diff --git a/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py b/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py index d9ac15f978..c6be40985f 100644 --- a/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py +++ b/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py @@ -1,6 +1,7 @@ import wmi, sys, winreg, os, subprocess, json, re from datetime import datetime, timedelta - +import argparse +import configparser ## Define modules modules=[] @@ -333,22 +334,18 @@ def check_password_enforcement(): print("Failed to check password enforcement for users.", file=sys.stderr) -def check_login_audit_policy(): +def check_login_audit_policy(auditpol_logon_category, auditpol_logon_success_conf, auditpol_logon_noaudit_conf): try: # Run the auditpol command to check the audit policy for Logon/Logoff - cmd_command = "auditpol /get /subcategory:Logon" + cmd_command = f'auditpol /get /subcategory:"{auditpol_logon_category}"' result = subprocess.run(cmd_command, shell=True, capture_output=True, text=True, check=True) last_line = result.stdout.strip().split('\n')[-1] cleaned_line = re.sub(' +', ' ', last_line) # Interpret the result - if "Success and Failure" in result.stdout: + if auditpol_logon_success_conf in result.stdout: result = 1 - elif "Aciertos y errores" in result.stdout: - result = 1 - elif "No Auditing" in result.stdout: - result = 0 - elif "Sin auditoría" in result.stdout: + elif auditpol_logon_noaudit_conf in result.stdout: result = 0 else: print("Unable to determine audit policy for Logon/Logoff events.", file=sys.stderr) @@ -366,14 +363,36 @@ def check_login_audit_policy(): print("Failed to check audit policy using auditpol command.", file=sys.stderr) return +def parse_parameter(config=None, key="", default=""): + try: + return config.get("CONF", key) + except Exception as e: + return default if __name__ == "__main__": + + # Parse arguments + parser = argparse.ArgumentParser(description= "", formatter_class=argparse.RawTextHelpFormatter) + parser.add_argument('--conf', help='Path to configuration file', metavar='', required=False) + args = parser.parse_args() + config = configparser.ConfigParser() + + if(args.conf): + try: + config.read_string('[CONF]\n' + open(args.conf).read()) + except Exception as e: + print("Error while reading configuration file, using default values: "+str(e), file=sys.stderr) + + auditpol_logon_category = parse_parameter(config, "auditpol_logon_category", "Logon") + auditpol_logon_success_conf = parse_parameter(config, "auditpol_logon_success_conf", "Success and Failure") + auditpol_logon_noaudit_conf = parse_parameter(config, "auditpol_logon_noaudit_conf", "No Auditing") + check_antivirus_status() check_locksreen_enables() get_windows_update_info() is_firewall_enabled() check_password_enforcement() - check_login_audit_policy() + check_login_audit_policy(auditpol_logon_category, auditpol_logon_success_conf, auditpol_logon_noaudit_conf) for module in modules: print_module(module, True) diff --git a/pandora_agents/win32/bin/util/pandora_security_win.conf b/pandora_agents/win32/bin/util/pandora_security_win.conf new file mode 100644 index 0000000000..7986220bb4 --- /dev/null +++ b/pandora_agents/win32/bin/util/pandora_security_win.conf @@ -0,0 +1,8 @@ +auditpol_logon_category = Logon +#auditpol_logon_category = Inicio de sesión + +auditpol_logon_success_conf = Success and Failure +#auditpol_logon_success_conf = Aciertos y errores + +auditpol_logon_noaudit_conf = No Auditing +#auditpol_logon_noaudit_conf = Sin auditoría \ No newline at end of file