Add new AppLocker template

Author: nyanhp

templates/AppLockerProject/.github/workflows/publish.yml

@@ -0,0 +1,34 @@
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  publish:
+
+    runs-on: windows-latest
+
+    steps:
+    - uses: actions/checkout@v1
+    - name: Install Prerequisites
+      run: .\build\vsts-prerequisites.ps1
+      shell: powershell
+    - name: Validate Configuration Data
+      run: .\build\vsts-validate.ps1 -TestType ConfigurationData
+      shell: powershell
+    - name: Build
+      run: .\build\vsts-build.ps1 -IncludeRsop
+      shell: powershell
+    - uses: actions/upload-artifact@v3
+      with:
+        name: build-artifacts
+        path: |
+          .\output\rsop
+          .\output\policies
+    - name: Validate Integration Tests
+      run: .\build\vsts-validate.ps1 -TestType Integration
+      shell: powershell
+    - name: Publish
+      run: .\build\vsts-publish.ps1
+      shell: powershell

templates/AppLockerProject/.github/workflows/validate.yml

@@ -0,0 +1,24 @@
+on: [pull_request]
+
+jobs:
+  validate:
+
+    runs-on: windows-latest
+
+    steps:
+    - uses: actions/checkout@v1
+    - name: Install Prerequisites
+      run: .\build\vsts-prerequisites.ps1
+      shell: powershell
+    - name: Validate
+      run: .\build\vsts-validate.ps1 -TestType ConfigurationData
+      shell: powershell
+    - name: Build
+      run: .\build\vsts-build.ps1 -IncludeRsop
+      shell: powershell
+    - uses: actions/upload-artifact@v3
+      with:
+        name: build-artifacts
+        path: |
+          .\output\rsop
+          .\output\policies

templates/AppLockerProject/.gitignore

@@ -0,0 +1,2 @@
+output
+testresults.xml

templates/AppLockerProject/azurepipelines.yml

@@ -0,0 +1,147 @@
+trigger:
+  branches:
+    include:
+    - main
+
+stages:
+  - stage: build
+    jobs:
+      - job: Build
+        displayName: 'Build AppLocker Artifacts'
+        pool:
+          name: Default
+        workspace:
+          clean: all
+        steps:
+          - task: PowerShell@2
+            name: build
+            displayName: 'Download prerequisites'
+            inputs:
+              filePath: '.\build\vsts-prerequisites.ps1'
+          - task: PowerShell@2
+            name: build
+            displayName: Validate Configuration Data
+            inputs:
+              filePath: '.\build\vsts-validate.ps1'
+              arguments: '-TestType ConfigurationData'
+          - task: PowerShell@2
+            name: build
+            displayName: Build policy XML
+            inputs:
+              filePath: '.\build\vsts-build.ps1'
+              arguments: '-IncludeRsop'
+
+          - task: PublishBuildArtifacts@1
+            displayName: 'Publish Policy XML Files'
+            inputs:
+              PathtoPublish: 'output/Policies'
+              ArtifactName: Policies
+
+          - task: PublishBuildArtifacts@1
+            displayName: 'Publish Policy RSOP Files'
+            inputs:
+              PathtoPublish: 'output/Rsop'
+              ArtifactName: Rsop
+
+  - stage: publish
+    dependsOn: build
+    jobs:
+      - deployment: Dev
+        displayName: Dev Deployment
+        environment: Dev
+        pool:
+          name: Default
+        workspace:
+          clean: all
+        strategy:
+          runOnce:
+            deploy:
+              steps:
+              - download: None
+
+              - task: DownloadBuildArtifacts@0
+                displayName: 'Download Build Artifact: Rsop'
+                inputs:
+                  buildType: 'current'
+                  artifactName: Rsop
+                  downloadPath: $(Build.SourcesDirectory)
+              - task: DownloadBuildArtifacts@0
+                displayName: 'Download Build Artifact: Policies'
+                inputs:
+                  buildType: 'current'
+                  artifactName: Policies
+                  downloadPath: $(Build.SourcesDirectory)
+              - task: PowerShell@2
+                name: publishpolicies
+                displayName: Publish policies
+                inputs:
+                  filePath: '.\build\vsts-publish.ps1'
+                  arguments: '-OutputPath  $(Build.SourcesDirectory)'
+
+  - stage: DscDeploymentTest
+    dependsOn:
+      - build
+      - DscDeploymentDev
+    jobs:
+      - deployment: Test
+        displayName: Test Deployment
+        environment: Test
+        pool:
+          name: Default
+        workspace:
+          clean: all
+        strategy:
+          runOnce:
+            deploy:
+              steps:
+              - download: None
+
+              - task: DownloadBuildArtifacts@0
+                displayName: 'Download Build Artifact: MOF'
+                inputs:
+                  buildType: 'current'
+                  artifactName: MOF
+                  downloadPath: $(Build.SourcesDirectory)
+
+              - task: CopyFiles@2
+                name: DeployMofsToPullServer
+                displayName: 'Deploy MOF Files to Pull Server'
+                inputs:
+                  SourceFolder: '$(Build.SourcesDirectory)/MOF/$(Environment.Name)'
+                  Contents: '**'
+                  TargetFolder: '\\dscpull01\DscConfiguration'
+                  OverWrite: true
+
+  - stage: DscDeploymentProd
+    dependsOn:
+      - build
+      - DscDeploymentTest
+    jobs:
+      - deployment: Prod
+        displayName: Prodt Deployment
+        environment: Prod
+        pool:
+          name: Default
+        workspace:
+          clean: all
+        strategy:
+          runOnce:
+            deploy:
+              steps:
+              - download: None
+
+              - task: DownloadBuildArtifacts@0
+                displayName: 'Download Build Artifact: MOF'
+                inputs:
+                  buildType: 'current'
+                  artifactName: MOF
+                  downloadPath: $(Build.SourcesDirectory)
+
+              - task: CopyFiles@2
+                name: DeployMofsToPullServer
+                displayName: 'Deploy MOF Files to Pull Server'
+                inputs:
+                  SourceFolder: '$(Build.SourcesDirectory)/MOF/$(Environment.Name)'
+                  Contents: '**'
+                  TargetFolder: '\\dscpull01\DscConfiguration'
+                  OverWrite: true

templates/AppLockerProject/build/build.ps1

@@ -0,0 +1,40 @@
+
+param
+(
+    [string]
+    $SourcePath = (Resolve-Path "$PSScriptRoot\..\configurationdata").Path,
+
+    [string]
+    $OutputPath = (Resolve-Path "$PSScriptRoot\..\output").Path,
+
+    [switch]
+    $IncludeRsop
+)
+
+$rsopPath = Join-Path -Path $OutputPath -ChildPath rsop
+$policyPath = Join-Path -Path $OutputPath -ChildPath policies
+if (-not (Test-Path -Path $rsopPath))
+{
+    $null = New-Item -Path $rsopPath -ItemType Directory -Force
+}
+
+if (-not (Test-Path -Path $policyPath))
+{
+    $null = New-Item -Path $policyPath -ItemType Directory -Force
+}
+
+$datum = New-DatumStructure -DefinitionFile (Join-Path $SourcePath Datum.yml)
+$rsops = Get-DatumRsop $datum (Get-DatumNodesRecursive -AllDatumNodes $Datum.AllNodes)
+$rsops | Export-AlfXml -Path $policyPath
+
+if (-not $IncludeRsop) { return }
+
+foreach ($rsop in $rsops)
+{
+    $domainPath = Join-Path -Path $rsopPath -ChildPath $rsop.Domain
+    if (-not (Test-Path -Path $domainPath))
+    {
+        $null = New-Item -Path $domainPath -ItemType Directory -Force
+    }
+    $rsop | ConvertTo-Yaml -OutFile (Join-Path -Path $domainPath -ChildPath "$($rsop.PolicyName).yml") -Force
+}

templates/AppLockerProject/build/prerequisites.ps1

@@ -0,0 +1,19 @@
+param
+(
+    [string]
+    $DependencyPath = (Resolve-Path "$PSScriptRoot\requiredModules.psd1").Path
+)
+
+$psdependConfig = Import-PowerShellDataFile -Path $DependencyPath
+
+$null = Get-PackageProvider -Name NuGet -ForceBootstrap
+
+Save-Module -Name PackageManagement, PowerShellGet, PSDepend -Repository $psdependConfig.PSDependOptions.Parameters.Repository -Path $psdependConfig.PSDependOptions.Target -Force
+
+Remove-Module -Name PowerShellGet -ErrorAction SilentlyContinue -Force
+Remove-Module -Name PackageManagement -ErrorAction SilentlyContinue -Force
+Import-Module -Force -Name (Join-Path -Path $psdependConfig.PSDependOptions.Target -ChildPath PackageManagement\*\PackageManagement.psd1 -Resolve)
+Import-Module -Force -Name (Join-Path -Path $psdependConfig.PSDependOptions.Target -ChildPath PowerShellGet\*\PowerShellGet.psd1 -Resolve)
+Import-Module -Name (Join-Path -Path $psdependConfig.PSDependOptions.Target -ChildPath PSDepend\*\PSDepend.psd1 -Resolve)
+
+Invoke-PSDepend -Path $DependencyPath -Force

templates/AppLockerProject/build/publish.ps1

@@ -0,0 +1,21 @@
+param
+(
+    [string]
+    $OutputPath = (Resolve-Path "$PSScriptRoot\..\output").Path
+)
+
+foreach ($policy in (Get-ChildItem -Path (Join-Path -Path $OutputPath -ChildPath Policies) -Recurse -Filter *.xml))
+{
+    $searcher = [adsisearcher]::new()
+    $searcher.Filter = "(&(objectClass=groupPolicyContainer)(displayName=$($policy.BaseName)))"
+    $policyFound = $searcher.FindOne()
+
+    if (-not $policyFound)
+    {
+        $null = New-GPO -Name $policy.BaseName -Comment "Auto-updated applocker policy" -Domain $policy.Directory.Name
+    }
+
+    $policyFound = $searcher.FindOne()
+
+    Set-AppLockerPolicy -XmlPolicy (Get-Content -Path $policy.FullName) -Ldap $policyFound.Path
+}

templates/AppLockerProject/build/requiredModules.psd1

@@ -0,0 +1,18 @@
+@{
+    PSDependOptions       = @{
+        AddToPath  = $true
+        Target     = 'output\RequiredModules'
+        Parameters = @{
+            Repository      = 'PSGallery'
+            AllowPreRelease = $true
+        }
+    }
+
+    'powershell-yaml'     = '0.4.7'
+    PSScriptAnalyzer      = '1.21.0'
+    Pester                = '5.4.1'
+    'Sampler.DscPipeline' = '0.2.0-preview0015' # Unfortunately still in preview
+    Datum                 = '0.40.1'
+    'Datum.InvokeCommand' = '0.3.0'
+    AppLockerFoundry      = '1.1.0'
+}

templates/AppLockerProject/build/validate.ps1

@@ -0,0 +1,25 @@
+[CmdletBinding()]
+param
+(
+    [string]
+    $ProjectRoot = (Resolve-Path "$PSScriptRoot\..").Path,
+
+    [ValidateSet('Unit', 'ConfigurationData', 'Integration')]
+    [string]
+    $TestType
+)
+
+Import-Module Pester
+
+$po = [PesterConfiguration]::New()
+$po.Run.Path = Join-Path $ProjectRoot "tests/$TestType"
+$po.Run.PassThru = $true
+$po.Output.Verbosity = 'Detailed'
+$po.TestResult.Enabled = $true
+$po.TestResult.OutputPath = Join-Path $ProjectRoot 'testresults.xml'
+$po.TestResult.OutputFormat = 'NUnit2.5'
+
+$result = Invoke-Pester -Configuration $po
+if ($result.FailedCount -gt 0) {
+    throw "Pester tests failed"
+}

templates/AppLockerProject/configurationdata/Apps/Git.yml

@@ -0,0 +1,30 @@
+Configurations:
+  - RuleCollections
+
+RuleCollections:
+  Exe:
+    EnforcementMode: AuditOnly
+    Rules:
+      - Name: Allow git.exe
+        Description: Allow all users to run git.exe
+        Path: '%PROGRAMFILES%\git\cmd\git.exe'
+        UserOrGroupSid: S-1-1-0
+        Action: Allow
+      - Name: Allow specific hashed git
+        Description: Allow all users to run git.exe that has a specific hash
+        Type: SHA256
+        Data: "0xC659F4712B60C25E86A927E0C0121C301075F2D0754506140F8B9812B5FDBA3C"
+        SourceFileName: git.exe
+        SourceFileLength: 45104
+        UserOrGroupSid: S-1-1-0
+        Action: Allow
+      - Name: Allow signed git
+        Description: Allow all users to run git.exe that was signed by a specific publisher
+        PublisherName: O=JOHANNES SCHINDELIN, S=NORDRHEIN-WESTFALEN, C=DE
+        ProductName: GIT
+        BinaryName: GIT.EXE
+        BinaryVersionRange:
+          LowSection: 2.40.1.1
+          HighSection: 2.40.1.1
+        UserOrGroupSid: S-1-1-0
+        Action: Allow