- Add support for a new app server
- Add a new audit rule
- Add a new report template
- Extract input data for IIS
Follow these steps.
Step 1:
Add a new audit rules JSON file in this folder, following this naming convention.
Ex: apache.json
Step 2:
Add the technology to this enumeration, using the uppercase name of the technology as the enum name of the new item (continue the integer sequence for the value of the new item).
Ex: APACHE
Step 3:
Add a new dedicated parsing function in this module using this name and signature: def parse_config_data_[technology_lowercase](config_file_name, audit_rules)
Ex: parse_config_data_apache(config_file_name, audit_rules)
Step 4:
Add a new condition for the new technology in this block of the main function.
An audit rule is based on one or several regular expressions. For each supported technology, three files are involved:
- Reference audit rules: the audit rules are defined in this file.
- Triggering test config: the test configuration snippets that trigger all the rules are defined in this file.
- No triggering test config: the test configuration snippets that trigger NO rules are defined in this file.
Follow these steps.
Step 1:
Add a new rule block in the reference audit rules, following this naming convention.
Step 2:
Add a configuration snippet to the triggering test config that will trigger the rule added.
Step 3:
Add a configuration snippet to the no triggering test config that will NOT trigger the rule added.
Step 4:
Run the following command line to ensure that your configuration is valid:
$ pytest
✅ If all unit tests pass then your new rule is correctly added.
This helper site can be used to debug a regex.
The following Python script can be used to test an audit rule (regex), for example once it was created using a helper site like regex101.com:
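The two procedures above (registering a parse_config_data_[technology] function, then proving each rule with a triggering and a non-triggering snippet) can be exercised end to end. The following script is an added example, not the project's own code: the JSON rule schema (a list of objects with "id" and "regex"), the rule ids and the Apache snippets are all constructed for the example; only the function signature and the regex flags (re.DOTALL | re.MULTILINE, applied through findall()) come from this page.

```python
import json
import os
import re
import tempfile

# Constructed audit rules file. The schema (list of {"id", "regex"}) is an
# assumption for this example; the project's real rule layout is not shown here.
SAMPLE_AUDIT_RULES_JSON = json.dumps([
    {"id": "APACHE-001", "regex": r"^\s*ServerTokens\s+(Full|OS|Major|Minor|Min)\s*$"},
    {"id": "APACHE-002", "regex": r"^\s*TraceEnable\s+On\s*$"},
])

# Constructed snippets playing the role of the triggering / no triggering test configs.
TRIGGERING_CONFIG = "ServerTokens Full\nTraceEnable On\n"
NO_TRIGGERING_CONFIG = "ServerTokens Prod\nTraceEnable Off\n"


def load_audit_rules(rules_file_name):
    """Load the rules JSON and pre-compile every regex with the tool's flags."""
    with open(rules_file_name, "r") as f:
        rules = json.load(f)
    for rule in rules:
        rule["pattern"] = re.compile(rule["regex"], re.DOTALL | re.MULTILINE)
    return rules


def parse_config_data_apache(config_file_name, audit_rules):
    """Follows the signature required by Step 3 of "add a new app server".

    Returns a dict mapping rule id -> findall() results. An empty list means the
    rule did not trigger. Note that findall() yields the captured groups (not the
    whole match) as soon as the regex contains a group, as APACHE-001 shows."""
    with open(config_file_name, "r") as f:
        content = f.read()
    return {rule["id"]: rule["pattern"].findall(content) for rule in audit_rules}


def triggered_rule_ids(results):
    return sorted(rule_id for rule_id, matches in results.items() if matches)


def check_rule_set(rules_json, triggering_config, no_triggering_config):
    """Mirror of Steps 2-4 of "add a new audit rule": every rule must fire on the
    triggering snippet and none on the other one. Returns (all_fired, none_fired)."""
    with tempfile.TemporaryDirectory() as workdir:
        rules_path = os.path.join(workdir, "apache.json")
        yes_path = os.path.join(workdir, "triggering.conf")
        no_path = os.path.join(workdir, "no_triggering.conf")
        for path, text in ((rules_path, rules_json), (yes_path, triggering_config), (no_path, no_triggering_config)):
            with open(path, "w") as f:
                f.write(text)
        rules = load_audit_rules(rules_path)
        expected = sorted(rule["id"] for rule in rules)
        fired_yes = triggered_rule_ids(parse_config_data_apache(yes_path, rules))
        fired_no = triggered_rule_ids(parse_config_data_apache(no_path, rules))
    return fired_yes == expected, fired_no == []


if __name__ == "__main__":
    # Expected: (True, True) for the constructed rules and snippets above.
    print(check_rule_set(SAMPLE_AUDIT_RULES_JSON, TRIGGERING_CONFIG, NO_TRIGGERING_CONFIG))
```

Feeding the triggering snippet as the "no triggering" config makes check_rule_set return (True, False), which is exactly the failure the pytest run of Step 4 is meant to catch: a rule whose regex is too permissive still "works" on the positive snippet and only the negative snippet exposes it.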
Script:
import re, sys
# Take the regex to test as parameter
current_regex = sys.argv[1]
# Read the configuration against which the regex must be tested
with open("test-configuration.txt", "r") as f:
    content = f.read()
# Display the regex received, which will be applied below
print(f"[+] Regex:\n{current_regex}")
# Apply the regex using the same code as the tool
pattern = re.compile(current_regex, re.DOTALL | re.MULTILINE)
identified = pattern.findall(content)
# Display the results found
print("[+] findall() results:")
print(identified)
Usage example:
$ python test.py "Export-DataPoint71=.*('Status':'Missing','Property':'Strict-Transport-Security')"
[+] Regex:
Export-DataPoint71=.*('Status':'Missing','Property':'Strict-Transport-Security')
[+] findall() results:
["'Status':'Missing','Property':'Strict-Transport-Security'"]
Regarding regex101.com, pay attention to the following points:
Point 1: Set the FLAVOR flag to Python.
Point 2: All group matches will be captured by the tool.
Templates use the JINJA template engine; the syntax is available here.
Each template receives an instance of the object ReportData in its context at runtime, under the variable named data, in order to give it data to render.
A reference to the package os.path, under the variable named util_file, is passed in order to allow the report to work with filenames in case of need.
A reference to the function datetime.datetime.now(), under the variable named util_date, is passed in order to allow the report to work with the current date/time in case of need.
.txt
ℹ️ Report example.
Add a new text file in the folder templates with this naming convention: template_[identifier].txt, where identifier is a word that indicates the format and a qualifier for the type of report. The syntax expected for the identifier is [a-z0-9_]{1,20}.
✅ No sensitive data is extracted and only read operations are performed.
⚠️ It is important that the client ensures that the JSON file does not contain any sensitive data before sending the file to XLM!
⚠️ The script must be executed with a user having local admin rights.
A dedicated PowerShell script was created in order to allow a client to extract the data without the help of XLM.
The script is here and generates a JSON file.
The following paragraph describes how to use it from a PowerShell window.
PS> .\export-iis-config.ps1
[+] Verify that the current user 'XLM' have local admin rights...
[+] Verify the installed roles...
[+] Gathering information: Finished with 0 error(s).
[+] Generate and save the JSON file...
[+] Content saved to file LABWIN2019-IIS.json.
[+] File SHA256 hash:
A2DF20F445F68183CA029940A2D3DFB1FE89EDDAE5B2DCF991315865306D6153
PS> .\export-iis-config.ps1
[+] Verify that the current user 'XLM' have local admin rights...
The user did not have the local admin rights, extraction cancelled!
PS> .\export-iis-config.ps1
[+] Verify that the current user 'XLM' as local admin rights...
[+] Verify the installed roles...
The IIS roles 'Web-Server' and 'Web-WebServer' are not installed, extraction cancelled!
Once the JSON is generated, it must be provided to XLM (together with its hash) and will be used as the input source for the review tool.
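Two checks follow from the handover described above: the receiving side should confirm that the file it got matches the SHA256 hash the script printed, and the client should confirm before sending that no sensitive value slipped into the export. The script below is an added example (not the export script nor the review tool): the JSON content is constructed to resemble an export and the list of secret-bearing key names is a heuristic assumption, so an empty result is not proof that the file is clean.

```python
import hashlib
import json

# Key names that commonly carry secrets in web server exports (constructed
# heuristic list for this example, not the export script's own logic).
SENSITIVE_KEY_HINTS = ("password", "pwd", "secret", "connectionstring", "privatekey", "token")

# Constructed JSON export standing in for a LABWIN2019-IIS.json file.
SAMPLE_EXPORT = json.dumps({
    "Host": "LABWIN2019",
    "Sites": [{"Name": "Default Web Site", "Bindings": ["http/*:80:"]}],
    "AppPools": [{"Name": "DefaultAppPool",
                  "Identity": {"UserName": "svc_web", "Password": "Example!Secret"}}],
})


def sha256_upper_hex(data):
    """Same presentation as the script output above: uppercase hex digest."""
    return hashlib.sha256(data).hexdigest().upper()


def find_sensitive_keys(node, path="$"):
    """Walk the JSON document and return JSONPath-like locations whose key name
    looks secret-bearing and whose value is non-empty."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            looks_sensitive = any(hint in key.lower() for hint in SENSITIVE_KEY_HINTS)
            if looks_sensitive and value not in (None, "", [], {}):
                hits.append(child)
            hits.extend(find_sensitive_keys(value, child))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits.extend(find_sensitive_keys(value, f"{path}[{index}]"))
    return hits


def verify_export(raw, expected_sha256):
    """Check an export received with its hash.

    Returns (hash_matches, sensitive_key_paths). The JSON is only parsed, never
    modified, and the sensitive values themselves are not included in the result."""
    hash_ok = sha256_upper_hex(raw) == expected_sha256.strip().upper()
    findings = find_sensitive_keys(json.loads(raw.decode("utf-8")))
    return hash_ok, findings


if __name__ == "__main__":
    raw = SAMPLE_EXPORT.encode("utf-8")
    print(verify_export(raw, sha256_upper_hex(raw)))
```

For a real handover the expected hash is the value printed by export-iis-config.ps1, passed by the client alongside the file; comparing the digests in uppercase on both sides avoids a spurious mismatch from case differences alone.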
📌 Compatibility matrix
Table generated using this site.
| Windows | IIS | Testing | Supported |
|---|---|---|---|
| 2003 | 6.0 | Not tested | ❌ |
| 2008 | 7.0 | Not tested | ❌ |
| 2008 | 7.5 | Not tested | ❌ |
| 2012 | 8.0 | Not tested | ❌ |
| 2012 | 8.5 | Manually | ✔️ |
| 2016 | 10.0 | Continuous via GH | ✔️ |
| 2019 | 10.0 | Continuous via GH | ✔️ |
Regarding Continuous via GH, see here.