Adds security hardening to JEA profiles by always prohibit certain cmdlets

LordHepipud · LordHepipud · commit 49a3485ad4ab · 2024-03-15T12:42:37.000+01:00
diff --git a/lib/core/jea/Deny-IcingaJEACommand.psm1 b/lib/core/jea/Deny-IcingaJEACommand.psm1
@@ -0,0 +1,90 @@
+function Deny-IcingaJEACommand()
+{
+    param (
+        [string]$Command      = $null,
+        [string]$FileComments = $null
+    );
+
+    if ([string]::IsNullOrEmpty($Command) -eq $FALSE) {
+        # Ensure certain commands are not added to the JEA profile
+        switch ($Command.ToLower()) {
+            'Register-ScheduledTask'.ToLower() {
+                return $TRUE;
+            };
+            'Start-ScheduledTask'.ToLower() {
+                return $TRUE;
+            };
+            'Unregister-ScheduledTask'.ToLower() {
+                return $TRUE;
+            };
+            'New-ScheduledTaskAction'.ToLower() {
+                return $TRUE;
+            };
+            'Invoke-IcingaWindowsScheduledTask'.ToLower() {
+                return $TRUE;
+            };
+            'Start-IcingaWindowsScheduledTaskRenewCertificate'.ToLower() {
+                return $TRUE;
+            };
+            'Register-IcingaWindowsScheduledTaskRenewCertificate'.ToLower() {
+                return $TRUE;
+            };
+            'Stop-Process'.ToLower() {
+                return $TRUE;
+            };
+            'Remove-EventLog'.ToLower() {
+                return $TRUE;
+            };
+            'Unregister-IcingaEventLog'.ToLower() {
+                return $TRUE;
+            };
+            'Remove-Item'.ToLower() {
+                return $TRUE;
+            };
+            'Remove-ItemSecure'.ToLower() {
+                return $TRUE;
+            };
+            'Stop-Service'.ToLower() {
+                return $TRUE;
+            };
+            'Restart-Service'.ToLower() {
+                return $TRUE;
+            };
+            'Copy-ItemSecure'.ToLower() {
+                return $TRUE;
+            };
+            'Copy-Item'.ToLower() {
+                return $TRUE;
+            };
+            'Move-Item'.ToLower() {
+                return $TRUE;
+            };
+            'Restart-IcingaService'.ToLower() {
+                return $TRUE;
+            };
+            'Restart-IcingaForWindows'.ToLower() {
+                return $TRUE;
+            };
+            'Stop-IcingaWindowsService'.ToLower() {
+                return $TRUE;
+            };
+            'Stop-IcingaService'.ToLower() {
+                return $TRUE;
+            };
+            'Restart-IcingaService'.ToLower() {
+                return $TRUE;
+            };
+            'Restart-IcingaForWindows'.ToLower() {
+                return $TRUE;
+            };
+        }
+    }
+
+    if ([string]::IsNullOrEmpty($FileComments) -eq $FALSE) {
+        if ($FileComments.ToLower().Contains('ignorejea')) {
+            return $TRUE;
+        }
+    }
+
+    return $FALSE;
+}
diff --git a/lib/core/jea/Get-IcingaCommandDependency.psm1 b/lib/core/jea/Get-IcingaCommandDependency.psm1
@@ -12,6 +12,10 @@ function Get-IcingaCommandDependency()
         return $CompiledList;
     }
 
+    if (Deny-IcingaJEACommand -Command $CmdName) {
+        return $CompiledList;
+    }
+
     # Create the list container for our object type if not existing
     # => Function, Cmdlet, Alias, Modules, Application
     if ($CompiledList.ContainsKey($CmdType) -eq $FALSE) {
diff --git a/lib/core/jea/Get-IcingaFrameworkDependency.psm1 b/lib/core/jea/Get-IcingaFrameworkDependency.psm1
@@ -16,6 +16,10 @@ function Get-IcingaFrameworkDependency()
     $DeserializedFile = Read-IcingaPowerShellModuleFile -FileContent $ModuleContent;
     [array]$CheckCmd  = $DeserializedFile.CommandList + $DeserializedFile.FunctionList;
 
+    if (Deny-IcingaJEACommand -Command $Command -FileComment $DeserializedFile.Comment) {
+        return $DependencyList;
+    }
+
     foreach ($cmd in $CheckCmd) {
         if ($cmd -eq $Command) {
             continue;
diff --git a/lib/core/jea/Get-IcingaJEAConfiguration.psm1 b/lib/core/jea/Get-IcingaJEAConfiguration.psm1
@@ -102,6 +102,10 @@ function Get-IcingaJEAConfiguration()
 
             $DeserializedFile = Read-IcingaPowerShellModuleFile -File $ModuleFile.FullName;
 
+            if (Deny-IcingaJEACommand -FileComments $DeserializedFile.Comments) {
+                continue;
+            }
+
             foreach ($FoundFunction in $DeserializedFile.FunctionList) {
                 $DependencyList = Get-IcingaFrameworkDependency `
                     -Command $FoundFunction `
@@ -187,6 +191,10 @@ function Get-IcingaJEAConfiguration()
 
         $CommandType = ([string]$CmdData.CommandType).Replace(' ', '');
 
+        if (Deny-IcingaJEACommand -Command $cmd) {
+            continue;
+        }
+
         $UsedCmdlets = Get-IcingaCommandDependency `
             -DependencyList $DependencyList `
             -CompiledList $UsedCmdlets `
diff --git a/lib/core/jea/Read-IcingaPowerShellModuleFile.psm1 b/lib/core/jea/Read-IcingaPowerShellModuleFile.psm1
@@ -177,5 +177,6 @@ function Read-IcingaPowerShellModuleFile()
         'AliasList'         = $AliasList;
         'ExportFunction'    = $ExportFunctionList;
         'ExportCmdlet'      = $ExportCmdletList;
+        'Comments'          = $Comments;
     };
 }

Original file line number	Diff line number	Diff line change
`@@ -177,5 +177,6 @@ function Read-IcingaPowerShellModuleFile()`
`177`	`177`	`'AliasList' = $AliasList;`
`178`	`178`	`'ExportFunction' = $ExportFunctionList;`
`179`	`179`	`'ExportCmdlet' = $ExportCmdletList;`
	`180`	`+ 'Comments' = $Comments;`
`180`	`181`	`};`
`181`	`182`	`}`