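// Copyright (c) Mondoo, Inc.
// SPDX-License-Identifier: BUSL-1.1

package windows

import (
	"io"
	"sort"
	"strings"

	"github.com/cockroachdb/errors"
	"gopkg.in/ini.v1"
)

// Secpol holds an exported Windows security policy (the INI-style output of
// `secedit /export`, see SecpolScript), grouped by section. Each map is keyed
// by the setting name within that section.
//
// NOTE(review): the original code carried comments announcing that
// "System Access" and "Event Audit" values would be parsed to integers, but it
// never did so; every value is kept as the raw string. The maps stay
// map[string]interface{} so a future numeric conversion does not have to
// change the type, but consumers today receive strings (and []interface{} of
// strings for PrivilegeRights).
type Secpol struct {
	// SystemAccess is the "[System Access]" section; values are raw strings.
	SystemAccess map[string]interface{}
	// EventAudit is the "[Event Audit]" section; values are raw strings.
	EventAudit map[string]interface{}
	// RegistryValues is the "[Registry Values]" section; values are raw strings.
	RegistryValues map[string]interface{}
	// PrivilegeRights is the "[Privilege Rights]" section; each value is a
	// sorted []interface{} of principal strings. SID entries, which secedit
	// writes with a leading "*", have that prefix removed ("*S-1-..." -> "S-1-...").
	PrivilegeRights map[string]interface{}
}

// ParseSecpol reads a secedit export from r and returns it as a Secpol.
//
// It returns an error when the input is not parseable as INI or when any of
// the four expected sections ("System Access", "Event Audit",
// "Registry Values", "Privilege Rights") is missing; the section name is
// included in the wrapped error so a caller can tell which one was absent.
func ParseSecpol(r io.Reader) (*Secpol, error) {
	cfg, err := ini.Load(r)
	if err != nil {
		return nil, errors.Wrap(err, "could not parse secpol")
	}

	res := &Secpol{
		SystemAccess:    map[string]interface{}{},
		EventAudit:      map[string]interface{}{},
		RegistryValues:  map[string]interface{}{},
		PrivilegeRights: map[string]interface{}{},
	}

	// These three sections are copied verbatim; only the key/value shape differs
	// for "Privilege Rights", which is handled below.
	rawSections := []struct {
		name string
		dst  map[string]interface{}
	}{
		{"System Access", res.SystemAccess},
		{"Event Audit", res.EventAudit},
		{"Registry Values", res.RegistryValues},
	}
	for _, s := range rawSections {
		sec, err := cfg.GetSection(s.name)
		if err != nil {
			return nil, errors.Wrapf(err, "secpol section %q", s.name)
		}
		copySection(sec, s.dst)
	}

	privilegeRights, err := cfg.GetSection("Privilege Rights")
	if err != nil {
		return nil, errors.Wrapf(err, "secpol section %q", "Privilege Rights")
	}
	for _, entry := range privilegeRights.Keys() {
		res.PrivilegeRights[entry.Name()] = parsePrivilegeRight(entry.Value())
	}

	return res, nil
}

// copySection stores every key of sec in dst as its raw string value.
func copySection(sec *ini.Section, dst map[string]interface{}) {
	for _, entry := range sec.Keys() {
		dst[entry.Name()] = entry.Value()
	}
}

// parsePrivilegeRight turns one "Privilege Rights" value — a comma-separated
// list of principals — into a sorted []interface{} of strings.
//
// Entries are trimmed and empty entries are dropped, so a right that is
// granted to nobody (an empty value) yields an empty, non-nil slice instead of
// a single "" principal. The leading "*" that secedit puts in front of SIDs is
// removed; only the first "*S" is replaced because a SID carries it solely at
// its start and this preserves the behavior of the original implementation.
func parsePrivilegeRight(raw string) []interface{} {
	parts := strings.Split(raw, ",")
	principals := make([]string, 0, len(parts))
	for _, p := range parts {
		p = strings.TrimSpace(p)
		if p == "" {
			continue
		}
		principals = append(principals, strings.Replace(p, "*S", "S", 1))
	}
	// Sorting makes the result order independent of how secedit wrote the line,
	// which keeps policy comparisons stable.
	sort.Strings(principals)

	values := make([]interface{}, len(principals))
	for i, p := range principals {
		values[i] = p
	}
	return values
}

// SecpolScript is the PowerShell snippet that produces the input for
// ParseSecpol. It exports the local security policy with secedit to a
// temporary file in the shell's current working directory, prints its
// contents and removes the file again. Because the export is written to the
// working directory, the session should be started in a directory the caller
// controls; exporting the policy presumably requires an elevated session —
// confirm against the target's configuration.
const SecpolScript = `
secedit /export /cfg out.cfg | Out-Null
$raw = Get-Content out.cfg
Remove-Item .\out.cfg | Out-Null
Write-Output $raw
`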