From 406ea20d52a141867ee612c888fb63d3c7f7eb62 Mon Sep 17 00:00:00 2001 From: Lord Hepipud Date: Fri, 15 Mar 2024 12:42:37 +0100 Subject: [PATCH] Adds security hardening to JEA profiles by always prohibit certain cmdlets --- doc/100-General/10-Changelog.md | 16 +--- .../02-Icinga-Management-Console.md | 2 +- .../03-Installation-with-IMC.md | 4 +- icinga-powershell-framework.psd1 | 2 +- lib/core/jea/Deny-IcingaJEACommand.psm1 | 96 +++++++++++++++++++ lib/core/jea/Get-IcingaCommandDependency.psm1 | 4 + .../jea/Get-IcingaFrameworkDependency.psm1 | 4 + lib/core/jea/Get-IcingaJEAConfiguration.psm1 | 8 ++ .../jea/Read-IcingaPowerShellModuleFile.psm1 | 1 + templates/IcingaForWindows.psrc.template | 2 +- 10 files changed, 123 insertions(+), 16 deletions(-) create mode 100644 lib/core/jea/Deny-IcingaJEACommand.psm1 diff --git a/doc/100-General/10-Changelog.md b/doc/100-General/10-Changelog.md index ff796759..768733ff 100644 --- a/doc/100-General/10-Changelog.md +++ b/doc/100-General/10-Changelog.md 
@@ -7,12 +7,15 @@ documentation before upgrading to a new release. Released closed milestones can be found on [GitHub](https://github.com/Icinga/icinga-powershell-framework/milestones?state=closed). -## 1.12.0 (tbd) +## 1.12.0 (2024-03-26) [Issues and PRs](https://github.com/Icinga/icinga-powershell-framework/milestone/28) ### Bugfixes +* [#673](https://github.com/Icinga/icinga-powershell-framework/pull/673) Fixes a memory leak while fetching Windows EventLog information by using CLI tools and inside the Hyper-V provide +* [#678](https://github.com/Icinga/icinga-powershell-framework/pull/678) Fixes various memory leaks in Icinga for Windows API core and check handler +* [#680](https://github.com/Icinga/icinga-powershell-framework/pull/680) Fixes exception in some cases, when provider or metrics return values as `null` instead of `0` while units are being used for check objects * [#683](https://github.com/Icinga/icinga-powershell-framework/pull/683) Fixes JEA installer to exclude domain from user name length check, which can easily exceed the Windows 20 digits username limit * [#685](https://github.com/Icinga/icinga-powershell-framework/pull/685) Fixes an issue while trying to stop the JEA process in certain cases, which results in an error during installation but has no other effect on the environment * [#686](https://github.com/Icinga/icinga-powershell-framework/pull/686) Fixes certutil error handling and message output in case the icingaforwindows.pfx could not be created 
@@ -30,16 +33,7 @@ Released closed milestones can be found on [GitHub](https://github.com/Icinga/ic * [#692](https://github.com/Icinga/icinga-powershell-framework/pull/692) Renames `Restart-IcingaWindowsService` to `Restart-IcingaForWindows` and adds alias for backwards compatibility to start unifying the Icinga for Windows cmdlets * [#693](https://github.com/Icinga/icinga-powershell-framework/pull/693) Adds new command `Restart-Icinga` to restart both, the Icinga Agent and Icinga for Windows * [#694](https://github.com/Icinga/icinga-powershell-framework/pull/694) Adds support for check objects not being added to summary header - -## 1.11.2 (tbd) - -[Issues and PRs](https://github.com/Icinga/icinga-powershell-framework/milestone/30) - -### Bugfixes - -* [#673](https://github.com/Icinga/icinga-powershell-framework/pull/673) Fixes a memory leak while fetching Windows EventLog information by using CLI tools and inside the Hyper-V provide -* [#678](https://github.com/Icinga/icinga-powershell-framework/pull/678) Fixes various memory leaks in Icinga for Windows API core and check handler -* [#680](https://github.com/Icinga/icinga-powershell-framework/pull/680) Fixes exception in some cases, when provider or metrics return values as `null` instead of `0` while units are being used for check objects +* [#695](https://github.com/Icinga/icinga-powershell-framework/pull/695) Adds security hardening to JEA profiles by always prohibit certain cmdlets ## 1.11.1 (2023-11-07) diff --git a/doc/110-Installation/02-Icinga-Management-Console.md b/doc/110-Installation/02-Icinga-Management-Console.md index eb8a0be6..694029f4 100644 --- a/doc/110-Installation/02-Icinga-Management-Console.md +++ b/doc/110-Installation/02-Icinga-Management-Console.md 
@@ -49,7 +49,7 @@ In this case, `master` would be our value we want to add and can confirm this by ```text ******************************************* ** Icinga for Windows Management Console ** -** Copyright (c) 2021 Icinga GmbH | MIT ** +** Copyright (c) 2024 Icinga GmbH | MIT ** ** User environment ws-icinga\icinga ** ** Icinga PowerShell Framework v1.6.0 ** ******************************************* diff --git a/doc/110-Installation/03-Installation-with-IMC.md b/doc/110-Installation/03-Installation-with-IMC.md index 02e33734..27e8dfdc 100644 --- a/doc/110-Installation/03-Installation-with-IMC.md +++ b/doc/110-Installation/03-Installation-with-IMC.md @@ -15,7 +15,7 @@ By pressing `0` on the `main menu`, we can start the entire `Installation`: ```text ******************************************* ** Icinga for Windows Management Console ** -** Copyright (c) 2021 Icinga GmbH | MIT ** +** Copyright (c) 2024 Icinga GmbH | MIT ** ** User environment ws-icinga\icinga ** ** Icinga PowerShell Framework v1.6.0 ** ******************************************* @@ -41,7 +41,7 @@ In case you already deployed a configuration before or aborted your previous att ```text ******************************************* ** Icinga for Windows Management Console ** -** Copyright (c) 2021 Icinga GmbH | MIT ** +** Copyright (c) 2024 Icinga GmbH | MIT ** ** User environment ws-icinga\icinga ** ** Icinga PowerShell Framework v1.6.0 ** ******************************************* diff --git a/icinga-powershell-framework.psd1 b/icinga-powershell-framework.psd1 index e36657d7..e0caef85 100644 --- a/icinga-powershell-framework.psd1 +++ b/icinga-powershell-framework.psd1 
@@ -4,7 +4,7 @@ GUID = 'fcd7a805-a41b-49f9-afee-9d17a2b76d42' Author = 'Lord Hepipud' CompanyName = 'Icinga GmbH' - Copyright = '(c) 2023 Icinga GmbH | MIT' + Copyright = '(c) 2024 Icinga GmbH | MIT' Description = 'Icinga for Windows module which allows to entirely monitor the Windows Host system.' PowerShellVersion = '4.0' NestedModules = @( '.\cache\framework_cache.psm1' ) diff --git a/lib/core/jea/Deny-IcingaJEACommand.psm1 b/lib/core/jea/Deny-IcingaJEACommand.psm1 new file mode 100644 index 00000000..b69530a4 --- /dev/null +++ b/lib/core/jea/Deny-IcingaJEACommand.psm1 
@@ -0,0 +1,96 @@
+function Deny-IcingaJEACommand()
+{
+ param (
+ [string]$Command = $null,
+ [string]$FileComments = $null
+ );
+
+ if ([string]::IsNullOrEmpty($Command) -eq $FALSE) {
+ # Ensure certain commands are not added to the JEA profile
+ switch ($Command.ToLower()) {
+ 'Register-ScheduledTask'.ToLower() {
+ return $TRUE;
+ };
+ 'Start-ScheduledTask'.ToLower() {
+ return $TRUE;
+ };
+ 'Unregister-ScheduledTask'.ToLower() {
+ return $TRUE;
+ };
+ 'New-ScheduledTaskAction'.ToLower() {
+ return $TRUE;
+ };
+ 'Invoke-IcingaWindowsScheduledTask'.ToLower() {
+ return $TRUE;
+ };
+ 'Start-IcingaWindowsScheduledTaskRenewCertificate'.ToLower() {
+ return $TRUE;
+ };
+ 'Register-IcingaWindowsScheduledTaskRenewCertificate'.ToLower() {
+ return $TRUE;
+ };
+ 'Stop-Process'.ToLower() {
+ return $TRUE;
+ };
+ 'Remove-EventLog'.ToLower() {
+ return $TRUE;
+ };
+ 'Unregister-IcingaEventLog'.ToLower() {
+ return $TRUE;
+ };
+ 'Remove-Item'.ToLower() {
+ return $TRUE;
+ };
+ 'Remove-ItemSecure'.ToLower() {
+ return $TRUE;
+ };
+ 'Stop-Service'.ToLower() {
+ return $TRUE;
+ };
+ 'Restart-Service'.ToLower() {
+ return $TRUE;
+ };
+ 'Copy-ItemSecure'.ToLower() {
+ return $TRUE;
+ };
+ 'Copy-Item'.ToLower() {
+ return $TRUE;
+ };
+ 'Move-Item'.ToLower() {
+ return $TRUE;
+ };
+ 'Restart-IcingaService'.ToLower() {
+ return $TRUE;
+ };
+ 'Restart-IcingaForWindows'.ToLower() {
+ return $TRUE;
+ };
+ 'Stop-IcingaWindowsService'.ToLower() {
+ return $TRUE;
+ };
+ 'Stop-IcingaService'.ToLower() {
+ return $TRUE;
+ };
+ 'Restart-IcingaService'.ToLower() {
+ return $TRUE;
+ };
+ 'Restart-IcingaForWindows'.ToLower() {
+ return $TRUE;
+ };
+ 'Remove-IcingaPowerShellConfig'.ToLower() {
+ return $TRUE;
+ };
+ 'Add-Content'.ToLower() {
+ return $TRUE;
+ };
+ }
+ }
+
+ if ([string]::IsNullOrEmpty($FileComments) -eq $FALSE) {
+ if ($FileComments.ToLower().Contains('ignorejea')) {
+ return $TRUE;
+ }
+ }
+
+ return $FALSE;
+}
diff --git a/lib/core/jea/Get-IcingaCommandDependency.psm1 b/lib/core/jea/Get-IcingaCommandDependency.psm1 index fdcd6dac..5a1b1483 100644 --- a/lib/core/jea/Get-IcingaCommandDependency.psm1 +++ b/lib/core/jea/Get-IcingaCommandDependency.psm1 @@ -12,6 +12,10 @@ function Get-IcingaCommandDependency() return $CompiledList; } + if (Deny-IcingaJEACommand -Command $CmdName) { + return $CompiledList; + } + # Create the list container for our object type if not existing # => Function, Cmdlet, Alias, Modules, Application if ($CompiledList.ContainsKey($CmdType) -eq $FALSE) { diff --git a/lib/core/jea/Get-IcingaFrameworkDependency.psm1 b/lib/core/jea/Get-IcingaFrameworkDependency.psm1 index 5eb3abec..08fb465c 100644 --- a/lib/core/jea/Get-IcingaFrameworkDependency.psm1 +++ b/lib/core/jea/Get-IcingaFrameworkDependency.psm1 @@ -16,6 +16,10 @@ function Get-IcingaFrameworkDependency() $DeserializedFile = Read-IcingaPowerShellModuleFile -FileContent $ModuleContent; [array]$CheckCmd = $DeserializedFile.CommandList + $DeserializedFile.FunctionList; + if (Deny-IcingaJEACommand -Command $Command -FileComment $DeserializedFile.Comment) { + return $DependencyList; + } + foreach ($cmd in $CheckCmd) { if ($cmd -eq $Command) { continue; diff --git a/lib/core/jea/Get-IcingaJEAConfiguration.psm1 b/lib/core/jea/Get-IcingaJEAConfiguration.psm1 index 4917f979..562fd670 100644 --- a/lib/core/jea/Get-IcingaJEAConfiguration.psm1 +++ b/lib/core/jea/Get-IcingaJEAConfiguration.psm1 @@ -102,6 +102,10 @@ function Get-IcingaJEAConfiguration() $DeserializedFile = Read-IcingaPowerShellModuleFile -File $ModuleFile.FullName; + if (Deny-IcingaJEACommand -FileComments $DeserializedFile.Comments) { + continue; + } + foreach ($FoundFunction in $DeserializedFile.FunctionList) { $DependencyList = Get-IcingaFrameworkDependency ` -Command $FoundFunction ` 
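Review bot: In the Get-IcingaFrameworkDependency.psm1 hunk the new guard reads `$DeserializedFile.Comment`, but the key this patch adds to the result of Read-IcingaPowerShellModuleFile is `'Comments'`, and the Get-IcingaJEAConfiguration.psm1 hunk reads `.Comments`. If that result is the hashtable it appears to be, `.Comment` yields `$null`, so the `ignorejea` marker is silently ignored at this call site and only the command-name check runs. The line should read `if (Deny-IcingaJEACommand -Command $Command -FileComments $DeserializedFile.Comments) {`; the shortened `-FileComment` only binds because PowerShell accepts unambiguous parameter-name prefixes. The enclosing function starts and ends outside the hunk.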
@@ -187,6 +191,10 @@ function Get-IcingaJEAConfiguration() $CommandType = ([string]$CmdData.CommandType).Replace(' ', ''); + if (Deny-IcingaJEACommand -Command $cmd) { + continue; + } + $UsedCmdlets = Get-IcingaCommandDependency ` -DependencyList $DependencyList ` -CompiledList $UsedCmdlets ` diff --git a/lib/core/jea/Read-IcingaPowerShellModuleFile.psm1 b/lib/core/jea/Read-IcingaPowerShellModuleFile.psm1 index 71c1d23a..096e9ae4 100644 --- a/lib/core/jea/Read-IcingaPowerShellModuleFile.psm1 +++ b/lib/core/jea/Read-IcingaPowerShellModuleFile.psm1 @@ -177,5 +177,6 @@ function Read-IcingaPowerShellModuleFile() 'AliasList' = $AliasList; 'ExportFunction' = $ExportFunctionList; 'ExportCmdlet' = $ExportCmdletList; + 'Comments' = $Comments; }; } diff --git a/templates/IcingaForWindows.psrc.template b/templates/IcingaForWindows.psrc.template index d10d32d8..8b35c982 100644 --- a/templates/IcingaForWindows.psrc.template +++ b/templates/IcingaForWindows.psrc.template @@ -9,7 +9,7 @@ # Company associated with this document CompanyName = 'Icinga GmbH' # Copyright statement for this document - Copyright = '(c) 2021 Icinga GmbH | MIT' + Copyright = '(c) 2024 Icinga GmbH | MIT' # Modules to import when applied to a session ModulesToImport = '' # Cmdlets to make visible when applied to a session