tis-audit-bitlocker

6.0-6
Audits TPM capabilities and whether drive C: is protected with BitLocker

  Description 

  • package : tis-audit-bitlocker
  • version : 6.0-6
  • architecture : all
  • categories : Security
  • maintainer : WAPT Team,Tranquil IT,Jimmy PELÉ,Hübert TOUVET
  • description : Audits TPM capabilities and whether drive C: is protected with BitLocker
  • locale :
  • target_os : windows
  • min_wapt_version : 1.8
  • sources :
  • installed_size :
  • impacted_process :
  • description_fr :
  • description_pl :
  • description_de :
  • description_es :
  • description_pt :
  • description_it :
  • description_nl :
  • description_ru :
  • editor :
  • licence :
  • signature_date : 2020-09-08T09:44:56.981706

  Setup.py 

# -*- coding: utf-8 -*-
from setuphelpers import *
import wmi
import pprint

# Audit-only package: it installs nothing, so there is no uninstall entry.
uninstallkey = list()


def install():
    """No-op: this package only audits, it deploys nothing."""
    return None


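# Win32_EncryptableVolume integer status codes -> readable names, indexed by code.
_STATUS_NAMES = {
    'EncryptionMethod': ("None", "AES 128 With Diffuser", "AES 256 With Diffuser", "AES 128", "AES 256"),
    'ProtectionStatus': ("Protection Off", "Protection On", "Protection Unknown"),
    'ConversionStatus': ("Fully Decrypted", "Fully Encrypted", "Encryption In Progress", "Decryption In Progress", "Encryption Paused", "Decryption Paused"),
    'LockStatus': ("Unlocked", "Locked"),
}

# PowerShell expression selecting the RecoveryPassword protector(s) of one
# volume by type rather than by position: KeyProtector[1] is the recovery
# password only when the TPM protector happens to be listed first.
_RECOVERY_PROTECTORS = ("((Get-BitLockerVolume -MountPoint '{}').KeyProtector"
                        " | Where-Object KeyProtectorType -eq 'RecoveryPassword')")


def audit():
    """Audit TPM availability and BitLocker protection of the C: drive.

    Side effects: prints one status line per finding and asks BitLocker to
    escrow each volume's recovery-password protector in Active Directory.

    Returns:
        'OK' when a TPM is present and the C: volume reports "Protection On";
        'ERROR' when there is no TPM, the WMI volume data cannot be decoded,
        no C: volume is listed, or C: reports any other protection status.
    """
    res_tpm = run_powershell("Get-Tpm")
    # Fail closed: a missing or unknown TpmPresent value counts as "no TPM".
    if not res_tpm['TpmPresent']:
        print('ERROR : no TPM chip on this system')
        return "ERROR"
    print('OK : TPM chip present on this system')
    if res_tpm['TpmReady']:
        print('OK : TPM chip ready')
    else:
        print('WARNING: TPM chip not ready')

    wmiserv = wmi.WMI(moniker=r"winmgmts:\\.\root\CIMV2\Security\MicrosoftVolumeEncryption")
    items = _as_list(wmi_as_struct(wmiserv.query("SELECT * FROM Win32_EncryptableVolume")))

    if not _decode_status_fields(items):
        return 'ERROR'

    # Query the mount points once; a single volume comes back as a scalar,
    # which must not be iterated character by character.
    mountpoints = _as_list(run_powershell('(Get-BitLockerVolume).MountPoint'))
    _escrow_recovery_protectors(mountpoints)

    return _c_drive_status(items)


def _as_list(value):
    """Normalise a run_powershell / wmi_as_struct result to a list.

    None or an empty result means "nothing"; a scalar (including a string)
    is a single result; a list or tuple is returned as a list.
    """
    if not value:
        return []
    if isinstance(value, (list, tuple)):
        return list(value)
    return [value]


def _decode_status_fields(items):
    """Replace integer status codes in *items* by readable names, in place.

    Codes outside the known range are left untouched. Returns False (after
    dumping the raw data) when an item is not a dict of fields.
    """
    try:
        for item in items:
            for key, code in list(item.items()):
                names = _STATUS_NAMES.get(key)
                # isinstance guards against None/str codes; the lower bound
                # keeps a negative code from silently mapping to the last name.
                if names is not None and isinstance(code, int) and 0 <= code < len(names):
                    item[key] = names[code]
    except Exception:
        print('ERROR: returned items malformed')
        pprint.pprint(items)
        return False
    return True


def _escrow_recovery_protectors(mountpoints):
    """Report and back up to AD the recovery-password protector(s) of each volume.

    The recovery password value itself is deliberately never printed: audit
    output is collected centrally, and the secret that unlocks a volume must
    not end up in a log.
    """
    print('Force saving to Active Directory')
    for mountpoint in mountpoints:
        print(mountpoint)
        try:
            protector_ids = _as_list(run_powershell(
                _RECOVERY_PROTECTORS.format(mountpoint) + '.KeyProtectorId'))
        except Exception as e:
            print("WARNING : failed to read {} recovery protector : {}".format(mountpoint, e))
            continue
        if not protector_ids:
            print("WARNING : {} has no RecoveryPassword protector".format(mountpoint))
            continue
        print("OK: {} has {} RecoveryPassword protector(s)".format(mountpoint, len(protector_ids)))
        for protector_id in protector_ids:
            try:
                run_powershell("Backup-BitLockerKeyProtector -MountPoint '{}' -KeyProtectorId '{}'".format(mountpoint, protector_id))
            except Exception as e:
                print("WARNING: Failed to store recovery to AD : {} : {}".format(mountpoint, e))


def _c_drive_status(items):
    """Return 'OK' only when the C: volume reports "Protection On", else 'ERROR'."""
    for item in items:
        if item.get('DriveLetter') != 'C:':
            continue
        status = item.get('ProtectionStatus')
        if status == "Protection On":
            print('OK: "C:" Drive is BitLocked.')
            return 'OK'
        # "Protection Off", "Protection Unknown" or an undecoded code all fail the audit.
        print('ERROR: "C:" Drive is NOT BitLocked ! (ProtectionStatus: {})'.format(status))
        return 'ERROR'
    # The original fell off the end (returned None) when no C: volume was listed.
    print('ERROR: no "C:" volume reported by Win32_EncryptableVolume')
    return 'ERROR'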



def update_package():
    """Re-stamp the package version as <software version>-<revision + 1>.

    The revision is the part after the last '-' of the current control
    version; the new control file is written back to WAPT\\control.
    """
    software_version = control.get_software_version()
    next_revision = int(control.version.split('-')[-1]) + 1

    control.version = '%s-%s' % (software_version, next_revision)
    control.save_control_to_wapt()
    print('Changing version to: %s in WAPT\\control' % control.version)



  Changelog 



No changelog.txt.
  manifest.sha256