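 /// <summary>
 /// Resolves the logging level SWELF reports at and stores it both as a name
 /// (Settings.Logging_Level_To_Report) and as its index into Severity_Levels
 /// (Logging_Level_To_Report). The registry copy is the working value; the app-config
 /// entry (arg 17) only seeds the registry the first time the key is missing.
 /// </summary>
 internal static void ErrorLogging_Level()
 {
     try
     {
         string level;
         if (Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.logging_level) == false)
         {
             level = Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[17]];
             Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level, level);
         }
         else
         {
             level = Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level);
         }
         // The seeding branch previously never updated Settings.Logging_Level_To_Report, so the
         // severity index was computed from whatever stale value that field still held.
         APPLY_Logging_Level(level);
     }
     catch (Exception)
     {
         // Registry or config lookup failed: use the registry copy if there is one, otherwise
         // persist and report at "warning" (severity index 3) so reporting keeps working.
         if (Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.logging_level))
         {
             APPLY_Logging_Level(Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level));
         }
         else
         {
             Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level, "warning");
             Settings.Logging_Level_To_Report = "warning";
             Logging_Level_To_Report          = 3;
         }
     }
 }

 /// <summary>
 /// Stores <paramref name="level"/> as the level to report together with its position in
 /// Severity_Levels. A name that is not in the table (typo in the config, or an edited
 /// registry value) falls back to "warning"/3 - the same pair the exception path uses -
 /// instead of leaving the index at -1 as Array.FindIndex would.
 /// </summary>
 private static void APPLY_Logging_Level(string level)
 {
     int index = Array.FindIndex(Severity_Levels, row => row == level);
     if (index < 0)
     {
         level = "warning";
         index = 3;
     }
     Settings.Logging_Level_To_Report = level;
     Logging_Level_To_Report          = index;
 }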
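 /// <summary>
 /// Reconciles one on-disk config file with the copy SWELF keeps in the registry.
 /// The caller-supplied path is only acted on when it is exactly (ordinal ==) one of the
 /// known config paths; anything else is logged as a failed security check and left alone.
 /// Every matching branch deletes and rewrites the file, so this is a destructive repair,
 /// not a read-only check - callers (e.g. the decrypt-failure path in UnSecure_File) should
 /// expect the file contents to change.
 /// </summary>
 /// <param name="Settings_FilePath">Full path of the config file to reconcile.</param>
 internal static void CHECK_Reg_vs_File_Config(string Settings_FilePath)
 {
     if (Settings.GET_AppConfigFile_Path == Settings_FilePath)//Appconfig
     {
         if (CHECK_File_vs_Reg_Contents(Settings_FilePath, Reg_Operation.REG_KEY.ConsoleAppConfig_Contents) == false)
         {
             EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("CHECK_Reg_vs_File_Config() The app config file(ConsoleAppConfig.conf) did not match what was stored in the registry on this machine. Config File was " + Settings_FilePath);
             File_Operation.DELETE_AND_CREATE_File(Settings.GET_AppConfigFile_Path);
             if (Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents))
             {
                 // The registry copy is the reference the comparison above was made against, so the
                 // file is restored from it. (The two branches were swapped before: the shipped
                 // default was written here, and the registry key was read in the branch that had
                 // just established the key does not exist.)
                 File_Operation.CREATE_NEW_Files_And_Dirs(Settings.Config_File_Location, Settings.AppConfigFile_FileName, Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents));
             }
             else
             {
                 // No registry copy yet: write the shipped default and record its decrypted contents
                 // in the registry so later runs have a reference to compare against.
                 File_Operation.CREATE_NEW_Files_And_Dirs(Settings.Config_File_Location, Settings.AppConfigFile_FileName, File_Operation.GET_Default_ConsoleAppConfig_File_Contents);
                 Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents, Crypto_Operation.Decrypt_File_Contents(Settings.GET_AppConfigFile_Path));
             }
         }
     }
     else if (Settings.GET_EventLogID_PlaceHolder_Path == Settings_FilePath)//EventLog ID
     {
         // No content comparison is done for this file: reaching here always rewrites it.
         EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("CHECK_Reg_vs_File_Config() The file that tracks the event id of an eventlog config file (Eventlog_with_PlaceKeeper.txt) did not match what was stored in the registry on this machine. Config File was " + Settings_FilePath);
         File_Operation.DELETE_AND_CREATE_File(Settings.GET_EventLogID_PlaceHolder_Path);
         // NOTE(review): this recreates the APP CONFIG file (AppConfigFile_FileName with the
         // app-config default), not the placeholder file that was just deleted - it reads like a
         // copy-paste from the branch above. A placeholder default exists
         // (GET_Default_Eventlog_with_PlaceKeeper_File_Contents) but the placeholder's
         // directory/file-name constants are not visible here, so the call is left unchanged.
         File_Operation.CREATE_NEW_Files_And_Dirs(Settings.Config_File_Location, Settings.AppConfigFile_FileName, File_Operation.GET_Default_ConsoleAppConfig_File_Contents);
     }
     else if (Settings.GET_SearchTermsFile_Path == Settings_FilePath)//Search SearchFile
     {
         if (CHECK_File_vs_Reg_Contents(Settings_FilePath, Reg_Operation.REG_KEY.SearchTerms_File_Contents) == false)
         {
             EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("CHECK_Reg_vs_File_Config() The Search term file (Searchs.txt) config file did not match what was stored in the registry on this machine. Config File was " + Settings_FilePath);
             File_Operation.DELETE_AND_CREATE_File(Settings.GET_SearchTermsFile_Path);
             // NOTE(review): the search-terms file is rebuilt with the event-log PLACEKEEPER default
             // rather than a search-terms default, and the registry copy this branch just compared
             // against is not used. If the search terms drive detection (as the name suggests), a
             // mismatch ends with a term list that has nothing to do with searching - confirm the
             // intended default; no search-terms default getter is visible here.
             File_Operation.CREATE_NEW_Files_And_Dirs(Settings.Search_File_Location, Settings.SearchTermsFileName_FileName, File_Operation.GET_Default_Eventlog_with_PlaceKeeper_File_Contents);
         }
     }
     else if (Settings.GET_WhiteList_SearchTermsFile_Path == Settings_FilePath)//Search WHitelist
     {
         // Always rewritten from the shipped default (no comparison, registry copy not consulted).
         EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("CHECK_Reg_vs_File_Config() The white list search terms file (WhiteList_Searchs.txt) did not match what was stored in the registry on this machine. Config File was " + Settings_FilePath);
         File_Operation.DELETE_AND_CREATE_File(Settings.GET_WhiteList_SearchTermsFile_Path);
         File_Operation.CREATE_NEW_Files_And_Dirs(Settings.Search_File_Location, Settings.Search_WhiteList_FileName, File_Operation.GET_Default_Whitelist_File_Contents);
     }
     else if (Settings.GET_SearchTermsFile_PLUGIN_Path == Settings_FilePath)//PLUGIN Search
     {
         // Always rewritten from the shipped default (no comparison, registry copy not consulted).
         EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("CHECK_Reg_vs_File_Config() The Plugin config file (Search.txt in the Plugins Folder) did not match what was stored in the registry on this machine. Config File was " + Settings_FilePath);
         File_Operation.DELETE_AND_CREATE_File(Settings.GET_SearchTermsFile_PLUGIN_Path);
         File_Operation.CREATE_NEW_Files_And_Dirs(Settings.Plugin_Files_Location, Settings.SearchTermsFileName_FileName, File_Operation.GET_Default_Powershell_Plugins_File_Contents);
     }
     else if (Settings.GET_WhiteList_SearchTermsFile_PLUGIN_Path == Settings_FilePath)//PLugin WHitelist
     {
         // Always rewritten from the shipped default (no comparison, registry copy not consulted).
         EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("CHECK_Reg_vs_File_Config() The Plugin config file (WhiteList_Searchs.txt in the Plugins Folder) did not match what was stored in the registry on this machine. Config File was " + Settings_FilePath);
         File_Operation.DELETE_AND_CREATE_File(Settings.GET_WhiteList_SearchTermsFile_PLUGIN_Path);
         File_Operation.CREATE_NEW_Files_And_Dirs(Settings.Plugin_Files_Location, Settings.Search_WhiteList_FileName, File_Operation.GET_Default_Whitelist_File_Contents);
     }
     else
     {
         // Unknown path: nothing is touched on disk, the event is only recorded.
         LOG_SEC_CHECK_Fail("CHECK_Reg_vs_File_Config() File Path:" + Settings_FilePath + " did not match encrypted config file path");
     }
 }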
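 /// <summary>
 /// Resolves the logging level SWELF reports at, reconciling the registry copy with the
 /// app-config entry (arg 17), then stores it as a name (Settings.Logging_Level_To_Report)
 /// and as its index into Severity_Levels (Logging_Level_To_Report).
 /// Reconciliation: a missing or empty registry value is (re)seeded from the app config; a
 /// differing one is overwritten with the app-config value, and that overwrite is recorded
 /// in ErrorsLog when the app config file could not be verified.
 /// </summary>
 internal static void ErrorLogging_Level()
 {
     try
     {
         string config_level = Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[17]];
         if (Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.logging_level) == false)
         {
             // First run: seed the registry copy from the app config.
             Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level, config_level);
         }
         else
         {
             string reg_level = Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level);
             if (string.IsNullOrEmpty(reg_level))
             {
                 // The unverified case was previously an empty branch ("error in logic here"),
                 // which left the registry empty and the in-memory level stale. It is now
                 // re-seeded like the verified case, with the condition recorded.
                 if (APPCONFIG_Matches_Registry_Record() == false)
                 {
                     ErrorsLog.Add("ErrorLogging_Level() Reg logging_level was empty and the app config file could not be verified; re-seeded from Settings.AppConfig_File_Args[\"logging_level\"].");
                 }
                 Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level, config_level);
             }
             else if (reg_level != config_level)
             {
                 if (APPCONFIG_Matches_Registry_Record() == false)
                 {
                     // NOTE(review): on suspected tampering it is the FILE's value that ends up in the
                     // registry. If the registry is meant to be the trusted store this is backwards;
                     // decide which source is authoritative before relying on this as a control.
                     ErrorsLog.Add("ErrorLogging_Level()" + "Possible Tampering (Reg.Reg_Keys_and_Values[\"logging_level\"] != Settings.AppConfig_File_Args[\"logging_level\"] settings changed to match.");
                 }
                 Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level, config_level);
             }
         }
         // Always derive the reported level from the (now reconciled) registry copy. Before,
         // only the "already matching" branch set Settings.Logging_Level_To_Report, so every
         // path that updated the registry computed the severity index from a stale value.
         APPLY_Logging_Level(Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level));
     }
     catch (Exception e)
     {
         ErrorsLog.Add("ErrorLogging_Level() " + e.Message + " - falling back to the registry copy of logging_level.");
         if (Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.logging_level))
         {
             APPLY_Logging_Level(Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level));
         }
         else
         {
             // No registry copy to fall back on (this branch used to read the missing key anyway);
             // a null level takes the helper's fallback index.
             APPLY_Logging_Level(null);
         }
     }
 }

 /// <summary>
 /// True when the app config file is still encrypted and its creation time equals the one
 /// recorded in the registry (ConsoleAppConfig_CreationDate). NOTE(review): a creation
 /// timestamp can be set by anyone who can write the file, so this detects accidental
 /// replacement more than deliberate tampering.
 /// </summary>
 private static bool APPCONFIG_Matches_Registry_Record()
 {
     return File_Operation.CHECK_File_Encrypted(Settings.GET_AppConfigFile_Path)
         && File_Operation.GET_CreationTime(Settings.GET_AppConfigFile_Path) == Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_CreationDate);
 }

 /// <summary>
 /// Stores <paramref name="level"/> and its position in Severity_Levels. An unknown, empty
 /// or null name uses the same fallback index the exception path always used (1), and the
 /// matching name from the table when it has one, instead of leaving the index at -1.
 /// </summary>
 private static void APPLY_Logging_Level(string level)
 {
     int index = Array.FindIndex(Severity_Levels, row => row == level);
     if (index < 0)
     {
         index = 1;
         level = Severity_Levels.Length > index ? Severity_Levels[index] : level;
     }
     Settings.Logging_Level_To_Report = level;
     Logging_Level_To_Report          = index;
 }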
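 /// <summary>
 /// Turns a protected config file back into plain text: replaces encrypted contents with
 /// their plaintext and clears the NTFS (EFS) encryption attribute. On failure it tries to
 /// repair the file - one re-encrypt/retry for never-encrypted content, otherwise a rebuild
 /// from the registry copy or from Sec_Checks.CHECK_Reg_vs_File_Config - so the file may be
 /// replaced wholesale rather than decrypted.
 /// </summary>
 /// <param name="FilePath">Config file to unsecure.</param>
 /// <param name="RetryNumber">0 on the first call; 1 on the single internal retry.</param>
 internal static void UnSecure_File(string FilePath, int RetryNumber = 0)
 {
     try
     {
         if (File_Operation.CHECK_File_Encrypted(FilePath) == true)
         {
             // Replace the ciphertext with its plaintext. This used AppendAllText, which kept the
             // encrypted bytes and tacked the plaintext on after them, leaving a file that was
             // neither readable config nor valid ciphertext.
             File.WriteAllText(FilePath, Decrypt_File_Contents(FilePath));
         }
         File.Decrypt(FilePath);
     }
     catch (Exception e)
     {
         // NOTE(review): recovery is keyed on exception-message text, which is localized on
         // non-English frameworks; on such systems none of the branches below match. The thrown
         // exception types are not visible here, so matching on type is left as a follow-up.
         if (RetryNumber == 0)
         {
             if (e.Message.Contains("The input data is not a complete block.") && File_Operation.CHECK_File_Encrypted(FilePath) == false)
             {
                 // Content was never encrypted: secure it properly once, then retry the unsecure.
                 // Note the flow continues below with the original exception afterwards.
                 Encrypt_File_Contents(FilePath);
                 File.Encrypt(FilePath);
                 UnSecure_File(FilePath, 1);
             }
             else
             {
                 File.Decrypt(FilePath);
             }
         }
         if (e.Message.Contains("Padding"))
         {
             // Ciphertext did not decrypt cleanly: hand the file to the registry-vs-file check, which rebuilds it.
             Sec_Checks.CHECK_Reg_vs_File_Config(FilePath);
         }
         else if (e.Message.Contains("The input data is not a complete block."))
         {
             if (FilePath.Contains(Settings.AppConfigFile_FileName) && Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents))
             {
                 File.WriteAllText(Settings.GET_AppConfigFile_Path, Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents));
             }
             else if (FilePath.Contains(Settings.SearchTermsFileName_FileName) && Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.SearchTerms_File_Contents))
             {
                 // This wrote to GET_AppConfigFile_Path (copy-paste), clobbering the app config with
                 // search terms; it now restores the search-terms file itself.
                 // NOTE(review): the plugin search file shares SearchTermsFileName_FileName, so a
                 // plugin path also lands in this branch and is restored from the non-plugin copy.
                 File.WriteAllText(Settings.GET_SearchTermsFile_Path, Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.SearchTerms_File_Contents));
             }
             else
             {
                 // Previously an empty branch: record that there was no registry copy to restore from.
                 Error_Operation.Log_Error("UnSecure_File()", "No registry copy available to restore " + FilePath + "  retry=" + RetryNumber, "", Error_Operation.LogSeverity.FailureAudit);
             }
         }
         else
         {
             Error_Operation.Log_Error("UnSecure_File()", e.Message + " " + FilePath + "  retry=" + RetryNumber, "", Error_Operation.LogSeverity.FailureAudit);
         }
     }
 }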
 /// <summary>
 /// Loads the whitelist search terms, in priority order: the registry copy; else a file on
 /// disk, which is consumed and then deleted; else the shipped default, which is written to
 /// disk and cached in the registry for the next start. Once the registry copy exists the
 /// file is never consulted again, so the registry value is the effective whitelist.
 /// Signals completion by incrementing ThreadsDone_Setup.
 /// </summary>
 private static void RUN_Thread_Whitelist_SearchFile()
 {
     bool in_registry = Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.WhiteList_SearchTerms_File_Contents);
     bool on_disk     = !in_registry && File_Operation.CHECK_if_File_Exists(GET_WhiteList_SearchTermsFile_Path);

     if (in_registry)
     {
         READ_WhiteList_Search_Terms_File(Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.WhiteList_SearchTerms_File_Contents));
     }
     else if (on_disk)
     {
         // One-shot import: the file is removed after it has been read.
         string imported = File_Operation.READ_AllText(GET_WhiteList_SearchTermsFile_Path);
         READ_WhiteList_Search_Terms_File(imported);
         File_Operation.DELETE_File(GET_WhiteList_SearchTermsFile_Path);
     }
     else
     {
         File_Operation.VERIFY_Search_Default_Files_Ready();
         READ_WhiteList_Search_Terms_File(File_Operation.READ_AllText(GET_WhiteList_SearchTermsFile_Path));
         Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.WhiteList_SearchTerms_File_Contents, File_Operation.READ_AllText(GET_WhiteList_SearchTermsFile_Path));
     }

     // NOTE(review): if the RUN_Thread_* methods really run concurrently, this increment of a
     // shared counter is not atomic - Interlocked.Increment would be safer (needs a plain int field).
     ++ThreadsDone_Setup;
 }
 /// <summary>
 /// Loads the plugin search terms (fed to READ_Powershell_SearchTerms), in priority order:
 /// the registry copy; else a file on disk, consumed and then deleted; else the shipped
 /// default, written to disk and cached in the registry for the next start.
 /// NOTE(review): if this content reaches PowerShell, write access to the registry value or
 /// the ability to drop the file is code-execution-equivalent - worth confirming the ACLs.
 /// Signals completion by incrementing ThreadsDone_Setup.
 /// </summary>
 private static void RUN_Thread_Plugins()
 {
     bool in_registry = Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.PLUGIN_SearchTerms_File_Contents);
     bool on_disk     = !in_registry && File_Operation.CHECK_if_File_Exists(Settings.GET_SearchTermsFile_PLUGIN_Path);

     if (in_registry)
     {
         READ_Powershell_SearchTerms(Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.PLUGIN_SearchTerms_File_Contents));
     }
     else if (on_disk)
     {
         // One-shot import: the file is removed after it has been read.
         string imported = File_Operation.READ_AllText(GET_SearchTermsFile_PLUGIN_Path);
         READ_Powershell_SearchTerms(imported);
         File_Operation.DELETE_File(GET_SearchTermsFile_PLUGIN_Path);
     }
     else
     {
         File_Operation.VERIFY_Search_Default_Files_Ready();
         File_Operation.GET_Plugin_Scripts_Ready();
         READ_Powershell_SearchTerms(File_Operation.READ_AllText(GET_SearchTermsFile_PLUGIN_Path));
         Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.PLUGIN_SearchTerms_File_Contents, File_Operation.READ_AllText(GET_SearchTermsFile_PLUGIN_Path));
     }

     // NOTE(review): if the RUN_Thread_* methods really run concurrently, this increment of a
     // shared counter is not atomic - Interlocked.Increment would be safer (needs a plain int field).
     ++ThreadsDone_Setup;
 }
        /// <summary>
        /// Derives the file-encryption password. The registry "Encryption" value is a
        /// comma-separated list of indices into Cipher_Parts; the selected parts are
        /// concatenated and hashed, and the hash is the password.
        /// NOTE(review): the effective secret is therefore the registry value plus the
        /// Cipher_Parts table compiled into the binary - anyone who can read both can derive
        /// the key, and Hash() is a bare hash rather than a stretched KDF. Changing either
        /// would break decryption of existing files, so this is documented, not changed.
        /// Throws (FormatException / ArgumentOutOfRangeException) if the registry value is
        /// not a well-formed index list.
        /// </summary>
        private static string GET_Password()
        {
            bool key_exists = Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.Encryption);
            if (!key_exists)
            {
                // NOTE(review): the key was just found missing, yet it is read again here (with the
                // extra 'false' argument) to decide between generating a value and rewriting the
                // defaults - confirm what READ_SWELF_Reg_Key(..., false) reads.
                bool raw_value_empty = string.IsNullOrEmpty(Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.Encryption, false));
                if (raw_value_empty)
                {
                    Reg_Operation.BASE_SWELF_KEY.SetValue(Reg_Operation.SWELF_Keys[(int)Reg_Operation.REG_KEY.Encryption].ToString(), Protect_Data_Value(Generate_Decrypt()));
                }
                else
                {
                    Settings.WRITE_Default_Configs_Files_and_Reg();
                }
            }

            string index_list = Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.Encryption);
            var selected_parts = index_list.Split(',').Select(part => Cipher_Parts.ElementAt(System.Convert.ToInt32(part)));
            return Hash(string.Concat(selected_parts));
        }
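        /// <summary>
        /// Loads the app config and refreshes the four registry-backed configs from their
        /// central (web) sources when the app config names one. Load order for the app
        /// config: registry copy; else a file on disk, consumed and deleted; else the shipped
        /// default, written to disk and cached in the registry. Ends by collecting the log
        /// collector locations, incrementing ThreadsDone_Setup and, when arg 16 is present,
        /// forcing the reported logging level to "verbose".
        /// </summary>
        private static void RUN_Setup_AppConfig()
        {
            if (Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents))//use reg
            {
                READ_and_Parse_Console_App_Config_Contents(Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents));
            }
            else if (File_Operation.CHECK_if_File_Exists(GET_AppConfigFile_Path))//no reg, look for file
            {
                READ_and_Parse_Console_App_Config_Contents(File_Operation.READ_AllText(GET_AppConfigFile_Path));
                File_Operation.DELETE_File(GET_AppConfigFile_Path);
            }
            else//no file, no reg, Create Default then load it into the reg to use later
            {
                File_Operation.VERIFY_AppConfig_Default_Files_Ready();
                READ_and_Parse_Console_App_Config_Contents(File_Operation.READ_AllText(GET_AppConfigFile_Path));
                Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents, File_Operation.READ_AllText(GET_AppConfigFile_Path));
            }

            // Central configs. The four blocks this replaces were identical apart from the
            // app-config arg index, registry key and log label; order is preserved.
            // NOTE(review): the central source is named by the app config just loaded (itself
            // from registry or a file), and PLUGIN_SearchTerms_File_Contents feeds the PowerShell
            // plugins, so whoever controls that source or the transport controls plugin input.
            // VERIFY_Central_Reg_Config_Hash only decides whether to refresh; confirm that
            // Web_Operation authenticates the source (TLS with certificate validation, or a
            // signature over the content) before treating the fetched text as trusted.
            SYNC_Central_Config(7, Reg_Operation.REG_KEY.ConsoleAppConfig_Contents, "ConsoleAppConfig_Contents");//arg for central app config
            SYNC_Central_Config(6, Reg_Operation.REG_KEY.SearchTerms_File_Contents, "SearchTerms_File_Contents");//arg for central search config
            SYNC_Central_Config(9, Reg_Operation.REG_KEY.WhiteList_SearchTerms_File_Contents, "WhiteList_SearchTerms_File_Contents");//arg for central whitelist config
            SYNC_Central_Config(8, Reg_Operation.REG_KEY.PLUGIN_SearchTerms_File_Contents, "PLUGIN_SearchTerms_File_Contents");//arg for central plugin config

            Log_Forwarders_HostNames = GET_LogCollector_Locations();//GatherLog Collector Locations
            ++ThreadsDone_Setup;
            if (AppConfig_File_Args.ContainsKey(SWELF_AppConfig_Args[16]))
            {
                Logging_Level_To_Report = "verbose";
            }
        }

        /// <summary>
        /// Refreshes one registry-backed config from its central source. Does nothing unless
        /// the app config contains the arg at <paramref name="arg_index"/> of
        /// SWELF_AppConfig_Args. Otherwise makes sure the registry key exists (empty if new),
        /// and when the stored copy's hash no longer matches the central one - and the web
        /// connection succeeded - stores the fetched content and logs the change.
        /// </summary>
        /// <param name="arg_index">Index into SWELF_AppConfig_Args naming the central-source arg.</param>
        /// <param name="reg_key">Registry key holding the local copy.</param>
        /// <param name="reg_key_name">Key name used in the informational log entry.</param>
        private static void SYNC_Central_Config(int arg_index, Reg_Operation.REG_KEY reg_key, string reg_key_name)
        {
            var central_arg = SWELF_AppConfig_Args[arg_index];
            if (AppConfig_File_Args.ContainsKey(central_arg) == false)
            {
                return;
            }
            if (Reg_Operation.CHECK_SWELF_Reg_Key_Exists(reg_key) == false)
            {
                Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(reg_key, "");
            }
            if (Web_Operation.VERIFY_Central_Reg_Config_Hash(AppConfig_File_Args[central_arg], Reg_Operation.READ_SWELF_Reg_Key(reg_key)) == false)
            {
                if (Web_Operation.Connection_Successful)
                {
                    Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(reg_key, Web_Operation.UPDATE_Reg_Config_With_Central_Config(AppConfig_File_Args[central_arg].ToString()));
                    Error_Operation.Log_Error("RUN_Setup_AppConfig()", "Reg key for Central Config " + reg_key_name + " source updated from web source.", "", Error_Operation.LogSeverity.Informataion, Error_Operation.EventID.SWELF_Central_Config_Changed);
                }
            }
        }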