60 commits
f643a88
Initial check in
PaulHigin Mar 14, 2023
73cbf1b
Second wave implementation
PaulHigin Mar 15, 2023
26dddfe
Third wave implementation
PaulHigin Mar 16, 2023
b2d6504
Fix up FL checks
PaulHigin Mar 16, 2023
7c0e06d
Fix up CL checks
PaulHigin Mar 16, 2023
e5dce9e
Fix file check
PaulHigin Mar 16, 2023
bf98edf
Fix missing method invocation logs
PaulHigin Mar 20, 2023
eb7977d
Fix target type name.
PaulHigin Mar 20, 2023
10f0362
Add FQID to log
PaulHigin Mar 21, 2023
ea46b6d
Add actual logging calls
PaulHigin Mar 21, 2023
909e4ae
Fix log logic
PaulHigin Mar 21, 2023
af2ed43
Fix logic and clean up
PaulHigin Mar 21, 2023
3310de3
Add stub for LogWDACAuditMessage
PaulHigin Mar 22, 2023
3c60d6c
Add missing language mode to stub
PaulHigin Mar 22, 2023
c774587
Fix CodeFactor and logic bug
PaulHigin Mar 22, 2023
9d5b9de
Fix logic bug for COM
PaulHigin Mar 22, 2023
3b82f9a
Add Audit mode to binding language transition.
PaulHigin Mar 22, 2023
8161f8d
Begin adding WDAC audit log strings to resources.
PaulHigin Mar 27, 2023
d6dab7e
Move more WDAC messages to resources
PaulHigin Mar 28, 2023
5706591
Final WDAC messages to resources
PaulHigin Mar 28, 2023
075c6ff
Make experimental feature.
PaulHigin Apr 3, 2023
4f2a7f9
Add scriptblock Id
PaulHigin Apr 3, 2023
01c636a
Add debugger drop
PaulHigin Apr 4, 2023
82f8965
Add debugger conditions
PaulHigin Apr 4, 2023
55cdeba
Fix debug break
PaulHigin Apr 4, 2023
dd921d7
Fix non-Windows build
PaulHigin Apr 4, 2023
4680b26
Add script context to messages
PaulHigin Apr 13, 2023
c79cb53
Fix debug position message
PaulHigin Apr 13, 2023
2ed7819
Fix position message for remote session
PaulHigin Apr 17, 2023
bcb4286
Add execution context to WDAC log method
PaulHigin Apr 19, 2023
db5b4ae
Fix LogWDACAuditMessage stub
PaulHigin Apr 19, 2023
9e7dbf5
Fix codeql, improve event messages.
PaulHigin Apr 25, 2023
388bd73
Address code review feedback 1
PaulHigin May 5, 2023
a0b92b0
Initial submission
PaulHigin May 10, 2023
782b2e9
Add missing audit message
PaulHigin May 12, 2023
48db313
Fix logic in AddType
PaulHigin May 15, 2023
4d4b785
Refactor to make audit patterns consistent
PaulHigin May 15, 2023
ccea1d0
Part 2 code review feedback
PaulHigin May 18, 2023
943a303
Update src/System.Management.Automation/resources/Modules.resx
PaulHigin May 18, 2023
692d278
Update src/System.Management.Automation/resources/Modules.resx
PaulHigin May 18, 2023
b6f1123
Update src/System.Management.Automation/resources/ParameterBinderStri…
PaulHigin May 18, 2023
5b12cbb
Update src/System.Management.Automation/resources/ParameterBinderStri…
PaulHigin May 18, 2023
23a5fe9
Update src/Microsoft.PowerShell.Commands.Utility/resources/NewObjectS…
PaulHigin May 22, 2023
0bf466a
Update event messages based on review feedback
PaulHigin May 22, 2023
3c58c21
Update src/Microsoft.PowerShell.Commands.Utility/commands/utility/New…
PaulHigin May 22, 2023
40811ce
Update src/Microsoft.PowerShell.Commands.Utility/commands/utility/New…
PaulHigin May 22, 2023
9de50b6
Update src/System.Management.Automation/engine/CommandProcessorBase.cs
PaulHigin May 22, 2023
ec44bce
Update src/System.Management.Automation/engine/Modules/ModuleCmdletBa…
PaulHigin May 22, 2023
1cb2f58
Update src/System.Management.Automation/engine/Modules/ModuleCmdletBa…
PaulHigin May 22, 2023
6659779
Update src/System.Management.Automation/engine/Modules/ModuleCmdletBa…
PaulHigin May 22, 2023
e7691c9
Update src/System.Management.Automation/engine/Modules/NewModuleComma…
PaulHigin May 22, 2023
cae42e4
Update src/System.Management.Automation/engine/LanguagePrimitives.cs
PaulHigin May 22, 2023
5136c3d
Update src/System.Management.Automation/engine/debugger/debugger.cs
PaulHigin May 22, 2023
c17fd21
Update src/System.Management.Automation/engine/Modules/ModuleCmdletBa…
PaulHigin May 22, 2023
ce8f375
Implement CR suggestions
PaulHigin May 22, 2023
d00e431
Update src/System.Management.Automation/resources/ParserStrings.resx
PaulHigin May 22, 2023
01bad2c
Fix message tense
PaulHigin May 22, 2023
6816980
Update src/System.Management.Automation/engine/runtime/Operations/Mis…
PaulHigin May 22, 2023
a88ef43
Update src/System.Management.Automation/engine/Modules/ModuleCmdletBa…
PaulHigin May 22, 2023
9816fb8
More CR changes
PaulHigin May 22, 2023
Expand Up @@ -556,15 +556,24 @@ protected override void BeginProcessing()
{
// Prevent code compilation in ConstrainedLanguage mode, or NoLanguage mode under system lock down.
if (SessionState.LanguageMode == PSLanguageMode.ConstrainedLanguage ||
(SessionState.LanguageMode == PSLanguageMode.NoLanguage &&
SystemPolicy.GetSystemLockdownPolicy() == SystemEnforcementMode.Enforce))
(SessionState.LanguageMode == PSLanguageMode.NoLanguage && SystemPolicy.GetSystemLockdownPolicy() == SystemEnforcementMode.Enforce))
{
ThrowTerminatingError(
new ErrorRecord(
new PSNotSupportedException(AddTypeStrings.CannotDefineNewType),
nameof(AddTypeStrings.CannotDefineNewType),
ErrorCategory.PermissionDenied,
targetObject: null));
if (SystemPolicy.GetSystemLockdownPolicy() != SystemEnforcementMode.Audit)
{
ThrowTerminatingError(
new ErrorRecord(
new PSNotSupportedException(AddTypeStrings.CannotDefineNewType),
nameof(AddTypeStrings.CannotDefineNewType),
ErrorCategory.PermissionDenied,
targetObject: null));
}

SystemPolicy.LogWDACAuditMessage(
context: Context,
title: AddTypeStrings.AddTypeLogTitle,
message: AddTypeStrings.AddTypeLogMessage,
fqid: "AddTypeCmdletDisabled",
dropIntoDebugger: true);
}

// 'ConsoleApplication' and 'WindowsApplication' types are currently not working in .NET Core
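Review bot: `SystemPolicy.GetSystemLockdownPolicy()` is read twice in this block, once in the entry condition and again at the Audit test on the first line inside it; if the two reads could ever disagree, a NoLanguage session could enter on Enforce and then skip the throw on Audit, and the COM hunk in New-Object avoids exactly this by caching the value in a local. Hoist it the same way: `var lockdownPolicy = SystemPolicy.GetSystemLockdownPolicy();` before the `if`, and compare `lockdownPolicy` in both places. Note also that the Audit test applies to every ConstrainedLanguage session, including one whose language mode was set by something other than the machine lockdown policy, so under an Audit policy Add-Type is logged rather than blocked for those sessions too; if that is intended, a one-line comment stating it would save the next reader the question. BeginProcessing continues outside the hunk.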
Expand Up @@ -7,6 +7,7 @@
using System.IO;
using System.Management.Automation;
using System.Management.Automation.Internal;
using System.Management.Automation.Security;

namespace Microsoft.PowerShell.Commands
{
Expand Down Expand Up @@ -146,16 +147,23 @@ protected override void ProcessRecord()
}

// Prevent additional commands in ConstrainedLanguage mode
if (Context.LanguageMode == PSLanguageMode.ConstrainedLanguage)
if (_setSupportedCommand && Context.LanguageMode == PSLanguageMode.ConstrainedLanguage)
{
if (_setSupportedCommand)
if (SystemPolicy.GetSystemLockdownPolicy() != SystemEnforcementMode.Audit)
{
NotSupportedException nse =
PSTraceSource.NewNotSupportedException(
ImportLocalizedDataStrings.CannotDefineSupportedCommand);
ThrowTerminatingError(
new ErrorRecord(nse, "CannotDefineSupportedCommand", ErrorCategory.PermissionDenied, null));
}

SystemPolicy.LogWDACAuditMessage(
context: Context,
title: ImportLocalizedDataStrings.WDACLogTitle,
message: ImportLocalizedDataStrings.WDACLogMessage,
fqid: "SupportedCommandsDisabled",
dropIntoDebugger: true);
}

string script = GetScript(path);
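Review bot: The audit record written after the `_setSupportedCommand` check does not say which commands were requested, unlike the New-Object hunks which format the type or COM identifier into the message, so someone triaging the log cannot tell what would have been blocked. If the `SupportedCommand` values are available at this point, format them in, e.g. `message: StringUtil.Format(ImportLocalizedDataStrings.WDACLogMessage, string.Join(", ", SupportedCommand)),` with a `{0}` placeholder added to the resource string. The fqid `"SupportedCommandsDisabled"` also differs from the error id `"CannotDefineSupportedCommand"` thrown two lines above for the same condition; using one identifier for both would make enforce-mode errors and audit-mode events correlate. ProcessRecord continues outside the hunk.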
Expand Up @@ -4,6 +4,7 @@
using System;
using System.Management.Automation;
using System.Management.Automation.Internal;
using System.Management.Automation.Security;

namespace Microsoft.PowerShell.Commands
{
Expand Down Expand Up @@ -43,6 +44,16 @@ protected override void ProcessRecord()
myScriptBlock.LanguageMode = PSLanguageMode.ConstrainedLanguage;
}

if (SystemPolicy.GetSystemLockdownPolicy() == SystemEnforcementMode.Audit)
{
SystemPolicy.LogWDACAuditMessage(
context: Context,
title: UtilityCommonStrings.IEXWDACLogTitle,
message: UtilityCommonStrings.IEXWDACLogMessage,
fqid: "InvokeExpressionCmdletConstrained",
dropIntoDebugger: true);
}

var emptyArray = Array.Empty<object>();
myScriptBlock.InvokeUsingCmdlet(
contextCmdlet: this,
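Review bot: The new audit log is written whenever the lockdown policy is Audit, but it sits after, not inside, the block that sets `myScriptBlock.LanguageMode = PSLanguageMode.ConstrainedLanguage;`, so the "will be run in ConstrainedLanguage mode" event can be emitted even when that block did not run; the other cmdlet hunks in this change gate the log on the language-mode condition as well. If the enclosing `if` (its condition starts outside the hunk) is the ConstrainedLanguage check, moving the `SystemPolicy.LogWDACAuditMessage(...)` call inside it would make the event match what actually happened. ProcessRecord continues outside the hunk.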
Expand Up @@ -187,18 +187,30 @@ protected override void BeginProcessing()
targetObject: null));
}

if (Context.LanguageMode == PSLanguageMode.ConstrainedLanguage)
{
if (!CoreTypes.Contains(type))
{
ThrowTerminatingError(
new ErrorRecord(
new PSNotSupportedException(NewObjectStrings.CannotCreateTypeConstrainedLanguage), "CannotCreateTypeConstrainedLanguage", ErrorCategory.PermissionDenied, null));
}
}

switch (Context.LanguageMode)
{
case PSLanguageMode.ConstrainedLanguage:
if (!CoreTypes.Contains(type))
{
if (SystemPolicy.GetSystemLockdownPolicy() != SystemEnforcementMode.Audit)
{
ThrowTerminatingError(
new ErrorRecord(
new PSNotSupportedException(NewObjectStrings.CannotCreateTypeConstrainedLanguage),
"CannotCreateTypeConstrainedLanguage",
ErrorCategory.PermissionDenied,
targetObject: null));
}

SystemPolicy.LogWDACAuditMessage(
context: Context,
title: NewObjectStrings.TypeWDACLogTitle,
message: StringUtil.Format(NewObjectStrings.TypeWDACLogMessage, type.FullName),
fqid: "NewObjectCmdletCannotCreateType",
dropIntoDebugger: true);
}
break;

case PSLanguageMode.NoLanguage:
case PSLanguageMode.RestrictedLanguage:
if (SystemPolicy.GetSystemLockdownPolicy() == SystemEnforcementMode.Enforce
Expand All @@ -212,8 +224,7 @@ protected override void BeginProcessing()
ErrorCategory.PermissionDenied,
targetObject: null));
}

break;
break;
}

// WinRT does not support creating instances of attribute & delegate WinRT types.
Expand Down Expand Up @@ -301,21 +312,31 @@ protected override void BeginProcessing()
bool isAllowed = false;

// If it's a system-wide lockdown, we may allow additional COM types
if (SystemPolicy.GetSystemLockdownPolicy() == SystemEnforcementMode.Enforce)
var systemLockdownPolicy = SystemPolicy.GetSystemLockdownPolicy();
if (systemLockdownPolicy == SystemEnforcementMode.Enforce || systemLockdownPolicy == SystemEnforcementMode.Audit)
{
if ((result >= 0) &&
SystemPolicy.IsClassInApprovedList(_comObjectClsId))
{
isAllowed = true;
}
isAllowed = (result >= 0) && SystemPolicy.IsClassInApprovedList(_comObjectClsId);
}

if (!isAllowed)
{
ThrowTerminatingError(
new ErrorRecord(
new PSNotSupportedException(NewObjectStrings.CannotCreateTypeConstrainedLanguage), "CannotCreateComTypeConstrainedLanguage", ErrorCategory.PermissionDenied, null));
return;
if (SystemPolicy.GetSystemLockdownPolicy() != SystemEnforcementMode.Audit)
{
ThrowTerminatingError(
new ErrorRecord(
new PSNotSupportedException(NewObjectStrings.CannotCreateTypeConstrainedLanguage),
"CannotCreateComTypeConstrainedLanguage",
ErrorCategory.PermissionDenied,
targetObject: null));
return;
}

SystemPolicy.LogWDACAuditMessage(
context: Context,
title: NewObjectStrings.ComWDACLogTitle,
message: StringUtil.Format(NewObjectStrings.ComWDACLogMessage, ComObject ?? string.Empty),
fqid: "NewObjectCmdletCannotCreateCOM",
dropIntoDebugger: true);
}
}

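Review bot: In the COM hunk the policy is cached as `systemLockdownPolicy` and then re-queried a few lines later in the `!isAllowed` branch, which is inconsistent with the reason for introducing the local; the type hunk above also calls `SystemPolicy.GetSystemLockdownPolicy()` inline inside the `ConstrainedLanguage` case. Use the local in the COM branch, `if (systemLockdownPolicy != SystemEnforcementMode.Audit)`, and consider hoisting one read to the top of BeginProcessing so every case in the `switch` and the COM path decide on the same value. BeginProcessing starts and ends outside the hunks.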
Expand Up @@ -150,4 +150,10 @@
<data name="AssemblyTypeNotSupported" xml:space="preserve">
<value>Both the assembly types 'ConsoleApplication' and 'WindowsApplication' are not currently supported.</value>
</data>
<data name="AddTypeLogTitle" xml:space="preserve">
<value>Add-Type Cmdlet</value>
</data>
<data name="AddTypeLogMessage" xml:space="preserve">
<value>Add-Type cmdlet will not be allowed in ConstrainedLanguage mode.</value>
</data>
</root>
Expand Up @@ -143,4 +143,10 @@
<data name="IncorrectVariableName" xml:space="preserve">
<value>The BindingVariable name '{0}' is invalid.</value>
</data>
<data name="WDACLogTitle" xml:space="preserve">
<value>Import-LocalizedData Cmdlet</value>
</data>
<data name="WDACLogMessage" xml:space="preserve">
<value>Additional supported commands (via SupportedCommand parameter) will not be allowed in ConstrainedLanguage mode.</value>
</data>
</root>
Expand Up @@ -147,4 +147,16 @@
<data name="CannotCreateTypeLanguageMode" xml:space="preserve">
<value>Cannot create type. Only core types are supported in {0} language mode on a policy locked down machine.</value>
</data>
<data name="TypeWDACLogTitle" xml:space="preserve">
<value>New-Object Cmdlet Type Creation</value>
</data>
<data name="TypeWDACLogMessage" xml:space="preserve">
<value>The type '{0}' will not be created in ConstrainedLanguage mode.</value>
</data>
<data name="ComWDACLogTitle" xml:space="preserve">
<value>New-Object Cmdlet COM Object Creation</value>
</data>
<data name="ComWDACLogMessage" xml:space="preserve">
<value>The COM object '{0}' will not be created in ConstrainedLanguage mode.</value>
</data>
</root>
Expand Up @@ -168,4 +168,10 @@
<data name="InvalidSDDL" xml:space="preserve">
<value>Cannot construct a security descriptor from the given SDDL due to the following error: {0}</value>
</data>
<data name="IEXWDACLogTitle" xml:space="preserve">
<value>Invoke-Expression Cmdlet</value>
</data>
<data name="IEXWDACLogMessage" xml:space="preserve">
<value>Invoke-Expression cmdlet script block will be run in ConstrainedLanguage mode.</value>
</data>
</root>
10 changes: 9 additions & 1 deletion src/Microsoft.PowerShell.ConsoleHost/host/msh/ConsoleHost.cs
Expand Up @@ -16,6 +16,7 @@
using System.Management.Automation.Remoting;
using System.Management.Automation.Remoting.Server;
using System.Management.Automation.Runspaces;
using System.Management.Automation.Security;
using System.Management.Automation.Subsystem.Feedback;
using System.Management.Automation.Tracing;
using System.Reflection;
Expand Down Expand Up @@ -1839,7 +1840,14 @@ private void DoRunspaceInitialization(RunspaceCreationEventArgs args)
switch (languageMode)
{
case PSLanguageMode.ConstrainedLanguage:
s_theConsoleHost.UI.WriteLine(ManagedEntranceStrings.ShellBannerCLMode);
if (SystemPolicy.GetSystemLockdownPolicy() != SystemEnforcementMode.Audit)
{
s_theConsoleHost.UI.WriteLine(ManagedEntranceStrings.ShellBannerCLMode);
}
else
{
s_theConsoleHost.UI.WriteLine(ManagedEntranceStrings.ShellBannerCLAuditMode);
}
break;

case PSLanguageMode.NoLanguage:
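Review bot: The two `WriteLine` calls in the `ConstrainedLanguage` case differ only in the resource string, so an `if`/`else` around them is more ceremony than the choice needs; selecting the string and writing once reads closer to the surrounding one-line cases: `s_theConsoleHost.UI.WriteLine(SystemPolicy.GetSystemLockdownPolicy() == SystemEnforcementMode.Audit ? ManagedEntranceStrings.ShellBannerCLAuditMode : ManagedEntranceStrings.ShellBannerCLMode);`. DoRunspaceInitialization continues outside the hunk.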
Expand Up @@ -123,6 +123,9 @@
<data name="ShellBannerCLMode" xml:space="preserve">
<value>[Constrained Language Mode]</value>
</data>
<data name="ShellBannerCLAuditMode" xml:space="preserve">
<value>[Constrained Language AUDIT Mode : No Restrictions]</value>
</data>
<data name="ShellBannerNLMode" xml:space="preserve">
<value>[No Language Mode]</value>
</data>
24 changes: 23 additions & 1 deletion src/System.Management.Automation/CoreCLR/CorePsStub.cs
Expand Up @@ -435,6 +435,23 @@ internal sealed class SystemPolicy
{
private SystemPolicy() { }

/// <summary>
/// Writes to PowerShell WDAC Audit mode ETW log.
/// </summary>
/// <param name="context">Current execution context.</param>
/// <param name="title">Audit message title.</param>
/// <param name="message">Audit message message.</param>
/// <param name="fqid">Fully Qualified ID.</param>
/// <param name="dropIntoDebugger">Stops code execution and goes into debugger mode.</param>
internal static void LogWDACAuditMessage(
ExecutionContext context,
string title,
string message,
string fqid,
bool dropIntoDebugger = false)
{
}

/// <summary>
/// Gets the system lockdown policy.
/// </summary>
Expand Down Expand Up @@ -511,7 +528,12 @@ public enum SystemScriptFileEnforcement
/// <summary>
/// Script file is allowed to run in ConstrainedLanguage mode only.
/// </summary>
AllowConstrained = 3
AllowConstrained = 3,

/// <summary>
/// Script file is allowed to run in FullLanguage mode but will emit ConstrainedLanguage restriction audit logs.
/// </summary>
AllowConstrainedAudit = 4
}
}

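Review bot: The XML doc on the `LogWDACAuditMessage` stub says it "Writes to PowerShell WDAC Audit mode ETW log" and that `dropIntoDebugger` "Stops code execution and goes into debugger mode", but the body is empty, so on this build neither happens; a reader of the stub file deserves to be told that. Add a remark such as `/// <remarks>No-op in this build; WDAC auditing is not available here and all arguments are ignored.</remarks>` and fix the `message` parameter text, `/// <param name="message">Audit message body.</param>`, which currently reads "Audit message message". The `AllowConstrainedAudit = 4` addition below is documented clearly.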
21 changes: 16 additions & 5 deletions src/System.Management.Automation/engine/Attributes.cs
Expand Up @@ -9,6 +9,7 @@
using System.Linq;
using System.Management.Automation.Internal;
using System.Management.Automation.Language;
using System.Management.Automation.Security;
using System.Runtime.CompilerServices;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
Expand Down Expand Up @@ -1829,11 +1830,21 @@ protected override void Validate(object arguments, EngineIntrinsics engineIntrin
{
if (ExecutionContext.IsMarkedAsUntrusted(arguments))
{
throw new ValidationMetadataException(
"ValidateTrustedDataFailure",
null,
Metadata.ValidateTrustedDataFailure,
arguments);
if (SystemPolicy.GetSystemLockdownPolicy() != SystemEnforcementMode.Audit)
{
throw new ValidationMetadataException(
"ValidateTrustedDataFailure",
null,
Metadata.ValidateTrustedDataFailure,
arguments);
}

SystemPolicy.LogWDACAuditMessage(
context: null,
title: Metadata.WDACParameterArgNotTrustedLogTitle,
message: StringUtil.Format(Metadata.WDACParameterArgNotTrustedMessage, arguments),
fqid: "ParameterArgumentNotTrusted",
dropIntoDebugger: true);
}
}
}
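Review bot: This is the only call site in the change that passes `context: null` to `SystemPolicy.LogWDACAuditMessage`, while also asking for `dropIntoDebugger: true`; every other call passes the cmdlet's `Context`, and without one the event presumably cannot carry script position information or reach the debugger, so this record will likely be harder to triage than the others. `Validate` receives `engineIntrinsics` in its signature; if the engine's execution context is reachable from it, pass that instead of `null`, otherwise a comment on the `null` saying why no context is available would help. Separately, the message formats the untrusted `arguments` object itself into the audit event via `StringUtil.Format`, so consider whether the event should carry the value's type name or a bounded excerpt rather than an arbitrary-length `ToString()`; the enforce-mode exception already does the same, so this is a consistency choice.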
3 changes: 2 additions & 1 deletion src/System.Management.Automation/engine/CommandProcessor.cs
Expand Up @@ -227,6 +227,7 @@ internal override void Prepare(IDictionary psDefaultParameterValues)
Context.LanguageMode = scriptCmdletInfo.ScriptBlock.LanguageMode.Value;

// If it's from ConstrainedLanguage to FullLanguage, indicate the transition before parameter binding takes place.
// When transitioning to FullLanguage mode, we don't want any ConstrainedLanguage restrictions or incorrect Audit messages.
if (oldLanguageMode == PSLanguageMode.ConstrainedLanguage && Context.LanguageMode == PSLanguageMode.FullLanguage)
{
oldLangModeTransitionStatus = Context.LanguageModeTransitionInParameterBinding;
Expand Down Expand Up @@ -779,7 +780,7 @@ private void Init(IScriptCommandInfo scriptCommandInfo)
// If the script has been dotted, throw an error if it's from a different language mode.
if (!this.UseLocalScope)
{
ValidateCompatibleLanguageMode(scriptCommandInfo.ScriptBlock, _context.LanguageMode, Command.MyInvocation);
ValidateCompatibleLanguageMode(scriptCommandInfo.ScriptBlock, _context, Command.MyInvocation);
}
}
