poshspec
Unable to test PowerShell Auditing Settings via registry
When testing for PowerShell auditing settings, I am unable to test for the following value, as it contains a "*".
The code below is what I'm currently using, which doesn't work. I have tried escaping the * by "*" but that doesn't work.
```powershell
Registry 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames\' "*" { Should -Be '*'}
```
The problem code is the ExpandProperty, as shown below.
```powershell
Get-ItemProperty HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames\ | Select-Object -ExpandProperty '*'
```
Here is the full Context that I'm using for the PowerShell Audit Settings.
```powershell
Context -Name 'Powershell Auditing' -Fixture {
    #Turn on Module Logging: Enabled
    Registry 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging\' 'EnableModuleLogging' { Should -BeExactly 1}
    #* Module Names: *
    Registry 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames\' "*" { Should -Be '*'}
    #* Turn on Powershell Script Block Logging:
    # * Enabled
    Registry 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\' 'EnableScriptBlockLogging' { Should -Be 1}
    #* Log script block invocation start / stop events:
    # * Disabled
    # Test-Path only sees registry keys, not values, so probe the value itself
    if ($null -ne (Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\' -Name 'EnableScriptBlockInvocationLogging' -ErrorAction SilentlyContinue)) {
        #If Value doesn't exist it defaults to 0
        Registry 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\' 'EnableScriptBlockInvocationLogging' {Should -BeLessOrEqual 0}
    }
}
```
I have created a workaround for my issue by using ".PSObject.Properties.Where{$_.Name -eq '*'}.Value" as shown below.
```powershell
Context -Name 'Powershell Auditing' -Fixture {
    #Turn on Module Logging: Enabled
    Registry 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging\' 'EnableModuleLogging' { Should -BeExactly 1}
    #* Module Names: *
    #Registry 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames\' "*" { Should -Be '*'}
    It -Name 'Log all modules (ModuleNames: *)' -test {
        (Get-ItemProperty HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames\).PSObject.Properties.Where{$_.Name -eq '*'}.Value | Should -BeExactly '*'
    }
    #* Turn on Powershell Script Block Logging:
    # * Enabled
    Registry 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\' 'EnableScriptBlockLogging' { Should -Be 1}
    #* Log script block invocation start / stop events:
    # * Disabled
    # Test-Path only sees registry keys, not values, so probe the value itself
    if ($null -ne (Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\' -Name 'EnableScriptBlockInvocationLogging' -ErrorAction SilentlyContinue)) {
        #If Value doesn't exist it defaults to 0
        Registry 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\' 'EnableScriptBlockInvocationLogging' {Should -BeLessOrEqual 0}
    }
}
```
That is an interesting scenario. I would suggest a new function for testing PowerShell Auditing but 👍 on the workaround. Using an asterisk is an annoying name for a property.
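
A sketch of a dedicated audit-policy check, as an added example that is not part of the original thread or of poshspec: it reads each value through the registry key's `GetValue()` method, which takes the name `*` literally instead of as a wildcard. The function names `Get-PolicyValue` and `Test-PowerShellAuditPolicy` are hypothetical; the registry paths and expected values are the ones from the issue.

```powershell
# Added example: hypothetical helpers, not poshspec code.
function Get-PolicyValue {
    param(
        [Parameter(Mandatory)] [string] $KeyPath,
        [Parameter(Mandatory)] [string] $ValueName,
        $Default = $null
    )
    # Get-Item returns a Microsoft.Win32.RegistryKey; GetValue() treats the
    # value name literally, so '*' is not expanded as a wildcard.
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $Default }   # policy key not present
    return $key.GetValue($ValueName, $Default)
}

function Test-PowerShellAuditPolicy {
    $base = 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell'
    $checks = @(
        @{ Key = "$base\ModuleLogging"; Name = 'EnableModuleLogging'; Expected = 1; Default = $null }
        @{ Key = "$base\ModuleLogging\ModuleNames"; Name = '*'; Expected = '*'; Default = $null }
        @{ Key = "$base\ScriptBlockLogging"; Name = 'EnableScriptBlockLogging'; Expected = 1; Default = $null }
        # A missing value is treated as 0, matching the comment in the issue's code
        @{ Key = "$base\ScriptBlockLogging"; Name = 'EnableScriptBlockInvocationLogging'; Expected = 0; Default = 0 }
    )
    foreach ($c in $checks) {
        $actual = Get-PolicyValue -KeyPath $c.Key -ValueName $c.Name -Default $c.Default
        # One result row per setting; a missing required value is non-compliant
        [pscustomobject]@{
            Key       = $c.Key
            Name      = $c.Name
            Expected  = $c.Expected
            Actual    = $actual
            Compliant = ($null -ne $actual) -and ($actual -eq $c.Expected)
        }
    }
}

Test-PowerShellAuditPolicy | Format-Table Name, Expected, Actual, Compliant -AutoSize
```

Inside a Pester `It` block, the same rows can be asserted on by filtering for `Compliant -eq $false` and piping the result to `Should -BeNullOrEmpty`.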