public void Should_be_possible_to_map_AceFlags_to_AuditEventStatusEnum()
{
    // Raw AceFlags values and the audit policy each one must map to.
    // 64 (0x40) and 128 (0x80) are the Windows SUCCESSFUL_ACCESS_ACE_FLAG and
    // FAILED_ACCESS_ACE_FLAG bits; 192 is both of them set at once.
    uint[] aceFlagValues = { 0, 64, 128, 192 };
    AuditEventStatus[] expectedPolicies =
    {
        AuditEventStatus.AUDIT_NONE,
        AuditEventStatus.AUDIT_SUCCESS,
        AuditEventStatus.AUDIT_FAILURE,
        AuditEventStatus.AUDIT_SUCCESS_FAILURE
    };

    for (int i = 0; i < aceFlagValues.Length; i++)
    {
        var ace = new WMIWinACE { AceFlags = aceFlagValues[i] };
        Assert.AreEqual(expectedPolicies[i], ace.AuditEventPolicy);
    }
}
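/// <summary>
/// Creates the list of WMIWinACE objects, taken from a security descriptor management object,
/// whose trustee belongs to the given user.
/// </summary>
/// <param name="rootManagementObject">The result of the invoked method which returns the Security Descriptor as a ManagementBaseObject.</param>
/// <param name="userTrusteeName">The username formatted such as: "[DOMAIN]\[USERNAME]". For local users use the machine name as [DOMAIN].</param>
/// <param name="wmiProvider">The WMI data provider handed to DoesACLBelongToUser to decide whether an ACE trustee matches the user.</param>
/// <returns>A list of WMIWinACE objects for the user's ACEs; empty when none belongs to the user.</returns>
/// <exception cref="ArgumentNullException">Thrown when <paramref name="rootManagementObject"/> is null.</exception>
/// <exception cref="InvalidCastException">Thrown when <paramref name="rootManagementObject"/> is not a ManagementBaseObject.</exception>
public virtual IEnumerable<WMIWinACE> GetSecurityDescriptorsFromManagementObject(object rootManagementObject, string userTrusteeName, WmiDataProvider wmiProvider)
{
    if (rootManagementObject == null)
    {
        throw new ArgumentNullException("rootManagementObject");
    }

    ManagementBaseObject[] aces = this.getACLFromManagementObject((ManagementBaseObject)rootManagementObject);
    var result = new List<WMIWinACE>();
    if (aces == null)
    {
        // A descriptor without a DACL array yields no ACEs rather than a null-reference failure.
        return result;
    }

    foreach (var ace in aces)
    {
        var aceTrustee = (ManagementBaseObject)ace.Properties["Trustee"].Value;
        if (!this.DoesACLBelongToUser(aceTrustee, userTrusteeName, wmiProvider))
        {
            continue;
        }

        var newWinACE = new WMIWinACE()
        {
            AccessMask = this.getPropertyValueAsUnsiggnedInteger(ace, "AccessMask"),
            AceFlags = this.getPropertyValueAsUnsiggnedInteger(ace, "AceFlags"),
            AceType = this.getPropertyValueAsUnsiggnedInteger(ace, "AceType"),
            Trustee = this.getWinTrusteeFromManagementObject(aceTrustee)
        };
        // Only the file-rights flags are derived here; registry-key rights are a separate calculation.
        newWinACE.CalculateFileAccessRightsFromAccessMask();
        result.Add(newWinACE);
    }
    return result;
}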
/// <summary>
/// Builds a WMIWinACE from a raw access mask, with both the file and the registry-key
/// access-right flags derived from that mask.
/// </summary>
/// <param name="bitwiseAccessMask">The source access mask as an unsigned integer.</param>
/// <returns>A WMIWinACE whose object access rights were calculated from the access mask.</returns>
public WMIWinACE GetSecurityDescriptorFromAccessMask(uint bitwiseAccessMask)
{
    var ace = new WMIWinACE();
    ace.AccessMask = bitwiseAccessMask;
    // Both calculations read AccessMask; file rights first, registry-key rights second.
    ace.CalculateFileAccessRightsFromAccessMask();
    ace.CalculateRegistryKeyAccessRightsFromAccessMask();
    return ace;
}
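/// <summary>
/// Creates the list of WMIWinACE objects for every ACE found in a security descriptor
/// management object, regardless of the trustee.
/// </summary>
/// <param name="rootManagementObject">The result of the invoked method which returns the Security Descriptor as a ManagementBaseObject.</param>
/// <returns>A list of WMIWinACE objects, one per ACE; empty when the descriptor holds none.</returns>
/// <exception cref="ArgumentNullException">Thrown when <paramref name="rootManagementObject"/> is null.</exception>
/// <exception cref="InvalidCastException">Thrown when <paramref name="rootManagementObject"/> is not a ManagementBaseObject.</exception>
public virtual IEnumerable<WMIWinACE> GetAllSecurityDescriptorsFromManagementObject(object rootManagementObject)
{
    if (rootManagementObject == null)
    {
        throw new ArgumentNullException("rootManagementObject");
    }

    var aces = this.getACLFromManagementObject((ManagementBaseObject)rootManagementObject);
    var result = new List<WMIWinACE>();
    if (aces == null)
    {
        // A descriptor without a DACL array yields no ACEs rather than a null-reference failure.
        return result;
    }

    foreach (var ace in aces)
    {
        var aceTrustee = (ManagementBaseObject)ace.Properties["Trustee"].Value;
        var newWinACE = new WMIWinACE()
        {
            AccessMask = this.getPropertyValueAsUnsiggnedInteger(ace, "AccessMask"),
            AceFlags = this.getPropertyValueAsUnsiggnedInteger(ace, "AceFlags"),
            AceType = this.getPropertyValueAsUnsiggnedInteger(ace, "AceType"),
            Trustee = this.getWinTrusteeFromManagementObject(aceTrustee)
        };
        // Only the file-rights flags are derived here; registry-key rights are a separate calculation.
        newWinACE.CalculateFileAccessRightsFromAccessMask();
        result.Add(newWinACE);
    }
    return result;
}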
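/// <summary>
/// Collects the CIM_LogicalFile attributes (dates, size, flags) and the
/// Win32_LogicalFileSecuritySetting owner, group and DACL of the file or directory at <paramref name="path"/>.
/// </summary>
/// <param name="scope">The WMI scope (machine and namespace) the queries run against.</param>
/// <param name="path">Full local path with a drive letter, e.g. "C:\dir\file.ext".</param>
/// <returns>
/// A WMIFileInfo. <c>Found</c> is false when no CIM_LogicalFile matched. Any WMI failure after the
/// lookup is reported through <c>ErrorMsg</c> rather than thrown, so <c>Found</c> can be true with a
/// partially filled result.
/// </returns>
/// <exception cref="CollectorException">
/// Thrown when <paramref name="path"/> is empty, relative, a UNC path or a bare drive root.
/// </exception>
public static WMIFileInfo CollectFileInfo(ManagementScope scope, string path)
{
    WMIFileInfo retVal = new WMIFileInfo();

    // Split the path into the CIM_LogicalFile key components (Drive, Path, FileName, Extension).
    // Path.GetPathRoot() yields "" for a relative path and "\\server\share" for a UNC path, and
    // Path.GetDirectoryName() yields null for a bare root; all of these are rejected here instead
    // of surfacing later as index or null-reference exceptions.
    string pathDrive = String.IsNullOrEmpty(path) ? null : Path.GetPathRoot(path);
    string pathPath = String.IsNullOrEmpty(path) ? null : Path.GetDirectoryName(path);
    if (pathDrive == null || pathDrive.Length < 2 || pathDrive[1] != ':' || pathPath == null)
    {
        throw new CollectorException(String.Format("Invalid path '{0}': must be a full path with drive letter", path));
    }
    string pathFilename = Path.GetFileNameWithoutExtension(path);
    string pathExtension = Path.GetExtension(path);

    pathDrive = pathDrive.Substring(0, 2);
    // CIM_LogicalFile.Path is the directory part without the drive and with a trailing backslash.
    pathPath = pathPath.Substring(2);
    if (pathPath.Length == 0 || pathPath[pathPath.Length - 1] != '\\')
    {
        pathPath += '\\';
    }
    if (Path.HasExtension(path))
    {
        pathExtension = pathExtension.Substring(1); // drop the leading '.'
    }

    // WQL string literals escape backslash and single quote with a backslash. The file name and
    // extension are caller-supplied as well, so they get the same treatment as the directory part
    // instead of being spliced into the query verbatim.
    string wqlPath = pathPath.Replace("\\", "\\\\").Replace("'", "\\'");
    string wqlFilename = pathFilename.Replace("\\", "\\\\").Replace("'", "\\'");
    string wqlExtension = pathExtension.Replace("\\", "\\\\").Replace("'", "\\'");

    // CIM datetime values look like "yyyymmddHHMMSS.mmmmmm+UUU"; only the first 21 characters are
    // parsed, so the UTC-offset suffix is discarded and the result has Kind == Unspecified.
    Func<string, DateTime> parseCimDate = value =>
        DateTime.ParseExact(value.Substring(0, 21), "yyyyMMddHHmmss.ffffff", System.Globalization.CultureInfo.InvariantCulture);

    try
    {
        ManagementObject queryObj = null;

        retVal.Query = String.Format("SELECT * FROM CIM_LogicalFile WHERE Drive = '{0}' AND path = '{1}' AND FileName = '{2}' AND Extension = '{3}'", pathDrive, wqlPath, wqlFilename, wqlExtension);
        using (ManagementObjectSearcher searcher = MyGetSearcher(scope, retVal.Query))
        using (ManagementObjectCollection matches = searcher.Get())
        {
            foreach (ManagementObject candidate in matches)
            {
                queryObj = candidate;
                break;
            }
        }

        if (queryObj == null)
        {
            // Fallback: presumably for names WMI stores with the dot kept in FileName and an empty
            // Extension; the last query issued is the one left in retVal.Query.
            retVal.Query = String.Format("SELECT * FROM CIM_LogicalFile WHERE Drive = '{0}' AND path = '{1}' AND FileName = '{2}.{3}' AND Extension = ''", pathDrive, wqlPath, wqlFilename, wqlExtension);
            using (ManagementObjectSearcher searcher = MyGetSearcher(scope, retVal.Query))
            using (ManagementObjectCollection matches = searcher.Get())
            {
                foreach (ManagementObject candidate in matches)
                {
                    queryObj = candidate;
                    break;
                }
            }
        }

        if (queryObj == null)
        {
            // Stop here: asking Win32_LogicalFileSecuritySetting about a missing file would only
            // fail and overwrite this message with the exception text.
            retVal.Found = false;
            retVal.ErrorMsg = "File not found";
            return retVal;
        }

        using (queryObj)
        {
            retVal.Found = true;
            retVal.Drive = (string)queryObj["Drive"];
            retVal.Path = (string)queryObj["path"];
            retVal.Extension = (string)queryObj["Extension"];
            retVal.FileName = (string)queryObj["FileName"];
            retVal.Name = (string)queryObj["Name"];
            retVal.Archive = (bool)queryObj["Archive"];
            retVal.Compressed = (bool)queryObj["Compressed"];
            retVal.EightDotThreeFileName = (string)queryObj["EightDotThreeFileName"];
            retVal.Encrypted = (bool)queryObj["Encrypted"];
            retVal.FileType = (string)queryObj["FileType"];
            retVal.Hidden = (bool)queryObj["Hidden"];
            retVal.System = (bool)queryObj["System"];
            retVal.Writeable = (bool)queryObj["Writeable"];
            retVal.CreationDate = parseCimDate((string)queryObj["CreationDate"]);
            retVal.InstallDate = parseCimDate((string)queryObj["InstallDate"]);
            retVal.LastAccessed = parseCimDate((string)queryObj["LastAccessed"]);
            retVal.LastModified = parseCimDate((string)queryObj["LastModified"]);

            // CIM_LogicalFile is abstract; the concrete class tells directories from data files,
            // and only data files carry size/manufacturer/version.
            string className = queryObj.ClassPath.ClassName;
            switch (className)
            {
                case "Win32_Directory":
                    retVal.IsDirectory = true;
                    break;
                case "CIM_DataFile":
                    retVal.IsDirectory = false;
                    retVal.FileSize = (ulong)queryObj["FileSize"];
                    retVal.Manufacturer = (string)queryObj["Manufacturer"];
                    retVal.Version = (string)queryObj["Version"];
                    break;
                default:
                    retVal.IsDirectory = false;
                    retVal.ErrorMsg = "Unexpected object type '" + className + "'";
                    break;
            }
        }

        // Attributes from Win32_LogicalFileSecuritySetting (Owner, Group, ACLs).
        // NOTE(review): the object path below takes `path` verbatim; a single quote in it would
        // surface as a ManagementException in ErrorMsg — confirm the object-path escaping rules
        // before changing this.
        using (ManagementObject mgmt = new ManagementObject(scope, new ManagementPath(String.Format("Win32_LogicalFileSecuritySetting.path='{0}'", path)), null))
        using (ManagementBaseObject secDesc = mgmt.InvokeMethod("GetSecurityDescriptor", null, null))
        {
            ManagementBaseObject descriptor = secDesc == null ? null : secDesc.Properties["Descriptor"].Value as ManagementBaseObject;
            if (descriptor == null)
            {
                // GetSecurityDescriptor reports failure through ReturnValue (0 means success);
                // surface it instead of the null-reference text the old code produced.
                object returnValue = secDesc == null ? null : secDesc.Properties["ReturnValue"].Value;
                retVal.ErrorMsg = String.Format("GetSecurityDescriptor failed for '{0}' (ReturnValue = {1})", path, returnValue);
                return retVal;
            }

            // NOTE(review): Owner/Group are reported as null when the descriptor lacks them; the
            // old code turned that into a NullReferenceException in ErrorMsg — confirm which the
            // callers prefer.
            ManagementBaseObject owner = descriptor.Properties["Owner"].Value as ManagementBaseObject;
            retVal.Owner = owner == null ? null : String.Format("{0}\\{1}", owner.Properties["Domain"].Value, owner.Properties["Name"].Value);
            ManagementBaseObject group = descriptor.Properties["Group"].Value as ManagementBaseObject;
            retVal.Group = group == null ? null : String.Format("{0}\\{1}", group.Properties["Domain"].Value, group.Properties["Name"].Value);

            retVal.DACL = new List<WMIWinACE>();
            ManagementBaseObject[] acls = descriptor.Properties["DACL"].Value as ManagementBaseObject[];
            if (acls != null)
            {
                foreach (ManagementBaseObject thisacl in acls)
                {
                    ManagementBaseObject trustee = thisacl.Properties["Trustee"].Value as ManagementBaseObject;
                    WMIWinACE thisace = new WMIWinACE()
                    {
                        IsDirectory = retVal.IsDirectory,
                        AccessMask = (UInt32)thisacl.Properties["AccessMask"].Value,
                        AceFlags = (UInt32)thisacl.Properties["AceFlags"].Value,
                        AceType = (UInt32)thisacl.Properties["AceType"].Value,
                        GuidInheritedObjectType = thisacl.Properties["GuidInheritedObjectType"].Value as string,
                        GuidObjectType = thisacl.Properties["GuidObjectType"].Value as string,
                        Trustee = new WMIWinTrustee()
                        {
                            Domain = trustee.Properties["Domain"].Value as string,
                            Name = trustee.Properties["Name"].Value as string,
                            SID = trustee.Properties["SID"].Value as Byte[],
                            SidLength = (UInt32)trustee.Properties["SidLength"].Value,
                            SIDString = trustee.Properties["SIDString"].Value as string
                        }
                    };
                    retVal.DACL.Add(thisace);
                }
            }
        }
    }
    catch (Exception excp)
    {
        // Deliberate best-effort: WMI failures are returned to the caller in ErrorMsg.
        retVal.ErrorMsg = String.Format("{0}: {1}", excp.GetType(), excp.Message);
    }
    return retVal;
}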
public void When_AceFlags_is_not_set_the_audit_event_status_must_be_equals_to_EMPTY()
{
    // A freshly constructed ACE has no AceFlags assigned, so no audit policy can be derived from it.
    var aceWithoutFlags = new WMIWinACE();

    var actualPolicy = aceWithoutFlags.AuditEventPolicy;

    Assert.AreEqual(AuditEventStatus.EMPTY, actualPolicy);
}
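/// <summary>
/// Collects the CIM_LogicalFile attributes (dates, size, flags) and the
/// Win32_LogicalFileSecuritySetting owner, group and DACL of the file or directory at <paramref name="path"/>.
/// </summary>
/// <param name="scope">The WMI scope (machine and namespace) the queries run against.</param>
/// <param name="path">Full local path with a drive letter, e.g. "C:\dir\file.ext".</param>
/// <returns>
/// A WMIFileInfo. <c>Found</c> is false when no CIM_LogicalFile matched. Any WMI failure after the
/// lookup is reported through <c>ErrorMsg</c> rather than thrown, so <c>Found</c> can be true with a
/// partially filled result.
/// </returns>
/// <exception cref="CollectorException">
/// Thrown when <paramref name="path"/> is empty, relative, a UNC path or a bare drive root.
/// </exception>
public static WMIFileInfo CollectFileInfo(ManagementScope scope, string path)
{
    WMIFileInfo retVal = new WMIFileInfo();

    // Split the path into the CIM_LogicalFile key components (Drive, Path, FileName, Extension).
    // Path.GetPathRoot() yields "" for a relative path and "\\server\share" for a UNC path, and
    // Path.GetDirectoryName() yields null for a bare root; all of these are rejected here instead
    // of surfacing later as index or null-reference exceptions.
    string pathDrive = String.IsNullOrEmpty(path) ? null : Path.GetPathRoot(path);
    string pathPath = String.IsNullOrEmpty(path) ? null : Path.GetDirectoryName(path);
    if (pathDrive == null || pathDrive.Length < 2 || pathDrive[1] != ':' || pathPath == null)
    {
        throw new CollectorException(String.Format("Invalid path '{0}': must be a full path with drive letter", path));
    }
    string pathFilename = Path.GetFileNameWithoutExtension(path);
    string pathExtension = Path.GetExtension(path);

    pathDrive = pathDrive.Substring(0, 2);
    // CIM_LogicalFile.Path is the directory part without the drive and with a trailing backslash.
    pathPath = pathPath.Substring(2);
    if (pathPath.Length == 0 || pathPath[pathPath.Length - 1] != '\\')
    {
        pathPath += '\\';
    }
    if (Path.HasExtension(path))
    {
        pathExtension = pathExtension.Substring(1); // drop the leading '.'
    }

    // WQL string literals escape backslash and single quote with a backslash. The file name and
    // extension are caller-supplied as well, so they get the same treatment as the directory part
    // instead of being spliced into the query verbatim.
    string wqlPath = pathPath.Replace("\\", "\\\\").Replace("'", "\\'");
    string wqlFilename = pathFilename.Replace("\\", "\\\\").Replace("'", "\\'");
    string wqlExtension = pathExtension.Replace("\\", "\\\\").Replace("'", "\\'");

    // CIM datetime values look like "yyyymmddHHMMSS.mmmmmm+UUU"; only the first 21 characters are
    // parsed, so the UTC-offset suffix is discarded and the result has Kind == Unspecified.
    Func<string, DateTime> parseCimDate = value =>
        DateTime.ParseExact(value.Substring(0, 21), "yyyyMMddHHmmss.ffffff", System.Globalization.CultureInfo.InvariantCulture);

    try
    {
        ManagementObject queryObj = null;

        retVal.Query = String.Format("SELECT * FROM CIM_LogicalFile WHERE Drive = '{0}' AND path = '{1}' AND FileName = '{2}' AND Extension = '{3}'", pathDrive, wqlPath, wqlFilename, wqlExtension);
        using (ManagementObjectSearcher searcher = MyGetSearcher(scope, retVal.Query))
        using (ManagementObjectCollection matches = searcher.Get())
        {
            foreach (ManagementObject candidate in matches)
            {
                queryObj = candidate;
                break;
            }
        }

        if (queryObj == null)
        {
            // Fallback: presumably for names WMI stores with the dot kept in FileName and an empty
            // Extension; the last query issued is the one left in retVal.Query.
            retVal.Query = String.Format("SELECT * FROM CIM_LogicalFile WHERE Drive = '{0}' AND path = '{1}' AND FileName = '{2}.{3}' AND Extension = ''", pathDrive, wqlPath, wqlFilename, wqlExtension);
            using (ManagementObjectSearcher searcher = MyGetSearcher(scope, retVal.Query))
            using (ManagementObjectCollection matches = searcher.Get())
            {
                foreach (ManagementObject candidate in matches)
                {
                    queryObj = candidate;
                    break;
                }
            }
        }

        if (queryObj == null)
        {
            // Stop here: asking Win32_LogicalFileSecuritySetting about a missing file would only
            // fail and overwrite this message with the exception text.
            retVal.Found = false;
            retVal.ErrorMsg = "File not found";
            return retVal;
        }

        using (queryObj)
        {
            retVal.Found = true;
            retVal.Drive = (string)queryObj["Drive"];
            retVal.Path = (string)queryObj["path"];
            retVal.Extension = (string)queryObj["Extension"];
            retVal.FileName = (string)queryObj["FileName"];
            retVal.Name = (string)queryObj["Name"];
            retVal.Archive = (bool)queryObj["Archive"];
            retVal.Compressed = (bool)queryObj["Compressed"];
            retVal.EightDotThreeFileName = (string)queryObj["EightDotThreeFileName"];
            retVal.Encrypted = (bool)queryObj["Encrypted"];
            retVal.FileType = (string)queryObj["FileType"];
            retVal.Hidden = (bool)queryObj["Hidden"];
            retVal.System = (bool)queryObj["System"];
            retVal.Writeable = (bool)queryObj["Writeable"];
            retVal.CreationDate = parseCimDate((string)queryObj["CreationDate"]);
            retVal.InstallDate = parseCimDate((string)queryObj["InstallDate"]);
            retVal.LastAccessed = parseCimDate((string)queryObj["LastAccessed"]);
            retVal.LastModified = parseCimDate((string)queryObj["LastModified"]);

            // CIM_LogicalFile is abstract; the concrete class tells directories from data files,
            // and only data files carry size/manufacturer/version.
            string className = queryObj.ClassPath.ClassName;
            switch (className)
            {
                case "Win32_Directory":
                    retVal.IsDirectory = true;
                    break;
                case "CIM_DataFile":
                    retVal.IsDirectory = false;
                    retVal.FileSize = (ulong)queryObj["FileSize"];
                    retVal.Manufacturer = (string)queryObj["Manufacturer"];
                    retVal.Version = (string)queryObj["Version"];
                    break;
                default:
                    retVal.IsDirectory = false;
                    retVal.ErrorMsg = "Unexpected object type '" + className + "'";
                    break;
            }
        }

        // Attributes from Win32_LogicalFileSecuritySetting (Owner, Group, ACLs).
        // NOTE(review): the object path below takes `path` verbatim; a single quote in it would
        // surface as a ManagementException in ErrorMsg — confirm the object-path escaping rules
        // before changing this.
        using (ManagementObject mgmt = new ManagementObject(scope, new ManagementPath(String.Format("Win32_LogicalFileSecuritySetting.path='{0}'", path)), null))
        using (ManagementBaseObject secDesc = mgmt.InvokeMethod("GetSecurityDescriptor", null, null))
        {
            ManagementBaseObject descriptor = secDesc == null ? null : secDesc.Properties["Descriptor"].Value as ManagementBaseObject;
            if (descriptor == null)
            {
                // GetSecurityDescriptor reports failure through ReturnValue (0 means success);
                // surface it instead of the null-reference text the old code produced.
                object returnValue = secDesc == null ? null : secDesc.Properties["ReturnValue"].Value;
                retVal.ErrorMsg = String.Format("GetSecurityDescriptor failed for '{0}' (ReturnValue = {1})", path, returnValue);
                return retVal;
            }

            // NOTE(review): Owner/Group are reported as null when the descriptor lacks them; the
            // old code turned that into a NullReferenceException in ErrorMsg — confirm which the
            // callers prefer.
            ManagementBaseObject owner = descriptor.Properties["Owner"].Value as ManagementBaseObject;
            retVal.Owner = owner == null ? null : String.Format("{0}\\{1}", owner.Properties["Domain"].Value, owner.Properties["Name"].Value);
            ManagementBaseObject group = descriptor.Properties["Group"].Value as ManagementBaseObject;
            retVal.Group = group == null ? null : String.Format("{0}\\{1}", group.Properties["Domain"].Value, group.Properties["Name"].Value);

            retVal.DACL = new List<WMIWinACE>();
            ManagementBaseObject[] acls = descriptor.Properties["DACL"].Value as ManagementBaseObject[];
            if (acls != null)
            {
                foreach (ManagementBaseObject thisacl in acls)
                {
                    ManagementBaseObject trustee = thisacl.Properties["Trustee"].Value as ManagementBaseObject;
                    WMIWinACE thisace = new WMIWinACE()
                    {
                        IsDirectory = retVal.IsDirectory,
                        AccessMask = (UInt32)thisacl.Properties["AccessMask"].Value,
                        AceFlags = (UInt32)thisacl.Properties["AceFlags"].Value,
                        AceType = (UInt32)thisacl.Properties["AceType"].Value,
                        GuidInheritedObjectType = thisacl.Properties["GuidInheritedObjectType"].Value as string,
                        GuidObjectType = thisacl.Properties["GuidObjectType"].Value as string,
                        Trustee = new WMIWinTrustee()
                        {
                            Domain = trustee.Properties["Domain"].Value as string,
                            Name = trustee.Properties["Name"].Value as string,
                            SID = trustee.Properties["SID"].Value as Byte[],
                            SidLength = (UInt32)trustee.Properties["SidLength"].Value,
                            SIDString = trustee.Properties["SIDString"].Value as string
                        }
                    };
                    retVal.DACL.Add(thisace);
                }
            }
        }
    }
    catch (Exception excp)
    {
        // Deliberate best-effort: WMI failures are returned to the caller in ErrorMsg.
        retVal.ErrorMsg = String.Format("{0}: {1}", excp.GetType(), excp.Message);
    }
    return retVal;
}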
/// <summary>
/// Combines the accumulated deny rights and grant rights of a trustee into its effective rights:
/// a right is effective only when it is granted and not denied (deny wins).
/// </summary>
/// <param name="denyDACL">The accumulated access-denied rights.</param>
/// <param name="grantDACL">The accumulated access-allowed rights.</param>
/// <returns>A new WMIWinACE carrying only the per-right flags; every other member keeps its default value.</returns>
private WMIWinACE CreateEffectiveRightsFromGrantAndDenyDACLsCombination(WMIWinACE denyDACL, WMIWinACE grantDACL)
{
    // For every right: denied ? false : granted, i.e. !denied && granted (deny checked first).
    var effectiveRights = new WMIWinACE
    {
        ACCESS_SYSTEM_SECURITY = !denyDACL.ACCESS_SYSTEM_SECURITY && grantDACL.ACCESS_SYSTEM_SECURITY,
        DELETE = !denyDACL.DELETE && grantDACL.DELETE,
        FILE_ADD_FILE = !denyDACL.FILE_ADD_FILE && grantDACL.FILE_ADD_FILE,
        FILE_ADD_SUBDIRECTORY = !denyDACL.FILE_ADD_SUBDIRECTORY && grantDACL.FILE_ADD_SUBDIRECTORY,
        FILE_APPEND_DATA = !denyDACL.FILE_APPEND_DATA && grantDACL.FILE_APPEND_DATA,
        FILE_DELETE_CHILD = !denyDACL.FILE_DELETE_CHILD && grantDACL.FILE_DELETE_CHILD,
        FILE_EXECUTE = !denyDACL.FILE_EXECUTE && grantDACL.FILE_EXECUTE,
        GENERIC_EXECUTE = !denyDACL.GENERIC_EXECUTE && grantDACL.GENERIC_EXECUTE,
        GENERIC_READ = !denyDACL.GENERIC_READ && grantDACL.GENERIC_READ,
        GENERIC_WRITE = !denyDACL.GENERIC_WRITE && grantDACL.GENERIC_WRITE,
        GENERIC_ALL = !denyDACL.GENERIC_ALL && grantDACL.GENERIC_ALL,
        FILE_LIST_DIRECTORY = !denyDACL.FILE_LIST_DIRECTORY && grantDACL.FILE_LIST_DIRECTORY,
        FILE_READ_ATTRIBUTES = !denyDACL.FILE_READ_ATTRIBUTES && grantDACL.FILE_READ_ATTRIBUTES,
        FILE_READ_DATA = !denyDACL.FILE_READ_DATA && grantDACL.FILE_READ_DATA,
        FILE_READ_EA = !denyDACL.FILE_READ_EA && grantDACL.FILE_READ_EA,
        FILE_TRAVERSE = !denyDACL.FILE_TRAVERSE && grantDACL.FILE_TRAVERSE,
        FILE_WRITE_ATTRIBUTES = !denyDACL.FILE_WRITE_ATTRIBUTES && grantDACL.FILE_WRITE_ATTRIBUTES,
        FILE_WRITE_DATA = !denyDACL.FILE_WRITE_DATA && grantDACL.FILE_WRITE_DATA,
        FILE_WRITE_EA = !denyDACL.FILE_WRITE_EA && grantDACL.FILE_WRITE_EA,
        READ_CONTROL = !denyDACL.READ_CONTROL && grantDACL.READ_CONTROL,
        SYNCHRONIZE = !denyDACL.SYNCHRONIZE && grantDACL.SYNCHRONIZE,
        WRITE_DAC = !denyDACL.WRITE_DAC && grantDACL.WRITE_DAC,
        WRITE_OWNER = !denyDACL.WRITE_OWNER && grantDACL.WRITE_OWNER
    };

    // Like OvalDI, the "Generic All" permission is equal to "File Read Data" permission. It needs to be reviewed.
    return effectiveRights;
}
/// <summary>
/// Derives the GENERIC_* rights of an effective-rights ACE from its specific rights, in place.
/// </summary>
/// <param name="userEffectiveRights">The ACE whose GENERIC_READ/WRITE/EXECUTE/ALL flags are recomputed.</param>
private void AdjustGenericRights(WMIWinACE userEffectiveRights)
{
    bool canRead = userEffectiveRights.READ_CONTROL
        || userEffectiveRights.FILE_READ_ATTRIBUTES
        || userEffectiveRights.FILE_READ_DATA
        || userEffectiveRights.FILE_READ_EA;

    bool canWrite = userEffectiveRights.WRITE_OWNER
        || userEffectiveRights.WRITE_DAC
        || userEffectiveRights.FILE_WRITE_ATTRIBUTES
        || userEffectiveRights.FILE_WRITE_DATA
        || userEffectiveRights.FILE_APPEND_DATA
        || userEffectiveRights.FILE_WRITE_EA;

    bool canExecute = userEffectiveRights.FILE_EXECUTE;

    userEffectiveRights.GENERIC_READ = canRead;
    userEffectiveRights.GENERIC_WRITE = canWrite;
    userEffectiveRights.GENERIC_EXECUTE = canExecute;
    // NOTE(review): GENERIC_ALL is set when ANY of the three generic rights holds, not all of
    // them; the sibling combination method carries an OvalDI-compatibility remark about
    // "Generic All" — confirm this is intended.
    userEffectiveRights.GENERIC_ALL = canRead || canWrite || canExecute;
}