using System; using System.Collections.Generic; using System.Linq; using System.Text; using System.Management.Automation; using System.Management.Automation.Provider; using System.Xml; using System.Security.Cryptography.X509Certificates; using System.Security.Cryptography; using Intel.Management.Wsman; namespace Intel.Management.PSModule.Amt { class AuditorService : SettingsContainer { public AuditorService(DriveItem parent) : base("AccessMonitor", parent) { _value = new LogContent(); } public override void GetChildItems(ChildWriter writer) { IWsmanConnection conn = ((AmtRootService)GetRoot()).Connection; IWsmanEnumeration colObj = conn.ExecQuery("SELECT * FROM AMT_AuditLog"); foreach (IWsmanItem item in colObj) { if (item.Object.GetProperty("Name").ToString().Equals("Intel(r) AMT:Audit Log")) { //AuditState String[] //EnabledState _settingsObj=item.Object; _refToSettings = conn.NewReference(item.Object.ResourceUri); _refToSettings.AddSelector("Name",item.Object.GetProperty("Name").ToString()); writer.Add(new AuditState(this)); writer.Add(new UIntSetting("CurrentNumberOfRecords",this)); writer.Add(new UIntSetting("MaxAllowedAuditors",this)); writer.Add(new UIntSetting("MaxNumberOfRecords",this)); if (this.HasSetting("MinDaysToKeep")) writer.Add(new UIntSetting("MinDaysToKeep",this)); if (this.HasSetting("OverwritePolicy")) writer.Add(new ValueMapSetting("OverwritePolicy", ValueList.StoragePolicy, this)); writer.Add(new UIntSetting("PercentageFree",this)); //StoragePolicy if (this.HasSetting("StoragePolicy")) writer.Add(new ValueMapSetting("StoragePolicy", ValueList.StoragePolicy, this)); writer.Add(new DriveEntry("TimeOfLastRecord", AmtDriveInfo.FormatDate(item.Object.GetProperty("TimeOfLastRecord")),this)); writer.Add(new Enabled(item.Object.GetProperty("EnabledState").ToString(), this)); writer.Add(new Signature(this)); writer.Add(new Events(this)); } } } /*public IManagedReference GetReference() { IWsmanConnection conn = ((AmtRootService)GetRoot()).Connection; return conn.NewReference("SELECT * FROM AMT_AuditLog WHERE Name='Intel(r) AMT:Audit Log'"); }*/ public override object GetReturnObject() { return new NameValuePairItem(Name, Value); } //static readonly int AUDIT_DISABLED = 1; //static readonly int AUDIT_NO_SIGNATURE = 16; enum AuditPolicyType { None=0, Critical=1, } class AuditGroupValue { int _groupId; public AuditGroupValue(int id) { _groupId = id; } public int GroupId { get { return _groupId; } } public override string ToString() { return "PolicyGroup"; } } class AuditPolicyValue { int _eventId; bool _enabled; AuditPolicyType _policyType; int _appId; public AuditPolicyValue(int eventId,int appId,bool enabled,AuditPolicyType policyType) { _eventId = eventId; _appId = appId; _enabled=enabled; _policyType=policyType; } public AuditPolicyValue(AuditPolicyValue copy) { _eventId = copy._eventId; _appId = copy._appId; _enabled = copy._enabled; _policyType = copy._policyType; } public int GroupId { get { return _appId; } } public int EventId { get { return _eventId; } } public bool Enabled { get { return _enabled; } set { _enabled = value; } } public AuditPolicyType PolicyType { get { return _policyType; } set { _policyType = value; } } public override string ToString() { string result = "Disabled"; if (_enabled && _policyType == AuditPolicyType.None) result = "Enabled"; if (_enabled && _policyType == AuditPolicyType.Critical) result = "Critical"; return result; } } class AuditPolicy : DriveItem { public AuditPolicy(string name, int eventId, int appId, bool enabled, AuditPolicyType policyType, DriveItem parent) : base(name, new AuditPolicyValue(eventId,appId,enabled,policyType), parent) { } public override void SetItem(object values, DriveProvider provider) { IWsmanConnection conn = ((AmtRootService)GetRoot()).Connection; AuditPolicyValue policy = new AuditPolicyValue((AuditPolicyValue)_value); IManagedReference refToPolicy = conn.NewReference("SELECT * FROM AMT_AuditPolicyRule"); IManagedInstance input = refToPolicy.CreateMethodInput("SetAuditPolicy"); if (string.Compare(values.ToString(), "Disable", true) == 0) { policy.Enabled = false; policy.PolicyType = AuditPolicyType.None; } else if (string.Compare(values.ToString(), "Enabled", true) == 0) { policy.Enabled = true; policy.PolicyType = AuditPolicyType.None; } else if (string.Compare(values.ToString(), "Critical", true) == 0) { policy.Enabled = true; policy.PolicyType = AuditPolicyType.Critical; } else { throw new PSArgumentException(); } input.SetProperty("Enable", policy.Enabled.ToString().ToLower()); input.SetProperty("AuditedAppID", policy.GroupId.ToString()); input.SetProperty("EventID", policy.EventId.ToString()); input.SetProperty("PolicyType", ((int)(policy.PolicyType)).ToString()); IManagedInstance outObj = refToPolicy.InvokeMethod(input); switch (outObj.GetProperty("ReturnValue").ToString()) { case "0": _value = policy; break; case "1": AmtException.ThrowInvokeError(outObj, "Internal Error"); break; case "2": AmtException.ThrowInvokeError(outObj, "Not Ready"); break; case "16": AmtException.ThrowInvokeError(outObj, "Not Permitted"); break; case "36": AmtException.ThrowInvokeError(outObj, "Invalid Parameter"); break; case "38": AmtException.ThrowInvokeError(outObj, "Flash write limit exceeded"); break; case "2075": AmtException.ThrowInvokeError(outObj, "Audit Fail"); break; default: AmtException.ThrowInvokeError(outObj); break; } } public override object GetReturnObject() { return new WideValueItem(Name, Value); } } class AuditGroup : DriveContainer { int _groupId; public AuditGroup(string name, int groupId, DriveItem parent) : base(name , parent) { //_value = new AuditGroupValue(groupId); _groupId = groupId; } private bool FindPolicyType(IManagedInstance ruleObj,int eventId, out AuditPolicyType policyType) { IWsmanItem eventItems = ruleObj.GetProperty("AuditApplicationEventID"); IWsmanItem ruleItems = ruleObj.GetProperty("PolicyType"); policyType = AuditPolicyType.None; bool result = false; for (int i = 0; i < eventItems.Count; i++) { string appevent = eventItems.Item(i).ToString(); // read policyNumer (appID + EventID) uint policyNumber = uint.Parse(appevent); // get policy Data byte[] policyData = BitConverter.GetBytes(policyNumber); //Array.Reverse(policyData); //read event/App IDs ushort eventNum = BitConverter.ToUInt16(policyData, 0); ushort appId = BitConverter.ToUInt16(policyData, 2); if ((int)eventNum == eventId && (int)appId == _groupId) { policyType = (AuditPolicyType)int.Parse(ruleItems.Item(i).ToString()); result = true; break; } } return result; } public override void GetChildItems(ChildWriter writer) { IWsmanConnection conn = ((AmtRootService)GetRoot()).Connection; IManagedReference refToPolicy = conn.NewReference("SELECT * FROM AMT_AuditPolicyRule"); IManagedInstance ruleObj = refToPolicy.Get(); XmlDocument doc = new XmlDocument(); doc.LoadXml(Intel.Management.PSModule.Properties.Resources.AuditEventsXML); XmlNode groupNode = doc.DocumentElement.SelectSingleNode(string.Format( "Group[@AppId=\"{0}\"]", _groupId.ToString())); XmlNodeList list = groupNode.ChildNodes; foreach (XmlNode node in list) { if (node.LocalName.Equals("Event")) { string name = ((XmlElement)node).GetAttribute("Name"); int eventId = int.Parse(((XmlElement)node).GetAttribute("EventId")); AuditPolicyType policyType; bool enabled=FindPolicyType(ruleObj,eventId, out policyType); writer.Add(new AuditPolicy(name, eventId,_groupId,enabled,policyType, this)); } } } public static DriveContainer LoadEvents(DriveItem parent) { DriveContainer result = new DriveContainer("Events", parent); XmlDocument doc = new XmlDocument(); doc.LoadXml(Intel.Management.PSModule.Properties.Resources.AuditEventsXML); XmlNodeList list = doc.DocumentElement.ChildNodes; foreach (XmlNode node in list) { if (node.LocalName.Equals("Group")) { string name = ((XmlElement)node).GetAttribute("Name"); int appId = int.Parse(((XmlElement)node).GetAttribute("AppId")); result.AddChildItem(new AuditGroup(name, appId, result)); } } return result; } public override object GetReturnObject() { return new NameValuePairItem(Name, Value); } } class Events : DriveContainer { public Events(DriveItem parent) : base("Events", parent) { } public override void GetChildItems(ChildWriter writer) { XmlDocument doc = new XmlDocument(); doc.LoadXml(Intel.Management.PSModule.Properties.Resources.AuditEventsXML); XmlNodeList list = doc.DocumentElement.ChildNodes; foreach (XmlNode node in list) { if (node.LocalName.Equals("Group")) { string name = ((XmlElement)node).GetAttribute("Name"); int appId = int.Parse(((XmlElement)node).GetAttribute("AppId")); writer.Add(new AuditGroup(name, appId, this)); } } } } class SignatureMaterial : X509Certificate2 { public SignatureMaterial(byte[] rawData) : base(rawData) { } } class AuditWriter : IContentWriter { IManagedReference _refToLog; public AuditWriter(IManagedReference refToLog) { _refToLog = refToLog; } public void Dispose() { } public void Close() { } public void Seek(long offset, System.IO.SeekOrigin origin) { } public System.Collections.IList Write(System.Collections.IList content) { byte[] keyData = null; byte[] certData = null; if (content.Count > 0) { X509Certificate2 cert2 = null; if (content[0] is PSObject) { if (((PSObject)content[0]).BaseObject is X509Certificate2) cert2 = (X509Certificate2)content[0]; else if (((PSObject)content[0]).BaseObject is X509CertificateCollection) { foreach (X509Certificate2 cert in (X509CertificateCollection)content[0]) { if (cert.HasPrivateKey) cert2 = cert; } } } else if ((content[0] is X509Certificate2)) cert2 = (X509Certificate2)content[0]; if (cert2 == null) throw new FormatException(); if (cert2.HasPrivateKey) { if (cert2.PrivateKey is RSACryptoServiceProvider) { keyData=Intel.Management.Mei.KeyFormatter.EncodeKey(cert2.PrivateKey as RSACryptoServiceProvider, true); certData = cert2.RawData; } } if (keyData == null) throw new PSArgumentException("Certificate does not contain private key"); IManagedInstance inputObj = _refToLog.CreateMethodInput("SetSigningKeyMaterial"); inputObj.SetProperty("SigningMechanismType", "0"); inputObj.SetProperty("SigningKey", Convert.ToBase64String(keyData)); inputObj.SetProperty("LengthOfCertificates", certData.Length.ToString()); inputObj.SetProperty("Certificates", Convert.ToBase64String(certData)); IManagedInstance outObj = _refToLog.InvokeMethod(inputObj); if (!outObj.GetProperty("ReturnValue").ToString().Equals("0")) { ValueMap map = ValueMap.Create(outObj.GetProperty("ReturnValue").ToString(),ValueList.AuditSetKeyResult); AmtException.ThrowInvokeError(outObj, map.ToString()); } } return content; } } class AuditReader : IContentReader { IManagedReference _refToLog; List _list; public AuditReader(IManagedReference refToLog) { _refToLog = refToLog; } public void Dispose() { } public void Close() { } public void Seek(long offset, System.IO.SeekOrigin origin) { } public System.Collections.IList Read(long size) { System.Collections.IList content = new System.Collections.ArrayList(); if (_list == null) { _list = new List(); IManagedInstance inputObj = _refToLog.CreateMethodInput("ExportAuditLogSignature"); inputObj.SetProperty("SigningMechanism", "0"); IManagedInstance outObj = _refToLog.InvokeMethod(inputObj); string result = outObj.GetProperty("ReturnValue").ToString(); if (result.Equals("1")) { AmtException.ThrowInvokeError(outObj, "Internal Error"); } else if (result.Equals("2")) { AmtException.ThrowInvokeError(outObj, "Not Ready"); } else if (result.Equals("16")) { AmtException.ThrowInvokeError(outObj, "Not Permitted"); } byte[] certData = Convert.FromBase64String(outObj.GetProperty("Certificates").ToString()); int offset = 0; foreach (IWsmanItem item in outObj.GetProperty("LengthOfCertificates")) { int length = int.Parse(item.ToString()); byte[] rawData = new byte[length]; Array.Copy(certData, offset, rawData, 0, length); X509Certificate2 cert = new X509Certificate2(rawData); _list.Add(cert); offset = offset + length; } } if (_list != null) { for(long i=0;i0;i++) { content.Add(_list[0]); _list.RemoveAt(0); } } return content; } } class AuditState : SettingsItem { public AuditState(SettingsContainer parent) : base("AuditState", parent) { List list = new List(); int state=int.Parse(parent.GetSetting("AuditState").ToString()); if ((state & 0x01) != 0) list.Add("Disabled"); else list.Add("Enabled"); if ((state & 0x02) !=0 ) list.Add("Locked"); if ((state & 0x04) !=0 ) list.Add("Almost Full - The storage area dedicated for the audit log reached 85% full"); if ((state & 0x08) != 0) list.Add("Full - The storage area dedicated for the audit log is completely full; no events will be logged and critical events in policy will not be executed."); if ((state & 0x10) !=0 ) list.Add("No Key - No key and certificate were set for the signing of the audit log. Feature cannot be enabled"); _value = list.ToArray(); } } class Enabled : SettingsItem { public Enabled(string state,SettingsContainer parent) : base("Enabled", parent) { _value = state.Equals("2") || state.Equals("6"); } public override void SetItem(object values, DriveProvider provider) { SettingsContainer settings = (SettingsContainer)_parent; IManagedReference refToLog = settings.GetReference(); IManagedInstance inputObj = refToLog.CreateMethodInput("RequestStateChange"); IManagedInstance outObj=null; bool changeTo = bool.Parse(values.ToString()); if (changeTo != (bool)_value && changeTo==true) { inputObj.SetProperty("RequestedState", "2"); outObj = refToLog.InvokeMethod(inputObj); } else if (changeTo != (bool)_value && changeTo==false) { inputObj.SetProperty("RequestedState", "3"); outObj = refToLog.InvokeMethod(inputObj); } switch (outObj.GetProperty("ReturnValue").ToString()) { case "0": //refresh the container _value = changeTo; break; case "32770": AmtException.ThrowInvokeError(outObj, "Not ready"); break; case "32784": AmtException.ThrowInvokeError(outObj, "Not Permitted"); break; case "32806": AmtException.ThrowInvokeError(outObj, "Invalid Parameter"); break; case "2076": AmtException.ThrowInvokeError(outObj, "Flash write limit exceeded"); break; default: AmtException.ThrowInvokeError(outObj); break; } } } class Signature : SettingsItem { public Signature(SettingsContainer parent) : base("Signature", parent) { _value = new Content(); } public override IContentReader GetContentReader(DriveProvider provider) { return new AuditReader(((AuditorService)_parent).GetReference()); } public override IContentWriter GetContentWriter(DriveProvider provider) { return new AuditWriter(((AuditorService)_parent).GetReference()); } public override void ClearContent(DriveProvider provider) { } } } //End AuditorService }//end namepsace