search

TrimarcJake / Locksmith

A small tool built to find and fix common misconfigurations in Active Directory Certificate Services.
https://github.com/TrimarcJake/Locksmith
Other
901 stars 89 forks source link

Improve ESC3 Condition 2 detections #162

Closed TrimarcJake closed 3 months ago

TrimarcJake commented 3 months ago

The msPKI-Certiticate-Name-Flag isn't important for this check and was causing false negatives. FIXED!

github-actions[bot] commented 3 months ago

🦙 MegaLinter status: ⚠️ WARNING

Descriptor Linter Files Fixed Errors Elapsed time
⚠️ COPYPASTE jscpd yes 16 2.26s
⚠️ EDITORCONFIG editorconfig-checker 9 1 0.19s
⚠️ POWERSHELL powershell 9 8 19.67s
✅ POWERSHELL powershell_formatter 9 0 12.47s
⚠️ REPOSITORY checkov yes 1 11.62s
✅ REPOSITORY gitleaks yes no 0.61s
✅ REPOSITORY git_diff yes no 0.01s
✅ REPOSITORY grype yes no 16.12s
✅ REPOSITORY secretlint yes no 0.94s
✅ REPOSITORY trivy yes no 5.72s
✅ REPOSITORY trivy-sbom yes no 2.67s
✅ REPOSITORY trufflehog yes no 7.96s
⚠️ SPELL cspell 10 215 10.81s

See detailed report in MegaLinter reports _Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff_

_MegaLinter is graciously provided by OX Security_

TrimarcJake commented 3 months ago

Looks good. I'm just curious, though: why did you change -eq to -match here?

msPKI-RA-Application-Policies is a multi-value attribute, so -eq could create false negatives in the case where multiple Application Policies are specified.

It should technically be -match '1\.\3\.\6\.\1\.\4\.\1\.311\.20\.2\.1', I guess.