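// Copyright (c) Mondoo, Inc.
// SPDX-License-Identifier: BUSL-1.1

package windows

import (
	"encoding/json"
	"fmt"
	"io"

	"go.mondoo.com/cnquery/providers/os/connection/shared"
	"go.mondoo.com/cnquery/providers/os/resources/powershell"
)

// This file queries the Windows Security Center (WSC) API.
//
// PowerShell has no native cmdlet that exposes WscGetSecurityProviderHealth, so a small
// C# P/Invoke wrapper is compiled at runtime via Add-Type and called from PowerShell.
// The script below is a fixed constant: no caller-supplied data is interpolated into it,
// so there is no command-injection surface on this path.
//
// https://docs.microsoft.com/en-us/windows/win32/api/Wscapi/ne-wscapi-wsc_security_provider
// https://github.com/microsoft/Windows-classic-samples/tree/main/Samples/WebSecurityCenter

// securityHealthStatusValues maps WSC_SECURITY_PROVIDER_HEALTH enum values to their names.
// https://docs.microsoft.com/en-us/windows/win32/api/wscapi/ne-wscapi-wsc_security_provider_health
var securityHealthStatusValues = map[int64]string{
	0: "GOOD",
	1: "NOT_MONITORED",
	2: "POOR",
	3: "SNOOZE",
}

// securityHealthStatusUnknown is the text used for any code outside the documented enum,
// including the -1 sentinel the embedded script returns when the native call fails.
const securityHealthStatusUnknown = "UNKNOWN"

// securityHealthStatusText returns the symbolic name for a WSC health code, or
// securityHealthStatusUnknown for codes that are not part of the documented enum.
// Unmapped codes previously produced an empty string, which made a failed native
// call indistinguishable from missing data.
func securityHealthStatusText(code int64) string {
	if text, ok := securityHealthStatusValues[code]; ok {
		return text
	}
	return securityHealthStatusUnknown
}

// The available security providers are documented in
// https://docs.microsoft.com/en-us/windows/win32/api/wscapi/ne-wscapi-wsc_security_provider
//
// The C# wrapper returns -1 whenever WscGetSecurityProviderHealth reports a failure
// HRESULT, so a failed lookup never surfaces as a real health value. The Go side maps
// that sentinel to securityHealthStatusUnknown.
//
// Type and namespace names are quoted with plain ASCII single quotes; the original used
// U+2018/U+2019 curly quotes, which PowerShell tolerates but which needlessly depend on
// the transport preserving the encoding.
const windowsSecurityHealthScript = `
$MethodDefinition = @"
[DllImport("wscapi.dll",CharSet = CharSet.Unicode, SetLastError = true)]
private static extern int WscGetSecurityProviderHealth(int inValue, ref int outValue);

public static int GetSecurityProviderHealth(int inValue)
{
	int outValue = -1;
	// A non-zero HRESULT means no health value was produced; report the -1 sentinel.
	if (WscGetSecurityProviderHealth(inValue, ref outValue) != 0)
	{
		return -1;
	}
	return outValue;
}
"@

$mondoo_wscapi = Add-Type -MemberDefinition $MethodDefinition -Name 'mondoo_wscapi' -Namespace 'Win32' -PassThru

$WSC_SECURITY_PROVIDER_FIREWALL = 1
$WSC_SECURITY_PROVIDER_AUTOUPDATE_SETTINGS = 2
$WSC_SECURITY_PROVIDER_ANTIVIRUS = 4
$WSC_SECURITY_PROVIDER_ANTISPYWARE = 8
$WSC_SECURITY_PROVIDER_INTERNET_SETTINGS = 16
$WSC_SECURITY_PROVIDER_USER_ACCOUNT_CONTROL = 32
$WSC_SECURITY_PROVIDER_SERVICE = 64

$securityProviderHealth = New-Object PSObject
Add-Member -InputObject $securityProviderHealth -MemberType NoteProperty -Name firewall -Value $mondoo_wscapi::GetSecurityProviderHealth($WSC_SECURITY_PROVIDER_FIREWALL)
Add-Member -InputObject $securityProviderHealth -MemberType NoteProperty -Name autoUpdate -Value $mondoo_wscapi::GetSecurityProviderHealth($WSC_SECURITY_PROVIDER_AUTOUPDATE_SETTINGS)
Add-Member -InputObject $securityProviderHealth -MemberType NoteProperty -Name antiVirus -Value $mondoo_wscapi::GetSecurityProviderHealth($WSC_SECURITY_PROVIDER_ANTIVIRUS)
Add-Member -InputObject $securityProviderHealth -MemberType NoteProperty -Name antiSpyware -Value $mondoo_wscapi::GetSecurityProviderHealth($WSC_SECURITY_PROVIDER_ANTISPYWARE)
Add-Member -InputObject $securityProviderHealth -MemberType NoteProperty -Name internetSettings -Value $mondoo_wscapi::GetSecurityProviderHealth($WSC_SECURITY_PROVIDER_INTERNET_SETTINGS)
Add-Member -InputObject $securityProviderHealth -MemberType NoteProperty -Name uac -Value $mondoo_wscapi::GetSecurityProviderHealth($WSC_SECURITY_PROVIDER_USER_ACCOUNT_CONTROL)
Add-Member -InputObject $securityProviderHealth -MemberType NoteProperty -Name securityCenterService -Value $mondoo_wscapi::GetSecurityProviderHealth($WSC_SECURITY_PROVIDER_SERVICE)

ConvertTo-Json -Depth 3 -Compress $securityProviderHealth
`

// powershellSecurityHealthStatus mirrors the JSON object emitted by
// windowsSecurityHealthScript. The tags pin the exact property names the script
// uses instead of relying on encoding/json's case-insensitive fallback matching.
type powershellSecurityHealthStatus struct {
	Firewall              int64 `json:"firewall"`
	AutoUpdate            int64 `json:"autoUpdate"`
	AntiVirus             int64 `json:"antiVirus"`
	AntiSpyware           int64 `json:"antiSpyware"`
	InternetSettings      int64 `json:"internetSettings"`
	Uac                   int64 `json:"uac"`
	SecurityCenterService int64 `json:"securityCenterService"`
}

// windowsSecurityHealth is the parsed health of each WSC security provider.
// Each field carries the raw code reported by the API and its symbolic name.
type windowsSecurityHealth struct {
	Firewall              statusCode
	AutoUpdate            statusCode
	AntiVirus             statusCode
	AntiSpyware           statusCode
	InternetSettings      statusCode
	Uac                   statusCode
	SecurityCenterService statusCode
}

// securityHealthStatusCode pairs a raw WSC health code with its symbolic name.
func securityHealthStatusCode(code int64) statusCode {
	return statusCode{
		Code: code,
		Text: securityHealthStatusText(code),
	}
}

// GetSecurityProviderHealth runs windowsSecurityHealthScript over the given connection
// and parses its JSON output. The script is passed through powershell.Encode before
// execution. Errors from running the command or decoding its stdout are returned wrapped.
//
// NOTE(review): only the RunCommand error and stdout are inspected here; exit status and
// stderr are not examined on this path — confirm RunCommand surfaces a failing process
// as an error if callers depend on that.
func GetSecurityProviderHealth(p shared.Connection) (*windowsSecurityHealth, error) {
	cmd, err := p.RunCommand(powershell.Encode(windowsSecurityHealthScript))
	if err != nil {
		return nil, fmt.Errorf("running windows security center health script: %w", err)
	}

	return ParseSecurityProviderHealth(cmd.Stdout)
}

// ParseSecurityProviderHealth decodes the JSON object produced by windowsSecurityHealthScript
// from r. Each numeric code is kept verbatim in Code and mapped to its
// WSC_SECURITY_PROVIDER_HEALTH name in Text; codes outside the documented enum (notably
// the script's -1 failure sentinel) are reported as securityHealthStatusUnknown.
// Read and decode failures are returned wrapped.
func ParseSecurityProviderHealth(r io.Reader) (*windowsSecurityHealth, error) {
	data, err := io.ReadAll(r)
	if err != nil {
		return nil, fmt.Errorf("reading windows security center health output: %w", err)
	}

	var status powershellSecurityHealthStatus
	// json.Unmarshal (rather than a streaming Decoder) is kept on purpose: it rejects
	// trailing garbage after the object instead of silently ignoring it.
	if err := json.Unmarshal(data, &status); err != nil {
		return nil, fmt.Errorf("decoding windows security center health output: %w", err)
	}

	return &windowsSecurityHealth{
		Firewall:              securityHealthStatusCode(status.Firewall),
		AutoUpdate:            securityHealthStatusCode(status.AutoUpdate),
		AntiVirus:             securityHealthStatusCode(status.AntiVirus),
		AntiSpyware:           securityHealthStatusCode(status.AntiSpyware),
		InternetSettings:      securityHealthStatusCode(status.InternetSettings),
		Uac:                   securityHealthStatusCode(status.Uac),
		SecurityCenterService: securityHealthStatusCode(status.SecurityCenterService),
	}, nil
}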