the following command: + + Get-VMHostSnmp | Select * + + or + + From a console or ssh session run the follow command: + + esxcli system snmp get + + If SNMP is not in use and is enabled, this is a finding. + + If SNMP is enabled and read only communities is set to public, this is a finding. + + If SNMP is enabled and is not using v3 targets, this is a finding. + + Note: SNMP v3 targets can only be viewed and configured from the esxcli command.' + FixText = 'To disable SNMP run the following command from a PowerCLI command prompt while connected to the ESXi Host: + + Get-VMHostSnmp | Set-VMHostSnmp -Enabled $false + + or + + From a console or ssh session run the follow command: + + esxcli system snmp set -e no + + To configure SNMP for v3 targets use the "esxcli system snmp set" command set.' + } + ) + #endregion + + foreach ($testRule in $testRuleList) + { + . $PSScriptRoot\Convert.CommonTests.ps1 + } + } +} +finally +{ + . $PSScriptRoot\.tests.footer.ps1 +} diff --git a/Tests/Unit/Module/VsphereVssSecurityRule.tests.ps1 b/Tests/Unit/Module/VsphereVssSecurityRule.tests.ps1 new file mode 100644 index 000000000..f8daa93fe --- /dev/null +++ b/Tests/Unit/Module/VsphereVssSecurityRule.tests.ps1 
@@ -0,0 +1,82 @@ +#region Header +. $PSScriptRoot\.tests.header.ps1 +#endregion + +try +{ + InModuleScope -ModuleName "$($global:moduleName).Convert" { + #region Test Setup + $testRuleList = @( + @{ + OrganizationValueRequired = $false + ForgedTransmits = '$false' + CheckContent = 'From the vSphere Web Client go to Configure >> Networking >> Virtual Switches. View the properties on each virtual switch and port group and verify "Forged Transmits" is set to reject. + + or + + From a PowerCLI command prompt while connected to the ESXi host run the following commands: + + Get-VirtualSwitch | Get-SecurityPolicy + + If the "Forged Transmits" policy is set to accept, this is a finding.' + FixText = 'From the vSphere Web Client go to Configure >> Networking >> Virtual Switches. For each virtual switch and port group click Edit settings and change "Forged Transmits" to reject. + + or + + From a PowerCLI command prompt while connected to the ESXi host run the following commands: + + Get-VirtualSwitch | Get-SecurityPolicy | Set-SecurityPolicy -ForgedTransmits $false' + }, + @{ + OrganizationValueRequired = $false + AllowPromiscuous = '$false' + CheckContent = 'From the vSphere Web Client go to Configure >> Networking >> Virtual Switches. View the properties on each virtual switch and port group and verify "Promiscuous Mode" is set to reject. + + or + + From a PowerCLI command prompt while connected to the ESXi host run the following commands: + + Get-VirtualSwitch | Get-SecurityPolicy + + If the "Promiscuous Mode" policy is set to accept, this is a finding.' + FixText = 'From the vSphere Web Client go to Configure >> Networking >> Virtual Switches. For each virtual switch and port group click Edit settings and change "Promiscuous Mode" to reject. 
+ + or + + From a PowerCLI command prompt while connected to the ESXi host run the following commands: + + Get-VirtualSwitch | Get-SecurityPolicy | Set-SecurityPolicy -AllowPromiscuous $false' + }, + @{ + OrganizationValueRequired = $false + MacChanges = '$false' + CheckContent = 'From the vSphere Web Client go to Configure >> Networking >> Virtual Switches. View the properties on each virtual switch and port group and verify "MAC Address Changes" is set to reject. + + or + + From a PowerCLI command prompt while connected to the ESXi host run the following commands: + + Get-VirtualSwitch | Get-SecurityPolicy + + If the "MAC Address Changes" policy is set to accept, this is a finding.' + FixText = 'From the vSphere Web Client go to Configure >> Networking >> Virtual Switches. For each virtual switch and port group click Edit settings and change "MAC Address Changes" to reject. + + or + + From a PowerCLI command prompt while connected to the ESXi host run the following commands: + + Get-VirtualSwitch | Get-SecurityPolicy | Set-SecurityPolicy -MacChanges $false' + } + ) + #endregion + + foreach ($testRule in $testRuleList) + { + . $PSScriptRoot\Convert.CommonTests.ps1 + } + } +} +finally +{ + . $PSScriptRoot\.tests.footer.ps1 +} diff --git a/Tests/Unit/Module/WebAppPoolRule.tests.ps1 b/Tests/Unit/Module/WebAppPoolRule.tests.ps1 index 8cb8c051c..8e33690d9 100644 --- a/Tests/Unit/Module/WebAppPoolRule.tests.ps1 +++ b/Tests/Unit/Module/WebAppPoolRule.tests.ps1 @@ -1,5 +1,4 @@ #region Header -using module .\..\..\..\Module\Rule.WebAppPool\Convert\WebAppPoolRule.Convert.psm1 . $PSScriptRoot\.tests.header.ps1 #endregion diff --git a/Tests/Unit/Module/WebConfigurationPropertyRule.tests.ps1 b/Tests/Unit/Module/WebConfigurationPropertyRule.tests.ps1 index 9596a8ce6..3414be875 100644 --- a/Tests/Unit/Module/WebConfigurationPropertyRule.tests.ps1 +++ b/Tests/Unit/Module/WebConfigurationPropertyRule.tests.ps1 
@@ -1,5 +1,4 @@
 #region Header
-using module .\..\..\..\Module\Rule.WebConfigurationProperty\Convert\WebConfigurationPropertyRule.Convert.psm1
 . $PSScriptRoot\.tests.header.ps1
 #endregion
 
diff --git a/Tests/Unit/Module/WinEventLogRule.tests.ps1 b/Tests/Unit/Module/WinEventLogRule.tests.ps1
index 461387726..533206758 100644
--- a/Tests/Unit/Module/WinEventLogRule.tests.ps1
+++ b/Tests/Unit/Module/WinEventLogRule.tests.ps1
@@ -1,5 +1,4 @@
 #region Header
-using module .\..\..\..\Module\Rule.WinEventLog\Convert\WinEventLogRule.Convert.psm1
 . $PSScriptRoot\.tests.header.ps1
 #endregion
 
diff --git a/Tests/Unit/Module/WindowsFeatureRule.tests.ps1 b/Tests/Unit/Module/WindowsFeatureRule.tests.ps1
index 03cd57a6d..734cd02bb 100644
--- a/Tests/Unit/Module/WindowsFeatureRule.tests.ps1
+++ b/Tests/Unit/Module/WindowsFeatureRule.tests.ps1
@@ -1,5 +1,4 @@
 #region Header
-using module .\..\..\..\Module\Rule.WindowsFeature\Convert\WindowsFeatureRule.Convert.psm1
 . $PSScriptRoot\.tests.header.ps1
 #endregion
 
diff --git a/Tests/Unit/.tests.header.ps1 b/Tests/Unit/Tools/.tests.header.ps1
similarity index 64%
rename from Tests/Unit/.tests.header.ps1
rename to Tests/Unit/Tools/.tests.header.ps1
index 39fdedd43..98817ed67 100644
--- a/Tests/Unit/.tests.header.ps1
+++ b/Tests/Unit/Tools/.tests.header.ps1
@@ -1,13 +1,10 @@ # Unit Test Header -$script:moduleSection = Split-Path -Path (Split-Path -Path (Get-PSCallStack)[1].ScriptName -Parent ) -Leaf -$script:projectRoot = Split-Path -Parent (Split-Path -Parent $PSScriptRoot) +$script:moduleSection = Split-Path -Path (Split-Path -Path (Get-PSCallStack)[1].ScriptName -Parent) -Leaf +$script:projectRoot = Split-Path -Path (Split-Path -Path (Split-Path -Path $PSScriptRoot)) -Parent $script:toolsRoot = Join-Path -Path $script:projectRoot -ChildPath 'Tools' $script:moduleName = (Get-PSCallStack)[1].Command -replace '\.tests\.ps1', '' - $script:modulePath = "$($script:projectRoot)\$($script:moduleSection)\$script:moduleName\$($script:moduleName).psm1" +$helperModulePath = Join-Path -Path $script:toolsRoot -ChildPath (Join-Path -Path 'TestHelper' -ChildPath 'TestHelper.psm1') -$helperModulePath = Join-Path -Path $script:toolsRoot -ChildPath ( - Join-Path -Path 'TestHelper' -ChildPath 'TestHelper.psm1') - -Import-Module -Name $helperModulePath -Force -Global +Import-Module -Name $helperModulePath -Force -Global Import-Module -Name $script:modulePath -Force diff --git a/Tests/Unit/Tools/TestHelper.tests.ps1 b/Tests/Unit/Tools/TestHelper.tests.ps1 index 734c72e8b..899d3ae3c 100644 --- a/Tests/Unit/Tools/TestHelper.tests.ps1 +++ b/Tests/Unit/Tools/TestHelper.tests.ps1 @@ -1,5 +1,4 @@ -$unitTestRoot = Split-Path -Path $PSScriptRoot -Parent -. "$unitTestRoot\.tests.header.ps1" +. $PSScriptRoot\.tests.header.ps1 try { diff --git a/Tests/Unit/Tools/WikiPages.tests.ps1 b/Tests/Unit/Tools/WikiPages.tests.ps1 index ebb89a5fe..747179f35 100644 --- a/Tests/Unit/Tools/WikiPages.tests.ps1 +++ b/Tests/Unit/Tools/WikiPages.tests.ps1 @@ -1,5 +1,5 @@ -$unitTestRoot = Split-Path -Path $PSScriptRoot -Parent -. "$unitTestRoot\.tests.header.ps1" +. $PSScriptRoot\.tests.header.ps1 + try { InModuleScope $script:ModuleName { diff --git a/Tools/Release/Release.psm1 b/Tools/Release/Release.psm1 index a102e0bd7..da3c55557 100644 
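Review bot: `$script:modulePath` in the rewritten header is still composed as `$projectRoot\$moduleSection\$moduleName\$moduleName.psm1`, while the rest of this commit moves the module tree under `source\` (the `..\..\source\` defaults in Release.psm1, `.\source\PowerStig.psd1` in build.ps1) and Get-StigDataRootPath in TestHelper.psm1 now resolves the built module under `output\`; if `Module\` moved with `DSCResources\`, every test that dot-sources this header will `Import-Module` a path that no longer exists. Resolving `$script:modulePath` the same way Get-StigDataRootPath does, or at least failing early with `if (-not (Test-Path -Path $script:modulePath)) { throw "Module under test not found at $script:modulePath; build first or fix the header" }`, would make the mismatch obvious instead of surfacing as an import error in every test file. A comment on the triple `Split-Path` such as `# header now lives in Tests\Unit\Tools, so project root is three levels up` would record why that line changed.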
--- a/Tools/Release/Release.psm1 +++ b/Tools/Release/Release.psm1 @@ -825,7 +825,7 @@ function Update-FileHashMarkdown ( [Parameter()] [string[]] - $FileHashPath = (Join-Path -Path $PWD -ChildPath '\StigData\Processed\*.xml'), + $FileHashPath = (Join-Path -Path $PWD -ChildPath 'source\StigData\Processed\*.xml'), [Parameter()] [string] @@ -901,11 +901,11 @@ function Update-PowerSTIGCoverageMarkdown ( [Parameter()] [string[]] - $ProcessedStigPath = (Join-Path -Path $PSScriptRoot -ChildPath '..\..\StigData\Processed\*.xml'), + $ProcessedStigPath = (Join-Path -Path $PSScriptRoot -ChildPath '..\..\source\StigData\Processed\*.xml'), [Parameter()] [string] - $PowerStigWikiPath = (Join-Path -Path $PSScriptRoot -ChildPath '..\..\..\PowerSTIG.wiki\StigDetails'), + $PowerStigWikiPath = (Join-Path -Path $PSScriptRoot -ChildPath '..\..\..\PowerSTIG.wiki\'), [Parameter()] [string[]] @@ -917,7 +917,10 @@ function Update-PowerSTIGCoverageMarkdown throw "$(Split-Path -Path $PowerStigWikiPath) was not detected, check the path and try again." } - $moduleManifest = Join-Path -Path $PSScriptRoot -ChildPath '..\..\PowerStig.psd1' + $stigDetails = Join-Path -Path $PowerStigWikiPath -ChildPath 'StigDetails' + Get-ChildItem -Path $stigDetails -Recurse | Remove-Item -Recurse -Confirm:$false -Force + + $moduleManifest = Join-Path -Path $PSScriptRoot -ChildPath '..\..\source\PowerStig.psd1' $moduleVersion = (Import-PowerShellDataFile -Path $moduleManifest).ModuleVersion $processedStig = Get-ChildItem -Path $ProcessedStigPath -Exclude $Exclude | Select-Object -ExpandProperty FullName $markdownStrings = Import-PowerShellDataFile -Path (Join-Path -Path $PSScriptRoot -ChildPath 'Data.Markdown.psd1') 
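Review bot: The new `Get-ChildItem -Path $stigDetails -Recurse | Remove-Item -Recurse -Confirm:$false -Force` in Update-PowerSTIGCoverageMarkdown deletes everything under a directory derived from the caller-supplied `$PowerStigWikiPath` without checking that `$stigDetails` exists or is the intended wiki folder; the existence check just above it only covers `$PowerStigWikiPath`, and since the default for that parameter changed from `...\PowerSTIG.wiki\StigDetails` to `...\PowerSTIG.wiki\`, a caller still passing the old value now gets a non-existent `StigDetails\StigDetails` path (and later Set-Content failures), while a mistaken directory gets its `StigDetails` subtree wiped. Add `if (-not (Test-Path -Path $stigDetails -PathType Container)) { throw "$stigDetails was not detected, check -PowerStigWikiPath and try again." }` before the delete, and drop `-Recurse` from the Get-ChildItem side so Remove-Item is not handed children of folders it has already removed. The function's parameter block and the tail of its body lie outside these hunks.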
@@ -939,8 +942,9 @@ function Update-PowerSTIGCoverageMarkdown $allStigRuleSevCount = $allStigRuleType | Foreach-Object {$stig.DISASTIG.$_.Rule} | Group-Object -Property severity -NoElement $automatedSevCount = $automatedRuleType | Foreach-Object {$stig.DISASTIG.$_.Rule} | Group-Object -Property severity -NoElement $stigDetailFileName = (Split-Path -Path $stigXml -Leaf) -replace '.xml', '.md' - $stigDetailFilePath = Join-Path -Path $PowerStigWikiPath -ChildPath $stigDetailFileName + $stigDetailFilePath = Join-Path -Path $stigDetails -ChildPath $stigDetailFileName $stigDetailFileLink = $markdownStrings.markdownRuleLink -f ($stigDetailFileName -replace '.md') + [string]$stigAutomatedRulePercentage = ([math]::Round($automatedRuleCount/$allStigRuleCount, 2) * 100) $stigMarkdown = $markdownStrings.markdownSummaryBody -f $stig.DISASTIG.stigid.Replace('_', ' ').Trim(), $stig.DISASTIG.fullversion.Trim(), @@ -953,7 +957,7 @@ function Update-PowerSTIGCoverageMarkdown $stig.DISASTIG.description.Trim(), $automatedRuleCount, $allStigRuleCount, - $([math]::Round($automatedRuleCount/$allStigRuleCount, 2)*100), + $stigAutomatedRulePercentage, ($automatedSevCount | Where-Object {$_.Name -eq 'high'}).Count, ($allStigRuleSevCount | Where-Object {$_.Name -eq 'high'}).Count, ($automatedSevCount | Where-Object {$_.Name -eq 'medium'}).Count, @@ -1009,10 +1013,10 @@ function Update-PowerSTIGCoverageMarkdown Set-Content -Path $stigDetailFilePath -Value $stigDetailContent.ToString().Trim() -Force } - $coverageSummary = Join-Path -Path $PowerStigWikiPath -ChildPath StigCoverageSummary.md + $coverageSummary = Join-Path -Path $stigDetails -ChildPath StigCoverageSummary.md Set-Content -Path $coverageSummary -Value $summaryMarkdownContent.ToString().Trim() -Force - Update-PowerSTIGCoverageSidebar -MarkdownStrings $markdownStrings + Update-PowerSTIGCoverageSidebar -MarkdownStrings $markdownStrings -PowerStigWikiPath $PowerStigWikiPath } <# 
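Review bot: The new `[string]$stigAutomatedRulePercentage = ([math]::Round($automatedRuleCount/$allStigRuleCount, 2) * 100)` rounds first and multiplies afterwards, so the value handed to the markdown template is a double such as `0.57 * 100`, which on PowerShell Core's shortest-round-trip formatting can stringify as `56.99999999999999` rather than `57` (Windows PowerShell's G15 formatting hides this). Multiplying before rounding, `[string]$stigAutomatedRulePercentage = [math]::Round(100 * $automatedRuleCount / $allStigRuleCount)`, yields a whole-number string on both hosts; the unguarded division by `$allStigRuleCount` predates this change but now sits on a line of its own where a `-gt 0` guard would fit naturally. Update-PowerSTIGCoverageMarkdown starts and ends outside this hunk.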
diff --git a/Tools/TestHelper/TestHelper.psm1 b/Tools/TestHelper/TestHelper.psm1 index d870cab62..be13b0de6 100644 --- a/Tools/TestHelper/TestHelper.psm1 +++ b/Tools/TestHelper/TestHelper.psm1 @@ -262,7 +262,10 @@ function Get-StigDataRootPath param ( ) $projectRoot = Split-Path -Path (Split-Path -Path $PsScriptRoot) - return Join-Path -Path $projectRoot -Child 'StigData' + $buildOutput = Join-Path -Path $projectRoot -ChildPath 'output' + $manifestPath = (Get-ChildItem -Path $buildOutput -Filter 'PowerStig.psd1' -Recurse).FullName + $moduleRoot = Split-Path -Path $manifestPath -Parent + return Join-Path -Path $moduleRoot -Child 'StigData' } <# @@ -493,7 +496,7 @@ function Get-DscResourceModuleInfo ) $moduleInfo = @() - $modulePattern = "(?(?<=ModuleName\s)\w+(?=\s))" + $modulePattern = "(?(?<=ModuleName\s)\w+.\w+(?=\s))" $versionPatthern = "(?(?<=ModuleVersion\s)[\d\.]+(?=$))" $importModuleCommands = Select-String -Path $Path -Pattern 'Import-DscResource' -AllMatches 
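Review bot: `(Get-ChildItem -Path $buildOutput -Filter 'PowerStig.psd1' -Recurse).FullName` in Get-StigDataRootPath assumes exactly one manifest under `output\`; with `VersionedOutputDirectory: true` in build.yaml a second local build leaves two, and `output\RequiredModules` is searched as well, so `$manifestPath` becomes an array, `Split-Path` and `Join-Path` fan out with it, and callers receive several roots, while no build at all yields a `Join-Path` against an empty parent. Pick one deterministically and fail loudly otherwise, for example `$manifestPath = Get-ChildItem -Path $buildOutput -Filter 'PowerStig.psd1' -Recurse | Sort-Object -Property LastWriteTime -Descending | Select-Object -First 1 -ExpandProperty FullName` followed by `if (-not $manifestPath) { throw "No built PowerStig.psd1 under $buildOutput; run build.ps1 first." }`. In the second hunk (Get-DscResourceModuleInfo), the dot in `\w+.\w+` is unescaped and so matches any single character, including a space between two words; `\w+(?:\.\w+)*` expresses the dotted-or-plain module name that was presumably intended.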
@@ -509,6 +512,57 @@ function Get-DscResourceModuleInfo return $moduleInfo } +<# + .SYNOPSIS + Set/Creates ps1 file with 'using module' statement in order to dynamically load + Rule specific classes. + + .DESCRIPTION + Sets/Creates a ps1 file with a 'using module' statement with a specified class. + This function is needed for tests due to the 'using' statement accepting either + relative paths and/or fully qualified paths. The build process creates an output + folder with the current version + + .PARAMETER RuleType + The Rule Type to set in the ps1 file. + + .PARAMETER PowerSTIGBuildPath + The path where PowerSTIG module was created. + + .PARAMETER DestinationPath + The path where the ps1 file containing the using statement should reside. +#> +function Set-DynamicClassFile +{ + [CmdletBinding()] + [OutputType()] + param + ( + [Parameter(Mandatory = $true)] + [string[]] + $ClassModuleFileName, + + [Parameter(Mandatory = $true)] + [ValidateScript({Test-Path -Path $_})] + [string] + $PowerStigBuildPath, + + [Parameter(Mandatory = $true)] + [string] + $DestinationPath + ) + + $stringBuilder = [System.Text.StringBuilder]::new() + foreach ($class in $ClassModuleFileName) + { + $classModulePath = (Get-ChildItem -Path $PowerStigBuildPath -Filter $class -Recurse).FullName + $usingStatement = 'using module {0}' -f $classModulePath + [void] $stringBuilder.AppendLine($usingStatement) + } + + Set-Content -Value $stringBuilder.ToString() -Path $DestinationPath +} + Export-ModuleMember -Function @( 'Split-TestStrings' 'Get-StigDataRootPath' @@ -523,4 +577,5 @@ Export-ModuleMember -Function @( 'Get-ValidStigVersionNumbers' 'Test-AutomatableRuleType' 'Get-DscResourceModuleInfo' + 'Set-DynamicClassFile' ) diff --git a/appveyor.yml b/appveyor.yml deleted file mode 100644 index 3b2bdad13..000000000 --- a/appveyor.yml +++ /dev/null 
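Review bot: The comment-based help for Set-DynamicClassFile documents `.PARAMETER RuleType`, but the parameter is `$ClassModuleFileName` (a `[string[]]`), so Get-Help will show a parameter that does not exist and leave the real one undescribed; the `.SYNOPSIS` also stops mid-thought after "output folder with the current version". More importantly, `(Get-ChildItem -Path $PowerStigBuildPath -Filter $class -Recurse).FullName` is written straight into a `using module {0}` line: when nothing matches the generated file contains a bare `using module ` that only fails when some test later parses it, and when several versions match the paths are joined into one line. Resolve a single match, fail at generation time, and (if the build path can contain spaces) quote the path in the statement, which `using module` accepts as a string literal.
```powershell
foreach ($class in $ClassModuleFileName)
{
    $classModulePath = Get-ChildItem -Path $PowerStigBuildPath -Filter $class -Recurse |
        Select-Object -First 1 -ExpandProperty FullName
    if (-not $classModulePath)
    {
        throw "Class module '$class' was not found under '$PowerStigBuildPath'."
    }
    $usingStatement = "using module '{0}'" -f $classModulePath
    [void] $stringBuilder.AppendLine($usingStatement)
}
# … unchanged: Set-Content of the generated file …
```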
@@ -1,63 +0,0 @@ -# Notes: -# - Minimal appveyor.yml file is an empty file. All sections are optional. -# - Indent each level of configuration with 2 spaces. Do not use tabs! -# - All section names are case-sensitive. -# - Section names should be unique on each level. - -#---------------------------------# -# general configuration # -#---------------------------------# - -version: 4.0.0.{build} - -skip_commits: - files: - - '**/*.md' - - .github/* - -#---------------------------------# -# environment configuration # -#---------------------------------# - -install: - - ps: Write-Verbose -Message "PowerShell version $($PSVersionTable.PSVersion)" -Verbose - - ps: (Import-PowerShellDataFile "$env:APPVEYOR_BUILD_FOLDER\PowerStig.psd1").RequiredModules | - ForEach-Object { Install-Module $PSItem.moduleName -RequiredVersion $PSItem.ModuleVersion -Repository PSGallery -Scope CurrentUser -Force } - - git clone https://github.com/PowerShell/DscResource.Tests - - ps: Import-Module "$env:APPVEYOR_BUILD_FOLDER\DscResource.Tests\AppVeyor.psm1" - - ps: Import-Module "$env:APPVEYOR_BUILD_FOLDER\Tools\AppVeyor\AppVeyor.psm1" - - ps: Invoke-AppveyorInstallTask - -#---------------------------------# -# build configuration # -#---------------------------------# - -build: false - -#---------------------------------# -# test configuration # -#---------------------------------# - -test_script: - - ps: | - Invoke-AppveyorTestScriptTask -CodeCoverage -CodeCovIo -ExcludeTag @('tools') - -#---------------------------------# -# deployment configuration # -#---------------------------------# - -# Scripts to run before deployment -before_deploy: - - ps: Invoke-PowerStigAppveyorAfterTestTask - -for: -- - branches: - only: - - master - - deploy: - - provider: Environment - name: Test PS Gallery - on: - appveyor_repo_tag: true diff --git a/azure-pipelines.yml b/azure-pipelines.yml new file mode 100644 index 000000000..13e94b634 --- /dev/null +++ b/azure-pipelines.yml 
@@ -0,0 +1,223 @@ +trigger: + branches: + include: + - "*" + paths: + exclude: + - CHANGELOG.md + tags: + include: + - "v*" + exclude: + - "*-*" + +stages: + - stage: Build + jobs: + - job: Package_Module + displayName: 'Package Module' + pool: + vmImage: 'windows-2019' + steps: + - task: GitVersion@5 + name: gitVersion + displayName: 'Evaluate Next Version' + inputs: + runtime: 'core' + configFilePath: 'GitVersion.yml' + + - task: PowerShell@2 + name: package + displayName: 'Build & Package Module' + inputs: + filePath: './build.ps1' + arguments: '-ResolveDependency -tasks pack' + pwsh: true + env: + ModuleVersion: $(gitVersion.NuGetVersionV2) + + - task: PublishBuildArtifacts@1 + displayName: 'Publish Build Artifact' + inputs: + pathToPublish: 'output/' + artifactName: 'output' + publishLocation: 'Container' + + - stage: Test + dependsOn: Build + jobs: + - job: Test_HQRM + displayName: 'High Quality Resource Module' + pool: + vmImage: 'windows-2019' + timeoutInMinutes: 0 + steps: + - task: DownloadBuildArtifacts@0 + displayName: 'Download Build Artifact' + inputs: + buildType: 'current' + downloadType: 'single' + artifactName: 'output' + downloadPath: '$(Build.SourcesDirectory)' + - task: PowerShell@2 + name: test + displayName: 'Run HQRM Test' + inputs: + filePath: './build.ps1' + arguments: '-Tasks hqrmtest' + pwsh: false + - task: PublishTestResults@2 + displayName: 'Publish Test Results' + condition: succeededOrFailed() + inputs: + testResultsFormat: 'NUnit' + testResultsFiles: 'output/testResults/NUnit*.xml' + testRunTitle: 'HQRM' + + - job: Test_Unit + displayName: 'Unit' + pool: + vmImage: 'windows-2019' + timeoutInMinutes: 0 + steps: + - task: DownloadBuildArtifacts@0 + displayName: 'Download Build Artifact' + inputs: + buildType: 'current' + downloadType: 'single' + artifactName: 'output' + downloadPath: '$(Build.SourcesDirectory)' + + - task: PowerShell@2 + name: test + displayName: 'Run Unit Test' + inputs: + filePath: './build.ps1' + arguments: 
"-Tasks test -PesterScript 'tests/Unit'" + pwsh: false + + - task: PublishTestResults@2 + displayName: 'Publish Test Results' + condition: succeededOrFailed() + inputs: + testResultsFormat: 'NUnit' + testResultsFiles: 'output/testResults/NUnit*.xml' + testRunTitle: 'Unit (Windows Server Core)' + + - task: PublishBuildArtifacts@1 + displayName: 'Publish Test Artifact' + inputs: + pathToPublish: 'output/testResults/' + artifactName: 'testResults' + publishLocation: 'Container' + + - job: Test_Integration + displayName: 'Integration' + pool: + vmImage: 'windows-2019' + timeoutInMinutes: 0 + steps: + - task: DownloadBuildArtifacts@0 + displayName: 'Download Build Artifact' + inputs: + buildType: 'current' + downloadType: 'single' + artifactName: 'output' + downloadPath: '$(Build.SourcesDirectory)' + + - task: PowerShell@2 + name: configureWinRM + displayName: 'Configure WinRM' + inputs: + targetType: 'inline' + script: 'winrm quickconfig -quiet' + pwsh: false + + - task: PowerShell@2 + name: test + displayName: 'Run Integration Test' + inputs: + filePath: './build.ps1' + arguments: "-Tasks test -PesterScript 'tests/Integration' -CodeCoverageThreshold 0" + pwsh: false + + - task: PublishTestResults@2 + displayName: 'Publish Test Results' + condition: succeededOrFailed() + inputs: + testResultsFormat: 'NUnit' + testResultsFiles: 'output/testResults/NUnit*.xml' + testRunTitle: 'Integration (Windows Server Core)' + + - job: Code_Coverage + displayName: 'Publish Code Coverage' + dependsOn: Test_Unit + pool: + vmImage: 'ubuntu 16.04' + timeoutInMinutes: 0 + steps: + - pwsh: | + $repositoryOwner,$repositoryName = $env:BUILD_REPOSITORY_NAME -split '/' + echo "##vso[task.setvariable variable=RepositoryOwner;isOutput=true]$repositoryOwner" + echo "##vso[task.setvariable variable=RepositoryName;isOutput=true]$repositoryName" + name: dscBuildVariable + displayName: 'Set Environment Variables' + - task: DownloadBuildArtifacts@0 + displayName: 'Download Build Artifact' + inputs: + 
buildType: 'current' + downloadType: 'single' + artifactName: 'output' + downloadPath: '$(Build.SourcesDirectory)' + + - task: DownloadBuildArtifacts@0 + displayName: 'Download Test Artifact' + inputs: + buildType: 'current' + downloadType: 'single' + artifactName: 'testResults' + downloadPath: '$(Build.SourcesDirectory)/output' + + - task: PublishCodeCoverageResults@1 + displayName: 'Publish Code Coverage' + condition: succeededOrFailed() + inputs: + codeCoverageTool: 'JaCoCo' + summaryFileLocation: 'output/testResults/JaCoCo_coverage.xml' + pathToSources: '$(Build.SourcesDirectory)/output/$(dscBuildVariable.RepositoryName)' + - script: | + bash <(curl -s https://codecov.io/bash) -f "./output/testResults/JaCoCo_coverage.xml" + displayName: 'Upload to Codecov.io' + condition: succeededOrFailed() + + - stage: Deploy + dependsOn: Test + condition: | + and( + succeeded(), + or( + eq(variables['Build.SourceBranch'], 'refs/heads/master'), + startsWith(variables['Build.SourceBranch'], 'refs/tags/') + ) + ) + jobs: + - job: Deploy_Module + displayName: 'Deploy Module' + pool: + vmImage: 'windows-2019' + steps: + - task: DownloadBuildArtifacts@0 + displayName: 'Download Build Artifact' + inputs: + buildType: 'current' + downloadType: 'single' + artifactName: 'output' + downloadPath: '$(Build.SourcesDirectory)' + - task: PowerShell@2 + name: publishRelease + displayName: 'Publish Release' + inputs: + filePath: './build.ps1' + arguments: '-tasks publish' + env: + GalleryApiToken: $(GalleryApiToken) diff --git a/build.ps1 b/build.ps1 new file mode 100644 index 000000000..81fe87ece --- /dev/null +++ b/build.ps1 
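Review bot: The `Upload to Codecov.io` step executes `bash <(curl -s https://codecov.io/bash)`, fetching an unpinned script from the network on every run and, because `-s` is used without `--fail`, feeding whatever the server returns to bash even on an error response. Since the coverage file is already published as the `testResults` artifact, a pinned uploader release whose published checksum is verified before execution (or at minimum `curl -fsSL` plus a checksum comparison) keeps a third-party change out of the pipeline's execution path. Passing `GalleryApiToken` through `env:` in the Deploy job is the right way to expose the secret to build.ps1; a one-line comment above the stage's `condition:` stating that only `master` and tags publish would help readers of the 200-line file.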
@@ -0,0 +1,422 @@ +<# + +.DESCRIPTION + Bootstrap and build script for PowerShell module pipeline + +#> +[CmdletBinding()] +param +( + [Parameter(Position = 0)] + [string[]]$Tasks = '.', + + [Parameter()] + [String] + $CodeCoverageThreshold = '', + + [Parameter()] + [validateScript( + { Test-Path -Path $_ } + )] + $BuildConfig, + + [Parameter()] + # A Specific folder to build the artefact into. + $OutputDirectory = 'output', + + [Parameter()] + # Subdirectory name to build the module (under $OutputDirectory) + $BuiltModuleSubdirectory = '', + + # Can be a path (relative to $PSScriptRoot or absolute) to tell Resolve-Dependency & PSDepend where to save the required modules, + # or use CurrentUser, AllUsers to target where to install missing dependencies + # You can override the value for PSDepend in the Build.psd1 build manifest + # This defaults to $OutputDirectory/modules (by default: ./output/modules) + [Parameter()] + $RequiredModulesDirectory = $(Join-Path 'output' 'RequiredModules'), + + [Parameter()] + [object[]] + $PesterScript, + + # Filter which tags to run when invoking Pester tests + # This is used in the Invoke-Pester.pester.build.ps1 tasks + [Parameter()] + [string[]] + $PesterTag, + + # Filter which tags to exclude when invoking Pester tests + # This is used in the Invoke-Pester.pester.build.ps1 tasks + [Parameter()] + [string[]] + $PesterExcludeTag, + + # Filter which tags to run when invoking DSC Resource tests + # This is used in the DscResource.Test.build.ps1 tasks + [Parameter()] + [string[]] + $DscTestTag, + + # Filter which tags to exclude when invoking DSC Resource tests + # This is used in the DscResource.Test.build.ps1 tasks + [Parameter()] + [string[]] + $DscTestExcludeTag, + + [Parameter()] + [Alias('bootstrap')] + [switch]$ResolveDependency, + + [Parameter(DontShow)] + [AllowNull()] + $BuildInfo, + + [Parameter()] + [switch] + $AutoRestore +) + +# The BEGIN block (at the end of this file) handles the Bootstrap of the Environment before 
Invoke-Build can run the tasks +# if the -ResolveDependency (aka Bootstrap) is specified, the modules are already available, and can be auto loaded + +process +{ + + if ($MyInvocation.ScriptName -notLike '*Invoke-Build.ps1') + { + # Only run the process block through InvokeBuild (Look at the Begin block at the bottom of this script) + return + } + + # Execute the Build Process from the .build.ps1 path. + Push-Location -Path $PSScriptRoot -StackName BeforeBuild + + try + { + Write-Host -ForeGroundColor magenta "[build] Parsing defined tasks" + + # Load Default BuildInfo if not provided as parameter + if (!$PSBoundParameters.ContainsKey('BuildInfo')) + { + try + { + if (Test-Path $BuildConfig) + { + $ConfigFile = (Get-Item -Path $BuildConfig) + Write-Host "[build] Loading Configuration from $ConfigFile" + $BuildInfo = switch -Regex ($ConfigFile.Extension) + { + # Native Support for PSD1 + '\.psd1' + { + Import-PowerShellDataFile -Path $BuildConfig + } + # Support for yaml when module PowerShell-Yaml is available + '\.[yaml|yml]' + { + Import-Module -ErrorAction Stop -Name 'powershell-yaml' + ConvertFrom-Yaml -Yaml (Get-Content -Raw $ConfigFile) + } + # Native Support for JSON and JSONC (by Removing comments) + '\.[json|jsonc]' + { + $JSONC = (Get-Content -Raw -Path $ConfigFile) + $JSON = $JSONC -replace '(?m)\s*//.*?$' -replace '(?ms)/\*.*?\*/' + # This should probably be converted to hashtable for splatting + $JSON | ConvertFrom-Json + } + default + { + Write-Error "Extension '$_' not supported. using @{}" + @{ } + } + } + } + else + { + Write-Host -Object "Configuration file $BuildConfig not found" -ForegroundColor Red + $BuildInfo = @{ } + } + } + catch + { + Write-Host -Object "Error loading Config $ConfigFile.`r`n Are you missing dependencies?" 
-ForegroundColor Yellow + Write-Host -Object "Make sure you run './build.ps1 -ResolveDependency -tasks noop' to restore the Required modules the first time" -ForegroundColor Yellow + $BuildInfo = @{ } + Write-Error $_.Exception.Message + } + } + + # If the Invoke-Build Task Header is specified in the Build Info, set it + if ($BuildInfo.TaskHeader) + { + Set-BuildHeader ([scriptblock]::Create($BuildInfo.TaskHeader)) + } + + # Import Tasks from modules via their exported aliases when defined in BUild Manifest + # https://github.com/nightroman/Invoke-Build/tree/master/Tasks/Import#example-2-import-from-a-module-with-tasks + if ($BuildInfo.containsKey('ModuleBuildTasks')) + { + foreach ($Module in $BuildInfo['ModuleBuildTasks'].Keys) + { + try + { + Write-Host -ForegroundColor DarkGray -Verbose "Importing tasks from module $Module" + $LoadedModule = Import-Module $Module -PassThru -ErrorAction Stop + foreach ($TaskToExport in $BuildInfo['ModuleBuildTasks'].($Module)) + { + $LoadedModule.ExportedAliases.GetEnumerator().Where{ + # using -like to support wildcard + Write-Host -ForegroundColor DarkGray "`t Loading $($_.Key)..." + $_.Key -like $TaskToExport + }.ForEach{ + # Dot sourcing the Tasks via their exported aliases + . (Get-Alias $_.Key) + } + } + } + catch + { + Write-Host -ForegroundColor Red -Object "Could not load tasks for module $Module." + Write-Error $_ + } + } + } + + # Loading Build Tasks defined in the .build/ folder (will override the ones imported above if same task name) + Get-ChildItem -Path ".build/" -Recurse -Include *.ps1 -ErrorAction Ignore | ForEach-Object { + "Importing file $($_.BaseName)" | Write-Verbose + . $_.FullName + } + + # Synopsis: Empty task, useful to test the bootstrap process + task noop { } + + # Define default task sequence ("."), can be overridden in the $BuildInfo + task . 
{ + Write-Build Yellow "No sequence currently defined for the default task" + } + + # Load Invoke-Build task sequences/workflows from $BuildInfo + Write-Host -ForegroundColor DarkGray "Adding Workflow from configuration:" + foreach ($Workflow in $BuildInfo.BuildWorkflow.keys) + { + Write-Verbose "Creating Build Workflow '$Workflow' with tasks $($BuildInfo.BuildWorkflow.($Workflow) -join ', ')" + $WorkflowItem = $BuildInfo.BuildWorkflow.($Workflow) + if ($WorkflowItem.Trim() -match '^\{(?[\w\W]*)\}$') + { + $WorkflowItem = [ScriptBlock]::Create($Matches['sb']) + } + Write-Host -ForegroundColor DarkGray " +-> $Workflow" + task $Workflow $WorkflowItem + } + + Write-Host -ForeGroundColor magenta "[build] Executing requested workflow: $($Tasks -join ', ')" + + } + finally + { + Pop-Location -StackName BeforeBuild + } +} + +Begin +{ + # dynamically build the required module data file based on PowerStig.psd1 module manifest + $requiredModulesContent = @' +@{ + # Set up a mini virtual environment... 
+ PSDependOptions = @{ + AddToPath = $true + Target = 'output\RequiredModules' + Parameters = @{ + + } + } + + InvokeBuild = 'latest' + PSScriptAnalyzer = 'latest' + Pester = '4.10.1' + Plaster = 'latest' + ModuleBuilder = '1.0.0' + ChangelogManagement = 'latest' + Sampler = '0.104.0' + xDSCResourceDesigner = 'latest' + PSPKI = 'latest' + MarkdownLinkCheck = 'latest' + 'DscResource.Test' = '0.13.1' + 'DscResource.AnalyzerRules' = 'latest' + 'powershell-yaml' = 'latest' + # The modules below are dynamically inserted from the Begin block of .\build.ps1 + +'@ + + $stringBuilder = New-Object -TypeName System.Text.StringBuilder -ArgumentList $requiredModulesContent + $powerStigModuleManifest = Import-PowerShellDataFile -Path (Join-Path -Path $PSScriptRoot -ChildPath '.\source\PowerStig.psd1') + $powerStigRequiredModule = $powerStigModuleManifest.RequiredModules + foreach ($requiredModule in $powerStigRequiredModule) + { + $moduleInfo = " '{0}' = '{1}'" -f $requiredModule.ModuleName, $requiredModule.ModuleVersion + [void] $stringBuilder.AppendLine($moduleInfo) + } + + [void] $stringBuilder.AppendLine("}`n`r") + Set-Content -Path (Join-Path -Path $PSScriptRoot -ChildPath 'RequiredModules.psd1') -Value $stringBuilder.ToString() -Encoding UTF8 + + # Find build config if not specified + if (-not $BuildConfig) { + $config = Get-ChildItem -Path "$PSScriptRoot\*" -Include 'build.y*ml', 'build.psd1', 'build.json*' -ErrorAction:Ignore + if (-not $config -or ($config -is [array] -and $config.Length -le 0)) { + throw "No build configuration found. Specify path via -BuildConfig" + } + elseif ($config -is [array]) { + if ($config.Length -gt 1) { + throw "More than one build configuration found. 
Specify which one to use via -BuildConfig" + } + $BuildConfig = $config[0] + } + else { + $BuildConfig = $config + } + } + # Bootstrapping the environment before using Invoke-Build as task runner + + if ($MyInvocation.ScriptName -notLike '*Invoke-Build.ps1') + { + Write-Host -foregroundColor Green "[pre-build] Starting Build Init" + Push-Location $PSScriptRoot -StackName BuildModule + } + + if ($RequiredModulesDirectory -in @('CurrentUser', 'AllUsers')) + { + # Installing modules instead of saving them + Write-Host -foregroundColor Green "[pre-build] Required Modules will be installed for $RequiredModulesDirectory, not saved." + # Tell Resolve-Dependency to use provided scope as the -PSDependTarget if not overridden in Build.psd1 + $PSDependTarget = $RequiredModulesDirectory + } + else + { + if (-Not (Split-Path -IsAbsolute -Path $OutputDirectory)) + { + $OutputDirectory = Join-Path -Path $PSScriptRoot -ChildPath $OutputDirectory + } + + # Resolving the absolute path to save the required modules to + if (-Not (Split-Path -IsAbsolute -Path $RequiredModulesDirectory)) + { + $RequiredModulesDirectory = Join-Path -Path $PSScriptRoot -ChildPath $RequiredModulesDirectory + } + + # Create the output/modules folder if not exists, or resolve the Absolute path otherwise + if (Resolve-Path $RequiredModulesDirectory -ErrorAction SilentlyContinue) + { + Write-Debug "[pre-build] Required Modules path already exist at $RequiredModulesDirectory" + $RequiredModulesPath = Convert-Path $RequiredModulesDirectory + } + else + { + Write-Host -foregroundColor Green "[pre-build] Creating required modules directory $RequiredModulesDirectory." 
+ $RequiredModulesPath = (New-Item -ItemType Directory -Force -Path $RequiredModulesDirectory).FullName + } + + # Prepending $RequiredModulesPath folder to PSModulePath to resolve from this folder FIRST + if ($RequiredModulesDirectory -notIn @('CurrentUser', 'AllUsers') -and + (($Env:PSModulePath -split [io.path]::PathSeparator) -notContains $RequiredModulesDirectory)) + { + Write-Host -foregroundColor Green "[pre-build] Prepending '$RequiredModulesDirectory' folder to PSModulePath" + $Env:PSModulePath = $RequiredModulesDirectory + [io.path]::PathSeparator + $Env:PSModulePath + } + + # Checking if the user should -ResolveDependency + if ((!(Get-Module -ListAvailable powershell-yaml) -or !(Get-Module -ListAvailable InvokeBuild) -or !(Get-Module -ListAvailable PSDepend)) -and !$ResolveDependency) + { + if ($AutoRestore -or !$PSBoundParameters.ContainsKey('Tasks') -or $Tasks -contains 'build') + { + Write-Host -ForegroundColor Yellow "[pre-build] Dependency missing, running './build.ps1 -ResolveDependency -Tasks noop' for you `r`n" + $ResolveDependency = $true + } + else + { + Write-Warning "Some required Modules are missing, make sure you first run with the '-ResolveDependency' parameter." + Write-Warning "Running 'build.ps1 -ResolveDependency -Tasks noop' will pull required modules without running the build task." 
+ } + } + + if ($BuiltModuleSubdirectory) + { + if (-Not (Split-Path -IsAbsolute $BuiltModuleSubdirectory)) + { + $BuildModuleOutput = Join-Path $OutputDirectory $BuiltModuleSubdirectory + } + else + { + $BuildModuleOutput = $BuiltModuleSubdirectory + } + } + else + { + $BuildModuleOutput = $OutputDirectory + } + + # Prepending $BuildModuleOutput folder to PSModulePath to resolve built module from this folder + if (($Env:PSModulePath -split [io.path]::PathSeparator) -notContains $BuildModuleOutput) + { + Write-Host -foregroundColor Green "[pre-build] Prepending '$BuildModuleOutput' folder to PSModulePath" + $Env:PSModulePath = $BuildModuleOutput + [io.path]::PathSeparator + $Env:PSModulePath + } + + # Tell Resolve-Dependency to use $RequiredModulesPath as -PSDependTarget if not overridden in Build.psd1 + $PSDependTarget = $RequiredModulesPath + } + + if ($ResolveDependency) + { + Write-Host -Object "[pre-build] Resolving dependencies." -foregroundColor Green + $ResolveDependencyParams = @{ } + + # If BuildConfig is a Yaml file, bootstrap powershell-yaml via ResolveDependency + if ($BuildConfig -match '\.[yaml|yml]$') + { + $ResolveDependencyParams.add('WithYaml', $True) + } + + $ResolveDependencyAvailableParams = (Get-Command -Name '.\Resolve-Dependency.ps1').parameters.keys + foreach ($CmdParameter in $ResolveDependencyAvailableParams) + { + + # The parameter has been explicitly used for calling the .build.ps1 + if ($MyInvocation.BoundParameters.ContainsKey($CmdParameter)) + { + $ParamValue = $MyInvocation.BoundParameters.ContainsKey($CmdParameter) + Write-Debug " adding $CmdParameter :: $ParamValue [from user-provided parameters to Build.ps1]" + $ResolveDependencyParams.Add($CmdParameter, $ParamValue) + } + # Use defaults parameter value from Build.ps1, if any + else + { + if ($ParamValue = Get-Variable -Name $CmdParameter -ValueOnly -ErrorAction Ignore) + { + Write-Debug " adding $CmdParameter :: $ParamValue [from default Build.ps1 variable]" + 
$ResolveDependencyParams.add($CmdParameter, $ParamValue) + } + } + } + + Write-Host -foregroundColor Green "[pre-build] Starting bootstrap process." + .\Resolve-Dependency.ps1 @ResolveDependencyParams + } + + if ($MyInvocation.ScriptName -notLike '*Invoke-Build.ps1') + { + Write-Verbose "Bootstrap completed. Handing back to InvokeBuild." + if ($PSBoundParameters.ContainsKey('ResolveDependency')) + { + Write-Verbose "Dependency already resolved. Removing task" + $null = $PSBoundParameters.Remove('ResolveDependency') + } + Write-Host -foregroundColor Green "[build] Starting build with InvokeBuild." + Invoke-Build @PSBoundParameters -Task $Tasks -File $MyInvocation.MyCommand.Path + Pop-Location -StackName BuildModule + return + } +} diff --git a/build.yaml b/build.yaml new file mode 100644 index 000000000..9ffc410a7 --- /dev/null +++ b/build.yaml 
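Review bot: In the Resolve-Dependency parameter loop near the end of the Begin block, `$ParamValue = $MyInvocation.BoundParameters.ContainsKey($CmdParameter)` stores the boolean result of ContainsKey rather than the bound value, so any parameter the user passes explicitly (for example `-RequiredModulesDirectory` or `-BuildConfig`) reaches Resolve-Dependency.ps1 as `$true`; it should read `$ParamValue = $MyInvocation.BoundParameters[$CmdParameter]`. Separately, the generated RequiredModules.psd1 pins only Pester, ModuleBuilder, Sampler and DscResource.Test while the remaining entries resolve to `'latest'` from the gallery on every bootstrap, so builds are not reproducible and a gallery-side change lands in CI unreviewed; since the file is regenerated from this here-string each run, the pins belong here. The `'\.[yaml|yml]'` and `'\.[json|jsonc]'` branches of the `switch -Regex` are character classes rather than alternations and only test the first character after the dot, which happens to work for these extensions but deserves `'\.ya?ml$'` and `'\.jsonc?$'` or a comment.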
@@ -0,0 +1,90 @@ +--- +#################################################### +# ModuleBuilder Configuration # +#################################################### + +CopyDirectories: + - DSCResources + - Module + - StigData +Encoding: UTF8 # With BOM in WinPS, noBOM in PSCore. +VersionedOutputDirectory: true + +#################################################### +# Sampler Pipeline Configuration # +#################################################### + +# Defining 'Workflows' (suite of InvokeBuild tasks) to be run using their alias +BuildWorkflow: + '.': # "." is the default Invoke-Build workflow. It is called when no -Tasks is specified to the build.ps1 + - build + - test + + build: + - Clean + - Build_Module_ModuleBuilder + - Build_NestedModules_ModuleBuilder + - Create_changelog_release_output + + pack: + - build + - package_module_nupkg + + hqrmtest: + - DscResource_Tests_Stop_On_Fail + + test: + - Pester_Tests_Stop_On_Fail + - Pester_if_Code_Coverage_Under_Threshold + + publish: + - Publish_release_to_GitHub + - publish_module_to_gallery # runs if nuget is not available + +#################################################### +# PESTER Configuration # +#################################################### + +Pester: + OutputFormat: NUnitXML + + # Will look at every *.ps1 & *.psm1 under ModulePath, excepts when $_.FullName -match (Join-Path $ProjectPath $ExcludeFromCodeCoverageItem) + ExcludeFromCodeCoverage: + - DSCResources + Script: + - tests/Unit + ExcludeTag: + Tag: + CodeCoverageThreshold: 55 # Set to 0 to bypass + CodeCoverageOutputFile: JaCoCo_coverage.xml + CodeCoverageOutputFileEncoding: ascii + +DscTest: + ExcludeTag: + - "Common Tests - New Error-Level Script Analyzer Rules" + - "Common Tests - Validate Localization" + Tag: + ExcludeSourceFile: + - output + ExcludeModuleFile: + +Resolve-Dependency: + Gallery: 'PSGallery' + AllowPrerelease: false + Verbose: false + +ModuleBuildTasks: + Sampler: + - '*.build.Sampler.ib.tasks' + +# Invoke-Build Header 
to be used to 'decorate' the terminal output of the tasks. +TaskHeader: | + param($Path) + "" + "=" * 79 + Write-Build Cyan "`t`t`t$($Task.Name.replace("_"," ").ToUpper())" + Write-Build DarkGray "$(Get-BuildSynopsis $Task)" + "-" * 79 + Write-Build DarkGray " $Path" + Write-Build DarkGray " $($Task.InvocationInfo.ScriptName):$($Task.InvocationInfo.ScriptLineNumber)" + "" diff --git a/DSCResources/ActiveDirectory.md b/source/DSCResources/ActiveDirectory.md similarity index 100% rename from DSCResources/ActiveDirectory.md rename to source/DSCResources/ActiveDirectory.md diff --git a/DSCResources/Adobe/Adobe.psd1 b/source/DSCResources/Adobe/Adobe.psd1 similarity index 100% rename from DSCResources/Adobe/Adobe.psd1 rename to source/DSCResources/Adobe/Adobe.psd1 diff --git a/DSCResources/Adobe/Adobe.schema.psm1 b/source/DSCResources/Adobe/Adobe.schema.psm1 similarity index 100% rename from DSCResources/Adobe/Adobe.schema.psm1 rename to source/DSCResources/Adobe/Adobe.schema.psm1 diff --git a/DSCResources/DotNetFramework/DotNetFramework.psd1 b/source/DSCResources/DotNetFramework/DotNetFramework.psd1 similarity index 100% rename from DSCResources/DotNetFramework/DotNetFramework.psd1 rename to source/DSCResources/DotNetFramework/DotNetFramework.psd1 diff --git a/DSCResources/DotNetFramework/DotNetFramework.schema.psm1 b/source/DSCResources/DotNetFramework/DotNetFramework.schema.psm1 similarity index 100% rename from DSCResources/DotNetFramework/DotNetFramework.schema.psm1 rename to source/DSCResources/DotNetFramework/DotNetFramework.schema.psm1 diff --git a/DSCResources/FireFox/FireFox.psd1 b/source/DSCResources/FireFox/FireFox.psd1 similarity index 100% rename from DSCResources/FireFox/FireFox.psd1 rename to source/DSCResources/FireFox/FireFox.psd1 
diff --git a/DSCResources/FireFox/FireFox.schema.psm1 b/source/DSCResources/FireFox/FireFox.schema.psm1 similarity index 100% rename from DSCResources/FireFox/FireFox.schema.psm1 rename to source/DSCResources/FireFox/FireFox.schema.psm1 diff --git a/DSCResources/IisServer/IisServer.psd1 b/source/DSCResources/IisServer/IisServer.psd1 similarity index 100% rename from DSCResources/IisServer/IisServer.psd1 rename to source/DSCResources/IisServer/IisServer.psd1 diff --git a/DSCResources/IisServer/IisServer.schema.psm1 b/source/DSCResources/IisServer/IisServer.schema.psm1 similarity index 99% rename from DSCResources/IisServer/IisServer.schema.psm1 rename to source/DSCResources/IisServer/IisServer.schema.psm1 index 2a7130f2e..a6e5579f8 100644 --- a/DSCResources/IisServer/IisServer.schema.psm1 +++ b/source/DSCResources/IisServer/IisServer.schema.psm1 @@ -33,7 +33,7 @@ using module ..\..\PowerStig.psm1 configuration IisServer { [CmdletBinding()] - Param + param ( [Parameter(Mandatory = $true)] [ValidateNotNullOrEmpty()] diff --git a/DSCResources/IisSite/IisSite.psd1 b/source/DSCResources/IisSite/IisSite.psd1 similarity index 100% rename from DSCResources/IisSite/IisSite.psd1 rename to source/DSCResources/IisSite/IisSite.psd1 diff --git a/DSCResources/IisSite/IisSite.schema.psm1 b/source/DSCResources/IisSite/IisSite.schema.psm1 similarity index 99% rename from DSCResources/IisSite/IisSite.schema.psm1 rename to source/DSCResources/IisSite/IisSite.schema.psm1 index 0aa3585e5..a6c817d46 100644 --- a/DSCResources/IisSite/IisSite.schema.psm1 +++ b/source/DSCResources/IisSite/IisSite.schema.psm1 @@ -36,7 +36,7 @@ using module ..\..\PowerStig.psm1 configuration IisSite { [CmdletBinding()] - Param + param ( [Parameter(Mandatory = $true)] [ValidateNotNullOrEmpty()] 
diff --git a/DSCResources/InternetExplorer/InternetExplorer.psd1 b/source/DSCResources/InternetExplorer/InternetExplorer.psd1
similarity index 100%
rename from DSCResources/InternetExplorer/InternetExplorer.psd1
rename to source/DSCResources/InternetExplorer/InternetExplorer.psd1
diff --git a/DSCResources/InternetExplorer/InternetExplorer.schema.psm1 b/source/DSCResources/InternetExplorer/InternetExplorer.schema.psm1
similarity index 100%
rename from DSCResources/InternetExplorer/InternetExplorer.schema.psm1
rename to source/DSCResources/InternetExplorer/InternetExplorer.schema.psm1
diff --git a/DSCResources/McAfee/McAfee.psd1 b/source/DSCResources/McAfee/McAfee.psd1
similarity index 100%
rename from DSCResources/McAfee/McAfee.psd1
rename to source/DSCResources/McAfee/McAfee.psd1
diff --git a/DSCResources/McAfee/McAfee.schema.psm1 b/source/DSCResources/McAfee/McAfee.schema.psm1
similarity index 100%
rename from DSCResources/McAfee/McAfee.schema.psm1
rename to source/DSCResources/McAfee/McAfee.schema.psm1
diff --git a/DSCResources/Office/Office.psd1 b/source/DSCResources/Office/Office.psd1
similarity index 100%
rename from DSCResources/Office/Office.psd1
rename to source/DSCResources/Office/Office.psd1
diff --git a/DSCResources/Office/Office.schema.psm1 b/source/DSCResources/Office/Office.schema.psm1
similarity index 100%
rename from DSCResources/Office/Office.schema.psm1
rename to source/DSCResources/Office/Office.schema.psm1
diff --git a/DSCResources/OracleJRE/OracleJRE.psd1 b/source/DSCResources/OracleJRE/OracleJRE.psd1
similarity index 100%
rename from DSCResources/OracleJRE/OracleJRE.psd1
rename to source/DSCResources/OracleJRE/OracleJRE.psd1
diff --git a/DSCResources/OracleJRE/OracleJRE.schema.psm1 b/source/DSCResources/OracleJRE/OracleJRE.schema.psm1
similarity index 100%
rename from DSCResources/OracleJRE/OracleJRE.schema.psm1
rename to source/DSCResources/OracleJRE/OracleJRE.schema.psm1
diff --git a/DSCResources/Resources/SqlServer.ScriptQuery.ps1 b/source/DSCResources/Resources/SqlServer.ScriptQuery.ps1 similarity index 85% rename from DSCResources/Resources/SqlServer.ScriptQuery.ps1 rename to source/DSCResources/Resources/SqlServer.ScriptQuery.ps1 index d0e0a5007..c4520f646 100644 --- a/DSCResources/Resources/SqlServer.ScriptQuery.ps1 +++ b/source/DSCResources/Resources/SqlServer.ScriptQuery.ps1 @@ -9,12 +9,15 @@ foreach ($instance in $ServerInstance) { foreach ($db in $Database) { + $getScript = '{0} --{1}' -f $rule.GetScript, $db + foreach ($rule in $rules) { - SqlScriptQuery "$(Get-ResourceTitle -Rule $rule)$instance" + $resourceTitle = '{0}{1}_{2}' -f (Get-ResourceTitle -Rule $rule), $instance, $db + SqlScriptQuery "$resourceTitle" { ServerInstance = $Instance - GetQuery = $rule.GetScript + GetQuery = $getScript TestQuery = $rule.TestScript SetQuery = $rule.SetScript Variable = Format-SqlScriptVariable -Database $db -Variable $($rule.Variable) -VariableValue $($rule.VariableValue) @@ -35,7 +38,7 @@ foreach ($instance in $ServerInstance) TestQuery = $rule.TestScript SetQuery = $rule.SetScript Variable = Format-SqlScriptVariable -Variable $($rule.Variable) -VariableValue $($rule.VariableValue) - } + } continue } diff --git a/source/DSCResources/Resources/Vsphere.VMHostNtpSettings.ps1 b/source/DSCResources/Resources/Vsphere.VMHostNtpSettings.ps1 new file mode 100644 index 000000000..3ce1b5219 --- /dev/null +++ b/source/DSCResources/Resources/Vsphere.VMHostNtpSettings.ps1 @@ -0,0 +1,15 @@ +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. + +$rules = $stig.RuleList | Select-Rule -Type 'VsphereNtpSettingsRule' + +foreach ($rule in $rules) +{ + VmHostNtpSettings (Get-ResourceTitle -Rule $rule) + { + Name = $HostIP + Server = $ServerIP + Credential = $Credential + NtpServer = $rule.NtpServer + } +} 
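Review bot: `$getScript = '{0} --{1}' -f $rule.GetScript, $db` is evaluated before `foreach ($rule in $rules)` begins, so `$rule` at that point is either unset on the first pass or the rule left over from the previous iteration, and every SqlScriptQuery in the inner loop receives the same, wrong GetQuery. Move the assignment to the first statement inside the rule loop so it is computed from the current rule: `foreach ($rule in $rules)` / `{` / `$getScript = '{0} --{1}' -f $rule.GetScript, $db`. The enclosing `foreach ($instance in $ServerInstance)` loop starts outside the hunk, and the second hunk in this file is whitespace only.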
diff --git a/source/DSCResources/Resources/Vsphere.VmHostAcceptanceLevel.ps1 b/source/DSCResources/Resources/Vsphere.VmHostAcceptanceLevel.ps1 new file mode 100644 index 000000000..9eb4d9ccd --- /dev/null +++ b/source/DSCResources/Resources/Vsphere.VmHostAcceptanceLevel.ps1 @@ -0,0 +1,15 @@ +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. + +$rules = $stig.RuleList | Select-Rule -Type 'VsphereAcceptanceLevelRule' + +foreach ($rule in $rules) +{ + VMHostAcceptanceLevel (Get-ResourceTitle -Rule $rule) + { + Name = $HostIP + Server = $ServerIP + Credential = $Credential + Level = $rule.Level + } +} diff --git a/source/DSCResources/Resources/Vsphere.VmHostAdvancedSettings.ps1 b/source/DSCResources/Resources/Vsphere.VmHostAdvancedSettings.ps1 new file mode 100644 index 000000000..70fe62f80 --- /dev/null +++ b/source/DSCResources/Resources/Vsphere.VmHostAdvancedSettings.ps1 @@ -0,0 +1,24 @@ +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. + +$rules = $stig.RuleList | Select-Rule -Type 'VsphereAdvancedSettingsRule' + +$advancedSettings = @{} +foreach ($rule in $rules) +{ + $key, $value = $rule.AdvancedSettings -split ' = ' + if ([string]::IsNullOrEmpty($key) -eq $false) + { + $advancedSettings.Add($key, $value) + } +} + +$resourceTitle = "[$($rules.id -join ' ')]" + +VmHostAdvancedSettings $resourceTitle +{ + Name = $HostIP + Server = $ServerIP + Credential = $Credential + AdvancedSettings = $advancedSettings +} diff --git a/source/DSCResources/Resources/Vsphere.VmHostSNMPAgent.ps1 b/source/DSCResources/Resources/Vsphere.VmHostSNMPAgent.ps1 new file mode 100644 index 000000000..3085b4382 --- /dev/null +++ b/source/DSCResources/Resources/Vsphere.VmHostSNMPAgent.ps1 
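Review bot: In Vsphere.VmHostAdvancedSettings.ps1, `$key, $value = $rule.AdvancedSettings -split ' = '` has no split limit, so a setting whose value itself contains ' = ' is broken into an array that then lands in the hashtable as a multi-element value; `$key, $value = $rule.AdvancedSettings -split ' = ', 2` keeps everything after the first separator intact. `$advancedSettings.Add($key, $value)` also throws on a duplicate key, which is acceptable as a data-error signal but deserves a comment saying so. The VmHostAdvancedSettings resource is emitted unconditionally, so when every VsphereAdvancedSettingsRule is skipped or excepted a block titled `[]` with an empty hashtable is still compiled; guarding the call with `if ($advancedSettings.Count -gt 0)` avoids that, since whether the vSphereDSC resource tolerates an empty AdvancedSettings hashtable is not visible here.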
@@ -0,0 +1,15 @@ +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. + +$rules = $stig.RuleList | Select-Rule -Type 'VsphereSnmpAgentRule' + +foreach ($rule in $rules) +{ + VmHostSnmpAgent (Get-ResourceTitle -Rule $rule) + { + Name = $HostIP + Server = $ServerIP + Credential = $Credential + Enable = [bool] $rule.Enabled + } +} diff --git a/source/DSCResources/Resources/Vsphere.VmHostService.ps1 b/source/DSCResources/Resources/Vsphere.VmHostService.ps1 new file mode 100644 index 000000000..dc8530ab4 --- /dev/null +++ b/source/DSCResources/Resources/Vsphere.VmHostService.ps1 @@ -0,0 +1,17 @@ +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. + +$rules = $stig.RuleList | Select-Rule -Type 'VsphereServiceRule' + +foreach ($rule in $rules) +{ + VmHostService (Get-ResourceTitle -Rule $rule) + { + Name = $HostIP + Server = $ServerIP + Credential = $Credential + Running = $rule.Running + Key = $rule.Key + Policy = $rule.Policy + } +} diff --git a/source/DSCResources/Resources/Vsphere.VmHostVMKernelActiveDumpPartition.ps1 b/source/DSCResources/Resources/Vsphere.VmHostVMKernelActiveDumpPartition.ps1 new file mode 100644 index 000000000..5b736778b --- /dev/null +++ b/source/DSCResources/Resources/Vsphere.VmHostVMKernelActiveDumpPartition.ps1 @@ -0,0 +1,15 @@ +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. + +$rules = $stig.RuleList | Select-Rule -Type 'VsphereKernelActiveDumpPartitionRule' + +foreach ($rule in $rules) +{ + VmHostVMKernelActiveDumpPartition (Get-ResourceTitle -Rule $rule) + { + Name = $HostIP + Server = $ServerIP + Credential = $Credential + Enable = [bool] $rule.Enabled + } +} diff --git a/source/DSCResources/Resources/Vsphere.VmHostVssPortGroupSecurity.ps1 b/source/DSCResources/Resources/Vsphere.VmHostVssPortGroupSecurity.ps1 new file mode 100644 index 000000000..c8b8cacf0 --- /dev/null 
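Review bot: `Enable = [bool] $rule.Enabled` in Vsphere.VmHostSNMPAgent.ps1 and Vsphere.VmHostVMKernelActiveDumpPartition.ps1 relies on a PowerShell cast where any non-empty string, including 'false', converts to $true; if the rule property arrives as text (as XML-loaded rule data typically does, though that is not visible here) a disabled state can never be expressed and the hardening setting is silently inverted. `Enable = [System.Convert]::ToBoolean($rule.Enabled)` parses 'true'/'false' case-insensitively and also accepts an actual [bool]. The same cast appears in Vsphere.VmHostVssSecurity.ps1, Vsphere.VmHostVssPortGroupSecurity.ps1 and for `Force = [bool] $rule.Force` in windows.UserRightsAssignment.ps1, while Vsphere.VmHostService.ps1 passes `Running = $rule.Running` with no conversion at all, so the new resource scripts are inconsistent with one another on this point.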
+++ b/source/DSCResources/Resources/Vsphere.VmHostVssPortGroupSecurity.ps1 @@ -0,0 +1,37 @@ +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. + +$rules = $stig.RuleList | Select-Rule -Type 'VspherePortGroupSecurityRule' + +foreach ($vm in $vmGroup) +{ + foreach ($rule in $rules) + { + if ($rule.AllowPromiscuous) + { + $allowPromiscuousInherited = $rule.AllowPromiscuousInherited + } + if ($rule.ForgedTransmits) + { + $forgedTransmitsInherited = $rule.ForgedTransmitsInherited + } + if ($rule.MacChanges) + { + $macChangesInherited = $rule.MacChangesInherited + } + + $idValue += $rule.id + } + + VmHostVssPortGroupSecurity "$vm-$idValue" + { + Name = $HostIP + Server = $ServerIP + Credential = $Credential + VmHostName = $vm + AllowPromiscuousInherited = [bool] $allowPromiscuousInherited + ForgedTransmitsInherited = [bool] $forgedTransmitsInherited + MacChangesInherited = [bool] $macChangesInherited + Ensure = 'Present' + } +} diff --git a/source/DSCResources/Resources/Vsphere.VmHostVssSecurity.ps1 b/source/DSCResources/Resources/Vsphere.VmHostVssSecurity.ps1 new file mode 100644 index 000000000..5b13c750e --- /dev/null +++ b/source/DSCResources/Resources/Vsphere.VmHostVssSecurity.ps1 
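Review bot: `$idValue += $rule.id` is never reset inside `foreach ($vm in $vmGroup)`, so from the second VM onward the accumulated string carries every earlier VM's rule ids and each resource title (`"$vm-$idValue"`) keeps growing; the three `$...Inherited` variables likewise retain the previous VM's value whenever a later rule does not set them. Add `$idValue = ''` and `$allowPromiscuousInherited = $forgedTransmitsInherited = $macChangesInherited = $null` as the first statements of the outer loop body, and consider collecting the ids in an array and joining them with a separator so the title stays readable. `if ($rule.AllowPromiscuous)` tests truthiness, so a rule whose property is the string 'false' still enters the branch — presumably intended as a presence check, which is worth a one-line comment. Vsphere.VmHostVssSecurity.ps1 in the next hunk has the identical accumulation and reset pattern.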
@@ -0,0 +1,37 @@ +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. + +$rules = $stig.RuleList | Select-Rule -Type 'VsphereVssSecurityRule' + +foreach ($virtualStandardSwitch in $virtualStandardSwitchGroup) +{ + foreach ($rule in $rules) + { + if ($rule.AllowPromiscuous) + { + $allowPromiscuous = $rule.AllowPromiscuous + } + if ($rule.ForgedTransmits) + { + $forgedTransmits = $rule.ForgedTransmits + } + if ($rule.MacChanges) + { + $macChanges = $rule.MacChanges + } + + $idValue += $rule.id + } + + VmHostVssSecurity "$virtualStandardSwitch-$idValue" + { + Name = $HostIP + Server = $ServerIP + Credential = $Credential + VssName = $VirtualStandardSwitch + AllowPromiscuous = [bool] $allowPromiscuous + ForgedTransmits = [bool] $forgedTransmits + MacChanges = [bool] $macChanges + Ensure = 'Present' + } +} diff --git a/DSCResources/Resources/firefox.ReplaceText.ps1 b/source/DSCResources/Resources/firefox.ReplaceText.ps1 similarity index 100% rename from DSCResources/Resources/firefox.ReplaceText.ps1 rename to source/DSCResources/Resources/firefox.ReplaceText.ps1 diff --git a/DSCResources/Resources/oraclejre.KeyValuePairFile.ps1 b/source/DSCResources/Resources/oraclejre.KeyValuePairFile.ps1 similarity index 100% rename from DSCResources/Resources/oraclejre.KeyValuePairFile.ps1 rename to source/DSCResources/Resources/oraclejre.KeyValuePairFile.ps1 diff --git a/DSCResources/Resources/readme.md b/source/DSCResources/Resources/readme.md similarity index 100% rename from DSCResources/Resources/readme.md rename to source/DSCResources/Resources/readme.md diff --git a/DSCResources/Resources/windows.AccessControl.ps1 b/source/DSCResources/Resources/windows.AccessControl.ps1 similarity index 99% rename from DSCResources/Resources/windows.AccessControl.ps1 rename to source/DSCResources/Resources/windows.AccessControl.ps1 index e3afbbf82..11f0cdc65 100644 --- a/DSCResources/Resources/windows.AccessControl.ps1 
+++ b/source/DSCResources/Resources/windows.AccessControl.ps1 @@ -6,7 +6,7 @@ $rules = $stig.RuleList | Select-Rule -Type PermissionRule foreach ($rule in $rules) { # Determine PermissionRule type and handle - Switch ($rule.dscresource) + switch ($rule.dscresource) { 'RegistryAccessEntry' { diff --git a/DSCResources/Resources/windows.AccountPolicy.ps1 b/source/DSCResources/Resources/windows.AccountPolicy.ps1 similarity index 100% rename from DSCResources/Resources/windows.AccountPolicy.ps1 rename to source/DSCResources/Resources/windows.AccountPolicy.ps1 diff --git a/DSCResources/Resources/windows.AuditPolicySubcategory.ps1 b/source/DSCResources/Resources/windows.AuditPolicySubcategory.ps1 similarity index 100% rename from DSCResources/Resources/windows.AuditPolicySubcategory.ps1 rename to source/DSCResources/Resources/windows.AuditPolicySubcategory.ps1 diff --git a/DSCResources/Resources/windows.AuditSetting.ps1 b/source/DSCResources/Resources/windows.AuditSetting.ps1 similarity index 100% rename from DSCResources/Resources/windows.AuditSetting.ps1 rename to source/DSCResources/Resources/windows.AuditSetting.ps1 diff --git a/DSCResources/Resources/windows.ProcessMitigation.ps1 b/source/DSCResources/Resources/windows.ProcessMitigation.ps1 similarity index 100% rename from DSCResources/Resources/windows.ProcessMitigation.ps1 rename to source/DSCResources/Resources/windows.ProcessMitigation.ps1 diff --git a/DSCResources/Resources/windows.RefreshRegistryPolicy.ps1 b/source/DSCResources/Resources/windows.RefreshRegistryPolicy.ps1 similarity index 100% rename from DSCResources/Resources/windows.RefreshRegistryPolicy.ps1 rename to source/DSCResources/Resources/windows.RefreshRegistryPolicy.ps1 diff --git a/DSCResources/Resources/windows.Registry.ps1 b/source/DSCResources/Resources/windows.Registry.ps1 similarity index 100% rename from DSCResources/Resources/windows.Registry.ps1 rename to source/DSCResources/Resources/windows.Registry.ps1 
diff --git a/DSCResources/Resources/windows.Script.RootHint.ps1 b/source/DSCResources/Resources/windows.Script.RootHint.ps1
similarity index 100%
rename from DSCResources/Resources/windows.Script.RootHint.ps1
rename to source/DSCResources/Resources/windows.Script.RootHint.ps1
diff --git a/DSCResources/Resources/windows.Script.skip.ps1 b/source/DSCResources/Resources/windows.Script.skip.ps1
similarity index 100%
rename from DSCResources/Resources/windows.Script.skip.ps1
rename to source/DSCResources/Resources/windows.Script.skip.ps1
diff --git a/DSCResources/Resources/windows.SecurityOption.ps1 b/source/DSCResources/Resources/windows.SecurityOption.ps1
similarity index 100%
rename from DSCResources/Resources/windows.SecurityOption.ps1
rename to source/DSCResources/Resources/windows.SecurityOption.ps1
diff --git a/DSCResources/Resources/windows.Service.ps1 b/source/DSCResources/Resources/windows.Service.ps1
similarity index 100%
rename from DSCResources/Resources/windows.Service.ps1
rename to source/DSCResources/Resources/windows.Service.ps1
diff --git a/source/DSCResources/Resources/windows.UserRightsAssignment.ps1 b/source/DSCResources/Resources/windows.UserRightsAssignment.ps1
new file mode 100644
index 000000000..bccf6e01d
--- /dev/null
+++ b/source/DSCResources/Resources/windows.UserRightsAssignment.ps1
@@ -0,0 +1,69 @@ +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. + +$rules = $stig.RuleList | Select-Rule -Type UserRightRule + +$domainGroupTranslation = @{ + 'Administrators' = 'Builtin\Administrators' + 'Auditors' = '{0}\auditors' + 'Authenticated Users' = 'Authenticated Users' + 'Domain Admins' = '{0}\Domain Admins' + 'Guests' = 'Guests' + 'Local Service' = 'NT Authority\Local Service' + 'Network Service' = 'NT Authority\Network Service' + 'NT Service\WdiServiceHost' = 'NT Service\WdiServiceHost' + 'NULL' = '' + 'Security' = '{0}\security' + 'Service' = 'Service' + 'Window Manager\Window Manager Group' = 'Window Manager\Window Manager Group' +} + +$forestGroupTranslation = @{ + 'Enterprise Admins' = '{0}\Enterprise Admins' + 'Schema Admins' = '{0}\Schema Admins' +} + +if ($DomainName -and $ForestName) +{ + # This requires a local forest and/or domain name to be injected to ensure a valid account name. + $DomainName = PowerStig\Get-DomainName -DomainName $DomainName -Format NetbiosName + $ForestName = PowerStig\Get-DomainName -ForestName $ForestName -Format NetbiosName + + foreach ($rule in $rules) + { + Write-Verbose -Message $rule + $identitySplit = $rule.Identity -split "," + [System.Collections.ArrayList] $identityList = @() + + foreach ($identity in $identitySplit) + { + if ($domainGroupTranslation.Contains($identity)) + { + [void] $identityList.Add($domainGroupTranslation.$identity -f $DomainName ) + } + elseif ($forestGroupTranslation.Contains($identity)) + { + [void] $identityList.Add($forestGroupTranslation.$identity -f $ForestName ) + } + # Default to adding the identify as provided for any non-default identities. 
+ else + { + [void] $identityList.Add($identity) + } + } + + UserRightsAssignment (Get-ResourceTitle -Rule $rule) + { + Policy = ($rule.DisplayName -replace " ", "_") + Identity = $identityList + Force = [bool] $rule.Force + } + } +} +else +{ + foreach ($rule in $rules) + { + Write-Warning -Message "$($rule.id) not compiled to mof because DomainName and ForestName were not specified" + } +} diff --git a/DSCResources/Resources/windows.WindowsEventLog.ps1 b/source/DSCResources/Resources/windows.WindowsEventLog.ps1 similarity index 100% rename from DSCResources/Resources/windows.WindowsEventLog.ps1 rename to source/DSCResources/Resources/windows.WindowsEventLog.ps1 diff --git a/DSCResources/Resources/windows.WindowsFeature.ps1 b/source/DSCResources/Resources/windows.WindowsFeature.ps1 similarity index 100% rename from DSCResources/Resources/windows.WindowsFeature.ps1 rename to source/DSCResources/Resources/windows.WindowsFeature.ps1 diff --git a/DSCResources/Resources/windows.WindowsOptionalFeature.ps1 b/source/DSCResources/Resources/windows.WindowsOptionalFeature.ps1 similarity index 100% rename from DSCResources/Resources/windows.WindowsOptionalFeature.ps1 rename to source/DSCResources/Resources/windows.WindowsOptionalFeature.ps1 diff --git a/DSCResources/Resources/windows.xDnsServerSetting.ps1 b/source/DSCResources/Resources/windows.xDnsServerSetting.ps1 similarity index 100% rename from DSCResources/Resources/windows.xDnsServerSetting.ps1 rename to source/DSCResources/Resources/windows.xDnsServerSetting.ps1 diff --git a/DSCResources/Resources/windows.xIisLogging.ps1 b/source/DSCResources/Resources/windows.xIisLogging.ps1 similarity index 100% rename from DSCResources/Resources/windows.xIisLogging.ps1 rename to source/DSCResources/Resources/windows.xIisLogging.ps1 
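Review bot: `$identitySplit = $rule.Identity -split ","` does not trim the pieces, so an identity list written as `A, B` yields ' B', which misses both translation tables and is passed through untranslated into Identity; for a user-rights policy that means a wrong or non-existent principal, noticed only at apply time. If the rule data can contain a space after the comma (not visible here), `$identitySplit = ($rule.Identity -split ',').Trim()` closes the gap. Separately, `$DomainName = PowerStig\Get-DomainName ...` rewrites the configuration's own parameters in NetBIOS form because this file is dot-sourced into the configuration scope, so any resource script dot-sourced afterwards sees the converted value; a comment such as `# Rewrites the configuration-scope $DomainName/$ForestName to NetBIOS form; later resource scripts see the converted value` would make that visible.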
diff --git a/DSCResources/Resources/windows.xIisMimeTypeMapping.ps1 b/source/DSCResources/Resources/windows.xIisMimeTypeMapping.ps1
similarity index 100%
rename from DSCResources/Resources/windows.xIisMimeTypeMapping.ps1
rename to source/DSCResources/Resources/windows.xIisMimeTypeMapping.ps1
diff --git a/DSCResources/Resources/windows.xSslSettings.ps1 b/source/DSCResources/Resources/windows.xSslSettings.ps1
similarity index 100%
rename from DSCResources/Resources/windows.xSslSettings.ps1
rename to source/DSCResources/Resources/windows.xSslSettings.ps1
diff --git a/DSCResources/Resources/windows.xWebAppPool.ps1 b/source/DSCResources/Resources/windows.xWebAppPool.ps1
similarity index 100%
rename from DSCResources/Resources/windows.xWebAppPool.ps1
rename to source/DSCResources/Resources/windows.xWebAppPool.ps1
diff --git a/DSCResources/Resources/windows.xWebConfigProperty.ps1 b/source/DSCResources/Resources/windows.xWebConfigProperty.ps1
similarity index 100%
rename from DSCResources/Resources/windows.xWebConfigProperty.ps1
rename to source/DSCResources/Resources/windows.xWebConfigProperty.ps1
diff --git a/DSCResources/Resources/windows.xWebSite.ps1 b/source/DSCResources/Resources/windows.xWebSite.ps1
similarity index 100%
rename from DSCResources/Resources/windows.xWebSite.ps1
rename to source/DSCResources/Resources/windows.xWebSite.ps1
diff --git a/DSCResources/SqlServer/SqlServer.psd1 b/source/DSCResources/SqlServer/SqlServer.psd1
similarity index 100%
rename from DSCResources/SqlServer/SqlServer.psd1
rename to source/DSCResources/SqlServer/SqlServer.psd1
diff --git a/DSCResources/SqlServer/SqlServer.schema.psm1 b/source/DSCResources/SqlServer/SqlServer.schema.psm1
similarity index 100%
rename from DSCResources/SqlServer/SqlServer.schema.psm1
rename to source/DSCResources/SqlServer/SqlServer.schema.psm1
diff --git a/source/DSCResources/Vsphere/Vsphere.psd1 b/source/DSCResources/Vsphere/Vsphere.psd1
new file mode 100644
index 000000000..6ab1c7816
--- /dev/null
+++ b/source/DSCResources/Vsphere/Vsphere.psd1 @@ -0,0 +1,48 @@ +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. + +@{ + + # Script module or binary module file associated with this manifest. + RootModule = 'Vsphere.schema.psm1' + + # Version number of this module. + ModuleVersion = '1.0.0.0' + + # ID used to uniquely identify this module + GUID = '4c3bfae0-5bd8-430f-954e-e9ca14356cf5' + + # Author of this module + Author = 'Microsoft Corporation' + + # Company or vendor of this module + CompanyName = 'Microsoft Corporation' + + # Copyright statement for this module + Copyright = '(c) 2020 Microsoft Corporation. All rights reserved.' + + # Description of the functionality provided by this module + Description = 'Module for managing the Vsphere DISA STIGs' + + # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export. + FunctionsToExport = @('Vsphere') + + # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export. + CmdletsToExport = @() + + # Variables to export from this module + VariablesToExport = '*' + + # Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export. + AliasesToExport = @() + + # Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell. + PrivateData = @{ + + PSData = @{ + + } # End of PSData hashtable + + } # End of PrivateData + +} diff --git a/source/DSCResources/Vsphere/Vsphere.schema.psm1 b/source/DSCResources/Vsphere/Vsphere.schema.psm1 new file mode 100644 index 000000000..9c1adf6a4 --- /dev/null +++ b/source/DSCResources/Vsphere/Vsphere.schema.psm1 
@@ -0,0 +1,117 @@ +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. + +using module ..\helper.psm1 +using module ..\..\PowerStig.psm1 + +<# + .SYNOPSIS + A composite DSC resource to manage Vsphere STIG settings + .PARAMETER Version + The Vsphere Esxi version for which a DISA STIG configuration is generated, i.e. '6.5' + .PARAMETER HostIP + The IP address of the Esxi Host that is being targeted + .PARAMETER ServerIP + The Vcenter Server Ip that the host is connected to. This is required to secure the host with Vsphere resource + .PARAMETER Credential + The credential to administer the Esxi host + .PARAMETER VirtualStandardSwitchGroup + A group of standard switches + .PARAMETER VmGroup + A group of VM's to target on host + .PARAMETER StigVersion + The version of the Adobe Application STIG to apply and/or monitor + .PARAMETER Exception + A hashtable of StigId=Value key pairs that are injected into the STIG data and applied to + the target node. The title of STIG settings are tagged with the text 'Exception' to identify + the exceptions to policy across the data center when you centralize DSC log collection. + .PARAMETER OrgSettings + The path to the xml file that contains the local organizations preferred settings for STIG + items that have allowable ranges. The OrgSettings parameter also accepts a hashtable for + values that need to be modified. When a hashtable is used, the specified values take + presidence over the values defined in the org.default.xml file. + .PARAMETER SkipRule + The SkipRule Node is injected into the STIG data and applied to the taget node. The title + of STIG settings are tagged with the text 'Skip' to identify the skips to policy across the + data center when you centralize DSC log collection. + .PARAMETER SkipRuleType + All STIG rule IDs of the specified type are collected in an array and passed to the Skip-Rule + function. Each rule follows the same process as the SkipRule parameter. 
+#> +configuration Vsphere +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [ValidateNotNullOrEmpty()] + [string] + $Version, + + [Parameter(Mandatory = $true)] + [ValidateNotNullOrEmpty()] + [string] + $HostIP, + + [Parameter(Mandatory = $true)] + [ValidateNotNullOrEmpty()] + [string] + $ServerIP, + + [Parameter(Mandatory = $true)] + [ValidateNotNullOrEmpty()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [string[]] + $VirtualStandardSwitchGroup, + + [Parameter()] + [string[]] + $VmGroup, + + [Parameter()] + [ValidateNotNullOrEmpty()] + [version] + $StigVersion, + + [Parameter()] + [ValidateNotNullOrEmpty()] + [hashtable] + $Exception, + + [Parameter()] + [ValidateNotNullOrEmpty()] + [object] + $OrgSettings, + + [Parameter()] + [ValidateNotNullOrEmpty()] + [string[]] + $SkipRule, + + [Parameter()] + [ValidateNotNullOrEmpty()] + [string[]] + $SkipRuleType + ) + + ##### BEGIN DO NOT MODIFY ##### + $stig = [STIG]::New('Vsphere', $Version, $StigVersion) + $stig.LoadRules($OrgSettings, $Exception, $SkipRule, $SkipRuleType) + ##### END DO NOT MODIFY ##### + + Import-DscResource -ModuleName Vmware.vSphereDSC -ModuleVersion 2.1.0.58 + . "$resourcePath\Vsphere.VmHostAcceptanceLevel.ps1" + . "$resourcePath\Vsphere.VmHostAdvancedSettings.ps1" + . "$resourcePath\Vsphere.VMHostNtpSettings.ps1" + . "$resourcePath\Vsphere.VmHostService.ps1" + . "$resourcePath\Vsphere.VmHostSNMPAgent.ps1" + . "$resourcePath\Vsphere.VmHostVMKernelActiveDumpPartition.ps1" + . "$resourcePath\Vsphere.VmHostVssSecurity.ps1" + . "$resourcePath\Vsphere.VmHostVssPortGroupSecurity.ps1" + + Import-DscResource -ModuleName PSDscResources -ModuleVersion 2.10.0.0 + . "$resourcePath\windows.Script.skip.ps1" +} 
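Review bot: The `.PARAMETER StigVersion` help text in the new comment block reads "The version of the Adobe Application STIG to apply and/or monitor", copied from another composite; it should read `The version of the Vsphere STIG to apply and/or monitor`. The `.PARAMETER Credential` text could also state what a consumer has to know: the credential is passed to every vSphereDSC resource and therefore ends up in the compiled MOF, so the configuration needs certificate-based credential encryption (or an explicit PSDscAllowPlainTextPassword opt-in in configuration data) — e.g. `The credential used to administer the Esxi host; it is embedded in the compiled MOF, so compile with a certificate configured for credential encryption`. Minor wording in the same block: 'presidence' → 'precedence', 'taget' → 'target'.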
diff --git a/DSCResources/WindowsClient/WindowsClient.psd1 b/source/DSCResources/WindowsClient/WindowsClient.psd1 similarity index 100% rename from DSCResources/WindowsClient/WindowsClient.psd1 rename to source/DSCResources/WindowsClient/WindowsClient.psd1 diff --git a/DSCResources/WindowsClient/WindowsClient.schema.psm1 b/source/DSCResources/WindowsClient/WindowsClient.schema.psm1 similarity index 98% rename from DSCResources/WindowsClient/WindowsClient.schema.psm1 rename to source/DSCResources/WindowsClient/WindowsClient.schema.psm1 index f9a875af5..ec5ca822f 100644 --- a/DSCResources/WindowsClient/WindowsClient.schema.psm1 +++ b/source/DSCResources/WindowsClient/WindowsClient.schema.psm1 @@ -50,12 +50,10 @@ configuration WindowsClient $StigVersion, [Parameter()] - [ValidateNotNullOrEmpty()] [string] $ForestName, [Parameter()] - [ValidateNotNullOrEmpty()] [string] $DomainName, diff --git a/DSCResources/WindowsDefender/WindowsDefender.psd1 b/source/DSCResources/WindowsDefender/WindowsDefender.psd1 similarity index 100% rename from DSCResources/WindowsDefender/WindowsDefender.psd1 rename to source/DSCResources/WindowsDefender/WindowsDefender.psd1 diff --git a/DSCResources/WindowsDefender/WindowsDefender.schema.psm1 b/source/DSCResources/WindowsDefender/WindowsDefender.schema.psm1 similarity index 100% rename from DSCResources/WindowsDefender/WindowsDefender.schema.psm1 rename to source/DSCResources/WindowsDefender/WindowsDefender.schema.psm1 diff --git a/DSCResources/WindowsDnsServer/WindowsDnsServer.psd1 b/source/DSCResources/WindowsDnsServer/WindowsDnsServer.psd1 similarity index 100% rename from DSCResources/WindowsDnsServer/WindowsDnsServer.psd1 rename to source/DSCResources/WindowsDnsServer/WindowsDnsServer.psd1 
diff --git a/DSCResources/WindowsDnsServer/WindowsDnsServer.schema.psm1 b/source/DSCResources/WindowsDnsServer/WindowsDnsServer.schema.psm1
similarity index 100%
rename from DSCResources/WindowsDnsServer/WindowsDnsServer.schema.psm1
rename to source/DSCResources/WindowsDnsServer/WindowsDnsServer.schema.psm1
diff --git a/DSCResources/WindowsFirewall/WindowsFirewall.psd1 b/source/DSCResources/WindowsFirewall/WindowsFirewall.psd1
similarity index 100%
rename from DSCResources/WindowsFirewall/WindowsFirewall.psd1
rename to source/DSCResources/WindowsFirewall/WindowsFirewall.psd1
diff --git a/DSCResources/WindowsFirewall/WindowsFirewall.schema.psm1 b/source/DSCResources/WindowsFirewall/WindowsFirewall.schema.psm1
similarity index 100%
rename from DSCResources/WindowsFirewall/WindowsFirewall.schema.psm1
rename to source/DSCResources/WindowsFirewall/WindowsFirewall.schema.psm1
diff --git a/DSCResources/WindowsServer/WindowsServer.psd1 b/source/DSCResources/WindowsServer/WindowsServer.psd1
similarity index 100%
rename from DSCResources/WindowsServer/WindowsServer.psd1
rename to source/DSCResources/WindowsServer/WindowsServer.psd1
diff --git a/DSCResources/WindowsServer/WindowsServer.schema.psm1 b/source/DSCResources/WindowsServer/WindowsServer.schema.psm1
similarity index 100%
rename from DSCResources/WindowsServer/WindowsServer.schema.psm1
rename to source/DSCResources/WindowsServer/WindowsServer.schema.psm1
diff --git a/DSCResources/helper.psm1 b/source/DSCResources/helper.psm1
similarity index 100%
rename from DSCResources/helper.psm1
rename to source/DSCResources/helper.psm1
diff --git a/Module/Common/Common.psm1 b/source/Module/Common/Common.psm1
similarity index 100%
rename from Module/Common/Common.psm1
rename to source/Module/Common/Common.psm1
diff --git a/source/Module/Common/Convert/Data.ps1 b/source/Module/Common/Convert/Data.ps1
new file mode 100644
index 000000000..664f08101
--- /dev/null
+++ b/source/Module/Common/Convert/Data.ps1
@@ -0,0 +1,63 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+
+# This is used to exclude rules from the convert
+data exclusionRuleList
+{
+ ConvertFrom-StringData -StringData @'
+ V-73523 = ''
+ V-6599 = 'McAfee:The GUID of the weekly on-demand client scan task varies by system'
+ V-6600 = 'McAfee:The GUID of the weekly on-demand client scan task varies by system'
+ V-6601 = 'McAfee:The GUID of the weekly on-demand client scan task varies by system'
+ V-6602 = 'McAfee:The GUID of the weekly on-demand client scan task varies by system'
+ V-6604 = 'McAfee:The GUID of the weekly on-demand client scan task varies by system'
+ V-6611 = 'McAfee:The GUID of the weekly on-demand client scan task varies by system'
+ V-6612 = 'McAfee:The GUID of the weekly on-demand client scan task varies by system'
+ V-6614 = 'McAfee:The GUID of the weekly on-demand client scan task varies by system'
+ V-6615 = 'McAfee:The GUID of the weekly on-demand client scan task varies by system'
+ V-6616 = 'McAfee:The GUID of the weekly on-demand client scan task varies by system'
+ V-6617 = 'McAfee:The GUID of the weekly on-demand client scan task varies by system'
+ V-6618 = 'McAfee:The GUID of the weekly on-demand client scan task varies by system'
+ V-6620 = 'McAfee:The GUID of the weekly on-demand client scan task varies by system'
+ V-6625 = 'McAfee:The GUID of the weekly on-demand client scan task varies by system'
+ V-6627 = 'McAfee:The GUID of the weekly on-demand client scan task varies by system'
+ V-14657 = 'McAfee:The GUID of the weekly on-demand client scan task varies by system'
+ V-14658 = 'McAfee: Not Applicable to 64-bit systems.'
+ V-14659 = 'McAfee: Not Applicable to 64-bit systems.'
+ V-14660 = 'McAfee: Not Applicable to 64-bit systems.'
+ V-14661 = 'McAfee: Not Applicable to 64-bit systems.'
+ V-42563 = 'McAfee:exclusions have been documented with, and approved by, the ISSO/ISSM/DAA'
+ V-42564 = 'McAfee:exclusions have been documented with, and approved by, the ISSO/ISSM/DAA'
+ V-42565 = 'McAfee:with the assistance of the System Administrator, review each GUID key's szTaskName'
+ V-42566 = 'McAfee:with the assistance of the System Administrator, review each GUID key's szTaskName'
+ V-42567 = 'McAfee:with the assistance of the System Administrator, review each GUID key's szTaskName'
+ V-42572 = 'McAfee:If the ExcludedURLs REG_MULTI_SZ has any entries, and the excluded URLs have not been documented with, and approved by, the ISSO/ISSM/DAA'
+ V-14654 = 'McAfee:The GUID of the weekly on-demand client scan task varies by system'
+ V-94509 = 'Vsphere: To Be added in a future release'
+ V-94025 = 'Vsphere: To Be added in a future release'
+ V-94533 = 'Vsphere: To Be added in a future release'
+ V-77189 = 'Set-ProcessMitigation doesn't allow for configuration of Override Settings, this will be updated in next release'
+ V-77191 = 'Set-ProcessMitigation doesn't allow for configuration of Override Settings, this will be updated in next release'
+ V-77195 = 'Set-ProcessMitigation doesn't allow for configuration of Override Settings, this will be updated in next release'
+ V-77201 = 'Set-ProcessMitigation doesn't allow for configuration of Override Settings, this will be updated in next release'
+ V-77205 = 'Set-ProcessMitigation doesn't allow for configuration of Override Settings, this will be updated in next release'
+ V-77209 = 'Set-ProcessMitigation doesn't allow for configuration of Override Settings, this will be updated in next release'
+ V-77213 = 'Set-ProcessMitigation doesn't allow for configuration of Override Settings, this will be updated in next release'
+ V-77217 = 'Set-ProcessMitigation doesn't allow for configuration of Override Settings, this will be updated in next release'
+ V-77221 = 'Set-ProcessMitigation doesn't allow for configuration of Override Settings, this will be updated in next release'
+ V-77223 = 'Set-ProcessMitigation doesn't allow for configuration of Override Settings, this will be updated in next release'
+ V-77227 = 'Set-ProcessMitigation doesn't allow for configuration of Override Settings, this will be updated in next release'
+ V-77231 = 'Set-ProcessMitigation doesn't allow for configuration of Override Settings, this will be updated in next release'
+ V-77233 = 'Set-ProcessMitigation doesn't allow for configuration of Override Settings, this will be updated in next release'
+ V-77235 = 'Set-ProcessMitigation doesn't allow for configuration of Override Settings, this will be updated in next release'
+ V-77239 = 'Set-ProcessMitigation doesn't allow for configuration of Override Settings, this will be updated in next release'
+ V-77243 = 'Set-ProcessMitigation doesn't allow for configuration of Override Settings, this will be updated in next release'
+ V-77247 = 'Set-ProcessMitigation doesn't allow for configuration of Override Settings, this will be updated in next release'
+ V-77249 = 'Set-ProcessMitigation doesn't allow for configuration of Override Settings, this will be updated in next release'
+ V-77255 = 'Set-ProcessMitigation doesn't allow for configuration of Override Settings, this will be updated in next release'
+ V-77259 = 'Set-ProcessMitigation doesn't allow for configuration of Override Settings, this will be updated in next release'
+ V-77263 = 'Set-ProcessMitigation doesn't allow for configuration of Override Settings, this will be updated in next release'
+ V-77267 = 'Set-ProcessMitigation doesn't allow for configuration of Override Settings, this will be updated in next release'
+ V-77269 = 'Set-ProcessMitigation doesn't allow for configuration of Override Settings, this will be updated in next release'
+'@
+}
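Review bot: `V-73523 = ''` is the only entry in exclusionRuleList with no reason; every id in this table is dropped from the converted STIG data, so each exclusion should carry a justification a reviewer can check, e.g. `V-73523 = 'reason: <why this rule is excluded>'`. ConvertFrom-StringData does not strip quotes from the here-string, so as far as I can tell every value is delivered with its surrounding single quotes (`'McAfee:...'`); confirm that the code reading this table expects that, or drop the quotes. The V-14654 and V-94xxx entries also sit out of sequence with their groups, which makes duplicates harder to spot when the list grows.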
diff --git a/Module/Common/Convert/Function.Helper.ps1 b/source/Module/Common/Convert/Function.Helper.ps1
similarity index 100%
rename from Module/Common/Convert/Function.Helper.ps1
rename to source/Module/Common/Convert/Function.Helper.ps1
diff --git a/Module/Common/Convert/Function.RangeConversion.ps1 b/source/Module/Common/Convert/Function.RangeConversion.ps1
similarity index 99%
rename from Module/Common/Convert/Function.RangeConversion.ps1
rename to source/Module/Common/Convert/Function.RangeConversion.ps1
index 18504ad20..8f4999a69 100644
--- a/Module/Common/Convert/Function.RangeConversion.ps1
+++ b/source/Module/Common/Convert/Function.RangeConversion.ps1
@@ -385,7 +385,7 @@ function ConvertTo-OrTestString
 {
 $tokens = [System.Management.Automation.PSParser]::Tokenize($string, [ref]$null)
 $orgSettings = $tokens.Where( {$PSItem.type -eq 'Number' -and $PSItem.Content -notmatch '\dx\d{8}' }).Content
- if($string -match 'or if the Value Name does not exist')
+ if ($string -match 'or if the Value Name does not exist')
 {
 $orgSettings += 'ShouldBeAbsent'
 }
diff --git a/Module/Common/Function.Xccdf.ps1 b/source/Module/Common/Function.Xccdf.ps1
similarity index 100%
rename from Module/Common/Function.Xccdf.ps1
rename to source/Module/Common/Function.Xccdf.ps1
diff --git a/Module/Common/Functions.Helper.ps1 b/source/Module/Common/Functions.Helper.ps1
similarity index 100%
rename from Module/Common/Functions.Helper.ps1
rename to source/Module/Common/Functions.Helper.ps1
diff --git a/Module/Common/Functions.XccdfXml.ps1 b/source/Module/Common/Functions.XccdfXml.ps1
similarity index 93%
rename from Module/Common/Functions.XccdfXml.ps1
rename to source/Module/Common/Functions.XccdfXml.ps1
index 11837d893..2465eddd5 100644
--- a/Module/Common/Functions.XccdfXml.ps1
+++ b/source/Module/Common/Functions.XccdfXml.ps1
@@ -215,7 +215,7 @@ function Get-StigRuleList So we simply unwind the changes we made earlier so that any new text we added is removed by reversing the regex match. #> - + # Trim the unique char from split rules if they exist foreach ($correction in $StigGroupListChangeLog[($rule.Id -split '\.')[0]]) { @@ -365,7 +365,8 @@ function Split-BenchmarkId 'Outlook', 'PowerPoint', 'Word', - 'System' + 'System', + 'Visio' ) $id = $id -replace ($idVariations -join '|'), '' @@ -374,13 +375,10 @@ function Split-BenchmarkId { {$PSItem -match "SQL_Server"} { - # The metadata does not differentiate between the database and instance STIG so we have to get that from the file name. - $sqlRole = Get-SqlTechnologyRole -Path $FilePath - $returnId = $id -replace ($sqlServerVariations -join '|'), 'SqlServer' - - # SQL 2012 Instance 1.17 has a different format which requires this line, can be removed when this STIG is no longer in archive - $returnId = $returnId -replace "_Database_Instance" + "" - $returnId = '{0}_{1}' -f $returnId, $sqlRole + $sqlRole = Get-SqlTechnologyRole -Path $FilePath -Id $id + $id -match "(?\d{4})" + $sqlVersion = $Matches['Version'] + $returnId = 'SqlServer_{0}_{1}' -f $sqlVersion, $sqlRole continue } {$PSItem -match "_Firewall"} @@ -403,6 +401,16 @@ function Split-BenchmarkId $returnId = 'IISSite_8.5' continue } + {$PSItem -match "IIS_10-0_Site"} + { + $returnId = 'IISSite_10.0' + continue + } + {$PSItem -match "IIS_10-0_Server"} + { + $returnId = 'IISServer_10.0' + continue + } {$PSItem -match "Domain_Name_System"} { # The Windows Server 2012 and 2012 R2 STIGs are combined, so return the 2012R2 
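Review bot: In the rewritten SQL_Server branch of Split-BenchmarkId (hunk @@ -374), `$id -match "(?\d{4})"` runs as a bare statement, so its Boolean result goes to the output stream and the function's return becomes `$true` followed by the id; the Get-SqlTechnologyRole change later in this file already writes `$null = $Id -match ...`, so do the same here. The match result is also never checked, so an id without a four-digit run leaves `$Matches['Version']` null or stale from an earlier match. Suggest `if ($id -notmatch "(?<Version>\d{4})") { throw "Unable to determine the SQL Server version from '$id'" }` before reading `$Matches['Version']` (the group name is stripped on this page; `$Matches['Version']` implies it is `Version`). Split-BenchmarkId starts and ends outside the hunk.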
@@ -444,11 +452,11 @@ function Split-BenchmarkId $returnId = "FireFox_All" continue } - {$PSItem -match 'Excel|Outlook|PowerPoint|Word|System'} + {$PSItem -match 'Excel|Outlook|PowerPoint|Word|System|Visio'} { $officeStig = ($id -split '_') - if($PSItem -match 'System') + if ($PSItem -match 'System') { $officeStig = $officeStig[2], $officeStig[3] -join "" $returnId = '{0}_{1}' -f 'Office', $officeStig @@ -476,6 +484,11 @@ function Split-BenchmarkId $returnId = 'McAfee_8.8_VirusScan' continue } + {$PSItem -match 'Vmware_Vsphere'} + { + $returnId = 'Vsphere_6.5' + continue + } default { $returnId = $id @@ -501,6 +514,10 @@ function Get-SqlTechnologyRole [OutputType([string])] param ( + [Parameter(Mandatory = $true)] + [string] + $Id, + [Parameter(Mandatory=$true)] [AllowEmptyString()] [string] @@ -510,6 +527,11 @@ function Get-SqlTechnologyRole $split = $Path -split '_' $stigIndex = $split.IndexOf('STIG') $sqlRole = $split[$stigIndex -1] + if ($sqlRole -match '\w\d{1,}\w\d{1,}') + { + $null = $Id -match "(?Database|Instance)" + $sqlRole = $Matches['Type'] + } return $sqlRole } @@ -537,12 +559,8 @@ function Get-StigVersionNumber ) # Extract the revision number from the xccdf - $revision = ( $StigDetails.Benchmark.'plain-text'.'#text' ` - -split "(Release:)(.*?)(Benchmark)" )[2].trim() - + $revision = ($StigDetails.Benchmark.'plain-text'.'#text' -split "(Release:)(.*?)(Benchmark)")[2].trim() "$($StigDetails.Benchmark.version).$revision" - } #endregion - diff --git a/Module/Rule.AccountPolicy/AccountPolicyRule.psm1 b/source/Module/Rule.AccountPolicy/AccountPolicyRule.psm1 similarity index 92% rename from Module/Rule.AccountPolicy/AccountPolicyRule.psm1 rename to source/Module/Rule.AccountPolicy/AccountPolicyRule.psm1 index 7fd66f2be..b42faa77e 100644 --- a/Module/Rule.AccountPolicy/AccountPolicyRule.psm1 +++ b/source/Module/Rule.AccountPolicy/AccountPolicyRule.psm1 
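Review bot: In Get-SqlTechnologyRole (hunk @@ -510) the new branch assigns `$Matches['Type']` without checking that `$null = $Id -match "(?Database|Instance)"` succeeded; `$Matches` retains the last successful match, so an id matching neither word silently inherits the previous rule's type or null. Write it as `if ($Id -match "(?<Type>Database|Instance)") { $sqlRole = $Matches['Type'] }` and decide what to do otherwise (the group name is stripped on this page; `$Matches['Type']` implies it is `Type`). Inserting the mandatory `$Id` ahead of `$Path` (hunk @@ -501) also changes positional binding for any caller that passed the path by position; the visible call uses named arguments, but the function's `.PARAMETER` help (outside the hunk) should gain an entry for `$Id`. The condition `$sqlRole -match '\w\d{1,}\w\d{1,}'` would benefit from a one-line comment saying which file-name shape it detects.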
@@ -14,7 +14,7 @@ using module .\..\Rule\Rule.psm1 .PARAMETER PolicyValue The value the account policy should be set to. #> -Class AccountPolicyRule : Rule +class AccountPolicyRule : Rule { [string] $PolicyName [string] $PolicyValue <#(ExceptionValue)#> @@ -33,7 +33,7 @@ Class AccountPolicyRule : Rule .PARAMETER Rule The STIG rule to load #> - AccountPolicyRule ([xml.xmlelement] $Rule) : Base ($Rule) + AccountPolicyRule ([xml.xmlelement] $Rule) : base ($Rule) { } @@ -45,7 +45,7 @@ Class AccountPolicyRule : Rule .PARAMETER Convert A simple bool flag to create a unique constructor signature #> - AccountPolicyRule ([xml.xmlelement] $Rule, [switch] $Convert) : Base ($Rule, $Convert) + AccountPolicyRule ([xml.xmlelement] $Rule, [switch] $Convert) : base ($Rule, $Convert) { } diff --git a/Module/Rule.AccountPolicy/Convert/AccountPolicyRule.Convert.psm1 b/source/Module/Rule.AccountPolicy/Convert/AccountPolicyRule.Convert.psm1 similarity index 97% rename from Module/Rule.AccountPolicy/Convert/AccountPolicyRule.Convert.psm1 rename to source/Module/Rule.AccountPolicy/Convert/AccountPolicyRule.Convert.psm1 index 8dc890acd..660c93551 100644 --- a/Module/Rule.AccountPolicy/Convert/AccountPolicyRule.Convert.psm1 +++ b/source/Module/Rule.AccountPolicy/Convert/AccountPolicyRule.Convert.psm1 @@ -14,7 +14,7 @@ using namespace System.Text Account Policy rule. The configuration details are then extracted and validated before returning the object. #> -Class AccountPolicyRuleConvert : AccountPolicyRule +class AccountPolicyRuleConvert : AccountPolicyRule { <# .SYNOPSIS @@ -30,7 +30,7 @@ Class AccountPolicyRuleConvert : AccountPolicyRule .PARAMETER XccdfRule The STIG rule to convert #> - AccountPolicyRuleConvert ([xml.xmlelement] $XccdfRule) : Base ($XccdfRule, $true) + AccountPolicyRuleConvert ([xml.xmlelement] $XccdfRule) : base ($XccdfRule, $true) { [RegularExpressions.MatchCollection] $tokens = $this.ExtractProperties() $this.SetPolicyName($tokens) 
@@ -106,7 +106,7 @@ Class AccountPolicyRuleConvert : AccountPolicyRule hidden [void] SetDscResource () { - if($null -eq $this.DuplicateOf) + if ($null -eq $this.DuplicateOf) { $this.DscResource = 'AccountPolicy' } diff --git a/Module/Rule.AuditPolicy/AuditPolicyRule.psm1 b/source/Module/Rule.AuditPolicy/AuditPolicyRule.psm1 similarity index 93% rename from Module/Rule.AuditPolicy/AuditPolicyRule.psm1 rename to source/Module/Rule.AuditPolicy/AuditPolicyRule.psm1 index d2f81e00d..0618c7af6 100644 --- a/Module/Rule.AuditPolicy/AuditPolicyRule.psm1 +++ b/source/Module/Rule.AuditPolicy/AuditPolicyRule.psm1 @@ -16,7 +16,7 @@ using module .\..\Rule\Rule.psm1 .PARAMETER Ensure A present or absent flag #> -Class AuditPolicyRule : Rule +class AuditPolicyRule : Rule { [string] $Subcategory [string] $AuditFlag @@ -36,7 +36,7 @@ Class AuditPolicyRule : Rule .PARAMETER Rule The STIG rule to load #> - AuditPolicyRule ([xml.xmlelement] $Rule) : Base ($Rule) + AuditPolicyRule ([xml.xmlelement] $Rule) : base ($Rule) { } @@ -48,7 +48,7 @@ Class AuditPolicyRule : Rule .PARAMETER Convert A simple bool flag to create a unique constructor signature #> - AuditPolicyRule ([xml.xmlelement] $Rule, [switch] $Convert) : Base ($Rule, $Convert) + AuditPolicyRule ([xml.xmlelement] $Rule, [switch] $Convert) : base ($Rule, $Convert) { } diff --git a/Module/Rule.AuditPolicy/Convert/AuditPolicyRule.Convert.psm1 b/source/Module/Rule.AuditPolicy/Convert/AuditPolicyRule.Convert.psm1 similarity index 91% rename from Module/Rule.AuditPolicy/Convert/AuditPolicyRule.Convert.psm1 rename to source/Module/Rule.AuditPolicy/Convert/AuditPolicyRule.Convert.psm1 index b1be48503..05579cfad 100644 --- a/Module/Rule.AuditPolicy/Convert/AuditPolicyRule.Convert.psm1 +++ b/source/Module/Rule.AuditPolicy/Convert/AuditPolicyRule.Convert.psm1 
@@ -9,7 +9,7 @@ using namespace System.Text .SYNOPSIS Converts the xccdf check-content element into an audit policy object. #> -Class AuditPolicyRuleConvert : AuditPolicyRule +class AuditPolicyRuleConvert : AuditPolicyRule { <# .SYNOPSIS @@ -25,7 +25,7 @@ Class AuditPolicyRuleConvert : AuditPolicyRule .PARAMETER XccdfRule The STIG rule to convert #> - AuditPolicyRuleConvert ([xml.xmlelement] $XccdfRule) : Base ($XccdfRule, $true) + AuditPolicyRuleConvert ([xml.xmlelement] $XccdfRule) : base ($XccdfRule, $true) { $tokens = $this.ExtractProperties() $this.SetSubcategory($tokens) @@ -50,7 +50,7 @@ Class AuditPolicyRuleConvert : AuditPolicyRule { return [regex]::Matches( $this.RawString, - '(?:(?:\w+(?:\s|\/))+(?:(?:>|-)>(?:\s+)?))(?(?:\w+\s)+)(?:-(?:\s+)?)(?(?:\w+)+)' + '(?:(?:\w+(?:\s|\/))+(?:(?: >|>|-)>(?:\s+)?))(?(?:.+?(?=\s-\s)))\s-\s(?(?:\w+)+)' ) } @@ -94,7 +94,7 @@ Class AuditPolicyRuleConvert : AuditPolicyRule hidden [void] SetDscResource () { - if($null -eq $this.DuplicateOf) + if ($null -eq $this.DuplicateOf) { $this.DscResource = 'AuditPolicySubcategory' } diff --git a/Module/Rule.AuditSetting/AuditSettingRule.psm1 b/source/Module/Rule.AuditSetting/AuditSettingRule.psm1 similarity index 92% rename from Module/Rule.AuditSetting/AuditSettingRule.psm1 rename to source/Module/Rule.AuditSetting/AuditSettingRule.psm1 index ecfdcd8c3..139a1fdc7 100644 --- a/Module/Rule.AuditSetting/AuditSettingRule.psm1 +++ b/source/Module/Rule.AuditSetting/AuditSettingRule.psm1 @@ -19,7 +19,7 @@ using module .\..\Rule\Rule.psm1 The PowerShell equivalent operator #> -Class AuditSettingRule : Rule +class AuditSettingRule : Rule { [string] $Query [string] $Property @@ -40,7 +40,7 @@ Class AuditSettingRule : Rule .PARAMETER Rule The STIG rule to load #> - AuditSettingRule ([xml.xmlelement] $Rule) : Base ($Rule) + AuditSettingRule ([xml.xmlelement] $Rule) : base ($Rule) { } 
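Review bot: The replacement regex in AuditPolicyRuleConvert (hunk @@ -50) carries no comment describing the text it expects; reading the pattern, it looks like `Category -> Subcategory - Flag`, with the subcategory now captured lazily up to the first ` - `, so a subcategory whose name itself contains ` - ` would be cut short. Suggest a comment above the `[regex]::Matches(` call: `# Expects "<category> -> <subcategory> - <flag>"; the subcategory is everything before the first " - "`. The named group labels are stripped on this page, so I cannot confirm the group names the callers read. The enclosing method starts outside the hunk.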
@@ -52,7 +52,7 @@ Class AuditSettingRule : Rule .PARAMETER Convert A simple bool flag to create a unique constructor signature #> - AuditSettingRule ([xml.xmlelement] $Rule, [switch] $Convert) : Base ($Rule, $Convert) + AuditSettingRule ([xml.xmlelement] $Rule, [switch] $Convert) : base ($Rule, $Convert) { } diff --git a/Module/Rule.AuditSetting/Convert/AuditSettingRule.Convert.psm1 b/source/Module/Rule.AuditSetting/Convert/AuditSettingRule.Convert.psm1 similarity index 93% rename from Module/Rule.AuditSetting/Convert/AuditSettingRule.Convert.psm1 rename to source/Module/Rule.AuditSetting/Convert/AuditSettingRule.Convert.psm1 index ec6afa703..f3d03a219 100644 --- a/Module/Rule.AuditSetting/Convert/AuditSettingRule.Convert.psm1 +++ b/source/Module/Rule.AuditSetting/Convert/AuditSettingRule.Convert.psm1 @@ -22,7 +22,7 @@ foreach ($supportFile in $supportFileList) class for parsing and validation. #> -Class AuditSettingRuleConvert : AuditSettingRule +class AuditSettingRuleConvert : AuditSettingRule { <# .SYNOPSIS @@ -38,9 +38,9 @@ Class AuditSettingRuleConvert : AuditSettingRule .PARAMETER XccdfRule The STIG rule to convert #> - AuditSettingRuleConvert ([xml.xmlelement] $XccdfRule) : Base ($XccdfRule, $true) + AuditSettingRuleConvert ([xml.xmlelement] $XccdfRule) : base ($XccdfRule, $true) { - Switch ($this.rawString) + switch ($this.rawString) { {$PSItem -Match "winver\.exe" } { @@ -79,7 +79,7 @@ Class AuditSettingRuleConvert : AuditSettingRule hidden [void] SetDscResource () { - if($null -eq $this.DuplicateOf) + if ($null -eq $this.DuplicateOf) { $this.DscResource = 'AuditSetting' } 
diff --git a/Module/Rule.DnsServerRootHint/Convert/DnsServerRootHintRule.Convert.psm1 b/source/Module/Rule.DnsServerRootHint/Convert/DnsServerRootHintRule.Convert.psm1 similarity index 94% rename from Module/Rule.DnsServerRootHint/Convert/DnsServerRootHintRule.Convert.psm1 rename to source/Module/Rule.DnsServerRootHint/Convert/DnsServerRootHintRule.Convert.psm1 index 79ec5ccb8..f788d4d30 100644 --- a/Module/Rule.DnsServerRootHint/Convert/DnsServerRootHintRule.Convert.psm1 +++ b/source/Module/Rule.DnsServerRootHint/Convert/DnsServerRootHintRule.Convert.psm1 @@ -26,7 +26,7 @@ foreach ($supportFile in $supportFileList) .PARAMETER IpAddress The ip address of the root hint server #> -Class DnsServerRootHintRuleConvert : DnsServerRootHintRule +class DnsServerRootHintRuleConvert : DnsServerRootHintRule { <# .SYNOPSIS @@ -42,7 +42,7 @@ Class DnsServerRootHintRuleConvert : DnsServerRootHintRule .PARAMETER XccdfRule The STIG rule to convert #> - DnsServerRootHintRuleConvert ([xml.xmlelement] $XccdfRule) : Base ($XccdfRule, $true) + DnsServerRootHintRuleConvert ([xml.xmlelement] $XccdfRule) : base ($XccdfRule, $true) { $this.set_HostName('$null') $this.set_IpAddress('$null') @@ -52,7 +52,7 @@ Class DnsServerRootHintRuleConvert : DnsServerRootHintRule hidden [void] SetDscResource () { - if($null -eq $this.DuplicateOf) + if ($null -eq $this.DuplicateOf) { $this.DscResource = 'Script' } diff --git a/Module/Rule.DnsServerRootHint/DnsServerRootHintRule.psm1 b/source/Module/Rule.DnsServerRootHint/DnsServerRootHintRule.psm1 similarity index 90% rename from Module/Rule.DnsServerRootHint/DnsServerRootHintRule.psm1 rename to source/Module/Rule.DnsServerRootHint/DnsServerRootHintRule.psm1 index da85a7a41..c8638a9e7 100644 --- a/Module/Rule.DnsServerRootHint/DnsServerRootHintRule.psm1 +++ b/source/Module/Rule.DnsServerRootHint/DnsServerRootHintRule.psm1 
@@ -11,7 +11,7 @@ using module .\..\Rule\Rule.psm1 The DnsServerRootHintRule class is used to maange the Account Policy Settings. #> -Class DnsServerRootHintRule : Rule +class DnsServerRootHintRule : Rule { [string] $HostName [string] $IpAddress <#(ExceptionValue)#> @@ -30,7 +30,7 @@ Class DnsServerRootHintRule : Rule .PARAMETER Rule The STIG rule to load #> - DnsServerRootHintRule ([xml.xmlelement] $Rule) : Base ($Rule) + DnsServerRootHintRule ([xml.xmlelement] $Rule) : base ($Rule) { } @@ -42,7 +42,7 @@ Class DnsServerRootHintRule : Rule .PARAMETER Convert A simple bool flag to create a unique constructor signature #> - DnsServerRootHintRule ([xml.xmlelement] $Rule, [switch] $Convert) : Base ($Rule, $Convert) + DnsServerRootHintRule ([xml.xmlelement] $Rule, [switch] $Convert) : base ($Rule, $Convert) { } diff --git a/Module/Rule.DnsServerSetting/Convert/Data.ps1 b/source/Module/Rule.DnsServerSetting/Convert/Data.ps1 similarity index 100% rename from Module/Rule.DnsServerSetting/Convert/Data.ps1 rename to source/Module/Rule.DnsServerSetting/Convert/Data.ps1 diff --git a/Module/Rule.DnsServerSetting/Convert/DnsServerSettingRule.Convert.psm1 b/source/Module/Rule.DnsServerSetting/Convert/DnsServerSettingRule.Convert.psm1 similarity index 96% rename from Module/Rule.DnsServerSetting/Convert/DnsServerSettingRule.Convert.psm1 rename to source/Module/Rule.DnsServerSetting/Convert/DnsServerSettingRule.Convert.psm1 index a59ee1a06..c9555a998 100644 --- a/Module/Rule.DnsServerSetting/Convert/DnsServerSettingRule.Convert.psm1 +++ b/source/Module/Rule.DnsServerSetting/Convert/DnsServerSettingRule.Convert.psm1 @@ -23,7 +23,7 @@ foreach ($supportFile in $supportFileList) parsing and validation. #> -Class DnsServerSettingRuleConvert : DnsServerSettingRule +class DnsServerSettingRuleConvert : DnsServerSettingRule { <# .SYNOPSIS 
@@ -39,7 +39,7 @@ Class DnsServerSettingRuleConvert : DnsServerSettingRule .PARAMETER XccdfRule The STIG rule to convert #> - DnsServerSettingRuleConvert ([xml.xmlelement] $XccdfRule) : Base ($XccdfRule, $true) + DnsServerSettingRuleConvert ([xml.xmlelement] $XccdfRule) : base ($XccdfRule, $true) { $this.SetDnsServerPropertyName() $this.SetDnsServerPropertyValue() @@ -95,7 +95,7 @@ Class DnsServerSettingRuleConvert : DnsServerSettingRule hidden [void] SetDscResource () { - if($null -eq $this.DuplicateOf) + if ($null -eq $this.DuplicateOf) { $this.DscResource = 'xDnsServerSetting' } diff --git a/Module/Rule.DnsServerSetting/Convert/Methods.ps1 b/source/Module/Rule.DnsServerSetting/Convert/Methods.ps1 similarity index 100% rename from Module/Rule.DnsServerSetting/Convert/Methods.ps1 rename to source/Module/Rule.DnsServerSetting/Convert/Methods.ps1 diff --git a/Module/Rule.DnsServerSetting/DnsServerSettingRule.psm1 b/source/Module/Rule.DnsServerSetting/DnsServerSettingRule.psm1 similarity index 91% rename from Module/Rule.DnsServerSetting/DnsServerSettingRule.psm1 rename to source/Module/Rule.DnsServerSetting/DnsServerSettingRule.psm1 index 0d559b58b..45e3e7125 100644 --- a/Module/Rule.DnsServerSetting/DnsServerSettingRule.psm1 +++ b/source/Module/Rule.DnsServerSetting/DnsServerSettingRule.psm1 @@ -14,7 +14,7 @@ using module .\..\Rule\Rule.psm1 .PARAMETER PropertyValue The value to set the proerty to #> -Class DnsServerSettingRule : Rule +class DnsServerSettingRule : Rule { [string] $PropertyName [string] $PropertyValue <#(ExceptionValue)#> @@ -33,7 +33,7 @@ Class DnsServerSettingRule : Rule .PARAMETER Rule The STIG rule to load #> - DnsServerSettingRule ([xml.xmlelement] $Rule) : Base ($Rule) + DnsServerSettingRule ([xml.xmlelement] $Rule) : base ($Rule) { } 
@@ -45,7 +45,7 @@ Class DnsServerSettingRule : Rule .PARAMETER Convert A simple bool flag to create a unique constructor signature #> - DnsServerSettingRule ([xml.xmlelement] $Rule, [switch] $Convert) : Base ($Rule, $Convert) + DnsServerSettingRule ([xml.xmlelement] $Rule, [switch] $Convert) : base ($Rule, $Convert) { } diff --git a/Module/Rule.Document/Convert/DocumentRule.Convert.psm1 b/source/Module/Rule.Document/Convert/DocumentRule.Convert.psm1 similarity index 95% rename from Module/Rule.Document/Convert/DocumentRule.Convert.psm1 rename to source/Module/Rule.Document/Convert/DocumentRule.Convert.psm1 index 771308d2e..b30c15c48 100644 --- a/Module/Rule.Document/Convert/DocumentRule.Convert.psm1 +++ b/source/Module/Rule.Document/Convert/DocumentRule.Convert.psm1 @@ -21,7 +21,7 @@ foreach ($supportFile in $supportFileList) document rule, it is passed to the DocumentRuleConvert class for parsing and validation. #> -Class DocumentRuleConvert : DocumentRule +class DocumentRuleConvert : DocumentRule { <# .SYNOPSIS @@ -37,7 +37,7 @@ Class DocumentRuleConvert : DocumentRule .PARAMETER XccdfRule The STIG rule to convert #> - DocumentRuleConvert ([xml.xmlelement] $XccdfRule) : Base ($XccdfRule, $true) + DocumentRuleConvert ([xml.xmlelement] $XccdfRule) : base ($XccdfRule, $true) { $this.DscResource = 'None' } diff --git a/Module/Rule.Document/DocumentRule.psm1 b/source/Module/Rule.Document/DocumentRule.psm1 similarity index 92% rename from Module/Rule.Document/DocumentRule.psm1 rename to source/Module/Rule.Document/DocumentRule.psm1 index 0ee02ffe5..003a1b155 100644 --- a/Module/Rule.Document/DocumentRule.psm1 +++ b/source/Module/Rule.Document/DocumentRule.psm1 @@ -11,7 +11,7 @@ using module .\..\Rule\Rule.psm1 The DocumentRule class is used to maange the Document Settings. #> -Class DocumentRule : Rule +class DocumentRule : Rule { <# .SYNOPSIS 
@@ -50,7 +50,7 @@ Class DocumentRule : Rule .PARAMETER Rule The STIG rule to load #> - DocumentRule ([xml.xmlelement] $Rule) : Base ($Rule) + DocumentRule ([xml.xmlelement] $Rule) : base ($Rule) { } @@ -62,7 +62,7 @@ Class DocumentRule : Rule .PARAMETER Convert A simple bool flag to create a unique constructor signature #> - DocumentRule ([xml.xmlelement] $Rule, [switch] $Convert) : Base ($Rule, $Convert) + DocumentRule ([xml.xmlelement] $Rule, [switch] $Convert) : base ($Rule, $Convert) { } diff --git a/Module/Rule.FileContent/Convert/Data.ps1 b/source/Module/Rule.FileContent/Convert/Data.ps1 similarity index 100% rename from Module/Rule.FileContent/Convert/Data.ps1 rename to source/Module/Rule.FileContent/Convert/Data.ps1 diff --git a/Module/Rule.FileContent/Convert/FileContentRule.Convert.psm1 b/source/Module/Rule.FileContent/Convert/FileContentRule.Convert.psm1 similarity index 97% rename from Module/Rule.FileContent/Convert/FileContentRule.Convert.psm1 rename to source/Module/Rule.FileContent/Convert/FileContentRule.Convert.psm1 index d4e7ed17e..d1b6ec430 100644 --- a/Module/Rule.FileContent/Convert/FileContentRule.Convert.psm1 +++ b/source/Module/Rule.FileContent/Convert/FileContentRule.Convert.psm1 @@ -20,7 +20,7 @@ foreach ($supportFile in $supportFileList) The FileContentRule class is used to manage STIGs for applications that utilize a configuration file to manage security settings #> -Class FileContentRuleConvert : FileContentRule +class FileContentRuleConvert : FileContentRule { <# .SYNOPSIS @@ -36,7 +36,7 @@ Class FileContentRuleConvert : FileContentRule .PARAMETER XccdfRule The STIG rule to convert #> - FileContentRuleConvert ([xml.xmlelement] $XccdfRule) : Base ($XccdfRule, $true) + FileContentRuleConvert ([xml.xmlelement] $XccdfRule) : base ($XccdfRule, $true) { $this.SetKeyName() $this.SetValue() 
@@ -87,7 +87,7 @@ Class FileContentRuleConvert : FileContentRule hidden [void] SetDscResource () { - if($null -eq $this.DuplicateOf) + if ($null -eq $this.DuplicateOf) { if ($this.Key -match 'deployment.') { diff --git a/Module/Rule.FileContent/Convert/FileContentType/FileContentType.psm1 b/source/Module/Rule.FileContent/Convert/FileContentType/FileContentType.psm1 similarity index 98% rename from Module/Rule.FileContent/Convert/FileContentType/FileContentType.psm1 rename to source/Module/Rule.FileContent/Convert/FileContentType/FileContentType.psm1 index 457a560f7..bf49fcdda 100644 --- a/Module/Rule.FileContent/Convert/FileContentType/FileContentType.psm1 +++ b/source/Module/Rule.FileContent/Convert/FileContentType/FileContentType.psm1 @@ -11,7 +11,7 @@ .PARAMETER Instance Maintains a single instance of the class object #> -Class FileContentType +class FileContentType { static [FileContentType] $Instance #region Constructor diff --git a/Module/Rule.FileContent/Convert/FileContentType/Methods.MozillaFirefox.ps1 b/source/Module/Rule.FileContent/Convert/FileContentType/Methods.MozillaFirefox.ps1 similarity index 100% rename from Module/Rule.FileContent/Convert/FileContentType/Methods.MozillaFirefox.ps1 rename to source/Module/Rule.FileContent/Convert/FileContentType/Methods.MozillaFirefox.ps1 diff --git a/Module/Rule.FileContent/Convert/FileContentType/Methods.OracleJRE.ps1 b/source/Module/Rule.FileContent/Convert/FileContentType/Methods.OracleJRE.ps1 similarity index 100% rename from Module/Rule.FileContent/Convert/FileContentType/Methods.OracleJRE.ps1 rename to source/Module/Rule.FileContent/Convert/FileContentType/Methods.OracleJRE.ps1 diff --git a/Module/Rule.FileContent/Convert/Methods.ps1 b/source/Module/Rule.FileContent/Convert/Methods.ps1 similarity index 100% rename from Module/Rule.FileContent/Convert/Methods.ps1 rename to source/Module/Rule.FileContent/Convert/Methods.ps1 
diff --git a/Module/Rule.FileContent/FileContentRule.psm1 b/source/Module/Rule.FileContent/FileContentRule.psm1 similarity index 92% rename from Module/Rule.FileContent/FileContentRule.psm1 rename to source/Module/Rule.FileContent/FileContentRule.psm1 index c72da50ad..41a0837cb 100644 --- a/Module/Rule.FileContent/FileContentRule.psm1 +++ b/source/Module/Rule.FileContent/FileContentRule.psm1 @@ -14,7 +14,7 @@ using module .\..\Rule\Rule.psm1 .PARAMETER Value Specifies the value of the configuration setting #> -Class FileContentRule : Rule +class FileContentRule : Rule { [string] $Key [string] $Value <#(ExceptionValue)#> @@ -33,7 +33,7 @@ Class FileContentRule : Rule .PARAMETER Rule The STIG rule to load #> - FileContentRule ([xml.xmlelement] $Rule) : Base ($Rule) + FileContentRule ([xml.xmlelement] $Rule) : base ($Rule) { } @@ -45,7 +45,7 @@ Class FileContentRule : Rule .PARAMETER Convert A simple bool flag to create a unique constructor signature #> - FileContentRule ([xml.xmlelement] $Rule, [switch] $Convert) : Base ($Rule, $Convert) + FileContentRule ([xml.xmlelement] $Rule, [switch] $Convert) : base ($Rule, $Convert) { } diff --git a/Module/Rule.Group/Convert/GroupRule.Convert.psm1 b/source/Module/Rule.Group/Convert/GroupRule.Convert.psm1 similarity index 95% rename from Module/Rule.Group/Convert/GroupRule.Convert.psm1 rename to source/Module/Rule.Group/Convert/GroupRule.Convert.psm1 index 7891748a8..270cde3b8 100644 --- a/Module/Rule.Group/Convert/GroupRule.Convert.psm1 +++ b/source/Module/Rule.Group/Convert/GroupRule.Convert.psm1 @@ -21,7 +21,7 @@ foreach ($supportFile in $supportFileList) group rule, it is passed to the GroupRuleConvert class for parsing and validation. #> -Class GroupRuleConvert : GroupRule +class GroupRuleConvert : GroupRule { <# .SYNOPSIS 
@@ -37,7 +37,7 @@ Class GroupRuleConvert : GroupRule .PARAMETER XccdfRule The STIG rule to convert #> - GroupRuleConvert ([xml.xmlelement] $XccdfRule) : Base ($XccdfRule, $true) + GroupRuleConvert ([xml.xmlelement] $XccdfRule) : base ($XccdfRule, $true) { $this.SetGroupName() $this.SetMembersToExclude() @@ -96,7 +96,7 @@ Class GroupRuleConvert : GroupRule hidden [void] SetDscResource () { - if($null -eq $this.DuplicateOf) + if ($null -eq $this.DuplicateOf) { $this.DscResource = 'Group' } diff --git a/Module/Rule.Group/Convert/Methods.ps1 b/source/Module/Rule.Group/Convert/Methods.ps1 similarity index 100% rename from Module/Rule.Group/Convert/Methods.ps1 rename to source/Module/Rule.Group/Convert/Methods.ps1 diff --git a/Module/Rule.Group/Convert/Template.GroupDetail.txt b/source/Module/Rule.Group/Convert/Template.GroupDetail.txt similarity index 100% rename from Module/Rule.Group/Convert/Template.GroupDetail.txt rename to source/Module/Rule.Group/Convert/Template.GroupDetail.txt diff --git a/Module/Rule.Group/GroupRule.psm1 b/source/Module/Rule.Group/GroupRule.psm1 similarity index 90% rename from Module/Rule.Group/GroupRule.psm1 rename to source/Module/Rule.Group/GroupRule.psm1 index 78bcffca8..562f3fac1 100644 --- a/Module/Rule.Group/GroupRule.psm1 +++ b/source/Module/Rule.Group/GroupRule.psm1 @@ -14,7 +14,7 @@ using module .\..\Rule\Rule.psm1 .PARAMETER MembersToExclude The list of memmbers that are not allowed to be in the group #> -Class GroupRule : Rule +class GroupRule : Rule { [string] $GroupName [string[]] $MembersToExclude <#(ExceptionValue)#> @@ -33,7 +33,7 @@ Class GroupRule : Rule .PARAMETER Rule The STIG rule to load #> - GroupRule ([xml.xmlelement] $Rule) : Base ($Rule) + GroupRule ([xml.xmlelement] $Rule) : base ($Rule) { } 
@@ -45,7 +45,7 @@ Class GroupRule : Rule .PARAMETER Convert A simple bool flag to create a unique constructor signature #> - GroupRule ([xml.xmlelement] $Rule, [switch] $Convert) : Base ($Rule, $Convert) + GroupRule ([xml.xmlelement] $Rule, [switch] $Convert) : base ($Rule, $Convert) { } diff --git a/Module/Rule.HardCoded/Convert/HardCodedRule.Convert.psm1 b/source/Module/Rule.HardCoded/Convert/HardCodedRule.Convert.psm1 similarity index 99% rename from Module/Rule.HardCoded/Convert/HardCodedRule.Convert.psm1 rename to source/Module/Rule.HardCoded/Convert/HardCodedRule.Convert.psm1 index df6f33f02..2021fd9c7 100644 --- a/Module/Rule.HardCoded/Convert/HardCodedRule.Convert.psm1 +++ b/source/Module/Rule.HardCoded/Convert/HardCodedRule.Convert.psm1 @@ -36,7 +36,7 @@ using module .\..\..\Rule.WindowsFeature\Convert\WindowsFeatureRule.Convert.psm1 a predefined rule type. The configuration details are then extracted and validated before returning the object. #> -Class HardCodedRuleConvert +class HardCodedRuleConvert { [System.Object] $Rule <# diff --git a/Module/Rule.IISLogging/Convert/Data.ps1 b/source/Module/Rule.IISLogging/Convert/Data.ps1 similarity index 100% rename from Module/Rule.IISLogging/Convert/Data.ps1 rename to source/Module/Rule.IISLogging/Convert/Data.ps1 diff --git a/Module/Rule.IISLogging/Convert/IISLoggingRule.Convert.psm1 b/source/Module/Rule.IISLogging/Convert/IISLoggingRule.Convert.psm1 similarity index 96% rename from Module/Rule.IISLogging/Convert/IISLoggingRule.Convert.psm1 rename to source/Module/Rule.IISLogging/Convert/IISLoggingRule.Convert.psm1 index 3d5cea609..3e8f5ecbf 100644 --- a/Module/Rule.IISLogging/Convert/IISLoggingRule.Convert.psm1 +++ b/source/Module/Rule.IISLogging/Convert/IISLoggingRule.Convert.psm1 
@@ -23,7 +23,7 @@ foreach ($supportFile in $supportFileList) IIS Log rule, it is passed to the IisLoggingRuleConvert class for parsing and validation. #> -Class IisLoggingRuleConvert : IisLoggingRule +class IisLoggingRuleConvert : IisLoggingRule { <# .SYNOPSIS @@ -39,9 +39,8 @@ Class IisLoggingRuleConvert : IisLoggingRule .PARAMETER XccdfRule The STIG rule to convert #> - IisLoggingRuleConvert ([xml.xmlelement] $XccdfRule) : Base ($XccdfRule, $true) + IisLoggingRuleConvert ([xml.xmlelement] $XccdfRule) : base ($XccdfRule, $true) { - if ($this.conversionstatus -eq 'pass') { $this.SetDuplicateRule() @@ -174,7 +173,7 @@ Class IisLoggingRuleConvert : IisLoggingRule hidden [void] SetDscResource () { - if($null -eq $this.DuplicateOf) + if ($null -eq $this.DuplicateOf) { if ($global:stigTitle -match "Server") { @@ -196,7 +195,7 @@ Class IisLoggingRuleConvert : IisLoggingRule if ( $CheckContent -Match 'Logging' -and - $CheckContent -Match 'IIS 8\.5' -and + $CheckContent -Match 'IIS 8\.5|IIS 10\.0' -and $CheckContent -NotMatch 'review source IP' -and $CheckContent -NotMatch 'verify only authorized groups' -and $CheckContent -NotMatch 'Confirm|Consult with the System Administrator' -and diff --git a/Module/Rule.IISLogging/Convert/Methods.ps1 b/source/Module/Rule.IISLogging/Convert/Methods.ps1 similarity index 100% rename from Module/Rule.IISLogging/Convert/Methods.ps1 rename to source/Module/Rule.IISLogging/Convert/Methods.ps1 diff --git a/Module/Rule.IISLogging/IISLoggingRule.psm1 b/source/Module/Rule.IISLogging/IISLoggingRule.psm1 similarity index 92% rename from Module/Rule.IISLogging/IISLoggingRule.psm1 rename to source/Module/Rule.IISLogging/IISLoggingRule.psm1 index c67222d1d..33b8fc6e9 100644 --- a/Module/Rule.IISLogging/IISLoggingRule.psm1 +++ b/source/Module/Rule.IISLogging/IISLoggingRule.psm1 
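Review bot: The new alternation `$CheckContent -Match 'IIS 8\.5|IIS 10\.0' -and` hard-codes the supported IIS version list inline, and the same literal is repeated in MimeTypeRuleConvert's `MIME Types` check and, as `'IIS 8\.5 web|IIS 10\.0 web'`, in PermissionRuleConvert's exclusion list, so the next IIS release needs three coordinated edits that are easy to miss. Because `-Match` is a regex, the grouped form `'IIS (8\.5|10\.0)'` reads more clearly than repeating the product name, and hoisting it into one shared constant in the rule's support data (a constructed name such as `$regularExpression.iisVersion`, if that hashtable is in scope here) would keep the three matchers in step. This widens which STIG check content is classified as an IIS logging rule, so a conversion test with IIS 10.0 check text would pin the intent. The enclosing Match method begins and ends outside the hunk.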
@@ -19,7 +19,7 @@ using module .\..\Rule\Rule.psm1 .PARAMETER LogTargetW3C #> -Class IisLoggingRule : Rule +class IisLoggingRule : Rule { [object[]] $LogCustomFieldEntry [string] $LogFlags @@ -41,7 +41,7 @@ Class IisLoggingRule : Rule .PARAMETER Rule The STIG rule to load #> - IisLoggingRule ([xml.xmlelement] $Rule) : Base ($Rule) + IisLoggingRule ([xml.xmlelement] $Rule) : base ($Rule) { } @@ -53,7 +53,7 @@ Class IisLoggingRule : Rule .PARAMETER Convert A simple bool flag to create a unique constructor signature #> - IisLoggingRule ([xml.xmlelement] $Rule, [switch] $Convert) : Base ($Rule, $Convert) + IisLoggingRule ([xml.xmlelement] $Rule, [switch] $Convert) : base ($Rule, $Convert) { } diff --git a/Module/Rule.Manual/Convert/ManualRule.Convert.psm1 b/source/Module/Rule.Manual/Convert/ManualRule.Convert.psm1 similarity index 91% rename from Module/Rule.Manual/Convert/ManualRule.Convert.psm1 rename to source/Module/Rule.Manual/Convert/ManualRule.Convert.psm1 index 7a803e249..d16c811e0 100644 --- a/Module/Rule.Manual/Convert/ManualRule.Convert.psm1 +++ b/source/Module/Rule.Manual/Convert/ManualRule.Convert.psm1 @@ -20,7 +20,7 @@ foreach ($supportFile in $supportFileList) check-content of the xccdf. Once a STIG rule is identifed as a manual rule, it is passed to the ManualRule class for parsing and validation. #> -Class ManualRuleConvert : ManualRule +class ManualRuleConvert : ManualRule { <# .SYNOPSIS @@ -36,7 +36,7 @@ Class ManualRuleConvert : ManualRule .PARAMETER XccdfRule The STIG rule to convert #> - ManualRuleConvert ([xml.xmlelement] $XccdfRule) : Base ($XccdfRule, $true) + ManualRuleConvert ([xml.xmlelement] $XccdfRule) : base ($XccdfRule, $true) { $this.DscResource = 'None' } diff --git a/Module/Rule.Manual/ManualRule.psm1 b/source/Module/Rule.Manual/ManualRule.psm1 similarity index 88% rename from Module/Rule.Manual/ManualRule.psm1 rename to source/Module/Rule.Manual/ManualRule.psm1 index 18463bb91..77c48db88 100644 
--- a/Module/Rule.Manual/ManualRule.psm1 +++ b/source/Module/Rule.Manual/ManualRule.psm1 @@ -11,7 +11,7 @@ using module .\..\Rule\Rule.psm1 The ManualRule class is used to maange the Account Policy Settings. #> -Class ManualRule : Rule +class ManualRule : Rule { <#(ExceptionValue)#> @@ -29,7 +29,7 @@ Class ManualRule : Rule .PARAMETER Rule The STIG rule to load #> - ManualRule ([xml.xmlelement] $Rule) : Base ($Rule) + ManualRule ([xml.xmlelement] $Rule) : base ($Rule) { } @@ -41,7 +41,7 @@ Class ManualRule : Rule .PARAMETER Convert A simple bool flag to create a unique constructor signature #> - ManualRule ([xml.xmlelement] $Rule, [switch] $Convert) : Base ($Rule, $Convert) + ManualRule ([xml.xmlelement] $Rule, [switch] $Convert) : base ($Rule, $Convert) { } diff --git a/Module/Rule.MimeType/Convert/Data.ps1 b/source/Module/Rule.MimeType/Convert/Data.ps1 similarity index 100% rename from Module/Rule.MimeType/Convert/Data.ps1 rename to source/Module/Rule.MimeType/Convert/Data.ps1 diff --git a/Module/Rule.MimeType/Convert/Methods.ps1 b/source/Module/Rule.MimeType/Convert/Methods.ps1 similarity index 100% rename from Module/Rule.MimeType/Convert/Methods.ps1 rename to source/Module/Rule.MimeType/Convert/Methods.ps1 diff --git a/Module/Rule.MimeType/Convert/MimeTypeRule.Convert.psm1 b/source/Module/Rule.MimeType/Convert/MimeTypeRule.Convert.psm1 similarity index 95% rename from Module/Rule.MimeType/Convert/MimeTypeRule.Convert.psm1 rename to source/Module/Rule.MimeType/Convert/MimeTypeRule.Convert.psm1 index d21f9940a..2131593e1 100644 --- a/Module/Rule.MimeType/Convert/MimeTypeRule.Convert.psm1 +++ b/source/Module/Rule.MimeType/Convert/MimeTypeRule.Convert.psm1 @@ -22,7 +22,7 @@ foreach ($supportFile in $supportFileList) and validation. #> -Class MimeTypeRuleConvert : MimeTypeRule +class MimeTypeRuleConvert : MimeTypeRule { <# .SYNOPSIS 
@@ -38,7 +38,7 @@ Class MimeTypeRuleConvert : MimeTypeRule .PARAMETER XccdfRule The STIG rule to convert #> - MimeTypeRuleConvert ([xml.xmlelement] $XccdfRule) : Base ($XccdfRule, $true) + MimeTypeRuleConvert ([xml.xmlelement] $XccdfRule) : base ($XccdfRule, $true) { $this.SetExtension() $this.SetMimeType() @@ -139,7 +139,7 @@ Class MimeTypeRuleConvert : MimeTypeRule hidden [void] SetDscResource () { - if($null -eq $this.DuplicateOf) + if ($null -eq $this.DuplicateOf) { $this.DscResource = 'xIisMimeTypeMapping' } @@ -154,7 +154,7 @@ Class MimeTypeRuleConvert : MimeTypeRule if ( $CheckContent -Match 'MIME Types' -and - $CheckContent -Match 'IIS 8\.5' + $CheckContent -Match 'IIS 8\.5|IIS 10\.0' ) { return $true diff --git a/Module/Rule.MimeType/MimeTypeRule.psm1 b/source/Module/Rule.MimeType/MimeTypeRule.psm1 similarity index 90% rename from Module/Rule.MimeType/MimeTypeRule.psm1 rename to source/Module/Rule.MimeType/MimeTypeRule.psm1 index 8c65a615e..3d7c35be4 100644 --- a/Module/Rule.MimeType/MimeTypeRule.psm1 +++ b/source/Module/Rule.MimeType/MimeTypeRule.psm1 @@ -16,7 +16,7 @@ using module .\..\Rule\Rule.psm1 .PARAMETER Ensure A present or absent flag #> -Class MimeTypeRule : Rule +class MimeTypeRule : Rule { [string] $Extension [string] $MimeType @@ -36,7 +36,7 @@ Class MimeTypeRule : Rule .PARAMETER Rule The STIG rule to load #> - MimeTypeRule ([xml.xmlelement] $Rule) : Base ($Rule) + MimeTypeRule ([xml.xmlelement] $Rule) : base ($Rule) { } @@ -48,7 +48,7 @@ Class MimeTypeRule : Rule .PARAMETER Convert A simple bool flag to create a unique constructor signature #> - MimeTypeRule ([xml.xmlelement] $Rule, [switch] $Convert) : Base ($Rule, $Convert) + MimeTypeRule ([xml.xmlelement] $Rule, [switch] $Convert) : base ($Rule, $Convert) { } diff --git a/Module/Rule.Permission/Convert/Data.ps1 b/source/Module/Rule.Permission/Convert/Data.ps1 similarity index 100% rename from Module/Rule.Permission/Convert/Data.ps1 rename to source/Module/Rule.Permission/Convert/Data.ps1 
diff --git a/Module/Rule.Permission/Convert/Methods.ps1 b/source/Module/Rule.Permission/Convert/Methods.ps1 similarity index 99% rename from Module/Rule.Permission/Convert/Methods.ps1 rename to source/Module/Rule.Permission/Convert/Methods.ps1 index 9f4439c9d..07bb4d291 100644 --- a/Module/Rule.Permission/Convert/Methods.ps1 +++ b/source/Module/Rule.Permission/Convert/Methods.ps1 @@ -546,7 +546,7 @@ function Convert-RightsConstant { $string.Split(',') } - elseIf ( $string.Contains('/') ) + elseif ($string.Contains('/')) { $string.Split('/') } @@ -651,7 +651,7 @@ function Split-MultiplePermissionRule $headerLineRange = 0..($hklmSecurityMatch.LineNumber - 2) $footerLineRange = ($lastPermissonMatch.LineNumber)..($checkContent.Length - 1) } - elseIf ( + elseif ( $checkContent -match $regularExpression.rootOfC -and $checkContent -match $regularExpression.programFilesWin10 -and $checkContent -match $regularExpression.winDir diff --git a/Module/Rule.Permission/Convert/PermissionRule.Convert.psm1 b/source/Module/Rule.Permission/Convert/PermissionRule.Convert.psm1 similarity index 96% rename from Module/Rule.Permission/Convert/PermissionRule.Convert.psm1 rename to source/Module/Rule.Permission/Convert/PermissionRule.Convert.psm1 index f43c73e28..941e3c378 100644 --- a/Module/Rule.Permission/Convert/PermissionRule.Convert.psm1 +++ b/source/Module/Rule.Permission/Convert/PermissionRule.Convert.psm1 @@ -21,7 +21,7 @@ foreach ($supportFile in $supportFileList) permission rule, it is passed to the PermissionRule class for parsing and validation. #> -Class PermissionRuleConvert : PermissionRule +class PermissionRuleConvert : PermissionRule { <# .SYNOPSIS @@ -37,7 +37,7 @@ Class PermissionRuleConvert : PermissionRule .PARAMETER XccdfRule The STIG rule to convert #> - PermissionRuleConvert ([xml.xmlelement] $XccdfRule) : Base ($XccdfRule, $true) + PermissionRuleConvert ([xml.xmlelement] $XccdfRule) : base ($XccdfRule, $true) { $this.SetPath() $this.SetDscResource() 
@@ -121,7 +121,7 @@ Class PermissionRuleConvert : PermissionRule hidden [void] SetDscResource () { - if($null -eq $this.DuplicateOf) + if ($null -eq $this.DuplicateOf) { if ($this.Path) { @@ -141,7 +141,7 @@ Class PermissionRuleConvert : PermissionRule } } } - elseIf ($this.RawString -match 'Auditing Tab') + elseif ($this.RawString -match 'Auditing Tab') { $this.DscResource = 'FileSystemAuditRuleEntry' } @@ -163,7 +163,7 @@ Class PermissionRuleConvert : PermissionRule $CheckContent -NotMatch 'Windows Registry Editor' -and $CheckContent -NotMatch '(ID|id)s? .* (A|a)uditors?,? (SA|sa)s?,? .* (W|w)eb (A|a)dministrators? .* access to log files?' -and $CheckContent -NotMatch '\n*\.NET Trust Level' -and - $CheckContent -NotMatch 'IIS 8\.5 web' -and + $CheckContent -NotMatch 'IIS 8\.5 web|IIS 10\.0 web' -and $CheckContent -cNotmatch 'SELECT' -and $CheckContent -NotMatch 'SQL Server' -and $CheckContent -NotMatch 'user\srights\sand\spermissions' -and diff --git a/Module/Rule.Permission/PermissionRule.psm1 b/source/Module/Rule.Permission/PermissionRule.psm1 similarity index 93% rename from Module/Rule.Permission/PermissionRule.psm1 rename to source/Module/Rule.Permission/PermissionRule.psm1 index 29375bfe7..5d4b74ca1 100644 --- a/Module/Rule.Permission/PermissionRule.psm1 +++ b/source/Module/Rule.Permission/PermissionRule.psm1 @@ -16,7 +16,7 @@ using module .\..\Rule\Rule.psm1 .PARAMETER Force A flag that will overwrite the current ACE in the ACL instead of merge #> -Class PermissionRule : Rule +class PermissionRule : Rule { [string] $Path [object[]] $AccessControlEntry <#(ExceptionValue)#> @@ -36,7 +36,7 @@ Class PermissionRule : Rule .PARAMETER Rule The STIG rule to load #> - PermissionRule ([xml.xmlelement] $Rule) : Base ($Rule) + PermissionRule ([xml.xmlelement] $Rule) : base ($Rule) { } 
@@ -48,7 +48,7 @@ Class PermissionRule : Rule .PARAMETER Convert A simple bool flag to create a unique constructor signature #> - PermissionRule ([xml.xmlelement] $Rule, [switch] $Convert) : Base ($Rule, $Convert) + PermissionRule ([xml.xmlelement] $Rule, [switch] $Convert) : base ($Rule, $Convert) { } diff --git a/Module/Rule.ProcessMitigation/Convert/Data.ps1 b/source/Module/Rule.ProcessMitigation/Convert/Data.ps1 similarity index 100% rename from Module/Rule.ProcessMitigation/Convert/Data.ps1 rename to source/Module/Rule.ProcessMitigation/Convert/Data.ps1 diff --git a/Module/Rule.ProcessMitigation/Convert/Methods.ps1 b/source/Module/Rule.ProcessMitigation/Convert/Methods.ps1 similarity index 100% rename from Module/Rule.ProcessMitigation/Convert/Methods.ps1 rename to source/Module/Rule.ProcessMitigation/Convert/Methods.ps1 diff --git a/Module/Rule.ProcessMitigation/Convert/ProcessMitigationRule.Convert.psm1 b/source/Module/Rule.ProcessMitigation/Convert/ProcessMitigationRule.Convert.psm1 similarity index 97% rename from Module/Rule.ProcessMitigation/Convert/ProcessMitigationRule.Convert.psm1 rename to source/Module/Rule.ProcessMitigation/Convert/ProcessMitigationRule.Convert.psm1 index 8a41645a5..e8661d24f 100644 --- a/Module/Rule.ProcessMitigation/Convert/ProcessMitigationRule.Convert.psm1 +++ b/source/Module/Rule.ProcessMitigation/Convert/ProcessMitigationRule.Convert.psm1 @@ -23,7 +23,7 @@ foreach ($supportFile in $supportFileList) for parsing and validation. #> -Class ProcessMitigationRuleConvert : ProcessMitigationRule +class ProcessMitigationRuleConvert : ProcessMitigationRule { <# .SYNOPSIS @@ -39,7 +39,7 @@ Class ProcessMitigationRuleConvert : ProcessMitigationRule .PARAMETER XccdfRule The STIG rule to convert #> - ProcessMitigationRuleConvert ([xml.xmlelement] $XccdfRule) : Base ($XccdfRule, $true) + ProcessMitigationRuleConvert ([xml.xmlelement] $XccdfRule) : base ($XccdfRule, $true) { $this.SetMitigationTarget() $this.SetMitigationToEnable() 
@@ -122,7 +122,7 @@ Class ProcessMitigationRuleConvert : ProcessMitigationRule hidden [void] SetDscResource () { - if($null -eq $this.DuplicateOf) + if ($null -eq $this.DuplicateOf) { $this.DscResource = 'ProcessMitigation' } diff --git a/Module/Rule.ProcessMitigation/ProcessMitigationRule.psm1 b/source/Module/Rule.ProcessMitigation/ProcessMitigationRule.psm1 similarity index 91% rename from Module/Rule.ProcessMitigation/ProcessMitigationRule.psm1 rename to source/Module/Rule.ProcessMitigation/ProcessMitigationRule.psm1 index da1041cc7..3a7eb876b 100644 --- a/Module/Rule.ProcessMitigation/ProcessMitigationRule.psm1 +++ b/source/Module/Rule.ProcessMitigation/ProcessMitigationRule.psm1 @@ -16,7 +16,7 @@ using module .\..\Rule\Rule.psm1 .PARAMETER Disable A flag to disable the mitigation rule #> -Class ProcessMitigationRule : Rule +class ProcessMitigationRule : Rule { [string] $MitigationTarget [string] $Enable @@ -36,7 +36,7 @@ Class ProcessMitigationRule : Rule .PARAMETER Rule The STIG rule to load #> - ProcessMitigationRule ([xml.xmlelement] $Rule) : Base ($Rule) + ProcessMitigationRule ([xml.xmlelement] $Rule) : base ($Rule) { } @@ -48,7 +48,7 @@ Class ProcessMitigationRule : Rule .PARAMETER Convert A simple bool flag to create a unique constructor signature #> - ProcessMitigationRule ([xml.xmlelement] $Rule, [switch] $Convert) : Base ($Rule, $Convert) + ProcessMitigationRule ([xml.xmlelement] $Rule, [switch] $Convert) : base ($Rule, $Convert) { } diff --git a/Module/Rule.Registry/Convert/Data.ps1 b/source/Module/Rule.Registry/Convert/Data.ps1 similarity index 100% rename from Module/Rule.Registry/Convert/Data.ps1 rename to source/Module/Rule.Registry/Convert/Data.ps1 
diff --git a/Module/Rule.Registry/Convert/Functions.SingleLine.ps1 b/source/Module/Rule.Registry/Convert/Functions.SingleLine.ps1 similarity index 99% rename from Module/Rule.Registry/Convert/Functions.SingleLine.ps1 rename to source/Module/Rule.Registry/Convert/Functions.SingleLine.ps1 index fd8278534..f524bc967 100644 --- a/Module/Rule.Registry/Convert/Functions.SingleLine.ps1 +++ b/source/Module/Rule.Registry/Convert/Functions.SingleLine.ps1 @@ -216,7 +216,7 @@ function Get-McAfeeRegistryPath if ($CheckContent -match "Software\\McAfee") { $path = "HKEY_LOCAL_MACHINE\Software\Wow6432Node\McAfee\" - if($CheckContent -match 'DesktopProtection') + if ($CheckContent -match 'DesktopProtection') { $mcafeePath = $CheckContent | Select-String -Pattern 'DesktopProtection.*$' } diff --git a/Module/Rule.Registry/Convert/Methods.ps1 b/source/Module/Rule.Registry/Convert/Methods.ps1 similarity index 95% rename from Module/Rule.Registry/Convert/Methods.ps1 rename to source/Module/Rule.Registry/Convert/Methods.ps1 index 1973e9f48..ee7fcdeb3 100644 --- a/Module/Rule.Registry/Convert/Methods.ps1 +++ b/source/Module/Rule.Registry/Convert/Methods.ps1 @@ -1050,7 +1050,7 @@ function Split-MultipleRegistryEntries If a check contains only the registry hive, but have multiple/unique paths,type,names,and values, then reference the single hive for each path that is discovered. #> - elseIf ( $paths.count -gt 1 -and $types.count -eq 1 -and $names.count -eq 1 -and $values.count -eq 1 ) + elseif ($paths.count -gt 1 -and $types.count -eq 1 -and $names.count -eq 1 -and $values.count -eq 1) { Write-Verbose -Message "[$($MyInvocation.MyCommand.Name)] Paths : $($paths.count)" 
@@ -1071,7 +1071,7 @@ function Split-MultipleRegistryEntries If a check contains a single registry hive, path, type, and value, but multiple value names, then reference the single hive hive, path, type, and value for each value name that is discovered. #> - elseIf ( $names.count -gt 1 -and $types.count -eq 1 -and $values.count -eq 1 ) + elseif ($names.count -gt 1 -and $types.count -eq 1 -and $values.count -eq 1) { Write-Verbose -Message "[$($MyInvocation.MyCommand.Name)] Values : $($names.count)" @@ -1092,7 +1092,7 @@ function Split-MultipleRegistryEntries If a check contains a single registry hive and path, but multiple values, then reference the single hive and path for each value name that is discovered. #> - elseIf ( $names.count -gt 1 -and $types.count -gt 1 ) + elseif ($names.count -gt 1 -and $types.count -gt 1) { Write-Verbose -Message "[$($MyInvocation.MyCommand.Name)] Values : $($names.count)" @@ -1109,7 +1109,7 @@ function Split-MultipleRegistryEntries $registryEntryCounter ++ } } - elseIf ( $hives.count -eq 1 -and $paths.count -gt 1 -and $types.count -eq 1 -and $names.count -eq 1 -and $values.count -eq 1 ) + elseif ($hives.count -eq 1 -and $paths.count -gt 1 -and $types.count -eq 1 -and $names.count -eq 1 -and $values.count -eq 1) { foreach ( $registryRule in $names ) { @@ -1124,9 +1124,9 @@ function Split-MultipleRegistryEntries $registryEntryCounter ++ } } - elseIf ( $hives.count -eq 1 -and $paths.count -eq 1 -and $types.count -eq 1 -and $names.count -gt 1 -and $values.count -gt 1 ) + elseif ($hives.count -eq 1 -and $paths.count -eq 1 -and $types.count -eq 1 -and $names.count -gt 1 -and $values.count -gt 1) { - foreach ( $registryRule in $values ) + foreach ($registryRule in $values) { $newSplitRegistryEntry = @( $hives[0], 
@@ -1166,56 +1166,56 @@ function Set-RegistryPatternLog ( [Parameter(Mandatory = $true)] [string] - $Pattern, + $Pattern, [Parameter()] [string] $Rule ) - - <# + + <# Load table with patterns from Core data file. Build the in-memory table of patterns #> - if(-not $global:patternTable) + if (-not $global:patternTable) { - $nonestedItems = $global:SingleLineRegistryPath.GetEnumerator() | + $nonestedItems = $global:SingleLineRegistryPath.GetEnumerator() | Where-Object { $_.Value['Select'] -ne $null } - - $nestedItems = $global:SingleLineRegistryPath.GetEnumerator() | + + $nestedItems = $global:SingleLineRegistryPath.GetEnumerator() | Where-Object { $_.Value['Select'] -eq $null } | Select-Object {$_.Value } -ExpandProperty Value - $regPathTable = $nonestedItems.GetEnumerator() | + $regPathTable = $nonestedItems.GetEnumerator() | ForEach-Object { New-Object -TypeName PSObject -Property @{Pattern=$_.Value['Select']; Count=0; Type='RegistryPath'}} - - $regPathTable += $nestedItems.GetEnumerator() | - Where-Object { $_.Value['Select'] -ne $null } | + + $regPathTable += $nestedItems.GetEnumerator() | + Where-Object { $_.Value['Select'] -ne $null } | ForEach-Object { New-Object -TypeName PSObject -Property @{Pattern=$_.Value['Select']; Count=0; Type='RegistryPath'}} - - $regValueTypeTable = $global:SingleLineRegistryValueType.GetEnumerator() | - Where-Object { $_.Value['Select'] -ne $null } | + + $regValueTypeTable = $global:SingleLineRegistryValueType.GetEnumerator() | + Where-Object { $_.Value['Select'] -ne $null } | ForEach-Object { New-Object -TypeName PSObject -Property @{Pattern=$_.Value['Select']; Count=0; Type='ValueType'}} - - $regValueNameTable = $global:SingleLineRegistryValueName.GetEnumerator() | - Where-Object { $_.Value['Select'] -ne $null } | + + $regValueNameTable = $global:SingleLineRegistryValueName.GetEnumerator() | + Where-Object { $_.Value['Select'] -ne $null } | ForEach-Object { New-Object -TypeName PSObject -Property @{Pattern=$_.Value['Select']; 
Count=0; Type='ValueName'}} - - $regValueDataTable = $global:SingleLineRegistryValueData.GetEnumerator() | - Where-Object { $_.Value['Select'] -ne $null } | + + $regValueDataTable = $global:SingleLineRegistryValueData.GetEnumerator() | + Where-Object { $_.Value['Select'] -ne $null } | ForEach-Object { New-Object -TypeName PSObject -Property @{Pattern=$_.Value['Select']; Count=0; Type='ValueData'}} - - $valueTypeTable = $regValueTypeTable | - Group-Object -Property "Pattern" | + + $valueTypeTable = $regValueTypeTable | + Group-Object -Property "Pattern" | ForEach-Object{ $_.Group | Select-Object 'Pattern','Count', 'Type' -First 1} - - $valueNameTable = $regValueNameTable | - Group-Object -Property "Pattern" | + + $valueNameTable = $regValueNameTable | + Group-Object -Property "Pattern" | ForEach-Object{ $_.Group | Select-Object 'Pattern','Count', 'Type' -First 1} - $valueDataTable = $regValueDataTable | - Group-Object -Property "Pattern" | + $valueDataTable = $regValueDataTable | + Group-Object -Property "Pattern" | ForEach-Object{ $_.Group | Select-Object 'Pattern','Count', 'Type' -First 1} - + $global:patternTable = $regPathTable + $valueTypeTable + $valueNameTable + $valueDataTable } @@ -1233,7 +1233,7 @@ function Set-RegistryPatternLog .PARAMETER Path Specifies a path to a directory with (unprocessed) xccdf.xml files or a specific xccdf.xml file. - Path should be StigData\Archive\{Directory Name} or StigData\Archive\{DirectoryName}\{*.xccdf.xml} + Path should be StigData\Archive\{Directory Name} or StigData\Archive\{DirectoryName}\{*.xccdf.xml} .Notes Expression patterns are only for Registry Rules, this could change in the future @@ -1264,7 +1264,7 @@ function Get-RegistryPatternLog } } } - + # If $Path is a file, process it $isFile = Test-Path $Path -pathType Leaf if ($isFile) 
@@ -1312,22 +1312,22 @@ function Test-StigProcessed # Setup, check $Path for Processed [xml]$XmlDocument = Get-Content -Path $Path $id = $XmlDocument.Benchmark | Select-Object id - - $version = $Path | Select-String -Pattern '(?<=_)V.*(?=_)' | + + $version = $Path | Select-String -Pattern '(?<=_)V.*(?=_)' | ForEach-Object { $_.Matches[0] -replace "V", "" -replace "R","\." } $conversionPath = Get-Item "$($PSScriptRoot)..\..\..\StigData\Processed" #Write-Host $testPath - $hasConversion = Get-ChildItem -Path $conversionPath -recurse | Where-Object { $_ | Select-String -Pattern $id.id } | Where-Object { $_ | Select-String -Pattern $version } - #$hasConversion = Get-ChildItem -Path ..\..\..\StigData\Processed -recurse | Where-Object { $_ | Select-String -Pattern $id.id } | Where-Object { $_ | Select-String -Pattern $version } - + $hasConversion = Get-ChildItem -Path $conversionPath -recurse | Where-Object { $_ | Select-String -Pattern $id.id } | Where-Object { $_ | Select-String -Pattern $version } + #$hasConversion = Get-ChildItem -Path ..\..\..\StigData\Processed -recurse | Where-Object { $_ | Select-String -Pattern $id.id } | Where-Object { $_ | Select-String -Pattern $version } + if ($hasConversion) { return $true } - else - { - return $false + else + { + return $false } } #endregion diff --git a/Module/Rule.Registry/Convert/RegistryRule.Convert.psm1 b/source/Module/Rule.Registry/Convert/RegistryRule.Convert.psm1 similarity index 99% rename from Module/Rule.Registry/Convert/RegistryRule.Convert.psm1 rename to source/Module/Rule.Registry/Convert/RegistryRule.Convert.psm1 index 1bf6e01ab..ae3ea7b54 100644 --- a/Module/Rule.Registry/Convert/RegistryRule.Convert.psm1 +++ b/source/Module/Rule.Registry/Convert/RegistryRule.Convert.psm1 
@@ -22,7 +22,7 @@ foreach ($supportFile in $supportFileList) registry rule, it is passed to the RegistryRule class for parsing and validation. #> -Class RegistryRuleConvert : RegistryRule +class RegistryRuleConvert : RegistryRule { <# .SYNOPSIS @@ -38,9 +38,8 @@ Class RegistryRuleConvert : RegistryRule .PARAMETER XccdfRule The STIG rule to convert #> - RegistryRuleConvert ([xml.xmlelement] $XccdfRule) : Base ($XccdfRule, $true) + RegistryRuleConvert ([xml.xmlelement] $XccdfRule) : base ($XccdfRule, $true) { - $fixText = [RegistryRule]::GetFixText($XccdfRule) if ($global:stigTitle -match 'Adobe Acrobat Reader') @@ -368,7 +367,7 @@ Class RegistryRuleConvert : RegistryRule hidden [void] SetDscResource ([string] $FixText) { - if($null -eq $this.DuplicateOf) + if ($null -eq $this.DuplicateOf) { if ($FixText -match 'Administrative Templates' -or $this.key -match "(^hkcu|^HKEY_CURRENT_USER)") { diff --git a/Module/Rule.Registry/RegistryRule.psm1 b/source/Module/Rule.Registry/RegistryRule.psm1 similarity index 92% rename from Module/Rule.Registry/RegistryRule.psm1 rename to source/Module/Rule.Registry/RegistryRule.psm1 index 2c1a624d8..ef23df226 100644 --- a/Module/Rule.Registry/RegistryRule.psm1 +++ b/source/Module/Rule.Registry/RegistryRule.psm1 @@ -23,7 +23,7 @@ using module .\..\Rule\Rule.psm1 .PARAMETER Ensure A present or absent flag #> -Class RegistryRule : Rule +class RegistryRule : Rule { [string] $Key [string] $ValueName @@ -45,7 +45,7 @@ Class RegistryRule : Rule .PARAMETER Rule The STIG rule to load #> - RegistryRule ([xml.xmlelement] $Rule) : Base ($Rule) + RegistryRule ([xml.xmlelement] $Rule) : base ($Rule) { } @@ -57,7 +57,7 @@ Class RegistryRule : Rule .PARAMETER Convert A simple bool flag to create a unique constructor signature #> - RegistryRule ([xml.xmlelement] $Rule, [switch] $Convert) : Base ($Rule, $Convert) + RegistryRule ([xml.xmlelement] $Rule, [switch] $Convert) : base ($Rule, $Convert) { } 
diff --git a/Module/Rule.SecurityOption/Convert/SecurityOptionRule.Convert.psm1 b/source/Module/Rule.SecurityOption/Convert/SecurityOptionRule.Convert.psm1 similarity index 97% rename from Module/Rule.SecurityOption/Convert/SecurityOptionRule.Convert.psm1 rename to source/Module/Rule.SecurityOption/Convert/SecurityOptionRule.Convert.psm1 index 0468f2abb..1e26aa7ce 100644 --- a/Module/Rule.SecurityOption/Convert/SecurityOptionRule.Convert.psm1 +++ b/source/Module/Rule.SecurityOption/Convert/SecurityOptionRule.Convert.psm1 @@ -14,7 +14,7 @@ using namespace System.Text Security Option rule. The configuration details are then extracted and validated before returning the object. #> -Class SecurityOptionRuleConvert : SecurityOptionRule +class SecurityOptionRuleConvert : SecurityOptionRule { <# .SYNOPSIS @@ -30,7 +30,7 @@ Class SecurityOptionRuleConvert : SecurityOptionRule .PARAMETER XccdfRule The STIG rule to convert #> - SecurityOptionRuleConvert ([xml.xmlelement] $XccdfRule) : Base ($XccdfRule, $true) + SecurityOptionRuleConvert ([xml.xmlelement] $XccdfRule) : base ($XccdfRule, $true) { [System.Text.RegularExpressions.Match] $tokens = $this.ExtractProperties() $this.SetOptionName($tokens) @@ -144,7 +144,7 @@ Class SecurityOptionRuleConvert : SecurityOptionRule hidden [void] SetDscResource () { - if($null -eq $this.DuplicateOf) + if ($null -eq $this.DuplicateOf) { $this.DscResource = 'SecurityOption' } diff --git a/Module/Rule.SecurityOption/SecurityOptionRule.psm1 b/source/Module/Rule.SecurityOption/SecurityOptionRule.psm1 similarity index 92% rename from Module/Rule.SecurityOption/SecurityOptionRule.psm1 rename to source/Module/Rule.SecurityOption/SecurityOptionRule.psm1 index 3f75ae35f..8bfa7aabc 100644 --- a/Module/Rule.SecurityOption/SecurityOptionRule.psm1 +++ b/source/Module/Rule.SecurityOption/SecurityOptionRule.psm1 
@@ -14,7 +14,7 @@ using module .\..\Rule\Rule.psm1 .PARAMETER OptionValue The security option value #> -Class SecurityOptionRule : Rule +class SecurityOptionRule : Rule { [ValidateNotNullOrEmpty()] [string] $OptionName [ValidateNotNullOrEmpty()] [string] $OptionValue <#(ExceptionValue)#> @@ -33,7 +33,7 @@ Class SecurityOptionRule : Rule .PARAMETER Rule The STIG rule to load #> - SecurityOptionRule ([xml.xmlelement] $Rule) : Base ($Rule) + SecurityOptionRule ([xml.xmlelement] $Rule) : base ($Rule) { } @@ -45,7 +45,7 @@ Class SecurityOptionRule : Rule .PARAMETER Convert A simple bool flag to create a unique constructor signature #> - SecurityOptionRule ([xml.xmlelement] $Rule, [switch] $Convert) : Base ($Rule, $Convert) + SecurityOptionRule ([xml.xmlelement] $Rule, [switch] $Convert) : base ($Rule, $Convert) { } diff --git a/Module/Rule.Service/Convert/Data.ps1 b/source/Module/Rule.Service/Convert/Data.ps1 similarity index 100% rename from Module/Rule.Service/Convert/Data.ps1 rename to source/Module/Rule.Service/Convert/Data.ps1 diff --git a/Module/Rule.Service/Convert/Methods.ps1 b/source/Module/Rule.Service/Convert/Methods.ps1 similarity index 85% rename from Module/Rule.Service/Convert/Methods.ps1 rename to source/Module/Rule.Service/Convert/Methods.ps1 index 1fb8c460b..c7551b135 100644 --- a/Module/Rule.Service/Convert/Methods.ps1 +++ b/source/Module/Rule.Service/Convert/Methods.ps1 
@@ -18,19 +18,19 @@ function Get-ServiceName Write-Verbose "[$($MyInvocation.MyCommand.Name)]" - if ( $checkContent -match $regularExpression.McAfee ) + if ( $checkContent -match $regularExpression.McAfee) { $serviceName = 'masvc' } - elseif ( $checkContent -match $regularExpression.SmartCardRemovalPolicy ) + elseif ($checkContent -match $regularExpression.SmartCardRemovalPolicy) { $serviceName = 'SCPolicySvc' } - elseif ( $checkContent -match $regularExpression.SecondaryLogon ) + elseif ($checkContent -match $regularExpression.SecondaryLogon) { $serviceName = 'seclogon' } - elseif ( $checkContent -match $regularExpression.followingservices ) + elseif ($checkContent -match $regularExpression.followingservices) { $regexMatch = $checkContent | Select-String '-' $svcArray = @() @@ -58,8 +58,8 @@ function Get-ServiceName $serviceName = $regexMatch.matches.groups[-1].Value } } - <# - There is an edge case with the rule concerning the FTP Service. All service rules have the service names inside of parentheses + <# + There is an edge case with the rule concerning the FTP Service. All service rules have the service names inside of parentheses (ex. (servicename)), however the rule pertaining to the FTP service presents this scenario: (Service name: FTPSVC) #> if ( $serviceName -match 'Service name: FTPSVC' ) 
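Review bot: The first branch of Get-ServiceName still carries a stray space after the opening parenthesis, `if ( $checkContent -match $regularExpression.McAfee)`, while the three `elseif` lines in the same hunk drop both inner spaces. Since this hunk exists only to normalize that spacing, the line should read `if ($checkContent -match $regularExpression.McAfee)` so the file ends up consistent rather than half-converted. The function's parameter block and the remainder of its body are outside the hunk.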
@@ -109,16 +109,16 @@ function Get-ServiceState $serviceName = Get-ServiceName -CheckContent $checkContent # ServiceState McAfee and Smartcard is running everything else is stopped - if ( $serviceName -match 'masvc' -or $serviceName -eq 'SCPolicySvc' ) + if ($serviceName -match 'masvc' -or $serviceName -eq 'SCPolicySvc') { return 'Running' } - elseif ( $checkContent -match 'is installed and not disabled, this is a finding' ) + elseif ($checkContent -match 'is installed and not disabled, this is a finding') { return 'Stopped' } - elseif ( $checkContent -match 'is not set to Automatic, this is a finding' -or - $checkContent -match 'is not Automatic, this is a finding' ) + elseif ($checkContent -match 'is not set to Automatic, this is a finding' -or + $checkContent -match 'is not Automatic, this is a finding') { return 'Running' } @@ -148,16 +148,16 @@ function Get-ServiceStartupType $serviceName = Get-ServiceName -CheckContent $checkContent # StartupType McAfee and Smartcard is Automatic everything else is disabled - if ( $serviceName -match 'masvc' -or $serviceName -eq 'SCPolicySvc' ) + if ($serviceName -match 'masvc' -or $serviceName -eq 'SCPolicySvc') { return 'Automatic' } - elseif ( $checkContent -match 'is installed and not disabled, this is a finding' ) + elseif ($checkContent -match 'is installed and not disabled, this is a finding') { return 'Disabled' } - elseif ( $checkContent -match 'is not set to Automatic, this is a finding' -or - $checkContent -match 'is not Automatic, this is a finding' ) + elseif ($checkContent -match 'is not set to Automatic, this is a finding' -or + $checkContent -match 'is not Automatic, this is a finding') { return 'Automatic' } 
diff --git a/Module/Rule.Service/Convert/ServiceRule.Convert.psm1 b/source/Module/Rule.Service/Convert/ServiceRule.Convert.psm1 similarity index 97% rename from Module/Rule.Service/Convert/ServiceRule.Convert.psm1 rename to source/Module/Rule.Service/Convert/ServiceRule.Convert.psm1 index e9a22212a..029b281b1 100644 --- a/Module/Rule.Service/Convert/ServiceRule.Convert.psm1 +++ b/source/Module/Rule.Service/Convert/ServiceRule.Convert.psm1 @@ -20,7 +20,7 @@ foreach ($supportFile in $supportFileList) check-content of the xccdf. Once a STIG rule is identified a service rule, it is passed to the ServiceRule class for parsing and validation. #> -Class ServiceRuleConvert : ServiceRule +class ServiceRuleConvert : ServiceRule { <# .SYNOPSIS @@ -36,7 +36,7 @@ Class ServiceRuleConvert : ServiceRule .PARAMETER XccdfRule The STIG rule to convert #> - ServiceRuleConvert ([xml.xmlelement] $XccdfRule) : Base ($XccdfRule, $true) + ServiceRuleConvert ([xml.xmlelement] $XccdfRule) : base ($XccdfRule, $true) { $this.SetServiceName() $this.SetServiceState() @@ -153,7 +153,7 @@ Class ServiceRuleConvert : ServiceRule hidden [void] SetDscResource () { - if($null -eq $this.DuplicateOf) + if ($null -eq $this.DuplicateOf) { $this.DscResource = 'Service' } diff --git a/Module/Rule.Service/ServiceRule.psm1 b/source/Module/Rule.Service/ServiceRule.psm1 similarity index 91% rename from Module/Rule.Service/ServiceRule.psm1 rename to source/Module/Rule.Service/ServiceRule.psm1 index 722613b32..2d78eb4ac 100644 --- a/Module/Rule.Service/ServiceRule.psm1 +++ b/source/Module/Rule.Service/ServiceRule.psm1 @@ -18,7 +18,7 @@ using module .\..\Rule\Rule.psm1 .PARAMETER Ensure A present or absent flag #> -Class ServiceRule : Rule +class ServiceRule : Rule { [string] $ServiceName [string] $ServiceState @@ -39,7 +39,7 @@ Class ServiceRule : Rule .PARAMETER Rule The STIG rule to load #> - ServiceRule ([xml.xmlelement] $Rule) : Base ($Rule) + ServiceRule ([xml.xmlelement] $Rule) : base ($Rule) { } 
@@ -51,7 +51,7 @@ Class ServiceRule : Rule .PARAMETER Convert A simple bool flag to create a unique constructor signature #> - ServiceRule ([xml.xmlelement] $Rule, [switch] $Convert) : Base ($Rule, $Convert) + ServiceRule ([xml.xmlelement] $Rule, [switch] $Convert) : base ($Rule, $Convert) { } diff --git a/Module/Rule.Skip/Skip.psm1 b/source/Module/Rule.Skip/Skip.psm1 similarity index 94% rename from Module/Rule.Skip/Skip.psm1 rename to source/Module/Rule.Skip/Skip.psm1 index 7ff16c97c..891af6eb8 100644 --- a/Module/Rule.Skip/Skip.psm1 +++ b/source/Module/Rule.Skip/Skip.psm1 @@ -16,7 +16,7 @@ using module .\..\Rule\Rule.psm1 .NOTES This class requires PowerShell v5 or above. #> -Class SkippedRule : Rule +class SkippedRule : Rule { <# .SYNOPSIS @@ -40,7 +40,7 @@ Class SkippedRule : Rule .PARAMETER Rule The Stig Rule #> - SkippedRule ([xml.xmlelement] $Rule) : Base ($Rule) + SkippedRule ([xml.xmlelement] $Rule) : base ($Rule) { $this.UpdateRuleTitle('Skip') } diff --git a/Module/Rule.SqlScriptQuery/Convert/Methods.ps1 b/source/Module/Rule.SqlScriptQuery/Convert/Methods.ps1 similarity index 100% rename from Module/Rule.SqlScriptQuery/Convert/Methods.ps1 rename to source/Module/Rule.SqlScriptQuery/Convert/Methods.ps1 diff --git a/Module/Rule.SqlScriptQuery/Convert/SqlScriptQueryRule.Convert.psm1 b/source/Module/Rule.SqlScriptQuery/Convert/SqlScriptQueryRule.Convert.psm1 similarity index 97% rename from Module/Rule.SqlScriptQuery/Convert/SqlScriptQueryRule.Convert.psm1 rename to source/Module/Rule.SqlScriptQuery/Convert/SqlScriptQueryRule.Convert.psm1 index 18be67b3c..17089bc9e 100644 --- a/Module/Rule.SqlScriptQuery/Convert/SqlScriptQueryRule.Convert.psm1 +++ b/source/Module/Rule.SqlScriptQuery/Convert/SqlScriptQueryRule.Convert.psm1 
@@ -22,7 +22,7 @@ foreach ($supportFile in $supportFileList) SQL script query rule, it is passed to the SqlScriptQueryRule class for parsing and validation. #> -Class SqlScriptQueryRuleConvert : SqlScriptQueryRule +class SqlScriptQueryRuleConvert : SqlScriptQueryRule { <# .SYNOPSIS @@ -38,7 +38,7 @@ Class SqlScriptQueryRuleConvert : SqlScriptQueryRule .PARAMETER XccdfRule The STIG rule to convert #> - SqlScriptQueryRuleConvert ([xml.xmlelement] $XccdfRule) : Base ($XccdfRule, $true) + SqlScriptQueryRuleConvert ([xml.xmlelement] $XccdfRule) : base ($XccdfRule, $true) { $ruleType = $this.GetRuleType($this.splitCheckContent) $fixText = [SqlScriptQueryRule]::GetFixText($XccdfRule) @@ -154,7 +154,7 @@ Class SqlScriptQueryRuleConvert : SqlScriptQueryRule hidden [void] SetDscResource () { - if($null -eq $this.DuplicateOf) + if ($null -eq $this.DuplicateOf) { $this.DscResource = 'SqlScriptQuery' } @@ -166,7 +166,7 @@ Class SqlScriptQueryRuleConvert : SqlScriptQueryRule static [bool] Match ([string] $CheckContent) { - <# + <# Provide match criteria to validate that the rule is (or is not) a SQL rule. Standard match rules #> diff --git a/Module/Rule.SqlScriptQuery/SqlScriptQueryRule.psm1 b/source/Module/Rule.SqlScriptQuery/SqlScriptQueryRule.psm1 similarity index 92% rename from Module/Rule.SqlScriptQuery/SqlScriptQueryRule.psm1 rename to source/Module/Rule.SqlScriptQuery/SqlScriptQueryRule.psm1 index dcc1a2308..4391667d1 100644 --- a/Module/Rule.SqlScriptQuery/SqlScriptQueryRule.psm1 +++ b/source/Module/Rule.SqlScriptQuery/SqlScriptQueryRule.psm1 @@ -16,7 +16,7 @@ using module .\..\Rule\Rule.psm1 .PARAMETER SetScript The set script content #> -Class SqlScriptQueryRule : Rule +class SqlScriptQueryRule : Rule { [string] $GetScript [string] $TestScript @@ -38,7 +38,7 @@ Class SqlScriptQueryRule : Rule .PARAMETER Rule The STIG rule to load #> - SqlScriptQueryRule ([xml.xmlelement] $Rule) : Base ($Rule) + SqlScriptQueryRule ([xml.xmlelement] $Rule) : base ($Rule) { } 
@@ -50,7 +50,7 @@ Class SqlScriptQueryRule : Rule .PARAMETER Convert A simple bool flag to create a unique constructor signature #> - SqlScriptQueryRule ([xml.xmlelement] $Rule, [switch] $Convert) : Base ($Rule, $Convert) + SqlScriptQueryRule ([xml.xmlelement] $Rule, [switch] $Convert) : base ($Rule, $Convert) { } diff --git a/Module/Rule.SslSettings/Convert/SslSettingsRule.Convert.psm1 b/source/Module/Rule.SslSettings/Convert/SslSettingsRule.Convert.psm1 similarity index 94% rename from Module/Rule.SslSettings/Convert/SslSettingsRule.Convert.psm1 rename to source/Module/Rule.SslSettings/Convert/SslSettingsRule.Convert.psm1 index 11970da57..f774728f4 100644 --- a/Module/Rule.SslSettings/Convert/SslSettingsRule.Convert.psm1 +++ b/source/Module/Rule.SslSettings/Convert/SslSettingsRule.Convert.psm1 @@ -13,7 +13,7 @@ using module .\..\SslSettingsRule.psm1 rule is identified as a web configuration property rule, it is passed to the WebConfigurationPropertyRule class for parsing and validation. #> -Class SslSettingsRuleConvert : SslSettingsRule +class SslSettingsRuleConvert : SslSettingsRule { <# .SYNOPSIS @@ -29,7 +29,7 @@ Class SslSettingsRuleConvert : SslSettingsRule .PARAMETER XccdfRule The STIG rule to convert #> - SslSettingsRuleConvert ([xml.xmlelement] $XccdfRule) : Base ($XccdfRule, $true) + SslSettingsRuleConvert ([xml.xmlelement] $XccdfRule) : base ($XccdfRule, $true) { $this.SetSslValue() @@ -86,7 +86,7 @@ Class SslSettingsRuleConvert : SslSettingsRule hidden [void] SetDscResource () { - if($null -eq $this.DuplicateOf) + if ($null -eq $this.DuplicateOf) { $this.DscResource = 'xSslSettings' } diff --git a/Module/Rule.SslSettings/SslSettingsRule.psm1 b/source/Module/Rule.SslSettings/SslSettingsRule.psm1 similarity index 91% rename from Module/Rule.SslSettings/SslSettingsRule.psm1 rename to source/Module/Rule.SslSettings/SslSettingsRule.psm1 index c477a6a62..ea88c5090 100644 --- a/Module/Rule.SslSettings/SslSettingsRule.psm1 
+++ b/source/Module/Rule.SslSettings/SslSettingsRule.psm1 @@ -12,7 +12,7 @@ using module .\..\Rule\Rule.psm1 .PARAMETER Value The value the bindings should be set to #> -Class SslSettingsRule : Rule +class SslSettingsRule : Rule { [string] $Value <#(ExceptionValue)#> @@ -30,7 +30,7 @@ Class SslSettingsRule : Rule .PARAMETER Rule The STIG rule to load #> - SslSettingsRule ([xml.xmlelement] $Rule) : Base ($Rule) + SslSettingsRule ([xml.xmlelement] $Rule) : base ($Rule) { } @@ -42,7 +42,7 @@ Class SslSettingsRule : Rule .PARAMETER Convert A simple bool flag to create a unique constructor signature #> - SslSettingsRule ([xml.xmlelement] $Rule, [switch] $Convert) : Base ($Rule, $Convert) + SslSettingsRule ([xml.xmlelement] $Rule, [switch] $Convert) : base ($Rule, $Convert) { } diff --git a/Module/Rule.UserRight/Convert/Data.ps1 b/source/Module/Rule.UserRight/Convert/Data.ps1 similarity index 100% rename from Module/Rule.UserRight/Convert/Data.ps1 rename to source/Module/Rule.UserRight/Convert/Data.ps1 diff --git a/Module/Rule.UserRight/Convert/Methods.ps1 b/source/Module/Rule.UserRight/Convert/Methods.ps1 similarity index 87% rename from Module/Rule.UserRight/Convert/Methods.ps1 rename to source/Module/Rule.UserRight/Convert/Methods.ps1 index d71c64147..84dc2a8d0 100644 --- a/Module/Rule.UserRight/Convert/Methods.ps1 +++ b/source/Module/Rule.UserRight/Convert/Methods.ps1 
@@ -94,15 +94,15 @@ function Get-UserRightIdentity { [void] $return.Add('Administrators') } - elseif ( $checkContent -Match "If (any|the following){1} (accounts or groups|groups or accounts) (other than the following|are not defined){1}.*this is a finding" ) + elseif ($checkContent -Match "If (any|the following){1} (accounts or groups|groups or accounts) (other than the following|are not defined){1}.*this is a finding") { Write-Verbose "[$($MyInvocation.MyCommand.Name)] Ensure : Present" # There is an edge case where multiple finding statements are made, so a zero index is needed. - [int] $lineNumber = ( ( $checkContent | Select-String "this is a finding" )[0] ).LineNumber + [int] $lineNumber = (($checkContent | Select-String "this is a finding")[0]).LineNumber # Set the negative index number of the first group to process. $startLine = $lineNumber - $checkContent.Count - foreach ( $line in $checkContent[$startLine..-1] ) + foreach ($line in $checkContent[$startLine..-1]) { <# The Windows Server 2016 STIG prepends each identity with a dash space (- ) @@ -124,16 +124,16 @@ function Get-UserRightIdentity { [void] $return.Add("{Hyper-V}") } - elseif ( $line.Trim() -match "(^Enterprise|^Domain) (Admins|Admin)|^Guests" ) + elseif ($line.Trim() -match "(^Enterprise|^Domain) (Admins|Admin)|^Guests") { - if ( $line -match '\sAdmin\s' ) + if ($line -match '\sAdmin\s') { $line = $line -replace 'Admin', 'Admins' } # .Trim method is case sensitive, so the replace operator is used instead - [void] $return.Add( $($line.Trim() -replace ' Group').Trim() ) + [void] $return.Add($($line.Trim() -replace ' Group').Trim()) } - elseIf ($line.Trim() -match '"Local account and member of Administrators group" or "Local account"') + elseif ($line.Trim() -match '"Local account and member of Administrators group" or "Local account"') { [void] $return.Add('(Local account and member of Administrators group|Local account)') } 
@@ -148,7 +148,7 @@ function Get-UserRightIdentity } } } - elseif ( $checkContent -Match "If any (accounts or groups|groups or accounts).*are (granted|defined).*this is a finding" ) + elseif ($checkContent -Match "If any (accounts or groups|groups or accounts).*are (granted|defined).*this is a finding") { Write-Verbose "[$($MyInvocation.MyCommand.Name)] Ensure : Absent" @@ -173,11 +173,11 @@ function Test-SetForceFlag $CheckContent ) - if ( $checkContent -match 'If any (accounts or groups|groups or accounts) other than the following' ) + if ($checkContent -match 'If any (accounts or groups|groups or accounts) other than the following') { return $true } - elseif ( $checkContent -match 'If any (accounts or groups|groups or accounts)\s*(\(.*\),)?\s*are (granted|defined)' ) + elseif ($checkContent -match 'If any (accounts or groups|groups or accounts)\s*(\(.*\),)?\s*are (granted|defined)') { return $true } diff --git a/Module/Rule.UserRight/Convert/UserRightRule.Convert.psm1 b/source/Module/Rule.UserRight/Convert/UserRightRule.Convert.psm1 similarity index 97% rename from Module/Rule.UserRight/Convert/UserRightRule.Convert.psm1 rename to source/Module/Rule.UserRight/Convert/UserRightRule.Convert.psm1 index fa2dfaee0..ceb2f4cec 100644 --- a/Module/Rule.UserRight/Convert/UserRightRule.Convert.psm1 +++ b/source/Module/Rule.UserRight/Convert/UserRightRule.Convert.psm1 @@ -21,7 +21,7 @@ foreach ($supportFile in $supportFileList) user right rule, it is passed to the UserRightRule class for parsing and validation. #> -Class UserRightRuleConvert : UserRightRule +class UserRightRuleConvert : UserRightRule { <# .SYNOPSIS @@ -37,7 +37,7 @@ Class UserRightRuleConvert : UserRightRule .PARAMETER XccdfRule The STIG rule to convert #> - UserRightRuleConvert ([xml.xmlelement] $XccdfRule) : Base ($XccdfRule, $true) + UserRightRuleConvert ([xml.xmlelement] $XccdfRule) : base ($XccdfRule, $true) { $this.SetDisplayName() $this.SetConstant() 
@@ -146,7 +146,7 @@ Class UserRightRuleConvert : UserRightRule hidden [void] SetDscResource () { - if($null -eq $this.DuplicateOf) + if ($null -eq $this.DuplicateOf) { $this.DscResource = 'UserRightsAssignment' } diff --git a/Module/Rule.UserRight/UserRightRule.psm1 b/source/Module/Rule.UserRight/UserRightRule.psm1 similarity index 93% rename from Module/Rule.UserRight/UserRightRule.psm1 rename to source/Module/Rule.UserRight/UserRightRule.psm1 index 510166678..33e468097 100644 --- a/Module/Rule.UserRight/UserRightRule.psm1 +++ b/source/Module/Rule.UserRight/UserRightRule.psm1 @@ -18,7 +18,7 @@ using module .\..\Rule\Rule.psm1 .PARAMETER Force A flag that replaces the identities vs append #> -Class UserRightRule : Rule +class UserRightRule : Rule { [ValidateNotNullOrEmpty()] [string] $DisplayName [ValidateNotNullOrEmpty()] [string] $Constant @@ -39,7 +39,7 @@ Class UserRightRule : Rule .PARAMETER Rule The STIG rule to load #> - UserRightRule ([xml.xmlelement] $Rule) : Base ($Rule) + UserRightRule ([xml.xmlelement] $Rule) : base ($Rule) { } @@ -51,7 +51,7 @@ Class UserRightRule : Rule .PARAMETER Convert A simple bool flag to create a unique constructor signature #> - UserRightRule ([xml.xmlelement] $Rule, [switch] $Convert) : Base ($Rule, $Convert) + UserRightRule ([xml.xmlelement] $Rule, [switch] $Convert) : base ($Rule, $Convert) { } diff --git a/source/Module/Rule.VsphereAcceptanceLevel/Convert/Methods.ps1 b/source/Module/Rule.VsphereAcceptanceLevel/Convert/Methods.ps1 new file mode 100644 index 000000000..703ab43c4 --- /dev/null +++ b/source/Module/Rule.VsphereAcceptanceLevel/Convert/Methods.ps1 
@@ -0,0 +1,37 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+#region Method Functions
+
+<#
+ .SYNOPSIS
+ Takes the Name property from a VsphereAcceptanceLevelRule.
+
+ .PARAMETER CheckContent
+ An array of the raw string data taken from the STIG setting.
+#>
+function Get-VsphereAcceptanceLevel
+{
+ [CmdletBinding()]
+ [OutputType([object])]
+ param
+ (
+ [Parameter(Mandatory = $true)]
+ [psobject]
+ $Fixtext
+ )
+
+ if ($Fixtext -match 'software.acceptance')
+ {
+ $acceptanceLevel = ($FixText | Select-String -Pattern '(?<=acceptance.Set\(")([^"]+)').Matches.Value
+ }
+
+ if ($null -ne $acceptanceLevel)
+ {
+ Write-Verbose -Message $("[$($MyInvocation.MyCommand.Name)] Found Acceptance Level: {0}" -f $acceptanceLevel)
+ return $acceptanceLevel
+ }
+ else
+ {
+ return $null
+ }
+}
diff --git a/source/Module/Rule.VsphereAcceptanceLevel/Convert/VsphereAcceptanceLevelRule.Convert.psm1 b/source/Module/Rule.VsphereAcceptanceLevel/Convert/VsphereAcceptanceLevelRule.Convert.psm1
new file mode 100644
index 000000000..35882a75a
--- /dev/null
+++ b/source/Module/Rule.VsphereAcceptanceLevel/Convert/VsphereAcceptanceLevelRule.Convert.psm1
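Review bot: The acceptance level captured from the fix text is returned without any validation, so an unexpected or mistyped value in a STIG fix text flows straight into the rule and, eventually, into the host configuration that governs which VIBs are trusted. The VsphereAcceptanceLevelRule class doc in this same commit lists the only four legal levels, so constrain the result before the verbose/return branch: `if ($acceptanceLevel -notin @('VMwareCertified', 'VMwareAccepted', 'PartnerSupported', 'CommunitySupported')) { return $null }` so that anything else is treated as a failed parse rather than a silently relaxed trust level. The comment block also documents a `CheckContent` parameter, but the function only takes `$Fixtext`; change it to `.PARAMETER Fixtext` / `The fix text of the STIG rule from which the acceptance level is read`, and make the synopsis say it extracts the Level, not the Name, property. Minor: the dots in `'(?<=acceptance.Set\(")'` are unescaped and match any character, which is harmless here but worth tightening to `acceptance\.Set`.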
@@ -0,0 +1,81 @@ +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. +using module .\..\..\Common\Common.psm1 +using module .\..\VsphereAcceptanceLevelRule.psm1 + +$exclude = @($MyInvocation.MyCommand.Name,'Template.*.txt') +$supportFileList = Get-ChildItem -Path $PSScriptRoot -Exclude $exclude +foreach ($supportFile in $supportFileList) +{ + Write-Verbose -Message "Loading $($supportFile.FullName)" + . $supportFile.FullName +} + +<# + .SYNOPSIS + Convert the contents of an xccdf check-content element into a Vsphere object. + .DESCRIPTION + The VsphereRule Acceptance Level class is used to extract the Vsphere settings + from the check-content of the xccdf. Once a STIG rule is identified a + Vsphere Acceptance Level rule, it is passed to the VsphereRule Acceptance Level class for parsing + and validation. +#> +class VsphereAcceptanceLevelRuleConvert : VsphereAcceptanceLevelRule +{ + <# + .SYNOPSIS + Empty constructor for SplitFactory + #> + VsphereAcceptanceLevelRuleConvert () + { + } + + <# + .SYNOPSIS + Converts an xccdf stig rule element into a Vsphere Rule + .PARAMETER XccdfRule + The STIG rule to convert + #> + VsphereAcceptanceLevelRuleConvert ([xml.xmlelement] $XccdfRule) : base ($XccdfRule, $true) + { + $fixText = [VsphereAcceptanceLevelRule]::GetFixText($XccdfRule) + $this.SetVsphereAcceptanceLevel($fixtext) + $this.SetDscResource() + } + + <# + .SYNOPSIS + Extracts the acceptance level from the fix text and sets the level + .DESCRIPTION + Gets the accceptance leve from the xccdf content and sets the level. + If the level that is returned is not valid, the parser status is + set to fail. 
+ #> + [void] SetVsphereAcceptanceLevel ([string[]] $Fixtext) + { + $vsphereAcceptanceLevel = Get-VsphereAcceptanceLevel -FixText $Fixtext + $this.set_Level($vsphereAcceptanceLevel) + } + + hidden [void] SetDscResource () + { + if ($null -eq $this.DuplicateOf) + { + $this.DscResource = 'VMHostAcceptanceLevel' + } + else + { + $this.DscResource = 'None' + } + } + + static [bool] Match ([string] $CheckContent) + { + if ($CheckContent -match 'software.acceptance') + { + return $true + } + + return $false + } +} diff --git a/source/Module/Rule.VsphereAcceptanceLevel/VsphereAcceptanceLevelRule.psm1 b/source/Module/Rule.VsphereAcceptanceLevel/VsphereAcceptanceLevelRule.psm1 new file mode 100644 index 000000000..a5214dc4b --- /dev/null +++ b/source/Module/Rule.VsphereAcceptanceLevel/VsphereAcceptanceLevelRule.psm1 
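Review bot: SetVsphereAcceptanceLevel's description says the parser status is set to fail when the returned level is not valid, but the body only does `$this.set_Level($vsphereAcceptanceLevel)`, so a `$null` from Get-VsphereAcceptanceLevel is stored silently and the rule converts with an empty Level. The organizational-value path added elsewhere in this commit gates the assignment on `SetStatus` first; do the same here, `if (-not $this.SetStatus($vsphereAcceptanceLevel)) { $this.set_Level($vsphereAcceptanceLevel) }`, on the assumption (not visible in this hunk) that SetStatus returns $true once it has marked the rule as failed. `Match` also accepts any check-content containing `software.acceptance`, so it is worth confirming that no other ESXi rule references that esxcli namespace without being an acceptance-level rule, or the wrong converter will claim it. Typos in the class help: 'accceptance leve' → 'acceptance level'.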
@@ -0,0 +1,59 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+using module .\..\Common\Common.psm1
+using module .\..\Rule\Rule.psm1
+
+<#
+ .SYNOPSIS
+ An Vsphere AcceptanceLevel Rule object.
+ .DESCRIPTION
+ The Vsphere class is used to maange the Vmware Vsphere Settings.
+ .PARAMETER Level
+ The acceptance level of supported VIBs. (i.e. VMwareCertified, VMwareAccepted, PartnerSupported, or CommunitySupported).
+#>
+class VsphereAcceptanceLevelRule : Rule
+{
+ [string] $Level
+
+ <#
+ .SYNOPSIS
+ Default constructor to support the AsRule cast method
+ #>
+ VsphereAcceptanceLevelRule ()
+ {
+ }
+
+ <#
+ .SYNOPSIS
+ Used to load PowerSTIG data from the processed data directory
+ .PARAMETER Rule
+ The STIG rule to load
+ #>
+ VsphereAcceptanceLevelRule ([xml.xmlelement] $Rule) : base ($Rule)
+ {
+ }
+
+ <#
+ .SYNOPSIS
+ The Convert child class constructor
+ .PARAMETER Rule
+ The STIG rule to convert
+ .PARAMETER Convert
+ A simple bool flag to create a unique constructor signature
+ #>
+ VsphereAcceptanceLevelRule ([xml.xmlelement] $Rule, [switch] $Convert) : base ($Rule, $Convert)
+ {
+ }
+
+ <#
+ .SYNOPSIS
+ Creates class specifc help content
+ #>
+ [hashtable] GetExceptionHelp()
+ {
+ return @{
+ Value = "15"
+ Notes = $null
+ }
+ }
+}
diff --git a/source/Module/Rule.VsphereAdvancedSettings/Convert/Methods.ps1 b/source/Module/Rule.VsphereAdvancedSettings/Convert/Methods.ps1
new file mode 100644
index 000000000..97c5f2dbf
--- /dev/null
+++ b/source/Module/Rule.VsphereAdvancedSettings/Convert/Methods.ps1
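Review bot: GetExceptionHelp returns `Value = "15"`, which is not a usable example for this rule: the class doc states that Level is one of VMwareCertified, VMwareAccepted, PartnerSupported or CommunitySupported, so an administrator following the help would write an exception with a value the host will never accept. Use one of the documented levels, e.g. `Value = "PartnerSupported"`. `[string] $Level` also lacks the `<#(ExceptionValue)#>` marker that the sibling rule classes in this diff put on their exception-bearing property (`$AdvancedSettings`, `$OptionValue`); if that marker is what the exception tooling keys on, Level cannot currently be overridden by an exception at all, so either add it or confirm it is not needed. Minor wording: 'An Vsphere', 'maange' and 'specifc' in the comments.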
@@ -0,0 +1,96 @@ +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. +#region Method Functions + +<# + .SYNOPSIS + Takes the AdvancedSettings property from a VsphereAdvancedSettingsRule. + + .PARAMETER RawString + An array of the raw string data taken from the Fix Text of the STIG. + + .PARAMETER CheckContent + An array of the raw string data taken from the STIG setting. +#> +function Get-VsphereAdvancedSettings +{ + [CmdletBinding()] + [OutputType([object])] + param + ( + [Parameter(Mandatory = $true)] + [psobject] + $FixText, + + [Parameter()] + [psobject] + $CheckContent + ) + + if ($FixText -match 'Get-AdvancedSetting') + { + $matchName = ($FixText | Select-String -Pattern '(?<=Get-AdvancedSetting -Name )([^\s]+)' -AllMatches).Matches.Value + $matchValue = ($FixText | Select-String -Pattern '(?<=Set-AdvancedSetting -Value |Set-AdvancedSetting -Value ")[^"]+' -AllMatches).Matches.Value + $advancedSettings = "'{0}' = '{1}'" -f $matchName, $matchValue + } + + switch ($matchName) + { + {$PSItem -eq "Annotations.WelcomeMessage"} + { + $matchValue = ($CheckContent | Select-String -Pattern 'You are accessing[^"]+(?<=details.)').Matches.Value + $advancedSettings = "'{0}' = '{1}'" -f $matchName,$matchValue + } + {$PSItem -eq "Config.Etc.issue"} + { + $matchValue = ($CheckContent | Select-String -Pattern 'You are accessing[^"]+').Matches.Value + $advancedSettings = "'{0}' = '{1}'" -f $matchName,$matchValue + } + {$PSItem -eq "Net.DVFilterBindIpAddress"} + { + $advancedSettings = "'{0}' = ''" -f $matchName + } + {$PSItem -match "Syslog.global.logHost|Config.HostAgent.plugins.hostsvc.esxAdminsGroup|Syslog.global.logDir"} + { + $advancedSettings = $null + } + } + + if ($null -ne $advancedSettings) + { + Write-Verbose -Message $("[$($MyInvocation.MyCommand.Name)] Found Advanced Setting: {0}" -f $advancedSettings) + return $advancedSettings + } + else + { + return $null + } +} + +function Get-OrganizationValueTestString +{ + 
[CmdletBinding()] + [OutputType([string])] + param + ( + [Parameter(Mandatory = $true)] + [string] + $Id + ) + + switch ($Id) + { + {$PsItem -match 'V-93955'} + { + return '{0} is set to "Syslog.global.logHost" = "site specific log host"' + } + {$PsItem -match 'V-94037'} + { + return '"{0}" is set to "Syslog.global.logDir" = "site specific log storage location"' + } + default + { + return $null + } + } +} diff --git a/source/Module/Rule.VsphereAdvancedSettings/Convert/VsphereAdvancedSettingsRule.Convert.psm1 b/source/Module/Rule.VsphereAdvancedSettings/Convert/VsphereAdvancedSettingsRule.Convert.psm1 new file mode 100644 index 000000000..273b50780 --- /dev/null +++ b/source/Module/Rule.VsphereAdvancedSettings/Convert/VsphereAdvancedSettingsRule.Convert.psm1 
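Review bot: Get-OrganizationValueTestString only knows V-93955 and V-94037 and returns `$null` for every other Id, while IsOrganizationalSetting in the companion converter also flags V-94025, V-94509 and V-94533; for those three rules the caller hands `$null` to SetStatus and, depending on what SetStatus does with it (not visible here), the rule either fails conversion or is published with an empty organizational test string. Add cases for the three missing IDs or trim the converter's list to the ones handled, and keep the two lists in one place so they cannot drift again. In Get-VsphereAdvancedSettings, `-AllMatches` yields arrays for `$matchName`/`$matchValue` if a fix text contains more than one Get-AdvancedSetting/Set-AdvancedSetting pair, and the `-f` then formats `{0}` from an array rather than a single name; if such rules exist, guard with `if (@($matchName).Count -gt 1) { return $null }` or emit one pair per match. The header documents a `RawString` parameter, but the parameter is `FixText`; `[OutputType([object])]` could be `[string]` to match what is actually returned.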
@@ -0,0 +1,124 @@ +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. +using module .\..\..\Common\Common.psm1 +using module .\..\VsphereAdvancedSettingsRule.psm1 + +$exclude = @($MyInvocation.MyCommand.Name,'Template.*.txt') +$supportFileList = Get-ChildItem -Path $PSScriptRoot -Exclude $exclude +foreach ($supportFile in $supportFileList) +{ + Write-Verbose "Loading $($supportFile.FullName)" + . $supportFile.FullName +} +# Header + +<# + .SYNOPSIS + Convert the contents of an xccdf check-content element into a Vsphere object + .DESCRIPTION + The VsphereAdvancedSettingsRule class is used to extract the Vsphere settings + from the check-content of the xccdf. Once a STIG rule is identified a + Vsphere AdvancedSettings rule, it is passed to the VsphereRule class for parsing + and validation. +#> +class VsphereAdvancedSettingsRuleConvert : VsphereAdvancedSettingsRule +{ + <# + .SYNOPSIS + Empty constructor for SplitFactory + #> + VsphereAdvancedSettingsRuleConvert () + { + } + + <# + .SYNOPSIS + Converts an xccdf stig rule element into a Vsphere Rule + .PARAMETER XccdfRule + The STIG rule to convert + #> + VsphereAdvancedSettingsRuleConvert ([xml.xmlelement] $XccdfRule) : base ($XccdfRule, $true) + { + $fixText = [VsphereAdvancedSettingsRule]::GetFixText($XccdfRule) + $this.SetVsphereAdvancedSettings($fixText) + + if ($this.IsOrganizationalSetting()) + { + $this.SetOrganizationValueTestString() + } + + $this.SetDscResource() + } + + # Methods + <# + .SYNOPSIS + Extracts the advanced settings key value pair from the check-content and sets the Advanced Setting + .DESCRIPTION + Gets the key value pair from the xccdf content and combines the two as a string. + If the value that is returned is not valid, the parser status is + set to fail. 
+ #> + [void] SetVsphereAdvancedSettings ([string[]] $fixText) + { + $vsphereAdvancedSettings = Get-VsphereAdvancedSettings -FixText $fixText -CheckContent $this.RawString + $this.set_AdvancedSettings($vsphereAdvancedSettings) + } + + <# + .SYNOPSIS + Tests if and organizational value is required + .DESCRIPTION + Tests if and organizational value is required + #> + [bool] IsOrganizationalSetting () + { + if ($this.id -match 'V-93955|V-94025|V-94509|V-94533|V-94037') + { + return $true + } + else + { + return $false + } + } + + <# + .SYNOPSIS + Set the organizational value + .DESCRIPTION + Extracts the organizational value from the key and then sets the value + #> + [void] SetOrganizationValueTestString () + { + $OrganizationValueTestString = Get-OrganizationValueTestString -Id $this.Id + + if (-not $this.SetStatus($OrganizationValueTestString)) + { + $this.set_OrganizationValueTestString($OrganizationValueTestString) + $this.set_OrganizationValueRequired($true) + } + } + + hidden [void] SetDscResource () + { + if ($null -eq $this.DuplicateOf) + { + $this.DscResource = 'VMHostAdvancedSettings' + } + else + { + $this.DscResource = 'None' + } + } + + static [bool] Match ([string] $CheckContent) + { + if ($CheckContent -match 'Get-AdvancedSetting') + { + return $true + } + + return $false + } +} diff --git a/source/Module/Rule.VsphereAdvancedSettings/VsphereAdvancedSettingsRule.psm1 b/source/Module/Rule.VsphereAdvancedSettings/VsphereAdvancedSettingsRule.psm1 new file mode 100644 index 000000000..2dd618929 --- /dev/null +++ b/source/Module/Rule.VsphereAdvancedSettings/VsphereAdvancedSettingsRule.psm1 
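Review bot: SetVsphereAdvancedSettings stores whatever the helper returns with `$this.set_AdvancedSettings($vsphereAdvancedSettings)` and never touches the parser status, although its DESCRIPTION promises the status is set to fail when the value is not valid; a non-organizational rule whose fix text does not fit the Get-AdvancedSetting/Set-AdvancedSetting regexes therefore converts with an empty AdvancedSettings instead of failing. Because `$null` is the intended result for the organizational IDs, guard only the other case: `if ($this.IsOrganizationalSetting() -or -not $this.SetStatus($vsphereAdvancedSettings)) { $this.set_AdvancedSettings($vsphereAdvancedSettings) }`, assuming SetStatus returns $true once it has marked the rule failed, as its use in SetOrganizationValueTestString suggests but this hunk does not prove. The five rule IDs in IsOrganizationalSetting are tied to a specific STIG release; a comment naming that release above the match (`# Rule IDs that require a site-specific value in <STIG name/version>`) would make the next benchmark update less error-prone. Typo: 'Tests if and organizational value' → 'Tests if an organizational value'.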
@@ -0,0 +1,60 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+using module .\..\Common\Common.psm1
+using module .\..\Rule\Rule.psm1
+#header
+
+<#
+ .SYNOPSIS
+ An Vsphere Advanced Settings Rule object.
+ .DESCRIPTION
+ The Vsphere Advanced Settings class is used to maange the Vmware Vsphere Settings.
+ .PARAMETER AdvancedSettings
+ A string with value name and value data. (i.e. 'ValueName' = 'ValueData').
+#>
+class VsphereAdvancedSettingsRule : Rule
+{
+ [string] $AdvancedSettings <#(ExceptionValue)#>
+
+ <#
+ .SYNOPSIS
+ Default constructor to support the AsRule cast method.
+ #>
+ VsphereAdvancedSettingsRule ()
+ {
+ }
+
+ <#
+ .SYNOPSIS
+ Used to load PowerSTIG data from the processed data directory.
+ .PARAMETER Rule
+ The STIG rule to load.
+ #>
+ VsphereAdvancedSettingsRule ([xml.xmlelement] $Rule) : base ($Rule)
+ {
+ }
+
+ <#
+ .SYNOPSIS
+ The Convert child class constructor.
+ .PARAMETER Rule
+ The STIG rule to convert.
+ .PARAMETER Convert
+ A simple bool flag to create a unique constructor signature.
+ #>
+ VsphereAdvancedSettingsRule ([xml.xmlelement] $Rule, [switch] $Convert) : base ($Rule, $Convert)
+ {
+ }
+
+ <#
+ .SYNOPSIS
+ Creates class specifc help content.
+ #>
+ [hashtable] GetExceptionHelp()
+ {
+ return @{
+ Value = "15"
+ Notes = $null
+ }
+ }
+}
diff --git a/source/Module/Rule.VsphereKernelActiveDumpPartition/Convert/Methods.ps1 b/source/Module/Rule.VsphereKernelActiveDumpPartition/Convert/Methods.ps1
new file mode 100644
index 000000000..0f2703429
--- /dev/null
+++ b/source/Module/Rule.VsphereKernelActiveDumpPartition/Convert/Methods.ps1
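Review bot: GetExceptionHelp returns `Value = "15"`, but the class doc two dozen lines above says AdvancedSettings is a string of the form `'ValueName' = 'ValueData'`, so the example given to exception authors does not match the format the property is parsed from. Make the example follow the documented shape, e.g. `Value = "'ValueName' = 'ValueData'"`, or use a real name from the converter such as `'Net.DVFilterBindIpAddress' = ''`. The `#header` placeholder comment on the fifth line carries no information and can go. Minor wording: 'An Vsphere', 'maange' and 'specifc'.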
@@ -0,0 +1,37 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+#region Method Functions
+
+<#
+ .SYNOPSIS
+ Takes the Rawstring from the fix text of a VsphereKernelActiveDumpPartitionRule.
+
+ .PARAMETER RawString
+ An array of the raw string data taken from the Fix text of the STIG.
+#>
+function Get-VsphereKernelActiveDumpPartition
+{
+ [CmdletBinding()]
+ [OutputType([object])]
+ param
+ (
+ [Parameter(Mandatory = $true)]
+ [psobject]
+ $FixText
+ )
+
+ if ($FixText -match 'coredump.partition')
+ {
+ $kernelActiveDumpPartitionEnabled = ($FixText | Select-String -Pattern '(?<=coredump.network.set\()(.\w+)(?=\))').Matches.Value
+ }
+
+ if ($null -ne $kernelActiveDumpPartitionEnabled)
+ {
+ Write-Verbose -Message $("[$($MyInvocation.MyCommand.Name)] Found Host Kernel Active Dump Partition Enabled: {0}" -f $kernelActiveDumpPartitionEnabled)
+ return $kernelActiveDumpPartitionEnabled
+ }
+ else
+ {
+ return $null
+ }
+}
diff --git a/source/Module/Rule.VsphereKernelActiveDumpPartition/Convert/VsphereKernelActiveDumpPartitionRule.Convert.psm1 b/source/Module/Rule.VsphereKernelActiveDumpPartition/Convert/VsphereKernelActiveDumpPartitionRule.Convert.psm1
new file mode 100644
index 000000000..47ba21eb2
--- /dev/null
+++ b/source/Module/Rule.VsphereKernelActiveDumpPartition/Convert/VsphereKernelActiveDumpPartitionRule.Convert.psm1
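Review bot: The guard and the extraction disagree on which esxcli namespace they are reading: the `if` fires on `coredump.partition`, but the lookbehind only matches `coredump.network.set(`, so a fix text that calls `coredump.partition.set(` passes the guard and yields `$null`, while one that only mentions the network target never reaches the regex. Check the actual fix text of the rule and make the two agree, for example `if ($FixText -match 'coredump\.(partition|network)')` with `-Pattern '(?<=coredump\.(partition|network)\.set\()[^)]+(?=\))'`; the unescaped dots in both patterns should be escaped while you are there. Note also that what is captured is the literal argument text (with `(.\w+)` the leading `.` swallows a `$` before a word, so something like `$true` would be returned as a string, not a boolean), so the consumer of Enabled must coerce it. The header documents `RawString`, but the parameter is `FixText`.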
@@ -0,0 +1,82 @@ +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. +using module .\..\..\Common\Common.psm1 +using module .\..\VsphereKernelActiveDumpPartitionRule.psm1 + +$exclude = @($MyInvocation.MyCommand.Name,'Template.*.txt') +$supportFileList = Get-ChildItem -Path $PSScriptRoot -Exclude $exclude +foreach ($supportFile in $supportFileList) +{ + Write-Verbose -Message "Loading $($supportFile.FullName)" + . $supportFile.FullName +} + +<# + .SYNOPSIS + Convert the contents of an xccdf check-content element into a Vsphere object. + .DESCRIPTION + The VsphereRule class is used to extract the Vsphere settings + from the check-content of the xccdf. Once a STIG rule is identified a + Vsphere rule, it is passed to the VsphereRule class for parsing + and validation. +#> +class VsphereKernelActiveDumpPartitionRuleConvert : VsphereKernelActiveDumpPartitionRule +{ + <# + .SYNOPSIS + Empty constructor for SplitFactory. + #> + VsphereKernelActiveDumpPartitionRuleConvert () + { + } + + <# + .SYNOPSIS + Converts an xccdf stig rule element into a Vsphere Kernel Active Dump Partition Rule. + .PARAMETER XccdfRule + The STIG rule to convert. + #> + VsphereKernelActiveDumpPartitionRuleConvert ([xml.xmlelement] $XccdfRule) : base ($XccdfRule, $true) + { + $fixText = [VsphereKernelActiveDumpPartitionRule]::GetFixText($XccdfRule) + $this.SetVsphereKernelActiveDumpPartition($fixText) + $this.SetDscResource() + } + + # Methods + <# + .SYNOPSIS + Extracts the Kernel Active Dump Partition boolean from the fix text and sets the value. + .DESCRIPTION + Gets the boolean from the xccdf content and sets the value. + If the value that is returned is not valid, the parser status is + set to fail. 
+ #> + [void] SetVsphereKernelActiveDumpPartition ([string[]] $fixText) + { + $vsphereKernelActiveDumpPartition = Get-VsphereKernelActiveDumpPartition -FixText $fixText + $this.set_Enabled($vsphereKernelActiveDumpPartition) + } + + hidden [void] SetDscResource () + { + if ($null -eq $this.DuplicateOf) + { + $this.DscResource = 'VMHostKernelActiveDumpPartition' + } + else + { + $this.DscResource = 'None' + } + } + + static [bool] Match ([string] $CheckContent) + { + if ($CheckContent -match 'coredump.partition') + { + return $true + } + + return $false + } +} diff --git a/source/Module/Rule.VsphereKernelActiveDumpPartition/VsphereKernelActiveDumpPartitionRule.psm1 b/source/Module/Rule.VsphereKernelActiveDumpPartition/VsphereKernelActiveDumpPartitionRule.psm1 new file mode 100644 index 000000000..55b62bd81 --- /dev/null +++ b/source/Module/Rule.VsphereKernelActiveDumpPartition/VsphereKernelActiveDumpPartitionRule.psm1 
@@ -0,0 +1,60 @@ +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. +using module .\..\Common\Common.psm1 +using module .\..\Rule\Rule.psm1 +#header + +<# + .SYNOPSIS + An Vsphere Rule object + .DESCRIPTION + The Vsphere Kernel ActiveDump Partition class is used to maange the Vmware Vsphere Settings. + .PARAMETER Enabled + The boolean $true or $false to enable or disable this feature. +#> +class VsphereKernelActiveDumpPartitionRule : Rule +{ + [string] $Enabled + + <# + .SYNOPSIS + Default constructor to support the AsRule cast method + #> + VsphereKernelActiveDumpPartitionRule () + { + } + + <# + .SYNOPSIS + Used to load PowerSTIG data from the processed data directory + .PARAMETER Rule + The STIG rule to load + #> + VsphereKernelActiveDumpPartitionRule ([xml.xmlelement] $Rule) : base ($Rule) + { + } + + <# + .SYNOPSIS + The Convert child class constructor + .PARAMETER Rule + The STIG rule to convert + .PARAMETER Convert + A simple bool flag to create a unique constructor signature + #> + VsphereKernelActiveDumpPartitionRule ([xml.xmlelement] $Rule, [switch] $Convert) : base ($Rule, $Convert) + { + } + + <# + .SYNOPSIS + Creates class specifc help content + #> + [hashtable] GetExceptionHelp() + { + return @{ + Value = "15" + Notes = $null + } + } +} diff --git a/source/Module/Rule.VsphereNtpSettings/Convert/Methods.ps1 b/source/Module/Rule.VsphereNtpSettings/Convert/Methods.ps1 new file mode 100644 index 000000000..d55374424 --- /dev/null +++ b/source/Module/Rule.VsphereNtpSettings/Convert/Methods.ps1 
@@ -0,0 +1,62 @@ +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. +#region Method Functions + +<# + .SYNOPSIS + This returns null for the value of a Vsphere Ntp SettingsRule, because the ony rule + is an organizational setting. + + .PARAMETER CheckContent + An array of the raw string data taken from the STIG setting. +#> +function Get-VsphereNtpSettings +{ + [CmdletBinding()] + [OutputType([object])] + param + ( + [Parameter(Mandatory = $true)] + [psobject] + $CheckContent + ) + + if ($CheckContent -match 'Get-VMHostNTPServer') + { + $ntpServer = $null + } + + if ($null -ne $ntpServer) + { + Write-Verbose -Message $("[$($MyInvocation.MyCommand.Name)] NTPServer List Found: {0}" -f $ntpServer) + return $ntpServer + } + else + { + return $null + } +} + +<# + .SYNOPSIS + This returns the organizational test string from a Vsphere Ntp SettingsRule. + + .PARAMETER Id + This is the id of the rule that matches the organizational test string. +#> +function Get-VsphereNtpSettingsOrganizationValueTestString +{ + [CmdletBinding()] + [OutputType([string])] + param + ( + [Parameter(Mandatory = $true)] + [string] + $Id + ) + + if ($this.id -match "V-94039") + { + return '{0} is set to a string array of authoritative DoD time sources' + } +} diff --git a/source/Module/Rule.VsphereNtpSettings/Convert/VsphereNtpSettingsRule.Convert.psm1 b/source/Module/Rule.VsphereNtpSettings/Convert/VsphereNtpSettingsRule.Convert.psm1 new file mode 100644 index 000000000..2e787b386 --- /dev/null +++ b/source/Module/Rule.VsphereNtpSettings/Convert/VsphereNtpSettingsRule.Convert.psm1 
@@ -0,0 +1,119 @@ +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. +using module .\..\..\Common\Common.psm1 +using module .\..\VsphereNtpSettingsRule.psm1 + +$exclude = @($MyInvocation.MyCommand.Name,'Template.*.txt') +$supportFileList = Get-ChildItem -Path $PSScriptRoot -Exclude $exclude +foreach ($supportFile in $supportFileList) +{ + Write-Verbose -Message "Loading $($supportFile.FullName)" + . $supportFile.FullName +} + +<# + .SYNOPSIS + Convert the contents of an xccdf check-content element into a Vsphere Ntp Settings object. + .DESCRIPTION + The Vsphere Ntp Settings Rule class is used to extract the Vsphere Ntp settings + from the check-content of the xccdf. Once a STIG rule is identified a + Vsphere Ntp Settings rule, it is passed to the Vsphere Ntp Settings Rule class for parsing + and validation. +#> +class VsphereNtpSettingsRuleConvert : VsphereNtpSettingsRule +{ + <# + .SYNOPSIS + Empty constructor for SplitFactory. + #> + VsphereNtpSettingsRuleConvert () + { + } + + <# + .SYNOPSIS + Converts an xccdf stig rule element into a Vsphere Rule. + .PARAMETER XccdfRule + The STIG rule to convert. + #> + VsphereNtpSettingsRuleConvert ([xml.xmlelement] $XccdfRule) : base ($XccdfRule, $true) + { + if ($this.IsOrganizationalSetting()) + { + $this.SetOrganizationValueTestString() + } + + $this.SetVsphereNtpSettings() + $this.SetDscResource() + } + + <# + .SYNOPSIS + Tests if and organizational value is required. + .DESCRIPTION + Tests if and organizational value is required. + #> + [bool] IsOrganizationalSetting () + { + if ([String]::IsNullOrEmpty($this.NtpServer)) + { + return $true + } + else + { + return $false + } + } + + <# + .SYNOPSIS + Set the organizational value. + .DESCRIPTION + Extracts the organizational value from the key and then sets the value. 
+ #> + [void] SetOrganizationValueTestString () + { + $OrganizationValueTestString = Get-VsphereNtpSettingsOrganizationValueTestString -Id $this.id + + if (-not $this.SetStatus($OrganizationValueTestString)) + { + $this.set_OrganizationValueTestString($OrganizationValueTestString) + $this.set_OrganizationValueRequired($true) + } + } + + <# + .SYNOPSIS + Extracts the Vsphere NTP settings from the check-content and sets the value. + .DESCRIPTION + Gets the NTP server list from the xccdf content and sets the value. + If the value that is returned is not valid, the parser status is + set to fail. + #> + [void] SetVsphereNtpSettings () + { + $vsphereNtpSettings = Get-VsphereNtpSettings -CheckContent $this.SplitCheckContent + $this.set_NtpServer($vsphereNtpSettings) + } + + hidden [void] SetDscResource () + { + if ($null -eq $this.DuplicateOf) + { + $this.DscResource = 'VMHostNtpSettings' + } + else + { + $this.DscResource = 'None' + } + } + + static [bool] Match ([string] $CheckContent) + { + if ($CheckContent -match 'Get-VMHostNTPServer') + { + return $true + } + return $false + } +} diff --git a/source/Module/Rule.VsphereNtpSettings/VsphereNtpSettingsRule.psm1 b/source/Module/Rule.VsphereNtpSettings/VsphereNtpSettingsRule.psm1 new file mode 100644 index 000000000..0aff6921e --- /dev/null +++ b/source/Module/Rule.VsphereNtpSettings/VsphereNtpSettingsRule.psm1 
@@ -0,0 +1,60 @@ +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. +using module .\..\Common\Common.psm1 +using module .\..\Rule\Rule.psm1 +#header + +<# + .SYNOPSIS + An Vsphere NTP Settings Rule object + .DESCRIPTION + The Vsphere class is used to maange the Vmware Vsphere Settings. + .PARAMETER NtpServer + The string array of NTP servers used by the host. +#> +class VsphereNtpSettingsRule : Rule +{ + [string[]] $NtpServer + + <# + .SYNOPSIS + Default constructor to support the AsRule cast method + #> + VsphereNtpSettingsRule () + { + } + + <# + .SYNOPSIS + Used to load PowerSTIG data from the processed data directory + .PARAMETER Rule + The STIG rule to load + #> + VsphereNtpSettingsRule ([xml.xmlelement] $Rule) : base ($Rule) + { + } + + <# + .SYNOPSIS + The Convert child class constructor + .PARAMETER Rule + The STIG rule to convert + .PARAMETER Convert + A simple bool flag to create a unique constructor signature + #> + VsphereNtpSettingsRule ([xml.xmlelement] $Rule, [switch] $Convert) : base ($Rule, $Convert) + { + } + + <# + .SYNOPSIS + Creates class specifc help content + #> + [hashtable] GetExceptionHelp() + { + return @{ + Value = "15" + Notes = $null + } + } +} diff --git a/source/Module/Rule.VspherePortGroupSecurity/Convert/Methods.ps1 b/source/Module/Rule.VspherePortGroupSecurity/Convert/Methods.ps1 new file mode 100644 index 000000000..992193253 --- /dev/null +++ b/source/Module/Rule.VspherePortGroupSecurity/Convert/Methods.ps1 
@@ -0,0 +1,105 @@ +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. +#region Method Functions + +<# + .SYNOPSIS + This function parses the fix text to find the boolean value of ForgedTransmitsInherited, then sets the value. + + .PARAMETER RawString + An array of the raw string data taken from the STIG setting. +#> +function Get-VsphereForgedTransmitsInherited +{ + [CmdletBinding()] + [OutputType([object])] + param + ( + [Parameter(Mandatory = $true)] + [psobject] + $FixText + ) + + if ($FixText -match 'Get-VirtualPortGroup') + { + $vsphereForgedTransmitsInherited = ($FixText | Select-String -Pattern '(?<=ForgedTransmitsInherited\s)(.\w+)').Matches.Value + } + + if ($null -ne $vsphereForgedTransmitsInherited) + { + Write-Verbose -Message $("[$($MyInvocation.MyCommand.Name)] Found ForgedTransmitsInherited value: {0}" -f $vsphereForgedTransmitsInherited) + return $vsphereForgedTransmitsInherited + } + else + { + return $null + } +} + +<# + .SYNOPSIS + This function parses the fix text to find the boolean value of MacChangesInherited, then sets the value. + + .PARAMETER RawString + An array of the raw string data taken from the STIG setting. +#> +function Get-VsphereMacChangeInherited +{ + [CmdletBinding()] + [OutputType([object])] + param + ( + [Parameter(Mandatory = $true)] + [psobject] + $FixText + ) + + if ($FixText -match 'Get-VirtualPortGroup') + { + $vsphereMacChangeInherited = ($FixText | Select-String -Pattern '(?<=MacChangesInherited\s)(.\w+)').Matches.Value + } + + if ($null -ne $vsphereMacChangeInherited) + { + Write-Verbose -Message $("[$($MyInvocation.MyCommand.Name)] Found MacChangesInherited value: {0}" -f $vsphereMacChangeInherited) + return $vsphereMacChangeInherited + } + else + { + return $null + } +} + +<# + .SYNOPSIS + This function parses the fix text to find the boolean value of AllowPromiscuousInherited, then sets the value. 
+ + .PARAMETER RawString + An array of the raw string data taken from the STIG setting. +#> +function Get-VsphereAllowPromiscuousInherited +{ + [CmdletBinding()] + [OutputType([object])] + param + ( + [Parameter(Mandatory = $true)] + [psobject] + $FixText + ) + + if ($FixText -match 'Get-VirtualPortGroup') + { + $vsphereAllowPromiscuousInherited = ($FixText | Select-String -Pattern '(?<=AllowPromiscuousInherited\s)(.\w+)').Matches.Value + } + + if ($null -ne $vsphereAllowPromiscuousInherited) + { + Write-Verbose -Message $("[$($MyInvocation.MyCommand.Name)] Found AllowPromiscuousInherited value: {0}" -f $vsphereAllowPromiscuousInherited) + return $vsphereAllowPromiscuousInherited + } + else + { + return $null + } +} diff --git a/source/Module/Rule.VspherePortGroupSecurity/Convert/VspherePortGroupSecurityRule.Convert.psm1 b/source/Module/Rule.VspherePortGroupSecurity/Convert/VspherePortGroupSecurityRule.Convert.psm1 new file mode 100644 index 000000000..1b86b52a9 --- /dev/null +++ b/source/Module/Rule.VspherePortGroupSecurity/Convert/VspherePortGroupSecurityRule.Convert.psm1 
@@ -0,0 +1,121 @@ +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. +using module .\..\..\Common\Common.psm1 +using module .\..\VspherePortGroupSecurityRule.psm1 + +$exclude = @($MyInvocation.MyCommand.Name,'Template.*.txt') +$supportFileList = Get-ChildItem -Path $PSScriptRoot -Exclude $exclude +foreach ($supportFile in $supportFileList) +{ + Write-Verbose -Message "Loading $($supportFile.FullName)" + . $supportFile.FullName +} + +<# + .SYNOPSIS + Convert the contents of an xccdf check-content element into a Vsphere Port Group Security Rule object. + .DESCRIPTION + The VspherePortGroupSecurityRule class is used to extract the Vsphere Port Group Security settings + from the check-content of the xccdf. Once a STIG rule is identified a + VspherePortGroupSecurity rule, it is passed to the VspherePortGroupSecurityRule class for parsing + and validation. +#> +class VspherePortGroupSecurityRuleConvert : VspherePortGroupSecurityRule +{ + <# + .SYNOPSIS + Empty constructor for SplitFactory. + #> + VspherePortGroupSecurityRuleConvert () + { + } + + <# + .SYNOPSIS + Converts an xccdf stig rule element into a Vsphere Rule. + .PARAMETER XccdfRule + The STIG rule to convert. + #> + VspherePortGroupSecurityRuleConvert ([xml.xmlelement] $XccdfRule) : base ($XccdfRule, $true) + { + $fixText = [VspherePortGroupSecurityRule]::GetFixText($XccdfRule) + $this.SetVsphereForgedTransmitsInherited($fixText) + $this.SetVsphereMacChangesInherited($fixText) + $this.SetVsphereAllowPromiscuousInherited($fixText) + $this.SetDscResource() + } + + # Methods + <# + .SYNOPSIS + Extracts the ForgedTransmitInherited boolean from the fix text and sets the value. + .DESCRIPTION + Gets the boolean from the xccdf content and sets the value. + If the value that is returned is not valid, the parser status is + set to fail. 
+ #> + [void] SetVsphereForgedTransmitsInherited([string[]] $fixText) + { + $vsphereForgedTransmitsInherited = Get-VsphereForgedTransmitsInherited -FixText $fixText + if (-not [String]::IsNullOrEmpty($vsphereForgedTransmitsInherited)) + { + $this.set_ForgedTransmitsInherited($vsphereForgedTransmitsInherited) + } + } + + <# + .SYNOPSIS + Extracts the MacChangesInherited boolean from the fix text and sets the value. + .DESCRIPTION + Gets the boolean from the xccdf content and sets the value. + If the value that is returned is not valid, the parser status is + set to fail. + #> + [void] SetVsphereMacChangesInherited([string[]] $fixText) + { + $vsphereMacChangeInherited = Get-VsphereMacChangeInherited -FixText $fixText + if (-not [String]::IsNullOrEmpty($vsphereMacChangeInherited)) + { + $this.set_MacChangesInherited($vsphereMacChangeInherited) + } + } + + <# + .SYNOPSIS + Extracts the AllowPromiscuousInherited boolean from the fix text and sets the value. + .DESCRIPTION + Gets the boolean from the xccdf content and sets the value. + If the value that is returned is not valid, the parser status is + set to fail. + #> + [void] SetVsphereAllowPromiscuousInherited([string[]] $fixText) + { + $vsphereAllowPromiscuousInherited = Get-VsphereAllowPromiscuousInherited -FixText $fixText + if (-not [String]::IsNullOrEmpty($vsphereAllowPromiscuousInherited)) + { + $this.set_AllowPromiscuousInherited($vsphereAllowPromiscuousInherited) + } + } + + hidden [void] SetDscResource () + { + if ($null -eq $this.DuplicateOf) + { + $this.DscResource = 'VMHostVssPortGroupSecurity' + } + else + { + $this.DscResource = 'None' + } + } + + static [bool] Match ([string] $CheckContent) + { + if ($CheckContent -match 'Get-VirtualPortGroup') + { + return $true + } + + return $false + } +} 
diff --git a/source/Module/Rule.VspherePortGroupSecurity/VspherePortGroupSecurityRule.psm1 b/source/Module/Rule.VspherePortGroupSecurity/VspherePortGroupSecurityRule.psm1 new file mode 100644 index 000000000..1487003ce --- /dev/null +++ b/source/Module/Rule.VspherePortGroupSecurity/VspherePortGroupSecurityRule.psm1 @@ -0,0 +1,67 @@ +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. +using module .\..\Common\Common.psm1 +using module .\..\Rule\Rule.psm1 +#header + +<# + .SYNOPSIS + An Vsphere Rule object + .DESCRIPTION + The Vsphere class is used to maange the Vmware Vsphere Settings. + .PARAMETER ForgedTransmitsInherited + The boolean answer to allowing forged transmits on port groups nherited from switch configuration + .PARAMETER MacChangesInherited + The boolean answer to allowing Mac Changes on port groups inherited from switch configuration + .PARAMETER AllowPromiscuousInherited + The boolean answer to allowing Promiscuous mode on port groups inherited from switch configuration + +#> +class VspherePortGroupSecurityRule : Rule +{ + [string] $ForgedTransmitsInherited + [string] $MacChangesInherited + [string] $AllowPromiscuousInherited + + <# + .SYNOPSIS + Default constructor to support the AsRule cast method + #> + VspherePortGroupSecurityRule () + { + } + + <# + .SYNOPSIS + Used to load PowerSTIG data from the processed data directory + .PARAMETER Rule + The STIG rule to load + #> + VspherePortGroupSecurityRule ([xml.xmlelement] $Rule) : base ($Rule) + { + } + + <# + .SYNOPSIS + The Convert child class constructor + .PARAMETER Rule + The STIG rule to convert + .PARAMETER Convert + A simple bool flag to create a unique constructor signature + #> + VspherePortGroupSecurityRule ([xml.xmlelement] $Rule, [switch] $Convert) : base ($Rule, $Convert) + { + } + + <# + .SYNOPSIS + Creates class specifc help content + #> + [hashtable] GetExceptionHelp() + { + return @{ + Value = "15" + Notes = $null + } + } +} 
diff --git a/source/Module/Rule.VsphereService/Convert/Methods.ps1 b/source/Module/Rule.VsphereService/Convert/Methods.ps1 new file mode 100644 index 000000000..556743cc4 --- /dev/null +++ b/source/Module/Rule.VsphereService/Convert/Methods.ps1 
@@ -0,0 +1,98 @@ +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. +#region Method Functions + +<# + .SYNOPSIS + Finds the Key property from a VsphereServiceRule. + + .PARAMETER CheckContent + An array of the raw string data taken from the STIG setting. +#> +function Get-VsphereServiceKey +{ + [CmdletBinding()] + [OutputType([object])] + param + ( + [Parameter(Mandatory = $true)] + [psobject] + $CheckContent + ) + + if ($CheckContent -match 'Get-VMHostService') + { + $name = ($CheckContent | Select-String -Pattern '(?<=Label -eq ")([^"]*)' -AllMatches).Matches.Value + } + + switch ($name) + { + {$PSItem -match "NTP Daemon"} + { + $key = 'ntpd' + } + {$PSItem -match "ESXi Shell"} + { + $key = 'TSM' + } + {$PSItem -match "SSH"} + { + $key = 'TSM-SSH' + } + } + + if ($null -ne $key) + { + Write-Verbose -Message $("[$($MyInvocation.MyCommand.Name)] Found Key name: {0}" -f $key) + return $key + } + else + { + return $null + } +} + +<# + .SYNOPSIS + Gets the startup policy and running status from a vsphere service rule. + + .PARAMETER CheckContent + An array of the raw string data taken from the STIG setting. +#> +function Get-VsphereServicePolicy +{ + [CmdletBinding()] + [OutputType([object])] + param + ( + [Parameter(Mandatory = $true)] + [psobject] + $CheckContent + ) + + if ($CheckContent -match 'Get-VMHostService') + { + $servicePolicy = ($CheckContent | Select-String -Pattern '(?<=verify it is )(\w+)' -AllMatches).Matches.Value + + if ($servicePolicy -eq "stopped") + { + $policy = "off" + $running = $false + } + else + { + $policy = "Automatic" + $running = $true + } + } + + if ($null -ne $policy) + { + Write-Verbose -Message $("[$($MyInvocation.MyCommand.Name)] Found Service Policy: {0}" -f $policy) + return $policy,$running + } + else + { + return $null + } +} 
diff --git a/source/Module/Rule.VsphereService/Convert/VsphereServiceRule.Convert.psm1 b/source/Module/Rule.VsphereService/Convert/VsphereServiceRule.Convert.psm1 new file mode 100644 index 000000000..ce674e14e --- /dev/null +++ b/source/Module/Rule.VsphereService/Convert/VsphereServiceRule.Convert.psm1 
@@ -0,0 +1,96 @@ +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. +using module .\..\..\Common\Common.psm1 +using module .\..\VsphereServiceRule.psm1 + +$exclude = @($MyInvocation.MyCommand.Name,'Template.*.txt') +$supportFileList = Get-ChildItem -Path $PSScriptRoot -Exclude $exclude +foreach ($supportFile in $supportFileList) +{ + Write-Verbose "Loading $($supportFile.FullName)" + . $supportFile.FullName +} +# Header + +<# + .SYNOPSIS + Convert the contents of an xccdf check-content element into a VsphereServiceRule object + .DESCRIPTION + The VsphereServiceRule class is used to extract the Vsphere Service settings + from the check-content of the xccdf. Once a STIG rule is identified a + Vsphere Service rule, it is passed to the VsphereServiceRule class for parsing + and validation. +#> +class VsphereServiceRuleConvert : VsphereServiceRule +{ + <# + .SYNOPSIS + Empty constructor for SplitFactory + #> + VsphereServiceRuleConvert () + { + } + + <# + .SYNOPSIS + Converts an xccdf stig rule element into a Vsphere Rule + .PARAMETER XccdfRule + The STIG rule to convert + #> + VsphereServiceRuleConvert ([xml.xmlelement] $XccdfRule) : base ($XccdfRule, $true) + { + $this.SetKey() + $this.SetPolicy() + $this.SetDscResource() + } + + # Methods + <# + .SYNOPSIS + Extracts the Key (serviceName) from the check-content and sets the values + .DESCRIPTION + Gets the key from the xccdf content and sets the value. + If the value that is returned is not valid, the parser status is + set to fail. + #> + [void] SetKey () + { + $key = Get-VsphereServiceKey -CheckContent $this.SplitCheckContent + $this.set_Key($key) + } + + <# + .SYNOPSIS + Extracts the service policy from the check-content and sets the values of policy and running state + .DESCRIPTION + Gets the policy from the check-content then sets both the policy and running state based on match. 
+ #> + [void] SetPolicy () + { + $policy = Get-VsphereServicePolicy -CheckContent $this.SplitCheckContent + $this.set_Policy($policy[0]) + $this.set_Running($policy[1]) + } + + hidden [void] SetDscResource () + { + if ($null -eq $this.DuplicateOf) + { + $this.DscResource = 'VMHostService' + } + else + { + $this.DscResource = 'None' + } + } + + static [bool] Match ([string] $CheckContent) + { + if ($CheckContent -match 'Get-VMHostService') + { + return $true + } + + return $false + } +} diff --git a/source/Module/Rule.VsphereService/VsphereServiceRule.psm1 b/source/Module/Rule.VsphereService/VsphereServiceRule.psm1 new file mode 100644 index 000000000..801dd205b --- /dev/null +++ b/source/Module/Rule.VsphereService/VsphereServiceRule.psm1 
@@ -0,0 +1,66 @@ +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. +using module .\..\Common\Common.psm1 +using module .\..\Rule\Rule.psm1 +#header + +<# + .SYNOPSIS + An Vsphere Rule object + .DESCRIPTION + The Vsphere class is used to maange the Vmware Vsphere Settings. + .PARAMETER Key + The name of the Vsphere service. + .PARAMETER Policy + The startup policy of the Vsphere service. + .PARAMETER Running + The running state of the Vsphere service. +#> +class VsphereServiceRule : Rule +{ + [string] $Key + [string] $Policy + [bool] $Running + + <# + .SYNOPSIS + Default constructor to support the AsRule cast method + #> + VsphereServiceRule () + { + } + + <# + .SYNOPSIS + Used to load PowerSTIG data from the processed data directory + .PARAMETER Rule + The STIG rule to load + #> + VsphereServiceRule ([xml.xmlelement] $Rule) : base ($Rule) + { + } + + <# + .SYNOPSIS + The Convert child class constructor + .PARAMETER Rule + The STIG rule to convert + .PARAMETER Convert + A simple bool flag to create a unique constructor signature + #> + VsphereServiceRule ([xml.xmlelement] $Rule, [switch] $Convert) : base ($Rule, $Convert) + { + } + + <# + .SYNOPSIS + Creates class specifc help content + #> + [hashtable] GetExceptionHelp() + { + return @{ + Value = "15" + Notes = $null + } + } +} diff --git a/source/Module/Rule.VsphereSnmpAgent/Convert/Methods.ps1 b/source/Module/Rule.VsphereSnmpAgent/Convert/Methods.ps1 new file mode 100644 index 000000000..75bfbf35a --- /dev/null +++ b/source/Module/Rule.VsphereSnmpAgent/Convert/Methods.ps1 
@@ -0,0 +1,37 @@ +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. +#region Method Functions + +<# + .SYNOPSIS + Gets the boolean SNMPAgent Enabled property from a VsphereSnmpAgentRule. + + .PARAMETER RawString + An array of the raw string data taken from the STIG setting. +#> +function Get-VsphereSnmpAgent +{ + [CmdletBinding()] + [OutputType([object])] + param + ( + [Parameter(Mandatory = $true)] + [psobject] + $FixText + ) + + if ($FixText -match 'Get-VMHostSnmp') + { + $snmpAgent = ($FixText | Select-String -Pattern '(?<=Set-VMHostSnmp -Enabled\s)(.\w+)').Matches.Value + } + + if ($null -ne $snmpAgent) + { + Write-Verbose -Message $("[$($MyInvocation.MyCommand.Name)] Found Host SNMP Enabled: {0}" -f $snmpAgent) + return $snmpAgent + } + else + { + return $null + } +} diff --git a/source/Module/Rule.VsphereSnmpAgent/Convert/VsphereSnmpAgentRule.Convert.psm1 b/source/Module/Rule.VsphereSnmpAgent/Convert/VsphereSnmpAgentRule.Convert.psm1 new file mode 100644 index 000000000..88efeb5cc --- /dev/null +++ b/source/Module/Rule.VsphereSnmpAgent/Convert/VsphereSnmpAgentRule.Convert.psm1 
@@ -0,0 +1,83 @@ +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. +using module .\..\..\Common\Common.psm1 +using module .\..\VsphereSnmpAgentRule.psm1 + +$exclude = @($MyInvocation.MyCommand.Name,'Template.*.txt') +$supportFileList = Get-ChildItem -Path $PSScriptRoot -Exclude $exclude +foreach ($supportFile in $supportFileList) +{ + Write-Verbose "Loading $($supportFile.FullName)" + . $supportFile.FullName +} +# Header + +<# + .SYNOPSIS + Convert the contents of an xccdf check-content element into a Vsphere object + .DESCRIPTION + The VsphereRule class is used to extract the Vsphere settings + from the check-content of the xccdf. Once a STIG rule is identified a + Vsphere rule, it is passed to the VsphereRule class for parsing + and validation. +#> +class VsphereSnmpAgentRuleConvert : VsphereSnmpAgentRule +{ + <# + .SYNOPSIS + Empty constructor for SplitFactory + #> + VsphereSnmpAgentRuleConvert () + { + } + + <# + .SYNOPSIS + Converts an xccdf stig rule element into a Vsphere Rule + .PARAMETER XccdfRule + The STIG rule to convert + #> + VsphereSnmpAgentRuleConvert ([xml.xmlelement] $XccdfRule) : base ($XccdfRule, $true) + { + $fixText = [VsphereSnmpAgentRule]::GetFixText($XccdfRule) + $this.SetVsphereSnmpAgent($fixText) + $this.SetDscResource() + } + + # Methods + <# + .SYNOPSIS + Extracts the Snmp Agent boolean from the check-content and sets the values + .DESCRIPTION + Gets the bollean from the xccdf content and sets the value. + If the value that is returned is not valid, the parser status is + set to fail. 
+ #> + [void] SetVsphereSnmpAgent ([string[]] $fixText) + { + $vsphereSnmpAgent = Get-VsphereSnmpAgent -FixText $fixText + $this.set_Enabled($vsphereSnmpAgent) + } + + hidden [void] SetDscResource () + { + if ($null -eq $this.DuplicateOf) + { + $this.DscResource = 'VMHostSnmpAgent' + } + else + { + $this.DscResource = 'None' + } + } + + static [bool] Match ([string] $CheckContent) + { + if ($CheckContent -match 'Get-VMHostSnmp') + { + return $true + } + + return $false + } +} diff --git a/source/Module/Rule.VsphereSnmpAgent/VsphereSnmpAgentRule.psm1 b/source/Module/Rule.VsphereSnmpAgent/VsphereSnmpAgentRule.psm1 new file mode 100644 index 000000000..fe4513d3c --- /dev/null +++ b/source/Module/Rule.VsphereSnmpAgent/VsphereSnmpAgentRule.psm1 @@ -0,0 +1,60 @@ +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. +using module .\..\Common\Common.psm1 +using module .\..\Rule\Rule.psm1 +#header + +<# + .SYNOPSIS + An Vsphere Rule object + .DESCRIPTION + The Vsphere class is used to maange the Vmware Vsphere Settings. + .PARAMETER Enabled + The boolean $true or $false to enable or disable this feature. +#> +class VsphereSnmpAgentRule : Rule +{ + [string] $Enabled + + <# + .SYNOPSIS + Default constructor to support the AsRule cast method + #> + VsphereSnmpAgentRule () + { + } + + <# + .SYNOPSIS + Used to load PowerSTIG data from the processed data directory + .PARAMETER Rule + The STIG rule to load + #> + VsphereSnmpAgentRule ([xml.xmlelement] $Rule) : base ($Rule) + { + } + + <# + .SYNOPSIS + The Convert child class constructor + .PARAMETER Rule + The STIG rule to convert + .PARAMETER Convert + A simple bool flag to create a unique constructor signature + #> + VsphereSnmpAgentRule ([xml.xmlelement] $Rule, [switch] $Convert) : base ($Rule, $Convert) + { + } + + <# + .SYNOPSIS + Creates class specifc help content + #> + [hashtable] GetExceptionHelp() + { + return @{ + Value = "15" + Notes = $null + } + } +} 
diff --git a/source/Module/Rule.VsphereVssSecurity/Convert/Methods.ps1 b/source/Module/Rule.VsphereVssSecurity/Convert/Methods.ps1 new file mode 100644 index 000000000..d442ee472 --- /dev/null +++ b/source/Module/Rule.VsphereVssSecurity/Convert/Methods.ps1 
@@ -0,0 +1,103 @@ +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. +#region Method Functions + +<# + .SYNOPSIS + This function parses the fix text to find the boolean value of ForgedTransmits, then sets the value. + + .PARAMETER RawString + An array of the raw string data taken from the STIG setting. +#> +function Get-VsphereForgedTransmits +{ + [CmdletBinding()] + [OutputType([object])] + param + ( + [Parameter(Mandatory = $true)] + [psobject] + $FixText + ) + + if ($FixText -match 'Get-VirtualSwitch') + { + $vsphereForgedTransmits = ($FixText | Select-String -Pattern '(?<=ForgedTransmits\s)(.\w+)').Matches.Value + } + + if ($null -ne $vsphereForgedTransmits) + { + Write-Verbose -Message $("[$($MyInvocation.MyCommand.Name)] Found ForgedTransmits value: {0}" -f $vsphereForgedTransmits) + return $vsphereForgedTransmits + } + else + { + return $null + } +} +<# + .SYNOPSIS + This function parses the fix text to find the boolean value of MacChanges, then sets the value. + + .PARAMETER RawString + An array of the raw string data taken from the STIG setting. +#> +function Get-VsphereMacChange +{ + [CmdletBinding()] + [OutputType([object])] + param + ( + [Parameter(Mandatory = $true)] + [psobject] + $FixText + ) + + if ($FixText -match 'Get-VirtualSwitch') + { + $vsphereMacChange = ($FixText | Select-String -Pattern '(?<=MacChanges\s)(.\w+)').Matches.Value + } + + if ($null -ne $vsphereMacChange) + { + Write-Verbose -Message $("[$($MyInvocation.MyCommand.Name)] Found MacChanges value: {0}" -f $vsphereMacChange) + return $vsphereMacChange + } + else + { + return $null + } +} +<# + .SYNOPSIS + This function parses the fix text to find the boolean value of AllowPromiscuous, then sets the value. + + .PARAMETER RawString + An array of the raw string data taken from the STIG setting. 
+#> +function Get-VsphereAllowPromiscuous +{ + [CmdletBinding()] + [OutputType([object])] + param + ( + [Parameter(Mandatory = $true)] + [psobject] + $FixText + ) + + if ($FixText -match 'Get-VirtualSwitch') + { + $vsphereAllowPromiscuous = ($FixText | Select-String -Pattern '(?<=AllowPromiscuous\s)(.\w+)').Matches.Value + } + + if ($null -ne $vsphereAllowPromiscuous) + { + Write-Verbose -Message $("[$($MyInvocation.MyCommand.Name)] Found AllowPromiscuous value: {0}" -f $vsphereAllowPromiscuous) + return $vsphereAllowPromiscuous + } + else + { + return $null + } +} diff --git a/source/Module/Rule.VsphereVssSecurity/Convert/VsphereVssSecurityRule.Convert.psm1 b/source/Module/Rule.VsphereVssSecurity/Convert/VsphereVssSecurityRule.Convert.psm1 new file mode 100644 index 000000000..c35ec765f --- /dev/null +++ b/source/Module/Rule.VsphereVssSecurity/Convert/VsphereVssSecurityRule.Convert.psm1 
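Review bot: All three functions in this new Methods.ps1 document `.PARAMETER RawString` although the declared parameter is `$FixText`, and each synopsis says the function "sets the value" while the body only returns it; the help should read `.PARAMETER FixText` with `An array of the raw fix text lines taken from the STIG setting.` and a synopsis such as `Parses the fix text and returns the ForgedTransmits value`. The value handed back is whatever `(.\w+)` matches after the setting name and is passed to the rule unchecked even though the class help describes these settings as boolean, so constraining the capture to `(?<=ForgedTransmits\s)\$(true|false)` (likewise for MacChanges and AllowPromiscuous), or validating the result against `'$true','$false'` before returning, makes a malformed or unexpected fix text fail conversion instead of writing a non-boolean into the processed XML. When the `-match 'Get-VirtualSwitch'` test fails the result variable is never assigned, so the following `$null -ne` check reads an unassigned variable; initialising it to `$null` before the `if` keeps the function clean under `Set-StrictMode`. The three bodies differ only in the setting name and could collapse into one helper that takes the name as a parameter.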
@@ -0,0 +1,122 @@ +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. +using module .\..\..\Common\Common.psm1 +using module .\..\VsphereVssSecurityRule.psm1 + +$exclude = @($MyInvocation.MyCommand.Name,'Template.*.txt') +$supportFileList = Get-ChildItem -Path $PSScriptRoot -Exclude $exclude +foreach ($supportFile in $supportFileList) +{ + Write-Verbose "Loading $($supportFile.FullName)" + . $supportFile.FullName +} +# Header + +<# + .SYNOPSIS + Convert the contents of an xccdf check-content element into a Vsphere Vss Security Rule object + .DESCRIPTION + The VsphereVssSecurityRule class is used to extract the VsphereVssSecurityRule settings + from the check-content of the xccdf. Once a STIG rule is identified a + VsphereVssSecurity rule, it is passed to the VsphereVssSecurityRule class for parsing + and validation. +#> +class VsphereVssSecurityRuleConvert : VsphereVssSecurityRule +{ + <# + .SYNOPSIS + Empty constructor for SplitFactory + #> + VsphereVssSecurityRuleConvert () + { + } + + <# + .SYNOPSIS + Converts an xccdf stig rule element into a Vsphere Rule + .PARAMETER XccdfRule + The STIG rule to convert + #> + VsphereVssSecurityRuleConvert ([xml.xmlelement] $XccdfRule) : base ($XccdfRule, $true) + { + $fixText = [VsphereVssSecurityRule]::GetFixText($XccdfRule) + $this.SetVsphereForgedTransmits($fixText) + $this.SetVsphereMacChanges($fixText) + $this.SetVsphereAllowPromiscuous($fixText) + $this.SetDscResource() + } + + # Methods + <# + .SYNOPSIS + Extracts the Vsphere ForgedTransmits settings from the fix text and sets the value + .DESCRIPTION + Gets the ForgedTransmits from the xccdf content and sets the value. + If the value that is returned is not valid, the parser status is + set to fail. 
+ #> + [void] SetVsphereForgedTransmits([string[]] $fixText) + { + $vsphereForgedTransmits = Get-VsphereForgedTransmits -FixText $fixText + if (-not [String]::IsNullOrEmpty($vsphereForgedTransmits)) + { + $this.set_ForgedTransmits($vsphereForgedTransmits) + } + } + + <# + .SYNOPSIS + Extracts the Vsphere MacChanges settings from the fix text and sets the value + .DESCRIPTION + Gets the MacChanges from the xccdf content and sets the value. + If the value that is returned is not valid, the parser status is + set to fail. + #> + [void] SetVsphereMacChanges([string[]] $fixText) + { + $vsphereMacChange = Get-VsphereMacChange -FixText $fixText + if (-not [String]::IsNullOrEmpty($vsphereMacChange)) + { + $this.set_MacChanges($vsphereMacChange) + } + } + + <# + .SYNOPSIS + Extracts the Vsphere AllowPromiscuous settings from the fix text and sets the value + .DESCRIPTION + Gets the AllowPromiscuous from the xccdf content and sets the value. + If the value that is returned is not valid, the parser status is + set to fail. + #> + [void] SetVsphereAllowPromiscuous([string[]] $fixText) + { + $vsphereAllowPromiscuous = Get-VsphereAllowPromiscuous -FixText $fixText + if (-not [String]::IsNullOrEmpty($vsphereAllowPromiscuous)) + { + $this.set_AllowPromiscuous($vsphereAllowPromiscuous) + } + } + + hidden [void] SetDscResource () + { + if ($null -eq $this.DuplicateOf) + { + $this.DscResource = 'VMHostVssSecurity' + } + else + { + $this.DscResource = 'None' + } + } + + static [bool] Match ([string] $CheckContent) + { + if ($CheckContent -match 'Get-VirtualSwitch') + { + return $true + } + + return $false + } +} diff --git a/source/Module/Rule.VsphereVssSecurity/VsphereVssSecurityRule.psm1 b/source/Module/Rule.VsphereVssSecurity/VsphereVssSecurityRule.psm1 new file mode 100644 index 000000000..3ef6e1bd5 --- /dev/null +++ b/source/Module/Rule.VsphereVssSecurity/VsphereVssSecurityRule.psm1 
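Review bot: The `.DESCRIPTION` on `SetVsphereForgedTransmits`, `SetVsphereMacChanges` and `SetVsphereAllowPromiscuous` states that "If the value that is returned is not valid, the parser status is set to fail", but each body only skips the assignment when the helper returns null or empty and never touches the conversion status, so a rule whose fix text cannot be parsed converts silently with an empty property. Either drop that sentence from the help or make it true by failing the rule's conversion status in an `else` branch (the base-class call that sets the status is not visible in this hunk, so I cannot quote it). `Match` keys solely on `Get-VirtualSwitch`, which is broad for a class that handles three specific security settings; if other vSphere checks in the same STIG also mention that cmdlet they will be routed here, which the new ConvertFactory switch in this change does nothing to prevent.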
@@ -0,0 +1,66 @@ +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. +using module .\..\Common\Common.psm1 +using module .\..\Rule\Rule.psm1 +#header + +<# + .SYNOPSIS + An Vsphere Rule object + .DESCRIPTION + The Vsphere class is used to maange the Vmware Vsphere Settings. + .PARAMETER ForgedTransmits + The boolean answer to allowing forged transmits on the switch configuration + .PARAMETER MacChanges + The boolean answer to allowing Mac Changes on the switch configuration + .PARAMETER AllowPromiscuous + The boolean answer to allowing Promiscuous mode on the switch configuration +#> +class VsphereVssSecurityRule : Rule +{ + [string] $ForgedTransmits + [string] $MacChanges + [string] $AllowPromiscuous + + <# + .SYNOPSIS + Default constructor to support the AsRule cast method + #> + VsphereVssSecurityRule () + { + } + + <# + .SYNOPSIS + Used to load PowerSTIG data from the processed data directory + .PARAMETER Rule + The STIG rule to load + #> + VsphereVssSecurityRule ([xml.xmlelement] $Rule) : base ($Rule) + { + } + + <# + .SYNOPSIS + The Convert child class constructor + .PARAMETER Rule + The STIG rule to convert + .PARAMETER Convert + A simple bool flag to create a unique constructor signature + #> + VsphereVssSecurityRule ([xml.xmlelement] $Rule, [switch] $Convert) : base ($Rule, $Convert) + { + } + + <# + .SYNOPSIS + Creates class specifc help content + #> + [hashtable] GetExceptionHelp() + { + return @{ + Value = "15" + Notes = $null + } + } +} diff --git a/Module/Rule.WebAppPool/Convert/Methods.ps1 b/source/Module/Rule.WebAppPool/Convert/Methods.ps1 similarity index 100% rename from Module/Rule.WebAppPool/Convert/Methods.ps1 rename to source/Module/Rule.WebAppPool/Convert/Methods.ps1 
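Review bot: `GetExceptionHelp` returns `Value = "15"` for a class whose three properties are all documented as boolean answers, so the help points an operator at an exception value the rule cannot take; `Value = '$false'` would match the property domain. None of `$ForgedTransmits`, `$MacChanges` or `$AllowPromiscuous` carries the `<#(ExceptionValue)#>` marker that WebAppPoolRule, WinEventLogRule and WindowsFeatureRule in this same change put on their exception property; if exception processing keys off that marker, this rule cannot be exception-overridden at all, which is worth confirming. The properties are typed `[string]` while the help calls them booleans; the `.PARAMETER` text should say they hold the `$true`/`$false` string parsed from the fix text, and `An Vsphere Rule object` / `maange` in the class help need fixing here as in VsphereSnmpAgentRule.psm1.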
diff --git a/Module/Rule.WebAppPool/Convert/WebAppPoolRule.Convert.psm1 b/source/Module/Rule.WebAppPool/Convert/WebAppPoolRule.Convert.psm1 similarity index 95% rename from Module/Rule.WebAppPool/Convert/WebAppPoolRule.Convert.psm1 rename to source/Module/Rule.WebAppPool/Convert/WebAppPoolRule.Convert.psm1 index d5b3b136d..ad1f6cd54 100644 --- a/Module/Rule.WebAppPool/Convert/WebAppPoolRule.Convert.psm1 +++ b/source/Module/Rule.WebAppPool/Convert/WebAppPoolRule.Convert.psm1 @@ -21,7 +21,7 @@ foreach ($supportFile in $supportFileList) webapp rule, it is passed to the WebAppPoolRule class for parsing and validation. #> -Class WebAppPoolRuleConvert : WebAppPoolRule +class WebAppPoolRuleConvert : WebAppPoolRule { <# .SYNOPSIS @@ -37,7 +37,7 @@ Class WebAppPoolRuleConvert : WebAppPoolRule .PARAMETER XccdfRule The STIG rule to convert #> - WebAppPoolRuleConvert ([xml.xmlelement] $XccdfRule) : Base ($XccdfRule, $true) + WebAppPoolRuleConvert ([xml.xmlelement] $XccdfRule) : base ($XccdfRule, $true) { $this.SetKeyValuePair() if ($this.IsOrganizationalSetting()) @@ -110,7 +110,7 @@ Class WebAppPoolRuleConvert : WebAppPoolRule hidden [void] SetDscResource () { - if($null -eq $this.DuplicateOf) + if ($null -eq $this.DuplicateOf) { $this.DscResource = 'xWebAppPool' } diff --git a/Module/Rule.WebAppPool/WebAppPoolRule.psm1 b/source/Module/Rule.WebAppPool/WebAppPoolRule.psm1 similarity index 94% rename from Module/Rule.WebAppPool/WebAppPoolRule.psm1 rename to source/Module/Rule.WebAppPool/WebAppPoolRule.psm1 index 96e2e84a1..d2f77e3ec 100644 --- a/Module/Rule.WebAppPool/WebAppPoolRule.psm1 +++ b/source/Module/Rule.WebAppPool/WebAppPoolRule.psm1 @@ -14,7 +14,7 @@ using module .\..\Rule\Rule.psm1 .PARAMETER Value The value the web.config key should be set to #> -Class WebAppPoolRule : Rule +class WebAppPoolRule : Rule { [string] $Key [string] $Value <#(ExceptionValue)#> 
@@ -33,7 +33,7 @@ Class WebAppPoolRule : Rule .PARAMETER Rule The STIG rule to load #> - WebAppPoolRule ([xml.xmlelement] $Rule) : Base ($Rule) + WebAppPoolRule ([xml.xmlelement] $Rule) : base ($Rule) { } @@ -45,7 +45,7 @@ Class WebAppPoolRule : Rule .PARAMETER Convert A simple bool flag to create a unique constructor signature #> - WebAppPoolRule ([xml.xmlelement] $Rule, [switch] $Convert) : Base ($Rule, $Convert) + WebAppPoolRule ([xml.xmlelement] $Rule, [switch] $Convert) : base ($Rule, $Convert) { } diff --git a/Module/Rule.WebConfigurationProperty/Convert/Data.ps1 b/source/Module/Rule.WebConfigurationProperty/Convert/Data.ps1 similarity index 100% rename from Module/Rule.WebConfigurationProperty/Convert/Data.ps1 rename to source/Module/Rule.WebConfigurationProperty/Convert/Data.ps1 diff --git a/Module/Rule.WebConfigurationProperty/Convert/Methods.ps1 b/source/Module/Rule.WebConfigurationProperty/Convert/Methods.ps1 similarity index 100% rename from Module/Rule.WebConfigurationProperty/Convert/Methods.ps1 rename to source/Module/Rule.WebConfigurationProperty/Convert/Methods.ps1 diff --git a/Module/Rule.WebConfigurationProperty/Convert/WebConfigurationPropertyRule.Convert.psm1 b/source/Module/Rule.WebConfigurationProperty/Convert/WebConfigurationPropertyRule.Convert.psm1 similarity index 95% rename from Module/Rule.WebConfigurationProperty/Convert/WebConfigurationPropertyRule.Convert.psm1 rename to source/Module/Rule.WebConfigurationProperty/Convert/WebConfigurationPropertyRule.Convert.psm1 index a7eb85622..28ff8b8ae 100644 --- a/Module/Rule.WebConfigurationProperty/Convert/WebConfigurationPropertyRule.Convert.psm1 +++ b/source/Module/Rule.WebConfigurationProperty/Convert/WebConfigurationPropertyRule.Convert.psm1 
@@ -22,7 +22,7 @@ foreach ($supportFile in $supportFileList) rule is identified as a web configuration property rule, it is passed to the WebConfigurationPropertyRule class for parsing and validation. #> -Class WebConfigurationPropertyRuleConvert : WebConfigurationPropertyRule +class WebConfigurationPropertyRuleConvert : WebConfigurationPropertyRule { <# .SYNOPSIS @@ -38,7 +38,7 @@ Class WebConfigurationPropertyRuleConvert : WebConfigurationPropertyRule .PARAMETER XccdfRule The STIG rule to convert #> - WebConfigurationPropertyRuleConvert ([xml.xmlelement] $XccdfRule) : Base ($XccdfRule, $true) + WebConfigurationPropertyRuleConvert ([xml.xmlelement] $XccdfRule) : base ($XccdfRule, $true) { $this.SetConfigSection() $this.SetKeyValuePair() @@ -132,7 +132,7 @@ Class WebConfigurationPropertyRuleConvert : WebConfigurationPropertyRule hidden [void] SetDscResource () { - if($null -eq $this.DuplicateOf) + if ($null -eq $this.DuplicateOf) { $this.DscResource = 'xWebConfigKeyValue' } @@ -148,7 +148,7 @@ Class WebConfigurationPropertyRuleConvert : WebConfigurationPropertyRule ( $CheckContent -Match '\.NET Trust Level' -or ( - $CheckContent -Match 'IIS 8\.5 web' -and + $CheckContent -Match 'IIS 8\.5 web|IIS 10\.0 web' -and $CheckContent -NotMatch 'document' ) -and ( @@ -171,7 +171,8 @@ Class WebConfigurationPropertyRuleConvert : WebConfigurationPropertyRule $CheckContent -NotMatch 'Authorization Rules' -and $CheckContent -NotMatch 'regedit ' -and $CheckContent -NotMatch 'Enable proxy' -and - $CheckContent -NotMatch 'SSL Settings' + $CheckContent -NotMatch 'SSL Settings' -and + $CheckContent -NotMatch 'Strict-Transport-Security' ) ) { 
diff --git a/Module/Rule.WebConfigurationProperty/WebConfigurationPropertyRule.psm1 b/source/Module/Rule.WebConfigurationProperty/WebConfigurationPropertyRule.psm1 similarity index 91% rename from Module/Rule.WebConfigurationProperty/WebConfigurationPropertyRule.psm1 rename to source/Module/Rule.WebConfigurationProperty/WebConfigurationPropertyRule.psm1 index baa14ed4d..381a900df 100644 --- a/Module/Rule.WebConfigurationProperty/WebConfigurationPropertyRule.psm1 +++ b/source/Module/Rule.WebConfigurationProperty/WebConfigurationPropertyRule.psm1 @@ -16,7 +16,7 @@ using module .\..\Rule\Rule.psm1 .PARAMETER Value The value the web.config key should be set to #> -Class WebConfigurationPropertyRule : Rule +class WebConfigurationPropertyRule : Rule { [string] $ConfigSection [string] $Key @@ -36,7 +36,7 @@ Class WebConfigurationPropertyRule : Rule .PARAMETER Rule The STIG rule to load #> - WebConfigurationPropertyRule ([xml.xmlelement] $Rule) : Base ($Rule) + WebConfigurationPropertyRule ([xml.xmlelement] $Rule) : base ($Rule) { } @@ -48,7 +48,7 @@ Class WebConfigurationPropertyRule : Rule .PARAMETER Convert A simple bool flag to create a unique constructor signature #> - WebConfigurationPropertyRule ([xml.xmlelement] $Rule, [switch] $Convert) : Base ($Rule, $Convert) + WebConfigurationPropertyRule ([xml.xmlelement] $Rule, [switch] $Convert) : base ($Rule, $Convert) { } diff --git a/Module/Rule.WinEventLog/Convert/Data.ps1 b/source/Module/Rule.WinEventLog/Convert/Data.ps1 similarity index 100% rename from Module/Rule.WinEventLog/Convert/Data.ps1 rename to source/Module/Rule.WinEventLog/Convert/Data.ps1 diff --git a/Module/Rule.WinEventLog/Convert/Methods.ps1 b/source/Module/Rule.WinEventLog/Convert/Methods.ps1 similarity index 100% rename from Module/Rule.WinEventLog/Convert/Methods.ps1 rename to source/Module/Rule.WinEventLog/Convert/Methods.ps1 
diff --git a/Module/Rule.WinEventLog/Convert/WinEventLogRule.Convert.psm1 b/source/Module/Rule.WinEventLog/Convert/WinEventLogRule.Convert.psm1 similarity index 95% rename from Module/Rule.WinEventLog/Convert/WinEventLogRule.Convert.psm1 rename to source/Module/Rule.WinEventLog/Convert/WinEventLogRule.Convert.psm1 index f3c19e582..35fd6448b 100644 --- a/Module/Rule.WinEventLog/Convert/WinEventLogRule.Convert.psm1 +++ b/source/Module/Rule.WinEventLog/Convert/WinEventLogRule.Convert.psm1 @@ -23,7 +23,7 @@ foreach ($supportFile in $supportFileList) parsing and validation. #> -Class WinEventLogRuleConvert : WinEventLogRule +class WinEventLogRuleConvert : WinEventLogRule { <# .SYNOPSIS @@ -39,7 +39,7 @@ Class WinEventLogRuleConvert : WinEventLogRule .PARAMETER XccdfRule The STIG rule to convert #> - WinEventLogRuleConvert ([xml.xmlelement] $XccdfRule) : Base ($XccdfRule, $true) + WinEventLogRuleConvert ([xml.xmlelement] $XccdfRule) : base ($XccdfRule, $true) { $this.SetWinEventLogName() $this.SetWinEventLogIsEnabled() @@ -74,7 +74,7 @@ Class WinEventLogRuleConvert : WinEventLogRule hidden [void] SetDscResource () { - if($null -eq $this.DuplicateOf) + if ($null -eq $this.DuplicateOf) { $this.DscResource = 'xWinEventLog' } diff --git a/Module/Rule.WinEventLog/WinEventLogRule.psm1 b/source/Module/Rule.WinEventLog/WinEventLogRule.psm1 similarity index 93% rename from Module/Rule.WinEventLog/WinEventLogRule.psm1 rename to source/Module/Rule.WinEventLog/WinEventLogRule.psm1 index a5dfa8aa7..5ae14d320 100644 --- a/Module/Rule.WinEventLog/WinEventLogRule.psm1 +++ b/source/Module/Rule.WinEventLog/WinEventLogRule.psm1 @@ -14,7 +14,7 @@ using module .\..\Rule\Rule.psm1 .PARAMETER IsEnabled The enabled status of the log #> -Class WinEventLogRule : Rule +class WinEventLogRule : Rule { [string] $LogName [bool] $IsEnabled <#(ExceptionValue)#> 
@@ -33,7 +33,7 @@ Class WinEventLogRule : Rule .PARAMETER Rule The STIG rule to load #> - WinEventLogRule ([xml.xmlelement] $Rule) : Base ($Rule) + WinEventLogRule ([xml.xmlelement] $Rule) : base ($Rule) { } @@ -45,7 +45,7 @@ Class WinEventLogRule : Rule .PARAMETER Convert A simple bool flag to create a unique constructor signature #> - WinEventLogRule ([xml.xmlelement] $Rule, [switch] $Convert) : Base ($Rule, $Convert) + WinEventLogRule ([xml.xmlelement] $Rule, [switch] $Convert) : base ($Rule, $Convert) { } diff --git a/Module/Rule.WindowsFeature/Convert/Data.ps1 b/source/Module/Rule.WindowsFeature/Convert/Data.ps1 similarity index 100% rename from Module/Rule.WindowsFeature/Convert/Data.ps1 rename to source/Module/Rule.WindowsFeature/Convert/Data.ps1 diff --git a/Module/Rule.WindowsFeature/Convert/Methods.ps1 b/source/Module/Rule.WindowsFeature/Convert/Methods.ps1 similarity index 100% rename from Module/Rule.WindowsFeature/Convert/Methods.ps1 rename to source/Module/Rule.WindowsFeature/Convert/Methods.ps1 diff --git a/Module/Rule.WindowsFeature/Convert/WindowsFeatureRule.Convert.psm1 b/source/Module/Rule.WindowsFeature/Convert/WindowsFeatureRule.Convert.psm1 similarity index 96% rename from Module/Rule.WindowsFeature/Convert/WindowsFeatureRule.Convert.psm1 rename to source/Module/Rule.WindowsFeature/Convert/WindowsFeatureRule.Convert.psm1 index 4747c6ae3..c7a42b128 100644 --- a/Module/Rule.WindowsFeature/Convert/WindowsFeatureRule.Convert.psm1 +++ b/source/Module/Rule.WindowsFeature/Convert/WindowsFeatureRule.Convert.psm1 @@ -23,7 +23,7 @@ foreach ($supportFile in $supportFileList) parsing and validation. #> -Class WindowsFeatureRuleConvert : WindowsFeatureRule +class WindowsFeatureRuleConvert : WindowsFeatureRule { <# .SYNOPSIS 
@@ -39,7 +39,7 @@ Class WindowsFeatureRuleConvert : WindowsFeatureRule .PARAMETER XccdfRule The STIG rule to convert #> - WindowsFeatureRuleConvert ([xml.xmlelement] $XccdfRule) : Base ($XccdfRule, $true) + WindowsFeatureRuleConvert ([xml.xmlelement] $XccdfRule) : base ($XccdfRule, $true) { $this.SetFeatureName() $this.SetFeatureInstallState() @@ -137,7 +137,7 @@ Class WindowsFeatureRuleConvert : WindowsFeatureRule hidden [void] SetDscResource () { # Assigns the appropriate Windows Feature DSC Resource - if($null -eq $this.DuplicateOf) + if ($null -eq $this.DuplicateOf) { if ($global:stigTitle -match 'Windows 10') { diff --git a/Module/Rule.WindowsFeature/WindowsFeatureRule.psm1 b/source/Module/Rule.WindowsFeature/WindowsFeatureRule.psm1 similarity index 92% rename from Module/Rule.WindowsFeature/WindowsFeatureRule.psm1 rename to source/Module/Rule.WindowsFeature/WindowsFeatureRule.psm1 index 871dcdbc2..32e318130 100644 --- a/Module/Rule.WindowsFeature/WindowsFeatureRule.psm1 +++ b/source/Module/Rule.WindowsFeature/WindowsFeatureRule.psm1 @@ -14,7 +14,7 @@ using module .\..\Rule\Rule.psm1 .PARAMETER Ensure The state the windows feature should be in #> -Class WindowsFeatureRule : Rule +class WindowsFeatureRule : Rule { [string] $Name [string] $Ensure <#(ExceptionValue)#> @@ -33,7 +33,7 @@ Class WindowsFeatureRule : Rule .PARAMETER Rule The STIG rule to load #> - WindowsFeatureRule ([xml.xmlelement] $Rule) : Base ($Rule) + WindowsFeatureRule ([xml.xmlelement] $Rule) : base ($Rule) { } @@ -45,7 +45,7 @@ Class WindowsFeatureRule : Rule .PARAMETER Convert A simple bool flag to create a unique constructor signature #> - WindowsFeatureRule ([xml.xmlelement] $Rule, [switch] $Convert) : Base ($Rule, $Convert) + WindowsFeatureRule ([xml.xmlelement] $Rule, [switch] $Convert) : base ($Rule, $Convert) { } 
diff --git a/Module/Rule/Convert/ConvertFactory.psm1 b/source/Module/Rule/Convert/ConvertFactory.psm1 similarity index 81% rename from Module/Rule/Convert/ConvertFactory.psm1 rename to source/Module/Rule/Convert/ConvertFactory.psm1 index 2a909de61..2d2ce68fd 100644 --- a/Module/Rule/Convert/ConvertFactory.psm1 +++ b/source/Module/Rule/Convert/ConvertFactory.psm1 @@ -25,6 +25,14 @@ using module .\..\..\Rule.WindowsFeature\Convert\WindowsFeatureRule.Convert.psm1 using module .\..\..\Rule.WinEventLog\Convert\WinEventLogRule.Convert.psm1 using module .\..\..\Rule.AuditSetting\Convert\AuditSettingRule.Convert.psm1 using module .\..\..\Rule.SslSettings\Convert\SslSettingsRule.Convert.psm1 +using module .\..\..\Rule.VsphereAdvancedSettings\Convert\VsphereAdvancedSettingsRule.Convert.psm1 +using module .\..\..\Rule.VsphereService\Convert\VsphereServiceRule.Convert.psm1 +using module .\..\..\Rule.VspherePortGroupSecurity\Convert\VspherePortGroupSecurityRule.Convert.psm1 +using module .\..\..\Rule.VsphereAcceptanceLevel\Convert\VsphereAcceptanceLevelRule.Convert.psm1 +using module .\..\..\Rule.VsphereSnmpAgent\Convert\VsphereSnmpAgentRule.Convert.psm1 +using module .\..\..\Rule.VsphereKernelActiveDumpPartition\Convert\VsphereKernelActiveDumpPartitionRule.Convert.psm1 +using module .\..\..\Rule.VsphereNtpSettings\Convert\VsphereNtpSettingsRule.Convert.psm1 +using module .\..\..\Rule.VsphereVssSecurity\Convert\VsphereVssSecurityRule.Convert.psm1 # Header 
@@ -245,6 +253,54 @@ class ConvertFactory [SslSettingsRuleConvert]::new($Rule).AsRule() ) } + {[VsphereAdvancedSettingsRuleConvert]::Match($PSItem)} + { + $null = $ruleTypeList.Add( + [VsphereAdvancedSettingsRuleConvert]::new($Rule).AsRule() + ) + } + {[VsphereServiceRuleConvert]::Match($PSItem)} + { + $null = $ruleTypeList.Add( + [VsphereServiceRuleConvert]::new($Rule).AsRule() + ) + } + {[VspherePortGroupSecurityRuleConvert]::Match($PSItem)} + { + $null = $ruleTypeList.Add( + [VspherePortGroupSecurityRuleConvert]::new($Rule).AsRule() + ) + } + {[VsphereAcceptanceLevelRuleConvert]::Match($PSItem)} + { + $null = $ruleTypeList.Add( + [VsphereAcceptanceLevelRuleConvert]::new($Rule).AsRule() + ) + } + {[VsphereSnmpAgentRuleConvert]::Match($PSItem)} + { + $null = $ruleTypeList.Add( + [VsphereSnmpAgentRuleConvert]::new($Rule).AsRule() + ) + } + {[VsphereKernelActiveDumpPartitionRuleConvert]::Match($PSItem)} + { + $null = $ruleTypeList.Add( + [VsphereKernelActiveDumpPartitionRuleConvert]::new($Rule).AsRule() + ) + } + {[VsphereNtpSettingsRuleConvert]::Match($PSItem)} + { + $null = $ruleTypeList.Add( + [VsphereNtpSettingsRuleConvert]::new($Rule).AsRule() + ) + } + {[VsphereVssSecurityRuleConvert]::Match($PSItem)} + { + $null = $ruleTypeList.Add( + [VsphereVssSecurityRuleConvert]::new($Rule).AsRule() + ) + } <# Some rules have a documentation requirement only for exceptions, so the DocumentRule needs to be at the end of the switch as a diff --git a/Module/Rule/Convert/Data.Core.ps1 b/source/Module/Rule/Convert/Data.Core.ps1 similarity index 100% rename from Module/Rule/Convert/Data.Core.ps1 rename to source/Module/Rule/Convert/Data.Core.ps1 diff --git a/Module/Rule/Convert/Data.McAfee.ps1 b/source/Module/Rule/Convert/Data.McAfee.ps1 similarity index 100% rename from Module/Rule/Convert/Data.McAfee.ps1 rename to source/Module/Rule/Convert/Data.McAfee.ps1 
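Review bot: The eight new arms each evaluate `::Match($PSItem)` independently and, like the existing `SslSettingsRuleConvert` arm visible above them, contain no `break`, so a single check-content that satisfies two matchers yields two rule objects; `VsphereVssSecurityRuleConvert::Match` in this change matches on the broad `Get-VirtualSwitch`, and I cannot see from here whether `VspherePortGroupSecurityRuleConvert::Match` or another of the new matchers overlaps with it. A conversion test asserting that every rule in the vSphere STIG resolves to exactly one rule type would catch such double classification, which otherwise surfaces as duplicate DSC resources in the generated configuration. The switch statement and the surrounding method start outside the hunk.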
diff --git a/Module/Rule/Convert/Data.Office.ps1 b/source/Module/Rule/Convert/Data.Office.ps1 similarity index 100% rename from Module/Rule/Convert/Data.Office.ps1 rename to source/Module/Rule/Convert/Data.Office.ps1 diff --git a/Module/Rule/Convert/Data.Windows.Defender.ps1 b/source/Module/Rule/Convert/Data.Windows.Defender.ps1 similarity index 100% rename from Module/Rule/Convert/Data.Windows.Defender.ps1 rename to source/Module/Rule/Convert/Data.Windows.Defender.ps1 diff --git a/Module/Rule/Convert/Functions.ps1 b/source/Module/Rule/Convert/Functions.ps1 similarity index 99% rename from Module/Rule/Convert/Functions.ps1 rename to source/Module/Rule/Convert/Functions.ps1 index 6a437806c..86a12f9fe 100644 --- a/Module/Rule/Convert/Functions.ps1 +++ b/source/Module/Rule/Convert/Functions.ps1 @@ -91,7 +91,7 @@ function Get-HardCodedString $StigId ) - Switch ($stigId) + switch ($stigId) { {$PSItem -match 'V-(1089|63675|73647|93147)'} { @@ -183,7 +183,7 @@ function Get-HardCodedString $StigId ) - Switch ($stigId) + switch ($stigId) { {$PSItem -match 'V-3472.b'} { diff --git a/Module/Rule/Convert/Methods.ps1 b/source/Module/Rule/Convert/Methods.ps1 similarity index 100% rename from Module/Rule/Convert/Methods.ps1 rename to source/Module/Rule/Convert/Methods.ps1 diff --git a/source/Module/Rule/Rule.LoadFactory.psm1 b/source/Module/Rule/Rule.LoadFactory.psm1 new file mode 100644 index 000000000..996ef932f --- /dev/null +++ b/source/Module/Rule/Rule.LoadFactory.psm1 
@@ -0,0 +1,76 @@ +using module .\..\Rule.AccountPolicy\AccountPolicyRule.psm1 +using module .\..\Rule.AuditPolicy\AuditPolicyRule.psm1 +using module .\..\Rule.DnsServerRootHint\DnsServerRootHintRule.psm1 +using module .\..\Rule.DnsServerSetting\DnsServerSettingRule.psm1 +using module .\..\Rule.Document\DocumentRule.psm1 +using module .\..\Rule.FileContent\FileContentRule.psm1 +using module .\..\Rule.Group\GroupRule.psm1 +using module .\..\Rule.IISLogging\IISLoggingRule.psm1 +using module .\..\Rule.Manual\ManualRule.psm1 +using module .\..\Rule.MimeType\MimeTypeRule.psm1 +using module .\..\Rule.Permission\PermissionRule.psm1 +using module .\..\Rule.ProcessMitigation\ProcessMitigationRule.psm1 +using module .\..\Rule.Registry\RegistryRule.psm1 +using module .\..\Rule.SecurityOption\SecurityOptionRule.psm1 +using module .\..\Rule.Service\ServiceRule.psm1 +using module .\..\Rule.SqlScriptQuery\SqlScriptQueryRule.psm1 +using module .\..\Rule.UserRight\UserRightRule.psm1 +using module .\..\Rule.WebAppPool\WebAppPoolRule.psm1 +using module .\..\Rule.WebConfigurationProperty\WebConfigurationPropertyRule.psm1 +using module .\..\Rule.WindowsFeature\WindowsFeatureRule.psm1 +using module .\..\Rule.WinEventLog\WinEventLogRule.psm1 +using module .\..\Rule.AuditSetting\AuditSettingRule.psm1 +using module .\..\Rule.SslSettings\SslSettingsRule.psm1 +using module .\..\Rule.VsphereAdvancedSettings\VsphereAdvancedSettingsRule.psm1 +using module .\..\Rule.VsphereService\VsphereServiceRule.psm1 +using module .\..\Rule.VspherePortGroupSecurity\VspherePortGroupSecurityRule.psm1 +using module .\..\Rule.VsphereAcceptanceLevel\VsphereAcceptanceLevelRule.psm1 +using module .\..\Rule.VsphereSnmpAgent\VsphereSnmpAgentRule.psm1 +using module .\..\Rule.VsphereKernelActiveDumpPartition\VsphereKernelActiveDumpPartitionRule.psm1 +using module .\..\Rule.VsphereNtpSettings\VsphereNtpSettingsRule.psm1 +using module .\..\Rule.VsphereVssSecurity\VsphereVssSecurityRule.psm1 +#header + +class LoadFactory 
+{ + static [psobject] Rule ([xml.xmlelement] $Rule) + { + $return = $null + switch ($Rule.ParentNode.Name) + { + 'AccountPolicyRule' {$return = [AccountPolicyRule]::new($Rule)} + 'AuditPolicyRule' {$return = [AuditPolicyRule]::new($Rule)} + 'DnsServerSettingRule' {$return = [DnsServerSettingRule]::new($Rule)} + 'DnsServerRootHintRule' {$return = [DnsServerRootHintRule]::new($Rule)} + 'DocumentRule' {$return = [DocumentRule]::new($Rule)} + 'FileContentRule' {$return = [FileContentRule]::new($Rule)} + 'GroupRule' {$return = [GroupRule]::new($Rule)} + 'IisLoggingRule' {$return = [IisLoggingRule]::new($Rule)} + 'MimeTypeRule' {$return = [MimeTypeRule]::new($Rule)} + 'ManualRule' {$return = [ManualRule]::new($Rule)} + 'PermissionRule' {$return = [PermissionRule]::new($Rule)} + 'ProcessMitigationRule' {$return = [ProcessMitigationRule]::new($Rule)} + 'RegistryRule' {$return = [RegistryRule]::new($Rule)} + 'SecurityOptionRule' {$return = [SecurityOptionRule]::new($Rule)} + 'ServiceRule' {$return = [ServiceRule]::new($Rule)} + 'SqlScriptQueryRule' {$return = [SqlScriptQueryRule]::new($Rule)} + 'UserRightRule' {$return = [UserRightRule]::new($Rule)} + 'WebAppPoolRule' {$return = [WebAppPoolRule]::new($Rule)} + 'WebConfigurationPropertyRule' {$return = [WebConfigurationPropertyRule]::new($Rule)} + 'WindowsFeatureRule' {$return = [WindowsFeatureRule]::new($Rule)} + 'WinEventLogRule' {$return = [WinEventLogRule]::new($Rule)} + 'AuditSettingRule' {$return = [AuditSettingRule]::new($Rule)} + 'SslSettingsRule' {$return = [SslSettingsRule]::new($Rule)} + 'VsphereAdvancedSettingsRule' {$return = [VsphereAdvancedSettingsRule]::new($Rule)} + 'VsphereServiceRule' {$return = [VsphereServiceRule]::new($Rule)} + 'VspherePortGroupSecurityRule' {$return = [VspherePortGroupSecurityRule]::new($Rule)} + 'VsphereAcceptanceLevelRule' {$return = [VsphereAcceptanceLevelRule]::new($Rule)} + 'VsphereSnmpAgentRule' {$return = [VsphereSnmpAgentRule]::new($Rule)} + 
'VsphereKernelActiveDumpPartitionRule' {$return = [VsphereKernelActiveDumpPartitionRule]::new($Rule)} + 'VsphereNtpSettingsRule' {$return = [VsphereNtpSettingsRule]::new($Rule)} + 'VsphereVssSecurityRule' {$return = [VsphereVssSecurityRule]::new($Rule)} + } + + return $return + } +} diff --git a/Module/Rule/Rule.psm1 b/source/Module/Rule/Rule.psm1 similarity index 99% rename from Module/Rule/Rule.psm1 rename to source/Module/Rule/Rule.psm1 index 9865a07ea..42c44db1c 100644 --- a/Module/Rule/Rule.psm1 +++ b/source/Module/Rule/Rule.psm1 @@ -40,7 +40,7 @@ foreach ($supportFile in $supportFileList) .PARAMETER DscResource Defines the DSC resource used to configure the rule #> -Class Rule : ICloneable +class Rule : ICloneable { [string] $Id [string] $Title @@ -100,7 +100,7 @@ Class Rule : ICloneable #> Rule ([xml.xmlelement] $Rule, [switch] $Convert) { - # This relaces the current InvokeClass method + # This relaces the current Invokeclass method $this.Id = $Rule.Id $this.Title = $Rule.Title $this.Severity = $Rule.rule.severity diff --git a/Module/STIG/Convert/Convert.Main.psm1 b/source/Module/STIG/Convert/Convert.Main.psm1 similarity index 100% rename from Module/STIG/Convert/Convert.Main.psm1 rename to source/Module/STIG/Convert/Convert.Main.psm1 diff --git a/source/Module/STIG/Convert/Data.ps1 b/source/Module/STIG/Convert/Data.ps1 new file mode 100644 index 000000000..4fc4bff30 --- /dev/null +++ b/source/Module/STIG/Convert/Data.ps1 
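Review bot: `LoadFactory.Rule` returns `$null` for any `ParentNode.Name` the switch does not list, so a processed-data file containing a rule element this table lacks (a misspelt element name, or a new rule type added without updating this file) is dropped with no diagnostic and the resulting configuration silently omits that control. A `default` arm that fails loudly, `default {throw "LoadFactory: no loader for rule type '$($Rule.ParentNode.Name)'"}`, keeps the loaded rule set faithful to the data on disk; if callers rely on the null return, a `Write-Warning` with the same text is the minimum. The arm labels duplicate the class names in the `using module` list at the top of the file and the keys of the `dscResourceModule` table in STIG/Convert/Data.ps1, so a comment on the class, `# Keep this table in sync with the using module list above and with dscResourceModule in STIG/Convert/Data.ps1`, would help the next rule author.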
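Review bot: The Rule.psm1 hunk at `@@ -100,7 +100,7 @@` changes the comment `# This relaces the current InvokeClass method` to `# This relaces the current Invokeclass method`, which looks like collateral from the `Class`→`class` keyword replacement applied across the commit rather than an intended edit; the method name in the comment should keep its casing, and the pre-existing typo can be fixed on the same line: `# This replaces the current InvokeClass method`. The constructor body continues outside the hunk.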
@@ -0,0 +1,53 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+
+data xmlAttribute
+{
+ ConvertFrom-StringData -StringData @'
+ ruleId = id
+ ruleSeverity = severity
+ ruleConversionStatus = conversionstatus
+ ruleTitle = title
+ ruleDscResource = dscresource
+ ruleDscResourceModule = dscresourcemodule
+
+ organizationalSettingValue = value
+'@
+}
+
+data dscResourceModule
+{
+ ConvertFrom-StringData -StringData @'
+ AccountPolicyRule = SecurityPolicyDsc
+ AuditPolicyRule = AuditPolicyDsc
+ DnsServerSettingRule = xDnsServer
+ DnsServerRootHintRule = PSDscResources
+ DocumentRule = None
+ GroupRule = PSDscResources
+ IisLoggingRule = xWebAdministration
+ MimeTypeRule = xWebAdministration
+ ManualRule = None
+ PermissionRule = AccessControlDsc
+ ProcessMitigationRule = WindowsDefenderDsc
+ RegistryRule = PSDscResources
+ SecurityOptionRule = SecurityPolicyDsc
+ ServiceRule = PSDscResources
+ SqlScriptQueryRule = SqlServerDsc
+ UserRightRule = SecurityPolicyDsc
+ WebAppPoolRule = xWebAdministration
+ WebConfigurationPropertyRule = xWebAdministration
+ WindowsFeatureRule = PSDscResources
+ WinEventLogRule = xWinEventLog
+ SslSettingsRule = xWebAdministration
+ AuditSettingRule = AuditSystemDsc
+ FileContentRule = FileContentDsc
+ VsphereAdvancedSettingsRule = Vmware.vSphereDSC
+ VsphereServiceRule = Vmware.vSphereDSC
+ VspherePortGroupSecurityRule = Vmware.vSphereDSC
+ VsphereAcceptanceLevelRule = Vmware.vSphereDSC
+ VsphereKernelActiveDumpPartitionRule = Vmware.vSphereDSC
+ VsphereSnmpAgentRule = Vmware.vSphereDSC
+ VsphereNtpSettingsRule = Vmware.vSphereDSC
+ VsphereVssSecurityRule = Vmware.vSphereDSC
+'@
+}
diff --git a/Module/STIG/Convert/Functions.PowerStigXml.ps1 b/source/Module/STIG/Convert/Functions.PowerStigXml.ps1
similarity index 100%
rename from Module/STIG/Convert/Functions.PowerStigXml.ps1
rename to source/Module/STIG/Convert/Functions.PowerStigXml.ps1
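Review bot: The module name given for the eight Vsphere entries in `dscResourceModule`, `Vmware.vSphereDSC`, is spelled `Vmware.vSphereDsc` in the manifest's `RequiredModules` entry added by this same commit (the `@@ -47,7 +47,15 @@` hunk of PowerStig.psd1); pick one casing and use it in both places. Module resolution is case-insensitive on Windows, but any consumer that compares these strings as written, or runs on a case-sensitive filesystem, will see two different module names. Because `xmlAttribute` maps `ruleDscResourceModule` to the `dscresourcemodule` attribute, this value presumably ends up in the processed STIG XML, so the inconsistency would propagate into generated data rather than stay in source.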
diff --git a/Module/STIG/Convert/Functions.Report.ps1 b/source/Module/STIG/Convert/Functions.Report.ps1
similarity index 100%
rename from Module/STIG/Convert/Functions.Report.ps1
rename to source/Module/STIG/Convert/Functions.Report.ps1
diff --git a/Module/STIG/Functions.Checklist.ps1 b/source/Module/STIG/Functions.Checklist.ps1
similarity index 100%
rename from Module/STIG/Functions.Checklist.ps1
rename to source/Module/STIG/Functions.Checklist.ps1
diff --git a/Module/STIG/Functions.DomainName.ps1 b/source/Module/STIG/Functions.DomainName.ps1
similarity index 99%
rename from Module/STIG/Functions.DomainName.ps1
rename to source/Module/STIG/Functions.DomainName.ps1
index 0c3c99f33..60a580ae4 100644
--- a/Module/STIG/Functions.DomainName.ps1
+++ b/source/Module/STIG/Functions.DomainName.ps1
@@ -143,7 +143,7 @@ Function Get-NetbiosName
 )
 $parts = Get-DomainParts -FQDN $FQDN
- If ($parts.Count -gt 1)
+ if ($parts.Count -gt 1)
 {
 return $parts[0]
 }
diff --git a/Module/STIG/STIG.psm1 b/source/Module/STIG/STIG.psm1
similarity index 99%
rename from Module/STIG/STIG.psm1
rename to source/Module/STIG/STIG.psm1
index e070c21ad..f0799bdbc 100644
--- a/Module/STIG/STIG.psm1
+++ b/source/Module/STIG/STIG.psm1
@@ -33,7 +33,7 @@ using module .\..\Rule.Skip\Skip.psm1
 This class requires PowerShell v5 or above.
 #>
-Class STIG
+class STIG
 {
 [string] $Technology # this is aligned to a DSC composite resource.
 [string] $TechnologyVersion # this is 2012R2, 2016, etc.
@@ -216,7 +216,7 @@ Class STIG
 }
 # If there are no org settings to merge, skip over that
- if($null -ne $settings)
+ if ($null -ne $settings)
 {
 foreach ($ruleId in $settings.Keys)
 {
@@ -308,7 +308,7 @@ Class STIG
 ).ModuleVersion
 # load the STIG rules if they are not already laoded
- if($this.RuleList.Count -le 0)
+ if ($this.RuleList.Count -le 0)
 {
 $this.LoadRules()
 }
@@ -332,7 +332,7 @@ Class STIG
 $null = $return.AppendLine(" The $($rule.GetType().ToString()) property '$($rule.GetOverrideValue())' can be overridden ")
 $null = $return.AppendLine(' with an exception using the syntax below.')
 $null = $return.AppendLine('')
- if($null -ne $exceptionHelp.Notes)
+ if ($null -ne $exceptionHelp.Notes)
 {
 $null = $return.AppendLine('NOTES')
 $null = $return.AppendLine(" $($exceptionHelp.Notes)")
diff --git a/PowerStig.Convert.psm1 b/source/PowerStig.Convert.psm1
similarity index 68%
rename from PowerStig.Convert.psm1
rename to source/PowerStig.Convert.psm1
index 2f6729190..8fb3284b3 100644
--- a/PowerStig.Convert.psm1
+++ b/source/PowerStig.Convert.psm1
@@ -3,11 +3,10 @@
 #Requires -Version 5.1
 <#
- A funny note if you have OCD. The order of the dot sourced files is important due to the way
- that PowerShell processes the files (Top/Down). The Classes in the module depend on the
- enumerations, so if you want to alphabetize this list, don't. PowerShell with throw an error
- indicating that the enumerations can't be found, if you try to load the classes before the
- enumerations.
+ The order of the dot sourced files is important due to the way that PowerShell processes the
+ files (Top/Down). The Classes in the module depend on the enumerations, so if you want to
+ alphabetize this list, don't. PowerShell with throw an error indicating that the enumerations
+ can't be found, if you try to load the classes before the enumerations.
 #>
 using module .\Module\Common\Common.psm1
 using module .\Module\Rule\Rule.psm1
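Review bot: The reworded header comment in the `@@ -3,11 +3,10 @@` hunk of PowerStig.Convert.psm1 carries over the typo "PowerShell with throw an error"; since these lines are being rewritten anyway, the third new line should read `alphabetize this list, don't. PowerShell will throw an error indicating that the enumerations`. The point the comment makes is worth keeping prominent, because the eight `using module` lines added further down in this file rely on that load order.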
@@ -35,6 +34,14 @@ using module .\Module\Rule.WindowsFeature\Convert\WindowsFeatureRule.Convert.psm
 using module .\Module\Rule.WinEventLog\Convert\WinEventLogRule.Convert.psm1
 using module .\Module\Rule.SslSettings\Convert\SslSettingsRule.Convert.psm1
 using module .\Module\Rule.AuditSetting\Convert\AuditSettingRule.Convert.psm1
+using module .\Module\Rule.VsphereAdvancedSettings\Convert\VsphereAdvancedSettingsRule.Convert.psm1
+using module .\Module\Rule.VsphereService\Convert\VsphereServiceRule.Convert.psm1
+using module .\Module\Rule.VspherePortGroupSecurity\Convert\VspherePortGroupSecurityRule.Convert.psm1
+using module .\Module\Rule.VsphereAcceptanceLevel\Convert\VsphereAcceptanceLevelRule.Convert.psm1
+using module .\Module\Rule.VsphereSnmpAgent\Convert\VsphereSnmpAgentRule.Convert.psm1
+using module .\Module\Rule.VsphereKernelActiveDumpPartition\Convert\VsphereKernelActiveDumpPartitionRule.Convert.psm1
+using module .\Module\Rule.VsphereNtpSettings\Convert\VsphereNtpSettingsRule.Convert.psm1
+using module .\Module\Rule.VsphereVssSecurity\Convert\VsphereVssSecurityRule.Convert.psm1
 # load the public functions
 foreach ($supportFile in ( Get-ChildItem -Path "$PSScriptRoot\Module\Stig\Convert" -Recurse -Filter '*.ps1' -Exclude 'Data.*.ps1' ) )
diff --git a/PowerStig.psd1 b/source/PowerStig.psd1
similarity index 58%
rename from PowerStig.psd1
rename to source/PowerStig.psd1
index d6ee88213..5b8867ff0 100644
--- a/PowerStig.psd1
+++ b/source/PowerStig.psd1
@@ -6,7 +6,7 @@ RootModule = 'PowerStig.psm1'
 # Version number of this module.
-ModuleVersion = '4.3.0'
+ModuleVersion = '0.0.1'
 # ID used to uniquely identify this module
 GUID = 'a132f6a5-8f96-4942-be25-b213ee7e4af3'
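Review bot: The dot-source loop on the last context line of this hunk excludes `'Data.*.ps1'`, and that pattern does not match the new `source/Module/STIG/Convert/Data.ps1` added in this commit (it requires a second dot, as in `Data.Something.ps1`), so Data.ps1 will be dot-sourced here together with the public functions. If that is the intended way to load its `data` sections, a one-line comment saying so would save the next reader the same check; if Data.ps1 is meant to be loaded elsewhere, widen the exclusion to `-Exclude 'Data*.ps1'` so it is not loaded twice. The eight new `using module` lines follow the existing order-sensitive convention described in the file header, which looks correct.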
@@ -26,7 +26,7 @@ Description = 'The PowerStig module provides a set of PowerShell classes to acce
 2. Ignoring a single or entire class of rules (auto-documenting)
 3. Organizational settings to address STIG rules that have allowable ranges.
-This module is intended to be used by additional automation as a lightweight portable “database” to audit and enforce the parsed STIG data.'
+This module is intended to be used by additional automation as a lightweight portable database to audit and enforce the parsed STIG data.'
 # Minimum version of the Windows PowerShell engine required by this module
 PowerShellVersion = '5.1'
@@ -47,7 +47,15 @@ RequiredModules = @(
 @{ModuleName = 'SqlServerDsc'; ModuleVersion = '13.3.0'},
 @{ModuleName = 'WindowsDefenderDsc'; ModuleVersion = '1.0.0.0'},
 @{ModuleName = 'xDnsServer'; ModuleVersion = '1.11.0.0'},
- @{ModuleName = 'xWebAdministration'; ModuleVersion = '2.5.0.0'}
+ @{ModuleName = 'xWebAdministration'; ModuleVersion = '2.5.0.0'},
+ @{ModuleName = 'VMware.VimAutomation.Sdk'; ModuleVersion = '12.0.0.15939651'},
+ @{ModuleName = 'VMware.VimAutomation.Common'; ModuleVersion = '12.0.0.15939652'},
+ @{ModuleName = 'VMware.Vim'; ModuleVersion ='7.0.0.15939650'},
+ @{ModuleName = 'VMware.VimAutomation.Cis.Core'; ModuleVersion = '12.0.0.15939657'},
+ @{ModuleName = 'VMware.VimAutomation.Core'; ModuleVersion = '12.0.0.15939655'},
+ @{ModuleName = 'VMware.VimAutomation.Storage'; ModuleVersion = '11.5.0.14901686'},
+ @{ModuleName = 'VMware.VimAutomation.Vds'; ModuleVersion = '11.2.0.12483615'},
+ @{ModuleName = 'Vmware.vSphereDsc'; ModuleVersion = '2.1.0.58'}
 )
 # DSC resources to export from this module
@@ -66,7 +74,8 @@ DscResourcesToExport = @(
 'WindowsDefender',
 'WindowsDnsServer',
 'WindowsFirewall',
- 'WindowsServer'
+ 'WindowsServer',
+ 'Vsphere'
 )
 # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
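Review bot: `ModuleVersion` inside a `RequiredModules` entry is a minimum version, not an exact pin, so the build-specific strings added in the `@@ -47,7 +47,15 @@` hunk (for example `'12.0.0.15939651'`) only set a floor; if the intent is to hold consumers to the PowerCLI build this was tested against, the entries need `RequiredVersion` instead. Making eight PowerCLI modules hard requirements also means `Import-Module PowerStig` will fail on any host where PowerCLI is absent, including hosts that only ever use the Windows resources, so it is worth deciding whether these belong in the top-level manifest or should be declared as dependencies of the Vsphere resource alone. Minor style on the `VMware.Vim` line: `ModuleVersion ='7.0.0.15939650'` is missing the space after `=` that every other entry has; `@{ModuleName = 'VMware.Vim'; ModuleVersion = '7.0.0.15939650'},`.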
@@ -103,27 +112,11 @@ PrivateData = @{
 # A URL to the main website for this project.
 ProjectUri = 'https://github.com/Microsoft/PowerStig'
+ # Prerelease string value if the release should be a prerelease.
+ Prerelease = ''
+
 # ReleaseNotes of this module
- ReleaseNotes = '* Update PowerSTIG to Expand .NET STIG Automation: [#591](https://github.com/microsoft/PowerStig/issues/591)
- * Update PowerSTIG to parse and apply McAfee VirusScan 8.8 Local Client STIG V5R16: [#588](https://github.com/microsoft/PowerStig/issues/588)
- * Update PowerSTIG to successfully parse Microsoft SQL Server 2016 Instance STIG - Ver 1, Rel 8: [#586](https://github.com/microsoft/PowerStig/issues/586)
- * Update PowerSTIG to parse and apply Windows Server 2019 V1R3 STIG: [#584](https://github.com/microsoft/PowerStig/issues/584)
- * Update PowerSTIG to parse/convert the Windows Server 2016 V2R10: [#582](https://github.com/microsoft/PowerStig/issues/582)
- * Update PowerSTIG to parse/convert the Windows Server 2012 DNS STIG V1R13: [#580](https://github.com/microsoft/PowerStig/issues/580)
- * Update PowerSTIG to to parse/convert the Windows Server 2012 R2 DC V2R19: [#578](https://github.com/microsoft/PowerStig/issues/578)
- * Update PowerSTIG to parse/convert the Windows Defender STIG V1R7: [#576](https://github.com/microsoft/PowerStig/issues/576)
- * Update PowerSTIG to successfully parse Mozilla Firefox STIG - Ver 4, Rel 28: [#573](https://github.com/microsoft/PowerStig/issues/573)
- * Update PowerSTIG to parse and apply Adobe Acrobat Reader Version 1, Release 6: [#562](https://github.com/microsoft/PowerStig/issues/562)
- * Update PowerSTIG release process to include STIG Coverage markdown wiki automation: [#560](https://github.com/microsoft/PowerStig/issues/560)
- * Update to PowerSTIG to show duplicate rule status matching in a checklist: [#257](https://github.com/microsoft/PowerStig/issues/257)
- * Fixed [#589](https://github.com/microsoft/PowerStig/issues/589): Update module manifest to 
leverage GPRegistryPolicyDsc v1.2.0
- * Fixed [#569](https://github.com/microsoft/PowerStig/issues/569): Update SqlServerDsc module version references
- * Fixed [#259](https://github.com/microsoft/PowerStig/issues/259): Checklist .ckl file fails XML validation in Stig Viewer 2.8.
- * Fixed [#527](https://github.com/microsoft/PowerStig/issues/527): Checklist is not using manualcheckfile when using DscResult.
- * Fixed [#548](https://github.com/microsoft/PowerStig/issues/548): Target/host data is blank when creating a new checklist.
- * Fixed [#546](https://github.com/microsoft/PowerStig/issues/546): Typecast causing an issue when trying to generate checklist using New-StigChecklist function.
- * Fixed [#401](https://github.com/microsoft/PowerStig/issues/401): Checklists generated by New-StigChecklist do not provide finding details.
- * Fixed [#593](https://github.com/microsoft/PowerStig/issues/593): Update PowerSTIG Convert naming conventions of output STIGs'
+ ReleaseNotes = ''
 } # End of PSData hashtable
 } # End of PrivateData hashtable
 }
diff --git a/PowerStig.psm1 b/source/PowerStig.psm1
similarity index 100%
rename from PowerStig.psm1
rename to source/PowerStig.psm1
diff --git a/StigData/Archive/Adobe/U_Adobe_Acrobat_Reader_DC_Continuous_STIG_V1R6_Manual-xccdf.log b/source/StigData/Archive/Adobe/U_Adobe_Acrobat_Reader_DC_Continuous_STIG_V1R6_Manual-xccdf.log
similarity index 100%
rename from StigData/Archive/Adobe/U_Adobe_Acrobat_Reader_DC_Continuous_STIG_V1R6_Manual-xccdf.log
rename to source/StigData/Archive/Adobe/U_Adobe_Acrobat_Reader_DC_Continuous_STIG_V1R6_Manual-xccdf.log
diff --git a/StigData/Archive/Adobe/U_Adobe_Acrobat_Reader_DC_Continuous_STIG_V1R6_Manual-xccdf.xml b/source/StigData/Archive/Adobe/U_Adobe_Acrobat_Reader_DC_Continuous_STIG_V1R6_Manual-xccdf.xml
similarity index 100%
rename from StigData/Archive/Adobe/U_Adobe_Acrobat_Reader_DC_Continuous_STIG_V1R6_Manual-xccdf.xml
rename to source/StigData/Archive/Adobe/U_Adobe_Acrobat_Reader_DC_Continuous_STIG_V1R6_Manual-xccdf.xml
diff --git a/StigData/Archive/DotNet/U_MS_DotNet_Framework_4-0_STIG_V1R8_Manual-xccdf.log b/source/StigData/Archive/DotNet/U_MS_DotNet_Framework_4-0_STIG_V1R8_Manual-xccdf.log
similarity index 100%
rename from StigData/Archive/DotNet/U_MS_DotNet_Framework_4-0_STIG_V1R8_Manual-xccdf.log
rename to source/StigData/Archive/DotNet/U_MS_DotNet_Framework_4-0_STIG_V1R8_Manual-xccdf.log
diff --git a/StigData/Archive/DotNet/U_MS_DotNet_Framework_4-0_STIG_V1R8_Manual-xccdf.xml b/source/StigData/Archive/DotNet/U_MS_DotNet_Framework_4-0_STIG_V1R8_Manual-xccdf.xml
similarity index 100%
rename from StigData/Archive/DotNet/U_MS_DotNet_Framework_4-0_STIG_V1R8_Manual-xccdf.xml
rename to source/StigData/Archive/DotNet/U_MS_DotNet_Framework_4-0_STIG_V1R8_Manual-xccdf.xml
diff --git a/StigData/Archive/DotNet/U_MS_DotNet_Framework_4-0_STIG_V1R9_Manual-xccdf.log b/source/StigData/Archive/DotNet/U_MS_DotNet_Framework_4-0_STIG_V1R9_Manual-xccdf.log
similarity index 100%
rename from StigData/Archive/DotNet/U_MS_DotNet_Framework_4-0_STIG_V1R9_Manual-xccdf.log
rename to source/StigData/Archive/DotNet/U_MS_DotNet_Framework_4-0_STIG_V1R9_Manual-xccdf.log
diff --git a/StigData/Archive/DotNet/U_MS_DotNet_Framework_4-0_STIG_V1R9_Manual-xccdf.xml b/source/StigData/Archive/DotNet/U_MS_DotNet_Framework_4-0_STIG_V1R9_Manual-xccdf.xml
similarity index 100%
rename from StigData/Archive/DotNet/U_MS_DotNet_Framework_4-0_STIG_V1R9_Manual-xccdf.xml
rename to source/StigData/Archive/DotNet/U_MS_DotNet_Framework_4-0_STIG_V1R9_Manual-xccdf.xml
diff --git a/StigData/Archive/InternetExplorer/U_MS_IE11_STIG_V1R17_Manual-xccdf.log b/source/StigData/Archive/InternetExplorer/U_MS_IE11_STIG_V1R17_Manual-xccdf.log
similarity index 51%
rename from StigData/Archive/InternetExplorer/U_MS_IE11_STIG_V1R17_Manual-xccdf.log
rename to source/StigData/Archive/InternetExplorer/U_MS_IE11_STIG_V1R17_Manual-xccdf.log
index 2336d398c..3a6fdc142 100644
--- a/StigData/Archive/InternetExplorer/U_MS_IE11_STIG_V1R17_Manual-xccdf.log
+++ b/source/StigData/Archive/InternetExplorer/U_MS_IE11_STIG_V1R17_Manual-xccdf.log
@@ -1,3 +1,5 @@
 V-46515::HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\3::HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
 V-46815::is REG_SZ = 'no',::is REG_SZ = no,
 V-46987::REG_SZ = 'PMEM',::REG_SZ = PMEM,
+V-75169::Note: This policy setting will only exist on Windows 10 Redstone 2 or later, and is otherwise not applicable.::''
+V-75171::Note: This policy setting will only exist on Windows 10 Redstone 2 or later, and is otherwise not applicable.::''
diff --git a/StigData/Archive/InternetExplorer/U_MS_IE11_STIG_V1R17_Manual-xccdf.xml b/source/StigData/Archive/InternetExplorer/U_MS_IE11_STIG_V1R17_Manual-xccdf.xml
similarity index 100%
rename from StigData/Archive/InternetExplorer/U_MS_IE11_STIG_V1R17_Manual-xccdf.xml
rename to source/StigData/Archive/InternetExplorer/U_MS_IE11_STIG_V1R17_Manual-xccdf.xml
diff --git a/StigData/Archive/InternetExplorer/U_MS_IE11_STIG_V1R18_Manual-xccdf.log b/source/StigData/Archive/InternetExplorer/U_MS_IE11_STIG_V1R18_Manual-xccdf.log
similarity index 51%
rename from StigData/Archive/InternetExplorer/U_MS_IE11_STIG_V1R18_Manual-xccdf.log
rename to source/StigData/Archive/InternetExplorer/U_MS_IE11_STIG_V1R18_Manual-xccdf.log
index 2336d398c..3a6fdc142 100644
--- a/StigData/Archive/InternetExplorer/U_MS_IE11_STIG_V1R18_Manual-xccdf.log
+++ b/source/StigData/Archive/InternetExplorer/U_MS_IE11_STIG_V1R18_Manual-xccdf.log
@@ -1,3 +1,5 @@
 V-46515::HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\3::HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
 V-46815::is REG_SZ = 'no',::is REG_SZ = no,
 V-46987::REG_SZ = 'PMEM',::REG_SZ = PMEM,
+V-75169::Note: This policy setting will only exist on Windows 10 Redstone 2 or later, and is otherwise not applicable.::''
+V-75171::Note: This policy setting will only exist on Windows 10 Redstone 2 or later, and is otherwise not applicable.::''
diff --git a/StigData/Archive/InternetExplorer/U_MS_IE11_STIG_V1R18_Manual-xccdf.xml b/source/StigData/Archive/InternetExplorer/U_MS_IE11_STIG_V1R18_Manual-xccdf.xml
similarity index 100%
rename from StigData/Archive/InternetExplorer/U_MS_IE11_STIG_V1R18_Manual-xccdf.xml
rename to source/StigData/Archive/InternetExplorer/U_MS_IE11_STIG_V1R18_Manual-xccdf.xml
diff --git a/StigData/Archive/McAfee/U_McAfee_VirusScan88_Local_Client_STIG_V5R16_Manual-xccdf.log b/source/StigData/Archive/McAfee/U_McAfee_VirusScan88_Local_Client_STIG_V5R16_Manual-xccdf.log
similarity index 100%
rename from StigData/Archive/McAfee/U_McAfee_VirusScan88_Local_Client_STIG_V5R16_Manual-xccdf.log
rename to source/StigData/Archive/McAfee/U_McAfee_VirusScan88_Local_Client_STIG_V5R16_Manual-xccdf.log
diff --git a/StigData/Archive/McAfee/U_McAfee_VirusScan88_Local_Client_STIG_V5R16_Manual-xccdf.xml b/source/StigData/Archive/McAfee/U_McAfee_VirusScan88_Local_Client_STIG_V5R16_Manual-xccdf.xml
similarity index 100%
rename from StigData/Archive/McAfee/U_McAfee_VirusScan88_Local_Client_STIG_V5R16_Manual-xccdf.xml
rename to source/StigData/Archive/McAfee/U_McAfee_VirusScan88_Local_Client_STIG_V5R16_Manual-xccdf.xml
diff --git a/StigData/Archive/Office/U_MS_Excel_2013_STIG_V1R7_Manual-xccdf.xml b/source/StigData/Archive/Office/U_MS_Excel_2013_STIG_V1R7_Manual-xccdf.xml
similarity index 100%
rename from StigData/Archive/Office/U_MS_Excel_2013_STIG_V1R7_Manual-xccdf.xml
rename to source/StigData/Archive/Office/U_MS_Excel_2013_STIG_V1R7_Manual-xccdf.xml
diff --git a/StigData/Archive/Office/U_MS_Excel_2016_STIG_V1R2_Manual-xccdf.log b/source/StigData/Archive/Office/U_MS_Excel_2016_STIG_V1R2_Manual-xccdf.log
similarity index 100%
rename from StigData/Archive/Office/U_MS_Excel_2016_STIG_V1R2_Manual-xccdf.log
rename to source/StigData/Archive/Office/U_MS_Excel_2016_STIG_V1R2_Manual-xccdf.log
diff --git a/StigData/Archive/Office/U_MS_Excel_2016_STIG_V1R2_Manual-xccdf.xml b/source/StigData/Archive/Office/U_MS_Excel_2016_STIG_V1R2_Manual-xccdf.xml
similarity index 100%
rename from StigData/Archive/Office/U_MS_Excel_2016_STIG_V1R2_Manual-xccdf.xml
rename to source/StigData/Archive/Office/U_MS_Excel_2016_STIG_V1R2_Manual-xccdf.xml
diff --git a/StigData/Archive/Office/U_MS_OfficeSystem_2013_STIG_V1R9_Manual-xccdf.log b/source/StigData/Archive/Office/U_MS_OfficeSystem_2013_STIG_V1R9_Manual-xccdf.log
similarity index 100%
rename from StigData/Archive/Office/U_MS_OfficeSystem_2013_STIG_V1R9_Manual-xccdf.log
rename to source/StigData/Archive/Office/U_MS_OfficeSystem_2013_STIG_V1R9_Manual-xccdf.log
diff --git a/StigData/Archive/Office/U_MS_OfficeSystem_2013_STIG_V1R9_Manual-xccdf.xml b/source/StigData/Archive/Office/U_MS_OfficeSystem_2013_STIG_V1R9_Manual-xccdf.xml
similarity index 100%
rename from StigData/Archive/Office/U_MS_OfficeSystem_2013_STIG_V1R9_Manual-xccdf.xml
rename to source/StigData/Archive/Office/U_MS_OfficeSystem_2013_STIG_V1R9_Manual-xccdf.xml
diff --git a/StigData/Archive/Office/U_MS_PowerPoint_2013_V1R6_Manual-xccdf.xml b/source/StigData/Archive/Office/U_MS_PowerPoint_2013_V1R6_Manual-xccdf.xml
similarity index 100%
rename from StigData/Archive/Office/U_MS_PowerPoint_2013_V1R6_Manual-xccdf.xml
rename to source/StigData/Archive/Office/U_MS_PowerPoint_2013_V1R6_Manual-xccdf.xml
diff --git a/source/StigData/Archive/Office/U_MS_Visio_2013_STIG_V1R4_Manual-xccdf.xml b/source/StigData/Archive/Office/U_MS_Visio_2013_STIG_V1R4_Manual-xccdf.xml
new file mode 100644
index 000000000..a8b046be7
--- /dev/null
+++ b/source/StigData/Archive/Office/U_MS_Visio_2013_STIG_V1R4_Manual-xccdf.xml
@@ -0,0 +1,85 @@ +acceptedMicrosoft Visio 2013 STIGThe Microsoft Visio 2013 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 4 Benchmark Date: 27 Apr 20181I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-APP-000268-DB-000164<GroupDescription></GroupDescription>SQL2-00-023000The system must activate an alarm and/or automatically shut SQL Server down if a failure is detected in its software components. <VulnDiscussion>Predictable failure prevention requires organizational planning to address system failure issues. If components key to maintaining system security fail to function, then SQL Server could continue operating in an unsecure state. The organization must be prepared, and the system must be configured, to send an alarm for such conditions and/or automatically shut SQL Server down. +acceptedMicrosoft SQL Server Instance 2012 Security Technical Implementation GuideThe Microsoft SQL Server 2012 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. 
Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 20 Benchmark Date: 16 Jan 20201I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>SRG-OS-000027-VMM-000080<GroupDescription></GroupDescription>ESXI-65-000001The ESXi host must limit the number of concurrent sessions to ten for all accounts and/or account types by enabling lockdown mode.<VulnDiscussion>Enabling lockdown mode disables direct access to an ESXi host requiring the host be managed remotely from vCenter Server. This is done to ensure the roles and access controls implemented in vCenter are always enforced and users cannot bypass them by logging into a host directly. 
By forcing all interaction to occur through vCenter Server, the risk of someone inadvertently attaining elevated privileges or performing tasks that are not properly audited is greatly reduced.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000054From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Security Profile. Click edit on "Lockdown Mode" and set to Enabled (Normal or Strict). + +or + +From a PowerCLI command prompt while connected to the ESXi host run the following commands: + +$level = "lockdownNormal" OR "lockdownStrict" +$vmhost = Get-VMHost -Name <hostname> | Get-View +$lockdown = Get-View $vmhost.ConfigManager.HostAccessManager +$lockdown.ChangeLockdownMode($level) + +Note: In strict lockdown mode the DCUI service is stopped. If the connection to vCenter Server is lost and the vSphere Web Client is no longer available, the ESXi host becomes inaccessible.From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Security Profile. Scroll down to "Lockdown Mode" and verify it is set to Enabled (Normal or Strict). + +or + +From a PowerCLI command prompt while connected to the ESXi host run the following command: + +Get-VMHost | Select Name,@{N="Lockdown";E={$_.Extensiondata.Config.LockdownMode}} + +If Lockdown Mode is disabled, this is a finding. 
+ +For environments that do not use vCenter server to manage ESXi, this is not applicable.SRG-OS-000480-VMM-002000<GroupDescription></GroupDescription>ESXI-65-000002The ESXi host must verify the DCUI.Access list.<VulnDiscussion>Lockdown mode disables direct host access requiring that admins manage hosts from vCenter Server. However, if a host becomes isolated from vCenter Server, the admin is locked out and can no longer manage the host. If you are using normal lockdown mode, you can avoid becoming locked out of an ESXi host that is running in lockdown mode, by setting DCUI.Access to a list of highly trusted users who can override lockdown mode and access the DCUI. The DCUI is not running in strict lockdown mode.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000366From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click Edit and select the DCUI.Access value and configure it to root. + +or + +From a PowerCLI command prompt while connected to the ESXi host run the following command: + +Get-VMHost | Get-AdvancedSetting -Name DCUI.Access | Set-AdvancedSetting -Value "root"From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the DCUI.Access value and verify only the root user is listed. + +or + +From a PowerCLI command prompt while connected to the ESXi host run the following command: + +Get-VMHost | Get-AdvancedSetting -Name DCUI.Access and verify it is set to root. + +If the DCUI.Access is not restricted to root, this is a finding. 
+ +Note: This list is only for local user accounts and should only contain the root user. + +For environments that do not use vCenter server to manage ESXi, this is not applicable.SRG-OS-000480-VMM-002000<GroupDescription></GroupDescription>ESXI-65-000003The ESXi host must verify the exception users list for lockdown mode.<VulnDiscussion>In vSphere you can add users to the Exception Users list from the vSphere Web Client. These users do not lose their permissions when the host enters lockdown mode. Usually you may want to add service accounts such as a backup agent to the Exception Users list. Verify that the list of users who are exempted from losing permissions is legitimate and as needed per your environment. Users who do not require special permissions should not be exempted from lockdown mode.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000366From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Security Profile. Under lockdown mode click Edit and remove unnecessary users to the exceptions list.From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Security Profile. Under lockdown mode review the exception users list. + +or + +From a PowerCLI command prompt while connected to the ESXi host run the following script: + +$vmhost = Get-VMHost | Get-View +$lockdown = Get-View $vmhost.ConfigManager.HostAccessManager +$lockdown.QueryLockdownExceptions() + +If the Exception users list contains accounts that do not require special permissions, this is a finding. 
+ +Note - This list is not intended for system administrator accounts but for special circumstances such as a service account. + +For environments that do not use vCenter server to manage ESXi, this is not applicable.SRG-OS-000032-VMM-000130<GroupDescription></GroupDescription>ESXI-65-000004Remote logging for ESXi hosts must be configured.<VulnDiscussion>Remote logging to a central log host provides a secure, centralized store for ESXi logs. By gathering host log files onto a central host it can more easily monitor all hosts with a single tool. It can also do aggregate analysis and searching to look for such things as coordinated attacks on multiple hosts. Logging to a secure, centralized log server also helps prevent log tampering and also provides a long-term audit record.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000067From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click Edit and select the Syslog.global.logHost value and configure it to a site specific syslog server. + +or + +From a PowerCLI command prompt while connected to the ESXi host run the following commands: + +Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost | Set-AdvancedSetting -Value "<syslog server hostname>"From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the Syslog.global.logHost value and verify it is set to a site specific syslog server hostname. 
+ +or + +From a PowerCLI command prompt while connected to the ESXi host run the following command: + +Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost + +If the Syslog.global.logHost setting is not set to a site specific syslog server, this is a finding.SRG-OS-000021-VMM-000050<GroupDescription></GroupDescription>ESXI-65-000005The ESXi host must enforce the limit of three consecutive invalid logon attempts by a user.<VulnDiscussion>By limiting the number of failed login attempts, the risk of unauthorized access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000044From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click Edit and select the Security.AccountLockFailures value and configure it to 3. + +or + +From a PowerCLI command prompt while connected to the ESXi host run the following command: + +Get-VMHost | Get-AdvancedSetting -Name Security.AccountLockFailures | Set-AdvancedSetting -Value 3From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the Security.AccountLockFailures value and verify it is set to 3. + +or + +From a PowerCLI command prompt while connected to the ESXi host run the following command: + +Get-VMHost | Get-AdvancedSetting -Name Security.AccountLockFailures and verify it is set to 3. 
+ +If the Security.AccountLockFailures is set to a value other than 3, this is a finding.SRG-OS-000329-VMM-001180<GroupDescription></GroupDescription>ESXI-65-000006The ESXi host must enforce the unlock timeout of 15 minutes after a user account is locked out.<VulnDiscussion>By limiting the number of failed login attempts, the risk of unauthorized access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-002238From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click Edit and select the Security.AccountUnlockTime value and configure it to 900. + +or + +From a PowerCLI command prompt while connected to the ESXi host run the following commands: + +Get-VMHost | Get-AdvancedSetting -Name Security.AccountUnlockTime | Set-AdvancedSetting -Value 900From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the Security.AccountUnlockTime value and verify it is set to 900. + +or + +From a PowerCLI command prompt while connected to the ESXi host run the following command: + +Get-VMHost | Get-AdvancedSetting -Name Security.AccountUnlockTime and verify it is set to 900. 
+ +If the Security.AccountUnlockTime is set to a value other than 900, this is a finding.SRG-OS-000023-VMM-000060<GroupDescription></GroupDescription>ESXI-65-000007The ESXi host must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.<VulnDiscussion>Failure to display the DoD logon banner prior to a log in attempt will negate legal proceedings resulting from unauthorized access to system resources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000048From a PowerCLI command prompt while connected to the ESXi host copy the following contents into a script(.ps1 file) and run to set the DCUI screen to display the DoD logon banner: + +<script begin> + +$value = @" +{bgcolor:black} {/color}{align:left}{bgcolor:black}{color:yellow}{hostname} , {ip}{/color}{/bgcolor}{/align} +{bgcolor:black} {/color}{align:left}{bgcolor:black}{color:yellow}{esxproduct} {esxversion}{/color}{/bgcolor}{/align} +{bgcolor:black} {/color}{align:left}{bgcolor:black}{color:yellow}{memory} RAM{/color}{/bgcolor}{/align} +{bgcolor:black} {/color}{align:left}{bgcolor:black}{color:white} {/color}{/bgcolor}{/align} +{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align} +{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
By {/color}{/bgcolor}{/align} +{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} using this IS (which includes any device attached to this IS), you consent to the following conditions: {/color}{/bgcolor}{/align} +{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align} +{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited {/color}{/bgcolor}{/align} +{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law {/color}{/bgcolor}{/align} +{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} enforcement (LE), and counterintelligence (CI) investigations. {/color}{/bgcolor}{/align} +{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align} +{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - At any time, the USG may inspect and seize data stored on this IS. {/color}{/bgcolor}{/align} +{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align} +{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - Communications using, or data stored on, this IS are not private, are subject to routine monitoring, {/color}{/bgcolor}{/align} +{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} interception, and search, and may be disclosed or used for any USG-authorized purpose. 
{/color}{/bgcolor}{/align} +{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align} +{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not {/color}{/bgcolor}{/align} +{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} for your personal benefit or privacy. {/color}{/bgcolor}{/align} +{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align} +{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching {/color}{/bgcolor}{/align} +{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} or monitoring of the content of privileged communications, or work product, related to personal representation {/color}{/bgcolor}{/align} +{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work {/color}{/bgcolor}{/align} +{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} product are private and confidential. See User Agreement for details. 
{/color}{/bgcolor}{/align} +{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align} +{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} +{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} +{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} +{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} +{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} +{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} +{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} +{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} +{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} +{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} +{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} +{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} +{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} +{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} +{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} +{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} +{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} +{bgcolor:black} {/color}{align:left}{bgcolor:dark-grey}{color:white} <F2> Accept Conditions and Customize System / View Logs{/align}{align:right}<F12> Accept Conditions and Shut Down/Restart {bgcolor:black} {/color}{/color}{/bgcolor}{/align} +{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} +"@ + +Get-VMHost | Get-AdvancedSetting -Name Annotations.WelcomeMessage | Set-AdvancedSetting -Value $value + +<script end>From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. 
Select the Annotations.WelcomeMessage value and verify it contains the DoD logon banner to follow. + +or + +From a PowerCLI command prompt while connected to the ESXi host run the following command: + +Get-VMHost | Get-AdvancedSetting -Name Annotations.WelcomeMessage + +Check for either of the following login banners based on the character limitations imposed by the system. An exact match of the text is required. If one of these banners is not displayed, this is a finding. + +You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests- -not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. + +OR + +I've read & consent to terms in IS user agreem't. 
+ +If the DCUI logon screen does not display the DoD logon banner, this is a finding.SRG-OS-000023-VMM-000060<GroupDescription></GroupDescription>ESXI-65-000008The ESXi host must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.<VulnDiscussion>Failure to display the DoD logon banner prior to a log in attempt will negate legal proceedings resulting from unauthorized access to system resources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000048From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click Edit and select the Config.Etc.issue value and set it to the following. + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +or + +From a PowerCLI command prompt while connected to the ESXi host run the following commands: + +Get-VMHost | Get-AdvancedSetting -Name Config.Etc.issue | Set-AdvancedSetting -Value "<insert logon banner>"From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the Config.Etc.issue value and verify it is set to DoD logon banner below. + +or + +From a PowerCLI command prompt while connected to the ESXi host run the following command: + +Get-VMHost | Get-AdvancedSetting -Name Config.Etc.issue + +If the Config.Etc.issue setting (/etc/issue file) does not contain the logon banner exactly as shown below this is a finding. + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."SRG-OS-000023-VMM-000060<GroupDescription></GroupDescription>ESXI-65-000009The ESXi host SSH daemon must be configured with the Department of Defense (DoD) login banner.<VulnDiscussion>The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000048From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": + +Banner /etc/issueFrom an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: + +# grep -i "^Banner" /etc/ssh/sshd_config + +If there is no output or the output is not exactly "Banner /etc/issue", this is a finding.SRG-OS-000033-VMM-000140<GroupDescription></GroupDescription>ESXI-65-000010The ESXi host SSH daemon must use DoD-approved encryption to protect the confidentiality of remote access sessions.<VulnDiscussion>Approved algorithms should impart some level of confidence in their implementation. 
Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. + +Note: This does not imply FIPS 140-2 validation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000068Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. + +From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": + +Ciphers aes128-ctr,aes192-ctr,aes256-ctrOnly FIPS-approved ciphers should be used. To verify that only FIPS-approved ciphers are in use, run the following command from an SSH session connected to the ESXi host, or from the ESXi shell: + +# grep -i "^Ciphers" /etc/ssh/sshd_config + +If there is no output or the output is not exactly "Ciphers aes128-ctr,aes192-ctr,aes256-ctr", this is a finding.SRG-OS-000033-VMM-000140<GroupDescription></GroupDescription>ESXI-65-000011The ESXi host SSH daemon must be configured to use only the SSHv2 protocol.<VulnDiscussion>SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used. 
Only SSH protocol version 2 connections should be permitted.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000068From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": + +Add or correct the following line in "/etc/ssh/sshd_config": + +Protocol 2From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: + +# grep -i "^Protocol" /etc/ssh/sshd_config + +If there is no output or the output is not exactly "Protocol 2", this is a finding.SRG-OS-000107-VMM-000530<GroupDescription></GroupDescription>ESXI-65-000012The ESXi host SSH daemon must ignore .rhosts files.<VulnDiscussion>SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. 
SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via ".rhosts" files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000767From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": + +Add or correct the following line in "/etc/ssh/sshd_config": + +IgnoreRhosts yesFrom an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: + +# grep -i "^IgnoreRhosts" /etc/ssh/sshd_config + +If there is no output or the output is not exactly "IgnoreRhosts yes", this is a finding.SRG-OS-000480-VMM-002000<GroupDescription></GroupDescription>ESXI-65-000013The ESXi host SSH daemon must not allow host-based authentication.<VulnDiscussion>SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. SSH's cryptographic host-based authentication is more secure than ".rhosts" authentication, since hosts are cryptographically authenticated. 
However, it is not recommended that hosts unilaterally trust one another, even within an organization.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000366From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": + +Add or correct the following line in "/etc/ssh/sshd_config": + +HostbasedAuthentication noFrom an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: + +# grep -i "^HostbasedAuthentication" /etc/ssh/sshd_config + +If there is no output or the output is not exactly "HostbasedAuthentication no", this is a finding.SRG-OS-000480-VMM-002000<GroupDescription></GroupDescription>ESXI-65-000014The ESXi host SSH daemon must not permit root logins.<VulnDiscussion>Permitting direct root login reduces auditable information about who ran privileged commands on the system and also allows direct attack attempts on root's password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000366From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": + +Add or correct the following line in "/etc/ssh/sshd_config": + +PermitRootLogin noFrom an SSH session connected to the 
ESXi host, or from the ESXi shell, run the following command: + +# grep -i "^PermitRootLogin" /etc/ssh/sshd_config + +If there is no output or the output is not exactly "PermitRootLogin no", this is a finding.SRG-OS-000480-VMM-002000<GroupDescription></GroupDescription>ESXI-65-000015The ESXi host SSH daemon must not allow authentication using an empty password.<VulnDiscussion>Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000366From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": + +PermitEmptyPasswords noFrom an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: + +# grep -i "^PermitEmptyPasswords" /etc/ssh/sshd_config + +If there is no output or the output is not exactly "PermitEmptyPasswords no", this is a finding.SRG-OS-000480-VMM-002000<GroupDescription></GroupDescription>ESXI-65-000016The ESXi host SSH daemon must not permit user environment settings.<VulnDiscussion>SSH environment options potentially allow users to bypass access restriction in some configurations. 
Users must not be able to present environment options to the SSH daemon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000366From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": + +PermitUserEnvironment noFrom an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: + +# grep -i "^PermitUserEnvironment" /etc/ssh/sshd_config + +If there is no output or the output is not exactly "PermitUserEnvironment no", this is a finding.SRG-OS-000480-VMM-002000<GroupDescription></GroupDescription>ESXI-65-000017The ESXi host SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.<VulnDiscussion>DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000366From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": + +MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: + +# grep -i "^MACs" /etc/ssh/sshd_config + +If 
there is no output or the output is not exactly "MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512", this is a finding.SRG-OS-000480-VMM-002000<GroupDescription></GroupDescription>ESXI-65-000018The ESXi host SSH daemon must not permit GSSAPI authentication.<VulnDiscussion>GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system’s GSSAPI to remote hosts, increasing the attack surface of the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000366From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": + +GSSAPIAuthentication noFrom an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: + +# grep -i "^GSSAPIAuthentication" /etc/ssh/sshd_config + +If there is no output or the output is not exactly "GSSAPIAuthentication no", this is a finding.SRG-OS-000480-VMM-002000<GroupDescription></GroupDescription>ESXI-65-000019The ESXi host SSH daemon must not permit Kerberos authentication.<VulnDiscussion>Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may then be subject to exploitation. 
To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be disabled for systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000366From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": + +KerberosAuthentication noFrom an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: + +# grep -i "^KerberosAuthentication" /etc/ssh/sshd_config + +If there is no output or the output is not exactly "KerberosAuthentication no", this is a finding.SRG-OS-000480-VMM-002000<GroupDescription></GroupDescription>ESXI-65-000020The ESXi host SSH daemon must perform strict mode checking of home directory configuration files.<VulnDiscussion>If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000366From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": + +StrictModes yesFrom an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: + +# grep -i "^StrictModes" 
/etc/ssh/sshd_config + +If there is no output or the output is not exactly "StrictModes yes", this is a finding.SRG-OS-000480-VMM-002000<GroupDescription></GroupDescription>ESXI-65-000021The ESXi host SSH daemon must not allow compression or must only allow compression after successful authentication.<VulnDiscussion>If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000366From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": + +Compression noFrom an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: + +# grep -i "^Compression" /etc/ssh/sshd_config + +If there is no output or the output is not exactly "Compression no", this is a finding.SRG-OS-000480-VMM-002000<GroupDescription></GroupDescription>ESXI-65-000022The ESXi host SSH daemon must be configured to not allow gateway ports.<VulnDiscussion>SSH TCP connection forwarding provides a mechanism to establish TCP connections proxied by the SSH server. This function can provide similar convenience to a Virtual Private Network (VPN) with the similar risk of providing a path to circumvent firewalls and network ACLs. 
Gateway ports allow remote forwarded ports to bind to non-loopback addresses on the server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000366From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": + +GatewayPorts noFrom an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: + +# grep -i "^GatewayPorts" /etc/ssh/sshd_config + +If there is no output or the output is not exactly "GatewayPorts no", this is a finding.SRG-OS-000480-VMM-002000<GroupDescription></GroupDescription>ESXI-65-000023The ESXi host SSH daemon must be configured to not allow X11 forwarding.<VulnDiscussion>X11 forwarding over SSH allows for the secure remote execution of X11-based applications. 
This feature can increase the attack surface of an SSH connection.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000366From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": + +X11Forwarding noFrom an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: + +# grep -i "^X11Forwarding" /etc/ssh/sshd_config + +If there is no output or the output is not exactly "X11Forwarding no", this is a finding.SRG-OS-000480-VMM-002000<GroupDescription></GroupDescription>ESXI-65-000024The ESXi host SSH daemon must not accept environment variables from the client.<VulnDiscussion>Environment variables can be used to change the behavior of remote sessions and should be limited. 
Locale environment variables that specify the language, character set, and other features modifying the operation of software to match the user's preferences.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000366From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": + +AcceptEnvFrom an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: + +# grep -i "^AcceptEnv" /etc/ssh/sshd_config + +If there is no output or the output is not exactly "AcceptEnv", this is a finding.SRG-OS-000480-VMM-002000<GroupDescription></GroupDescription>ESXI-65-000025The ESXi host SSH daemon must not permit tunnels.<VulnDiscussion>OpenSSH has the ability to create network tunnels (layer-2 and layer-3) over an SSH connection. 
This function can provide similar convenience to a Virtual Private Network (VPN) with the similar risk of providing a path to circumvent firewalls and network ACLs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000366From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": + +PermitTunnel noFrom an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: + +# grep -i "^PermitTunnel" /etc/ssh/sshd_config + +If there is no output or the output is not exactly "PermitTunnel no", this is a finding.SRG-OS-000480-VMM-002000<GroupDescription></GroupDescription>ESXI-65-000026The ESXi host SSH daemon must set a timeout count on idle sessions.<VulnDiscussion>This ensures a user login will be terminated as soon as the "ClientAliveCountMax" is reached.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000366From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": + +ClientAliveCountMax 3From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: + +# grep -i "^ClientAliveCountMax" /etc/ssh/sshd_config + +If there is no output or the 
output is not exactly "ClientAliveCountMax 3", this is a finding.SRG-OS-000480-VMM-002000<GroupDescription></GroupDescription>ESXI-65-000027The ESXi hostSSH daemon must set a timeout interval on idle sessions.<VulnDiscussion>Causing idle users to be automatically logged out guards against compromises one system leading trivially to compromises on another.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000366From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": + +ClientAliveInterval 200From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: + +# grep -i "^ClientAliveInterval" /etc/ssh/sshd_config + +If there is no output or the output is not exactly "ClientAliveInterval 200", this is a finding.SRG-OS-000480-VMM-002000<GroupDescription></GroupDescription>ESXI-65-000028The ESXi host SSH daemon must limit connections to a single session.<VulnDiscussion>The SSH protocol has the ability to provide multiple sessions over a single connection without reauthentication. 
A compromised client could use this feature to establish additional sessions to a system without consent or knowledge of the user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000366From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": + +MaxSessions 1From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: + +# grep -i "^MaxSessions" /etc/ssh/sshd_config + +If there is no output or the output is not exactly "MaxSessions 1", this is a finding.SRG-OS-000480-VMM-002000<GroupDescription></GroupDescription>ESXI-65-000029The ESXi host must remove keys from the SSH authorized_keys file.<VulnDiscussion>ESXi hosts come with SSH which can be enabled to allow remote access without requiring user authentication.  To enable password free access copy the remote users public key into the "/etc/ssh/keys-root/authorized_keys" file on the ESXi host.  The presence of the remote user's public key in the "authorized_keys" file identifies the user as trusted, meaning the user is granted access to the host without providing a password.  
If using Lockdown Mode and SSH is disabled then login with authorized keys will have the same restrictions as username/password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000366From an SSH session connected to the ESXi host, or from the ESXi shell, zero or remove the /etc/ssh/keys-root/authorized_keys file: + +# >/etc/ssh/keys-root/authorized_keys + +or + +# rm /etc/ssh/keys-root/authorized_keysFrom an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: + +# ls -la /etc/ssh/keys-root/authorized_keys + +or + +# cat /etc/ssh/keys-root/authorized_keys + +If the authorized_keys file exists and is not empty, this is a finding.SRG-OS-000037-VMM-000150<GroupDescription></GroupDescription>ESXI-65-000030The ESXi host must produce audit records containing information to establish what type of events occurred.<VulnDiscussion>Without establishing what types of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000130From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. 
Click Edit and select the Config.HostAgent.log.level value and configure it to "info". + +or + +From a PowerCLI command prompt while connected to the ESXi host run the following commands: + +Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.log.level | Set-AdvancedSetting -Value "info"From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the Config.HostAgent.log.level value and verify it is set to "info". + +or + +From a PowerCLI command prompt while connected to the ESXi host run the following command: + +Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.log.level + +If the Config.HostAgent.log.level setting is not set to info, this is a finding. + +Note: Verbose logging level is acceptable for troubleshooting purposes.SRG-OS-000069-VMM-000360<GroupDescription></GroupDescription>ESXI-65-000031The ESXi host must enforce password complexity by requiring that at least one upper-case character be used.<VulnDiscussion>To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques. Complexity requirements increase the password search space by requiring users to construct passwords from a larger character set than they may otherwise use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000192From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. 
Click Edit and select the Security.PasswordQualityControl value and configure it to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15". + +or + +From a PowerCLI command prompt while connected to the ESXi host run the following commands: + +Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl | Set-AdvancedSetting -Value "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15"From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the Security.PasswordQualityControl value and verify it is set to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15" + +or + +From a PowerCLI command prompt while connected to the ESXi host run the following command: + +Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl + +If the Security.PasswordQualityControl setting is not set to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15", this is a finding.SRG-OS-000077-VMM-000440<GroupDescription></GroupDescription>ESXI-65-000032The ESXi host must prohibit the reuse of passwords within five iterations.<VulnDiscussion>If a user, or root, used the same password continuously or was allowed to change it back shortly after being forced to change it to something else, it would provide a potential intruder with the opportunity to keep guessing at one user's password until it was guessed correctly.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000200From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in “/etc/pam.d/passwd”: + +password 
sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow sha512 remember=5From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: + +# grep -i "^password" /etc/pam.d/passwd | grep sufficient + +If the remember setting is not set or is not "remember=5", this is a finding.SRG-OS-000480-VMM-002000<GroupDescription></GroupDescription>ESXI-65-000033The password hashes stored on the ESXi host must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.<VulnDiscussion>Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes more vulnerable to compromise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000366From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in “/etc/pam.d/passwd”: + +password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow sha512 remember=5From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: + +# grep -i "^password" /etc/pam.d/passwd | grep sufficient + +If sha512 is not listed, this is a finding.SRG-OS-000095-VMM-000480<GroupDescription></GroupDescription>ESXI-65-000034The ESXi host must disable the Managed Object Browser (MOB).<VulnDiscussion>The Managed Object Browser (MOB) provides a way to explore the object model used by the VMkernel to manage the host and enables configurations to be changed as well. 
This interface is meant to be used primarily for debugging the vSphere SDK, but because there are no access controls it could also be used as a method obtain information about a host being targeted for unauthorized access. By default this is disabled for ESXi in version 6.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000381From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click Edit and select the Config.HostAgent.plugins.solo.enableMob value and configure it to false. + +or + +From a PowerCLI command prompt while connected to the ESXi host run the following commands: + +Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.solo.enableMob | Set-AdvancedSetting -Value falseFrom the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the Config.HostAgent.plugins.solo.enableMob value and verify it is set to false. + +or + +From a PowerCLI command prompt while connected to the ESXi host run the following command: + +Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.solo.enableMob + +If the Config.HostAgent.plugins.solo.enableMob setting is not set to false, this is a finding.SRG-OS-000095-VMM-000480<GroupDescription></GroupDescription>ESXI-65-000035The ESXi host must be configured to disable non-essential capabilities by disabling SSH.<VulnDiscussion>The ESXi Shell is an interactive command line interface (CLI) available at the ESXi server console. The ESXi shell provides temporary access to commands essential for server maintenance. 
Intended primarily for use in break-fix scenarios, the ESXi shell is well suited for checking and modifying configuration details, not always generally accessible, using the vSphere Client. The ESXi shell is accessible remotely using SSH by users with the Administrator role. Under normal operating conditions, SSH access to the host must be disabled as is the default. As with the ESXi shell, SSH is also intended only for temporary use during break-fix scenarios. SSH must therefore be disabled under normal operating conditions and must only be enabled for diagnostics or troubleshooting. Remote access to the host must therefore be limited to the vSphere Client at all other times.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000381From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Security Profile. Under Services select Edit then select the SSH service and click the Stop button to stop the service. Use the pull-down menu to change the Startup policy to "Start and stop manually" and click OK. + +or + +From a PowerCLI command prompt while connected to the ESXi host run the following commands: + +Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"} | Set-VMHostService -Policy Off +Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"} | Stop-VMHostServiceFrom the vSphere Web Client select the ESXi Host and go to Configure >> System >> Security Profile. Under Services select Edit and view the "SSH" service and verify it is stopped. 
+ +or + +From a PowerCLI command prompt while connected to the ESXi host run the following command: + +Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"} + +If the ESXi SSH service is running, this is a finding.SRG-OS-000095-VMM-000480<GroupDescription></GroupDescription>ESXI-65-000036The ESXi host must disable ESXi Shell unless needed for diagnostics or troubleshooting.<VulnDiscussion>The ESXi Shell is an interactive command line environment available locally from the DCUI or remotely via SSH. Activities performed from the ESXi Shell bypass vCenter RBAC and audit controls. The ESXi shell should only be turned on when needed to troubleshoot/resolve problems that cannot be fixed through the vSphere client.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000381From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Security Profile. Under Services select Edit then select the ESXi Shell service and click the Stop button to stop the service. Use the pull-down menu to change the Startup policy to "Start and stop manually" and click OK. + +or + +From a PowerCLI command prompt while connected to the ESXi host run the following commands: + +Get-VMHost | Get-VMHostService | Where {$_.Label -eq "ESXi Shell"} | Set-VMHostService -Policy Off +Get-VMHost | Get-VMHostService | Where {$_.Label -eq "ESXi Shell"} | Stop-VMHostServiceFrom the vSphere Web Client select the ESXi Host and go to Configure >> System >> Security Profile. Under Services select Edit and view the "ESXi Shell" service and verify it is stopped. 
+ +or + +From a PowerCLI command prompt while connected to the ESXi host run the following command: + +Get-VMHost | Get-VMHostService | Where {$_.Label -eq "ESXi Shell"} + +If the ESXi Shell service is running, this is a finding.SRG-OS-000104-VMM-000500<GroupDescription></GroupDescription>ESXI-65-000037The ESXi host must use Active Directory for local user authentication.<VulnDiscussion>Join ESXi hosts to an Active Directory (AD) domain to eliminate the need to create and maintain multiple local user accounts. Using AD for user authentication simplifies the ESXi host configuration, ensures password complexity and reuse policies are enforced and reduces the risk of security breaches and unauthorized access. Note: If the AD group "ESX Admins" (default) exists then all users and groups that are assigned as members to this group will have full administrative access to all ESXi hosts the domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000764From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Authentication Services. Click Join Domain and enter the AD domain to join, select the "Using credentials” radio button and enter the credentials of an account with permissions to join machines to AD (use UPN naming – user@domain) and then click OK. 
+ +or + +From a PowerCLI command prompt while connected to the ESXi host run the following command: + +Get-VMHost | Get-VMHostAuthentication | Set-VMHostAuthentication -JoinDomain -Domain "domain name" -User "username" -Password "password"From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Authentication Services. Verify the Directory Services Type is set to Active Directory. + +or + +From a PowerCLI command prompt while connected to the ESXi host run the following command: + +Get-VMHost | Get-VMHostAuthentication + +For systems that do not use Active Directory and have no local user accounts, other than root and/or vpxuser, this is not applicable. + +For systems that do not use Active Directory and do have local user accounts, other than root and/or vpxuser, this is a finding. + +If the Directory Services Type is not set to "Active Directory", this is a finding.SRG-OS-000104-VMM-000500<GroupDescription></GroupDescription>ESXI-65-000038The ESXi host must use the vSphere Authentication Proxy to protect passwords when adding ESXi hosts to Active Directory.<VulnDiscussion>If you configure your host to join an Active Directory domain using Host Profiles the Active Directory credentials are saved in the host profile and are transmitted over the network. To avoid having to save Active Directory credentials in the Host Profile and to avoid transmitting Active Directory credentials over the network use the vSphere Authentication Proxy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000764From the vSphere Web Client go to Home >> Host Profiles >> and select a Host Profile to edit. 
View the settings under Security and Services >> Security Settings >> Authentication Configuration >> Active Directory Configuration >> Join Domain Method. Set the method used to join hosts to a domain to "Use vSphere Authentication Proxy to add the host to domain" and provide the IP address of the vSphere Authentication Proxy server.From the vSphere Web Client go to Home >> Host Profiles >> and select a Host Profile to edit. View the settings under Security and Services >> Security Settings >> Authentication Configuration >> Active Directory Configuration >> Join Domain Method. Verify the method used to join hosts to a domain is set to "Use vSphere Authentication Proxy to add the host to domain". + +or + +From a PowerCLI command prompt while connected to vCenter run the following command: + +Get-VMHost | Select Name, ` @{N="HostProfile";E={$_ | Get-VMHostProfile}}, ` @{N="JoinADEnabled";E={($_ | Get-VmHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory.Enabled}}, ` @{N="JoinDomainMethod";E={(($_ | Get-VMHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory | Select -ExpandProperty Policy | Where {$_.Id -eq "JoinDomainMethodPolicy"}).Policyoption.Id}} + +Verify if JoinADEnabled is True then JoinDomainMethod should be "FixedCAMConfigOption". + +If you are not using Host Profiles to join active directory, this is not a finding.SRG-OS-000104-VMM-000500<GroupDescription></GroupDescription>ESXI-65-000039Active Directory ESX Admin group membership must not be used when adding ESXi hosts to Active Directory.<VulnDiscussion>When adding ESXi hosts to Active Directory, if the group "ESX Admins" exists, all user/group accounts assigned to the group will have full administrative access to the host. 
Discretion should be used when managing membership to the "ESX Admins" group.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000764From the vSphere Web Client select the ESXi Host and go to Configuration >> System >> Advanced System Settings. Click Edit and select the Config.HostAgent.plugins.hostsvc.esxAdminsGroup value and configure it to an Active Directory group other than "ESX Admins". + +or + +From a PowerCLI command prompt while connected to the ESXi host run the following commands: + +Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup | Set-AdvancedSetting -Value <AD Group>From the vSphere Web Client select the ESXi Host and go to Configuration >> System >> Advanced System Settings. Click Edit and select the Config.HostAgent.plugins.hostsvc.esxAdminsGroup value and verify it is not set to "ESX Admins". + +or + +From a PowerCLI command prompt while connected to the ESXi host run the following command: + +Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup + +For systems that do not use Active Directory and have no local user accounts, other than root and/or vpxuser, this is not applicable. + +For systems that do not use Active Directory and do have local user accounts, other than root and/or vpxuser, this is a finding. 
+ +If the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" keyword is set to "ESX Admins", this is a finding.SRG-OS-000107-VMM-000530<GroupDescription></GroupDescription>ESXI-65-000040The ESXi host must use multifactor authentication for local access to privileged accounts.<VulnDiscussion>To assure accountability and prevent unauthenticated access, privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000767The following are pre-requisites to configuration smart card authentication for the ESXi DCUI: +-Active Directory domain that supports smart card authentication, smart card readers, and smart cards. +-ESXi joined to an Active Directory domain. +-Trusted certificates for root and intermediary certificate authorities. + +From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Authentication Services and click Edit and check "Enable Smart Card Authentication" checkbox, at the Certificates tab, click the green plus sign to import trusted certificate authority certificates and click OK.From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Authentication Services and view the Smart Card Authentication status. If "Enable Smart Card Authentication" is checked, the system requires smart cards to authentication to an Active Directory Domain. + +For systems that have no local user accounts, other than root and/or vpxuser, this is not applicable. + +For environments that do not use vCenter server to manage ESXi, this is not applicable. 
+ +For systems that do not use smart cards with Active Directory and do have local user accounts, other than root and/or vpxuser, this is a finding.SRG-OS-000163-VMM-000700<GroupDescription></GroupDescription>ESXI-65-000041The ESXi host must set a timeout to automatically disable idle sessions after 10 minutes.<VulnDiscussion>If a user forgets to log out of their SSH session, the idle connection will remains open indefinitely, increasing the potential for someone to gain privileged access to the host. The ESXiShellInteractiveTimeOut allows you to automatically terminate idle shell sessions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-001133From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click Edit and select the UserVars.ESXiShellInteractiveTimeOut value and configure it to 600. + +or + +From a PowerCLI command prompt while connected to the ESXi host run the following commands: + +Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut | Set-AdvancedSetting -Value 600From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the UserVars.ESXiShellInteractiveTimeOut value and verify it is set to 600 (10 Minutes). 
+ +or + +From a PowerCLI command prompt while connected to the ESXi host run the following command: + +Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut + +If the UserVars.ESXiShellInteractiveTimeOut setting is not set to 600, this is a finding.SRG-OS-000163-VMM-000700<GroupDescription></GroupDescription>ESXI-65-000042The ESXi host must terminate shell services after 10 minutes.<VulnDiscussion>When the ESXi Shell or SSH services are enabled on a host they will run indefinitely. To avoid having these services left running set the ESXiShellTimeOut. The ESXiShellTimeOut defines a window of time after which the ESXi Shell and SSH services will automatically be terminated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-001133From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click Edit and select the UserVars.ESXiShellTimeOut value and configure it to 600. + +or + +From a PowerCLI command prompt while connected to the ESXi host run the following commands: + +Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellTimeOut | Set-AdvancedSetting -Value 600From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the UserVars.ESXiShellTimeOut value and verify it is set to 600 (10 Minutes). 
+ +or + +From a PowerCLI command prompt while connected to the ESXi host run the following command: + +Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellTimeOut + +If the UserVars.ESXiShellTimeOut setting is not set to 600, this is a finding.SRG-OS-000163-VMM-000700<GroupDescription></GroupDescription>ESXI-65-000043The ESXi host must logout of the console UI after 10 minutes.<VulnDiscussion>When the Direct console user interface (DCUI) is enabled and logged in it should be automatically logged out if left logged in to avoid unauthorized privilege gains. The DcuiTimeOut defines a window of time after which the DCUI will be logged out.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-001133From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click Edit and select the UserVars.DcuiTimeOut value and configure it to 600. + +or + +From a PowerCLI command prompt while connected to the ESXi host run the following commands: + +Get-VMHost | Get-AdvancedSetting -Name UserVars.DcuiTimeOut | Set-AdvancedSetting -Value 600From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the UserVars.DcuiTimeOut value and verify it is set to 600 (10 Minutes). 
+ +or + +From a PowerCLI command prompt while connected to the ESXi host run the following command: + +Get-VMHost | Get-AdvancedSetting -Name UserVars.DcuiTimeOut + +If the UserVars.DcuiTimeOut setting is not set to 600, this is a finding.SRG-OS-000269-VMM-000950<GroupDescription></GroupDescription>ESXI-65-000044The ESXi host must enable kernel core dumps.<VulnDiscussion>In the event of a system failure, the system must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-001665From the vSphere Web Client select the ESXi Host and right click. Select the "Add Diagnostic Partition" option configure a core dump diagnostic partition. + +or + +From a PowerCLI command prompt while connected to the ESXi host run at least one of the following sets of commands: + +To configure a core dump partition: + +$esxcli = Get-EsxCli +#View available partitions to configure +$esxcli.system.coredump.partition.list() +$esxcli.system.coredump.partition.set($null,"PartitionName",$null,$null) + +To configure a core dump collector: + +$esxcli = Get-EsxCli +$esxcli.system.coredump.network.set($null,"vmkernel port to use",$null,"CollectorIP","CollectorPort") +$esxcli.system.coredump.network.set($true)From the vSphere Web Client select the ESXi Host and right click. If the "Add Diagnostic Partition" option is greyed out then core dumps are configured. 
+ +or + +From a PowerCLI command prompt while connected to the ESXi host run the following commands: + +$esxcli = Get-EsxCli +$esxcli.system.coredump.partition.get() +$esxcli.system.coredump.network.get() + +The first command prepares for the other two. The second command shows whether there is an active core dump partition configured. The third command shows whether a network core dump collector is configured and enabled, via the "HostVNic", "NetworkServerIP", "NetworkServerPort", and "Enabled" variables. + +If there is no active core dump partition or the network core dump collector is not configured and enabled, this is a finding.SRG-OS-000341-VMM-001220<GroupDescription></GroupDescription>ESXI-65-000045The ESXi host must enable a persistent log location for all locally stored logs.<VulnDiscussion>ESXi can be configured to store log files on an in-memory file system. This occurs when the host's "/scratch" directory is linked to "/tmp/scratch". When this is done only a single day's worth of logs are stored at any time. In addition log files will be reinitialized upon each reboot. This presents a security risk as user activity logged on the host is only stored temporarily and will not persistent across reboots. This can also complicate auditing and make it harder to monitor events and diagnose issues. ESXi host logging should always be configured to a persistent datastore. + +Note: Scratch space is configured automatically during installation or first boot of an ESXi host, and does not usually need to be manually configured. ESXi Installable creates a 4 GB Fat16 partition on the target device during installation if there is sufficient space, and if the device is considered Local. 
If ESXi is installed on an SD card or USB device a persistent log location may not be configured upon install as normal.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-001849From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click Edit and select the Syslog.global.logDir value and set it to a known persistent location. + +or + +From a PowerCLI command prompt while connected to the ESXi host run the following commands: + +Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logDir | Set-AdvancedSetting -Value "New Log Location"From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the Syslog.global.logDir value and verify it is set to a persistent location. + +or + +From a PowerCLI command prompt while connected to the ESXi host run the following commands: + +Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logDir + +or + +$esxcli = Get-EsxCli +$esxcli.system.syslog.config.get() | Select LocalLogOutput,LocalLogOutputIsPersistent + +If the Syslog.global.logDir or LocalLogOutput value is not on persistent storage, this is a finding. + +If the LocalLogOutputIsPersistent value is not true, this is a finding.SRG-OS-000355-VMM-001330<GroupDescription></GroupDescription>ESXI-65-000046The ESXi host must configure NTP time synchronization.<VulnDiscussion>To assure the accuracy of the system clock, it must be synchronized with an authoritative time source within DoD. 
Many system functions, including time-based login and activity restrictions, automated reports, system logs, and audit records depend on an accurate system clock. If there is no confidence in the correctness of the system clock, time-based functions may not operate as intended and records may be of diminished value.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-001891From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Time Configuration. Click Edit to configure the NTP service to start and stop with the host and with authoritative DoD time sources. + +or + +From a PowerCLI command prompt while connected to the ESXi host run the following command: + +$NTPServers = "ntpserver1","ntpserver2" +Get-VMHost | Add-VMHostNTPServer $NTPServers +Get-VMHost | Get-VMHostService | Where {$_.Label -eq "NTP Daemon"} | Set-VMHostService -Policy On +Get-VMHost | Get-VMHostService | Where {$_.Label -eq "NTP Daemon"} | Start-VMHostServiceFrom the vSphere Web Client select the ESXi Host and go to Configure >> System >> Time Configuration. Click Edit to verify the configured NTP servers and service startup policy. 
+ +or + +From a PowerCLI command prompt while connected to the ESXi host run the following command: + +Get-VMHost | Get-VMHostNTPServer +Get-VMHost | Get-VMHostService | Where {$_.Label -eq "NTP Daemon"} + +If the NTP service is not configured with authoritative DoD time sources and the service is not configured to start and stop with the host and is running, this is a finding.SRG-OS-000366-VMM-001430<GroupDescription></GroupDescription>ESXI-65-000047The ESXi Image Profile and VIB Acceptance Levels must be verified.<VulnDiscussion>Verify the ESXi Image Profile to only allow signed VIBs. An unsigned VIB represents untested code installed on an ESXi host. The ESXi Image profile supports four acceptance levels: + +(1) VMwareCertified - VIBs created, tested and signed by VMware +(2) VMwareAccepted - VIBs created by a VMware partner but tested and signed by VMware, +(3) PartnerSupported - VIBs created, tested and signed by a certified VMware partner +(4) CommunitySupported - VIBs that have not been tested by VMware or a VMware partner. + +Community Supported VIBs are not supported and do not have a digital signature. To protect the security and integrity of your ESXi hosts do not allow unsigned (CommunitySupported) VIBs to be installed on your hosts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-001749From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Security Profile. Under "Host Image Profile Acceptance Level" click Edit… and use the pull-down selection, set the acceptance level to be VMwareCertified, VMwareAccepted, or PartnerSupported. 
+ +or + +From a PowerCLI command prompt while connected to the ESXi host run the following commands: + +$esxcli = Get-EsxCli +$esxcli.software.acceptance.Set("PartnerSupported") + +Note: VMwareCertified or VMwareAccepted may be substituted for PartnerSupported, depending upon local requirements.From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Security Profile. Under "Host Image Profile Acceptance Level" view the acceptance level. + +or + +From a PowerCLI command prompt while connected to the ESXi host run the following commands: + +$esxcli = Get-EsxCli +$esxcli.software.acceptance.get() + +If the acceptance level is CommunitySupported, this is a finding.SRG-OS-000423-VMM-001700<GroupDescription></GroupDescription>ESXI-65-000048The ESXi host must protect the confidentiality and integrity of transmitted information by isolating vMotion traffic.<VulnDiscussion>While encrypted vMotion is available now vMotion traffic should still be sequestered from other traffic to further protect it from attack. This network must be only be accessible to other ESXi hosts preventing outside access to the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-002418Configuration of the vMotion VMkernel will be unique to each environment. As an example, to modify the IP address and VLAN information to the correct network on a distributed switch do the following: + +From the vSphere Web Client go to Networking >> Select a distributed switch >> Select a port group >> Configure >> Settings >> Edit >> VLAN. 
Change the "VLAN Type" to "VLAN" and change the "VLAN ID" to a network allocated and dedicated to vMotion traffic exclusively.The vMotion VMKernel port group should in a dedicated VLAN that can be on a common standard or distributed virtual switch as long as the vMotion VLAN is not shared by any other function and it not routed to anything but ESXi hosts. The check for this will be unique per environment. From the vSphere Client select the ESXi host and go to Configuration > Networking and review the VLAN associated with the vMotion VMkernel(s) and verify they are dedicated for that purpose and are logically separated from other functions. + +If long distance or cross vCenter vMotion is used the vMotion network can be routable but must be accessible to only the intended ESXi hosts. + +If the vMotion port group is not on an isolated VLAN and/or is routable to systems other than ESXi hosts, this is a finding. + +For environments that do not use vCenter server to manage ESXi, this is not applicable.SRG-OS-000423-VMM-001700<GroupDescription></GroupDescription>ESXI-65-000050The ESXi host must protect the confidentiality and integrity of transmitted information by protecting IP based management traffic.<VulnDiscussion>Virtual machines might share virtual switches and VLANs with the IP-based storage configurations. IP-based storage includes vSAN, iSCSI and NFS. This configuration might expose IP-based storage traffic to unauthorized virtual machine users. IP-based storage frequently is not encrypted. It can be viewed by anyone with access to this network. To restrict unauthorized users from viewing the IP-based storage traffic, the IP-based storage network must be logically separated from the production traffic. 
Configuring the IP-based storage adaptors on separate VLANs or network segments from other VMkernels and Virtual Machines will limit unauthorized users from viewing the traffic.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-002418Configuration of an IP-Based VMkernel will be unique to each environment but for example to modify the IP address and VLAN information to the correct network on a standard switch for an iSCSI VMkernel do the following: + +From the vSphere Web Client select the ESXi host and go to Configure >> Networking >> VMkernel adapters. Select the Storage VMkernel (for vSAN only) and click Edit settings >> On the Port properties tab uncheck everything but "vSAN.” On the IP Settings tab >> Enter the appropriate IP address and subnet information and click OK. + +Set the appropriate VLAN ID >> Configure >> Networking >> Virtual switches. Select the Storage portgroup (iSCSI, NFS, vSAN) and click Edit settings >> On the properties tab, enter the appropriate VLAN ID and click OK.IP-Based storage (iSCSI, NFS, vSAN) VMkernel port groups must be in a dedicated VLAN that can be on a common standard or distributed virtual switch that is logically separated from other traffic types. The check for this will be unique per environment. + +From the vSphere Web Client select the ESXi Host and go to Configure >> Networking >> VMkernel adapters and review the VLANs associated with any IP-Based storage VMkernels and verify they are dedicated for that purpose and are logically separated from other functions. + +If any IP-Based storage networks are not isolated from other traffic types, this is a finding. 
+ +If IP-based storage is not used, this is not applicable.SRG-OS-000423-VMM-001700<GroupDescription></GroupDescription>ESXI-65-000052The ESXi host must protect the confidentiality and integrity of transmitted information by utilizing different TCP/IP stacks where possible.<VulnDiscussion>There are three different TCP/IP stacks by default available on ESXi now which are Default, Provisioning, and vMotion. To better protect and isolate sensitive network traffic within ESXi admins must configure each of these stacks. Additional custom TCP/IP stacks can be created if desired.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-002418From the vSphere Web Client select the ESXi Host and go to Configure >> Networking >> TCP/IP configuration >> Select a TCP/IP stack >> Click Edit >> Enter the appropriate site specific IP address information for the particular TCP/IP stack and click OK.From the vSphere Web Client select the ESXi Host and go to Configure >> Networking >> TCP/IP configuration. Review the default system TCP/IP stacks and verify they are configured with the appropriate IP address information. + +If vMotion and Provisioning VMKernels are in use and are not utilizing their own TCP/IP stack, this is a finding.SRG-OS-000480-VMM-002000<GroupDescription></GroupDescription>ESXI-65-000053SNMP must be configured properly on the ESXi host.<VulnDiscussion>If SNMP is not being used, it must remain disabled. If it is being used, the proper trap destination must be configured. 
If SNMP is not properly configured, monitoring information can be sent to a malicious host that can then use this information to plan an attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000366To disable SNMP run the following command from a PowerCLI command prompt while connected to the ESXi Host: + +Get-VMHostSnmp | Set-VMHostSnmp -Enabled $false + +or + +From a console or ssh session run the follow command: + +esxcli system snmp set -e no + +To configure SNMP for v3 targets use the "esxcli system snmp set" command set.From a PowerCLI command prompt while connected to the ESXi host run the following command: + +Get-VMHostSnmp | Select * + +or + +From a console or ssh session run the follow command: + +esxcli system snmp get + +If SNMP is not in use and is enabled, this is a finding. + +If SNMP is enabled and read only communities is set to public, this is a finding. + +If SNMP is enabled and is not using v3 targets, this is a finding. + +Note: SNMP v3 targets can only be viewed and configured from the esxcli command.SRG-OS-000480-VMM-002000<GroupDescription></GroupDescription>ESXI-65-000054The ESXi host must enable bidirectional CHAP authentication for iSCSI traffic.<VulnDiscussion>When enabled, vSphere performs bidirectional authentication of both the iSCSI target and host. There is a potential for a MiTM attack, when not authenticating both the iSCSI target and host, in which an attacker might impersonate either side of the connection to steal data. 
Bidirectional authentication mitigates this risk.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000366From the vSphere Web Client select the ESXi Host and go to Configure >> Storage >> Storage Adapters >> Select the iSCSI adapter >> Properties >> Authentication and click the Edit button. Set Authentication method to “Use bidirectional CHAP” and enter a unique secret for each traffic flow direction. + +or + +From a PowerCLI command prompt while connected to the ESXi host run the following command: + +Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "iscsi"} | Set-VMHostHba -ChapType Required -ChapName "chapname" -ChapPassword "password" -MutualChapEnabled $true -MutualChapName "mutualchapname" -MutualChapPassword "mutualpassword"From the vSphere Web Client select the ESXi Host and go to Configure >> Storage >> Storage Adapters >> Select the iSCSI adapter >> Properties >> Authentication method and view the CHAP configuration and verify CHAP is "Required" for target and host authentication. + +or + +From a PowerCLI command prompt while connected to the ESXi host run the following command: + +Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "iscsi"} | Select AuthenticationProperties -ExpandProperty AuthenticationProperties + +If iSCSI is not used, this is not a finding. + +If iSCSI is used and CHAP is not set to "Required" for both the target and host, this is a finding. 
+ +If iSCSI is used and unique CHAP secrets are not used for each host, this is a finding.SRG-OS-000480-VMM-002000<GroupDescription></GroupDescription>ESXI-65-000055The ESXi host must disable Inter-VM transparent page sharing.<VulnDiscussion>Published academic papers have demonstrated that by forcing a flush and reload of cache memory, it is possible to measure memory timings to try and determine an AES encryption key in use on another virtual machine running on the same physical processor of the host server if Transparent Page Sharing is enabled between the two virtual machines. This technique works only in a highly controlled system configured in a non-standard way that VMware believes would not be recreated in a production environment. + +Even though VMware believes information being disclosed in real world conditions is unrealistic, out of an abundance of caution upcoming ESXi Update releases will no longer enable TPS between Virtual Machines by default (TPS will still be utilized within individual VMs).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000366From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click Edit and select the Mem.ShareForceSalting value and configure it to 2. + +or + +From a PowerCLI command prompt while connected to the ESXi host run the following commands: + +Get-VMHost | Get-AdvancedSetting -Name Mem.ShareForceSalting | Set-AdvancedSetting -Value 2From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the Mem.ShareForceSalting value and verify it is set to 2. 
+ +or + +From a PowerCLI command prompt while connected to the ESXi host run the following command: + +Get-VMHost | Get-AdvancedSetting -Name Mem.ShareForceSalting + +If the Mem.ShareForceSalting setting is not set to 2, this is a finding.SRG-OS-000480-VMM-002000<GroupDescription></GroupDescription>ESXI-65-000056The ESXi host must configure the firewall to restrict access to services running on the host.<VulnDiscussion>Unrestricted access to services running on an ESXi host can expose a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to only allow access from authorized networks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000366From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Security Profile. Under the Firewall section click Edit and for each enabled service uncheck the check box to “Allow connections from any IP address,” and input the site specific network(s) required.Configure this for Incoming and Outgoing connections. + +or + +From a PowerCLI command prompt while connected to the ESXi host run the following command: + +$esxcli = Get-EsxCli +#This disables the allow all rule for the target service +$esxcli.network.firewall.ruleset.set($false,$true,"sshServer") +$esxcli.network.firewall.ruleset.allowedip.add("192.168.0.0/24","sshServer") + +This must be done for each enabled service.From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Security Profile. Under the Firewall section click Edit and for each enabled service click Firewall and review the allowed IPs. 
Check this for Incoming and Outgoing connections. + +or + +From a PowerCLI command prompt while connected to the ESXi host run the following command: + +Get-VMHost | Get-VMHostFirewallException | Where {$_.Enabled -eq $true} | Select Name,Enabled,@{N="AllIPEnabled";E={$_.ExtensionData.AllowedHosts.AllIP}} + +If for an enabled service "Allow connections from any IP address" is selected, this is a finding.SRG-OS-000480-VMM-002000<GroupDescription></GroupDescription>ESXI-65-000057The ESXi host must configure the firewall to block network traffic by default.<VulnDiscussion>In addition to service specific firewall rules ESXi has a default firewall rule policy to allow or deny incoming and outgoing traffic. Reduce the risk of attack by making sure this is set to deny incoming and outgoing traffic.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000366From a PowerCLI command prompt while connected to the ESXi host run the following command: + +Get-VMHostFirewallDefaultPolicy | Set-VMHostFirewallDefaultPolicy -AllowIncoming $false -AllowOutgoing $falseFrom a PowerCLI command prompt while connected to the ESXi host run the following command: + +Get-VMHostFirewallDefaultPolicy + +If the Incoming or Outgoing policies are True, this is a finding.SRG-OS-000480-VMM-002000<GroupDescription></GroupDescription>ESXI-65-000058The ESXi host must enable BPDU filter on the host to prevent being locked out of physical switch ports with Portfast and BPDU Guard enabled.<VulnDiscussion>BPDU Guard and Portfast are commonly enabled on the physical switch to which the ESXi host is directly connected to reduce the STP convergence 
delay. If a BPDU packet is sent from a virtual machine on the ESXi host to the physical switch so configured, a cascading lockout of all the uplink interfaces from the ESXi host can occur. To prevent this type of lockout, BPDU Filter can be enabled on the ESXi host to drop any BPDU packets being sent to the physical switch. The caveat is that certain SSL VPN which use Windows bridging capability can legitimately generate BPDU packets. The administrator should verify that there are no legitimate BPDU packets generated by virtual machines on the ESXi host prior to enabling BPDU Filter. If BPDU Filter is enabled in this situation, enabling Reject Forged Transmits on the virtual switch port group adds protection against Spanning Tree loops.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000366From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click Edit and select the Net.BlockGuestBPDU value and configure it to 1. + +or + +From a PowerCLI command prompt while connected to the ESXi host run the following commands: + +Get-VMHost | Get-AdvancedSetting -Name Net.BlockGuestBPDU | Set-AdvancedSetting -Value 1From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the Net.BlockGuestBPDU value and verify it is set to 1. 
+ +or + +From a PowerCLI command prompt while connected to the ESXi host run the following command: + +Get-VMHost | Get-AdvancedSetting -Name Net.BlockGuestBPDU + +If the Net.BlockGuestBPDU setting is not set to 1, this is a finding.SRG-OS-000480-VMM-002000<GroupDescription></GroupDescription>ESXI-65-000059The virtual switch Forged Transmits policy must be set to reject on the ESXi host.<VulnDiscussion>If the virtual machine operating system changes the MAC address, the operating system can send frames with an impersonated source MAC address at any time. This allows an operating system to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network. + +This means the virtual switch does not compare the source and effective MAC addresses. + +To protect against MAC address impersonation, all virtual switches should have forged transmissions set to Reject. Reject Forged Transmit can be set at the vSwitch and/or the Portgroup level. You can override switch level settings at the Portgroup level.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000366From the vSphere Web Client go to Configure >> Networking >> Virtual Switches. For each virtual switch and port group click Edit settings and change "Forged Transmits" to reject. 
+ +or + +From a PowerCLI command prompt while connected to the ESXi host run the following commands: + +Get-VirtualSwitch | Get-SecurityPolicy | Set-SecurityPolicy -ForgedTransmits $false +Get-VirtualPortGroup | Get-SecurityPolicy | Set-SecurityPolicy -ForgedTransmitsInherited $trueFrom the vSphere Web Client go to Configure >> Networking >> Virtual Switches. View the properties on each virtual switch and port group and verify "Forged Transmits" is set to reject. + +or + +From a PowerCLI command prompt while connected to the ESXi host run the following commands: + +Get-VirtualSwitch | Get-SecurityPolicy +Get-VirtualPortGroup | Get-SecurityPolicy + +If the "Forged Transmits" policy is set to accept, this is a finding.SRG-OS-000480-VMM-002000<GroupDescription></GroupDescription>ESXI-65-000060The virtual switch MAC Address Change policy must be set to reject on the ESXi host.<VulnDiscussion>If the virtual machine operating system changes the MAC address, it can send frames with an impersonated source MAC address at any time. This allows it to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network. This will prevent VMs from changing their effective MAC address. It will affect applications that require this functionality. This will also affect how a layer 2 bridge will operate. This will also affect applications that require a specific MAC address for licensing. Reject MAC Changes can be set at the vSwitch and/or the Portgroup level. 
You can override switch level settings at the Portgroup level.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000366From the vSphere Web Client go to Configure >> Networking >> Virtual Switches. For each virtual switch and port group click Edit settings and change "MAC Address Changes" to reject.
+
+or
+
+From a PowerCLI command prompt while connected to the ESXi host run the following commands:
+
+Get-VirtualSwitch | Get-SecurityPolicy | Set-SecurityPolicy -MacChanges $false
+Get-VirtualPortGroup | Get-SecurityPolicy | Set-SecurityPolicy -MacChangesInherited $trueFrom the vSphere Web Client go to Configure >> Networking >> Virtual Switches. View the properties on each virtual switch and port group and verify "MAC Address Changes" is set to reject.
+
+or
+
+From a PowerCLI command prompt while connected to the ESXi host run the following commands:
+
+Get-VirtualSwitch | Get-SecurityPolicy
+Get-VirtualPortGroup | Get-SecurityPolicy
+
+If the "MAC Address Changes" policy is set to accept, this is a finding.SRG-OS-000480-VMM-002000<GroupDescription></GroupDescription>ESXI-65-000061The virtual switch Promiscuous Mode policy must be set to reject on the ESXi host.<VulnDiscussion>When promiscuous mode is enabled for a virtual switch all virtual machines connected to the Portgroup have the potential of reading all packets across that network, meaning only the virtual machines connected to that Portgroup. Promiscuous mode is disabled by default on the ESXi Server, and this is the recommended setting. Promiscous mode can be set at the vSwitch and/or the Portgroup level. 
You can override switch level settings at the Portgroup level.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000366From the vSphere Web Client go to Configure >> Networking >> Virtual Switches. For each virtual switch and port group click Edit settings and change "Promiscuous Mode" to reject.
+
+or
+
+From a PowerCLI command prompt while connected to the ESXi host run the following commands:
+
+Get-VirtualSwitch | Get-SecurityPolicy | Set-SecurityPolicy -AllowPromiscuous $false
+Get-VirtualPortGroup | Get-SecurityPolicy | Set-SecurityPolicy -AllowPromiscuousInherited $trueFrom the vSphere Web Client go to Configure >> Networking >> Virtual Switches. View the properties on each virtual switch and port group and verify "Promiscuous Mode" is set to reject.
+
+or
+
+From a PowerCLI command prompt while connected to the ESXi host run the following commands:
+
+Get-VirtualSwitch | Get-SecurityPolicy
+Get-VirtualPortGroup | Get-SecurityPolicy
+
+If the "Promiscuous Mode" policy is set to accept, this is a finding.SRG-OS-000480-VMM-002000<GroupDescription></GroupDescription>ESXI-65-000062The ESXi host must prevent unintended use of the dvFilter network APIs.<VulnDiscussion>If you are not using products that make use of the dvfilter network API, the host should not be configured to send network information to a VM. If the API is enabled an attacker might attempt to connect a VM to it thereby potentially providing access to the network of other VMs on the host. If you are using a product that makes use of this API then verify that the host has been configured correctly. 
If you are not using such a product make sure the setting is blank.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000366From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click Edit and select the Net.DVFilterBindIpAddress value and remove any incorrect addresses.
+
+or
+
+From a PowerCLI command prompt while connected to the ESXi host run the following command:
+
+Get-VMHost | Get-AdvancedSetting -Name Net.DVFilterBindIpAddress | Set-AdvancedSetting -Value ""From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the Net.DVFilterBindIpAddress value and verify the value is blank or the correct IP address of a security appliance if in use.
+
+or
+
+From a PowerCLI command prompt while connected to the ESXi host run the following command:
+
+Get-VMHost | Get-AdvancedSetting -Name Net.DVFilterBindIpAddress
+
+If the Net.DVFilterBindIpAddress is not blank and security appliances are not in use on the host, this is a finding.SRG-OS-000480-VMM-002000<GroupDescription></GroupDescription>ESXI-65-000063For the ESXi host all port groups must be configured to a value other than that of the native VLAN.<VulnDiscussion>ESXi does not use the concept of native VLAN. Frames with VLAN specified in the port group will have a tag, but frames with VLAN not specified in the port group are not tagged and therefore will end up as belonging to native VLAN of the physical switch. For example, frames on VLAN 1 from a Cisco physical switch will be untagged, because this is considered as the native VLAN. 
However, frames from ESXi specified as VLAN 1 will be tagged with a "1"; therefore, traffic from ESXi that is destined for the native VLAN will not be correctly routed (because it is tagged with a "1" instead of being untagged), and traffic from the physical switch coming from the native VLAN will not be visible (because it is not tagged). If the ESXi virtual switch port group uses the native VLAN ID, traffic from those VMs will not be visible to the native VLAN on the switch, because the switch is expecting untagged traffic.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000366From the vSphere Web Client select the ESXi Host and go to Configure >> Networking >> Virtual switches. Highlight a port group (where VLAN ID set to native VLAN ID) and click Edit settings. Change the VLAN ID to a non-native VLAN and click OK.
+
+or
+
+From a PowerCLI command prompt while connected to the ESXi host run the following command:
+
+Get-VirtualPortGroup -Name "portgroup name" | Set-VirtualPortGroup -VLanId "New VLAN#"From the vSphere Web Client select the ESXi Host and go to Configure >> Networking >> Virtual switches. For each virtual switch, review the port group VLAN tags and verify they are not set to the native VLAN ID of the attached physical switch. 
+
+or
+
+From a PowerCLI command prompt while connected to the ESXi host run the following command:
+
+Get-VirtualPortGroup | Select Name, VLanId
+
+If any port group is configured with the native VLAN of the ESXi hosts attached physical switch, this is a finding.SRG-OS-000480-VMM-002000<GroupDescription></GroupDescription>ESXI-65-000064For the ESXi host all port groups must not be configured to VLAN 4095 unless Virtual Guest Tagging (VGT) is required.<VulnDiscussion>When a port group is set to VLAN 4095, this activates VGT mode. In this mode, the vSwitch passes all network frames to the guest VM without modifying the VLAN tags, leaving it up to the guest to deal with them. VLAN 4095 should be used only if the guest has been specifically configured to manage VLAN tags itself. If VGT is enabled inappropriately, it might cause denial-of-service or allow a guest VM to interact with traffic on an unauthorized VLAN.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000366From the vSphere Web Client select the ESXi Host and go to Configure >> Networking >> Virtual switches. Highlight a port group (where VLAN ID set to 4095) and click Edit settings. Change the VLAN ID to not be 4095 and click OK.
+
+or
+
+From a PowerCLI command prompt while connected to the ESXi host run the following command:
+
+Get-VirtualPortGroup -Name "portgroup name" | Set-VirtualPortGroup -VLanId "New VLAN#"From the vSphere Web Client select the ESXi Host and go to Configure >> Networking >> Virtual switches. For each virtual switch, review the port group VLAN tags and verify they are not set to 4095. 
+
+or
+
+From a PowerCLI command prompt while connected to the ESXi host run the following command:
+
+Get-VirtualPortGroup | Select Name, VLanID
+
+If any port group is configured with VLAN 4095 and is not documented as a needed exception, this is a finding.SRG-OS-000480-VMM-002000<GroupDescription></GroupDescription>ESXI-65-000065For the ESXi host all port groups must not be configured to VLAN values reserved by upstream physical switches.<VulnDiscussion>Certain physical switches reserve certain VLAN IDs for internal purposes and often disallow traffic configured to these values. For example, Cisco Catalyst switches typically reserve VLANs 1001–1024 and 4094, while Nexus switches typically reserve 3968–4047 and 4094. Check with the documentation for your specific switch. Using a reserved VLAN might result in a denial of service on the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000366From the vSphere Web Client select the ESXi Host and go to Configure >> Networking >> Virtual switches. Highlight a port group (where VLAN ID set to 4095) and click Edit settings (pencil). Change the VLAN ID to not be a reserved VLAN ID and click OK.
+
+or
+
+From a PowerCLI command prompt while connected to the ESXi host run the following command:
+
+Get-VirtualPortGroup -Name "portgroup name" | Set-VirtualPortGroup -VLanId "New VLAN#"From the vSphere Web Client select the ESXi Host and go to Configure >> Networking >> Virtual switches. For each virtual switch, review the port group VLAN tags and verify they are not set to a reserved VLAN ID. 
+
+or
+
+From a PowerCLI command prompt while connected to the ESXi host run the following command:
+
+Get-VirtualPortGroup | Select Name, VLanId
+
+If any port group is configured with a reserved VLAN ID, this is a finding.SRG-OS-000480-VMM-002000<GroupDescription></GroupDescription>ESXI-65-000066For physical switch ports connected to the ESXi host, the non-negotiate option must be configured for trunk links between external physical switches and virtual switches in VST mode.<VulnDiscussion>In order to communicate with virtual switches in VST mode, external switch ports must be configured as trunk ports. VST mode does not support Dynamic Trunking Protocol (DTP), so the trunk must be static and unconditional. The auto or desirable physical switch settings do not work with the ESXi Server because the physical switch communicates with the ESXi Server using DTP. The non-negotiate and on options unconditionally enable VLAN trunking on the physical switch and create a VLAN trunk link between the ESXi Server and the physical switch. The difference between non-negotiate and on options is that on mode still sends out DTP frames, whereas the non-negotiate option does not. The non-negotiate option should be used for all VLAN trunks, to minimize unnecessary network traffic for virtual switches in VST mode.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000366Note that this check refers to an entity outside the physical scope of the ESXi server system. Document the configuration of external switch ports as trunk ports. 
Log in to the vendor-specific physical switch and disable DTP on the physical switch ports connected to the ESXi Host. Update the documentation on an organization defined frequency or whenever modifications are made to either ESXi hosts or the upstream external switch ports.Note that this check refers to an entity outside the physical scope of the ESXi server system. The configuration of external switch ports as trunk ports must be documented. Virtual Switch Tagging (VST) mode does not support Dynamic Trunking Protocol (DTP), so the trunk must be static and unconditional. Inspect the documentation and verify that the documentation is correct and updated on an organization defined frequency and/or whenever modifications are made to either ESXi hosts or the upstream external switch ports.
+
+If DTP is enabled on the physical switch ports connected to the ESXi Host, this is a finding.SRG-OS-000480-VMM-002000<GroupDescription></GroupDescription>ESXI-65-000067All ESXi host-connected physical switch ports must be configured with spanning tree disabled.<VulnDiscussion>Since VMware virtual switches do not support STP, the ESXi host-connected physical switch ports must have portfast configured if spanning tree is enabled to avoid loops within the physical switch network. If these are not set, potential performance and connectivity issues might arise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000366Note that this check refers to an entity outside the scope of the ESXi server system. 
Document the upstream physical switch configuration for spanning tree protocol disablement and/or portfast configuration for all physical ports connected to ESXi hosts. Log in to the physical switch(es) and disable spanning tree protocol and/or configure portfast for all physical ports connected to ESXi hosts. Update the documentation on an organization defined frequency or whenever modifications are made to either ESXi hosts or the upstream physical switches.Note that this check refers to an entity outside the physical scope of the ESXi server system. The configuration of upstream physical switches must be documented to ensure that spanning tree protocol is disabled and/or portfast is configured for all physical ports connected to ESXi hosts. Inspect the documentation and verify that the documentation is updated on an organization defined frequency and/or whenever modifications are made to either ESXi hosts or the upstream physical switches. Alternatively, log in to the physical switch and verify that spanning tree protocol is disabled and/or portfast is configured for all physical ports connected to ESXi hosts.
+
+If the physical switch's spanning tree protocol is not disabled or portfast is not configured for all physical ports connected to ESXi hosts, this is a finding.SRG-OS-000480-VMM-002000<GroupDescription></GroupDescription>ESXI-65-000068All ESXi host-connected virtual switch VLANs must be fully documented and have only the required VLANs.<VulnDiscussion>When defining a physical switch port for trunk mode, only specified VLANs must be configured on the VLAN trunk link. 
The risk with not fully documenting all VLANs on the vSwitch is that it is possible that a physical trunk port might be configured without needed VLANs, or with unneeded VLANs, potentially enabling an administrator to either accidentally or maliciously connect a VM to an unauthorized VLAN.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000366Note that this check refers to an entity outside the scope of the ESXi server system.
+
+Remove any VLANs trunked across physical ports connected to ESXi hosts that are not in use.Note that this check refers to an entity outside the physical scope of the ESXi server system. The configuration of upstream physical switches must be documented to ensure that unneeded VLANs are configured for all physical ports connected to ESXi hosts. Inspect the documentation and verify that the documentation is updated on an organization defined frequency and/or whenever modifications are made to either ESXi hosts or the upstream physical switches. Alternatively, log in to the physical switch and verify that only needed VLANs are configured for all physical ports connected to ESXi hosts.
+
+If the physical switch's configuration is trunked VLANs that are not used by ESXi for all physical ports connected to ESXi hosts, this is a finding.SRG-OS-000480-VMM-002000<GroupDescription></GroupDescription>ESXI-65-000070The ESXi host must not provide root/administrator level access to CIM-based hardware monitoring tools or other third-party applications.<VulnDiscussion>The CIM system provides an interface that enables hardware-level management from remote applications via a set of standard APIs. 
Create a limited-privilege, read-only service account for CIM. Grant this role to the user on the ESXi server. Place this user in the Exception Users list. When/where write access is required, create/enable a limited-privilege, service account and grant only the minimum required privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000366Create a role for the CIM account.
+
+From the Host Client, go to manage, then Security & Users. Select Roles then click Add Role. Provide a name for the new role then select Host >> Cim >> Ciminteraction and click Add.
+
+Add a CIM user account.
+
+From the Host Client, go to manage, then Security & Users. Select Users then click Add User. Provide a name, description, and password for the new user then click Add.
+
+Assign the CIM account permissions to the host with the new role.
+
+From the Host Client, select the ESXi host, right click and go to "Permissions". Click Add User and select the CIM account from the drop down list and select the new CIM role from the drop down list and click Add User.The CIM system provides an interface that enables hardware-level management from remote applications via a set of standard APIs. Create a limited-privilege, read-only service account for CIM. Grant this role to the user on the ESXi server. Place this user in the Exception Users list. When/where write access is required, create/enable a limited-privilege, service account and grant only the minimum required privileges.
+
+From the Host Client, select the ESXi host, right click and go to "Permissions". 
Verify the CIM account user role is limited to read only and CIM permissions.
+
+If there is no dedicated CIM account and the root is used for CIM monitoring, this is a finding.
+
+If write access is not required and the access level is not "read-only", this is a finding.SRG-OS-000480-VMM-002000<GroupDescription></GroupDescription>ESXI-65-000071The ESXi host must verify the integrity of the installation media before installing ESXi.<VulnDiscussion>Always check the SHA1 or MD5 hash after downloading an ISO, offline bundle, or patch to ensure integrity and authenticity of the downloaded files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000366If the hash returned from the md5sum or sha1sum commands do not match the vendor's hash, the downloaded software must be discarded.
+
+If the physical media is obtained from VMware and the security seal is broken, the software must be returned to VMware for replacement.The downloaded ISO, offline bundle, or patch hash must be verified against the vendor's checksum to ensure the integrity and authenticity of the files.
+
+See some typical command line example(s) for both the md5 and sha1 hash check(s) directly below. 
+
+# md5sum <filename>.iso
+# sha1sum <filename>.iso
+
+If any of the system's downloaded ISO, offline bundle, or system patch hashes cannot be verified against the vendor's checksum, this is a finding.SRG-OS-000480-VMM-002000<GroupDescription></GroupDescription>ESXI-65-000072The ESXi host must have all security patches and updates installed.<VulnDiscussion>Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000366If vCenter Update Manager is used on the network, hosts can be remediated from the vSphere Web Client. From the vSphere Web Client go to Hosts and Clusters >> Update Manager tab and select a non-compliant host and click the Remediate button.
+
+To manually remediate a host the patch file must be copied locally and the following command run from an SSH session connected to the ESXi host, or from the ESXi shell:
+
+esxcli software vib update -d <path to offline patch bundle.zip>If vCenter Update Manager is used on the network it can be used to scan all hosts for missing patches. From the vSphere Client go to Hosts and Clusters > Update Manager tab and select scan to view all hosts compliance status.
+
+If vCenter Update Manager is not used a hosts compliance status must be manually determined by the build number. The following VMware KB 1014508 can be used to correlate patches with build numbers.
+
+If the ESXi host does not have the latest patches, this is a finding.
+
+If the ESXi host is not on a supported release, this is a finding. 
+
+VMware also publishes Advisories on security patches, and offers a way to subscribe to email alerts for them.
+https://www.vmware.com/support/policies/security_responseSRG-OS-000480-VMM-002000<GroupDescription></GroupDescription>ESXI-65-000076The ESXi host must enable Secure Boot.<VulnDiscussion>Secure Boot is a protocol of UEFI firmware that ensures the integrity of the boot process from hardware up through to the OS. Secure Boot for ESXi requires support from the firmware and it requires that all ESXi kernel modules, drivers, and VIBs be signed by VMware or a partner subordinate.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000366Temporarily enable SSH, connect to the ESXi host and run the following command:
+
+/usr/lib/vmware/secureboot/bin/secureBoot.py -c
+
+If the output indicates that Secure Boot cannot be enabled, correct the discrepancies and try again. If the discrepancies cannot be rectified this finding is downgraded to a CAT III.
+
+Consult your vendor documentation and boot the host into BIOS setup mode. Enable UEFI boot mode and Secure Boot. Restart the host. 
+
+Temporarily enable SSH, connect to the ESXi host and run the following command to verify that Secure Boot is enabled:
+
+/usr/lib/vmware/secureboot/bin/secureBoot.py -sTemporarily enable SSH, connect to the ESXi host and run the following command:
+
+/usr/lib/vmware/secureboot/bin/secureBoot.py -s
+
+If the output is not Enabled, this is a finding.SRG-OS-000480-VMM-002000<GroupDescription></GroupDescription>ESXI-65-000078The ESXi host must use DoD-approved certificates.<VulnDiscussion>The default self-signed, VMCA issued host certificate must be replaced with a DoD-approved certificate. The use of a DoD certificate on the host assures clients that the service they are connecting to is legitimate and properly secured.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000366Obtain a DoD issued certificate and private key for the host following the below requirements:
+
+Key size: 2048 bits or more (PEM encoded)
+Key format: PEM. VMware supports PKCS8 and PKCS1 (RSA keys)
+x509 version 3
+SubjectAltName must contain DNS Name=<machine_FQDN>
+CRT (Base-64) format
+Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment
+Start time of one day before the current time
+CN (and SubjectAltName) set to the host name (or IP address) that the ESXi host has in the vCenter Server inventory.
+
+Put the host into maintenance mode.
+
+Temporarily enable SSH on the host. SCP the new certificate and key to /tmp. SSH to the host. 
Back up the existing certificate and key:
+
+mv /etc/vmware/ssl/rui.crt /etc/vmware/ssl/rui.crt.bak
+mv /etc/vmware/ssl/rui.key /etc/vmware/ssl/rui.key.bak
+
+Copy your new certificate and key to /etc/vmware/ssl/ and rename them to rui.crt and rui.key respectively. Restart management agents to implement the new certificate:
+
+services.sh restart
+
+From the vSphere Web Client go to vCenter Inventory Lists >> vCenter Servers >> Select your vCenter Server >> Manage >> Settings >> Advanced Settings. Find or create the vpxd.certmgmt.mode key and set its value to custom.Temporarily enable SSH, connect to the ESXi host and run the following command:
+
+# openssl x509 -in /etc/vmware/ssl/rui.crt -text | grep Issuer
+
+If the issuer is not a DoD approved certificate authority, this is a finding.SRG-OS-000109-VMM-000550<GroupDescription></GroupDescription>ESXI-65-100037The ESXi host must require individuals to be authenticated with an individual authenticator prior to using a group authenticator by using Active Directory for local user authentication.<VulnDiscussion>Join ESXi hosts to an Active Directory (AD) domain to eliminate the need to create and maintain multiple local user accounts. Using AD for user authentication simplifies the ESXi host configuration, ensures password complexity and reuse policies are enforced and reduces the risk of security breaches and unauthorized access. 
Note: If the AD group "ESX Admins" (default) exists then all users and groups that are assigned as members to this group will have full administrative access to all ESXi hosts the domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-000770From the vSphere Client select the ESXi host and go to Configuration >> Authentication Services. Click "Properties" and change the "Directory Service Type" to "Active Directory", enter the domain to join, check "Use vSphere Authentication Proxy" and enter the proxy server address then click "Join Domain".
+
+or
+
+From a PowerCLI command prompt while connected to the ESXi host run the following command:
+
+Get-VMHost | Get-VMHostAuthentication | Set-VMHostAuthentication -JoinDomain -Domain "domain name" -User "username" -Password "password"For systems that do not use Active Directory and have no local user accounts, other than "root" and/or "vpxuser", this is not applicable.
+
+From the vSphere Client select the ESXi host and go to Configuration >> Authentication Services. Verify the "Directory Services Type" is set to "Active Directory".
+
+or
+
+From a PowerCLI command prompt while connected to the ESXi host run the following command:
+
+Get-VMHost | Get-VMHostAuthentication
+
+For systems that do not use Active Directory and do have local user accounts, other than "root" and/or "vpxuser"", this is a finding.
+
+If the "Directory Services Type" is not set to "Active Directory", this is a finding. 
+If you are not using Host Profiles to join active directory, this is not a finding.SRG-OS-000423-VMM-001700<GroupDescription></GroupDescription>ESXI-65-000049The ESXi host must protect the confidentiality and integrity of transmitted information by protecting ESXi management traffic.<VulnDiscussion>The vSphere management network provides access to the vSphere management interface on each component. Services running on the management interface provide an opportunity for an attacker to gain privileged access to the systems. Any remote attack most likely would begin with gaining entry to this network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESXi 6.5DISADPMS TargetESXi 6.53485CCI-002418From the vSphere Web Client select the ESXi host and go to Configure >> Networking >> VMkernel adapters. Select the Management VMkernel and click Edit settings >> On the Port properties tab uncheck everything but "Management.” On the IP Settings tab >> Enter the appropriate IP address and subnet information and click OK. Set the appropriate VLAN ID >> Configure >> Networking >> Virtual switches. Select the Management portgroup and click Edit settings >> On the properties tab, enter the appropriate VLAN ID and click OK.The Management VMkernel port group should in a dedicated VLAN that can be on a common standard or distributed virtual switch as long as the Management VLAN is not shared by any other function and it not accessible to anything other than management related functions such as vCenter. The check for this will be unique per environment. 
+
+From the vSphere Web Client select the ESXi host and go to Configure >> Networking and review the VLAN associated with the Management VMkernel and verify they are dedicated for that purpose and are logically separated from other functions.
+
+If the network segment is accessible, except to networks where other management-related entities are located such as vCenter, this is a finding.
diff --git a/source/StigData/Archive/Vsphere/U_VMware_vSphere_6-5_ESXi_STIG_V1R3_Manual-xccdf.log b/source/StigData/Archive/Vsphere/U_VMware_vSphere_6-5_ESXi_STIG_V1R3_Manual-xccdf.log
new file mode 100644
index 000000000..e822876dd
--- /dev/null
+++ b/source/StigData/Archive/Vsphere/U_VMware_vSphere_6-5_ESXi_STIG_V1R3_Manual-xccdf.log
@@ -0,0 +1,2 @@
+V-94349::From the Host Client, select the ESXi host, right click and go to "Permissions". Verify the CIM account user role is limited to read only and CIM permissions.::""
+V-93953::If the Exception users list contains accounts that do not require special permissions, this is a finding.::""
diff --git a/source/StigData/Archive/Vsphere/U_VMware_vSphere_6-5_ESXi_STIG_V1R3_Manual-xccdf.xml b/source/StigData/Archive/Vsphere/U_VMware_vSphere_6-5_ESXi_STIG_V1R3_Manual-xccdf.xml
new file mode 100644
index 000000000..e48b9421c
--- /dev/null
+++ b/source/StigData/Archive/Vsphere/U_VMware_vSphere_6-5_ESXi_STIG_V1R3_Manual-xccdf.xml
@@ -0,0 +1,1197 @@ +acceptedVMware vSphere 6.5 ESXi Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 3 Benchmark Date: 24 Jan 20201I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>SRG-APP-000001-WSR-000002<GroupDescription></GroupDescription>IISW-SI-000201The IIS 8.5 website session state must be enabled.<VulnDiscussion>When the session information is stored on the client, the session ID, along with the user authorization and identity information, is sent along with each client request and is stored in either a cookie, embedded in the uniform resource locator (URL), or placed in a hidden field on the displayed form. Each of these offers advantages and disadvantages. The biggest disadvantage to all three is the hijacking of a session along with all of the user's credentials. 
- -When the user authorization and identity information is stored on the server in a protected and encrypted database, the communication between the client and web server will only send the session identifier, and the server can then retrieve user credentials for the session when needed. If, during transmission, the session were to be hijacked, the user's credentials would not be compromised. - -ASP.NET provides a session state, which is available as the HttpSessionState class, as a method of storing session-specific information that is visible only within the session. ASP.NET session state identifies requests from the same browser during a limited time window as a session, and provides the ability to persist variable values for the duration of that session.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-000054Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click the site name. - -Under the "ASP.NET" section, select "Session State". - -Under "Session State Mode Settings", verify the "In Process" mode is selected. - -Select "Apply" from the "Actions" pane.Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click the site name. - -Under the "ASP.NET" section, select "Session State". - -Under "Session State Mode Settings", verify the "In Process" mode is selected. - -If the "Session State Mode Settings" is set to "In Process", this is not a finding. - -Alternative method: - -Click the site name. - -Select "Configuration Editor" under the "Management" section. 
- -From the "Section:" drop-down list at the top of the configuration editor, locate "system.web/sessionState". - -Verify the "mode" reflects "InProc". - -If the "mode" is not set to "InProc", this is a finding.SRG-APP-000001-WSR-000002<GroupDescription></GroupDescription>IISW-SI-000202The IIS 8.5 website session state cookie settings must be configured to Use Cookies mode.<VulnDiscussion>When the session information is stored on the client, the session ID, along with the user authorization and identity information, is sent along with each client request and is stored in either a cookie, embedded in the uniform resource locator (URL), or placed in a hidden field on the displayed form. Each of these offers advantages and disadvantages. The biggest disadvantage to all three is the hijacking of a session along with all of the user's credentials. - -When the user authorization and identity information is stored on the server in a protected and encrypted database, the communication between the client and website will only send the session identifier, and the server can then retrieve user credentials for the session when needed. If, during transmission, the session were to be hijacked, the user's credentials would not be compromised. - -ASP.NET provides a session state, which is available as the HttpSessionState class, as a method of storing session-specific information that is visible only within the session. ASP.NET session state identifies requests from the same browser during a limited time window as a session, and provides the ability to persist variable values for the duration of that session. - -Cookies associate session information with client information for the duration of a user’s connection to a website. Using cookies is a more efficient way to track session state than any of the methods that do not use cookies because cookies do not require any redirection. 
-</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-000054Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click the site name. - -Under the ASP.NET section, select "Session State". - -Under "Cookie Settings", select the "Use Cookies" from the "Mode:" drop-down list. - -Select "Apply" from the "Actions" pane. -Follow the procedures below for each site hosted on the IIS 8.5 web server: -Open the IIS 8.5 Manager. -Click the site name. -Under the "ASP.NET" section, select "Session State". -Under "Cookie Settings", verify the "Use Cookies" mode is selected from the "Mode:" drop-down list. -If the "Use Cookies" mode is selected, this is not a finding. - -Alternative method: -Click the site name. -Select "Configuration Editor" under the "Management" section. -From the "Section:" drop-down list at the top of the configuration editor, locate "system.web/sessionState". -Verify the "cookieless" is set to "UseCookies". -If the "cookieless" is not set to "UseCookies", this is a finding. -Note: If IIS 8.5 server/site is used only for system-to-system maintenance, does not allow users to connect to interface, and is restricted to specific system IPs, this is Not Applicable.SRG-APP-000014-WSR-000006<GroupDescription></GroupDescription>IISW-SI-000203A private IIS 8.5 website must only accept Secure Socket Layer connections.<VulnDiscussion>Transport Layer Security (TLS) encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. 
If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. A private web server must use a FIPS 140-2-approved TLS version, and all non-FIPS-approved SSL versions must be disabled. - -FIPS 140-2-approved TLS versions include TLS V1.1 or greater. NIST SP 800-52 specifies the preferred configurations for government systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-000068Note: If the server being reviewed is a public IIS 8.5 web server, this is Not Applicable. - -Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click the site name. - -Double-click the "SSL Settings" icon. - -Select "Require SSL" check box. - -Select "Apply" from the "Actions" pane.Note: If the server being reviewed is a public IIS 8.5 web server, this is Not Applicable. - -Note: If SSL is installed on load balancer/proxy server through which traffic is routed to the IIS 8.5 server, and the IIS 8.5 server receives traffic from the load balancer/proxy server, the SSL requirement must be met on the load balancer/proxy server. - -Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. -Click the site name. -Double-click the "SSL Settings" icon. -Verify "Require SSL" check box is selected. 
- -If the "Require SSL" check box is not selected, this is a finding.SRG-APP-000014-WSR-000006<GroupDescription></GroupDescription>IISW-SI-000204A public IIS 8.5 website must only accept Secure Socket Layer connections when authentication is required.<VulnDiscussion>Transport Layer Security (TLS) encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. A private web server must use a FIPS 140-2-approved TLS version, and all non-FIPS-approved SSL versions must be disabled. - -FIPS 140-2-approved TLS versions include TLS V1.1 or greater. NIST SP 800-52 specifies the preferred configurations for government systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-000068Note: If the server being reviewed is a private IIS 8.5 web server, this is Not Applicable. - -Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click the site name. - -Double-click the "SSL Settings" icon. - -Select "Require SSL" check box. - -Select "Apply" from the "Actions" pane.Note: If the server being reviewed is a private IIS 8.5 web server, this is Not Applicable. - -Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click the site name. - -Double-click the "SSL Settings" icon. - -Verify "Require SSL" check box is selected. 
- -If the "Require SSL" check box is not selected, this is a finding.SRG-APP-000092-WSR-000055<GroupDescription></GroupDescription>IISW-SI-000205The enhanced logging for each IIS 8.5 website must be enabled and capture, record, and log all content related to a user session.<VulnDiscussion>Log files are a critical component to the successful management of an IS used within the DoD. By generating log files with useful information web administrators can leverage them in the event of a disaster, malicious attack, or other site-specific needs. - -Ascertaining the correct order of the events that occurred is important during forensic analysis. Events that appear harmless by themselves might be flagged as a potential threat when properly viewed in sequence. By also establishing the event date and time, an event can be properly viewed with an enterprise tool to fully see a possible threat in its entirety. - -Without sufficient information establishing when the log event occurred, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked. 
- -Satisfies: SRG-APP-000092-WSR-000055, SRG-APP-000093-WSR-000053</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-001462CCI-001464Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click the site name. - -Click the "Logging" icon. - -Under Format select "W3C". - -Select the following fields: Date, Time, Client IP Address, User Name, Method, URI Query, Protocol Status, and Referrer. - -Select "Apply" from the "Actions" pane.Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click the site name. - -Click the "Logging" icon. - -Under Format select "W3C". - -Click “Select Fields”, verify at a minimum the following fields are checked: Date, Time, Client IP Address, User Name, Method, URI Query, Protocol Status, and Referrer. - -If the "W3C" is not selected as the logging format OR any of the required fields are not selected, this is a finding.SRG-APP-000092-WSR-000055<GroupDescription></GroupDescription>IISW-SI-000206Both the log file and Event Tracing for Windows (ETW) for each IIS 8.5 website must be enabled.<VulnDiscussion>Internet Information Services (IIS) on Windows Server 2012 provides basic logging capabilities. However, because IIS takes some time to flush logs to disk, administrators do not have access to logging information in real-time. In addition, text-based log files can be difficult and time-consuming to process. - -In IIS 8.5, the administrator has the option of sending logging information to Event Tracing for Windows (ETW). 
This option gives the administrator the ability to use standard query tools, or create custom tools, for viewing real-time logging information in ETW. This provides a significant advantage over parsing text-based log files that are not updated in real time. - -Satisfies: SRG-APP-000092-WSR-000055, SRG-APP-000108-WSR-000166</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-000139CCI-001464Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click the site name. - -Click the "Logging" icon. - -Under Log Event Destination, select the "Both log file and ETW event" radio button. - -Select "Apply" from the "Actions" pane.Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click the site name. - -Click the "Logging" icon. - -Under Log Event Destination, verify the "Both log file and ETW event" radio button is selected. - -If the "Both log file and ETW event" radio button is not selected, this is a finding.SRG-APP-000098-WSR-000060<GroupDescription></GroupDescription>IISW-SI-000208An IIS 8.5 website behind a load balancer or proxy server, must produce log records containing the source client IP and destination information.<VulnDiscussion>Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. - -Ascertaining the correct source, e.g. source IP, of the events is important during forensic analysis. 
Correctly determining the source of events will add information to the overall reconstruction of the logable event. By determining the source of the event correctly, analysis of the enterprise can be undertaken to determine if events tied to the source occurred in other areas within the enterprise. - -A web server behind a load balancer or proxy server, when not configured correctly, will record the load balancer or proxy server as the source of every logable event. When looking at the information forensically, this information is not helpful in the investigation of events. The web server must record with each event the client source of the event.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-000133Access the proxy server through which inbound web traffic is passed and configure settings to pass web traffic to the IIS 8.5 web server transparently.Interview the System Administrator to review the configuration of the IIS 8.5 architecture and determine if inbound web traffic is passed through a proxy. - -If the IIS 8.5 is receiving inbound web traffic through a proxy, the audit logs must be reviewed to determine if correct source information is being passed through by the proxy server. - -Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click the site name. - -Click the "Logging" icon. - -Click on "View log file" button. - -When log file is displaced, review source IP information in log entries and verify entries do not reflect the IP address of the proxy server. 
- -If the website is not behind a load balancer or proxy server, this is Not Applicable. - -If the log entries in the log file(s) reflect the IP address of the proxy server as the source, this is a finding. - -If provisions have been made to log the client IP via another field (i.e., utilizing X-Forwarded-For), this is not a finding.SRG-APP-000099-WSR-000061<GroupDescription></GroupDescription>IISW-SI-000209The IIS 8.5 website must produce log records that contain sufficient information to establish the outcome (success or failure) of IIS 8.5 website events.<VulnDiscussion>Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. - -Ascertaining the success or failure of an event is important during forensic analysis. Correctly determining the outcome will add information to the overall reconstruction of the logable event. By determining the success or failure of the event correctly, analysis of the enterprise can be undertaken to determine if events tied to the event occurred in other areas within the enterprise. - -Without sufficient information establishing the success or failure of the logged event, investigation into the cause of event is severely hindered. The success or failure also provides a means to measure the impact of an event and help authorized personnel to determine the appropriate response. 
Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-000134Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Select the website being reviewed. - -Under "IIS", double-click the "Logging" icon. - -Configure the "Format:" under "Log File" to "W3C". - -Select the "Fields" button. - -Under "Custom Fields", select the following fields: - -Request Header >> Connection - -Request Header >> Warning - -Click "OK". - -Select "Apply" from the "Actions" pane.Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Select the website being reviewed. - -Under "IIS", double-click the "Logging" icon. - -Verify the "Format:" under "Log File" is configured to "W3C". - -Select the "Fields" button. - -Under "Custom Fields", verify the following fields are selected: - -Request Header >> Connection - -Request Header >> Warning - -If any of the above fields are not selected, this is a finding.SRG-APP-000100-WSR-000064<GroupDescription></GroupDescription>IISW-SI-000210The IIS 8.5 website must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event.<VulnDiscussion>Web server logging capability is critical for accurate forensic analysis. 
Without sufficient and accurate information, a correct replay of the events cannot be determined. - -Determining user accounts, processes running on behalf of the user, and running process identifiers also enable a better understanding of the overall event. User tool identification is also helpful to determine if events are related to overall user access or specific client tools. - -Log record content that may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-001487Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Access the IIS 8.5 web server IIS 8.5 Manager. - -Select the website being reviewed. - -Under "IIS", double-click the "Logging" icon. - -Configure the "Format:" under "Log File" to "W3C". - -Select the "Fields" button. - -Under "Standard Fields", select "User Agent", "User Name" and "Referrer". - -Under "Custom Fields", select the following fields: - -Request Header >> Authorization - -Response Header >> Content-Type - -Click "OK". - -Select "Apply" from the "Actions" pane.Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Access the IIS 8.5 web server IIS 8.5 Manager. - -Under "IIS", double-click the "Logging" icon. - -Verify the "Format:" under "Log File" is configured to "W3C". - -Select the "Fields" button. 
- -Under "Standard Fields", verify "User Agent", "User Name" and "Referrer" are selected. - -Under "Custom Fields", verify the following fields have been configured: - -Request Header >> Authorization - -Response Header >> Content-Type - -If any of the above fields are not selected, this is a finding.SRG-APP-000120-WSR-000070<GroupDescription></GroupDescription>IISW-SI-000213The log information from the IIS 8.5 website must be protected from unauthorized modification or deletion.<VulnDiscussion>A major tool in exploring the website use, attempted use, unusual conditions, and problems are the access and error logs. In the event of a security incident, these logs can provide the SA and the web manager with valuable information. Failure to protect log files could enable an attacker to modify the log file data or falsify events to mask an attacker's activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-000163CCI-000164Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click the site name. - -Click the "Logging" icon. - -Click "Browse" and navigate to the directory where the log files are stored. - -Right-click the log file name to review and click “Properties”. - -Click the “Security” tab. - -Set the log file permissions for the appropriate group.Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. -Click the site name. -Click the "Logging" icon. -Click "Browse" and navigate to the directory where the log files are stored. 
-Right-click the log file name to review and click “Properties”. -Click the “Security” tab. -Verify only authorized groups are listed, if others are listed, this is a finding. - -Note: The log file should be restricted as follows: -Auditors - Full Control -SYSTEM - Full Control -Administrators - Full Control -Web Managers - ReadSRG-APP-000141-WSR-000081<GroupDescription></GroupDescription>IISW-SI-000214The IIS 8.5 website must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled.<VulnDiscussion>Controlling what a user of a hosted application can access is part of the security posture of the web server. Any time a user can access more functionality than is needed for the operation of the hosted application poses a security issue. A user with too much access can view information that is not needed for the user's job role, or the user could use the function in an unintentional manner. - -A MIME tells the web server what type of program various file types and extensions are and what external utilities or programs are needed to execute the file type. - -A shell is a program that serves as the basic interface between the user and the operating system, so hosted application users must not have access to these programs. Shell programs may execute shell escapes and can then perform unauthorized activities that could damage the security posture of the web server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-000381Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click on the IIS 8.5 site. 
- -Under IIS, double-click the “MIME Types” icon. - -From the "Group by:" drop-down list, select "Content Type". - -From the list of extensions under "Application", remove MIME types for OS shell program extensions, to include at a minimum, the following extensions: - -.exe -.dll -.com -.bat -.csh - -Select "Apply" from the "Actions" pane.Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click on the IIS 8.5 site. - -Under IIS, double-click the “MIME Types” icon. - -From the "Group by:" drop-down list, select "Content Type". - -From the list of extensions under "Application", verify MIME types for OS shell program extensions have been removed, to include at a minimum, the following extensions: - -.exe -.dll -.com -.bat -.csh - -If any OS shell MIME types are configured, this is a finding.SRG-APP-000141-WSR-000082<GroupDescription></GroupDescription>IISW-SI-000215Mappings to unused and vulnerable scripts on the IIS 8.5 website must be removed.<VulnDiscussion>IIS 8.5 will either allow or deny script execution based on file extension. The ability to control script execution is controlled through two features with IIS 8.5, “Request Filtering” and "Handler Mappings". - -For "Request Filtering", the ISSO must document and approve all allowable file extensions the website allows (white list) and denies (black list) by the website. The white list and black list will be compared to the "Request Filtering" in IIS 8. 
"Request Filtering" at the site level take precedence over "Request Filtering" at the server level.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-000381Open the IIS 8.5 Manager. - -Click the site name under review. - -Double-click Request Filtering->File Name Extensions Tab->Deny File Name Extension. - -Add any script file extensions listed on the black list that are not listed. - -Select "Apply" from the "Actions" pane.For "Request Filtering", the ISSO must document and approve all allowable scripts the website allows (white list) and denies (black list) by the website. The white list and black list will be compared to the "Request Filtering" in IIS 8.5. "Request Filtering" at the site level take precedence over "Request Filtering" at the server level. - -Open the IIS 8.5 Manager. - -Click the site name under review. - -Double-click Request Filtering->File Name Extensions Tab. - -If any script file extensions from the black list are not denied, this is a finding.SRG-APP-000141-WSR-000083<GroupDescription></GroupDescription>IISW-SI-000216The IIS 8.5 website must have resource mappings set to disable the serving of certain file types.<VulnDiscussion>Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client and to identify which file types are not to be delivered to a client. - -By not specifying which files can and which files cannot be served to a user, the web server could deliver to a user web server configuration files, log files, password files, etc. 
- -The web server must only allow hosted application file types to be served to a user and all other types must be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-000381Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click the site name under review. - -Double-click "Request Filtering". - -For any file name extensions from the black list which have "Allowed" set to "True", remove the file name extension. - -Select "Deny File Name Extension" from the "Actions" pane. - -Add each file name extension from the black list. - -Select "Apply" from the "Actions" pane.For "Handler Mappings", the ISSO must document and approve all allowable file extensions the website allows (white list) and denies (black list) by the website. The white list and black list will be compared to the "Handler Mappings" in IIS 8.5. "Handler Mappings" at the site level take precedence over "Handler Mappings" at the server level. - -Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Double-click "Request Filtering". - -If any file name extensions from the black list have "Allowed" set to "True", this is a finding.SRG-APP-000141-WSR-000085<GroupDescription></GroupDescription>IISW-SI-000217The IIS 8.5 website must have Web Distributed Authoring and Versioning (WebDAV) disabled.<VulnDiscussion>A web server can be installed with functionality that, just by its nature, is not secure. 
Web Distributed Authoring (WebDAV) is an extension to the HTTP protocol that, when developed, was meant to allow users to create, change, and move documents on a server, typically a web server or web share. Allowing this functionality, development, and deployment is much easier for web authors. - -WebDAV is not widely used and has serious security concerns because it may allow clients to modify unauthorized files on the web server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-000381Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Access Server Manager on the IIS 8.5 website. - -Select the Local Server. - -Click on "Manage". - -Select "Add Roles and Features". - -Click "Next" on the "Before you begin" dialog box. - -Select "Role-based or feature-based installation" on the "Installation Type" dialog box and click on "Next". - -Select the IIS 8.5 web server on the "Server Selection" dialog box. - -From the "Windows Features" dialog box, navigate to "World Wide Web Services" >> "Common HTTP Features". - -De-select "WebDAV Publishing" and click "Next" to complete removing the WebDAV Publishing feature from the IIS 8.5 web server. - -Select "Apply" from the "Actions" pane.Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Select the IIS 8.5 website. - -Review the features listed under the "IIS" section. 
- -If the "WebDAV Authoring Rules" icon exists, this is a finding.SRG-APP-000141-WSR-000086<GroupDescription></GroupDescription>IISW-SI-000218The production website must configure the Global .NET Trust Level.<VulnDiscussion>A web server may host too many applications. Each application will need certain system resources and privileged operations to operate correctly. An application's trust level determines the permissions granted by the ASP.NET Code Access Security (CAS) policy. An application with full trust permissions may access all resource types on a server and perform privileged operations, while applications running with partial trust have varying levels of operating permissions and access to resources. The CAS determines the permissions granted to the application on the server. Setting a level of trust compatible with the applications will limit the potential harm a compromised application could cause to a system. The web server must be configured to contain and control the applications and protect the system resources and privileged operations from those not needed by the application for operation. - -Limiting the application will confine the potential harm a compromised application could cause to a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-000381Note: If the server being reviewed is a non-production website, this is Not Applicable. - -Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click the site name under review. - -Double-click the ".NET Trust Level" icon. 
- -Set the ".NET Trust Level" to Full or less and click “Apply”. - -Select "Apply" from the "Actions" pane. -Note: If the server being reviewed is a non-production website, this is Not Applicable. - -Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click the site name under review. - -Double-click the ".NET Trust Level" icon. - -If the ".NET Trust Level" is not set to Full or less, this is a finding. -SRG-APP-000142-WSR-000089<GroupDescription></GroupDescription>IISW-SI-000219Each IIS 8.5 website must be assigned a default host header.<VulnDiscussion>The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to utilize, the web server will listen on all IP addresses available to the hosting server. If the web server has multiple IP addresses, i.e., a management IP address, the web server will also accept connections on the management IP address. - -Accessing the hosted application through an IP address normally used for non-application functions opens the possibility of user access to resources, utilities, files, ports, and protocols that are protected on the desired application IP address.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-000382Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Right-click on the site name under review. - -Select “Edit Bindings”. - -Assign hostname entries and unique IP addresses to port 80 for HTTP and port 443 for HTTPS. 
Other approved and documented ports may be used. - -Click "OK". - -Select "Apply" from the "Actions" pane.Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Right-click on the site name under review. - -Select “Edit Bindings”. - -Verify there are hostname entries and unique IP addresses assigned to port 80 for HTTP and port 443 for HTTPS. Other approved and documented ports may be used. - -If both hostname entries and unique IP addresses are not configure to port 80 for HTTP and port 443 for HTTPS (or other approved and documented port), this is a finding. - -Note: If certificate handling is performed at the Proxy/Load Balancer, this is not a finding.SRG-APP-000172-WSR-000104<GroupDescription></GroupDescription>IISW-SI-000220A private websites authentication mechanism must use client certificates to transmit session identifier to assure integrity.<VulnDiscussion>A DoD private website must utilize PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring authorization based on individual identity must use the identity provided by certificate-based authentication to support access control decisions. Not using client certificates allows an attacker unauthenticated access to private websites. 
- -Satisfies: SRG-APP-000172-WSR-000104, SRG-APP-000224-WSR-000135, SRG-APP-000427-WSR-000186</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-000197CCI-001188CCI-002470Note: If the server being reviewed is a public IIS 8.5 web server, this is Not Applicable - -Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Double-click the "SSL Settings" icon. - -Verify the "Clients Certificate Required" check box is selected. - -Select "Apply" from the "Actions" pane.Note: If the server being reviewed is a public IIS 8.5 web server, this is Not Applicable. - -Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Double-click the "SSL Settings" icon. - -Verify the "Clients Certificate Required" check box is selected. - -If the "Clients Certificate Required" check box is not selected, this is a finding.SRG-APP-000211-WSR-000031<GroupDescription></GroupDescription>IISW-SI-000221Anonymous IIS 8.5 website access accounts must be restricted.<VulnDiscussion>Many of the security problems that occur are not the result of a user gaining access to files or data for which the user does not have permissions, but rather users are assigned incorrect permissions to unauthorized data. The files, directories, and data that are stored on the web server need to be evaluated and a determination made concerning authorized access to information and programs on the server. 
Only authorized users and administrative accounts will be allowed on the host server in order to maintain the web server, applications, and review the server operations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-001082Remove the Anonymous access account from all privileged accounts and all privileged groups.Check the account used for anonymous access to the website. - -Follow the procedures below for each site hosted on the IIS 8.5 web server: -Open the IIS 8.5 Manager. - -Double-click "Authentication" in the IIS section of the website’s Home Pane. - -If Anonymous access is disabled, this is Not a Finding. - -If Anonymous access is enabled, click “Anonymous Authentication”. - -Click “Edit” in the "Actions" pane. - -If the “Specific user” radio button is enabled and an ID is specified in the adjacent control box, this is the ID being used for anonymous access. Note: account name. - -Check privileged groups that may allow the anonymous account inappropriate membership: -Open “Server Manager” on the machine. - -Expand Configuration. - -Expand Local Users and Groups. - -Click “Groups”. - -Review members of any of the following privileged groups: - -Administrators -Backup Operators -Certificate Services (of any designation) -Distributed COM Users -Event Log Readers -Network Configuration Operators -Performance Log Users -Performance Monitor Users -Power Users -Print Operators -Remote Desktop Users -Replicator -Users - -Double-click each group and review its members. 
- -If the IUSR account or any account noted above used for anonymous access is a member of any group with privileged access, this is a finding.SRG-APP-000224-WSR-000136<GroupDescription></GroupDescription>IISW-SI-000223The IIS 8.5 website must generate unique session identifiers that cannot be reliably reproduced.<VulnDiscussion>Communication between a client and the web server is done using the HTTP protocol, but HTTP is a stateless protocol. In order to maintain a connection or session, a web server will generate a session identifier (ID) for each client session when the session is initiated. The session ID allows the web server to track a user session and, in many cases, the user, if the user previously logged into a hosted application. - -By being able to guess session IDs, an attacker can easily perform a man-in-the-middle attack. To truly generate random session identifiers that cannot be reproduced, the web server session ID generator, when used twice with the same input criteria, must generate an unrelated random ID. - -The session ID generator also needs to be a FIPS 140-2-approved generator.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-001188Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click the site name. - -Under the ASP.NET section, select "Session State". - -Under "Session State" Mode Settings, select the "In Process" mode.Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click the site name. - -Under the "ASP.NET" section, select "Session State". 
- -Under "Session State" Mode Settings, verify the "In Process" mode is selected. - -If the "In Process" mode is selected, this is not a finding. - -Alternative method: - -Click the site name. - -Select "Configuration Editor" under the "Management" section. - -From the "Section:" drop-down list at the top of the configuration editor, locate "system.web/sessionState". - -Verify the "mode" reflects "InProc". - -If the "mode" is not set to "InProc", this is a finding.SRG-APP-000233-WSR-000146<GroupDescription></GroupDescription>IISW-SI-000224The IIS 8.5 website document directory must be in a separate partition from the IIS 8.5 websites system files.<VulnDiscussion>The web document (home) directory is accessed by multiple anonymous users when the web server is in production. By locating the web document (home) directory on the same partition as the web server system file the risk for unauthorized access to these protected files is increased. Additionally, having the web document (home) directory path on the same drive as the system folders also increases the potential for a drive space exhaustion attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-001084Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click the site name under review. - -Click the “Advanced Settings” from the "Actions" pane. - -Change the Physical Path to the new partition and directory location.Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click the site name under review. 
- -Click the "Advanced Settings" from the "Actions" pane. - -Review the Physical Path. - -If the Path is on the same partition as the OS, this is a finding.SRG-APP-000246-WSR-000149<GroupDescription></GroupDescription>IISW-SI-000225The IIS 8.5 website must be configured to limit the maxURL.<VulnDiscussion>Request filtering replaces URLScan in IIS, enabling administrators to create a more granular rule set with which to allow or reject inbound web content. By setting limits on web requests, it helps to ensure availability of web services and may also help mitigate the risk of buffer overflow type attacks. The MaxURL Request Filter limits the number of bytes the server will accept in a URL.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-001094Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Click the site name under review. - -Double-click the "Request Filtering" icon. - -Click “Edit Feature Settings” in the "Actions" pane. - -Set the "maxURL" value to "4096" or less.Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click on the site name. - -Double-click the "Request Filtering" icon. - -Click “Edit Feature Settings” in the "Actions" pane. - -If the "maxUrl" value is not set to "4096" or less, this is a finding.SRG-APP-000246-WSR-000149<GroupDescription></GroupDescription>IISW-SI-000226The IIS 8.5 website must be configured to limit the size of web requests.<VulnDiscussion>By setting limits on web requests, it ensures availability of web services and mitigates the risk of buffer overflow type attacks. 
The maxAllowedContentLength Request Filter limits the number of bytes the server will accept in a request.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-001094Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click the site name under review. - -Double-click the "Request Filtering" icon. - -Click “Edit Feature Settings” in the "Actions" pane. - -Set the "maxAllowedContentLength" value to "30000000" or less.Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click on the site name. - -Double-click the "Request Filtering" icon. - -Click “Edit Feature Settings” in the "Actions" pane. - -If the "maxAllowedContentLength" value is not explicitly set to "30000000" or less or a length documented and approved by the ISSO, this is a finding. -SRG-APP-000246-WSR-000149<GroupDescription></GroupDescription>IISW-SI-000227The IIS 8.5 websites Maximum Query String limit must be configured.<VulnDiscussion>By setting limits on web requests, it helps to ensure availability of web services and may also help mitigate the risk of buffer overflow type attacks. The Maximum Query String Request Filter describes the upper limit on allowable query string lengths. 
Upon exceeding the configured value, IIS will generate a Status Code 404.15.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-001094Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click the site name under review. - -Double-click the "Request Filtering" icon. - -Click “Edit Feature Settings” in the "Actions" pane. - -Set the "Maximum Query String" value to "2048" or less.Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click on the site name. - -Double-click the "Request Filtering" icon. - -Click “Edit Feature Settings” in the "Actions" pane. - -If the "Maximum Query String" value is not set to "2048" or less, this is a finding.SRG-APP-000246-WSR-000149<GroupDescription></GroupDescription>IISW-SI-000228Non-ASCII characters in URLs must be prohibited by any IIS 8.5 website.<VulnDiscussion>By setting limits on web requests, it ensures availability of web services and mitigates the risk of buffer overflow type attacks. 
The allow high-bit characters Request Filter enables rejection of requests containing non-ASCII characters.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-001094Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click the site name under review. - -Double-click the "Request Filtering" icon. - -Click “Edit Feature Settings” in the "Actions" pane. - -Uncheck the "Allow high-bit characters" check box.Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click on the site name. - -Double-click the "Request Filtering" icon. - -Click “Edit Feature Settings” in the "Actions" pane. - -If the "Allow high-bit characters" check box is checked, this is a finding.SRG-APP-000246-WSR-000149<GroupDescription></GroupDescription>IISW-SI-000229Double encoded URL requests must be prohibited by any IIS 8.5 website.<VulnDiscussion>Request filtering enables administrators to create a more granular rule set with which to allow or reject inbound web content. By setting limits on web requests, it ensures availability of web services and mitigates the risk of buffer overflow type attacks. 
When the “Allow double escaping” option is disabled it prevents attacks that rely on double-encoded requests.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-001094Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click the site name under review. - -Double-click the "Request Filtering" icon. - -Click “Edit Feature Settings” in the "Actions" pane. - -Uncheck the "Allow double escaping" check box.Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click on the site name. - -Double-click the "Request Filtering" icon. - -Click “Edit Feature Settings” in the "Actions" pane. - -If the "Allow double escaping" check box is checked, this is a finding.SRG-APP-000246-WSR-000149<GroupDescription></GroupDescription>IISW-SI-000230Unlisted file extensions in URL requests must be filtered by any IIS 8.5 website.<VulnDiscussion>Request filtering enables administrators to create a more granular rule set to allow or reject inbound web content. By setting limits on web requests it helps to ensure availability of web services and may also help mitigate the risk of buffer overflow type attacks. The allow unlisted property of the “File Extensions Request” filter enables rejection of requests containing specific file extensions not defined in the “File Extensions” filter. 
Tripping this filter will cause IIS to generate a Status Code 404.7.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-001094Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click the site name under review. - -Double-click the "Request Filtering" icon. - -Click “Edit Feature Settings” in the "Actions" pane. - -Uncheck the "Allow unlisted file extensions" check box.Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click on the site name. - -Double-click the "Request Filtering" icon. - -Click “Edit Feature Settings” in the "Actions" pane. - -If "Allow unlisted file name extensions" check box is checked, this is a finding.SRG-APP-000251-WSR-000157<GroupDescription></GroupDescription>IISW-SI-000231Directory Browsing on the IIS 8.5 website must be disabled.<VulnDiscussion>Directory browsing allows the contents of a directory to be displayed upon request from a web client. If directory browsing is enabled for a directory in IIS, users could receive a web page listing the contents of the directory. 
If directory browsing is enabled the risk of inadvertently disclosing sensitive content is increased.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-001310Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click the Site. - -Double-click the "Directory Browsing" icon. - -Under the "Actions" pane click "Disabled".Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Click the Site. - -Double-click the "Directory Browsing" icon. - -If the "Directory Browsing" is not installed, this is Not Applicable. - -Under the "Actions" pane verify "Directory Browsing" is "Disabled". - -If "Directory Browsing" is not "Disabled", this is a finding.SRG-APP-000266-WSR-000142<GroupDescription></GroupDescription>IISW-SI-000232The IIS 8.5 website must prevent a web content directory from being displayed.<VulnDiscussion>The goal is to control the web users experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an index.html file is a significant factor to accomplish this end. Also, enumeration techniques, such as URL parameter manipulation, rely upon being able to obtain information about the web server’s directory structure by locating directories with default pages. 
This practice helps ensure the anonymous web user will not obtain directory browsing information or an error message revealing the server type and version.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-001312Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click the site name under review. - -Double-click "Default Document". - -In the “Actions” pane select "Enable". - -Click the "Content View" tab, click on each listed "Default Document" and click on "Explore" under the "Actions" pane. Create a valid document for the listed "Default Document".Note: This requirement is only for each site's root directory. - -Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Click the site name under review. - -Double-click "Default Document". - -In the "Actions" pane, verify the "Default Document" feature is enabled. - -If an "Enable" option is listed under the "Actions" pane, the "Default Document" feature is not enabled and this is a finding. - -If "Default Document" is "Enabled, review the document types. - -Click the "Content View" tab, click on each listed "Default Document" and click on "Explore" under the "Actions" pane. Verify there is a document of that type in the directory. 
- -If "Default Document" is "Enabled" but no listed document types are present in the "Content View", this is a finding.SRG-APP-000266-WSR-000159<GroupDescription></GroupDescription>IISW-SI-000233Warning and error messages displayed to clients must be modified to minimize the identity of the IIS 8.5 website, patches, loaded modules, and directory paths.<VulnDiscussion>HTTP error pages contain information that could enable an attacker to gain access to an information system. Failure to prevent the sending of HTTP error pages with full information to remote requesters exposes internal configuration information to potential attackers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-001312Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click the site name under review. - -Double-click the "Error Pages" icon. - -Click each error message and click "Edit Feature" Setting from the "Actions" pane; set each error message to “Detailed errors for local requests and custom error pages for remote requests”.Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click the site name under review. - -Double-click the "Error Pages" icon. - -Click each error message and click "Edit Feature" setting from the "Actions" pane. 
- -If any error message is not set to “Detailed errors for local requests and custom error pages for remote requests”, this is a finding.SRG-APP-000266-WSR-000160<GroupDescription></GroupDescription>IISW-SI-000234Debugging and trace information used to diagnose the IIS 8.5 website must be disabled.<VulnDiscussion>Setting compilation debug to false ensures detailed error information does not inadvertently display during live application usage, mitigating the risk of application information being displayed to users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-001312Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click the site name under review. - -Double-click ".NET Compilation". - -Scroll down to the "Behavior" section and set the value for "Debug" to "False".Note: If the ".NET feature" is not installed, this check is Not Applicable. - -Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click the site name under review. - -Double-click ".NET Compilation". - -Scroll down to the "Behavior" section and verify the value for "Debug" is set to "False". - -If the "Debug" value is not set to "False", this is a finding.SRG-APP-000295-WSR-000012<GroupDescription></GroupDescription>IISW-SI-000235The Idle Time-out monitor for each IIS 8.5 website must be enabled.<VulnDiscussion>The idle time-out attribute controls the amount of time a worker process will remain idle before it shuts down. A worker process is idle if it is not processing requests and no new requests are received. 
- -The purpose of this attribute is to conserve system resources; the default value for idle time-out is 20 minutes. - -By default, the World Wide Web (WWW) service establishes an overlapped recycle, in which the worker process to be shut down is kept running until after a new worker process is started.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-002361Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click the Application Pools. - -Highlight an Application Pool to review and click "Advanced Settings" in the "Actions" pane. - -Scroll down to the "Process Model" section and set the value for "Idle Time-out" to "20" or less.Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click the Application Pools. - -Highlight an Application Pool to review and click "Advanced Settings" in the "Actions" pane. - -Scroll down to the "Process Model" section and verify the value for "Idle Time-out" is set to "20". - -If the "Idle Time-out" is not set to "20" or less, this is a finding.SRG-APP-000295-WSR-000134<GroupDescription></GroupDescription>IISW-SI-000236The IIS 8.5 websites connectionTimeout setting must be explicitly configured to disconnect an idle session.<VulnDiscussion>Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. 
By closing sessions after a set period of inactivity, the web server can make certain that those sessions that are not closed through the user logging out of an application are eventually closed. - -Acceptable values are 5 minutes for high-value applications, 10 minutes for medium-value applications, and 20 minutes for low-value applications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-002361Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click the site name. - -Select "Configuration Editor" under the "Management" section. - -From the "Section:" drop-down list at the top of the configuration editor, locate "system.web/sessionState". - -Set the "timeout" to "00:20:00 or less”, using the lowest value possible depending upon the application. -Acceptable values are 5 minutes for high-value applications, 10 minutes for medium-value applications, and 20 minutes for low-value applications. - -In the "Actions" pane, click "Apply". -Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click the site name. - -Select "Configuration Editor" under the "Management" section. - -From the "Section:" drop-down list at the top of the configuration editor, locate "system.web/sessionState". - -Verify the "timeout" is set to "00:20:00 or less”, using the lowest value possible depending upon the application. -Acceptable values are 5 minutes for high-value applications, 10 minutes for medium-value applications, and 20 minutes for low-value applications. 
- -If "timeout" is not set to "00:20:00 or less”, this is a finding. - -SRG-APP-000316-WSR-000170<GroupDescription></GroupDescription>IISW-SI-000237The IIS 8.5 website must provide the capability to immediately disconnect or disable remote access to the hosted applications.<VulnDiscussion>During an attack on the web server or any of the hosted applications, the system administrator may need to disconnect or disable access by users to stop the attack. - -The web server must provide a capability to disconnect users to a hosted application without compromising other hosted applications unless deemed necessary to stop the attack. Methods to disconnect or disable connections are to stop the application service for a specified hosted application, stop the web server, or block all connections through web server access list. - -The web server capabilities used to disconnect or disable users from connecting to hosted applications and the web server must be documented to make certain that, during an attack, the proper action is taken to conserve connectivity to any other hosted application if possible and to make certain log data is conserved for later forensic analysis.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-002322Prepare documented procedures for shutting down an IIS 8.5 website in the event of an attack. The procedure should, at a minimum, provide the following steps: - -Determine the respective website for the application at risk of an attack. - -Access the IIS 8.5 web server IIS 8.5 Manager. - -Select the respective website. 
- -In the "Actions" pane, under "Manage Website", click on "Stop". - -If necessary, stop all websites. - -If necessary, stop the IIS 8.5 web server by selecting the web server in the IIS 8.5 Manager. - -In the "Actions" pane, under "Manage Server", click on "Stop".Interview the System Administrator and Web Manager. - -Ask for documentation for the IIS 8.5 web server administration. - -Verify there are documented procedures for shutting down an IIS 8.5 website in the event of an attack. The procedure should, at a minimum, provide the following steps: - -Determine the respective website for the application at risk of an attack. - -Access the IIS 8.5 web server IIS 8.5 Manager. - -Select the respective website. - -In the "Actions" pane, under "Manage Website", click on "Stop". - -If necessary, stop all websites. - -If necessary, stop the IIS 8.5 web server by selecting the web server in the IIS 8.5 Manager. - -In the "Actions" pane, under "Manage Server", click on "Stop". - -If there are not documented procedures with, at a minimum, the mentioned steps for stopping a website, this is a finding.SRG-APP-000357-WSR-000150<GroupDescription></GroupDescription>IISW-SI-000238The IIS 8.5 website must use a logging mechanism that is configured to allocate log record storage capacity large enough to accommodate the logging requirements of the IIS 8.5 website.<VulnDiscussion>In order to make certain that the logging mechanism used by the web server has sufficient storage capacity in which to write the logs, the logging mechanism needs to be able to allocate log record storage capacity. - -The task of allocating log record storage capacity is usually performed during initial installation of the logging mechanism. The system administrator will usually coordinate the allocation of physical drive space with the web server administrator along with the physical location of the partition and disk. 
Refer to NIST SP 800-92 for specific requirements on log rotation and storage dependent on the impact of the web server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-001849Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Under "IIS" double-click on the "Logging" icon. - -If necessary, in the "Logging" configuration box, redesignate a log path to a location able to house the logs. - -Under "Log File Rollover", deselect the "Do not create new log files" setting. - -Configure a schedule to rollover log files on a regular basis.Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Access the IIS 8.5 web server IIS 8.5 Manager. - -Under "IIS" double-click on the "Logging" icon. - -In the "Logging" configuration box, determine the "Directory:" to which the "W3C" logging is being written. - -Confirm with the System Administrator that the designated log path is of sufficient size to maintain the logging. - -Under "Log File Rollover", verify the "Do not create new log files" is not selected. - -Verify a schedule is configured to rollover log files on a regular basis. - -Consult with the System Administrator to determine if there is a documented process for moving the log files off of the IIS 8.5 web server to another logging device. 
- -If the designated logging path device is not of sufficient space to maintain all log files and there is not a schedule to rollover files on a regular basis, this is a finding.SRG-APP-000383-WSR-000175<GroupDescription></GroupDescription>IISW-SI-000239The IIS 8.5 websites must utilize ports, protocols, and services according to PPSM guidelines.<VulnDiscussion>Web servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these processes may be deemed unnecessary or too unsecure to run on a production system. - -The web server must provide the capability to disable or deactivate network-related services that are deemed to be non-essential to the server mission, are too unsecure, or are prohibited by the PPSM CAL and vulnerability assessments. - -Failure to comply with DoD ports, protocols, and services (PPS) requirements can result in compromise of enclave boundary protections and/or functionality of the AIS. - -The ISSM will ensure web servers are configured to use only authorized PPS in accordance with the Network Infrastructure STIG, DoD Instruction 8551.1, Ports, Protocols, and Services Management (PPSM), and the associated Ports, Protocols, and Services (PPS) Assurance Category Assignments List.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-001762Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click the site name under review. - -In the “Action” Pane, click “Bindings". 
- -Edit to change an existing binding and set the correct ports and protocol.Review the website to determine if HTTP and HTTPs (e.g., 80 and 443) are used in accordance with those ports and services registered and approved for use by the DoD PPSM. Any variation in PPS will be documented, registered, and approved by the PPSM. - -Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click the site name under review. - -In the “Action” Pane, click “Bindings”. - -Review the ports and protocols. If unknown ports or protocols are used, then this is a finding.SRG-APP-000427-WSR-000186<GroupDescription></GroupDescription>IISW-SI-000241The IIS 8.5 private website have a server certificate issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).<VulnDiscussion>The use of a DoD PKI certificate ensures clients the private website they are connecting to is legitimate, and is an essential part of the DoD defense-in-depth strategy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-002470Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click the Server name. - -Double-click “Server Certificates”. - -Click “Import” under the "Actions" pane. - -Browse to the DoD certificate location, select it, and click “OK”. - -Remove any non-DoD certificates if present. - -Click on the site needing the certificate. - -Select “Bindings” under the "Actions" pane. - -Click on the binding needing a certificate and select “Edit”, or add a site binding for HTTPS. 
- -Assign the certificate to the website by choosing it under the “SSL Certificate” drop-down and clicking “OK”.Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Click the site name under review. - -Click “Bindings” in the “Action” Pane. - -Click the “HTTPS type” from the box. - -Click “Edit”. - -Click “View” and then review and verify the certificate path. - -If the list of CAs in the trust hierarchy does not lead to the DoD PKI Root CA, DoD-approved external certificate authority (ECA), or DoD-approved external partner, this is a finding. - -If HTTPS is not an available type under site bindings, this is a finding. - -If HTTPS is not an available type under site bindings, and the Web Server ONLY communicates directly with a load balancer/proxy server, with IP address and Domain Restrictions in place, this is not a finding.SRG-APP-000429-WSR-000113<GroupDescription></GroupDescription>IISW-SI-000242The IIS 8.5 private website must employ cryptographic mechanisms (TLS) and require client certificates.<VulnDiscussion>When data is written to digital media, such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss and data compromise. User identities and passwords stored on the hard drive of the hosting hardware must be encrypted to protect the data from easily being discovered and used by an unauthorized user to access the hosted applications. The cryptographic libraries and functionality used to store and retrieve the user identifiers and passwords must be part of the web server. - -Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS). 
- -Transmission of data can take place between the web server and a large number of devices/applications external to the web server. Examples are a web client used by a user, a backend database, an audit server, or other web servers in a web cluster. - -If data is transmitted unencrypted, the data then becomes vulnerable to disclosure. The disclosure may reveal user identifier/password combinations, website code revealing business logic, or other user personal information. - -Also satisfies: SRG-APP-000439-WSR-000151</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-002476Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. - -Double-click the "SSL Settings" icon under the "IIS" section. - -Select the "Require SSL" setting. - -Select the "Client Certificates Required" setting. - -Click "Apply" in the "Actions" pane. - -Click the site under review. - -Select "Configuration Editor" under the "Management" section. - -From the "Section:" drop-down list at the top of the configuration editor, locate “system.webServer/security/access”. - -Click on the drop-down list for "sslFlags". - -Select the "Ssl128" check box. - -Click "Apply" in the "Actions" pane.Note: If SSL is installed on load balancer/proxy server through which traffic is routed to the IIS 8.5 server, and the IIS 8.5 server receives traffic from the load balancer/proxy server, the SSL requirement must be met on the load balancer/proxy server. - -Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. 
-Double-click the "SSL Settings" icon under the "IIS" section. -Verify "Require SSL" is checked. -Verify "Client Certificates Required" is selected. -Click the site under review. -Select "Configuration Editor" under the "Management" section. -From the "Section:" drop-down list at the top of the configuration editor, locate “system.webServer/security/access”. -The value for "sslFlags" set must include "ssl128". - -If the "Require SSL" is not selected, this is a finding. -If the "Client Certificates Required" is not selected, this is a finding. -If the "sslFlags" is not set to "ssl128", this is a finding.SRG-APP-000439-WSR-000152<GroupDescription></GroupDescription>IISW-SI-000244IIS 8.5 website session IDs must be sent to the client using TLS.<VulnDiscussion>The HTTP protocol is a stateless protocol. To maintain a session, a session identifier is used. The session identifier is a piece of data that is used to identify a session and a user. If the session identifier is compromised by an attacker, the session can be hijacked. By encrypting the session identifier, the identifier becomes more difficult for an attacker to hijack, decrypt, and use before the session has expired.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-002418Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Access the IIS 8.5 Manager. - -Select the website being reviewed. - -Under "Management" section, double-click the "Configuration Editor" icon. - -From the "Section:" drop-down list, select “system.webServer/asp". - -Expand the "session" section. 
- -Select "True" for the "keepSessionIdSecure" setting. - -Select "Apply" from the "Actions" pane.Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Access the IIS 8.5 Manager. - -Select the website being reviewed. - -Under "Management" section, double-click the "Configuration Editor" icon. - -From the "Section:" drop-down list, select “system.webServer/asp". - -Expand the "session" section. - -Verify the "keepSessionIdSecure" is set to "True". - -If the "keepSessionIdSecure" is not set to "True", this is a finding.SRG-APP-000439-WSR-000154<GroupDescription></GroupDescription>IISW-SI-000246Cookies exchanged between the IIS 8.5 website and the client must use SSL/TLS, have cookie properties set to prohibit client-side scripts from reading the cookie data and must not be compressed.<VulnDiscussion>A cookie is used when a web server needs to share data with the client's browser. The data is often used to remember the client when the client returns to the hosted application at a later date. A session cookie is a special type of cookie used to remember the client during the session. The cookie will contain the session identifier (ID) and may contain authentication data to the hosted application. To protect this data from easily being compromised, the cookie must be encrypted. - -When a cookie is sent encrypted via SSL/TLS, an attacker must spend a great deal of time and resources to decrypt the cookie. If, along with encryption, the cookie is compressed, the attacker can now use a combination of plaintext injection and inadvertent information leakage through data compression to reduce the time needed to decrypt the cookie. This attack is called Compression Ratio Info-leak Made Easy (CRIME). - -Cookies shared between the web server and the client when encrypted should not also be compressed. - -A cookie can be read by client-side scripts easily if cookie properties are not set properly. 
By allowing cookies to be read by the client-side scripts, information such as session identifiers could be compromised and used by an attacker who intercepts the cookie. Setting cookie properties (i.e. HttpOnly property) to disallow client-side scripts from reading cookies better protects the information inside the cookie. - - - -Satisfies: SRG-APP-000439-WSR-000154, SRG-APP-000439-SSR-000155, SRG-APP-000439-WSR-000153</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-002418Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Access the IIS 8.5 Manager. - -Under "Management" section, double-click the "Configuration Editor" icon. - -From the "Section:" drop-down list, select "system.web/httpCookies". - -Set the "require SSL" to "True". - -From the "Section:" drop-down list, select "system.web/sessionState". - -Set the "compressionEnabled" to "False". - -Select "Apply" from the "Actions" pane.Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Access the IIS 8.5 Manager. - -Under "Management" section, double-click the "Configuration Editor" icon. - -From the "Section:" drop-down list, select "system.web/httpCookies". - -Verify the "require SSL" is set to "True". - -From the "Section:" drop-down list, select "system.web/sessionState". - -Verify the "compressionEnabled" is set to "False". 
- -If both the "system.web/httpCookies:require SSL" is set to "True" and the "system.web/sessionState:compressionEnabled" is set to "False", this is not a finding.SRG-APP-000441-WSR-000181<GroupDescription></GroupDescription>IISW-SI-000249The IIS 8.5 website must maintain the confidentiality and integrity of information during preparation for transmission and during reception.<VulnDiscussion>Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. - -An example of this would be an SMTP queue. This queue may be added to a web server through an SMTP module to enhance error reporting or to allow developers to add SMTP functionality to their applications. - -Any modules used by the web server that queue data before transmission must maintain the confidentiality and integrity of the information before the data is transmitted. - -Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. - -Protecting the confidentiality and integrity of received information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPsec tunnel. - -The web server must utilize approved encryption when receiving transmitted data. 
- -Also satisfies: SRG-APP-000442-WSR-000182</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-002420CCI-002422Follow the procedures below for web server and each site under review: - -Open the IIS 8.5 Manager. -Click the site name. -Double-click the "SSL Settings" icon. -Select "Require SSL". -Select "Client Certificates Required". -Select “sslFlags”, and set to “ssl128”.Note: If the server being reviewed is a public IIS 8.5 web server, this is Not Applicable. - -Note: If SSL is installed on load balancer/proxy server through which traffic is routed to the IIS 8.5 server, and the IIS 8.5 server receives traffic from the load balancer/proxy server, the SSL requirement must be met on the load balancer/proxy server. - -Follow the procedures below for each site hosted on the IIS 8.5 web server: - -Open the IIS 8.5 Manager. -Double-click the "SSL Settings" icon under the "IIS" section. -Verify "Require SSL" is checked. -Verify "Client Certificates Required" is selected. -Click the site under review. -Select "Configuration Editor" under the "Management" section. -From the "Section:" drop-down list at the top of the configuration editor, locate “system.webServer/security/access”. -The value for "sslFlags" should be “ssl128”. - -If the "Require SSL" is not selected, this is a finding. -If the "Client Certificates Required" is not selected, this is a finding. 
-If the "sslFlags" is not set to "ssl128", this is a finding.SRG-APP-000516-WSR-000174<GroupDescription></GroupDescription>IISW-SI-000251The IIS 8.5 website must have a unique application pool.<VulnDiscussion>Application pools isolate sites and applications to address reliability, availability, and security issues. Sites and applications may be grouped according to configurations, although each site will be associated with a unique application pool.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-000366Open the IIS 8.5 Manager. - -Click the site name under review. - -Assign a unique application pool to each website.Note: If the IIS Application Pool is hosting Microsoft SharePoint, this is Not Applicable. - -Open the IIS 8.5 Manager. - -Click "Application Pools". - -In the list of Application Pools, review the "Applications" column and verify unique application pools for each website. - -If any Application Pools are being used for more than one website, this is a finding.SRG-APP-000516-WSR-000174<GroupDescription></GroupDescription>IISW-SI-000252The maximum number of requests an application pool can process for each IIS 8.5 website must be explicitly set.<VulnDiscussion>IIS application pools can be periodically recycled to avoid unstable states possibly leading to application crashes, hangs, or memory leaks. By default, application pool recycling is overlapped, which means the worker process to be shut down is kept running until after a new worker process is started. After a new worker process starts, new requests are passed to it. 
The old worker process shuts down after it finishes processing its existing requests, or after a configured time-out, whichever comes first. This way of recycling ensures uninterrupted service to clients.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-000366Open the IIS 8.5 Manager. - -Click on the “Application Pools”. - -Highlight an Application Pool and click "Advanced Settings" in the “Action” Pane. - -Scroll down to the "Recycling section" and set the value for "Request Limit" to greater than "0". - -Click “OK”. -Note: Recycling Application Pools can create an unstable environment in a 64-bit SharePoint environment. If operational issues arise, with supporting documentation from the ISSO, this check can be downgraded to a Cat III. - -Note: If the IIS Application Pool is hosting Microsoft SharePoint, this is Not Applicable. - -Open the IIS 8.5 Manager. - -Perform for each Application Pool. - -Click the “Application Pools”. - -Highlight an Application Pool and click "Advanced Settings" in the “Action” Pane. - -Scroll down to the "Recycling section" and verify the value for "Request Limit" is set to a value other than "0". - -If the "Request Limit" is set to a value of "0", this is a finding.SRG-APP-000516-WSR-000174<GroupDescription></GroupDescription>IISW-SI-000253The amount of virtual memory an application pool uses for each IIS 8.5 website must be explicitly set.<VulnDiscussion>IIS application pools can be periodically recycled to avoid unstable states possibly leading to application crashes, hangs, or memory leaks. 
By default, application pool recycling is overlapped, which means the worker process to be shut down is kept running until after a new worker process is started. After a new worker process starts, new requests are passed to it. The old worker process shuts down after it finishes processing its existing requests, or after a configured time-out, whichever comes first. This way of recycling ensures uninterrupted service to clients.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-000366Open the IIS 8.5 Manager. - -Click on “Application Pools”. - -Perform for each Application Pool. - -Highlight an Application Pool and click "Advanced Settings" in the “Action” Pane. - -In the "Advanced Settings" dialog box scroll down to the "Recycling" section and set the value for "Virtual Memory Limit" to a value other than "0". - -Click “OK”.Note: Recycling Application Pools can create an unstable environment in a 64-bit SharePoint environment. If operational issues arise, mitigation steps can be set, to include setting the “Fixed number or requests”, “Specific time”, and “Private memory usage” in the recycling conditions lieu of the “Virtual memory” setting. If mitigation is used in lieu of this requirement, with supporting documentation from the ISSO, this check can be downgraded to a Cat III. - -Note: If the IIS Application Pool is hosting Microsoft SharePoint, this is Not Applicable. - -Open the IIS 8.5 Manager. - -Perform for each Application Pool. - -Click on “Application Pools”. - -Highlight an Application Pool and click "Advanced Settings" in the Action Pane. 
- -In the "Advanced Settings" dialog box scroll down to the "Recycling" section and verify the value for "Virtual Memory Limit" is not set to 0. - -If the value for "Virtual Memory Limit" is set to 0, this is a finding.SRG-APP-000516-WSR-000174<GroupDescription></GroupDescription>IISW-SI-000254The amount of private memory an application pool uses for each IIS 8.5 website must be explicitly set.<VulnDiscussion>IIS application pools can be periodically recycled to avoid unstable states possibly leading to application crashes, hangs, or memory leaks. By default, application pool recycling is overlapped, which means the worker process to be shut down is kept running until after a new worker process is started. After a new worker process starts, new requests are passed to it. The old worker process shuts down after it finishes processing its existing requests, or after a configured time-out, whichever comes first. This way of recycling ensures uninterrupted service to clients.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-000366Open the IIS 8.5 Manager. - -Click the “Application Pools”. - -Perform for each Application Pool. - -Highlight an Application Pool and click "Advanced Settings" in the “Action” Pane. - -Scroll down to the "Recycling" section and set the value for "Private Memory Limit" to a value other than "0".Note: Recycling Application Pools can create an unstable environment in a 64-bit SharePoint environment. If operational issues arise, with supporting documentation from the ISSO this check can be downgraded to a Cat III. 
- -Note: If the IIS Application Pool is hosting Microsoft SharePoint, this is Not Applicable. - -Open the IIS 8.5 Manager. - -Perform for each Application Pool. - -Click the “Application Pools”. - -Highlight an Application Pool and click "Advanced Settings" in the “Action” Pane. - -Scroll down to the "Recycling" section and verify the value for "Private Memory Limit" is set to a value other than "0". - -If the "Private Memory Limit" is set to a value of "0", this is a finding.SRG-APP-000516-WSR-000174<GroupDescription></GroupDescription>IISW-SI-000255The application pool for each IIS 8.5 website must have a recycle time explicitly set.<VulnDiscussion>Application pools can be periodically recycled to avoid unstable states possibly leading to application crashes, hangs, or memory leaks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-000366Open the IIS 8.5 Manager. - -Click the “Application Pools”. - -Perform for each Application Pool. - -Highlight an Application Pool and click "Advanced Settings" in the “Action” Pane. - -Scroll down to the "Recycling" section and expand the "Generate Recycle Event Log Entry" section. - -Set both the "Regular time interval" and "Specific time" options to "True".Note: Recycling Application Pools can create an unstable environment in a 64-bit SharePoint environment. If operational issues arise, with supporting documentation from the ISSO this check can be downgraded to a Cat III. - -Open the IIS 8.5 Manager. - -Perform for each Application Pool. - -Click the “Application Pools”. 
- -Highlight an Application Pool and click "Advanced Settings" in the “Action” Pane. - -Scroll down to the "Recycling" section and expand the "Generate Recycle Event Log Entry" section. - -Verify both the "Regular time interval" and "Specific time" options are set to "True". - -If both the "Regular time interval" and "Specific time" options are not set to "True", this is a finding.SRG-APP-000516-WSR-000174<GroupDescription></GroupDescription>IISW-SI-000256The maximum queue length for HTTP.sys for each IIS 8.5 website must be explicitly configured.<VulnDiscussion>In order to determine the possible causes of client connection errors and to conserve system resources, it is important to both log errors and manage those settings controlling requests to the application pool.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-000366Open the IIS 8.5 Manager. - -Click the “Application Pools”. - -Highlight an Application Pool to review and click "Advanced Settings" in the "Actions" pane. - -Scroll down to the “General” section and set the value for “Queue Length” to “1000” or less. - -Click “OK”.Open the IIS 8.5 Manager. - -Perform for each Application Pool. - -Click the “Application Pools”. - -Highlight an Application Pool to review and click "Advanced Settings" in the "Actions" pane. - -Scroll down to the "General" section and verify the value for "Queue Length" is set to 1000. 
- -If the "Queue Length" is set to "1000" or less, this is not a finding.SRG-APP-000516-WSR-000174<GroupDescription></GroupDescription>IISW-SI-000257The application pools pinging monitor for each IIS 8.5 website must be enabled.<VulnDiscussion>Windows Process Activation Service (WAS) manages application pool configurations and may flag a worker process as unhealthy and shut it down. An application pool’s pinging monitor must be enabled to confirm worker processes are functional. A lack of response from the worker process might mean the worker process does not have a thread to respond to the ping request, or it is hanging for some other reason. The ping interval and ping response time may need adjustment to gain access to timely information about application pool health without triggering false, unhealthy conditions; for example, instability caused by an application.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-000366Open the IIS 8.5 Manager. - -Click the “Application Pools”. - -Perform for each Application Pool. - -Highlight an Application Pool to review and click "Advanced Settings" in the "Actions" pane. - -Scroll down to the "Process Model" section and set the value for "Ping Enabled" to "True". - -Click “OK”.Open the Internet Information Services (IIS) Manager. - -Click the “Application Pools”. - -Perform for each Application Pool. - -Highlight an Application Pool to review and click "Advanced Settings" in the "Actions" pane. - -Scroll down to the "Process Model" section and verify the value for "Ping Enabled" is set to "True". 
- -If the value for "Ping Enabled" is not set to "True", this is a finding.SRG-APP-000516-WSR-000174<GroupDescription></GroupDescription>IISW-SI-000258The application pools rapid fail protection for each IIS 8.5 website must be enabled.<VulnDiscussion>Rapid fail protection is a feature that interrogates the health of worker processes associated with websites and web applications. It can be configured to perform a number of actions such as shutting down and restarting worker processes that have reached failure thresholds. By not setting rapid fail protection the web server could become unstable in the event of a worker process crash potentially leaving the web server unusable.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-000366Open the IIS 8.5 Manager. - -Click the “Application Pools”. - -Perform for each Application Pool. - -Highlight an Application Pool to review and click "Advanced Settings" in the "Actions" pane. - -Scroll down to the "Rapid Fail Protection" section and set the value for "Enabled" to "True". - -Click “OK”.Open the IIS 8.5 Manager. - -Click the “Application Pools”. - -Perform for each Application Pool. - -Highlight an Application Pool to review and click "Advanced Settings" in the "Actions" pane. - -Scroll down to the "Rapid Fail Protection" section and verify the value for "Enabled" is set to "True". 
- -If the "Rapid Fail Protection:Enabled" is not set to "True", this is a finding.SRG-APP-000516-WSR-000174<GroupDescription></GroupDescription>IISW-SI-000259The application pools rapid fail protection settings for each IIS 8.5 website must be managed.<VulnDiscussion>Windows Process Activation Service (WAS) manages application pool configuration and may flag a worker process as unhealthy and shut it down. The rapid fail protection must be set to a suitable value. A lack of response from the worker process might mean the worker process does not have a thread to respond to the ping request, or that it is hanging for some other reason. The ping interval and ping response time may need adjustment to gain access to timely information about application pool health without triggering false, unhealthy conditions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-000366Open the IIS 8.5 Manager. - -Click the “Application Pools”. - -Perform for each Application Pool. - -Highlight an Application Pool to review and click "Advanced Settings" in the "Actions" pane. - -Scroll down to the "Rapid Fail Protection" section and set the value for "Failure Interval" to "5" or less. - -Click “OK”.Open the IIS 8.5 Manager. - -Click the “Application Pools”. - -Perform for each Application Pool. - -Highlight an Application Pool to review and click "Advanced Settings" in the "Actions" pane. - -Scroll down to the "Rapid Fail Protection" section and verify the value for "Failure Interval" is set to "5". 
- -If the "Failure Interval" is not set to "5" or less, this is a finding.SRG-APP-000141-WSR-000087<GroupDescription></GroupDescription>IISW-SI-000261Interactive scripts on the IIS 8.5 web server must be located in unique and designated folders.<VulnDiscussion>CGI and ASP scripts represent one of the most common and exploitable means of compromising a web server. All CGI and ASP program files must be segregated into their own unique folder to simplify the protection of these files. ASP scripts must be placed into a unique folder only containing other ASP scripts. JAVA and other technology-specific scripts must also be placed into their own unique folders. The placement of CGI, ASP, or equivalent scripts to special folders gives the Web Manager or the SA control over what goes into those folders and to facilitate access control at the folder level.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-000381All interactive programs must be placed in unique designated folders based on CGI or ASP script type. - -Open the IIS 8.5 Manager. - -Right-click the IIS 8.5 web server name and select Explore. - -Search for the listed script extensions. - -Move each script type to its unique designated folder. - -Set the permissions to the scripts folders as follows: - -Administrators: FULL -TrustedInstaller: FULL -SYSTEM: FULL -ApplicationPoolId:READ -Custom Service Account: READ -Users: READ -ALL APPLICATION PACKAGES: READ -Determine whether scripts are used on the web server for the target website. Common file extensions include, but are not limited to: .cgi, .pl, .vb, .class, .c, .php, and .asp. 
- -All interactive programs must be placed in unique designated folders based on CGI or ASP script type. - -Open the IIS 8.5 Manager. - -Right-click the IIS 8.5 web site name and select Explore. - -Search for the listed script extensions. Each script type must be in its unique designated folder. - -If scripts are not segregated from web content and in their own unique folders, then this is a finding.SRG-APP-000141-WSR-000087<GroupDescription></GroupDescription>IISW-SI-000262Interactive scripts on the IIS 8.5 web server must have restrictive access controls.<VulnDiscussion>CGI is a programming standard for interfacing external applications with information servers, such as HTTP or web servers. CGI, represented by all upper case letters, should not be confused with the .cgi file extension. The .cgi file extension does represent a CGI script, but CGI scripts may be written in a number of programming languages (e.g., PERL, C, PHP, and JavaScript), each having their own unique file extension. - -The use of CGI scripts represent one of the most common and exploitable means of compromising a web server. By definition, CGI scripts are executable by the operating system of the host server. While access control is provided via the web service, the execution of CGI programs is not limited unless the SA or the Web Manager takes specific measures. CGI programs can access and alter data files, launch other programs, and use the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-000381Determine whether scripts are used on the web server for the subject website. 
Common file extensions include, but are not limited to: .cgi, .pl, .vb, .class, .c, .php, .asp, and .aspx. - -If the website does not utilize CGI, this finding is NA. - -All interactive programs must have restrictive permissions. - -Open the IIS 8.5 Manager. - -Right-click the IIS 8.5 web server name and select “Explore”. - -Search for the listed script extensions. - -Set the permissions to the CGI scripts as follows: - -Administrators: FULL -TrustedInstaller: FULL -ALL APPLICATION PACKAGES: Read -SYSTEM: FULL -ApplicationPoolId: READ -Custom Service Account: READ -Users: READDetermine whether scripts are used on the web server for the subject website. Common file extensions include, but are not limited to: .cgi, .pl, .vb, .class, .c, .php, .asp, and .aspx. - -If the website does not utilize CGI, this finding is Not Applicable. - -All interactive programs must have restrictive permissions. - -Open the IIS 8.5 Manager. - -Right-click the IIS 8.5 web site name and select “Explore”. - -Search for the listed script extensions. - -Review the permissions to the CGI scripts and verify only the permissions listed, or more restrictive permissions are assigned. - -Administrators: FULL -TrustedInstaller: FULL -ALL APPLICATION PACKAGES: Read -SYSTEM: FULL -ApplicationPoolId: READ -Custom Service Account: READ -Users: READ - -If the permissions are less restrictive than listed above, this is a finding.SRG-APP-000141-WSR-000087<GroupDescription></GroupDescription>IISW-SI-000263Backup interactive scripts on the IIS 8.5 server must be removed.<VulnDiscussion>Copies of backup files will not execute on the server, but they can be read by the anonymous user if special precautions are not taken. Such backup copies contain the same sensitive information as the actual script being executed and, as such, are useful to malicious users. 
Techniques and systems exist today to search web servers for such files and are able to exploit the information contained in them.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-000381Remove the backup files from the production web server.Determine whether scripts are used on the web server for the subject website. Common file extensions include, but are not limited to: .cgi, .pl, .vb, .class, .c, .php, .asp, and .aspx. - -If the website does not utilize CGI, this finding is Not Applicable. - -Open the IIS 8.5 Manager. - -Right-click the IIS 8.5 web site name and select “Explore”. - -Search for the listed script extensions - -Search for the following files: *.bak, *.old, *.temp, *.tmp, *.backup, or “copy of...”. - -If files with these extensions are found, this is a finding.SRG-APP-000516-WSR-000174<GroupDescription></GroupDescription>IISW-SI-000264The required DoD banner page must be displayed to authenticated users accessing a DoD private website.<VulnDiscussion>A consent banner will be in place to make prospective entrants aware that the website they are about to enter is a DoD web site and their activity is subject to monitoring. The document, DoDI 8500.01, establishes the policy on the use of DoD information systems. It requires the use of a standard Notice and Consent Banner and standard text to be included in user agreements. The requirement for the banner is for websites with security and access controls. These are restricted and not publicly accessible. If the website does not require authentication/authorization for use, then the banner does not need to be present. 
A manual check of the document root directory for a banner page file (such as banner.html) or navigation to the website via a browser can be used to confirm the information provided from interviewing the web staff.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IIS Web Site 8.5DISADPMS TargetIIS Web Site 8.52791CCI-000366Configure a DoD private website to display the required DoD banner page when authentication is required for user access.Note: This requirement is only applicable for private DoD websites. - -If a banner is required, the following banner page must be in place: - -“You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. - -By using this IS (which includes any device attached to this IS), you consent to the following conditions: - --The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - -- At any time, the USG may inspect and seize data stored on this IS. - -- Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. - -- This IS includes security measures (e.g., authentication and access controls) to protect USG interests—not for your personal benefit or privacy. 
- -- Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.” - -OR - -If your system cannot meet the character limits to store this amount of text in the banner, the following is another option for the warning banner: - -"I've read & consent to terms in IS user agreem't." - -NOTE: While DoDI 8500.01 does not contain a copy of the banner to be used, it does point to the RMF Knowledge Service for a copy of the required text. It is also noted that the banner is to be displayed only once when the individual enters the site and not for each page. - -If the access-controlled website does not display this banner page before entry, this is a finding. +acceptedIIS 8.5 Site Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. 
Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 10 Benchmark Date: 24 Apr 20201I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>SRG-APP-000279<GroupDescription></GroupDescription>WNDF-AV-000001Windows Defender AV must be configured to enable the Potentially Unwanted Application (PUA) feature.<VulnDiscussion>After enabling this feature, Potentially Unwanted Application (PUA) protection blocking takes effect on endpoint clients after the next signature update or computer restart. Signature updates take place daily under typical circumstances. PUA will be blocked and automatically quarantined.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-001243Set the policy value for Computer Configuration -> Administrative Templates -> MS Security Guide -> "Turn on Windows Defender protection against Potentially Unwanted Applications" to “Enabled”. 
+acceptedMS Windows Defender Antivirus Security Technical Implementation GuideThe Windows Defender Antivirus Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be send via e-mail to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 8 Benchmark Date: 24 Apr 20201I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>