From 436359c40767a614b03694c81d8333a9f2a639e5 Mon Sep 17 00:00:00 2001
From: bk-cs <54042976+bk-cs@users.noreply.github.com>
Date: Tue, 21 May 2024 11:11:16 -0700
Subject: [PATCH] Issue #380 Reapplying some bug fixes that were implemented for properly evaluating `FirewallGroup` and accidentally removed in a later commit
---
 public/psf-config.ps1 | 111 ++++++++++++++++++++++++------------------
 1 file changed, 63 insertions(+), 48 deletions(-)
diff --git a/public/psf-config.ps1 b/public/psf-config.ps1
index d40fa90..92ce110 100644
--- a/public/psf-config.ps1
+++ b/public/psf-config.ps1
@@ -252,46 +252,56 @@ https://github.com/crowdstrike/psfalcon/wiki/Import-FalconConfig } function Compare-ImportData ([string]$Item) { if ($Config.$Item.Cid) { - # Determine if platform is defined for item $Platform = @{} - $Property = @('platform','platform_name').foreach{ if ($Config.$Item.Cid.$_) { $_ } } - @($Config.$Item.Cid.$Property | Select-Object -Unique).foreach{ $Platform[$_] = @{} } + @('platform','platform_name').foreach{ + if ($Config.$Item.Cid.$_) { + @($Config.$Item.Cid.$_ | Select-Object -Unique).foreach{ $Platform[$_] = @{} } + } + } if ($Platform.Count -gt 0) { foreach ($Key in $Platform.Keys) { # Define properties for comparison between imported and existing items (by platform) @('Cid','Import').foreach{ - $Platform.$Key[$_] = @($Config.$Item.$_).Where({ $_.$Property -eq $Key }) + $Platform.$Key[$_] = @($Config.$Item.$_).Where({ + $_.platform -eq $Key -or $_.platform_name -eq $Key + }) } [string[]]$Available = ($Platform.$Key.Cid | Get-Member -MemberType NoteProperty | Select-Object -Unique).Name [string[]]$Compare = @('name','type','value').Where({ $Available -contains $_ }) Write-Log 'Import-FalconConfig' "Evaluating $Key $Item using '$($Compare -join ',')'" - $FilterScript = [scriptblock]::Create((@($Compare).foreach{ "`$_.$_ -eq `$i.$_" }) -join ' -and ') - foreach ($i in $Platform.$Key.Import) { - if (!@($Platform.$Key.Cid).Where({ $FilterScript })) { - # Capture import that doesn't exist - Write-Log 'Import-FalconConfig' "Selecting '$( - if ($i.value) { - if ($i.type) { $i.type,$i.value -join ':' } else { $i.value } - } elseif ($i.precedence -and $Item -eq 'FileVantageRule') { - $i.precedence - } else { - $i.name - } - )' for import" - $i - } elseif (@($Platform.$Key.Cid).Where({ $FilterScript }) -and $ModifyExisting -contains $Item) { - # Capture modification when 'ModifyExisting' is defined + $FilterScript = [scriptblock]::Create( + (@($Compare).foreach{ "`$Platform.`$Key.Cid.$_ -notcontains `$_.$_" }) -join ' -and ' + ) + 
@($Platform.$Key.Import | Where-Object -FilterScript $FilterScript).foreach{ + # Capture items for import (by platform) + Write-Log 'Import-FalconConfig' "Selecting '$( + if ($_.value) { + if ($_.type) { $_.type,$_.value -join ':' } else { $_.value } + } elseif ($_.precedence -and $Item -eq 'FileVantageRule') { + $_.precedence + } else { + $_.name + } + )' for import" + $_ + } + if ($ModifyExisting -contains $Item) { + # Capture (non-policy) items to modify + $FilterScript = [scriptblock]::Create( + (@($Compare).foreach{ "`$Platform.`$Key.Cid.$_ -eq `$_.$_" }) -join ' -and ' + ) + @($Platform.$Key.Import | Where-Object -FilterScript $FilterScript).foreach{ Write-Log 'Import-FalconConfig' "Selecting '$( - if ($i.value) { - if ($i.type) { $i.type,$i.value -join ':' } else { $i.value } - } elseif ($i.precedence -and $Item -eq 'FileVantageRule') { - $i.precedence + if ($_.value) { + if ($_.type) { $_.type,$_.value -join ':' } else { $_.value } + } elseif ($_.precedence -and $Item -eq 'FileVantageRule') { + $_.precedence } else { - $i.name + $_.name } )' for modification" - $Config.$Item.Modify.Add($i) + $Config.$Item.Modify.Add($_) } } } 
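Review bot: The new import filter tests each compared property on its own against the whole existing set, so when `$Compare` holds more than one property an import is skipped as soon as any single field (for example its `type`) already exists on some unrelated item. The generated condition `$Platform.$Key.Cid.<prop> -notcontains $_.<prop>`, joined with `-and`, selects only imports whose every field is unseen, and the `-eq` variant under `$ModifyExisting` likewise accepts fields that match on different existing items. For security configuration this means entries can be left out of an import, or queued for modification on a partial match, while the visible code logs only the items it selected. Matching should be done per existing item on the full tuple, as sketched below; the same pattern is repeated in the non-platform branch of the second hunk (`$Config.$Item.Cid.<prop>`). Compare-ImportData starts and ends outside this hunk.

```powershell
# Match on the whole tuple: one existing item must agree on every compared property
$Existing = @($Platform.$Key.Cid).foreach{
  $Cid = $_
  (@($Compare).foreach{ [string]$Cid.$_ }) -join [char]0
}
$IsNew = {
  $Import = $_
  $Existing -notcontains ((@($Compare).foreach{ [string]$Import.$_ }) -join [char]0)
}
@($Platform.$Key.Import | Where-Object -FilterScript $IsNew).foreach{
  # … unchanged: Write-Log "Selecting … for import" and emit $_ …
}
```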
@@ -301,32 +311,37 @@ https://github.com/crowdstrike/psfalcon/wiki/Import-FalconConfig Select-Object -Unique).Name [string[]]$Compare = @('name','type','value').Where({ $Available -contains $_ }) Write-Log 'Import-FalconConfig' "Evaluating $Item using '$($Compare -join ',')'" - $FilterScript = [scriptblock]::Create((@($Compare).foreach{ "`$_.$_ -eq `$i.$_" }) -join ' -and ') - foreach ($i in $Config.$Item.Import) { - if (!@($Config.$Item.Cid).Where({ $FilterScript })) { - # Capture import that doesn't exist - Write-Log 'Import-FalconConfig' "Selecting '$( - if ($i.value) { - if ($i.type) { $i.type,$i.value -join ':' } else { $i.value } - } elseif ($i.precedence -and $Item -eq 'FileVantageRule') { - $i.precedence - } else { - $i.name - } - )' for import" - $i - } elseif (@($Config.$Item.Cid).Where({ $FilterScript }) -and $ModifyExisting -contains $Item) { - # Capture modification when 'ModifyExisting' is defined + $FilterScript = [scriptblock]::Create( + (@($Compare).foreach{ "`$Config.$Item.Cid.$_ -notcontains `$_.$_" }) -join ' -and ' + ) + @($Config.$Item.Import | Where-Object -FilterScript $FilterScript).foreach{ + # Capture items for import + Write-Log 'Import-FalconConfig' "Selecting '$( + if ($_.value) { + if ($_.type) { $_.type,$_.value -join ':' } else { $_.value } + } elseif ($_.precedence -and $Item -eq 'FileVantageRule') { + $_.precedence + } else { + $_.name + } + )' for import" + $_ + } + if ($ModifyExisting -contains $Item) { + # Capture (non-policy) items to modify + $FilterScript = [scriptblock]::Create((@($Compare).foreach{ + "`$Config.$Item.Cid.$_ -eq `$_.$_" }) -join ' -and ') + @($Config.$Item.Import | Where-Object -FilterScript $FilterScript).foreach{ Write-Log 'Import-FalconConfig' "Selecting '$( - if ($i.value) { - if ($i.type) { $i.type,$i.value -join ':' } else { $i.value } - } elseif ($i.precedence -and $Item -eq 'FileVantageRule') { - $i.precedence + if ($_.value) { + if ($_.type) { $_.type,$_.value -join ':' } else { $_.value } + } 
elseif ($_.precedence -and $Item -eq 'FileVantageRule') { + $_.precedence } else { - $i.name + $_.name } )' for modification" - $Config.$Item.Modify.Add($i) + $Config.$Item.Modify.Add($_) } } }
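Review bot: In this branch `$Item` is expanded while the scriptblock source string is being built, so the value of the `Item` parameter becomes part of the code handed to `[scriptblock]::Create`, whereas the platform branch escapes `$Platform` and `$Key` and resolves them at run time. Where `$Item` comes from is not visible in the hunk; if it can ever be derived from the imported archive rather than a fixed list, this is code built from input. Escaping `$Item` in both generated strings the same way the first hunk escapes `$Key`, so the block text reads `$Config.$Item.Cid.name` and is evaluated at run time, keeps only the fixed names from `$Compare` in the generated source. A short comment above each `[scriptblock]::Create` call stating that only `name`, `type` and `value` may be interpolated would document that constraint. The enclosing function continues outside this hunk.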