/// <summary>
/// Builds a <c>regkeyeffectiverights_item</c> for one registry key from an already collected
/// <see cref="WMIWinACE"/>, marking the item as existing and copying every standard, generic and
/// KEY_* right flag the ACE carries into the corresponding OVAL entity.
/// </summary>
/// <param name="collectedData">A <see cref="WMIWinACE"/> passed as <c>object</c>; any other runtime type fails the cast.</param>
/// <param name="regHive">Registry hive name written to the item's <c>hive</c> entity.</param>
/// <param name="regKey">Registry key path written to the item's <c>key</c> entity.</param>
/// <param name="collectedSid">SID of the trustee the effective rights belong to, written to <c>trustee_sid</c>.</param>
/// <returns>A fully populated item whose <c>status</c> is <c>exists</c>.</returns>
private regkeyeffectiverights_item CreateItemTypeFromWinACE(object collectedData, string regHive, string regKey, string collectedSid)
{
    var ace = (WMIWinACE)collectedData;

    var item = new regkeyeffectiverights_item();
    item.status = StatusEnumeration.exists;

    // Identity of the object the rights were collected for.
    item.hive = new EntityItemRegistryHiveType() { Value = regHive };
    item.key = OvalHelper.CreateItemEntityWithStringValue(regKey);
    item.trustee_sid = OvalHelper.CreateItemEntityWithStringValue(collectedSid);

    // Standard rights (plus ACCESS_SYSTEM_SECURITY, which OVAL reports alongside them).
    item.access_system_security = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.ACCESS_SYSTEM_SECURITY);
    item.standard_delete = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.DELETE);
    item.standard_read_control = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.READ_CONTROL);
    item.standard_synchronize = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.SYNCHRONIZE);
    item.standard_write_dac = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.WRITE_DAC);
    item.standard_write_owner = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.WRITE_OWNER);

    // Generic rights.
    item.generic_all = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.GENERIC_ALL);
    item.generic_execute = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.GENERIC_EXECUTE);
    item.generic_read = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.GENERIC_READ);
    item.generic_write = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.GENERIC_WRITE);

    // Registry-key-specific rights.
    item.key_create_link = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.KEY_CREATE_LINK);
    item.key_create_sub_key = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.KEY_CREATE_SUB_KEY);
    item.key_enumerate_sub_keys = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.KEY_ENUMERATE_SUB_KEYS);
    item.key_notify = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.KEY_NOTIFY);
    item.key_query_value = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.KEY_QUERY_VALUE);
    item.key_set_value = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.KEY_SET_VALUE);
    item.key_wow64_32key = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.KEY_WOW64_32KEY);
    item.key_wow64_64key = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.KEY_WOW64_64KEY);

    return item;
}
/// <summary>
/// Combines the accumulated deny ACE and grant ACE of one trustee into a single effective-rights ACE.
/// A right is effective only when it is granted and not denied, so an explicit deny always wins
/// regardless of what is granted.
/// </summary>
/// <param name="denyDACL">Union of the rights denied to the trustee.</param>
/// <param name="grantDACL">Union of the rights granted to the trustee.</param>
/// <returns>A new <see cref="WMIWinACE"/> holding the effective standard, generic and FILE_* rights.</returns>
private WMIWinACE CreateEffectiveRightsFromGrantAndDenyDACLsCombination(WMIWinACE denyDACL, WMIWinACE grantDACL)
{
    var effective = new WMIWinACE();

    // Standard rights.
    effective.ACCESS_SYSTEM_SECURITY = grantDACL.ACCESS_SYSTEM_SECURITY && !denyDACL.ACCESS_SYSTEM_SECURITY;
    effective.DELETE = grantDACL.DELETE && !denyDACL.DELETE;
    effective.READ_CONTROL = grantDACL.READ_CONTROL && !denyDACL.READ_CONTROL;
    effective.SYNCHRONIZE = grantDACL.SYNCHRONIZE && !denyDACL.SYNCHRONIZE;
    effective.WRITE_DAC = grantDACL.WRITE_DAC && !denyDACL.WRITE_DAC;
    effective.WRITE_OWNER = grantDACL.WRITE_OWNER && !denyDACL.WRITE_OWNER;

    // Generic rights.
    effective.GENERIC_ALL = grantDACL.GENERIC_ALL && !denyDACL.GENERIC_ALL;
    effective.GENERIC_EXECUTE = grantDACL.GENERIC_EXECUTE && !denyDACL.GENERIC_EXECUTE;
    effective.GENERIC_READ = grantDACL.GENERIC_READ && !denyDACL.GENERIC_READ;
    effective.GENERIC_WRITE = grantDACL.GENERIC_WRITE && !denyDACL.GENERIC_WRITE;

    // File-specific rights.
    effective.FILE_ADD_FILE = grantDACL.FILE_ADD_FILE && !denyDACL.FILE_ADD_FILE;
    effective.FILE_ADD_SUBDIRECTORY = grantDACL.FILE_ADD_SUBDIRECTORY && !denyDACL.FILE_ADD_SUBDIRECTORY;
    effective.FILE_APPEND_DATA = grantDACL.FILE_APPEND_DATA && !denyDACL.FILE_APPEND_DATA;
    effective.FILE_DELETE_CHILD = grantDACL.FILE_DELETE_CHILD && !denyDACL.FILE_DELETE_CHILD;
    effective.FILE_EXECUTE = grantDACL.FILE_EXECUTE && !denyDACL.FILE_EXECUTE;
    effective.FILE_LIST_DIRECTORY = grantDACL.FILE_LIST_DIRECTORY && !denyDACL.FILE_LIST_DIRECTORY;
    effective.FILE_READ_ATTRIBUTES = grantDACL.FILE_READ_ATTRIBUTES && !denyDACL.FILE_READ_ATTRIBUTES;
    effective.FILE_READ_DATA = grantDACL.FILE_READ_DATA && !denyDACL.FILE_READ_DATA;
    effective.FILE_READ_EA = grantDACL.FILE_READ_EA && !denyDACL.FILE_READ_EA;
    effective.FILE_TRAVERSE = grantDACL.FILE_TRAVERSE && !denyDACL.FILE_TRAVERSE;
    effective.FILE_WRITE_ATTRIBUTES = grantDACL.FILE_WRITE_ATTRIBUTES && !denyDACL.FILE_WRITE_ATTRIBUTES;
    effective.FILE_WRITE_DATA = grantDACL.FILE_WRITE_DATA && !denyDACL.FILE_WRITE_DATA;
    effective.FILE_WRITE_EA = grantDACL.FILE_WRITE_EA && !denyDACL.FILE_WRITE_EA;

    // NOTE(review): the registry KEY_* flags defined on WMIWinACE are not combined here and stay at the
    // value the constructor gives them — confirm no caller uses this method for registry effective rights.
    // Like OvalDI, the "Generic All" permission is equal to "File Read Data" permission. It needs to be reviewed.
    return effective;
}
/// <summary>
/// Expands a discretionary ACCESS_MASK into a <see cref="WMIWinACE"/> whose individual right flags
/// are decoded from the mask.
/// </summary>
/// <param name="bitwiseAccessMask">The raw access mask as an unsigned integer.</param>
/// <returns>A new <see cref="WMIWinACE"/> holding the mask and the rights decoded from it.</returns>
public WMIWinACE GetSecurityDescriptorFromAccessMask(uint bitwiseAccessMask)
{
    var ace = new WMIWinACE();
    ace.AccessMask = bitwiseAccessMask;

    // Run both decoders over the same mask (presumably one fills the file-style flags and the
    // other the KEY_* flags) so the returned ACE is usable for either object type.
    ace.CalculateFileAccessRightsFromAccessMask();
    ace.CalculateRegistryKeyAccessRightsFromAccessMask();

    return ace;
}
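/// <summary>
/// Creates one <see cref="WMIWinACE"/> per ACE found in the security descriptor returned by WMI,
/// without filtering by trustee.
/// </summary>
/// <param name="rootManagementObject">
/// The <see cref="ManagementBaseObject"/> produced by a WMI method that returns the security descriptor.
/// </param>
/// <returns>A list with one entry per ACE returned by <c>getACLFromManagementObject</c>.</returns>
public virtual IEnumerable<WMIWinACE> GetAllSecurityDescriptorsFromManagementObject(object rootManagementObject)
{
    var securityDescriptor = (ManagementBaseObject)rootManagementObject;
    var aces = this.getACLFromManagementObject(securityDescriptor);
    var result = new List<WMIWinACE>();

    foreach (var ace in aces)
    {
        var trustee = (ManagementBaseObject)ace.Properties["Trustee"].Value;
        var winAce = new WMIWinACE()
        {
            AccessMask = this.getPropertyValueAsUnsiggnedInteger(ace, "AccessMask"),
            AceFlags = this.getPropertyValueAsUnsiggnedInteger(ace, "AceFlags"),
            AceType = this.getPropertyValueAsUnsiggnedInteger(ace, "AceType"),
            Trustee = this.getWinTrusteeFromManagementObject(trustee)
        };

        // Only the file-rights decoder runs here, unlike GetSecurityDescriptorFromAccessMask which
        // also decodes registry KEY_* flags; consumers of KEY_* flags should not rely on this method.
        winAce.CalculateFileAccessRightsFromAccessMask();
        result.Add(winAce);
    }

    return result;
}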
/// <summary>
/// Derives the GENERIC_* flags of an effective-rights ACE from its standard and FILE_* flags, in place.
/// </summary>
/// <param name="userEffectiveRights">The ACE whose GENERIC_READ/WRITE/EXECUTE/ALL flags are rewritten.</param>
private void AdjustGenericRights(WMIWinACE userEffectiveRights)
{
    var rights = userEffectiveRights;

    // Each generic right is set when ANY of its constituent rights is present, not when all are.
    // NOTE(review): this is a superset approximation of the Windows GENERIC_* -> specific-rights
    // mapping, so an item may report generic_read/generic_write while only some of the specific
    // rights are held — confirm this is the intended (OvalDI-compatible) semantics.
    bool canRead = rights.READ_CONTROL
        || rights.FILE_READ_ATTRIBUTES
        || rights.FILE_READ_DATA
        || rights.FILE_READ_EA;

    bool canWrite = rights.WRITE_OWNER
        || rights.WRITE_DAC
        || rights.FILE_WRITE_ATTRIBUTES
        || rights.FILE_WRITE_DATA
        || rights.FILE_APPEND_DATA
        || rights.FILE_WRITE_EA;

    bool canExecute = rights.FILE_EXECUTE;

    rights.GENERIC_READ = canRead;
    rights.GENERIC_WRITE = canWrite;
    rights.GENERIC_EXECUTE = canExecute;

    // GENERIC_ALL follows the same "any" rule over the three generic rights just computed.
    rights.GENERIC_ALL = canRead || canWrite || canExecute;
}
/// <summary>
/// The audit bits of AceFlags must map onto <c>AuditEventStatus</c>: 0x40 (SUCCESSFUL_ACCESS_ACE_FLAG)
/// alone is a success audit, 0x80 (FAILED_ACCESS_ACE_FLAG) alone is a failure audit, both together
/// is success-and-failure, and neither is no audit at all.
/// </summary>
public void Should_be_possible_to_map_AceFlags_to_AuditEventStatusEnum()
{
    // 0 -> no audit bit set.
    var withNoAuditBits = new WMIWinACE { AceFlags = 0 };
    Assert.AreEqual(AuditEventStatus.AUDIT_NONE, withNoAuditBits.AuditEventPolicy);

    // 64 == 0x40 -> SUCCESSFUL_ACCESS_ACE_FLAG only.
    var withSuccessBit = new WMIWinACE { AceFlags = 64 };
    Assert.AreEqual(AuditEventStatus.AUDIT_SUCCESS, withSuccessBit.AuditEventPolicy);

    // 128 == 0x80 -> FAILED_ACCESS_ACE_FLAG only.
    var withFailureBit = new WMIWinACE { AceFlags = 128 };
    Assert.AreEqual(AuditEventStatus.AUDIT_FAILURE, withFailureBit.AuditEventPolicy);

    // 192 == 0x40 | 0x80 -> both audit bits.
    var withBothBits = new WMIWinACE { AceFlags = 192 };
    Assert.AreEqual(AuditEventStatus.AUDIT_SUCCESS_FAILURE, withBothBits.AuditEventPolicy);
}
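/// <summary>
/// Creates one <see cref="WMIWinACE"/> per ACE of the security descriptor whose trustee matches the
/// given user, as decided by <c>DoesACLBelongToUser</c>; ACEs of other trustees are skipped.
/// </summary>
/// <param name="rootManagementObject">
/// The <see cref="ManagementBaseObject"/> produced by a WMI method that returns the security descriptor.
/// </param>
/// <param name="userTrusteeName">
/// The trustee to keep, formatted as "[DOMAIN]\[USERNAME]"; for local users use the machine name as [DOMAIN].
/// </param>
/// <param name="wmiProvider">WMI data provider passed through to <c>DoesACLBelongToUser</c>.</param>
/// <returns>A list of the matching ACEs, one entry per ACE that belongs to the user.</returns>
public virtual IEnumerable<WMIWinACE> GetSecurityDescriptorsFromManagementObject(object rootManagementObject, string userTrusteeName, WmiDataProvider wmiProvider)
{
    var securityDescriptor = (ManagementBaseObject)rootManagementObject;
    ManagementBaseObject[] aces = this.getACLFromManagementObject(securityDescriptor);
    var result = new List<WMIWinACE>();

    foreach (var ace in aces)
    {
        var trustee = (ManagementBaseObject)ace.Properties["Trustee"].Value;

        // Trustee matching is delegated entirely to DoesACLBelongToUser; a false result silently drops
        // the ACE from the effective-rights calculation, so that check decides what the caller sees.
        if (!this.DoesACLBelongToUser(trustee, userTrusteeName, wmiProvider))
        {
            continue;
        }

        var winAce = new WMIWinACE();
        winAce.AccessMask = this.getPropertyValueAsUnsiggnedInteger(ace, "AccessMask");
        winAce.AceFlags = this.getPropertyValueAsUnsiggnedInteger(ace, "AceFlags");
        winAce.AceType = this.getPropertyValueAsUnsiggnedInteger(ace, "AceType");
        winAce.Trustee = this.getWinTrusteeFromManagementObject(trustee);

        // Only the file-rights decoder runs here; KEY_* flags are not decoded by this method.
        winAce.CalculateFileAccessRightsFromAccessMask();
        result.Add(winAce);
    }

    return result;
}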
/// <summary>
/// Copies every right flag of a collected <see cref="WMIWinACE"/> into the
/// <c>regkeyeffectiverights_item</c> currently being built (<c>base.BuildingItemType</c>).
/// Identity entities (hive, key, trustee) are left untouched.
/// </summary>
/// <param name="collectedData">A <see cref="WMIWinACE"/> passed as <c>object</c>; any other runtime type fails the cast.</param>
public override void FillItemTypeWithData(object collectedData)
{
    var ace = (WMIWinACE)collectedData;
    var item = (regkeyeffectiverights_item)base.BuildingItemType;

    // Standard rights (plus ACCESS_SYSTEM_SECURITY, which OVAL reports alongside them).
    item.access_system_security = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.ACCESS_SYSTEM_SECURITY);
    item.standard_delete = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.DELETE);
    item.standard_read_control = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.READ_CONTROL);
    item.standard_synchronize = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.SYNCHRONIZE);
    item.standard_write_dac = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.WRITE_DAC);
    item.standard_write_owner = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.WRITE_OWNER);

    // Generic rights.
    item.generic_all = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.GENERIC_ALL);
    item.generic_execute = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.GENERIC_EXECUTE);
    item.generic_read = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.GENERIC_READ);
    item.generic_write = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.GENERIC_WRITE);

    // Registry-key-specific rights.
    item.key_create_link = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.KEY_CREATE_LINK);
    item.key_create_sub_key = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.KEY_CREATE_SUB_KEY);
    item.key_enumerate_sub_keys = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.KEY_ENUMERATE_SUB_KEYS);
    item.key_notify = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.KEY_NOTIFY);
    item.key_query_value = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.KEY_QUERY_VALUE);
    item.key_set_value = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.KEY_SET_VALUE);
    item.key_wow64_32key = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.KEY_WOW64_32KEY);
    item.key_wow64_64key = OvalHelper.CreateBooleanEntityItemFromBoolValue(ace.KEY_WOW64_64KEY);
}
/// <summary>
/// A freshly constructed <see cref="WMIWinACE"/> whose AceFlags was never assigned must report an
/// <c>EMPTY</c> audit policy, distinguishing "not collected" from an explicit <c>AUDIT_NONE</c>.
/// </summary>
public void When_AceFlags_is_not_set_the_audit_event_status_must_be_equals_to_EMPTY()
{
    var untouchedAce = new WMIWinACE();

    var actual = untouchedAce.AuditEventPolicy;

    Assert.AreEqual(AuditEventStatus.EMPTY, actual);
}