Provide Method to install DoD Root Certs for Server and Client OS (#775)

* initial commit

* updated changelog

* added unit test

* updated module import

* updated composite

* updated after testing

* updated tests

* updated coverted stig

* updated integration tests

* updated based on testing

* updated changelog to kick

* updated due to missing cert on 2019 stigs

* update to build.yaml

* updated based on comments

* updated based on test

* updated based on PR feedback

CHANGELOG.md

@@ -2,6 +2,7 @@
 
 ## [Unreleased]
 
+* Provide Method to install DoD Root Certs for Server OS and Client OS: [#755](https://github.com/microsoft/PowerStig/issues/755)
 * Update PowerSTIG to send a warning to the user when using a composite that leverages the new DISA Ids: [#772](https://github.com/microsoft/PowerStig/issues/772)
 * Update PowerSTIG to successfully parse/apply Microsoft Office System 2013 STIG - Ver 2, Rel 1: [#769](https://github.com/microsoft/PowerStig/issues/769)
 * Update PowerSTIG to successfully parse/apply Microsoft Windows 2012 Server DNS STIG - Ver 2, Rel 1: [#760](https://github.com/microsoft/PowerStig/issues/760)

Tests/Integration/Module/RootCertificateRule.Integration.tests.ps1

@@ -0,0 +1,94 @@
+#region Header
+. $PSScriptRoot\.tests.header.ps1
+#endregion
+
+try
+{
+    $stigRulesToTest = @(
+        @{
+            CertificateName = 'US DoD CCEB Interoperability Root CA 2'
+            Thumbprint      = '929BF3196896994C0A201DF4A5B71F603FEFBF2E'
+            CheckContent    = 'Verify the US DoD CCEB Interoperability Root CA cross-certificate is installed on unclassified systems as an Untrusted Certificate.
+
+            Run "PowerShell" as an administrator.
+            
+            Execute the following command:
+            
+            Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter
+            
+            If the following certificate "Subject", "Issuer", and "Thumbprint", information is not displayed, this is finding.
+            
+            If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding.
+            
+            Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US
+            Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US
+            Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E
+            NotAfter: 9/27/2019
+            
+            Alternately use the Certificates MMC snap-in:
+            
+            Run "MMC".
+            
+            Select "File", "Add/Remove Snap-in".
+            
+            Select "Certificates", click "Add".
+            
+            Select "Computer account", click "Next".
+            
+            Select "Local computer: (the computer this console is running on)", click "Finish".
+            
+            Click "OK".
+            
+            Expand "Certificates" and navigate to "Untrusted Certificates >> Certificates".
+            
+            For each certificate with "US DoD CCEB Interoperability Root CA …" under "Issued By":
+            
+            Right-click on the certificate and select "Open".
+            
+            Select the "Details" Tab.
+            
+            Scroll to the bottom and select "Thumbprint".
+            
+            If the certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding.
+            
+            If an expired certificate ("Valid to" date) is not listed in the results, this is not a finding.
+            
+            Issued To: DoD Root CA 3
+            Issuer by: US DoD CCEB Interoperability Root CA 2
+            Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E
+            Valid: Friday, September 27, 2019'
+        }
+    )
+
+    Describe 'RootCertificate Rule Conversion' {
+
+        foreach ($stig in $stigRulesToTest)
+        {
+            [xml] $stigRule = Get-TestStigRule -CheckContent $stig.CheckContent -XccdfTitle 'IIS'
+            $TestFile = Join-Path -Path $TestDrive -ChildPath 'TextData.xml'
+            $stigRule.Save( $TestFile )
+            $rule = ConvertFrom-StigXccdf -Path $TestFile
+
+            It 'Should return an RootCertificateRule  Object' {
+                $rule.GetType() | Should Be 'RootCertificateRule'
+            }
+            It "Should return Thumbprint '$($stig.Thumbprint)'" {
+                $rule.Thumbprint | Should Be $stig.Thumbprint
+            }
+            It "Should return Certificate Name '$($stig.CertificateName)'" {
+                $rule.CertificateName| Should Be $stig.CertificateName
+            }
+            It "Should set the correct DscResource" {
+                $rule.DscResource | Should Be 'CertificateDSC'
+            }
+            It 'Should Set the status to pass' {
+                $rule.ConversionStatus | Should Be 'pass'
+            }
+        }
+    }
+}
+
+finally
+{
+    . $PSScriptRoot\.tests.footer.ps1
+}

Tests/Unit/Module/RootCertificateRule.tests.ps1

@@ -0,0 +1,78 @@
+#region Header
+. $PSScriptRoot\.tests.header.ps1
+#endregion
+
+try
+{
+    InModuleScope -ModuleName "$($global:moduleName).Convert" {
+        #region Test Setup
+        $testRuleList = @(
+            @{
+                CertificateName = "US DoD CCEB Interoperability Root CA 2"
+                Thumbprint = "929BF3196896994C0A201DF4A5B71F603FEFBF2E"
+                OrganizationValueRequired = $true
+                OrganizationValueTestString = "location for US DoD CCEB Interoperability Root CA 2 certificate is present"
+                CheckContent = 'Verify the US DoD CCEB Interoperability Root CA cross-certificate is installed on unclassified systems as an Untrusted Certificate.
+
+                Run "PowerShell" as an administrator.
+                
+                Execute the following command:
+                
+                Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter
+                
+                If the following certificate "Subject", "Issuer", and "Thumbprint", information is not displayed, this is finding. 
+                
+                If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding.
+                
+                Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US
+                Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US
+                Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E
+                NotAfter: 9/27/2019
+                
+                Alternately use the Certificates MMC snap-in:
+                
+                Run "MMC".
+                
+                Select "File", "Add/Remove Snap-in".
+                
+                Select "Certificates", click "Add".
+                
+                Select "Computer account", click "Next".
+                
+                Select "Local computer: (the computer this console is running on)", click "Finish".
+                
+                Click "OK".
+                
+                Expand "Certificates" and navigate to "Untrusted Certificates >> Certificates".
+                
+                For each certificate with "US DoD CCEB Interoperability Root CA …" under "Issued By":
+                
+                Right-click on the certificate and select "Open".
+                
+                Select the "Details" Tab.
+                
+                Scroll to the bottom and select "Thumbprint".
+                
+                If the certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding.
+                
+                If an expired certificate ("Valid to" date) is not listed in the results, this is not a finding.
+                
+                Issued To: DoD Root CA 3
+                Issuer by: US DoD CCEB Interoperability Root CA 2
+                Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E
+                Valid: Friday, September 27, 2019'
+
+            }
+        )
+        #endregion
+
+        foreach ($testRule in $testRuleList)
+        {
+            . $PSScriptRoot\Convert.CommonTests.ps1
+        }
+    }
+}
+finally
+{
+    . $PSScriptRoot\.tests.footer.ps1
+}

build.yaml

@@ -63,6 +63,7 @@ DscTest:
   ExcludeTag:
     - "Common Tests - New Error-Level Script Analyzer Rules"
     - "Common Tests - Validate Localization"
+    - "Changelog"
   Tag:
   ExcludeSourceFile:
     - output

source/DSCResources/Resources/windows.RootCertificate.ps1

@@ -0,0 +1,24 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+
+$rules = Select-Rule -RuleList $stig.RuleList -Type RootCertificateRule
+
+foreach ($rule in $rules)
+{
+    if ($rule.CertificateName -match "Interoperability")
+    {
+        $storeLocation = 'Disallowed'
+    }
+    else
+    {
+        $storeLocation = 'Root'
+    }
+
+    CertificateImport (Get-ResourceTitle -Rule $rule)
+    {
+        Thumbprint = $rule.Thumbprint
+        Location   = 'LocalMachine'
+        Store      = $storeLocation
+        Path       = $rule.Location
+    }
+}

source/DSCResources/WindowsClient/WindowsClient.schema.psm1

@@ -112,5 +112,8 @@ configuration WindowsClient
     Import-DscResource -ModuleName AuditSystemDsc -ModuleVersion 1.1.0
     . "$resourcePath\windows.AuditSetting.ps1"
 
+    Import-DscResource -ModuleName CertificateDsc -ModuleVersion 5.0.0
+    . "$resourcePath\windows.RootCertificate.ps1"
+
     . "$resourcePath\windows.RefreshRegistryPolicy.ps1"
 }

source/DSCResources/WindowsServer/WindowsServer.schema.psm1

@@ -121,5 +121,8 @@ configuration WindowsServer
     Import-DscResource -ModuleName AuditSystemDsc -ModuleVersion 1.1.0
     . "$resourcePath\windows.AuditSetting.ps1"
 
+    Import-DscResource -ModuleName CertificateDsc -ModuleVersion 5.0.0
+    . "$resourcePath\windows.RootCertificate.ps1"
+
     . "$resourcePath\windows.RefreshRegistryPolicy.ps1"
 }