Increase Code Coverage of PowerSTIG to %75 (#742)

* updated tests for increased code cov part 1

* fixed test

* update changelog.md

* update changelog

* tes

* reverted change

* added VsphereNTPsetting tests

* updated checklist test

* updated DomainName Function tests

* updated powerstig xml tests

* added tests for Convertto-PowerSTIGxml and Compare

* updated tests

* updated webconfig property rule test

* updated to convert all STIGS

* removed redundant tests

* update only select one of each STIG

* added all office stigs

* reverted some tests

* updated tests:

* removed dependency for helper files

* updated tests

* removed example folder

* update based on feedback

* updated test

CHANGELOG.md

@@ -2,6 +2,7 @@
 
 ## [Unreleased]
 
+* Update PowerSTIG to increase code coverage of unit tests: [#737](https://github.com/microsoft/PowerStig/issues/737)
 * Update PowerSTIG with new SkipRuleSeverity Parameter to skip entire STIG Category/Severity Level(s): [711](https://github.com/microsoft/PowerStig/issues/711)
 
 ## [4.5.0] - 2020-09-01

Tests/Unit/Module/.tests.header.ps1

@@ -65,6 +65,26 @@ switch ($psStackCommand)
         . $functionCheckListFile
     }
 
+    'STIG.DomainName'
+    {
+        $functionDomainName = Join-Path -Path $script:moduleRoot -ChildPath '\Module\STIG\Functions.DomainName.ps1'
+        . $functionDomainName
+    }
+
+    'STIG.PowerStigXml'
+    {
+        $functionPowerStigXml = Join-Path -Path $script:moduleRoot -ChildPath '\Module\STIG\Convert\Functions.PowerStigXml.ps1'
+        . $functionPowerStigXml
+        $functionReport = Join-Path -Path $script:moduleRoot -ChildPath '\Module\STIG\Convert\Functions.Report.ps1'
+        . $functionReport
+        $dscResourceData = Join-Path -Path $script:moduleRoot -ChildPath '\Module\STIG\Convert\Data.ps1'
+        . $dscResourceData
+        $destinationPath = Join-Path -Path $PSScriptRoot -ChildPath '..\.DynamicClassImport\Rule.ps1'
+        [void] $setDynamicClassFileParams.Add('DestinationPath', $destinationPath)
+        [void] $setDynamicClassFileParams.Add('ClassModuleFileName', @('Rule.psm1', 'ConvertFactory.psm1','DocumentRule.Convert.psm1','Stig.psm1'))
+    }
+
+
     'STIG'
     {
         $destinationPath = Join-Path -Path $PSScriptRoot -ChildPath '..\.DynamicClassImport\Convert.Main.ps1'
@@ -81,11 +101,15 @@ switch ($psStackCommand)
     }
 }
 
-if ($global:moduleName -ne 'STIG.Checklist')
+if ($global:moduleName -ne 'STIG.Checklist' -and $global:moduleName -ne 'STIG.DomainName')
 {
     Set-DynamicClassFile @setDynamicClassFileParams
     . $setDynamicClassFileParams.DestinationPath
 }
+else
+{
+    import-module $script:moduleRoot\Module\Common\Common.psm1
+}
 
 <#
     Several classes check for duplicate rules against a global variable stigSettings.

Tests/Unit/Module/AuditSettingRule.tests.ps1

@@ -22,6 +22,37 @@ try
                 Some hardware vendors create a small FAT partition to store troubleshooting and recovery data. No other files must be stored here.  This
                 must be documented with the ISSO.'
             }
+            @{
+                Query = "SELECT * FROM Win32_OperatingSystem"
+                Property = 'Version'
+                DesiredValue = '10.0.16299'
+                Operator = '-le'
+                OrganizationValueRequired = $false
+                CheckContent = 'Run "winver.exe".
+
+                If the "About Windows" dialog box does not display:
+
+                "Microsoft Windows Version 1709 (OS Build 16299.0)"
+
+                or greater, this is a  finding.
+
+                Note: Microsoft has extended support for previous versions providing critical and important updates for Windows 10 Enterprise.
+
+                Microsoft scheduled end of support dates for current Semi-Annual Channel versions:
+                v1703 - 8 October 2019
+                v1709 - 14 April 2020
+                v1803 - 10 November 2020
+                v1809 - 13 April 2021
+                v1903 - 8 December 2020
+
+                No preview versions will be used in a production environment.
+
+                Special purpose systems using the Long-Term Servicing Branch\Channel (LTSC\B) may be at following versions which are not a finding:
+
+                v1507 (Build 10240)
+                v1607 (Build 14393)
+                v1809 (Build 17763)'
+            }
         )
         #endregion
 

Tests/Unit/Module/Convert.CommonTests.ps1

@@ -20,6 +20,12 @@ $stigRule = Get-TestStigRule -CheckContent $testRule.CheckContent -ReturnGroupOn
 # Create an instance of the convert class that is currently being tested
 $convertedRule = New-Object -TypeName ($global:moduleName + 'Convert') -ArgumentList $stigRule
 
+Describe 'Exception Help' {
+    It 'Should not Return $null' {
+        $convertedrule.GetExceptionHelp() | Should -Not -BeNullOrEmpty
+    }
+}
+
 Describe "$($convertedRule.GetType().Name) Class Instance" {
     # Only run the base class test once
     if ($count -le 0)
@@ -104,7 +110,7 @@ Describe "$($convertedRule.GetType().Name) Class Instance" {
     $checkContent = [System.Web.HttpUtility]::HtmlDecode( $testRule.checkContent )
 
     # The manual rule is the default and does not contain a match method.
-    if ($convertedRule.GetType().Name -notmatch 'ManualRuleConvert')
+    if ($convertedRule.GetType().Name -notmatch 'ManualRuleConvert|GroupRuleConvert')
     {
         <#
             To dynamically call a static method, we have to get the static method
@@ -119,3 +125,4 @@ Describe "$($convertedRule.GetType().Name) Class Instance" {
         }
     }
 }
+

Tests/Unit/Module/DnsServerSettingRule.tests.ps1

@@ -23,6 +23,33 @@ try
 
                 If any option other than "Errors and warnings" or "All events" is selected, this is a finding.'
             }
+            @{
+                IsExistingRule = $true
+                PropertyName = 'NoRecursion'
+                PropertyValue = '$true'
+                OrganizationValueRequired = $false
+                CheckContent = 'Note: If the Windows DNS server is in the classified network, this check is Not Applicable.
+
+                Note: In Windows DNS Server, if forwarders are configured, the recursion setting must also be enabled since disabling recursion will disable forwarders.
+
+                If forwarders are not used, recursion must be disabled. In both cases, the use of root hints must be disabled.
+
+                Log on to the DNS server using the Domain Admin or Enterprise Admin account.
+
+                Press Windows Key + R, execute dnsmgmt.msc.
+
+                On the opened DNS Manager snap-in from the left pane, right-click on the server name for the DNS server and select “Properties”.
+
+                Click on the “Forwarders” tab.
+
+                If forwarders are not being used, this is not applicable.
+
+                Review the IP address(es) for the forwarder(s) use.
+
+                If the DNS Server does not forward to another DoD-managed DNS server or to the DoD Enterprise Recursive Services (ERS), this is a finding.
+
+                If the "Use root hints if no forwarders are available" is selected, this is a finding.'
+            }
         )
         #endregion
 

Tests/Unit/Module/DocumentRule.tests.ps1

@@ -15,6 +15,23 @@ try
 
                 If unapproved shared accounts exist, this is a finding.'
             }
+            @{
+                Id = "V-7069"
+                Severity = "medium"
+                title = "APPNET0055 CAS and Policy Config File Backups"
+                Dscresource = "None"
+                OrganizationValueRequired = $false
+                CheckContent = 'Ask the System Administrator if all CAS policy and policy configuration files are included in the system backup. If they are not, this is a finding.
+
+                Ask the System Administrator if the policy and configuration files are backed up prior to migration, deployment, and reconfiguration. If they are not, this is a finding.
+
+                Ask the System Administrator for documentation that shows CAS Policy configuration files are backed up as part of a disaster recovery plan. If they have no documentation proving the files are backed up, this is a finding.'
+                RawString = 'Ask the System Administrator if all CAS policy and policy configuration files are included in the system backup. If they are not, this is a finding.
+
+                Ask the System Administrator if the policy and configuration files are backed up prior to migration, deployment, and reconfiguration. If they are not, this is a finding.
+
+                Ask the System Administrator for documentation that shows CAS Policy configuration files are backed up as part of a disaster recovery plan. If they have no documentation proving the files are backed up, this is a finding.'
+            }
         )
         #endregion
 

Tests/Unit/Module/FileContentRule.tests.ps1

@@ -11,6 +11,7 @@ try
                 Key = 'security.default_personal_cert'
                 Value = 'Ask Every Time'
                 ArchiveFile = 'MozillaFirefox'
+                DscResource = 'ReplaceText'
                 OrganizationValueRequired = $false
                 CheckContent = 'Type "about:config" in the browser address bar. Verify  Preference Name "security.default_personal_cert" is set to "Ask Every Time" and is locked to prevent the user from altering.
 

Tests/Unit/Module/GroupRule.tests.ps1

@@ -60,9 +60,7 @@ try
 
         foreach ($testRule in $testRuleList)
         {
-            <# TODO uncomment when ready to parse group rules
             . $PSScriptRoot\Convert.CommonTests.ps1
-            #>
         }
 
         #region Add Custom Tests Here

Tests/Unit/Module/HardCodedRule.tests.ps1

@@ -196,6 +196,13 @@ try
                 DscResource  = 'xWinEventLog'
                 IsEnabled    = 'True'
                 LogName      = 'Microsoft-Windows-DnsServer/Analytical'
+            },
+            @{
+                RuleType     = 'WindowsFeatureRule'
+                CheckContent = "HardCodedRule(WindowsFeatureRule)@{DscResource = 'WindowsFeature'; Ensure = `$null; Name = 'FeatureName'}"
+                DscResource  = 'WindowsFeature'
+                Ensure       = ''
+                Name         = "FeatureName"
             }
         )
 

Tests/Unit/Module/MimeTypeRule.tests.ps1

@@ -27,7 +27,87 @@ try
                     .exe
 
                     If any OS shell MIME types are configured, this is a finding.'
+            },
+            @{
+                Ensure = 'absent'
+                MimeType = 'application/x-msdownload'
+                Extension = '.dll'
+                OrganizationValueRequired = $false
+                CheckContent = 'Open the IIS 8.5 Manager.
+
+                    Click the IIS 8.5 web server name.
+
+                    Under IIS, double-click the “MIME Types” icon.
+
+                    From the "Group by:" drop-down list, select "Content Type".
+
+                    From the list of extensions under "Application", verify MIME types for OS shell program extensions have been removed, to include at a minimum, the following extensions:
+
+                    If any OS shell MIME types are configured, this is a finding.
+
+                    .dll
+
+                    If any OS shell MIME types are configured, this is a finding.'
+            },
+            @{
+                Ensure = 'absent'
+                MimeType = 'application/x-bat'
+                Extension = '.bat'
+                OrganizationValueRequired = $false
+                CheckContent = 'Open the IIS 8.5 Manager.
+                    Click the IIS 8.5 web server name.
+
+                    Under IIS, double-click the “MIME Types” icon.
+
+                    From the "Group by:" drop-down list, select "Content Type".
+
+                    From the list of extensions under "Application", verify MIME types for OS shell program extensions have been removed, to include at a minimum, the following extensions:
+
+                    If any OS shell MIME types are configured, this is a finding.
+
+                    .bat'
+
+            },
+            @{
+                Ensure = 'absent'
+                MimeType = 'application/x-csh'
+                Extension = '.csh'
+                OrganizationValueRequired = $false
+                CheckContent = 'Open the IIS 8.5 Manager.
+
+                    Click the IIS 8.5 web server name.
+
+                    Under IIS, double-click the “MIME Types” icon.
+
+                    From the "Group by:" drop-down list, select "Content Type".
+
+                    From the list of extensions under "Application", verify MIME types for OS shell program extensions have been removed, to include at a minimum, the following extensions:
+
+                    If any OS shell MIME types are configured, this is a finding.
+
+                    .csh'
+
+            },
+            @{
+                Ensure = $null
+                MimeType = $null
+                Extension = '.not'
+                OrganizationValueRequired = $false
+                CheckContent = 'Open the IIS 8.5 Manager.
+
+                    Click the IIS 8.5 web server name.
+
+                    Under IIS, double-click the “MIME Types” icon.
+
+                    From the "Group by:" drop-down list, select "Content Type".
+
+                    From the list of extensions under "Application", verify MIME types for OS shell program extensions have been something, to include at a minimum, the following extensions:
+
+                    If any OS shell MIME types are configured, this is a finding.
+
+                    .not'
             }
+
         )
         #endregion
 

Tests/Unit/Module/STIG.Checklist.tests.ps1

@@ -3,6 +3,32 @@
 #endregion
 
 Describe 'New-StigCheckList' {
+
+    configuration Example
+    {
+        param
+        (
+            [parameter()]
+            [string]
+            $NodeName = "localhost"
+        )
+
+        Import-DscResource -ModuleName PowerStig
+
+        Node $NodeName
+        {
+            WindowsServer BaseLine
+            {
+                OsVersion   = "2019"
+                OsRole      = "MS"
+                SkipRuleType = "AccountPolicyRule","AuditPolicyRule","AuditSettingRule","DocumentRule","ManualRule","PermissionRule","SecurityOptionRule","UserRightRule","WindowsFeatureRule","ProcessMitigationRule","RegistryRule"
+            }
+        }
+    }
+    Example -OutputPath $TestDrive
+
+    $mofTest = '{0}{1}' -f $TestDrive.fullname,"\localhost.mof"
+
     # Test parameter validity -OutputPath
     It 'Should throw if an invalid path is provided' {
         {New-StigCheckList -MofFile 'test' -XccdfPath 'test' -OutputPath 'c:\asdf'} | Should -Throw
@@ -25,5 +51,14 @@ Describe 'New-StigCheckList' {
     It 'Should throw if an invalid combination of parameters for Xccdf validation is provided' {
         {New-StigCheckList -DscResult 'foo' -MofFile 'bar' -OutputPath 'C:\Test'} | Should -Throw
     }
+
+    It 'Generate a checklist given correct parameters' {
+
+        {
+            $outputPath = Join-Path $Testdrive -ChildPath Checklist.ckl
+            $xccdfPath = ((Get-ChildItem -Path $script:moduleRoot\StigData\Archive -Include *xccdf.xml -Recurse | Where-Object -Property Name -Match "Server_2019_MS")[1]).FullName
+            New-StigChecklist -ReferenceConfiguration $mofTest -XccdfPath $xccdfPath -OutputPath $outputPath
+        } | Should -Not -Throw
+    }
 }