#-------------------------------------------------------------------------------------------------------------------- # Author: Hector Szabo # Date: Juin, 2015 / L2.2015 # versions # 1.0 Validates root CA, issuing CA for Production and Partenaire environments # 1.1 [HS]Juillet, 2015 Exposes machine name and implements -ver (describes version and validity of present certificates) # 1.2 [HS]Août, 2015Mise à jour des certificats de production et prise en charge du contrôle de validité selon l'avis de sécurité de Microsoft #-------------------------------------------------------------------------------------------------------------------- <# .SYNOPSIS Script De validation des "chaînes de confiance" (selon le switch -essai ou -production) Valide que les certificats requis soient installés aux magasins de certificats nécessaires: . Syntax Chaines2.ps1 {-essai | -production} [-NTAuth] [-Ver] un paramètre est obligatoire .DESCRIPTION Script De validation des "chaînes de confiance" (selon le switch -essai ou -production) Valide que les certificats requis soient installés aux magasins de certificats nécessaires: MAGASIN DES AUTORITÉS DE CERTIFICATION RACINE DE CONFIANCE - AC Racine G1 ([essais]/[prod]AC Racine.crt, SHA1, 2048) - AC Racine G2 ([essais]Ac Racine SecurSante RAMQ PARTE.crt, SHA1, 2048/ [prod] Non applicable) - AC Racine G3 ([essais]AC Racine SecurSante RAMQ PARTE G3.crt, SHA2, 4096/ [prod] AC Racine SecurSante G3.crt,SHA2,4096) MAGASIN DES AUTORITÉS DE CERTIFICATION INTERMÉDIAIRES - AC Racine G3 "croisé" ([essais]AC Racine SecurSante RAMQ PARTE G3X.crt, SHA1,4091,[prod])AC Racine SecurSante G3X.crt,SHA1,4096 MAGASIN DES AUTORITÉS DE CERTIFICATION ÉMETTRICES - AC(s) émettrices G1([essais]AC Emettrice Dev.crt,SHA1,2048/[prod]AC Emettrice ProdA.crt, AC Emettrice ProdB.crt,SHA1,2028) - AC émettrice G2([essais]AC SecurSante RAMQ PARTE.crt,SHA1,2048/[prod]AC SecurSante.crt,SHA1,2048) - AC émettrice G3([essais]AC SecurSante RAMQ PARTE.crt,SHA2,2048/[prod]AC 
SecurSante.crt,SHA2,2048) .PARAMETER essai Valide les chaînes de confiance d'un poste prévu pour les environnements d'essai, maintenance corrective et formation .PARAMETER production Valide les chaînes de confiance d'un poste prévu pour l'environnement de production .PARAMETER NTAuth Valide les magasins d'entreprise NTAuth pour les machines controleur de domaine, IIS et toute machine sur laquelle on ouvre une session Windows par carte à puce .EXAMPLE .\chaines.ps1 -essai Valide les chaînes de confiance d'un poste prévu pour les environnements d'essai, maintenance corrective et formation .EXAMPLE .\chaines.ps1 -production Valide les chaînes de confiance d'un poste prévu pour l'environnement de production .EXAMPLE #> [CmdletBinding()]Param( [Parameter(Mandatory=$True)][string]$mode, [Parameter(Mandatory=$False)][switch]$NtAuth, [Parameter(Mandatory=$False)][switch]$ver ) #-------------------------------------------------------------------------------------------------------------------- # Get script directory. 
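$ComputerName = $MachineName = [System.Environment]::MachineName

# Directory the script was launched from. Nothing in this copy of the script
# reads $base afterwards; it is kept so callers that dot-source the file keep
# seeing the same variables.
$base = $MyInvocation.ScriptName
if (!$base) { $base = $MyInvocation.MyCommand.Definition }
$base = Split-Path -Parent $base
if (!$base) { $base = Get-Location }

# -NtAuth switch: also inspect the enterprise NTAuth store (domain controllers,
# IIS, smart-card logon hosts). $NtauthStr is set but not read in this copy.
if ($NtAuth) {
  $NtauthStr = "NTAUTH"
  $NTAuthEval = $true
} else {
  $NtauthStr = "NONTAUTH"
  $NTAuthEval = $false
}

# -mode selects which Context="..." entries of the embedded data apply.
# NOTE: the help block above talks about -essai / -production switches and a
# -Ver option; the parameter block actually takes -mode <string>, and $ver is
# declared but never acted on in this copy.
# Anything other than PRODUCTION falls back to the test tier, as before; an
# unrecognised value is now reported so that a typo such as "prod" cannot
# silently validate a production workstation against the test-tier chains.
switch ($mode.ToUpper()) {
  "PRODUCTION" { $Palier = "Production" }
  "ESSAI"      { $Palier = "Essai" }
  default {
    Write-Warning "Mode '$mode' non reconnu (attendu: essai | production); validation selon le palier Essai."
    $Palier = "Essai"
  }
}

#--------------------------------------------------------------------------------------------------------------------
# Constants
[string]$SOURCE = "SRC"          # event-log source used for output; must already be registered (not done here)
[string]$Err = "Error"           # error notice
[string]$Inf = "Information"     # informational; console/log file only, no event-log entry
[string]$War = "Warning"         # potential problem that may lead to errors
[string]$Mut = "Mute"            # same as Information but nothing on the console
[string]$Not = "Notification"    # informational entry written to the event log
[int]$LineLength = 90            # width of one framed report line
#--------------------------------------------------------------------------------------------------------------------
$script:ErrorActionPreference = "Stop"

# File-name timestamp. The original used "hhmm" (12-hour clock), so a report
# produced at 14:05 shared its name with one produced at 02:05 and the two
# were appended into the same file; "HH" makes the name unique per minute.
[String]$hodFile = Get-Date -f "yyyyMMddHHmm"
[String]$ReportDir = "C:\Temp\"
[String]$ReportFile = $ReportDir + "SécurSanté_Rapport_des_Chaînes_de_confiance_le_" + $hodFile + ".txt"
# RAMQ-Log wrote to $LogFileName without it ever being defined; derive it from
# the report name (constructed here, adjust if a different location is wanted).
[String]$LogFileName = [System.IO.Path]::ChangeExtension($ReportFile, ".log")

# The redirections below fail if the report directory does not exist.
if (-not (Test-Path -LiteralPath $ReportDir)) {
  New-Item -ItemType Directory -Path $ReportDir | Out-Null
}

# -------------------------------------------------------------------------------------------------------------------
# Certificate data
# -------------------------------------------------------------------------------------------------------------------
# The here-string is empty in this copy of the script (the reference data was
# stripped); casting an empty string to [xml] throws, so the validation below
# cannot run until the data is restored. The accessors used further down imply
# the following shape (attributes or child elements, the XML adapter accepts both):
#   Validations
#     SHA1Date.Date
#     Certificates.Certificate[]           : CodeName, FriendlyName, Thumbprint
#     Validation[] (Context)               : Checks.Check[] -> StoreName, StoreLocation, FriendlyName,
#                                            CertificateNameList.Certificate[].CodeName
#     NtAuth[] (Context)                   : Checks.Check[] -> FriendlyName,
#                                            CertificateNameList.Certificate[].CodeName
[xml]$CertificateData = [xml] @"
"@

#######################################
# Fatal-error handler: logs the error record and terminates the script.
# Not wired to a `trap` statement anywhere in this copy, so it only runs if
# called explicitly. $script:RAMQAux_logStarted is likewise never set here.
# Arguments: $ex - the ErrorRecord to report
# Returns:   never (exit 1 in the Finally block)
#######################################
Function Process-Trap([System.Management.Automation.ErrorRecord]$ex) {
  Try {
    $ii = $ex.InvocationInfo
    $text = "FATAL: $($ii.MyCommand.Name): $($ex.Exception.Message)`r`n$($ii.ScriptName):$($ii.ScriptLineNumber)"
    if ($script:RAMQAux_logStarted) {
      RAMQ-Log $text $Err 199
    } else {
      Write-Host $text -ForegroundColor Magenta
    }
  } Catch {
    # Logging itself failed: fall back to the always-present "Application" source.
    $ErrorMessage = $_.Exception.Message
    Write-EventLog -LogName Application -Source Application -EventId 1001 -Message "FATAL:$($ErrorMessage)" -EntryType Error
  } Finally {
    exit 1
  }
}

#######################################
# Writes one framed, timestamped report line to the console and to $ReportFile.
# Arguments: $msg         - text (trimmed unless it is whitespace only)
#            $Just        - "Left" (default) or anything else for centred
#            $PaddingChar - fill character; "" / "DEF" mean a space
#            $Fcolor      - console foreground colour; "" / "DEF" keep the default
#            $Bcolor      - console background colour; "" / "DEF" keep the default
# Globals:   $LineLength, $ReportFile (read)
#######################################
function RAMQ-Write([string]$msg, [string]$Just, [string]$PaddingChar, [string]$Fcolor, [string]$Bcolor) {
  $hod = "{0:yyyy-MM-dd HH:mm:ss}" -f (Get-Date)
  if ([string]::IsNullOrEmpty($Just)) { $Just = "Left" }
  if ([string]::IsNullOrEmpty($PaddingChar) -or $PaddingChar -eq "DEF") { $PaddingChar = " " }

  $opts = @{}
  if (-not [string]::IsNullOrEmpty($Fcolor) -and $Fcolor -ne "DEF") { $opts.ForegroundColor = $Fcolor }
  if (-not [string]::IsNullOrEmpty($Bcolor) -and $Bcolor -ne "DEF") { $opts.BackgroundColor = $Bcolor }

  if ($msg.Trim() -ne "") { $msg = $msg.Trim() }

  # A message longer than $LineLength yields a negative left length, which is
  # deliberately kept so the right padding is computed the same way as before.
  $LeftPadding = ""
  $LeftPaddingLength = 0
  if ($Just -ne "Left") {
    [int]$LeftPaddingLength = ($LineLength - $msg.Length) / 2
    if ($LeftPaddingLength -gt 0) { $LeftPadding = $PaddingChar * $LeftPaddingLength }
  }
  # The original misspelled this variable ($RigthPadding) and never initialised it.
  $RightPadding = ""
  $RightPaddingLength = $LineLength - ($msg.Length + $LeftPaddingLength)
  if ($RightPaddingLength -gt 0) { $RightPadding = $PaddingChar * $RightPaddingLength }

  $Line = "[$hod] !" + $LeftPadding + $msg + $RightPadding + "!"
  Write-Host @opts $Line
  # ">>" creates the file when it does not exist, so no Test-Path branch is needed.
  Write-Output $Line >> $ReportFile
}

#######################################
# Writes a severity-tagged line to the console, the log file and (for Error,
# Warning and Notification) the Application event log under source $SOURCE.
# Arguments: $msg      - message text
#            $severity - one of $Err, $War, $Inf, $Mut, $Not
#            $eventID  - event-log id
# Globals:   $SOURCE, $LogFileName, $Err/$War/$Inf/$Mut/$Not (read)
#######################################
function RAMQ-Log([string]$msg, [string]$severity, [int]$eventID) {
  $hod = "{0:HH:mm:ss}" -f (Get-Date)
  # Mute is reported exactly like Information (verbose stream only).
  if ($severity -eq $Mut) { $severity = $Inf }
  $text = "[$hod][$severity][$eventID][$msg]"

  if ($severity -eq $Err) {
    Write-Host $text -ForegroundColor Red
    Write-EventLog -LogName Application -EntryType $severity -EventId $eventID -Message $msg -Source $SOURCE
  } elseif ($severity -eq $War) {
    Write-Host $text -ForegroundColor Yellow
    Write-EventLog -LogName Application -EntryType $severity -EventId $eventID -Message $msg -Source $SOURCE
  } elseif ($severity -eq $Inf) {
    # Write-Verbose has no -ForegroundColor parameter; the original call could not bind.
    Write-Verbose $text
  } elseif ($severity -eq $Not) {
    Write-Host $text -ForegroundColor Blue
    Write-EventLog -LogName Application -EntryType $Inf -EventId $eventID -Message $msg -Source $SOURCE
  }

  $msgSeverity = if ($severity.Length -gt 4) { $severity.Substring(0, 4) } else { $severity }
  if (-not [string]::IsNullOrEmpty($LogFileName)) {
    Write-Output "[$hod][$msgSeverity][$eventID][$msg]" >> $LogFileName
  }
}

#######################################
# Reports, for every certificate code a <Check> requires, whether a certificate
# with the reference thumbprint is present in an already-open store.
# Find(..., validOnly=$false) also returns expired certificates, so a "présent"
# line alone does not prove the chain is usable; expired matches get a
# separate [ATTENTION] line.
# Arguments: $Store - an X509Store opened by the caller
#            $Chk   - a Check node of the embedded data
# Globals:   $CertificateData, $today (read)
#######################################
function Test-RequiredCertificates([System.Security.Cryptography.X509Certificates.X509Store]$Store, $Chk) {
  foreach ($CertCode in ($Chk.CertificateNameList.Certificate | ForEach-Object { $_.CodeName })) {
    $Cert = $CertificateData.Validations.Certificates.Certificate | Where-Object { $_.CodeName -eq $CertCode }
    if (-not $Cert -or [string]::IsNullOrEmpty($Cert.Thumbprint)) {
      # Reference-data problem, not a store problem: the original passed a null
      # thumbprint to Find() here.
      RAMQ-Write ("[ERREUR] Code de certificat:" + $CertCode + " sans empreinte dans les données de référence") "Left" " " "Red"
      continue
    }
    $Res = $Store.Certificates.Find("FindByThumbprint", $Cert.Thumbprint, $false)
    if ($Res.Count -eq 0) {
      RAMQ-Write ("[ERREUR] Certificat:" + $Cert.FriendlyName + " manquant") "Left" " " "Red"
      continue
    }
    RAMQ-Write ("[OK ] Certificat:" + $Cert.FriendlyName + " présent")
    foreach ($found in $Res) {
      if ($found.NotAfter -lt $today) {
        RAMQ-Write ("[ATTENTION] Certificat:" + $Cert.FriendlyName + " expiré le " + $found.NotAfter.ToString("yyyy-MM-dd")) "Left" " " "Yellow"
      }
    }
  }
}

#-------------------------------------------------------------------------------------------------------------
$today = Get-Date
# Cut-off date after which SHA-1 chains are to be flagged. Only the data is
# read here; the warning block that used it was left commented out in the
# original and is still not emitted.
$SHA1Date = $null
if ($CertificateData.Validations.SHA1Date.Date) {
  $SHA1Date = [DateTime]$CertificateData.Validations.SHA1Date.Date
}
#-------------------------------------------------------------------------------------------------------------
RAMQ-Write "-" "Center" "-"
RAMQ-Write "Rapport de validation d'état des magasins de certificat - certificats requis pour DSQ" "Center" " "
RAMQ-Write "-" "Center" "-"
RAMQ-Write "-[$Computername]-[$Palier]-" "Center" " "
RAMQ-Write "-" "Center" "-"

# Per-store checks for the selected tier.
foreach ($Val in ($CertificateData.Validations.Validation | Where-Object { $_.Context -eq $Palier })) {
  foreach ($Chk in $Val.Checks.Check) {
    RAMQ-Write ("Validation du magasin:[" + $Chk.StoreName + "/" + $Chk.StoreLocation + "] (" + $Chk.FriendlyName + ")") "Center"
    RAMQ-Write "-" "Center" "-"
    $st = New-Object System.Security.Cryptography.X509Certificates.X509Store $Chk.StoreName, $Chk.StoreLocation
    try {
      $st.Open("ReadOnly")
      Test-RequiredCertificates $st $Chk
    } finally {
      # Close on every path; the original skipped Close() when a lookup threw.
      $st.Close()
    }
    RAMQ-Write "-" "Center" "-"
  }
}

if ($NTAuthEval) {
  # NOTE(review): the single-argument constructor opens "NTAuth" in the
  # CurrentUser location. Confirm this reaches the enterprise NTAuth store that
  # AD, IIS and smart-card logon consult rather than a per-user store of the
  # same name; if it does not, the report would show "manquant" for
  # certificates that are in fact trusted enterprise-wide.
  $st = New-Object System.Security.Cryptography.X509Certificates.X509Store "NTAuth"
  try {
    $st.Open("ReadOnly")
    RAMQ-Write "-" "Center" "-"
    RAMQ-Write "Validation des magasins NTAUTH [pour AD, IIS et consoles]-Certificats requis pour DSQ" "Center" " "
    RAMQ-Write "-" "Center" "-"
    RAMQ-Write "-[Enterprise NTAuth Store] -$Palier-" "Center" " "
    RAMQ-Write "-" "Center" "-"
    foreach ($Val in ($CertificateData.Validations.NtAuth | Where-Object { $_.Context -eq $Palier })) {
      foreach ($Chk in $Val.Checks.Check) {
        RAMQ-Write ("Validation du " + $Chk.FriendlyName) "Center"
        RAMQ-Write (" vérification des certificats requis pour l'environnement: " + $Palier) "Center"
        RAMQ-Write "-" "Center" "-"
        Test-RequiredCertificates $st $Chk
        RAMQ-Write "-" "Center" "-"
      }
    }
  } finally {
    # The original never closed this store.
    $st.Close()
  }
}

RAMQ-Write "-FIN DU RAPPORT -[$Computername]-[$Palier]-" "Center" " "
RAMQ-Write "-" "Center" "-"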