nsacyber / Windows-Secure-Host-Baseline

Configuration guidance for implementing the Windows 10 and Windows Server 2016 DoD Secure Host Baseline settings. #nsacyber

The output of Test-Compliance #13

Closed JasonFossen closed 7 years ago

JasonFossen commented 7 years ago

Hello IAD:

There will be people who will want to run commands like this to save the output of Test-Compliance:

Test-Compliance -Path '..\..\Windows\Compliance\Windows 10.audit' | Out-File -FilePath .\Report.txt

But this will fail because of the Write-Host commands in the function. The following command will work though:

Test-Compliance -Path '..\..\Windows\Compliance\Windows 10.audit' *> .\Report.txt

The "*>" redirection operator is available on PowerShell 3.0 and later.

Please consider adding some guidance on the Compliance Checks page's README.md about how to save the output of Test-Compliance using "*>" since this is not an obvious trick, and showing a one-liner using "Select-String -Pattern 'FAILED'" on the output file to extract the important stuff could also be nice.

(Btw, the above audit file, "Windows 10.audit", has a space character in its name (sorry to nitpick!) and, when used with Test-Compliance, the output includes Get-ChildItem and Get-Service exception errors when there is no McAfee software installed. This is a trivial issue, but it does clutter the output when redirecting the output to a file.)

I'm sure this is not news to you, you're probably planning/working on this already, but it would be even better to change the output of Test-Compliance to an array of objects with properties like ComputerName, Status, Description, Info, etc. This would make it much nicer for the sake of remote compliance scanning with Invoke-Command and saving the output in different formats like CSV, XML or JSON. Most people will just use Nessus of course, so it's not a burning issue.

Thanks for the great project!

Cheers, Jason
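The redirection behaviour and the object-output idea from the comment above, as an added example that is not part of the original issue or the project's code. `Test-Demo` is a hypothetical stand-in for a function that reports with Write-Host, its `STATUS: description` line format is constructed, and the example assumes PowerShell 5.0 or later, where Write-Host writes to the information stream.

```powershell
# Hypothetical stand-in for a function that reports results with Write-Host.
# The 'STATUS: description' line format is constructed for this example.
function Test-Demo {
    Write-Host 'PASSED: Constructed check A'
    Write-Host 'FAILED: Constructed check B'
    Write-Host 'FAILED: Constructed check C'
}

$report = Join-Path ([IO.Path]::GetTempPath()) 'Report.txt'

# The pipeline carries only the success stream (1). Write-Host does not write
# to it, so Out-File receives nothing and creates an empty file.
Test-Demo | Out-File -FilePath $report
'Out-File captured {0} line(s)' -f @(Get-Content -Path $report).Count

# '*>' redirects every stream, including the information stream (6)
# that Write-Host uses in PowerShell 5.0 and later.
Test-Demo *> $report
'*> captured {0} line(s)' -f @(Get-Content -Path $report).Count

# Pull only the failed checks out of the saved report.
Select-String -Path $report -Pattern 'FAILED'

# Convert the text lines into objects so they can be filtered and exported.
$results = Get-Content -Path $report | ForEach-Object {
    if ($_ -match '^(?<Status>PASSED|FAILED):\s*(?<Description>.+)$') {
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Status       = $Matches.Status
            Description  = $Matches.Description
        }
    }
}

$csv = Join-Path ([IO.Path]::GetTempPath()) 'Failed.csv'
$results | Where-Object Status -eq 'FAILED' |
    Export-Csv -Path $csv -NoTypeInformation
$results | ConvertTo-Json
```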

iadgovuser1 commented 7 years ago

Good feedback. We definitely need to improve the compliance script to output actual objects which then could be piped into the various CSV and JSON formatting cmdlets available in PowerShell. For now I will update the document as you suggested but leave this issue open to remind us to improve the script to output objects.

Also it sounds like we need to do better error handling to handle McAfee not being installed which I will open separate issues for.

Thanks for the valuable feedback.

iadgovuser1 commented 7 years ago

6d02c90 and c314755 address the documentation issue that you mentioned.

#16 is the issue I filed to have better error handling when AV is not installed.

#17 is the issue I filed to improve script output to be objects.

I'm going to close this issue since I've addressed the documentation here and opened separate issues for the other items.