From 6083e139ae93eef6aa28b7050620db66f2a2b87e Mon Sep 17 00:00:00 2001
From: Brian Wilhite
Date: Mon, 30 Aug 2021 08:33:15 -0400
Subject: [PATCH 1/4] updated code to better handle NULL Id (#968)
---
 CHANGELOG.md | 2 +
 .../windows.UserRightsAssignment.ps1 | 38 +++++++++++--------
 2 files changed, 25 insertions(+), 15 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index fa8e13a03..2c8c3b081 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,8 @@
 ## [Unreleased]
+* Fixed: Windows Server 2019 V2R1 V-205763 generating an exception [#827](https://github.com/microsoft/PowerStig/issues/827)
+
 ## [4.10.0] - 2021-08-20
 * Update PowerSTIG to Parse/Apply SQL Server 2016 Instance V2R4 STIG: [#959](https://github.com/microsoft/PowerStig/issues/959)
diff --git a/source/DSCResources/Resources/windows.UserRightsAssignment.ps1 b/source/DSCResources/Resources/windows.UserRightsAssignment.ps1
index 9dbabf596..1c0737ea9 100644
--- a/source/DSCResources/Resources/windows.UserRightsAssignment.ps1
+++ b/source/DSCResources/Resources/windows.UserRightsAssignment.ps1
@@ -33,25 +33,33 @@ if ($DomainName -and $ForestName)
 foreach ($rule in $rules)
 {
 Write-Verbose -Message $rule
- $identitySplit = $rule.Identity -split ","
- [System.Collections.ArrayList] $identityList = @()
- foreach ($identity in $identitySplit)
+ if ($rule.Identity -eq 'NULL')
 {
- if (-not ([string]::IsNullorWhitespace($domainName)) -and $domainGroupTranslation.Contains($identity))
- {
- [void] $identityList.Add($domainGroupTranslation.$identity -f $DomainName )
- }
- elseif (-not ([string]::IsNullorWhitespace($forestName)) -and $forestGroupTranslation.Contains($identity))
- {
- [void] $identityList.Add($forestGroupTranslation.$identity -f $ForestName )
- }
- # Default to adding the identify as provided for any non-default identities.
- else
+ $identityList = $null
+ }
+ else
+ {
+ $identitySplit = $rule.Identity -split ","
+ [System.Collections.ArrayList] $identityList = @()
+
+ foreach ($identity in $identitySplit)
 {
- if ($identity -notmatch "Schema Admins|Enterprise Admins|security|Domain Admins|auditors")
+ if (-not ([string]::IsNullorWhitespace($domainName)) -and $domainGroupTranslation.Contains($identity))
+ {
+ [void] $identityList.Add($domainGroupTranslation.$identity -f $DomainName )
+ }
+ elseif (-not ([string]::IsNullorWhitespace($forestName)) -and $forestGroupTranslation.Contains($identity))
+ {
+ [void] $identityList.Add($forestGroupTranslation.$identity -f $ForestName )
+ }
+ # Default to adding the identify as provided for any non-default identities.
+ else
 {
- [void] $identityList.Add($identity)
+ if ($identity -notmatch "Schema Admins|Enterprise Admins|security|Domain Admins|auditors")
+ {
+ [void] $identityList.Add($identity)
+ }
 }
 }
 }
From 67acd9891c388de964c20006e9a0b7e4bfc4d8ce Mon Sep 17 00:00:00 2001
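Review bot: The new `'NULL'` branch hands `$null` to the resource's `Identity` without saying what the sentinel means, so a reader of this hunk cannot tell whether an empty assignment (no account holds the right) is the intent or an accident. A comment on the `if ($rule.Identity -eq 'NULL')` line such as `# STIG uses the literal 'NULL' for "no account may hold this right"; pass $null so the resource ends up with an empty assignment` would state the contract, and it is worth confirming against the resource that `$null` is treated as "no identities" rather than "leave unchanged", since with `Force` set that is the difference between enforcing and skipping the control. Separately, the rewritten `else` branch still drops an identity that matches the `-notmatch` list when `$DomainName` or `$ForestName` is blank and no translation applied, with only the per-rule `Write-Verbose` as a trace; a `Write-Warning` naming the dropped identity would make a silently narrowed allow/deny list visible to the operator. `foreach ($rule in $rules)` closes outside the hunk.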
From: Brian Wilhite
Date: Mon, 30 Aug 2021 15:17:42 -0400
Subject: [PATCH 2/4] Fixed: PowerSTIG should honor Boolean with all composite resources (#970)
* fixed bool composite issue
* fixed typo
* adjusted test case for string instead of bool
---
 CHANGELOG.md | 1 +
 Tests/Unit/Module/UserRightRule.tests.ps1 | 24 +++++++++----------
 .../Resources/Vsphere.VmHostService.ps1 | 5 +++-
 .../windows.UserRightsAssignment.ps1 | 5 +++-
 .../Resources/windows.WindowsEventLog.ps1 | 5 +++-
 .../Rule.Permission/PermissionRule.psm1 | 2 +-
 .../Module/Rule.UserRight/UserRightRule.psm1 | 2 +-
 .../VsphereServiceRule.psm1 | 2 +-
 .../Rule.WinEventLog/WinEventLogRule.psm1 | 2 +-
 9 files changed, 29 insertions(+), 19 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2c8c3b081..86e7dfb31 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@
 ## [Unreleased]
 * Fixed: Windows Server 2019 V2R1 V-205763 generating an exception [#827](https://github.com/microsoft/PowerStig/issues/827)
+* Fixed: PowerSTIG should honor Boolean with all composite resources [#969](https://github.com/microsoft/PowerStig/issues/969)
 ## [4.10.0] - 2021-08-20
diff --git a/Tests/Unit/Module/UserRightRule.tests.ps1 b/Tests/Unit/Module/UserRightRule.tests.ps1
index 62226c96f..1975d4d16 100644
--- a/Tests/Unit/Module/UserRightRule.tests.ps1
+++ b/Tests/Unit/Module/UserRightRule.tests.ps1
@@ -11,7 +11,7 @@ try
 DisplayName = 'Deny access to this computer from the network'
 Constant = 'SeDenyNetworkLogonRight'
 Identity = 'Guests'
- Force = $false
+ Force = 'false'
 OrganizationValueRequired = $false
 CheckContent = 'Run "gpedit.msc".
@@ -25,7 +25,7 @@ try
 DisplayName = 'Access this computer from the network'
 Constant = 'SeNetworkLogonRight'
 Identity = 'Administrators,Authenticated Users,Enterprise Domain Controllers'
- Force = $true
+ Force = 'true'
 OrganizationValueRequired = $false
 CheckContent = 'Run "gpedit.msc".
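Review bot: The fixtures now pin only the lowercase string forms `'true'`/`'false'` for `Force`; nothing in this test file covers a value that `[bool]::TryParse` rejects (an empty or misspelled string), which is exactly the case the composites in this patch turn into `$false` by discarding the parse result. One extra fixture with `Force = ''` and an assertion on how `UserRightRule` surfaces it would record whichever outcome is intended rather than leaving it to the composites. The enclosing `try` block starts outside the hunk.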
@@ -41,7 +41,7 @@ try
 DisplayName = 'Debug programs'
 Constant = 'SeDebugPrivilege'
 Identity = 'Administrators'
- Force = $true
+ Force = 'true'
 OrganizationValueRequired = $false
 CheckContent = 'Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc".
@@ -56,7 +56,7 @@ try
 DisplayName = 'Create a token object'
 Constant = 'SeCreateTokenPrivilege'
 Identity = 'NULL'
- Force = $true
+ Force = 'true'
 OrganizationValueRequired = $false
 CheckContent = 'Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc".
@@ -69,7 +69,7 @@ try
 DisplayName = 'Access Credential Manager as a trusted caller'
 Constant = 'SeTrustedCredManAccessPrivilege'
 Identity = 'NULL'
- Force = $true
+ Force = 'true'
 OrganizationValueRequired = $false
 CheckContent = 'Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc".
@@ -82,7 +82,7 @@ try
 DisplayName = 'Deny log on as a service'
 Constant = 'SeDenyServiceLogonRight'
 Identity = 'NULL'
- Force = $true
+ Force = 'true'
 OrganizationValueRequired = $false
 CheckContent = 'Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc".
@@ -95,7 +95,7 @@ try
 DisplayName = 'Manage auditing and security log'
 Constant = 'SeSecurityPrivilege'
 Identity = 'Administrators'
- Force = $true
+ Force = 'true'
 OrganizationValueRequired = $false
 CheckContent = 'Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc".
@@ -121,7 +121,7 @@ try
 DisplayName = 'Take ownership of files or other objects'
 Constant = 'SeTakeOwnershipPrivilege'
 Identity = 'Administrators'
- Force = $true
+ Force = 'true'
 OrganizationValueRequired = $false
 CheckContent = 'Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc".
@@ -136,7 +136,7 @@ try
 DisplayName = 'Lock pages in memory'
 Constant = 'SeLockMemoryPrivilege'
 Identity = 'NULL'
- Force = $true
+ Force = 'true'
 OrganizationValueRequired = $false
 CheckContent = 'Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc".
@@ -149,7 +149,7 @@ try
 DisplayName = 'Deny log on through Remote Desktop Services'
 Constant = 'SeDenyRemoteInteractiveLogonRight'
 Identity = 'Enterprise Admins,Domain Admins,Local account,Guests'
- Force = $false
+ Force = 'false'
 OrganizationValueRequired = $false
 CheckContent = 'Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc".
@@ -176,7 +176,7 @@ try
 DisplayName = 'Deny log on locally'
 Constant = 'SeDenyInteractiveLogonRight'
 Identity = 'Enterprise Admins,Domain Admins,Guests'
- Force = $false
+ Force = 'false'
 OrganizationValueRequired = $false
 CheckContent = 'Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc".
@@ -198,7 +198,7 @@ try
 DisplayName = 'Access this computer from the network'
 Constant = 'SeNetworkLogonRight'
 Identity = 'Administrators,Authenticated Users,Enterprise Domain Controllers'
- Force = $true
+ Force = 'true'
 OrganizationValueRequired = $false
 CheckContent = 'This applies to domain controllers. It is NA for other systems.
diff --git a/source/DSCResources/Resources/Vsphere.VmHostService.ps1 b/source/DSCResources/Resources/Vsphere.VmHostService.ps1
index dc8530ab4..6c87e78ce 100644
--- a/source/DSCResources/Resources/Vsphere.VmHostService.ps1
+++ b/source/DSCResources/Resources/Vsphere.VmHostService.ps1
@@ -5,12 +5,15 @@ $rules = $stig.RuleList | Select-Rule -Type 'VsphereServiceRule'
 foreach ($rule in $rules)
 {
+ $ruleRunning = $null
+ [void][bool]::TryParse($rule.Running, [ref] $ruleRunning)
+
 VmHostService (Get-ResourceTitle -Rule $rule)
 {
 Name = $HostIP
 Server = $ServerIP
 Credential = $Credential
- Running = $rule.Running
+ Running = $ruleRunning
 Key = $rule.Key
 Policy = $rule.Policy
 }
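Review bot: `[void][bool]::TryParse($rule.Running, [ref] $ruleRunning)` throws away the parse result, so a `Running` value that is empty or not a recognised boolean leaves `$ruleRunning` at `$false` and the rule is applied as if the STIG had asked for the service to be stopped; the same discarded-result pattern is used for `$ruleForce` in windows.UserRightsAssignment.ps1 and `$ruleIsEnabled` in windows.WindowsEventLog.ps1, where a bad value silently becomes `Force = $false` or `IsEnabled = $false`. Because a data error then looks like a clean, compliant apply, the failure should be loud: `if (-not [bool]::TryParse($rule.Running, [ref] $ruleRunning)) { throw "Unable to parse Running value '$($rule.Running)' for $(Get-ResourceTitle -Rule $rule)" }`, and likewise in the other two composites. If defaulting an absent value to `$false` is the intended behaviour, a comment on the `TryParse` line saying so would at least make it a deliberate choice rather than an accident of the API. `foreach ($rule in $rules)` closes outside the hunk.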
diff --git a/source/DSCResources/Resources/windows.UserRightsAssignment.ps1 b/source/DSCResources/Resources/windows.UserRightsAssignment.ps1
index 1c0737ea9..948d861f1 100644
--- a/source/DSCResources/Resources/windows.UserRightsAssignment.ps1
+++ b/source/DSCResources/Resources/windows.UserRightsAssignment.ps1
@@ -64,10 +64,13 @@ foreach ($rule in $rules)
 }
 }
+ $ruleForce = $null
+ [void][bool]::TryParse($rule.Force, [ref] $ruleForce)
+
 UserRightsAssignment (Get-ResourceTitle -Rule $rule)
 {
 Policy = ($rule.DisplayName -replace " ", "_")
 Identity = $identityList
- Force = [bool] $rule.Force
+ Force = $ruleForce
 }
 }
diff --git a/source/DSCResources/Resources/windows.WindowsEventLog.ps1 b/source/DSCResources/Resources/windows.WindowsEventLog.ps1
index 7c4446b42..402eb86dd 100644
--- a/source/DSCResources/Resources/windows.WindowsEventLog.ps1
+++ b/source/DSCResources/Resources/windows.WindowsEventLog.ps1
@@ -5,9 +5,12 @@ $rules = $stig.RuleList | Select-Rule -Type WinEventLogRule
 foreach ( $rule in $rules )
 {
+ $ruleIsEnabled = $null
+ [void][bool]::TryParse($rule.IsEnabled, [ref] $ruleIsEnabled)
+
 WindowsEventLog (Get-ResourceTitle -Rule $rule)
 {
 LogName = $rule.LogName
- IsEnabled = [boolean]$($rule.IsEnabled)
+ IsEnabled = $ruleIsEnabled
 }
 }
diff --git a/source/Module/Rule.Permission/PermissionRule.psm1 b/source/Module/Rule.Permission/PermissionRule.psm1
index 5d4b74ca1..93f427090 100644
--- a/source/Module/Rule.Permission/PermissionRule.psm1
+++ b/source/Module/Rule.Permission/PermissionRule.psm1
@@ -20,7 +20,7 @@ class PermissionRule : Rule
 {
 [string] $Path
 [object[]] $AccessControlEntry <#(ExceptionValue)#>
- [bool] $Force
+ [string] $Force
 <#
 .SYNOPSIS
diff --git a/source/Module/Rule.UserRight/UserRightRule.psm1 b/source/Module/Rule.UserRight/UserRightRule.psm1
index 33e468097..cbca0bd23 100644
--- a/source/Module/Rule.UserRight/UserRightRule.psm1
+++ b/source/Module/Rule.UserRight/UserRightRule.psm1
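Review bot: `PermissionRule.$Force` changes from `[bool]` to `[string]`, but unlike the three rule types whose composites gain a `TryParse` in this patch, no permission composite appears in the diffstat, so whatever consumes `PermissionRule.Force` is not updated here. If that consumer still does `[bool] $rule.Force` — the pattern this very patch removes from windows.UserRightsAssignment.ps1 — then the string `'false'` is a non-empty string and coerces to `$true`, and every permission rule would be applied as forced, which on file and registry ACLs is the same class of bug the patch is fixing, only harder to notice. Before merging, check the composites for `$rule.Force` and either give the permission composite the same `TryParse` treatment or keep `[bool]` on this property until its consumer is changed. The `class PermissionRule` body continues outside the hunk.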
@@ -23,7 +23,7 @@ class UserRightRule : Rule
 [ValidateNotNullOrEmpty()] [string] $DisplayName
 [ValidateNotNullOrEmpty()] [string] $Constant
 [ValidateNotNullOrEmpty()] [string] $Identity <#(ExceptionValue)#>
- [bool] $Force = $false
+ [string] $Force = $false
 <#
 .SYNOPSIS
diff --git a/source/Module/Rule.VsphereService/VsphereServiceRule.psm1 b/source/Module/Rule.VsphereService/VsphereServiceRule.psm1
index 801dd205b..2bc4c92ef 100644
--- a/source/Module/Rule.VsphereService/VsphereServiceRule.psm1
+++ b/source/Module/Rule.VsphereService/VsphereServiceRule.psm1
@@ -20,7 +20,7 @@ class VsphereServiceRule : Rule
 {
 [string] $Key
 [string] $Policy
- [bool] $Running
+ [string] $Running
 <#
 .SYNOPSIS
diff --git a/source/Module/Rule.WinEventLog/WinEventLogRule.psm1 b/source/Module/Rule.WinEventLog/WinEventLogRule.psm1
index 5ae14d320..71f2c2571 100644
--- a/source/Module/Rule.WinEventLog/WinEventLogRule.psm1
+++ b/source/Module/Rule.WinEventLog/WinEventLogRule.psm1
@@ -17,7 +17,7 @@ using module .\..\Rule\Rule.psm1
 class WinEventLogRule : Rule
 {
 [string] $LogName
- [bool] $IsEnabled <#(ExceptionValue)#>
+ [string] $IsEnabled <#(ExceptionValue)#>
 <#
 .SYNOPSIS
From 85c96f2ba08fe5a84e06948c2559a4b3c94bf757 Mon Sep 17 00:00:00 2001
From: Brian Wilhite
Date: Tue, 31 Aug 2021 14:10:45 -0400
Subject: [PATCH 3/4] updating changelog and filehash for release
---
 CHANGELOG.md | 6 ++++--
 FILEHASH.md | 2 +-
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 86e7dfb31..35d075ebb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
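Review bot: `[string] $Force = $false` initialises a string property with a boolean literal, so the stored default is whatever PowerShell's conversion produces (the string `'False'`) rather than something the reader can see; `[string] $Force = 'false'` says what is actually stored and matches the fixture values used in the test file. The sibling properties `VsphereServiceRule.$Running` and `WinEventLogRule.$IsEnabled` get no default at all, so an omitted value stays `$null`, which the composites' `TryParse` then turns into `$false`; if that fallback is intended, a short comment on those properties (`# absent in STIG data means $false, see the composite's TryParse`) would record the decision where the next maintainer will look for it. The class bodies continue outside the hunks.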
@@ -2,8 +2,10 @@
 ## [Unreleased]
-* Fixed: Windows Server 2019 V2R1 V-205763 generating an exception [#827](https://github.com/microsoft/PowerStig/issues/827)
-* Fixed: PowerSTIG should honor Boolean with all composite resources [#969](https://github.com/microsoft/PowerStig/issues/969)
+## [4.10.1] - 2021-08-31
+
+* Fixed: Windows Server 2019 V2R1 V-205763 generating an exception: [#827](https://github.com/microsoft/PowerStig/issues/827)
+* Fixed: PowerSTIG should honor Boolean with all composite resources: [#969](https://github.com/microsoft/PowerStig/issues/969)
 ## [4.10.0] - 2021-08-20
diff --git a/FILEHASH.md b/FILEHASH.md
index 04d7a11ff..251deded0 100644
--- a/FILEHASH.md
+++ b/FILEHASH.md
@@ -1,4 +1,4 @@
-# PowerSTIG File Hashes : Module Version 4.10.0
+# PowerSTIG File Hashes : Module Version 4.10.1
 Hashes for **PowerSTIG** files are listed in the following table:
From 7f4dbab5f9a49faf9855f98f970ee454826cd8d2 Mon Sep 17 00:00:00 2001
From: hinderjd
Date: Fri, 29 Oct 2021 09:08:07 -0600
Subject: [PATCH 4/4] Update azure-pipelines.yml
---
 azure-pipelines.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
index d37b83fec..41fda2e38 100644
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@@ -155,7 +155,7 @@ stages:
 dependsOn: Test_Unit
 condition: succeededOrFailed()
 pool:
- vmImage: 'ubuntu 16.04'
+ vmImage: 'ubuntu 18.04'
 timeoutInMinutes: 0
 steps:
 - pwsh: |