Adds security hardening to JEA profiles by always prohibit certain cm…

…dlets
Icinga · Mar 19, 2024 · 406ea20 · 406ea20
1 parent fcd2d52
commit 406ea20
Show file tree

Hide file tree

Showing 10 changed files with 123 additions and 16 deletions.
diff --git a/doc/100-General/10-Changelog.md b/doc/100-General/10-Changelog.md
@@ -7,12 +7,15 @@ documentation before upgrading to a new release.
 
 Released closed milestones can be found on [GitHub](https://github.com/Icinga/icinga-powershell-framework/milestones?state=closed).
 
-## 1.12.0 (tbd)
+## 1.12.0 (2024-03-26)
 
 [Issues and PRs](https://github.com/Icinga/icinga-powershell-framework/milestone/28)
 
 ### Bugfixes
 
+* [#673](https://github.com/Icinga/icinga-powershell-framework/pull/673) Fixes a memory leak while fetching Windows EventLog information by using CLI tools and inside the Hyper-V provide
+* [#678](https://github.com/Icinga/icinga-powershell-framework/pull/678) Fixes various memory leaks in Icinga for Windows API core and check handler
+* [#680](https://github.com/Icinga/icinga-powershell-framework/pull/680) Fixes exception in some cases, when provider or metrics return values as `null` instead of `0` while units are being used for check objects
 * [#683](https://github.com/Icinga/icinga-powershell-framework/pull/683) Fixes JEA installer to exclude domain from user name length check, which can easily exceed the Windows 20 digits username limit
 * [#685](https://github.com/Icinga/icinga-powershell-framework/pull/685) Fixes an issue while trying to stop the JEA process in certain cases, which results in an error during installation but has no other effect on the environment
 * [#686](https://github.com/Icinga/icinga-powershell-framework/pull/686) Fixes certutil error handling and message output in case the icingaforwindows.pfx could not be created
@@ -30,16 +33,7 @@ Released closed milestones can be found on [GitHub](https://github.com/Icinga/ic
 * [#692](https://github.com/Icinga/icinga-powershell-framework/pull/692) Renames `Restart-IcingaWindowsService` to `Restart-IcingaForWindows` and adds alias for backwards compatibility to start unifying the Icinga for Windows cmdlets
 * [#693](https://github.com/Icinga/icinga-powershell-framework/pull/693) Adds new command `Restart-Icinga` to restart both, the Icinga Agent and Icinga for Windows
 * [#694](https://github.com/Icinga/icinga-powershell-framework/pull/694) Adds support for check objects not being added to summary header
-
-## 1.11.2 (tbd)
-
-[Issues and PRs](https://github.com/Icinga/icinga-powershell-framework/milestone/30)
-
-### Bugfixes
-
-* [#673](https://github.com/Icinga/icinga-powershell-framework/pull/673) Fixes a memory leak while fetching Windows EventLog information by using CLI tools and inside the Hyper-V provide
-* [#678](https://github.com/Icinga/icinga-powershell-framework/pull/678) Fixes various memory leaks in Icinga for Windows API core and check handler
-* [#680](https://github.com/Icinga/icinga-powershell-framework/pull/680) Fixes exception in some cases, when provider or metrics return values as `null` instead of `0` while units are being used for check objects
+* [#695](https://github.com/Icinga/icinga-powershell-framework/pull/695) Adds security hardening to JEA profiles by always prohibit certain cmdlets
 
 ## 1.11.1 (2023-11-07)
 

diff --git a/doc/110-Installation/02-Icinga-Management-Console.md b/doc/110-Installation/02-Icinga-Management-Console.md
@@ -49,7 +49,7 @@ In this case, `master` would be our value we want to add and can confirm this by
 ```text
 *******************************************
 ** Icinga for Windows Management Console **
-** Copyright (c) 2021 Icinga GmbH | MIT  **
+** Copyright (c) 2024 Icinga GmbH | MIT  **
 **   User environment ws-icinga\icinga   **
 **  Icinga PowerShell Framework v1.6.0   **
 *******************************************

diff --git a/doc/110-Installation/03-Installation-with-IMC.md b/doc/110-Installation/03-Installation-with-IMC.md
@@ -15,7 +15,7 @@ By pressing `0` on the `main menu`, we can start the entire `Installation`:
 ```text
 *******************************************
 ** Icinga for Windows Management Console **
-** Copyright (c) 2021 Icinga GmbH | MIT  **
+** Copyright (c) 2024 Icinga GmbH | MIT  **
 **   User environment ws-icinga\icinga   **
 **  Icinga PowerShell Framework v1.6.0   **
 *******************************************
@@ -41,7 +41,7 @@ In case you already deployed a configuration before or aborted your previous att
 ```text
 *******************************************
 ** Icinga for Windows Management Console **
-** Copyright (c) 2021 Icinga GmbH | MIT  **
+** Copyright (c) 2024 Icinga GmbH | MIT  **
 **   User environment ws-icinga\icinga   **
 **  Icinga PowerShell Framework v1.6.0   **
 *******************************************

diff --git a/icinga-powershell-framework.psd1 b/icinga-powershell-framework.psd1
@@ -4,7 +4,7 @@
     GUID              = 'fcd7a805-a41b-49f9-afee-9d17a2b76d42'
     Author            = 'Lord Hepipud'
     CompanyName       = 'Icinga GmbH'
-    Copyright         = '(c) 2023 Icinga GmbH | MIT'
+    Copyright         = '(c) 2024 Icinga GmbH | MIT'
     Description       = 'Icinga for Windows module which allows to entirely monitor the Windows Host system.'
     PowerShellVersion = '4.0'
     NestedModules     = @( '.\cache\framework_cache.psm1' )

diff --git a/lib/core/jea/Deny-IcingaJEACommand.psm1 b/lib/core/jea/Deny-IcingaJEACommand.psm1
@@ -0,0 +1,96 @@
+function Deny-IcingaJEACommand()
+{
+    param (
+        [string]$Command      = $null,
+        [string]$FileComments = $null
+    );
+
+    if ([string]::IsNullOrEmpty($Command) -eq $FALSE) {
+        # Ensure certain commands are not added to the JEA profile
+        switch ($Command.ToLower()) {
+            'Register-ScheduledTask'.ToLower() {
+                return $TRUE;
+            };
+            'Start-ScheduledTask'.ToLower() {
+                return $TRUE;
+            };
+            'Unregister-ScheduledTask'.ToLower() {
+                return $TRUE;
+            };
+            'New-ScheduledTaskAction'.ToLower() {
+                return $TRUE;
+            };
+            'Invoke-IcingaWindowsScheduledTask'.ToLower() {
+                return $TRUE;
+            };
+            'Start-IcingaWindowsScheduledTaskRenewCertificate'.ToLower() {
+                return $TRUE;
+            };
+            'Register-IcingaWindowsScheduledTaskRenewCertificate'.ToLower() {
+                return $TRUE;
+            };
+            'Stop-Process'.ToLower() {
+                return $TRUE;
+            };
+            'Remove-EventLog'.ToLower() {
+                return $TRUE;
+            };
+            'Unregister-IcingaEventLog'.ToLower() {
+                return $TRUE;
+            };
+            'Remove-Item'.ToLower() {
+                return $TRUE;
+            };
+            'Remove-ItemSecure'.ToLower() {
+                return $TRUE;
+            };
+            'Stop-Service'.ToLower() {
+                return $TRUE;
+            };
+            'Restart-Service'.ToLower() {
+                return $TRUE;
+            };
+            'Copy-ItemSecure'.ToLower() {
+                return $TRUE;
+            };
+            'Copy-Item'.ToLower() {
+                return $TRUE;
+            };
+            'Move-Item'.ToLower() {
+                return $TRUE;
+            };
+            'Restart-IcingaService'.ToLower() {
+                return $TRUE;
+            };
+            'Restart-IcingaForWindows'.ToLower() {
+                return $TRUE;
+            };
+            'Stop-IcingaWindowsService'.ToLower() {
+                return $TRUE;
+            };
+            'Stop-IcingaService'.ToLower() {
+                return $TRUE;
+            };
+            'Restart-IcingaService'.ToLower() {
+                return $TRUE;
+            };
+            'Restart-IcingaForWindows'.ToLower() {
+                return $TRUE;
+            };
+            'Remove-IcingaPowerShellConfig'.ToLower() {
+                return $TRUE;
+            };
+            'Add-Content'.ToLower() {
+                return $TRUE;
+            };
+        }
+    }
+
+    if ([string]::IsNullOrEmpty($FileComments) -eq $FALSE) {
+        if ($FileComments.ToLower().Contains('ignorejea')) {
+            return $TRUE;
+        }
+    }
+
+    return $FALSE;
+}
diff --git a/lib/core/jea/Get-IcingaCommandDependency.psm1 b/lib/core/jea/Get-IcingaCommandDependency.psm1
@@ -12,6 +12,10 @@ function Get-IcingaCommandDependency()
         return $CompiledList;
     }
 
+    if (Deny-IcingaJEACommand -Command $CmdName) {
+        return $CompiledList;
+    }
+
     # Create the list container for our object type if not existing
     # => Function, Cmdlet, Alias, Modules, Application
     if ($CompiledList.ContainsKey($CmdType) -eq $FALSE) {

diff --git a/lib/core/jea/Get-IcingaFrameworkDependency.psm1 b/lib/core/jea/Get-IcingaFrameworkDependency.psm1
@@ -16,6 +16,10 @@ function Get-IcingaFrameworkDependency()
     $DeserializedFile = Read-IcingaPowerShellModuleFile -FileContent $ModuleContent;
     [array]$CheckCmd  = $DeserializedFile.CommandList + $DeserializedFile.FunctionList;
 
+    if (Deny-IcingaJEACommand -Command $Command -FileComment $DeserializedFile.Comment) {
+        return $DependencyList;
+    }
+
     foreach ($cmd in $CheckCmd) {
         if ($cmd -eq $Command) {
             continue;

diff --git a/lib/core/jea/Get-IcingaJEAConfiguration.psm1 b/lib/core/jea/Get-IcingaJEAConfiguration.psm1
@@ -102,6 +102,10 @@ function Get-IcingaJEAConfiguration()
 
             $DeserializedFile = Read-IcingaPowerShellModuleFile -File $ModuleFile.FullName;
 
+            if (Deny-IcingaJEACommand -FileComments $DeserializedFile.Comments) {
+                continue;
+            }
+
             foreach ($FoundFunction in $DeserializedFile.FunctionList) {
                 $DependencyList = Get-IcingaFrameworkDependency `
                     -Command $FoundFunction `
@@ -187,6 +191,10 @@ function Get-IcingaJEAConfiguration()
 
         $CommandType = ([string]$CmdData.CommandType).Replace(' ', '');
 
+        if (Deny-IcingaJEACommand -Command $cmd) {
+            continue;
+        }
+
         $UsedCmdlets = Get-IcingaCommandDependency `
             -DependencyList $DependencyList `
             -CompiledList $UsedCmdlets `

diff --git a/lib/core/jea/Read-IcingaPowerShellModuleFile.psm1 b/lib/core/jea/Read-IcingaPowerShellModuleFile.psm1
@@ -177,5 +177,6 @@ function Read-IcingaPowerShellModuleFile()
         'AliasList'         = $AliasList;
         'ExportFunction'    = $ExportFunctionList;
         'ExportCmdlet'      = $ExportCmdletList;
+        'Comments'          = $Comments;
     };
 }
diff --git a/templates/IcingaForWindows.psrc.template b/templates/IcingaForWindows.psrc.template
@@ -9,7 +9,7 @@
     # Company associated with this document
     CompanyName         = 'Icinga GmbH'
     # Copyright statement for this document
-    Copyright           = '(c) 2021 Icinga GmbH | MIT'
+    Copyright           = '(c) 2024 Icinga GmbH | MIT'
     # Modules to import when applied to a session
     ModulesToImport     = ''
     # Cmdlets to make visible when applied to a session