Add support for Defender Firewall Rules in powershell audit, only whe…
…n running as an agent.
mark-unwin committed Sep 8, 2024
1 parent 468bf23 commit e0ce3f2
Showing 9 changed files with 460 additions and 286 deletions.
3 changes: 3 additions & 0 deletions app/Helpers/components_helper.php
Expand Up @@ -31,6 +31,9 @@ function match_columns($table)
if ($table === 'firewall') {
$match_columns = array('name');
}
if ($table === 'firewall_rule') {
$match_columns = array('name', 'profile', 'enabled', 'direction', 'action', 'local_port', 'remote_port', 'firewall');
}
if ($table === 'log') {
$match_columns = array('name', 'file_name', 'overwrite');
}
4 changes: 2 additions & 2 deletions app/Models/ComponentsModel.php
Expand Up @@ -47,7 +47,7 @@ public function collection(object $resp): array
}
if ($table === '') {
// No components.type requested, return all the below
$tables = array('antivirus', 'benchmarks_result', 'bios', 'certificate', 'disk', 'dns', 'executable', 'file', 'firewall', 'ip', 'log', 'memory', 'module', 'monitor', 'motherboard', 'netstat', 'network', 'nmap', 'optical', 'pagefile', 'partition', 'policy', 'print_queue', 'processor', 'radio', 'route', 'san', 'scsi', 'server', 'server_item', 'service', 'share', 'software', 'software_key', 'sound', 'task', 'usb', 'user', 'user_group', 'variable', 'video', 'vm', 'warranty', 'windows');
$tables = array('antivirus', 'benchmarks_result', 'bios', 'certificate', 'disk', 'dns', 'executable', 'file', 'firewall', 'firewall_rule', 'ip', 'log', 'memory', 'module', 'monitor', 'motherboard', 'netstat', 'network', 'nmap', 'optical', 'pagefile', 'partition', 'policy', 'print_queue', 'processor', 'radio', 'route', 'san', 'scsi', 'server', 'server_item', 'service', 'share', 'software', 'software_key', 'sound', 'task', 'usb', 'user', 'user_group', 'variable', 'video', 'vm', 'warranty', 'windows');
}
$orgs = array();
$count = count($resp->meta->filter);
Expand All @@ -67,7 +67,7 @@ public function collection(object $resp): array
}
}
if (empty($tables)) {
if (!in_array($table, ['antivirus', 'audit_log', 'benchmarks_result', 'bios', 'certificate', 'change_log', 'discovery_log', 'disk', 'dns', 'edit_log', 'executable', 'file', 'firewall', 'ip', 'log', 'memory', 'module', 'monitor', 'motherboard', 'netstat', 'network', 'nmap', 'optical', 'pagefile', 'partition', 'policy', 'print_queue', 'processor', 'radio', 'route', 'san', 'scsi', 'server', 'server_item', 'service', 'share', 'software', 'software_key', 'sound', 'task', 'usb', 'user', 'user_group', 'variable', 'video', 'vm', 'warranty', 'windows'])) {
if (!in_array($table, ['antivirus', 'audit_log', 'benchmarks_result', 'bios', 'certificate', 'change_log', 'discovery_log', 'disk', 'dns', 'edit_log', 'executable', 'file', 'firewall', 'firewall_rule', 'ip', 'log', 'memory', 'module', 'monitor', 'motherboard', 'netstat', 'network', 'nmap', 'optical', 'pagefile', 'partition', 'policy', 'print_queue', 'processor', 'radio', 'route', 'san', 'scsi', 'server', 'server_item', 'service', 'share', 'software', 'software_key', 'sound', 'task', 'usb', 'user', 'user_group', 'variable', 'video', 'vm', 'warranty', 'windows'])) {
# Invalid table
log_message('error', 'Invalid table provided to ComponentsModel::collection, ' . $table);
$_SESSION['error'] = 'Invalid table provided to ComponentsModel::collection, ' . htmlentities($table);
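Review bot: The allowlist on line 44 is one of several hand-maintained copies of the component table list touched by this commit (line 35 here, and three more in DevicesModel), and the two copies in this hunk already differ by the `*_log` tables, so the next component table is easy to add in one place and miss in another. Because this list is presumably what stands between a request-supplied `$table` (the comment on line 33 says it comes from `components.type`) and the queries that later use it as an identifier, it is worth hoisting into one class constant, e.g. `private const COMPONENT_TABLES = [ ... ];`, with the log tables appended only where line 44 needs them, and referencing that constant from both sites. `collection()` continues past the end of this hunk.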
6 changes: 3 additions & 3 deletions app/Models/DevicesModel.php
Expand Up @@ -364,9 +364,9 @@ public function includedCollection(): array

$included = array();
// No excecutable, file, radio, san, scsi, usb
$current = array('antivirus', 'audit_log', 'bios', 'change_log', 'disk', 'dns', 'edit_log', 'file', 'firewall', 'ip', 'log', 'memory', 'module', 'monitor', 'motherboard', 'netstat', 'network', 'nmap', 'optical', 'pagefile', 'partition', 'policy', 'print_queue', 'processor', 'route', 'server', 'server_item', 'service', 'share', 'software', 'software_key', 'sound', 'task', 'user', 'user_group', 'variable', 'video', 'vm', 'windows');
$current = array('antivirus', 'audit_log', 'bios', 'change_log', 'disk', 'dns', 'edit_log', 'file', 'firewall', 'firewall_rule', 'ip', 'log', 'memory', 'module', 'monitor', 'motherboard', 'netstat', 'network', 'nmap', 'optical', 'pagefile', 'partition', 'policy', 'print_queue', 'processor', 'route', 'server', 'server_item', 'service', 'share', 'software', 'software_key', 'sound', 'task', 'user', 'user_group', 'variable', 'video', 'vm', 'windows');
if (!empty($instance->config->feature_executables) and $instance->config->feature_executables === 'y') {
$current = array('antivirus', 'audit_log', 'bios', 'change_log', 'disk', 'dns', 'edit_log', 'file', 'firewall', 'executable', 'ip', 'log', 'memory', 'module', 'monitor', 'motherboard', 'netstat', 'network', 'nmap', 'optical', 'pagefile', 'partition', 'policy', 'print_queue', 'processor', 'route', 'server', 'server_item', 'service', 'share', 'software', 'software_key', 'sound', 'task', 'user', 'user_group', 'variable', 'video', 'vm', 'windows');
$current = array('antivirus', 'audit_log', 'bios', 'change_log', 'disk', 'dns', 'edit_log', 'file', 'firewall', 'firewall_rule', 'executable', 'ip', 'log', 'memory', 'module', 'monitor', 'motherboard', 'netstat', 'network', 'nmap', 'optical', 'pagefile', 'partition', 'policy', 'print_queue', 'processor', 'route', 'server', 'server_item', 'service', 'share', 'software', 'software_key', 'sound', 'task', 'user', 'user_group', 'variable', 'video', 'vm', 'windows');
}

foreach ($current as $table) {
Expand Down Expand Up @@ -397,7 +397,7 @@ public function includedRead(int $id = 0): array
}

$include = array();
$current = array('antivirus', 'bios', 'certificate', 'disk', 'dns', 'executable', 'file', 'firewall', 'ip', 'log', 'memory', 'module', 'monitor', 'motherboard', 'netstat', 'network', 'nmap', 'optical', 'pagefile', 'partition', 'policy', 'print_queue', 'processor', 'radio', 'route', 'san', 'scsi', 'server_item', 'service', 'share', 'software', 'software_key', 'sound', 'task', 'usb', 'user', 'user_group', 'variable', 'video', 'vm', 'warranty', 'windows');
$current = array('antivirus', 'bios', 'certificate', 'disk', 'dns', 'executable', 'file', 'firewall', 'firewall_rule', 'ip', 'log', 'memory', 'module', 'monitor', 'motherboard', 'netstat', 'network', 'nmap', 'optical', 'pagefile', 'partition', 'policy', 'print_queue', 'processor', 'radio', 'route', 'san', 'scsi', 'server_item', 'service', 'share', 'software', 'software_key', 'sound', 'task', 'usb', 'user', 'user_group', 'variable', 'video', 'vm', 'warranty', 'windows');
foreach ($current as $table) {
if (empty($resp_include) or in_array($table, $resp_include)) {
$sql = "SELECT * FROM `$table` WHERE device_id = ? and current = 'y'";
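Review bot: `includedRead()` interpolates `$table` straight into ``SELECT * FROM `$table` `` on the last line of the hunk, which is only safe because `$current` is a literal list and `$resp_include` merely filters it; that invariant is unwritten and this commit adds yet another copy of the list to keep honest. A comment above the loop such as `// $table must only ever come from the literal $current list above - it is used as a SQL identifier below, never take it from the request` would protect the next editor. In `includedCollection()` the second full list at line 59 can shrink to `$current[] = 'executable';` inside the existing `if`, provided the position of `executable` in the output order is not significant to consumers. Both functions continue past the ends of their hunks.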
33 changes: 33 additions & 0 deletions app/Models/db_upgrades/db_5.5.0.php
Expand Up @@ -51,6 +51,39 @@
log_message('info', (string)$db->getLastQuery());
}

if (!$db->tableExists('firewall_rule')) {
$sql = "CREATE TABLE `firewall_rule` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`device_id` int(10) unsigned DEFAULT NULL,
`current` enum('y','n') NOT NULL DEFAULT 'y',
`first_seen` datetime NOT NULL DEFAULT '2000-01-01 00:00:00',
`last_seen` datetime NOT NULL DEFAULT '2000-01-01 00:00:00',
`name` varchar(200) NOT NULL DEFAULT '',
`description` text NOT NULL,
`action` varchar(100) NOT NULL DEFAULT '',
`direction` varchar(100) NOT NULL DEFAULT '',
`enabled` varchar(100) NOT NULL DEFAULT '',
`external_ident` varchar(100) NOT NULL DEFAULT '',
`group` varchar(100) NOT NULL DEFAULT '',
`local_port` varchar(100) NOT NULL DEFAULT '',
`profile` varchar(100) NOT NULL DEFAULT '',
`protocol` varchar(100) NOT NULL DEFAULT '',
`remote_address` varchar(100) NOT NULL DEFAULT '',
`remote_port` varchar(100) NOT NULL DEFAULT '',
`rule_group` varchar(100) NOT NULL DEFAULT '',
`firewall` varchar(100) NOT NULL DEFAULT 'Windows Defender',
PRIMARY KEY (`id`),
KEY `system_id` (`device_id`),
KEY `first_seen` (`first_seen`),
KEY `last_seen` (`last_seen`),
KEY `name` (`name`),
CONSTRAINT `firewall_rule_system_id` FOREIGN KEY (`device_id`) REFERENCES `devices` (`id`) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb3 COLLATE=utf8mb3_general_ci";
$db->query($sql);
$output .= str_replace("\n", " ", (string)$db->getLastQuery()) . "\n\n";
log_message('info', (string)$db->getLastQuery());
}

if (!$db->tableExists('packages')) {
$sql = "CREATE TABLE `packages` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
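Review bot: `local_port`, `remote_address` and `remote_port` are `varchar(100)` (lines 93, 96, 97), but a Defender rule's remote scope is commonly a comma-separated list of addresses, ranges and keywords, and a port field can be a long list as well, so any value over 100 characters is either rejected in strict SQL mode (the rule then silently disappears from the audit) or truncated in non-strict mode, leaving the inventory showing a narrower scope than the host actually enforces. `description` already uses `text` in this same statement; the same fits these three: `` `local_port` text NOT NULL, ``, `` `remote_address` text NOT NULL, ``, `` `remote_port` text NOT NULL, `` — none of them is indexed, so nothing is lost. The values the agent actually sends are not visible on this page, so confirm the widths against the PowerShell output before settling on a size.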
41 changes: 40 additions & 1 deletion app/Views/devicesRead.php
Expand Up @@ -100,7 +100,7 @@

<?php
$show = false;
$sections = array('antivirus', 'firewall', 'server', 'service', 'software', 'software_key');
$sections = array('antivirus', 'firewall', 'firewall_rule', 'server', 'service', 'software', 'software_key');
foreach ($sections as $section) {
if (!empty($included[$section])) {
$show = true;
Expand Down Expand Up @@ -1711,6 +1711,45 @@
</div>
</div>

<div style="margin-bottom:20px; display:none;" class="card" id="firewall_rule_section">
<?php $count = !empty($included['firewall_rule']) ? count($included['firewall_rule']) : 0; ?>
<?= device_panel('firewall_rule', $user->toolbar_style, $resource->id, '', false, $count); ?>
<div class="card-body">
<div class="row">
<table class="table <?= $GLOBALS['table'] ?> table-striped table-hover dataTable" data-order='[[1,"asc"]]'>
<thead>
<tr>
<th class="text-center" data-orderable="false"><?= __('View') ?></th>
<th><?= __('Name') ?></th>
<th><?= __('Profile') ?></th>
<th><?= __('Enabled') ?></th>
<th><?= __('Direction') ?></th>
<th><?= __('Action') ?></th>
<th><?= __('Local Port') ?></th>
<th><?= __('Remote Port') ?></th>
</tr>
</thead>
<tbody>
<?php if (!empty($included['firewall_rule'])) {
foreach ($included['firewall_rule'] as $row) { ?>
<tr>
<?= device_component_button_read('firewall_rule', $row->id) ?>
<td><?= $row->name ?></td>
<td><?= $row->profile ?></td>
<td><?= $row->enabled ?></td>
<td><?= $row->direction ?></td>
<td><?= $row->action ?></td>
<td><?= $row->local_port ?></td>
<td><?= $row->remote_port ?></td>
</tr>
<?php } ?>
<?php } ?>
</tbody>
</table>
</div>
</div>
</div>

<div style="margin-bottom:20px; display:none;" class="card" id="service_section">
<?php $count = !empty($included['service']) ? count($included['service']) : 0; ?>
<?= device_panel('service', $user->toolbar_style, $resource->id, '', false, $count); ?>
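Review bot: The seven cells at lines 154-160 echo `$row->name`, `$row->profile` and the rest without escaping, and those strings originate on the audited endpoint (a Defender rule's name is set by whoever holds admin on that host), so a compromised or hostile machine can plant markup in a rule name that runs in the browser of every user who opens this device page. Wrap each value in the escaping helper this view uses elsewhere, or in `htmlentities()` as `ComponentsModel` already does for `$table`; if the neighbouring sections in this file also echo raw, they deserve the same pass. The `name` column is `varchar(200)`, which is ample room for a payload.
```php
foreach ($included['firewall_rule'] as $row) { ?>
    <tr>
        <?= device_component_button_read('firewall_rule', $row->id) ?>
        <td><?= htmlentities($row->name, ENT_QUOTES, 'UTF-8') ?></td>
        <td><?= htmlentities($row->profile, ENT_QUOTES, 'UTF-8') ?></td>
        <td><?= htmlentities($row->enabled, ENT_QUOTES, 'UTF-8') ?></td>
        <td><?= htmlentities($row->direction, ENT_QUOTES, 'UTF-8') ?></td>
        <td><?= htmlentities($row->action, ENT_QUOTES, 'UTF-8') ?></td>
        <td><?= htmlentities($row->local_port, ENT_QUOTES, 'UTF-8') ?></td>
        <td><?= htmlentities($row->remote_port, ENT_QUOTES, 'UTF-8') ?></td>
    </tr>
```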
5 changes: 5 additions & 0 deletions app/Views/lang/en.inc
Expand Up @@ -548,6 +548,7 @@ $GLOBALS["lang"]["Devices Updated in Open-AudIT"]="Devices Updated in Open-AudIT
$GLOBALS["lang"]["Devices Without Credentials"]="Devices Without Credentials";
$GLOBALS["lang"]["Device Types"]="Device Types";
$GLOBALS["lang"]["DHCP"]="DHCP";
$GLOBALS["lang"]["Direction"]="Direction";
$GLOBALS["lang"]["Directory"]="Directory";
$GLOBALS["lang"]["Disabled"]="Disabled";
$GLOBALS["lang"]["Disaster Recovery"]="Disaster Recovery";
Expand Down Expand Up @@ -708,6 +709,7 @@ $GLOBALS["lang"]["Files ID"]="Files ID";
$GLOBALS["lang"]["Fire Station"]="Fire Station";
$GLOBALS["lang"]["Firewall"]="Firewall";
$GLOBALS["lang"]["firewall"]="firewall";
$GLOBALS["lang"]["Firewall Rule"]="Firewall Rule";
$GLOBALS["lang"]["Firmware"]="Firmware";
$GLOBALS["lang"]["First Name"]="First Name";
$GLOBALS["lang"]["First Run"]="First Run";
Expand Down Expand Up @@ -940,6 +942,7 @@ $GLOBALS["lang"]["Load Balancer"]="Load Balancer";
$GLOBALS["lang"]["Load Balancing"]="Load Balancing";
$GLOBALS["lang"]["Local"]="Local";
$GLOBALS["lang"]["Localhost"]="Localhost";
$GLOBALS["lang"]["Local Port"]="Local Port";
$GLOBALS["lang"]["Location"]="Location";
$GLOBALS["lang"]["Location A"]="Location A";
$GLOBALS["lang"]["Location B"]="Location B";
Expand Down Expand Up @@ -1314,6 +1317,7 @@ $GLOBALS["lang"]["Processor Speed"]="Processor Speed";
$GLOBALS["lang"]["Processor Type"]="Processor Type";
$GLOBALS["lang"]["Production"]="Production";
$GLOBALS["lang"]["Product Name"]="Product Name";
$GLOBALS["lang"]["Profile"]="Profile";
$GLOBALS["lang"]["Program"]="Program";
$GLOBALS["lang"]["program"]="program";
$GLOBALS["lang"]["Projector"]="Projector";
Expand Down Expand Up @@ -1369,6 +1373,7 @@ $GLOBALS["lang"]["Remediation OpenShift"]="Remediation OpenShift";
$GLOBALS["lang"]["Remote"]="Remote";
$GLOBALS["lang"]["Remote Access Controller (ILO / RSA)"]="Remote Access Controller (ILO / RSA)";
$GLOBALS["lang"]["Remote Management"]="Remote Management";
$GLOBALS["lang"]["Remote Port"]="Remote Port";
$GLOBALS["lang"]["Remove"]="Remove";
$GLOBALS["lang"]["removed from display, but has been set"]="removed from display, but has been set";
$GLOBALS["lang"]["Remove Exception"]="Remove Exception";