Adds security hardening to JEA profiles by always prohibit certain cmdlets

Lord Hepipud 2024-03-15 12:42:37 +01:00
parent 117d20f6e6
commit 5e0b3a6113
10 changed files with 123 additions and 16 deletions


@ -7,12 +7,15 @@ documentation before upgrading to a new release.
Released closed milestones can be found on [GitHub](https://github.com/Icinga/icinga-powershell-framework/milestones?state=closed).
## 1.12.0 (tbd)
## 1.12.0 (2024-03-26)
[Issues and PRs](https://github.com/Icinga/icinga-powershell-framework/milestone/28)
### Bugfixes
* [#673](https://github.com/Icinga/icinga-powershell-framework/pull/673) Fixes a memory leak while fetching Windows EventLog information by using CLI tools and inside the Hyper-V provide
* [#678](https://github.com/Icinga/icinga-powershell-framework/pull/678) Fixes various memory leaks in Icinga for Windows API core and check handler
* [#680](https://github.com/Icinga/icinga-powershell-framework/pull/680) Fixes exception in some cases, when provider or metrics return values as `null` instead of `0` while units are being used for check objects
* [#683](https://github.com/Icinga/icinga-powershell-framework/pull/683) Fixes JEA installer to exclude domain from user name length check, which can easily exceed the Windows 20 digits username limit
* [#685](https://github.com/Icinga/icinga-powershell-framework/pull/685) Fixes an issue while trying to stop the JEA process in certain cases, which results in an error during installation but has no other effect on the environment
* [#686](https://github.com/Icinga/icinga-powershell-framework/pull/686) Fixes certutil error handling and message output in case the icingaforwindows.pfx could not be created
@ -30,16 +33,7 @@ Released closed milestones can be found on [GitHub](https://github.com/Icinga/ic
* [#692](https://github.com/Icinga/icinga-powershell-framework/pull/692) Renames `Restart-IcingaWindowsService` to `Restart-IcingaForWindows` and adds alias for backwards compatibility to start unifying the Icinga for Windows cmdlets
* [#693](https://github.com/Icinga/icinga-powershell-framework/pull/693) Adds new command `Restart-Icinga` to restart both, the Icinga Agent and Icinga for Windows
* [#694](https://github.com/Icinga/icinga-powershell-framework/pull/694) Adds support for check objects not being added to summary header
## 1.11.2 (tbd)
[Issues and PRs](https://github.com/Icinga/icinga-powershell-framework/milestone/30)
### Bugfixes
* [#673](https://github.com/Icinga/icinga-powershell-framework/pull/673) Fixes a memory leak while fetching Windows EventLog information by using CLI tools and inside the Hyper-V provide
* [#678](https://github.com/Icinga/icinga-powershell-framework/pull/678) Fixes various memory leaks in Icinga for Windows API core and check handler
* [#680](https://github.com/Icinga/icinga-powershell-framework/pull/680) Fixes exception in some cases, when provider or metrics return values as `null` instead of `0` while units are being used for check objects
* [#695](https://github.com/Icinga/icinga-powershell-framework/pull/695) Adds security hardening to JEA profiles by always prohibit certain cmdlets
## 1.11.1 (2023-11-07)


@ -49,7 +49,7 @@ In this case, `master` would be our value we want to add and can confirm this by
```text
*******************************************
** Icinga for Windows Management Console **
** Copyright (c) 2021 Icinga GmbH | MIT **
** Copyright (c) 2024 Icinga GmbH | MIT **
** User environment ws-icinga\icinga **
** Icinga PowerShell Framework v1.6.0 **
*******************************************


@ -15,7 +15,7 @@ By pressing `0` on the `main menu`, we can start the entire `Installation`:
```text
*******************************************
** Icinga for Windows Management Console **
** Copyright (c) 2021 Icinga GmbH | MIT **
** Copyright (c) 2024 Icinga GmbH | MIT **
** User environment ws-icinga\icinga **
** Icinga PowerShell Framework v1.6.0 **
*******************************************
@ -41,7 +41,7 @@ In case you already deployed a configuration before or aborted your previous att
```text
*******************************************
** Icinga for Windows Management Console **
** Copyright (c) 2021 Icinga GmbH | MIT **
** Copyright (c) 2024 Icinga GmbH | MIT **
** User environment ws-icinga\icinga **
** Icinga PowerShell Framework v1.6.0 **
*******************************************


@ -4,7 +4,7 @@
GUID = 'fcd7a805-a41b-49f9-afee-9d17a2b76d42'
Author = 'Lord Hepipud'
CompanyName = 'Icinga GmbH'
Copyright = '(c) 2023 Icinga GmbH | MIT'
Copyright = '(c) 2024 Icinga GmbH | MIT'
Description = 'Icinga for Windows module which allows to entirely monitor the Windows Host system.'
PowerShellVersion = '4.0'
NestedModules = @( '.\cache\framework_cache.psm1' )


@ -0,0 +1,96 @@
function Deny-IcingaJEACommand()
{
param (
[string]$Command = $null,
[string]$FileComments = $null
);
if ([string]::IsNullOrEmpty($Command) -eq $FALSE) {
# Ensure certain commands are not added to the JEA profile
switch ($Command.ToLower()) {
'Register-ScheduledTask'.ToLower() {
return $TRUE;
};
'Start-ScheduledTask'.ToLower() {
return $TRUE;
};
'Unregister-ScheduledTask'.ToLower() {
return $TRUE;
};
'New-ScheduledTaskAction'.ToLower() {
return $TRUE;
};
'Invoke-IcingaWindowsScheduledTask'.ToLower() {
return $TRUE;
};
'Start-IcingaWindowsScheduledTaskRenewCertificate'.ToLower() {
return $TRUE;
};
'Register-IcingaWindowsScheduledTaskRenewCertificate'.ToLower() {
return $TRUE;
};
'Stop-Process'.ToLower() {
return $TRUE;
};
'Remove-EventLog'.ToLower() {
return $TRUE;
};
'Unregister-IcingaEventLog'.ToLower() {
return $TRUE;
};
'Remove-Item'.ToLower() {
return $TRUE;
};
'Remove-ItemSecure'.ToLower() {
return $TRUE;
};
'Stop-Service'.ToLower() {
return $TRUE;
};
'Restart-Service'.ToLower() {
return $TRUE;
};
'Copy-ItemSecure'.ToLower() {
return $TRUE;
};
'Copy-Item'.ToLower() {
return $TRUE;
};
'Move-Item'.ToLower() {
return $TRUE;
};
'Restart-IcingaService'.ToLower() {
return $TRUE;
};
'Restart-IcingaForWindows'.ToLower() {
return $TRUE;
};
'Stop-IcingaWindowsService'.ToLower() {
return $TRUE;
};
'Stop-IcingaService'.ToLower() {
return $TRUE;
};
'Restart-IcingaService'.ToLower() {
return $TRUE;
};
'Restart-IcingaForWindows'.ToLower() {
return $TRUE;
};
'Remove-IcingaPowerShellConfig'.ToLower() {
return $TRUE;
};
'Add-Content'.ToLower() {
return $TRUE;
};
}
}
if ([string]::IsNullOrEmpty($FileComments) -eq $FALSE) {
if ($FileComments.ToLower().Contains('ignorejea')) {
return $TRUE;
}
}
return $FALSE;
}
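Review bot: The switch in `Deny-IcingaJEACommand` matches only the exact lower-cased string in `$Command`, so an alias or a module-qualified name that resolves to one of the listed cmdlets would fall through to `return $FALSE;`. Whether every caller passes an already resolved name is not visible in this section. Resolving the name first, for example with `Get-Command` and the alias's `ResolvedCommandName`, and comparing that against the list would close the gap. `'Restart-IcingaService'` and `'Restart-IcingaForWindows'` each appear twice in the switch, and the second arms are unreachable and can be dropped. The function also lacks comment-based help: a `.SYNOPSIS` should state that `$TRUE` means "exclude from the JEA profile" and that a file comment containing `ignorejea` (case-insensitive substring match) excludes the whole file.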


@ -12,6 +12,10 @@ function Get-IcingaCommandDependency()
return $CompiledList;
}
if (Deny-IcingaJEACommand -Command $CmdName) {
return $CompiledList;
}
# Create the list container for our object type if not existing
# => Function, Cmdlet, Alias, Modules, Application
if ($CompiledList.ContainsKey($CmdType) -eq $FALSE) {
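Review bot: A denied command is dropped here with a bare `return $CompiledList;` and the hunk logs nothing. An administrator therefore cannot tell from the output which cmdlets were stripped from a generated JEA profile, or why a check later fails inside the restricted session. A debug or notice message naming `$CmdName` before the return would provide that audit trail. The same applies to the `return`/`continue` branches added in `Get-IcingaFrameworkDependency` and `Get-IcingaJEAConfiguration`. The function body starts and ends outside the hunk.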


@ -16,6 +16,10 @@ function Get-IcingaFrameworkDependency()
$DeserializedFile = Read-IcingaPowerShellModuleFile -FileContent $ModuleContent;
[array]$CheckCmd = $DeserializedFile.CommandList + $DeserializedFile.FunctionList;
if (Deny-IcingaJEACommand -Command $Command -FileComment $DeserializedFile.Comment) {
return $DependencyList;
}
foreach ($cmd in $CheckCmd) {
if ($cmd -eq $Command) {
continue;
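Review bot: The added call passes `-FileComment $DeserializedFile.Comment`, but `Deny-IcingaJEACommand` declares the parameter as `FileComments` and this commit adds the key `'Comments'` to the `Read-IcingaPowerShellModuleFile` result. The parameter name still binds as an unambiguous prefix, but `.Comment` most likely evaluates to `$null`, assuming the result is the hashtable shown in that hunk. The `ignorejea` marker would then never be honoured on this path, while the command deny list still applies. The line should read `if (Deny-IcingaJEACommand -Command $Command -FileComments $DeserializedFile.Comments) {`, matching the call in `Get-IcingaJEAConfiguration`. The function body starts and ends outside the hunk.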


@ -102,6 +102,10 @@ function Get-IcingaJEAConfiguration()
$DeserializedFile = Read-IcingaPowerShellModuleFile -File $ModuleFile.FullName;
if (Deny-IcingaJEACommand -FileComments $DeserializedFile.Comments) {
continue;
}
foreach ($FoundFunction in $DeserializedFile.FunctionList) {
$DependencyList = Get-IcingaFrameworkDependency `
-Command $FoundFunction `
@ -187,6 +191,10 @@ function Get-IcingaJEAConfiguration()
$CommandType = ([string]$CmdData.CommandType).Replace(' ', '');
if (Deny-IcingaJEACommand -Command $cmd) {
continue;
}
$UsedCmdlets = Get-IcingaCommandDependency `
-DependencyList $DependencyList `
-CompiledList $UsedCmdlets `


@ -177,5 +177,6 @@ function Read-IcingaPowerShellModuleFile()
'AliasList' = $AliasList;
'ExportFunction' = $ExportFunctionList;
'ExportCmdlet' = $ExportCmdletList;
'Comments' = $Comments;
};
}


@ -9,7 +9,7 @@
# Company associated with this document
CompanyName = 'Icinga GmbH'
# Copyright statement for this document
Copyright = '(c) 2021 Icinga GmbH | MIT'
Copyright = '(c) 2024 Icinga GmbH | MIT'
# Modules to import when applied to a session
ModulesToImport = ''
# Cmdlets to make visible when applied to a session