Merge branch 'testing' into dev-01-version-check

.github/workflows/mega-linter.yml

@@ -0,0 +1,181 @@
+# MegaLinter GitHub Action configuration file
+# More info at https://megalinter.io
+---
+  name: MegaLinter
+
+  # Trigger mega-linter at every push. Action will also be visible from Pull Requests to main
+  on:
+    # Comment this line to trigger action only on pull-requests
+    # (not recommended if you don't pay for GH Actions)
+    push:
+
+    pull_request:
+      branches:
+        - main
+        - testing
+        - dev
+        - experimental
+
+  # Comment env block if you do not want to apply fixes
+  env:
+    # Apply linter fixes configuration
+    #
+    # When active, APPLY_FIXES must also be defined as environment variable
+    # (in github/workflows/mega-linter.yml or other CI tool)
+    APPLY_FIXES: all
+
+    # Decide which event triggers application of fixes in a commit or a PR
+    # (pull_request, push, all)
+    APPLY_FIXES_EVENT: pull_request
+
+    # If APPLY_FIXES is used, defines if the fixes are directly committed (commit)
+    # or posted in a PR (pull_request)
+    APPLY_FIXES_MODE: commit
+
+  concurrency:
+    group: ${{ github.ref }}-${{ github.workflow }}
+    cancel-in-progress: true
+
+  jobs:
+    megalinter:
+      name: MegaLinter
+      runs-on: ubuntu-latest
+
+      # Give the default GITHUB_TOKEN write permission to commit and push, comment
+      # issues & post new PR; remove the ones you do not need
+      permissions:
+        contents: write
+        issues: write
+        pull-requests: write
+
+      steps:
+
+        # Git Checkout
+        - name: Checkout Code
+          uses: actions/checkout@v4
+          with:
+            token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
+
+            # If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to
+            # improve performance
+            fetch-depth: 0
+
+        # MegaLinter
+        - name: MegaLinter
+
+          # You can override MegaLinter flavor used to have faster performances
+          # More info at https://megalinter.io/flavors/
+          # The dotnet flavor includes PowerShell, MD, YAML, JSON, spelling, and more.
+          uses: oxsecurity/megalinter/flavors/dotnet@v7.7.0
+
+          id: ml
+
+          # All available variables are described in documentation
+          # https://megalinter.io/configuration/
+          env:
+
+            # Validates all source when push on main, else just the git diff with
+            # main. Override with true if you always want to lint all sources
+            #
+            # To validate the entire codebase, set to:
+            # VALIDATE_ALL_CODEBASE: true
+            #
+            # To validate only diff with main, set to:
+            # VALIDATE_ALL_CODEBASE: >-
+            #   ${{
+            #     github.event_name == 'push' &&
+            #     contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref)
+            #   }}
+            VALIDATE_ALL_CODEBASE: >-
+              ${{
+                github.event_name == 'push' &&
+                contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref)
+              }}
+
+            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+            # ADD YOUR CUSTOM ENV VARIABLES HERE OR DEFINE THEM IN A FILE
+            # .mega-linter.yml AT THE ROOT OF YOUR REPOSITORY
+
+            # Uncomment to disable copy-paste and spell checks
+            # DISABLE: COPYPASTE,SPELL
+            DISABLE_ERRORS: true
+            DISABLE_LINTERS: SPELL_LYCHEE
+            # Uncomment DISABLE_ERRORS_LINTERS if you want to turn errors back on selectively.
+            # DISABLE_ERRORS_LINTERS: REPOSITORY_DEVSKIM,REPOSITORY_KICS,REPOSITORY_CHECKOV,POWERSHELL_POWERSHELL,SPELL_CSPELL
+
+        # Upload MegaLinter artifacts
+        - name: Archive production artifacts
+          uses: actions/upload-artifact@v4
+          if: success() || failure()
+          with:
+            name: MegaLinter reports
+            path: |
+              megalinter-reports
+              mega-linter.log
+
+        # Set APPLY_FIXES_IF var for use in future steps
+        - name: Set APPLY_FIXES_IF var
+          run: |
+            printf 'APPLY_FIXES_IF=%s\n' "${{
+              steps.ml.outputs.has_updated_sources == 1 &&
+              (
+                env.APPLY_FIXES_EVENT == 'all' ||
+                env.APPLY_FIXES_EVENT == github.event_name
+              ) &&
+              (
+                github.event_name == 'push' ||
+                github.event.pull_request.head.repo.full_name == github.repository
+              )
+            }}" >> "${GITHUB_ENV}"
+
+        # Set APPLY_FIXES_IF_* vars for use in future steps
+        - name: Set APPLY_FIXES_IF_* vars
+          run: |
+            printf 'APPLY_FIXES_IF_PR=%s\n' "${{
+              env.APPLY_FIXES_IF == 'true' &&
+              env.APPLY_FIXES_MODE == 'pull_request'
+            }}" >> "${GITHUB_ENV}"
+            printf 'APPLY_FIXES_IF_COMMIT=%s\n' "${{
+              env.APPLY_FIXES_IF == 'true' &&
+              env.APPLY_FIXES_MODE == 'commit' &&
+              (!contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref))
+            }}" >> "${GITHUB_ENV}"
+
+        # Create pull request if applicable
+        # (for now works only on PR from same repository, not from forks)
+        - name: Create Pull Request with applied fixes
+          uses: peter-evans/create-pull-request@v5
+          id: cpr
+          if: env.APPLY_FIXES_IF_PR == 'true'
+          with:
+            token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
+            commit-message: "[MegaLinter] Apply linters automatic fixes"
+            title: "[MegaLinter] Apply linters automatic fixes"
+            labels: bot
+
+        - name: Create PR output
+          if: env.APPLY_FIXES_IF_PR == 'true'
+          run: |
+            echo "PR Number - ${{ steps.cpr.outputs.pull-request-number }}"
+            echo "PR URL - ${{ steps.cpr.outputs.pull-request-url }}"
+
+        # Push new commit if applicable
+        # (for now works only on PR from same repository, not from forks)
+        - name: Prepare commit
+          if: env.APPLY_FIXES_IF_COMMIT == 'true'
+          run: sudo chown -Rc $UID .git/
+
+        - name: Commit and push applied linter fixes
+          uses: stefanzweifel/git-auto-commit-action@v5
+          if: env.APPLY_FIXES_IF_COMMIT == 'true'
+          with:
+            branch: >-
+              ${{
+                github.event.pull_request.head.ref ||
+                github.head_ref ||
+                github.ref
+              }}
+            commit_message: "[MegaLinter] Apply linters fixes"
+            commit_user_name: megalinter-bot
+            commit_user_email: megalinter@dotdot.horse

Build/Build-Module.ps1

@@ -24,6 +24,7 @@ Build-Module -ModuleName 'Locksmith' {
         Copyright            = "(c) 2022 - $((Get-Date).Year). All rights reserved."
         Description          = 'A small tool to find and fix common misconfigurations in Active Directory Certificate Services.'
         ProjectUri           = 'https://github.com/TrimarcJake/Locksmith'
+        IconUri              = 'https://github.com/TrimarcJake/Locksmith/Images/locksmith.ico'
         PowerShellVersion    = '5.1'
         Tags                 = @('Windows', 'Locksmith', 'CA', 'PKI', 'ActiveDirectory', 'CertificateServices','ADCS')
     }

README.md

@@ -2,14 +2,26 @@
  _       _____  _______ _     _ _______ _______ _____ _______ _     _
  |      |     | |       |____/  |______ |  |  |   |      |    |_____|
  |_____ |_____| |_____  |    \_ ______| |  |  | __|__    |    |     |
-     .--.                  .--.                  .--.            
+     .--.                  .--.                  .--.
     /.-. '----------.     /.-. '----------.     /.-. '----------.
     \'-' .---'-''-'-'     \'-' .--'--''-'-'     \'-' .--'--'-''-'
-     '--'                  '--'                  '--'  
+     '--'                  '--'                  '--'
 ```
 
 A ~~tiny~~ small tool built to detect and fix common misconfigurations in Active Directory Certificate Services.
 
+<!-- locksmith-badges-start -->
+![GitHub release](https://img.shields.io/github/v/release/trimarcjake/locksmith?sort=semver)
+![GitHub top language](https://img.shields.io/github/languages/top/trimarcjake/locksmith)
+![PowerShell Gallery Platform Support](https://img.shields.io/powershellgallery/p/locksmith)
+[![GitHub contributors](https://img.shields.io/github/contributors/trimarcjake/locksmith.svg)](https://github.com/trimarcjake/locksmith/graphs/contributors/)
+[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg)](http://makeapullrequest.com)
+![GitHub Actions Workflow Status](https://img.shields.io/github/actions/workflow/status/trimarcjake/Locksmith/powershell.yml?logo=github&label=PSScriptAnalyzer)
+[![MegaLinter](https://github.com/trimarcjake/locksmith/workflows/MegaLinter/badge.svg?branch=testing)](https://github.com/trimarcjake/locksmith/actions?query=workflow%3AMegaLinter+branch%3Atesting)
+![PowerShell Gallery Downloads](https://img.shields.io/powershellgallery/dt/locksmith?logo=powershell&label=PowerShell%20Gallery%20Downloads&color=blue)
+[![Tweet](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/intent/tweet?text=Checkout+Locksmith+and+fix+common+misconfigurations+in+Active+Directory+Certificate+Services.&url=https://github.com/trimarcjake/locksmith&hashtags=ADCS,PKI,infosec,powershell)
+<!-- locksmith-badges-end -->
+
 # Contents
 1. [Installation](#Installation)
 2. [Run Locksmith](#RunLocksmith)
@@ -27,7 +39,7 @@ A ~~tiny~~ small tool built to detect and fix common misconfigurations in Active
 ### Install module manually from GitHub:
 1. Download the [latest module version](https://github.com/TrimarcJake/Locksmith/releases/latest) ( **Locksmith-v**\<YEAR\>**.**\<MONTH\>**.zip** )
 2. Extract the downloaded zip file
-3. Open a PowerShell prompt to the loction of the extracted file and run `Import-Module Locksmith.psd1`
+3. Open a PowerShell prompt to the location of the extracted file and run `Import-Module Locksmith.psd1`
 
 ## Script
 ### Download the standalone script (classic) without module:
@@ -42,11 +54,11 @@ A ~~tiny~~ small tool built to detect and fix common misconfigurations in Active
 Running `Invoke-Locksmith.ps1` with no parameters or with `-Mode 0` will scan the current Active Directory forest and output all discovered AD CS issues to the console in **Table** format.
 ``` powershell
 # Module Syntax
-PS> Invoke-Locksmith
+Invoke-Locksmith
 ```
 ``` powershell
 # Script Syntax
-PS> .\Invoke-Locksmith.ps1
+.\Invoke-Locksmith.ps1
 ```
 
 Example Output for Mode 0: https://github.com/TrimarcJake/Locksmith/blob/main/examples/Mode0.md
@@ -57,11 +69,11 @@ Example Output for Mode 0: https://github.com/TrimarcJake/Locksmith/blob/main/ex
 This mode scans the current forest and outputs all discovered AD CS issues and possible fixes to the console in **List** format.
 ``` powershell
 # Module Syntax
-PS> Invoke-Locksmith -Mode 1
+Invoke-Locksmith -Mode 1
 ```
 ``` powershell
 # Script Syntax
-PS> .\Invoke-Locksmith.ps1 -Mode 1
+.\Invoke-Locksmith.ps1 -Mode 1
 ```
 
 Example Output for Mode 1: https://github.com/TrimarcJake/Locksmith/blob/main/examples/Mode1.md
@@ -72,11 +84,11 @@ Example Output for Mode 1: https://github.com/TrimarcJake/Locksmith/blob/main/ex
 Locksmith Mode 2 scans the current forest and outputs all discovered AD CS issues to ADCSIssues.CSV in the present working directory.
 ``` powershell
 # Module Syntax
-PS> Invoke-Locksmith -Mode 2
+Invoke-Locksmith -Mode 2
 ```
 ``` powershell
 # Script Syntax
-PS> .\Invoke-Locksmith.ps1 -Mode 2
+.\Invoke-Locksmith.ps1 -Mode 2
 ```
 
 Example Output for Mode 2: https://github.com/TrimarcJake/Locksmith/blob/main/examples/Mode2.md
@@ -87,11 +99,11 @@ Example Output for Mode 2: https://github.com/TrimarcJake/Locksmith/blob/main/ex
 In Mode 3, Locksmith scans the current forest and outputs all discovered AD CS issues and example fixes to ADCSRemediation.CSV in the present working directory.
 ``` powershell
 # Module Syntax
-PS> Invoke-Locksmith -Mode 3
+Invoke-Locksmith -Mode 3
 ```
 ``` powershell
 # Script Syntax
-PS> .\Invoke-Locksmith.ps1 -Mode 3
+.\Invoke-Locksmith.ps1 -Mode 3
 ```
 
 Example Output for Mode 3: https://github.com/TrimarcJake/Locksmith/blob/main/examples/Mode3.md
@@ -102,11 +114,36 @@ Example Output for Mode 3: https://github.com/TrimarcJake/Locksmith/blob/main/ex
 Mode 4 is the "easy button." Running Locksmith in Mode 4 will identify all misconfigurations and offer to fix each issue. If there is any possible operational impact, Locksmith will warn you.
 ``` powershell
 # Module Syntax
-PS> Invoke-Locksmith -Mode 4
+Invoke-Locksmith -Mode 4
 ```
 ``` powershell
 # Script Syntax
-PS> .\Invoke-Locksmith.ps1 -Mode 4 
+.\Invoke-Locksmith.ps1 -Mode 4
 ```
 
 Example Output for Mode 4: https://github.com/TrimarcJake/Locksmith/blob/main/examples/Mode4.md
+<br>
+<br>
+<a name="Scans" id="Scans"></a>
+## Scans:  Select Which Scans to Run
+Use the `-Scans` parameter to choose which vulnerabilities to scan for. Acceptable values include `All`, `Auditing`, `ESC1`, `ESC2`, `ESC3`, `ESC4`, `ESC5`, `ESC6`, `ESC8`, or `PromptMe`. The `PromptMe` option presents an interactive list allowing you to select scans.
+
+``` powershell
+# Run all scans
+Invoke-Locksmith -Scan All
+```
+
+``` powershell
+# Prompt the user for a list of scans to select
+Invoke-Locksmith.ps1 -Scans PromptMe
+```
+
+``` powershell
+# Scan for ESC1 vulnerable paths
+Invoke-Locksmith.ps1 -Scans ESC1
+```
+
+``` powershell
+# Scan for ESC1, ESC2, and ESC8 vulnerable paths
+Invoke-Locksmith.ps1 -Scans ESC1,ESC2,ESC8
+```