Update PowerSTIG to Parse/Apply Google Chrome V2R1

CHANGELOG.md

@@ -8,9 +8,11 @@
 * Update PowerSTIG to successfully parse/apply Microsoft Windows Defender Antivirus STIG - Ver 2, Rel 1: [#786](https://github.com/microsoft/PowerStig/issues/786)
 * Update PowerSTIG to successfully parse/apply Microsoft Windows Server 2016 STIG - Ver 2, Rel 1: [#782](https://github.com/microsoft/PowerStig/issues/782)
 * Update PowerSTIG to successfully parse/apply Microsoft Windows Server 2019 STIG - Ver 2, Rel 1  [#787](https://github.com/microsoft/PowerStig/issues/787)
+* Update PowerSTIG to successfully parse/apply Microsoft Windows 2012 and 2012 R2 DC STIG - Ver 3, Rel 1: [#784](https://github.com/microsoft/PowerStig/issues/784)
 * Update PowerSTIG to include LegacyId to assist in determining Legacy Vuln Ids with the new DISA standard: [#788](https://github.com/microsoft/PowerStig/issues/788)
 * Update PowerSTIG to include LegacyId query via Get-StigRule function: [#800](https://github.com/microsoft/PowerStig/issues/800)
 * Update PowerSTIG to fix LegacyId logic: [#791](https://github.com/microsoft/PowerStig/issues/791)
+* Update PowerSTIG to successfully parse/apply Google Chrome V1R19: [#709](https://github.com/microsoft/PowerStig/issues/709)
 
 ## [4.6.0] - 2020-12-01
 

Tests/Integration/DSCResources/Chrome.config.ps1

@@ -0,0 +1,57 @@
+configuration Chrome_config
+{
+    param
+    (
+        [Parameter()]
+        [AllowNull()]
+        [string]
+        $TechnologyVersion,
+
+        [Parameter()]
+        [AllowNull()]
+        [string]
+        $TechnologyRole,
+
+        [Parameter(Mandatory = $true)]
+        [version]
+        $StigVersion,
+
+        [Parameter()]
+        [string[]]
+        $SkipRule,
+
+        [Parameter()]
+        [string[]]
+        $SkipRuleType,
+
+        [Parameter()]
+        [string[]]
+        $SkipRuleSeverity,
+
+        [Parameter()]
+        [hashtable]
+        $Exception,
+
+        [Parameter()]
+        [object]
+        $OrgSettings,
+
+        [Parameter()]
+        [string[]]
+        $ResourceParameters
+    )
+
+    Import-DscResource -ModuleName PowerStig
+
+    Node localhost
+    {
+        $psboundParams = $PSBoundParameters
+        $psboundParams.Remove('TechnologyRole')
+        $psboundParams.Remove('ConfigurationData')
+        $psboundParams.Remove('TechnologyVersion')
+
+        $resourceParamString = New-ResourceParameterString -ResourceParameters $ResourceParameters -PSBoundParams $psboundParams
+        $resourceScriptBlockString = New-ResourceString -ResourceParameterString $resourceParamString -ResourceName Chrome
+        & ([scriptblock]::Create($resourceScriptBlockString))
+    }
+}

Tests/Integration/DSCResources/Chrome.integration.tests.ps1

@@ -0,0 +1,47 @@
+using module .\helper.psm1
+
+$script:DSCCompositeResourceName = ($MyInvocation.MyCommand.Name -split '\.')[0]
+. $PSScriptRoot\.tests.header.ps1
+
+$configFile = Join-Path -Path $PSScriptRoot -ChildPath "$($script:DSCCompositeResourceName).config.ps1"
+. $configFile
+
+$script:DSCCompositeResourceNameUpdate = "Google-{0}" -f ($MyInvocation.MyCommand.Name -split '\.')[0]
+$stigList = Get-StigVersionTable -CompositeResourceName $script:DSCCompositeResourceNameUpdate
+$resourceInformation = $global:getDscResource | Where-Object -FilterScript {$PSItem.Name -eq $script:DSCCompositeResourceName}
+$resourceParameters = $resourceInformation.Properties.Name
+
+foreach ($stig in $stigList)
+{
+    $orgSettingsPath = $stig.Path.Replace('.xml', '.org.default.xml')
+    $blankSkipRuleId = Get-BlankOrgSettingRuleId -OrgSettingPath $orgSettingsPath
+    $powerstigXml = [xml](Get-Content -Path $stig.Path) |
+        Remove-DscResourceEqualsNone | Remove-SkipRuleBlankOrgSetting -OrgSettingPath $orgSettingsPath
+
+    $skipRule = Get-Random -InputObject $powerstigXml.RegistryRule.Rule.id
+    $skipRuleType = $null
+    $expectedSkipRuleTypeCount = 0 + $blankSkipRuleId.Count
+
+    $skipRuleMultiple = Get-Random -InputObject $powerstigXml.RegistryRule.Rule.id -Count 2
+    $skipRuleTypeMultiple = $null
+    $expectedSkipRuleTypeMultipleCount = 0 + $blankSkipRuleId.Count
+
+    $singleSkipRuleSeverity = 'CAT_I'
+    $multipleSkipRuleSeverity = 'CAT_I', 'CAT_II'
+    $expectedSingleSkipRuleSeverity = Get-CategoryRule -PowerStigXml $powerstigXml -RuleCategory $singleSkipRuleSeverity
+    $expectedSingleSkipRuleSeverityCount = ($expectedSingleSkipRuleSeverity | Measure-Object).Count + $blankSkipRuleId.Count
+    $expectedMultipleSkipRuleSeverity = Get-CategoryRule -PowerStigXml $powerstigXml -RuleCategory $multipleSkipRuleSeverity
+    $expectedMultipleSkipRuleSeverityCount = ($expectedMultipleSkipRuleSeverity | Measure-Object).Count + $blankSkipRuleId.Count
+
+    $getRandomExceptionRuleParams = @{
+        RuleType       = 'RegistryRule'
+        PowerStigXml   = $powerstigXml
+        ParameterValue = 1234567
+    }
+    $exception = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1
+    $exceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2
+    $backCompatException = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 -BackwardCompatibility
+    $backCompatExceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 -BackwardCompatibility
+
+    . "$PSScriptRoot\Common.integration.ps1"
+}

source/DSCResources/Chrome/Chrome.psd1

@@ -0,0 +1,48 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+
+@{
+
+    # Script module or binary module file associated with this manifest.
+    RootModule = 'Chrome.schema.psm1'
+
+    # Version number of this module.
+    ModuleVersion = '1.0.0.0'
+
+    # ID used to uniquely identify this module
+    GUID = '30cee7e3-aa8b-4f11-bcfa-01b851eecae5'
+
+    # Author of this module
+    Author = 'Microsoft Corporation'
+
+    # Company or vendor of this module
+    CompanyName = 'Microsoft Corporation'
+
+    # Copyright statement for this module
+    Copyright = '(c) 2020 Microsoft Corporation. All rights reserved.'
+
+    # Description of the functionality provided by this module
+    Description = 'Composite DSC Resource for managing Google Chrome related DISA STIGs'
+
+    # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
+    FunctionsToExport = @('Chrome')
+
+    # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
+    CmdletsToExport = @()
+
+    # Variables to export from this module
+    VariablesToExport = '*'
+
+    # Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export.
+    AliasesToExport = @()
+
+    # Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell.
+    PrivateData = @{
+
+        PSData = @{
+
+        } # End of PSData hashtable
+
+    } # End of PrivateData hashtable
+
+}

source/DSCResources/Chrome/Chrome.schema.psm1

@@ -0,0 +1,77 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+
+using module ..\helper.psm1
+using module ..\..\PowerStig.psm1
+
+<#
+    .SYNOPSIS
+        A composite DSC resource to manage the Chrome STIG settings
+    .PARAMETER BrowserVersion
+        The version of the Browser the STIG applies to
+    .PARAMETER StigVersion
+        The version of the STIG to apply and monitor
+    .PARAMETER Exception
+        A hash table of key value pairs that are injected into the STIG data and applied to
+        the target node. The title of STIG setting is tagged with the text 'Exception' to identify
+        the exceptions to policy across the data center when you centralize DSC log collection.
+    .PARAMETER OrgSettings
+        The path to the xml file that contains the local organizations preferred settings for STIG
+        items that have allowable ranges.  The OrgSettings parameter also accepts a hashtable for
+        values that need to be modified.  When a hashtable is used, the specified values take
+        presidence over the values defined in the org.default.xml file.
+    .PARAMETER SkipRule
+        The SkipRule Node is injected into the STIG data and applied to the target node. The title
+        of STIG settings are tagged with the text 'Skip' to identify the skips to policy across the
+        data center when you centralize DSC log collection.
+    .PARAMETER SkipRuleType
+        All STIG rule IDs of the specified type are collected in an array and passed to the Skip-Rule
+        function. Each rule follows the same process as the SkipRule parameter.
+#>
+configuration Chrome
+{
+    [CmdletBinding()]
+    param
+    (
+        [Parameter()]
+        [ValidateNotNullOrEmpty()]
+        [version]
+        $StigVersion,
+
+        [Parameter()]
+        [ValidateNotNullOrEmpty()]
+        [hashtable]
+        $Exception,
+
+        [Parameter()]
+        [ValidateNotNullOrEmpty()]
+        [object]
+        $OrgSettings,
+
+        [Parameter()]
+        [ValidateNotNullOrEmpty()]
+        [string[]]
+        $SkipRule,
+
+        [Parameter()]
+        [ValidateNotNullOrEmpty()]
+        [string[]]
+        $SkipRuleType,
+
+        [Parameter()]
+        [ValidateSet('CAT_I', 'CAT_II', 'CAT_III')]
+        [string[]]
+        $SkipRuleSeverity
+    )
+
+    ##### BEGIN DO NOT MODIFY #####
+    $stig = [STIG]::New('Google','Chrome', $StigVersion)
+    $stig.LoadRules($OrgSettings, $Exception, $SkipRule, $SkipRuleType, $SkipRuleSeverity)
+    ##### END DO NOT MODIFY #####
+
+    Import-DscResource -ModuleName GPRegistryPolicyDsc -ModuleVersion 1.2.0
+    Import-DscResource -ModuleName PSDSCresources -ModuleVersion 2.12.0.0
+    . "$resourcePath\windows.Registry.ps1"
+    . "$resourcePath\windows.Script.skip.ps1"
+    . "$resourcePath\windows.RefreshRegistryPolicy.ps1"
+}

source/Module/Common/Functions.XccdfXml.ps1

@@ -429,6 +429,11 @@ function Split-BenchmarkId
             $returnId = 'OracleJRE_8'
             continue
         }
+        {$PSItem -match 'Google_Chrome_Current_Windows'}
+        {
+            $returnId = 'Google_Chrome'
+            continue
+        }
         {$PSItem -match "Windows"}
         {
             # The Windows Server 2012 and 2012 R2 STIGs are combined, so return the 2012R2

source/Module/Rule.Registry/Convert/Functions.SingleLine.ps1

@@ -53,6 +53,12 @@ function Get-SingleLineRegistryPath
     foreach ($item in $global:SingleLineRegistryPath.Values)
     {
         $value = Get-SLRegistryPath -CheckContent $CheckContent -Hashtable $item
+
+        if ($value  -match "HKEY_LOCAL_MACHINE.*Chrome\\")
+        {
+            $value  = $value.TrimEnd("\")
+        }
+
         if ([String]::IsNullOrEmpty($value) -eq $false)
         {
             return $value | where-object {[string]::IsNullOrEmpty($_) -eq $false}
@@ -259,9 +265,16 @@ function Get-RegistryValueTypeFromSLStig
     $valueName = Get-RegistryValueNameFromSingleLineStig -CheckContent $CheckContent
 
     # McAfee STIG isn't written in a way that ValueType can be detected via CheckContent and/or FixText
-    if ($CheckContent -match 'Wow6432Node\\McAfee')
+    if ($CheckContent -match 'Wow6432Node\\McAfee|Google\\Chrome')
     {
-        $valueType = 'DWORD'
+        if ($valueName -match "1|URLBlacklist")
+        {
+            $valueType = 'REG_MULTI_SZ'
+        }
+        else
+        {
+            $valueType = 'DWORD'
+        }
     }
     else
     {

source/Module/Rule.Registry/Convert/RegistryRule.Convert.psm1

@@ -369,7 +369,7 @@ class RegistryRuleConvert : RegistryRule
     {
         if ($null -eq $this.DuplicateOf)
         {
-            if ($FixText -match 'Administrative Templates' -or $this.key -match "(^hkcu|^HKEY_CURRENT_USER)")
+            if ($FixText -match 'Administrative Templates' -or $this.key -match "(^hkcu|^HKEY_CURRENT_USER)" -or $this.ValueName -match "RemoteAccessHostFirewallTraversal")
             {
                 $this.DscResource = 'RegistryPolicyFile'
             }
@@ -405,6 +405,10 @@ class RegistryRuleConvert : RegistryRule
             (
                 $CheckContent -Match "HKLM|HKCU" -and
                 $CheckContent -Match "REG_DWORD"
+            ) -or
+            (
+                $CheckContent -Match "regedit" -and
+                $CheckContent -Match "omnibox"
             )
         )
         {

source/Module/Rule/Convert/Data.Chrome.ps1

@@ -0,0 +1,24 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+
+<#
+    Instructions:  Use this file to add/update/delete regsitry expressions that are used accross 
+    multiple technologies files that are considered commonly used.  Ensure expressions are listed
+    from MOST Restrive to LEAST Restrictive, similar to exception handling.  Also, ensure only
+    UNIQUE Keys are used in each hashtable to prevent errors and conflicts.
+#>
+
+$global:SingleLineRegistryValueName += [ordered]@{
+    Chrome1 = @{
+        Select = '(?<=3. If the\s|\s")\w+(?=("\s|\s)value name|\skey)'
+    }
+}
+
+$global:SingleLineRegistryValueData += [ordered]@{
+    Chrome1 = @{
+        Select = "(?<=entries 1 set to )\w+\:\/\/\*"
+    }
+    Chrome2 = @{
+        Select = '(?<=its value data is not set to\s|\s\")\d+|\*'
+    }
+}

source/Module/STIG/Convert/Functions.PowerStigXml.ps1

@@ -156,7 +156,6 @@ function Get-RegistryRuleExpressions
                 {
                     $spInclude += "Data.Mcafee.ps1"
                 }
-
             }
         }
         else

source/PowerStig.psd1

@@ -59,6 +59,7 @@ DscResourcesToExport = @(
     'IisServer',
     'IisSite',
     'InternetExplorer',
+    'Chrome',
     'McAfee',
     'Office',
     'OracleJRE',

source/StigData/Archive/Chrome/U_Google_Chrome_STIG_V2R1_Manual-xccdf.log

@@ -0,0 +1,14 @@
+V-221561::3. If the value name DefaultPopupsSetting::3. If the DefaultPopupsSetting value name 
+V-221562::3. If the a registry value name of 1 does not exist under that key or its value is not set to *::3. If the 1 value name does not exist under that key or its value data is not set to *
+V-221582::3. If this key "DefaultPluginsSetting"::3. If the "DefaultPluginsSetting" value name
+V-221597::3. If the “::3. If the "
+V-221599::3. If the key "DeveloperToolsAvailability"::3. If the "DeveloperToolsAvailability" value name
+V-221596::3. If the “AutoplayWhitelist” key::If the "AutoplayWhitelist" value name
+V-221563::*::HardCodedRule(RegistryRule)@{DscResource = 'RegistryPolicyFile'; Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\ExtensionInstallWhitelist'; ValueName = 'ExtensionInstallWhitelist'; ValueType = 'MultiString';  ValueData = $null; OrganizationValueTestString = "{0} -eq '1 | oiigbmnaadbkfbmpbfijlflahbdbdgdf | a list of administrator-approved extension IDs'"}
+V-221564::*::HardCodedRule(RegistryRule)@{DscResource = 'RegistryPolicyFile'; Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome'; ValueName = 'DefaultSearchProviderName'; ValueType = 'String';  ValueData = $null; OrganizationValueTestString = "{0} -eq 'an organization approved encrypted search provider'"}
+V-221565::*::HardCodedRule(RegistryRule)@{DscResource = 'RegistryPolicyFile'; Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome'; ValueName = 'DefaultSearchProviderSearchURL'; ValueType = 'String';  ValueData = $null; OrganizationValueTestString = "{0} -eq 'an organization-approved encrypted search string'"}
+V-221585::*::HardCodedRule(RegistryRule)@{DscResource = 'RegistryPolicyFile'; Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome'; ValueName = 'PluginsAllowedForUrls'; ValueType = 'MultiString';  ValueData = $null; OrganizationValueTestString = "{0} -eq 'a list of administrator approved URLs'"}
+V-221588::*::HardCodedRule(RegistryRule)@{DscResource = 'RegistryPolicyFile'; Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome'; ValueName = 'DownloadRestrictions'; ValueType = 'Dword';  ValueData = $null; OrganizationValueTestString = "{0} -eq '1|2'"}
+V-221596::*::HardCodedRule(RegistryRule)@{DscResource = 'RegistryPolicyFile'; Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome'; ValueName = 'AutoplayWhitelist'; ValueType = 'MultiString';  ValueData = $null; OrganizationValueTestString = "{0} -eq 'a list of administrator-approved URLs"}
+V-221589::*::HardCodedRule(RegistryRule)@{DscResource = 'RegistryPolicyFile'; Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome'; ValueName = 'SSLVersionMin'; ValueType = 'String';  ValueData = 'tls1.1'}
+V-221583::*::HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Absent'; Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CookiesSessionOnlyForUrls'}

source/StigData/Processed/Google-Chrome-2.1.org.default.xml

@@ -0,0 +1,21 @@
+<!--
+    The organizational settings file is used to define the local organizations
+    preferred setting within an allowed range of the STIG.
+
+    Each setting in this file is linked by STIG ID and the valid range is in an
+    associated comment.
+-->
+<OrganizationalSettings fullversion="2.1">
+  <!-- Ensure 'V-221563' -eq '1 | oiigbmnaadbkfbmpbfijlflahbdbdgdf | a list of administrator-approved extension IDs'-->
+  <OrganizationalSetting id="V-221563" ValueData="1" />
+  <!-- Ensure 'V-221564' -eq 'an organization approved encrypted search provider'-->
+  <OrganizationalSetting id="V-221564" ValueData="" />
+  <!-- Ensure 'V-221565' -eq 'an organization-approved encrypted search string'-->
+  <OrganizationalSetting id="V-221565" ValueData="" />
+  <!-- Ensure 'V-221585' -eq 'a list of administrator approved URLs'-->
+  <OrganizationalSetting id="V-221585" ValueData="" />
+  <!-- Ensure 'V-221588' -eq '1|2'-->
+  <OrganizationalSetting id="V-221588" ValueData="1" />
+  <!-- Ensure 'V-221596' -eq 'a list of administrator-approved URLs-->
+  <OrganizationalSetting id="V-221596" ValueData="" />
+</OrganizationalSettings>