Skip to content

Commit

Permalink
Merge branch 'testing' into add-ownership-remediation-to-mode-4
Browse files Browse the repository at this point in the history
  • Loading branch information
@TrimarcJake
TrimarcJake authored Jan 20, 2024
2 parents 66c6670 + cf01a2a commit 76e3c19
Show file tree
Hide file tree
Showing 5 changed files with 269 additions and 1 deletion.
181 changes: 181 additions & 0 deletions .github/workflows/mega-linter.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,181 @@
# MegaLinter GitHub Action configuration file
# More info at https://megalinter.io
---
name: MegaLinter

# Trigger mega-linter at every push. Action will also be visible from Pull Requests to main
on:
# Comment this line to trigger action only on pull-requests
# (not recommended if you don't pay for GH Actions)
push:

pull_request:
branches:
- main
- testing
- dev
- experimental

# Comment env block if you do not want to apply fixes
env:
# Apply linter fixes configuration
#
# When active, APPLY_FIXES must also be defined as environment variable
# (in github/workflows/mega-linter.yml or other CI tool)
APPLY_FIXES: all

# Decide which event triggers application of fixes in a commit or a PR
# (pull_request, push, all)
APPLY_FIXES_EVENT: pull_request

# If APPLY_FIXES is used, defines if the fixes are directly committed (commit)
# or posted in a PR (pull_request)
APPLY_FIXES_MODE: commit

concurrency:
group: ${{ github.ref }}-${{ github.workflow }}
cancel-in-progress: true

jobs:
megalinter:
name: MegaLinter
runs-on: ubuntu-latest

# Give the default GITHUB_TOKEN write permission to commit and push, comment
# issues & post new PR; remove the ones you do not need
permissions:
contents: write
issues: write
pull-requests: write

steps:

# Git Checkout
- name: Checkout Code
uses: actions/checkout@v4
with:
token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}

# If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to
# improve performance
fetch-depth: 0

# MegaLinter
- name: MegaLinter

# You can override MegaLinter flavor used to have faster performances
# More info at https://megalinter.io/flavors/
# The dotnet flavor includes PowerShell, MD, YAML, JSON, spelling, and more.
uses: oxsecurity/megalinter/flavors/dotnet@v7.7.0

id: ml

# All available variables are described in documentation
# https://megalinter.io/configuration/
env:

# Validates all source when push on main, else just the git diff with
# main. Override with true if you always want to lint all sources
#
# To validate the entire codebase, set to:
# VALIDATE_ALL_CODEBASE: true
#
# To validate only diff with main, set to:
# VALIDATE_ALL_CODEBASE: >-
# ${{
# github.event_name == 'push' &&
# contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref)
# }}
VALIDATE_ALL_CODEBASE: >-
${{
github.event_name == 'push' &&
contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref)
}}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

# ADD YOUR CUSTOM ENV VARIABLES HERE OR DEFINE THEM IN A FILE
# .mega-linter.yml AT THE ROOT OF YOUR REPOSITORY

# Uncomment to disable copy-paste and spell checks
# DISABLE: COPYPASTE,SPELL
DISABLE_ERRORS: true
DISABLE_LINTERS: SPELL_LYCHEE
# Uncomment DISABLE_ERRORS_LINTERS if you want to turn errors back on selectively.
# DISABLE_ERRORS_LINTERS: REPOSITORY_DEVSKIM,REPOSITORY_KICS,REPOSITORY_CHECKOV,POWERSHELL_POWERSHELL,SPELL_CSPELL

# Upload MegaLinter artifacts
- name: Archive production artifacts
uses: actions/upload-artifact@v4
if: success() || failure()
with:
name: MegaLinter reports
path: |
megalinter-reports
mega-linter.log
# Set APPLY_FIXES_IF var for use in future steps
- name: Set APPLY_FIXES_IF var
run: |
printf 'APPLY_FIXES_IF=%s\n' "${{
steps.ml.outputs.has_updated_sources == 1 &&
(
env.APPLY_FIXES_EVENT == 'all' ||
env.APPLY_FIXES_EVENT == github.event_name
) &&
(
github.event_name == 'push' ||
github.event.pull_request.head.repo.full_name == github.repository
)
}}" >> "${GITHUB_ENV}"
# Set APPLY_FIXES_IF_* vars for use in future steps
- name: Set APPLY_FIXES_IF_* vars
run: |
printf 'APPLY_FIXES_IF_PR=%s\n' "${{
env.APPLY_FIXES_IF == 'true' &&
env.APPLY_FIXES_MODE == 'pull_request'
}}" >> "${GITHUB_ENV}"
printf 'APPLY_FIXES_IF_COMMIT=%s\n' "${{
env.APPLY_FIXES_IF == 'true' &&
env.APPLY_FIXES_MODE == 'commit' &&
(!contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref))
}}" >> "${GITHUB_ENV}"
# Create pull request if applicable
# (for now works only on PR from same repository, not from forks)
- name: Create Pull Request with applied fixes
uses: peter-evans/create-pull-request@v5
id: cpr
if: env.APPLY_FIXES_IF_PR == 'true'
with:
token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
commit-message: "[MegaLinter] Apply linters automatic fixes"
title: "[MegaLinter] Apply linters automatic fixes"
labels: bot

- name: Create PR output
if: env.APPLY_FIXES_IF_PR == 'true'
run: |
echo "PR Number - ${{ steps.cpr.outputs.pull-request-number }}"
echo "PR URL - ${{ steps.cpr.outputs.pull-request-url }}"
# Push new commit if applicable
# (for now works only on PR from same repository, not from forks)
- name: Prepare commit
if: env.APPLY_FIXES_IF_COMMIT == 'true'
run: sudo chown -Rc $UID .git/

- name: Commit and push applied linter fixes
uses: stefanzweifel/git-auto-commit-action@v5
if: env.APPLY_FIXES_IF_COMMIT == 'true'
with:
branch: >-
${{
github.event.pull_request.head.ref ||
github.head_ref ||
github.ref
}}
commit_message: "[MegaLinter] Apply linters fixes"
commit_user_name: megalinter-bot
commit_user_email: megalinter@dotdot.horse
49 changes: 49 additions & 0 deletions .github/workflows/powershell.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
#
# https://github.com/microsoft/action-psscriptanalyzer
# For more information on PSScriptAnalyzer in general, see
# https://github.com/PowerShell/PSScriptAnalyzer

name: PSScriptAnalyzer

on:
push:
branches: [ "testing" ]
pull_request:
branches: [ "testing" ]
schedule:
- cron: '41 14 * * 4'

permissions:
contents: read

jobs:
build:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: PSScriptAnalyzer
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3

- name: Run PSScriptAnalyzer
uses: microsoft/psscriptanalyzer-action@6b2948b1944407914a58661c49941824d149734f
with:
# Check https://github.com/microsoft/action-psscriptanalyzer for more info about the options.
# The below set up runs PSScriptAnalyzer to your entire repository and runs some basic security rules.
path: .\
recurse: true
# Include your own basic security rules. Removing this option will run all the rules
includeRule: '"PSAvoidGlobalAliases", "PSAvoidUsingConvertToSecureStringWithPlainText"'
output: results.sarif

# Upload the SARIF file generated in the previous step
- name: Upload SARIF results file
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif
1 change: 1 addition & 0 deletions Build/Build-Module.ps1
View file
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@ Build-Module -ModuleName 'Locksmith' {
Copyright = "(c) 2022 - $((Get-Date).Year). All rights reserved."
Description = 'A small tool to find and fix common misconfigurations in Active Directory Certificate Services.'
ProjectUri = 'https://github.com/TrimarcJake/Locksmith'
IconUri = 'https://github.com/TrimarcJake/Locksmith/Images/locksmith.ico'
PowerShellVersion = '5.1'
Tags = @('Windows', 'Locksmith', 'CA', 'PKI', 'ActiveDirectory', 'CertificateServices','ADCS')
}
Expand Down
Binary file added Images/locksmith.ico
View file
Binary file not shown.
39 changes: 38 additions & 1 deletion README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,18 @@

A ~~tiny~~ small tool built to detect and fix common misconfigurations in Active Directory Certificate Services.

<!-- locksmith-badges-start -->
![GitHub release](https://img.shields.io/github/v/release/trimarcjake/locksmith?sort=semver)
![GitHub top language](https://img.shields.io/github/languages/top/trimarcjake/locksmith)
![PowerShell Gallery Platform Support](https://img.shields.io/powershellgallery/p/locksmith)
[![GitHub contributors](https://img.shields.io/github/contributors/trimarcjake/locksmith.svg)](https://github.com/trimarcjake/locksmith/graphs/contributors/)
[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg)](http://makeapullrequest.com)
![GitHub Actions Workflow Status](https://img.shields.io/github/actions/workflow/status/trimarcjake/Locksmith/powershell.yml?logo=github&label=PSScriptAnalyzer)
[![MegaLinter](https://github.com/trimarcjake/locksmith/workflows/MegaLinter/badge.svg?branch=testing)](https://github.com/trimarcjake/locksmith/actions?query=workflow%3AMegaLinter+branch%3Atesting)
![PowerShell Gallery Downloads](https://img.shields.io/powershellgallery/dt/locksmith?logo=powershell&label=PowerShell%20Gallery%20Downloads&color=blue)
[![Tweet](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/intent/tweet?text=Checkout+Locksmith+and+fix+common+misconfigurations+in+Active+Directory+Certificate+Services.&url=https://github.com/trimarcjake/locksmith&hashtags=ADCS,PKI,infosec,powershell)
<!-- locksmith-badges-end -->

# Contents
1. [Installation](#Installation)
2. [Run Locksmith](#RunLocksmith)
Expand All @@ -27,7 +39,7 @@ A ~~tiny~~ small tool built to detect and fix common misconfigurations in Active
### Install module manually from GitHub:
1. Download the [latest module version](https://github.com/TrimarcJake/Locksmith/releases/latest) ( **Locksmith-v**\<YEAR\>**.**\<MONTH\>**.zip** )
2. Extract the downloaded zip file
3. Open a PowerShell prompt to the loction of the extracted file and run `Import-Module Locksmith.psd1`
3. Open a PowerShell prompt to the location of the extracted file and run `Import-Module Locksmith.psd1`

## Script
### Download the standalone script (classic) without module:
Expand Down Expand Up @@ -110,3 +122,28 @@ Invoke-Locksmith -Mode 4
```

Example Output for Mode 4: https://github.com/TrimarcJake/Locksmith/blob/main/examples/Mode4.md
<br>
<br>
<a name="Scans" id="Scans"></a>
## Scans:  Select Which Scans to Run
Use the `-Scans` parameter to choose which vulnerabilities to scan for. Acceptable values include `All`, `Auditing`, `ESC1`, `ESC2`, `ESC3`, `ESC4`, `ESC5`, `ESC6`, `ESC8`, or `PromptMe`. The `PromptMe` option presents an interactive list allowing you to select scans.

``` powershell
# Run all scans
Invoke-Locksmith -Scan All
```

``` powershell
# Prompt the user for a list of scans to select
Invoke-Locksmith.ps1 -Scans PromptMe
```

``` powershell
# Scan for ESC1 vulnerable paths
Invoke-Locksmith.ps1 -Scans ESC1
```

``` powershell
# Scan for ESC1, ESC2, and ESC8 vulnerable paths
Invoke-Locksmith.ps1 -Scans ESC1,ESC2,ESC8
```

0 comments on commit 76e3c19

Please sign in to comment.