public void Should_be_possible_to_map_AceFlags_to_AuditEventStatusEnum()
        {
            // AceFlags audit bits: 0x40 = successful access, 0x80 = failed access, 0xC0 = both.
            // Each mask below must translate to the matching AuditEventStatus value.
            uint[] aceFlagMasks = { 0, 64, 128, 192 };
            AuditEventStatus[] expectedPolicies =
            {
                AuditEventStatus.AUDIT_NONE,
                AuditEventStatus.AUDIT_SUCCESS,
                AuditEventStatus.AUDIT_FAILURE,
                AuditEventStatus.AUDIT_SUCCESS_FAILURE
            };

            for (int i = 0; i < aceFlagMasks.Length; i++)
            {
                var ace = new WMIWinACE { AceFlags = aceFlagMasks[i] };
                Assert.AreEqual(expectedPolicies[i], ace.AuditEventPolicy);
            }
        }
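        /// <summary>
        /// Creates the list of WMIWinACE objects, from a security descriptor management object,
        /// keeping only the ACEs whose trustee belongs to the given user.
        /// </summary>
        /// <param name="rootManagementObject">The result of the invoked method which returns the Security Descriptor as ManagementBaseObject.</param>
        /// <param name="userTrusteeName">The username formatted such as: "[DOMAIN]\[USERNAME]". For local users use the machine name on [DOMAIN].</param>
        /// <param name="wmiProvider">The WMI data provider passed through to DoesACLBelongToUser when matching each ACE's trustee.</param>
        /// <returns>Returns a List of WMIWinACE objects; empty when no ACE belongs to the user.</returns>
        public virtual IEnumerable<WMIWinACE> GetSecurityDescriptorsFromManagementObject(object rootManagementObject, string userTrusteeName, WmiDataProvider wmiProvider)
        {
            ManagementBaseObject[] ACLs = this.getACLFromManagementObject((ManagementBaseObject)rootManagementObject);

            var result = new List<WMIWinACE>();
            foreach (var acl in ACLs)
            {
                var aclTrustee = (ManagementBaseObject)acl.Properties["Trustee"].Value;
                // ACEs for other trustees are skipped; the trustee object is reused below so it is read once.
                if (!this.DoesACLBelongToUser(aclTrustee, userTrusteeName, wmiProvider))
                {
                    continue;
                }

                var newWinACE = new WMIWinACE()
                {
                    AccessMask = this.getPropertyValueAsUnsiggnedInteger(acl, "AccessMask"),
                    AceFlags = this.getPropertyValueAsUnsiggnedInteger(acl, "AceFlags"),
                    AceType = this.getPropertyValueAsUnsiggnedInteger(acl, "AceType"),
                    Trustee = this.getWinTrusteeFromManagementObject(aclTrustee)
                };
                // Populates the per-right flags (FILE_* / GENERIC_* ...) from AccessMask.
                newWinACE.CalculateFileAccessRightsFromAccessMask();

                result.Add(newWinACE);
            }

            return result;
        }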
        /// <summary>
        /// Builds a WMIWinACE from a raw access mask, deriving both the file and the
        /// registry-key right flags from it.
        /// </summary>
        /// <param name="bitwiseAccessMask">The source access mask as an unsigned integer.</param>
        /// <returns>A WMIWinACE whose per-right flags are calculated from the access mask.</returns>
        public WMIWinACE GetSecurityDescriptorFromAccessMask(uint bitwiseAccessMask)
        {
            var descriptor = new WMIWinACE();
            descriptor.AccessMask = bitwiseAccessMask;

            // Both right families are computed from the same mask.
            descriptor.CalculateFileAccessRightsFromAccessMask();
            descriptor.CalculateRegistryKeyAccessRightsFromAccessMask();

            return descriptor;
        }
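        /// <summary>
        /// Creates the list of WMIWinACE objects for every ACE found in a security descriptor
        /// management object, regardless of trustee.
        /// </summary>
        /// <param name="rootManagementObject">The result of the invoked method which returns the Security Descriptor as ManagementBaseObject.</param>
        /// <returns>Returns a List of WMIWinACE objects, one per ACE; empty when no ACE is returned.</returns>
        public virtual IEnumerable<WMIWinACE> GetAllSecurityDescriptorsFromManagementObject(object rootManagementObject)
        {
            var ACLs = this.getACLFromManagementObject((ManagementBaseObject)rootManagementObject);

            var result = new List<WMIWinACE>();
            foreach (var acl in ACLs)
            {
                var aclTrustee = (ManagementBaseObject)acl.Properties["Trustee"].Value;
                var newWinACE = new WMIWinACE()
                {
                    AccessMask = this.getPropertyValueAsUnsiggnedInteger(acl, "AccessMask"),
                    AceFlags = this.getPropertyValueAsUnsiggnedInteger(acl, "AceFlags"),
                    AceType = this.getPropertyValueAsUnsiggnedInteger(acl, "AceType"),
                    Trustee = this.getWinTrusteeFromManagementObject(aclTrustee)
                };
                // Populates the per-right flags (FILE_* / GENERIC_* ...) from AccessMask.
                newWinACE.CalculateFileAccessRightsFromAccessMask();

                result.Add(newWinACE);
            }

            return result;
        }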
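        /// <summary>
        /// Collects the CIM_LogicalFile attributes and the security settings (owner, group,
        /// DACL) of a file or directory through WMI.
        /// </summary>
        /// <param name="scope">The WMI scope the queries are run against.</param>
        /// <param name="path">A full Windows path with drive letter, e.g. "C:\dir\file.ext".</param>
        /// <returns>
        /// A WMIFileInfo; Found tells whether the object was located, and any WMI failure is
        /// reported through ErrorMsg instead of being thrown.
        /// </returns>
        /// <exception cref="ArgumentNullException">path is null.</exception>
        /// <exception cref="CollectorException">path is not a full path with a drive letter.</exception>
        public static WMIFileInfo CollectFileInfo(ManagementScope scope, string path)
        {
            if (path == null)
            {
                throw new ArgumentNullException("path");
            }

            WMIFileInfo retVal = new WMIFileInfo();

            // Attributes from CIM_DataFile (creation date, size, etc)
            string pathDrive = Path.GetPathRoot(path);
            string pathPath = Path.GetDirectoryName(path);
            string pathFilename = Path.GetFileNameWithoutExtension(path);
            string pathExtension = Path.GetExtension(path);

            // GetPathRoot is null/short for relative and UNC paths, GetDirectoryName is null for a
            // bare root, and a directory part of just "X:" is drive-relative: none is a full path.
            bool hasDriveLetter = pathDrive != null && pathDrive.Length >= 2 && pathDrive[1] == ':';
            if (!hasDriveLetter || pathPath == null || pathPath.Length < 3)
            {
                throw new CollectorException(String.Format("Invalid path '{0}': must be a full path with drive letter", path));
            }
            pathDrive = pathDrive.Substring(0, 2);
            pathPath = pathPath.Substring(2);
            if (pathPath[pathPath.Length - 1] != '\\')
            {
                pathPath += '\\';
            }
            if (Path.HasExtension(path))
            {
                pathExtension = pathExtension.Substring(1);
            }

            // Every component comes from the caller's path, so each is escaped before being placed
            // inside a WQL string literal; a quote or backslash in a name cannot alter the query.
            string wqlDrive = EscapeWqlLiteral(pathDrive);
            string wqlPath = EscapeWqlLiteral(pathPath);
            string wqlFilename = EscapeWqlLiteral(pathFilename);
            string wqlExtension = EscapeWqlLiteral(pathExtension);

            try
            {
                retVal.Query = String.Format("SELECT * FROM CIM_LogicalFile WHERE Drive = '{0}' AND path = '{1}' AND FileName = '{2}' AND Extension = '{3}'", wqlDrive, wqlPath, wqlFilename, wqlExtension);
                ManagementObject queryObj = QueryFirstInstance(scope, retVal.Query);
                if (queryObj == null)
                {
                    // Second attempt with the dot kept inside FileName and an empty Extension
                    // (presumably for directories whose name contains a dot; confirm against WMI).
                    retVal.Query = String.Format("SELECT * FROM CIM_LogicalFile WHERE Drive = '{0}' AND path = '{1}' AND FileName = '{2}.{3}' AND Extension = ''", wqlDrive, wqlPath, wqlFilename, wqlExtension);
                    queryObj = QueryFirstInstance(scope, retVal.Query);
                }

                if (queryObj == null)
                {
                    retVal.Found = false;
                    retVal.ErrorMsg = "File not found";
                }
                else
                {
                    using (queryObj)
                    {
                        FillLogicalFileAttributes(retVal, queryObj);
                    }
                }

                // Attributes from Win32_LogicalFileSecuritySetting (Owner, Group, ACLs)
                FillSecurityAttributes(retVal, scope, path);
            }
            catch (Exception excp)
            {
                // Best effort: a WMI failure is reported in the result rather than propagated.
                retVal.ErrorMsg = String.Format("{0}: {1}", excp.GetType(), excp.Message);
            }

            return retVal;
        }

        /// <summary>
        /// Escapes a value for use inside a single-quoted WQL string literal
        /// (backslash and single quote are the characters WQL treats specially).
        /// </summary>
        private static string EscapeWqlLiteral(string value)
        {
            return value.Replace("\\", "\\\\").Replace("'", "\\'");
        }

        /// <summary>
        /// Runs a WQL query and returns its first instance, or null when there is none.
        /// The searcher is disposed before returning; the instance keeps its own WMI reference.
        /// </summary>
        private static ManagementObject QueryFirstInstance(ManagementScope scope, string query)
        {
            using (ManagementObjectSearcher searcher = MyGetSearcher(scope, query))
            {
                foreach (ManagementObject instance in searcher.Get())
                {
                    return instance;
                }
            }

            return null;
        }

        /// <summary>
        /// Parses the date part of a DMTF timestamp ("yyyyMMddHHmmss.ffffff±UUU"). The UTC-offset
        /// suffix is dropped, so the result has DateTimeKind.Unspecified.
        /// NOTE(review): a missing timestamp yields DateTime.MinValue instead of aborting the collection.
        /// </summary>
        private static DateTime ParseDmtfDateTime(object value)
        {
            string text = value as string;
            if (text == null || text.Length < 21)
            {
                return DateTime.MinValue;
            }

            return DateTime.ParseExact(text.Substring(0, 21), "yyyyMMddHHmmss.ffffff", System.Globalization.CultureInfo.InvariantCulture);
        }

        /// <summary>
        /// Copies the CIM_LogicalFile properties of a located instance into info and sets
        /// IsDirectory from the concrete WMI class of the instance.
        /// </summary>
        private static void FillLogicalFileAttributes(WMIFileInfo info, ManagementObject queryObj)
        {
            info.Found = true;

            info.Drive = (string)queryObj["Drive"];
            info.Path = (string)queryObj["path"];
            info.Extension = (string)queryObj["Extension"];
            info.FileName = (string)queryObj["FileName"];
            info.Name = (string)queryObj["Name"];

            info.Archive = (bool)queryObj["Archive"];
            info.Compressed = (bool)queryObj["Compressed"];
            info.EightDotThreeFileName = (string)queryObj["EightDotThreeFileName"];
            info.Encrypted = (bool)queryObj["Encrypted"];
            info.FileType = (string)queryObj["FileType"];
            info.Hidden = (bool)queryObj["Hidden"];
            info.System = (bool)queryObj["System"];

            info.Writeable = (bool)queryObj["Writeable"];
            info.CreationDate = ParseDmtfDateTime(queryObj["CreationDate"]);
            info.InstallDate = ParseDmtfDateTime(queryObj["InstallDate"]);
            info.LastAccessed = ParseDmtfDateTime(queryObj["LastAccessed"]);
            info.LastModified = ParseDmtfDateTime(queryObj["LastModified"]);

            // CIM_LogicalFile is abstract; the concrete class tells files and directories apart,
            // and only CIM_DataFile carries size/manufacturer/version.
            string className = queryObj.ClassPath.ClassName;
            switch (className)
            {
                case "Win32_Directory":
                    info.IsDirectory = true;
                    break;
                case "CIM_DataFile":
                    info.IsDirectory = false;
                    info.FileSize = (ulong)queryObj["FileSize"];
                    info.Manufacturer = (string)queryObj["Manufacturer"];
                    info.Version = (string)queryObj["Version"];
                    break;
                default:
                    info.IsDirectory = false;
                    info.ErrorMsg = "Unexpected object type '" + className + "'";
                    break;
            }
        }

        /// <summary>
        /// Reads owner, group and the DACL from Win32_LogicalFileSecuritySetting into info.
        /// When GetSecurityDescriptor yields no descriptor, ErrorMsg is set and nothing else changes.
        /// </summary>
        private static void FillSecurityAttributes(WMIFileInfo info, ManagementScope scope, string path)
        {
            // NOTE(review): the object path is built from the raw path; a single quote in it is
            // not escaped here — confirm how ManagementPath treats such names before relying on it.
            ManagementPath objectPath = new ManagementPath(String.Format("Win32_LogicalFileSecuritySetting.path='{0}'", path));
            using (ManagementObject mgmt = new ManagementObject(scope, objectPath, null))
            using (ManagementBaseObject secDesc = mgmt.InvokeMethod("GetSecurityDescriptor", null, null))
            {
                ManagementBaseObject descriptor = null;
                if (secDesc != null)
                {
                    descriptor = secDesc.Properties["Descriptor"].Value as ManagementBaseObject;
                }
                if (descriptor == null)
                {
                    info.ErrorMsg = String.Format("GetSecurityDescriptor returned no descriptor (ReturnValue = {0})", secDesc == null ? null : secDesc["ReturnValue"]);
                    return;
                }

                info.Owner = FormatAccount(descriptor.Properties["Owner"].Value as ManagementBaseObject);
                info.Group = FormatAccount(descriptor.Properties["Group"].Value as ManagementBaseObject);

                info.DACL = new List<WMIWinACE>();
                ManagementBaseObject[] acls = descriptor.Properties["DACL"].Value as ManagementBaseObject[];
                if (acls != null)
                {
                    foreach (ManagementBaseObject thisacl in acls)
                    {
                        info.DACL.Add(CreateAce(thisacl, info.IsDirectory));
                    }
                }
            }
        }

        /// <summary>Formats a Win32_Trustee as "DOMAIN\Name"; null when the trustee is absent.</summary>
        private static string FormatAccount(ManagementBaseObject account)
        {
            if (account == null)
            {
                return null;
            }

            return String.Format("{0}\\{1}", account.Properties["Domain"].Value, account.Properties["Name"].Value);
        }

        /// <summary>Builds a WMIWinACE (with its trustee) from one Win32_ACE instance of the DACL.</summary>
        private static WMIWinACE CreateAce(ManagementBaseObject thisacl, bool isDirectory)
        {
            WMIWinACE thisace = new WMIWinACE();
            thisace.IsDirectory = isDirectory;
            thisace.AccessMask = (UInt32)thisacl.Properties["AccessMask"].Value;
            thisace.AceFlags = (UInt32)thisacl.Properties["AceFlags"].Value;
            thisace.AceType = (UInt32)thisacl.Properties["AceType"].Value;
            thisace.GuidInheritedObjectType = thisacl.Properties["GuidInheritedObjectType"].Value as string;
            thisace.GuidObjectType = thisacl.Properties["GuidObjectType"].Value as string;

            thisace.Trustee = new WMIWinTrustee();
            ManagementBaseObject trustee = thisacl.Properties["Trustee"].Value as ManagementBaseObject;
            if (trustee != null)
            {
                thisace.Trustee.Domain = trustee.Properties["Domain"].Value as string;
                thisace.Trustee.Name = trustee.Properties["Name"].Value as string;
                thisace.Trustee.SID = trustee.Properties["SID"].Value as Byte[];
                thisace.Trustee.SidLength = (UInt32)trustee.Properties["SidLength"].Value;
                thisace.Trustee.SIDString = trustee.Properties["SIDString"].Value as string;
            }

            return thisace;
        }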
        public void When_AceFlags_is_not_set_the_audit_event_status_must_be_equals_to_EMPTY()
        {
            // A freshly constructed ACE has no AceFlags assigned, so no audit policy can be derived.
            var aceWithoutFlags = new WMIWinACE();
            var actualPolicy = aceWithoutFlags.AuditEventPolicy;

            Assert.AreEqual(AuditEventStatus.EMPTY, actualPolicy);
        }
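        /// <summary>
        /// Collects the CIM_LogicalFile attributes and the security settings (owner, group,
        /// DACL) of a file or directory through WMI.
        /// </summary>
        /// <param name="scope">The WMI scope the queries are run against.</param>
        /// <param name="path">A full Windows path with drive letter, e.g. "C:\dir\file.ext".</param>
        /// <returns>
        /// A WMIFileInfo; Found tells whether the object was located, and any WMI failure is
        /// reported through ErrorMsg instead of being thrown.
        /// </returns>
        /// <exception cref="ArgumentNullException">path is null.</exception>
        /// <exception cref="CollectorException">path is not a full path with a drive letter.</exception>
        public static WMIFileInfo CollectFileInfo(ManagementScope scope, string path)
        {
            if (path == null)
            {
                throw new ArgumentNullException("path");
            }

            WMIFileInfo retVal = new WMIFileInfo();

            // Attributes from CIM_DataFile (creation date, size, etc)
            string pathDrive     = Path.GetPathRoot(path);
            string pathPath      = Path.GetDirectoryName(path);
            string pathFilename  = Path.GetFileNameWithoutExtension(path);
            string pathExtension = Path.GetExtension(path);

            // GetPathRoot is null/short for relative and UNC paths, GetDirectoryName is null for a
            // bare root, and a directory part of just "X:" is drive-relative: none is a full path.
            bool hasDriveLetter = pathDrive != null && pathDrive.Length >= 2 && pathDrive[1] == ':';
            if (!hasDriveLetter || pathPath == null || pathPath.Length < 3)
            {
                throw new CollectorException(String.Format("Invalid path '{0}': must be a full path with drive letter", path));
            }
            pathDrive = pathDrive.Substring(0, 2);
            pathPath  = pathPath.Substring(2);
            if (pathPath[pathPath.Length - 1] != '\\')
            {
                pathPath += '\\';
            }
            if (Path.HasExtension(path))
            {
                pathExtension = pathExtension.Substring(1);
            }

            // Every component comes from the caller's path, so each is escaped before being placed
            // inside a WQL string literal; a quote or backslash in a name cannot alter the query.
            string wqlDrive     = EscapeWqlLiteral(pathDrive);
            string wqlPath      = EscapeWqlLiteral(pathPath);
            string wqlFilename  = EscapeWqlLiteral(pathFilename);
            string wqlExtension = EscapeWqlLiteral(pathExtension);

            try
            {
                retVal.Query = String.Format("SELECT * FROM CIM_LogicalFile WHERE Drive = '{0}' AND path = '{1}' AND FileName = '{2}' AND Extension = '{3}'", wqlDrive, wqlPath, wqlFilename, wqlExtension);
                ManagementObject queryObj = QueryFirstInstance(scope, retVal.Query);
                if (queryObj == null)
                {
                    // Second attempt with the dot kept inside FileName and an empty Extension
                    // (presumably for directories whose name contains a dot; confirm against WMI).
                    retVal.Query = String.Format("SELECT * FROM CIM_LogicalFile WHERE Drive = '{0}' AND path = '{1}' AND FileName = '{2}.{3}' AND Extension = ''", wqlDrive, wqlPath, wqlFilename, wqlExtension);
                    queryObj     = QueryFirstInstance(scope, retVal.Query);
                }

                if (queryObj == null)
                {
                    retVal.Found    = false;
                    retVal.ErrorMsg = "File not found";
                }
                else
                {
                    using (queryObj)
                    {
                        FillLogicalFileAttributes(retVal, queryObj);
                    }
                }

                // Attributes from Win32_LogicalFileSecuritySetting (Owner, Group, ACLs)
                FillSecurityAttributes(retVal, scope, path);
            }
            catch (Exception excp)
            {
                // Best effort: a WMI failure is reported in the result rather than propagated.
                retVal.ErrorMsg = String.Format("{0}: {1}", excp.GetType(), excp.Message);
            }

            return(retVal);
        }

        /// <summary>
        /// Escapes a value for use inside a single-quoted WQL string literal
        /// (backslash and single quote are the characters WQL treats specially).
        /// </summary>
        private static string EscapeWqlLiteral(string value)
        {
            return value.Replace("\\", "\\\\").Replace("'", "\\'");
        }

        /// <summary>
        /// Runs a WQL query and returns its first instance, or null when there is none.
        /// The searcher is disposed before returning; the instance keeps its own WMI reference.
        /// </summary>
        private static ManagementObject QueryFirstInstance(ManagementScope scope, string query)
        {
            using (ManagementObjectSearcher searcher = MyGetSearcher(scope, query))
            {
                foreach (ManagementObject instance in searcher.Get())
                {
                    return instance;
                }
            }

            return null;
        }

        /// <summary>
        /// Parses the date part of a DMTF timestamp ("yyyyMMddHHmmss.ffffff±UUU"). The UTC-offset
        /// suffix is dropped, so the result has DateTimeKind.Unspecified.
        /// NOTE(review): a missing timestamp yields DateTime.MinValue instead of aborting the collection.
        /// </summary>
        private static DateTime ParseDmtfDateTime(object value)
        {
            string text = value as string;
            if (text == null || text.Length < 21)
            {
                return DateTime.MinValue;
            }

            return DateTime.ParseExact(text.Substring(0, 21), "yyyyMMddHHmmss.ffffff", System.Globalization.CultureInfo.InvariantCulture);
        }

        /// <summary>
        /// Copies the CIM_LogicalFile properties of a located instance into info and sets
        /// IsDirectory from the concrete WMI class of the instance.
        /// </summary>
        private static void FillLogicalFileAttributes(WMIFileInfo info, ManagementObject queryObj)
        {
            info.Found = true;

            info.Drive     = (string)queryObj["Drive"];
            info.Path      = (string)queryObj["path"];
            info.Extension = (string)queryObj["Extension"];
            info.FileName  = (string)queryObj["FileName"];
            info.Name      = (string)queryObj["Name"];

            info.Archive               = (bool)queryObj["Archive"];
            info.Compressed            = (bool)queryObj["Compressed"];
            info.EightDotThreeFileName = (string)queryObj["EightDotThreeFileName"];
            info.Encrypted             = (bool)queryObj["Encrypted"];
            info.FileType              = (string)queryObj["FileType"];
            info.Hidden                = (bool)queryObj["Hidden"];
            info.System                = (bool)queryObj["System"];

            info.Writeable    = (bool)queryObj["Writeable"];
            info.CreationDate = ParseDmtfDateTime(queryObj["CreationDate"]);
            info.InstallDate  = ParseDmtfDateTime(queryObj["InstallDate"]);
            info.LastAccessed = ParseDmtfDateTime(queryObj["LastAccessed"]);
            info.LastModified = ParseDmtfDateTime(queryObj["LastModified"]);

            // CIM_LogicalFile is abstract; the concrete class tells files and directories apart,
            // and only CIM_DataFile carries size/manufacturer/version.
            string className = queryObj.ClassPath.ClassName;
            switch (className)
            {
            case "Win32_Directory":
                info.IsDirectory = true;
                break;

            case "CIM_DataFile":
                info.IsDirectory  = false;
                info.FileSize     = (ulong)queryObj["FileSize"];
                info.Manufacturer = (string)queryObj["Manufacturer"];
                info.Version      = (string)queryObj["Version"];
                break;

            default:
                info.IsDirectory = false;
                info.ErrorMsg    = "Unexpected object type '" + className + "'";
                break;
            }
        }

        /// <summary>
        /// Reads owner, group and the DACL from Win32_LogicalFileSecuritySetting into info.
        /// When GetSecurityDescriptor yields no descriptor, ErrorMsg is set and nothing else changes.
        /// </summary>
        private static void FillSecurityAttributes(WMIFileInfo info, ManagementScope scope, string path)
        {
            // NOTE(review): the object path is built from the raw path; a single quote in it is
            // not escaped here — confirm how ManagementPath treats such names before relying on it.
            ManagementPath objectPath = new ManagementPath(String.Format("Win32_LogicalFileSecuritySetting.path='{0}'", path));
            using (ManagementObject mgmt = new ManagementObject(scope, objectPath, null))
            using (ManagementBaseObject secDesc = mgmt.InvokeMethod("GetSecurityDescriptor", null, null))
            {
                ManagementBaseObject descriptor = null;
                if (secDesc != null)
                {
                    descriptor = secDesc.Properties["Descriptor"].Value as ManagementBaseObject;
                }
                if (descriptor == null)
                {
                    info.ErrorMsg = String.Format("GetSecurityDescriptor returned no descriptor (ReturnValue = {0})", secDesc == null ? null : secDesc["ReturnValue"]);
                    return;
                }

                info.Owner = FormatAccount(descriptor.Properties["Owner"].Value as ManagementBaseObject);
                info.Group = FormatAccount(descriptor.Properties["Group"].Value as ManagementBaseObject);

                info.DACL = new List<WMIWinACE>();
                ManagementBaseObject[] acls = descriptor.Properties["DACL"].Value as ManagementBaseObject[];
                if (acls != null)
                {
                    foreach (ManagementBaseObject thisacl in acls)
                    {
                        info.DACL.Add(CreateAce(thisacl, info.IsDirectory));
                    }
                }
            }
        }

        /// <summary>Formats a Win32_Trustee as "DOMAIN\Name"; null when the trustee is absent.</summary>
        private static string FormatAccount(ManagementBaseObject account)
        {
            if (account == null)
            {
                return null;
            }

            return String.Format("{0}\\{1}", account.Properties["Domain"].Value, account.Properties["Name"].Value);
        }

        /// <summary>Builds a WMIWinACE (with its trustee) from one Win32_ACE instance of the DACL.</summary>
        private static WMIWinACE CreateAce(ManagementBaseObject thisacl, bool isDirectory)
        {
            WMIWinACE thisace = new WMIWinACE();
            thisace.IsDirectory             = isDirectory;
            thisace.AccessMask              = (UInt32)thisacl.Properties["AccessMask"].Value;
            thisace.AceFlags                = (UInt32)thisacl.Properties["AceFlags"].Value;
            thisace.AceType                 = (UInt32)thisacl.Properties["AceType"].Value;
            thisace.GuidInheritedObjectType = thisacl.Properties["GuidInheritedObjectType"].Value as string;
            thisace.GuidObjectType          = thisacl.Properties["GuidObjectType"].Value as string;

            thisace.Trustee = new WMIWinTrustee();
            ManagementBaseObject trustee = thisacl.Properties["Trustee"].Value as ManagementBaseObject;
            if (trustee != null)
            {
                thisace.Trustee.Domain    = trustee.Properties["Domain"].Value as string;
                thisace.Trustee.Name      = trustee.Properties["Name"].Value as string;
                thisace.Trustee.SID       = trustee.Properties["SID"].Value as Byte[];
                thisace.Trustee.SidLength = (UInt32)trustee.Properties["SidLength"].Value;
                thisace.Trustee.SIDString = trustee.Properties["SIDString"].Value as string;
            }

            return thisace;
        }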
        /// <summary>
        /// Combines a deny ACE and a grant ACE into the effective rights: a right is effective
        /// only when it is granted and not denied.
        /// </summary>
        /// <param name="denyDACL">ACE holding the rights that are explicitly denied.</param>
        /// <param name="grantDACL">ACE holding the rights that are explicitly granted.</param>
        /// <returns>A new WMIWinACE with one flag per right.</returns>
        private WMIWinACE CreateEffectiveRightsFromGrantAndDenyDACLsCombination(WMIWinACE denyDACL, WMIWinACE grantDACL)
        {
            var effectiveDACL = new WMIWinACE();

            effectiveDACL.ACCESS_SYSTEM_SECURITY = Allowed(denyDACL.ACCESS_SYSTEM_SECURITY, grantDACL.ACCESS_SYSTEM_SECURITY);
            effectiveDACL.DELETE = Allowed(denyDACL.DELETE, grantDACL.DELETE);
            effectiveDACL.FILE_ADD_FILE = Allowed(denyDACL.FILE_ADD_FILE, grantDACL.FILE_ADD_FILE);
            effectiveDACL.FILE_ADD_SUBDIRECTORY = Allowed(denyDACL.FILE_ADD_SUBDIRECTORY, grantDACL.FILE_ADD_SUBDIRECTORY);
            effectiveDACL.FILE_APPEND_DATA = Allowed(denyDACL.FILE_APPEND_DATA, grantDACL.FILE_APPEND_DATA);
            effectiveDACL.FILE_DELETE_CHILD = Allowed(denyDACL.FILE_DELETE_CHILD, grantDACL.FILE_DELETE_CHILD);
            effectiveDACL.FILE_EXECUTE = Allowed(denyDACL.FILE_EXECUTE, grantDACL.FILE_EXECUTE);
            effectiveDACL.GENERIC_EXECUTE = Allowed(denyDACL.GENERIC_EXECUTE, grantDACL.GENERIC_EXECUTE);
            effectiveDACL.GENERIC_READ = Allowed(denyDACL.GENERIC_READ, grantDACL.GENERIC_READ);
            effectiveDACL.GENERIC_WRITE = Allowed(denyDACL.GENERIC_WRITE, grantDACL.GENERIC_WRITE);
            effectiveDACL.GENERIC_ALL = Allowed(denyDACL.GENERIC_ALL, grantDACL.GENERIC_ALL);
            effectiveDACL.FILE_LIST_DIRECTORY = Allowed(denyDACL.FILE_LIST_DIRECTORY, grantDACL.FILE_LIST_DIRECTORY);
            effectiveDACL.FILE_READ_ATTRIBUTES = Allowed(denyDACL.FILE_READ_ATTRIBUTES, grantDACL.FILE_READ_ATTRIBUTES);
            effectiveDACL.FILE_READ_DATA = Allowed(denyDACL.FILE_READ_DATA, grantDACL.FILE_READ_DATA);
            effectiveDACL.FILE_READ_EA = Allowed(denyDACL.FILE_READ_EA, grantDACL.FILE_READ_EA);
            effectiveDACL.FILE_TRAVERSE = Allowed(denyDACL.FILE_TRAVERSE, grantDACL.FILE_TRAVERSE);
            effectiveDACL.FILE_WRITE_ATTRIBUTES = Allowed(denyDACL.FILE_WRITE_ATTRIBUTES, grantDACL.FILE_WRITE_ATTRIBUTES);
            effectiveDACL.FILE_WRITE_DATA = Allowed(denyDACL.FILE_WRITE_DATA, grantDACL.FILE_WRITE_DATA);
            effectiveDACL.FILE_WRITE_EA = Allowed(denyDACL.FILE_WRITE_EA, grantDACL.FILE_WRITE_EA);
            effectiveDACL.READ_CONTROL = Allowed(denyDACL.READ_CONTROL, grantDACL.READ_CONTROL);
            effectiveDACL.SYNCHRONIZE = Allowed(denyDACL.SYNCHRONIZE, grantDACL.SYNCHRONIZE);
            effectiveDACL.WRITE_DAC = Allowed(denyDACL.WRITE_DAC, grantDACL.WRITE_DAC);
            effectiveDACL.WRITE_OWNER = Allowed(denyDACL.WRITE_OWNER, grantDACL.WRITE_OWNER);
            // Like OvalDI, the "Generic All" permission is equal to "File Read Data" permission. It needs to be reviewed.

            return effectiveDACL;
        }

        /// <summary>A denied right wins over a granted one; otherwise the grant decides.</summary>
        private static bool Allowed(bool denied, bool granted)
        {
            return !denied && granted;
        }
        /// <summary>
        /// Recomputes the GENERIC_* flags of an effective-rights ACE from its specific rights:
        /// a generic right is set as soon as one of the specific rights it covers is set.
        /// </summary>
        /// <param name="userEffectiveRights">The ACE updated in place.</param>
        private void AdjustGenericRights(WMIWinACE userEffectiveRights)
        {
            bool canRead = userEffectiveRights.READ_CONTROL
                || userEffectiveRights.FILE_READ_ATTRIBUTES
                || userEffectiveRights.FILE_READ_DATA
                || userEffectiveRights.FILE_READ_EA;

            bool canWrite = userEffectiveRights.WRITE_OWNER
                || userEffectiveRights.WRITE_DAC
                || userEffectiveRights.FILE_WRITE_ATTRIBUTES
                || userEffectiveRights.FILE_WRITE_DATA
                || userEffectiveRights.FILE_APPEND_DATA
                || userEffectiveRights.FILE_WRITE_EA;

            bool canExecute = userEffectiveRights.FILE_EXECUTE;

            userEffectiveRights.GENERIC_READ = canRead;
            userEffectiveRights.GENERIC_WRITE = canWrite;
            userEffectiveRights.GENERIC_EXECUTE = canExecute;
            // GENERIC_ALL here means "any generic right is set", not "every generic right is set".
            userEffectiveRights.GENERIC_ALL = canRead || canWrite || canExecute;
        }