tis-audit-local-admins
70-8
Audits local administrators

- package : tis-audit-local-admins
- name : Audit Local Admins
- version : 70-8
- categories : Security
- maintainer : WAPT Team,Tranquil IT,Simon Fonteneau,Jimmy PELÉ
- editor :
- licence :
- locale : all
- target_os : windows
- impacted_process :
- architecture : all
- signature_date : 2024-04-27 10:00
- size : 8.02 Ko
package : tis-audit-local-admins
version : 70-8
architecture : all
section : base
priority : optional
name : Audit Local Admins
categories : Security
maintainer : WAPT Team,Tranquil IT,Simon Fonteneau,Jimmy PELÉ
description : Audits local administrators
depends :
conflicts :
maturity : PROD
locale : all
target_os : windows
min_wapt_version : 2.3
sources :
installed_size :
impacted_process :
description_fr : Audite les administrateurs locaux
description_pl : Audyty lokalnych administratorów
description_de : prüft lokale Verwalter
description_es : Audita a los administradores locales
description_pt : Audita os administradores locais
description_it : Verifica gli amministratori locali
description_nl : Audits van lokale beheerders
description_ru : Проверяет локальных администраторов
audit_schedule : 2h
editor :
keywords :
licence :
homepage :
package_uuid : 4d04b553-b096-4fa5-a5a7-17ae4632827d
valid_from :
valid_until :
forced_install_on :
changelog :
min_os_version :
max_os_version :
icon_sha256sum : 4e424cf16b749d1dff5b232130000cd4b633399ee5dddce76f8d8a95117ae105
signer : Tranquil IT
signer_fingerprint: 8c5127a75392be9cc9afd0dbae1222a673072c308c14d88ab246e23832e8c6bb
signature : VJrj883hFUNsxtGbSIaEVmght5I+mkd1uPYFo77eR2yaHsb4uoaNWyY4/LiA4Sw+TBVxKejIRSfRMjU/YF0rFCS5cKmSDKPtroF9d4UTYAau+LjLZl7m4Lapagz4HjRgI5Vz8LE6MfiLWwdOCBmoD7DAbl/cbWFq+bvlUmi2BzHVBy7ROIY6sOLcNeBnwCzzUuHuUHVjx0KKPPpmyX8ofqnxAVlrke31Mwl+03Epm8C2hxaG95110hcoE4Y/6Eg8tASm8a/y/iLIApMRN3eof+vJ/Iwt/dgdGcZEm7dUHvLf9E6PwZeph4cX1Wcjn9ZburDTlOedtoqdbpdKfsZosg==
signature_date : 2024-04-27T10:00:27.763719
signed_attributes : package,version,architecture,section,priority,name,categories,maintainer,description,depends,conflicts,maturity,locale,target_os,min_wapt_version,sources,installed_size,impacted_process,description_fr,description_pl,description_de,description_es,description_pt,description_it,description_nl,description_ru,audit_schedule,editor,keywords,licence,homepage,package_uuid,valid_from,valid_until,forced_install_on,changelog,min_os_version,max_os_version,icon_sha256sum,signer,signer_fingerprint,signature_date,signed_attributes
# -*- coding: utf-8 -*-
from setuphelpers import *
import win32security
import win32net
import os
# Path of the persisted SID -> name cache; filled in by audit().
audit_local_admins = None
# Domain of the account running this audit (USERDOMAIN); used as the prefix
# of the domain-level allow-list entries.
# NOTE(review): under the WAPT service account this may differ from the
# machine's AD domain — confirm on a joined host.
domain_name = os.environ["USERDOMAIN"]
# Accounts permitted in the local Administrators group, "DOMAIN\user" form.
allowed_admins_list = [
    get_computername() + "\\tisadmin",
    domain_name + "\\tis-adm",
]
# In-memory SID -> account name cache (mirrors the file at audit_local_admins).
dict_sid_name = {}
def install():
    """Nothing to deploy: this package only carries the audit() hook."""
    return None
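def audit():
    """Check the local Administrators group against the allow-list.

    Resolves the well-known Administrators group (S-1-5-32-544), the
    built-in local administrator account (machine SID + RID 500) and the
    domain group with RID 512, merges them with ``allowed_admins_list``
    and compares every member of the local Administrators group against
    that allow-list (case-insensitive, exact string match).

    Returns:
        "OK" when every member is allowed; "ERROR" when at least one
        member is not allowed, or when the computer name is longer than
        15 characters (the NetBIOS name length limit).

    Raises:
        Whatever the domain SID / group name lookup raises when the
        domain controller cannot be reached (re-raised after a message).

    Side effects:
        Writes the SID -> name cache to ``audit_local_admins`` and reports
        the allowed/unallowed split via ``WAPT.write_audit_data_if_changed``.
    """
    global dict_sid_name, audit_local_admins

    computer_name = get_computername()
    if len(computer_name) > 15:
        print("Computer name longer than 15 characters.")
        return "ERROR"

    audit_local_admins = makepath(
        install_location("WAPT_is1"),
        "private",
        "persistent",
        control.package_uuid,
        "audit-local-admins-cache.json",
    )
    # Best effort: the cache file may not exist yet (first run); start empty.
    # Narrowed from a bare except so Ctrl-C / SystemExit are not swallowed.
    try:
        dict_sid_name = cache_info()
    except Exception:
        dict_sid_name = {}

    # Localised name of the built-in Administrators group (well-known SID).
    name_group_admin = get_name_with_sid("S-1-5-32-544")

    # "COMPUTER\<built-in administrator>": machine SID + RID 500.
    machine_sid = win32security.ConvertSidToStringSid(
        win32net.NetUserModalsGet(computer_name, 2)["domain_id"]
    )
    local_administrator = (computer_name + "\\" + get_name_with_sid(machine_sid + "-500")).lower()

    # Allow-list, all lower-case so the comparison below is case-insensitive.
    # NOTE(review): membership is an exact list test, so the bare "DOMAIN\"
    # entry only matches a member whose full name is literally "DOMAIN\" —
    # i.e. never a real account. Confirm whether a prefix match was intended;
    # that would allow every domain account and is a much broader allowance.
    allow_admin = [local_administrator, domain_name.lower() + "\\"]

    # "DOMAIN\<group with RID 512>"; needs a reachable domain controller.
    try:
        allow_admin.append(("%s\\%s" % (domain_name, get_name_with_sid("%s-512" % get_domain_sid()))).lower())
    except Exception:
        print("Domain Controleur unavailed ?")
        raise

    allow_admin.extend(entry.lower() for entry in allowed_admins_list)

    # Persist whatever SID -> name resolutions succeeded so far.
    json_write_file(audit_local_admins, dict_sid_name)

    admins_users = local_group_members(name_group_admin)
    admins_dict = {"unallowed": {}, "allowed": {}}
    listerror = []
    for user in admins_users:
        # "DOMAIN\user" -> (DOMAIN, user); a name without a backslash keeps
        # the whole string in both positions, as before.
        parts = user.split("\\")
        domain, username = parts[0], parts[-1]
        allowed = user.lower() in allow_admin
        if not allowed:
            listerror.append(user)
        bucket = admins_dict["allowed" if allowed else "unallowed"]
        bucket.setdefault(domain, []).append(username)

    if listerror:
        print("UNALLOWED ADMINS LIST : %s" % ",".join(listerror))
    # NOTE(review): this prints the full group membership (allowed and
    # unallowed alike); the label is misleading — consider reporting only
    # the entries collected in admins_dict["allowed"].
    print("ALLOWED ADMINS LIST : %s" % ",".join(admins_users))
    WAPT.write_audit_data_if_changed("audit-local-admins", "audit-local-admins", admins_dict)
    return "ERROR" if listerror else "OK"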
def cache_info():
    """Load the persisted SID -> name cache from ``audit_local_admins``.

    Propagates whatever json_load_file raises (e.g. when the file does not
    exist yet); audit() treats that as "start with an empty cache".
    """
    cache_path = audit_local_admins
    return json_load_file(cache_path)
# Get Name With SID
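def get_name_with_sid(osid):
    """Resolve a string SID to an account name, falling back to the cache.

    Args:
        osid: SID in string form (e.g. "S-1-5-32-544").

    Returns:
        The account name from LookupAccountSid, or — when the lookup fails —
        the name recorded in ``dict_sid_name`` by an earlier successful run.
        When the lookup fails and nothing is cached, ``error()`` from
        setuphelpers is called (presumably raises — confirm); if it does not,
        the function returns None.

    Side effects:
        Records every successful resolution in ``dict_sid_name``.
    """
    global dict_sid_name
    try:
        sid = win32security.GetBinarySid(osid)
        name, _domain, _typ = win32security.LookupAccountSid(wincomputername(), sid)
        dict_sid_name[osid] = name
        return name
    except Exception:
        # Narrowed from a bare except so Ctrl-C / SystemExit are not swallowed.
        if osid in dict_sid_name:
            return dict_sid_name[osid]
        error("Failed name resolution for %s" % osid)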
# Found Domain SID
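def get_domain_sid():
    """Return the domain SID (string form) reported by a domain controller.

    Asks NetGetDCName() for a controller and reads ``domain_id`` from
    NetUserModalsGet level 2. The result is cached in ``dict_sid_name``
    under the key "get_domain_sid" so a later audit can still proceed
    when the controller is unreachable.

    Returns:
        The SID string from the live lookup, or the cached value when the
        lookup fails. When both are unavailable, ``error()`` from setuphelpers
        is called (presumably raises — confirm); if it does not, None is
        returned.
    """
    global dict_sid_name
    try:
        umi2 = win32net.NetUserModalsGet(win32net.NetGetDCName(), 2)
        name = win32security.ConvertSidToStringSid(umi2["domain_id"])
        dict_sid_name["get_domain_sid"] = name
        return name
    except Exception:
        # Narrowed from a bare except so Ctrl-C / SystemExit are not swallowed.
        if "get_domain_sid" in dict_sid_name:
            return dict_sid_name["get_domain_sid"]
        error("Domain SID is not available")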
6805fbc2bcc0ed85d819df1d8624ba15d21b9b28eaac693db8480d7e1c3e67d2 : setup.py
4e424cf16b749d1dff5b232130000cd4b633399ee5dddce76f8d8a95117ae105 : WAPT/icon.png
a5a97261381e1d0ad46ee15916abec9c2631d0201f5cc50ceb0197a165a0bbbf : WAPT/certificate.crt
f5c12b2f86c8c43ce1774d74df22d0ed801bcae977fd4cae46538c59c687a1f7 : luti.json
4627542b6b67a7bea2b342c2657aa83bca92e243d3130eb875ca3dbf59a2763d : WAPT/control