tis-audit-bitlocker
6.0-6
Auditing TPM capabilities and if the drive C: is protected with BitLocker
1444 downloads

Description
- package : tis-audit-bitlocker
- version : 6.0-6
- architecture : all
- categories : Security
- maintainer : WAPT Team,Tranquil IT,Jimmy PELÉ,Hübert TOUVET
- description : Auditing TPM capabilities and if the drive C: is protected with BitLocker
- locale :
- target_os : windows
- min_wapt_version : 1.8
- sources :
- installed_size :
- impacted_process :
- description_fr :
- description_pl :
- description_de :
- description_es :
- description_pt :
- description_it :
- description_nl :
- description_ru :
- editor :
- licence :
- signature_date : 2020-09-08T09:44:56.981706
Setup.py
# -*- coding: utf-8 -*-
from setuphelpers import *
import wmi
import pprint
# Left empty: install() in this file is a no-op, so the package lists no
# uninstall key of its own.
uninstallkey = []
def install():
    """Install nothing; this package only provides the audit() check."""
    return None
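def _as_list(value):
    """Normalise a run_powershell() result to a list.

    An empty result becomes [], a list/tuple is copied, and any other single
    value is wrapped. Without this, a lone mount point returned as a bare
    string would be iterated character by character.
    """
    if not value:
        return []
    if isinstance(value, (list, tuple)):
        return list(value)
    return [value]


def audit():
    """Audit TPM presence and BitLocker protection of the C: drive.

    Steps, in order:
      1. Query ``Get-Tpm``. No TPM ends the audit with "ERROR"; a TPM that
         is not ready only prints a warning.
      2. Read ``Win32_EncryptableVolume`` through WMI and replace the numeric
         status fields with readable labels.
      3. Print the recovery password of every BitLocker mount point.
      4. Back up each mount point's key protector with
         ``Backup-BitLockerKeyProtector``.
      5. Check the C: volume.

    The final check fails closed: "OK" is returned only when a C: volume was
    found and its status is "Protection On". A missing C: entry or any other
    status (off, unknown, untranslated) returns "ERROR".

    Returns:
        The string "OK" or "ERROR".
    """
    res_tpm = run_powershell("Get-Tpm")
    # Anything other than a truthy TpmPresent is treated as "no TPM".
    if not res_tpm['TpmPresent']:
        print('ERROR : no TPM chip on this system')
        return "ERROR"
    print('OK : TPM chip present on this system')
    if res_tpm['TpmReady']:
        print('OK : TPM chip ready')
    else:
        print('WARNING: TPM chip not ready')

    wmiserv = wmi.WMI(moniker=r"winmgmts:\\.\root\CIMV2\Security\MicrosoftVolumeEncryption")
    items = wmi_as_struct(wmiserv.query("SELECT * FROM Win32_EncryptableVolume"))
    # Label tables indexed by the integer found in the matching field.
    maps = {
        'EncryptionMethod': ("None", "AES 128 With Diffuser", "AES 256 With Diffuser", "AES 128", "AES 256"),
        'ProtectionStatus': ("Protection Off", "Protection On", "Protection Unknown"),
        'ConversionStatus': ("Fully Decrypted", "Fully Encrypted", "Encryption In Progress", "Decryption In Progress", "Encryption Paused", "Decryption Paused"),
        'LockStatus': ("Unlocked", "Locked"),
    }
    if not isinstance(items, list):
        items = [items]

    # Show the status fields as readable text instead of integers.
    try:
        for item in items:
            for key in item:
                if key in maps:
                    if item[key] < len(maps[key]):
                        item[key] = maps[key][item[key]]
    except Exception:
        # Narrowed from a bare except so KeyboardInterrupt/SystemExit are
        # no longer swallowed here.
        print('ERROR: returned items malformed')
        pprint.pprint(items)
        return 'ERROR'

    # Queried once and reused for both loops below.
    mountpoints = _as_list(run_powershell('(Get-BitLockerVolume).MountPoint'))

    # NOTE(review): the recovery password is printed in clear text, so it
    # ends up wherever this audit output is stored or displayed; anyone who
    # can read that output can unlock the volume. Kept because the package
    # appears to rely on it for key escrow -- restrict access to the audit
    # results accordingly, or rely on the directory backup below instead.
    # NOTE(review): KeyProtector[1] assumes the recovery-password protector
    # is the second entry; TODO confirm, or select it by KeyProtectorType.
    for mountpoint in mountpoints:
        try:
            # The mount point is quoted, as in the backup commands below.
            recovery_key = run_powershell('(Get-BitLockerVolume -MountPoint "{}").KeyProtector[1].RecoveryPassword'.format(mountpoint))
        except Exception:
            print("WARNING : failed to recover {} mountpoint key".format(mountpoint))
            continue
        if recovery_key:
            print("OK: {} RecoveryKey {}".format(mountpoint, recovery_key))
        else:
            # An empty result means no recovery password at that index;
            # reporting it as OK would be misleading.
            print("WARNING : failed to recover {} mountpoint key".format(mountpoint))

    print('Force saving to Active Directory')
    for mountpoint in mountpoints:
        print(mountpoint)
        try:
            key_protectorid = run_powershell('(Get-BitLockerVolume -MountPoint "{}").KeyProtector[1].KeyProtectorId'.format(mountpoint))
            run_powershell('Backup-BitLockerKeyProtector -MountPoint "{}" -KeyProtectorId "{}"'.format(mountpoint, key_protectorid))
        except Exception:
            print("WARNING: Failed to store recovery to AD : {}".format(mountpoint))

    # Fail closed: only a C: volume confirmed as "Protection On" passes.
    c_drive_protected = False
    for item in items:
        if item['DriveLetter'] != 'C:':
            continue
        status = item['ProtectionStatus']
        if status == "Protection On":
            print('OK: "C:" Drive is BitLocked.')
            c_drive_protected = True
        elif status == "Protection Off":
            print('ERROR: "C:" Drive is NOT BitLocked !')
            return 'ERROR'
        else:
            print('ERROR: "C:" Drive protection status could not be confirmed: {}'.format(status))
            return 'ERROR'
    if not c_drive_protected:
        print('ERROR: "C:" Drive was not found among the encryptable volumes')
        return 'ERROR'
    return 'OK'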
def update_package():
    """Bump the packaging counter of this package and save its control file.

    The new version string is the value of control.get_software_version()
    followed by "-" and the current packaging counter (the part of
    control.version after its last "-") plus one.
    """
    software_version = control.get_software_version()
    # The packaging counter is whatever follows the last dash.
    packaging_counter = int(control.version.rsplit('-', 1)[-1])
    next_counter = packaging_counter + 1
    control.version = '%s-%s' % (software_version, next_counter)
    control.save_control_to_wapt()
    print('Changing version to: %s in WAPT\\control' % control.version)