diff --git a/source/Module/Rule.AuditPolicy/Convert/AuditPolicyRuleAdvanced.Convert.psm1 b/source/Module/Rule.AuditPolicy/Convert/AuditPolicyRuleAdvanced.Convert.psm1 new file mode 100644 index 000000000..afb4c58c8 --- /dev/null +++ b/source/Module/Rule.AuditPolicy/Convert/AuditPolicyRuleAdvanced.Convert.psm1 @@ -0,0 +1,128 @@ +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. +using module .\..\..\Common\Common.psm1 +using module .\..\AuditPolicyRule.psm1 +using namespace System.Text +# Header + +<# + .SYNOPSIS + Converts the xccdf check-content element into an audit policy object. +#> +class AuditPolicyRuleAdvancedConvert : AuditPolicyRule +{ + <# + .SYNOPSIS + Empty constructor for SplitFactory + #> + AuditPolicyRuleAdvancedConvert () + { + } + + <# + .SYNOPSIS + Converts an xccdf stig rule element into a Audit Policy Rule + .PARAMETER XccdfRule + The STIG rule to convert + #> + AuditPolicyRuleAdvancedConvert ([xml.xmlelement] $XccdfRule) : base ($XccdfRule, $true) + { + $tokens = $this.ExtractProperties() + $this.SetSubcategory($tokens) + $this.SetAuditFlag($tokens) + $this.Ensure = [Ensure]::Present + $this.SetDuplicateRule() + $this.SetDscResource() + } + + <# + .SYNOPSIS + Extracts and returns the audit policy settings from the check-content. + .DESCRIPTION + This match looks for the policy path and the required audit flag in + the following format: + + Computer Configuration >> ... >> Audit . + If "Audit " is not set to "", this is a finding + + The subcategory is taken from the final line of the RawString (the + leading "Audit " prefix is dropped), and the audit flag is taken from + the quoted value in the "is [not] set to" clause. + .NOTES + If any rule does not match this pattern, please update the xccdf + change log file to align to this option. + #> + [RegularExpressions.MatchCollection] ExtractProperties () + { + return [regex]::Matches( + $this.RawString, + '"(?:Audit\s+)?(?[^"]+)"\s+is(?: not)? set to\s+"(?[^"]+)"' + ) + } + + <# + .SYNOPSIS + Set the subcategory name + .DESCRIPTION + Set the subcategory value. If the returned audit policy subcategory + is not valid, the parser status is set to fail. + #> + [void] SetSubcategory ([RegularExpressions.MatchCollection] $Regex) + { + $thisSubcategory = $regex.Groups.Where( + { $_.Name -eq 'subcategory' } + ).Value + + if (-not $this.SetStatus($thisSubcategory)) + { + $this.set_Subcategory($thisSubcategory.trim()) + } + } + + <# + .SYNOPSIS + Set the subcategory flag + .DESCRIPTION + Set the subcategory flag. If the returned audit policy subcategory + is not valid, the parser status is set to fail. + #> + [void] SetAuditFlag ([RegularExpressions.MatchCollection] $Regex) + { + $thisAuditFlag = $Regex.Groups.Where( + { $_.Name -eq 'auditflag' } + ).Value + + if (-not $this.SetStatus($thisAuditFlag)) + { + $this.set_AuditFlag($thisAuditFlag) + } + } + + hidden [void] SetDscResource () + { + if ($null -eq $this.DuplicateOf) + { + $this.DscResource = 'AuditPolicySubcategory' + } + else + { + $this.DscResource = 'None' + } + } + + <# + .SYNOPSIS + Checks if a rule matches an audit policy setting. + #> + static [bool] Match ([string] $CheckContent) + { + if + ( + $CheckContent -Match ">> Advanced Audit Policy Configuration >>" + ) + { + return $true + } + return $false + } +} diff --git a/source/Module/Rule/Convert/ConvertFactory.psm1 b/source/Module/Rule/Convert/ConvertFactory.psm1 index 7ede2e8d2..9a3548aab 100644 --- a/source/Module/Rule/Convert/ConvertFactory.psm1 +++ b/source/Module/Rule/Convert/ConvertFactory.psm1 @@ -4,6 +4,7 @@ using module .\..\..\Common\Common.psm1 using module .\..\..\Rule.HardCoded\Convert\HardCodedRule.Convert.psm1 using module .\..\..\Rule.AccountPolicy\Convert\AccountPolicyRule.Convert.psm1 using module .\..\..\Rule.AuditPolicy\Convert\AuditPolicyRule.Convert.psm1 +using module .\..\..\Rule.AuditPolicy\Convert\AuditPolicyRuleAdvanced.Convert.psm1 using module .\..\..\Rule.DnsServerRootHint\Convert\DnsServerRootHintRule.Convert.psm1 using module .\..\..\Rule.DnsServerSetting\Convert\DnsServerSettingRule.Convert.psm1 using module .\..\..\Rule.Document\Convert\DocumentRule.Convert.psm1 @@ -148,6 +149,12 @@ class ConvertFactory [AuditPolicyRuleConvert]::new($Rule).AsRule() ) } + {[AuditPolicyRuleAdvancedConvert]::Match($PSItem)} + { + $null = $ruleTypeList.Add( + [AuditPolicyRuleAdvancedConvert]::new($Rule).AsRule() + ) + } {[DnsServerSettingRuleConvert]::Match($PSItem)} { $null = $ruleTypeList.Add(