Adding STIG baselines for Windows Server 2022 and Windows 11 #76
Conversation
```python
"".join(line.split("=")[1].split(",")[1:])
.strip()
.strip('"')
.replace('""', "")
```
Do you remember what required this extra `replace()`?
It's in the `GptTmpl.inf` file within each STIG component from the STIG GPO package.
The actual line is below:

```text
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.,By using this IS (which includes any device attached to this IS)"," you consent to the following conditions:,-The USG routinely intercepts and monitors communications on this IS for purposes including"," but not limited to"," penetration testing"," COMSEC monitoring"," network operations and defense"," personnel misconduct (PM)"," law enforcement (LE)"," and counterintelligence (CI) investigations.,-At any time"," the USG may inspect and seize data stored on this IS.,-Communications using"," or data stored on"," this IS are not private"," are subject to routine monitoring"," interception"," and search"," and may be disclosed or used for any USG-authorized purpose.,-This IS includes security measures (e.g."," authentication and access controls) to protect USG interests--not for your personal benefit or privacy.,-Notwithstanding the above"," using this IS does not constitute consent to PM"," LE or CI investigative searching or monitoring of the content of privileged communications"," or work product"," related to personal representation or services by attorneys"," psychotherapists"," or clergy"," and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
```

The `","` would become `""` using the current script. I added the extra `replace()` to clean things up.
Hmm. That's interesting. It seems like the double quotes are used to escape the comma. Unescaped commas appear to indicate a newline, perhaps? Maybe we actually want to keep those commas, except the first one... What if we just do this?
```diff
-.replace('""', "")
+",".join(line.split("=")[1].split(",")[1:])
+.strip()
+.strip('"')
```
The suggestion seems to preserve the `","`.

```text
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.,By using this IS (which includes any device attached to this IS)"," you consent to the following conditions:,-The USG routinely intercepts and monitors communications on this IS for purposes including"," but not limited to"," penetration testing"," COMSEC monitoring"," network operations and defense"," personnel misconduct (PM)"," law enforcement (LE)"," and counterintelligence (CI) investigations.,-At any time"," the USG may inspect and seize data stored on this IS.,-Communications using"," or data stored on"," this IS are not private"," are subject to routine monitoring"," interception"," and search"," and may be disclosed or used for any USG-authorized purpose.,-This IS includes security measures (e.g."," authentication and access controls) to protect USG interests--not for your personal benefit or privacy.,-Notwithstanding the above"," using this IS does not constitute consent to PM"," LE or CI investigative searching or monitoring of the content of privileged communications"," or work product"," related to personal representation or services by attorneys"," psychotherapists"," or clergy"," and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
```
Assuming I'm using the suggestions correctly. This is what I'm testing with:

```python
policy["value"] = (
    ",".join(line.split("=")[1].split(",")[1:])
    .strip()
    .strip('"')
)
```
Hmm. I figure the last `.strip('"')` would remove the double quotes before the join but it's not doing it for some reason.
Ohhhhhh, this is `MULTISZ`! The salt lgpo module didn't handle that type correctly when I first converted to use the python native module. So, we just wrote this entry as `SZ`, see:

```yaml
- key: Computer\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText
  policy_type: regpol
  value: >-
    You are accessing a U.S. Government (USG) Information System (IS) that is
    provided for USG-authorized use only. By using this IS (which includes any
    device attached to this IS), you consent to the following conditions: -The
    USG routinely intercepts and monitors communications on this IS for
    purposes including, but not limited to, penetration testing, COMSEC
    monitoring, network operations and defense, personnel misconduct (PM), law
    enforcement (LE), and counterintelligence (CI) investigations. -At any
    time, the USG may inspect and seize data stored on this IS.
    -Communications using, or data stored on, this IS are not private, are
    subject to routine monitoring, interception, and search, and may be
    disclosed or used for any USG-authorized purpose. -This IS includes
    security measures (e.g., authentication and access controls) to protect
    USG interests--not for your personal benefit or privacy. -Notwithstanding
    the above, using this IS does not constitute consent to PM, LE or CI
    investigative searching or monitoring of the content of privileged
    communications, or work product, related to personal representation or
    services by attorneys, psychotherapists, or clergy, and their assistants.
    Such communications and work product are private and confidential. See
    User Agreement for details.
  vtype: SZ
```
Hmm. I'm not sure that the implementation here is doing the right thing for MULTISZ.... We're actually just treating it the same as SZ anyway, using `_encode_string()`. The salt upstream module has been updated for MULTISZ since our initial conversion. It uses a list of strings as the value:
Tracing through the code, here's how they join the list of strings to encode it for the regpol:
https://github.com/saltstack/salt/blob/master/salt/utils/win_lgpo_reg.py#L419-L439
I tried the following:

```python
policy["value"] = (
    ",".join(line.split("=")[1].split(",")[1:])
    .strip()
    .strip('"')
    .replace('","', ',')
    .replace(',-', '\n-')
)
```
Oh that works. Getting very close. The replace on `',-'` misses at least one unescaped comma, that I see. We can close the gap, maybe, by splitting on `'","'`, then just replacing `','` for `\n` on each segment, and joining again on `","`. I'll play around with the python for that locally... Gimme a bit...
Let's try this:

```python
",".join([segment.replace(",", "\n") for segment in ",".join(line.split("=")[1].split(",")[1:]).split('","')]).strip().strip('"')
```

Which is giving me this:

```text
'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.'
```
Okay. This caught that first unescaped comma.
Here's the new yaml and resulting banner:
```yaml
- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText
  policy_type: regpol
  value: 'You are accessing a U.S. Government (USG) Information System (IS) that is
    provided for USG-authorized use only.

    By using this IS (which includes any device attached to this IS), you consent
    to the following conditions:

    -The USG routinely intercepts and monitors communications on this IS for purposes
    including, but not limited to, penetration testing, COMSEC monitoring, network
    operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence
    (CI) investigations.

    -At any time, the USG may inspect and seize data stored on this IS.

    -Communications using, or data stored on, this IS are not private, are subject
    to routine monitoring, interception, and search, and may be disclosed or used
    for any USG-authorized purpose.

    -This IS includes security measures (e.g., authentication and access controls)
    to protect USG interests--not for your personal benefit or privacy.

    -Notwithstanding the above, using this IS does not constitute consent to PM, LE
    or CI investigative searching or monitoring of the content of privileged communications,
    or work product, related to personal representation or services by attorneys,
    psychotherapists, or clergy, and their assistants. Such communications and work
    product are private and confidential. See User Agreement for details.'
```
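A small parser for the `key=type,value` line form this thread works out, added here as an example and not code from the PR or from salt's lgpo module. It assumes the reading reached above: in a type-7 (MULTISZ) value a bare comma separates elements and a double-quoted comma (`","`) is a literal comma inside an element; it returns the elements as a list (the form the upstream module takes for MULTISZ) and joins them with newlines for the banner. The sample line is a constructed, shortened version of the one quoted earlier.

```python
# Added example: parse a GptTmpl.inf "[Registry Values]" line into (key, type, value).
# Not code from the PR or from salt's lgpo module. Assumption (the reading reached in
# this thread): for type 7 (MULTISZ) a bare comma separates elements, and a comma
# wrapped in double quotes ('","') is a literal comma inside one element.

REG_TYPES = {1: "SZ", 4: "DWORD", 7: "MULTISZ"}  # numeric type tags used by secedit .inf


def split_multisz(raw: str) -> list[str]:
    """Split a type-7 value into its elements, honouring the '","' comma escape."""
    elements, current, quoted = [], [], False
    for ch in raw:
        if ch == '"':
            quoted = not quoted          # the quote is only an escape marker; drop it
        elif ch == "," and not quoted:
            elements.append("".join(current))
            current = []
        else:
            current.append(ch)
    elements.append("".join(current))
    return [e.strip() for e in elements]


def parse_inf_line(line: str) -> tuple[str, str, object]:
    """Return (registry key, type name, value); MULTISZ values come back as a list."""
    key, _, rest = line.rstrip("\r\n").partition("=")      # split on the first '=' only
    type_tag, _, raw = rest.partition(",")                   # then the numeric type tag
    vtype = REG_TYPES.get(int(type_tag), type_tag)
    if vtype == "MULTISZ":
        return key, vtype, split_multisz(raw)
    return key, vtype, raw.strip().strip('"')                # SZ/DWORD: a single scalar


def banner_text(elements: list[str]) -> str:
    """What the thread ends up with: one MULTISZ element per line of the logon banner."""
    return "\n".join(elements)


# Constructed sample in the same shape as the LegalNoticeText line quoted above (shortened).
SAMPLE_LINE = (
    r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText"
    "=7,You are accessing a USG Information System (IS).,By using this IS (which includes "
    'any device)"," you consent to the following conditions:,-The USG routinely monitors '
    'this IS for purposes including"," but not limited to"," penetration testing.'
)

if __name__ == "__main__":
    key, vtype, value = parse_inf_line(SAMPLE_LINE)
    print(key, vtype)
    print(banner_text(value))
```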
Okay. Yeah, I kind of dug into this but it seemed more involved and would require more effort. I just re-used `_encode_string()` to handle MULTISZ. Maybe in the next update. 🙂