CSEC_PUBLIC/WELA
1
0
Fork 0
mirror of https://github.com/Yamato-Security/WELA.git synced 2025-12-06 17:22:50 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #25 from Yamato-Security/19-check-file-size

Browse Source 
feat: check file size
This commit is contained in:
Zach Mathis (田中ザック)
2025-04-20 10:27:25 +09:00
committed by GitHub
parent 0964246ff6 b3f672733d
commit 1cd6ae8a66
2 changed files with 95 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
.github/workflows/check-audit.yml vendored
View File

@@ -47,9 +47,13 @@ jobs:
# $duration = $endTime - $startTime # $duration = $endTime - $startTime
# Write-Output "Duration: $duration" # Write-Output "Duration: $duration"
- name: Run WELA.ps1 - name: Run WELA.ps1 audit-settings
run: | run: |
./WELA.ps1 audit ./WELA.ps1 audit-settings
- name: Run WELA.ps1 audit-filesize
run: |
./WELA.ps1 audit-filesize
- name: Output UsableRules.csv - name: Output UsableRules.csv
run: | run: |

93
WELA.ps1
View File

@@ -1428,6 +1428,86 @@ function AuditLogSetting {
} }
function AuditFileSize {
# 対象のイベントログ名をハッシュテーブル化
$logNames = @{
"Application" = @("20 MB", "128 MB+")
"Microsoft-Windows-AppLocker/EXE and DLL" = @("1 MB", "256 MB+")
"Microsoft-Windows-AppLocker/MSI and Script" = @("1 MB", "256 MB+")
"Microsoft-Windows-AppLocker/Packaged app-Deployment" = @("1 MB", "256 MB+")
"Microsoft-Windows-AppLocker/Packaged app-Execution" = @("1 MB", "256 MB+")
"Microsoft-Windows-Bits-Client/Analytic" = @("1 MB", "128 MB+")
"Microsoft-Windows-Bits-Client/Operational" = @("1 MB", "128 MB+")
"Microsoft-Windows-CodeIntegrity/Operational" = @("1 MB", "128 MB+")
"Microsoft-Windows-DriverFrameworks-UserMode/Operational" = @("1 MB", "128 MB+")
"Microsoft-Windows-NTLM/Operational" = @("1 MB", "128 MB+")
"Microsoft-Windows-PowerShell/Operational" = @("20 MB", "256 MB+")
"Microsoft-Windows-PrintService/Admin" = @("1 MB", "128 MB+")
"Microsoft-Windows-PrintService/Operational" = @("1 MB", "128 MB+")
"Microsoft-Windows-Security-Mitigations/KernelMode" = @("1 MB", "128 MB+")
"Microsoft-Windows-Security-Mitigations/UserMode" = @("1 MB", "128 MB+")
"Microsoft-Windows-SmbClient/Security" = @("8 MB", "128 MB+")
"Microsoft-Windows-TaskScheduler/Operational" = @("1 MB", "128 MB+")
"Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" = @("1 MB", "128 MB+")
"Microsoft-Windows-Windows Defender/Operational" = @("16MB", "128 MB+")
"Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" = @("1 MB", "256 MB+")
"Microsoft-Windows-WMI-Activity/Operational" = @("1 MB", "128 MB+")
"Security" = @("20 MB", "256 MB+")
"System" = @("20 MB", "128 MB+")
"Windows PowerShell" = @("15 MB", "256 MB+")
}
$results = @()
foreach ($logName in $logNames.Keys | Sort-Object) {
$logInfo = Get-WinEvent -ListLog $logName -ErrorAction Stop
$maxLogSize = [math]::Floor($logInfo.MaximumSizeInBytes / 1MB)
$recommendedSize = [int]($logNames[$logName][1] -replace " MB\+?", "")
$correctSetting = if ($maxLogSize -ge $recommendedSize) { "Y" } else { "N" }
$results += [PSCustomObject]@{
LogFile = Split-Path $logInfo.LogFilePath -Leaf
CurrentLogSize = "{0:N2} MB" -f ($logInfo.FileSize / 1MB)
MaxLogSize = "$maxLogSize MB"
Default = $logNames[$logName][0]
Recommended = $logNames[$logName][1]
CorrectSetting = $correctSetting
}
}
# Format-Tableには色つき出力の機能はないので、Write-Hostで色をつける
$tableLayout = "{0,-75} {1,-15} {2,-15} {3,-15} {4,-15} {5,-10}"
Write-Host ($tableLayout -f `
"Log File", `
"Current Size", `
"Max Size", `
"Default", `
"Recommended", `
"Correct Setting")
Write-Host ($tableLayout -f `
"--------", `
"------------", `
"--------", `
"------", `
"-----------", `
"--------------")
foreach ($result in $results) {
$color = if ($result.CorrectSetting -eq "Y") { "Green" } else { "Red" }
Write-Host ($tableLayout -f `
$result.LogFile, `
$result.CurrentLogSize, `
$result.MaxLogSize, `
$result.Default, `
$result.Recommended, `
$result.CorrectSetting) -ForegroundColor $color
}
$results | Export-Csv -Path "WELA-FileSize-Result.csv" -NoTypeInformation
Write-Host ""
Write-Host "Audit file size result saved to: WELA-FileSize-Result.csv"
}
$logo = @" $logo = @"
@@ -1441,9 +1521,10 @@ $logo = @"
$help = @" $help = @"
Usage: Usage:
./WELA.ps1 audit # Audit current setting and show in stdout, save to csv ./WELA.ps1 audit-settings # Audit current setting and show in stdout, save to csv
./WELA.ps1 audit gui # Audit current setting and show in gui, save to csv ./WELA.ps1 audit-settings gui # Audit current setting and show in gui, save to csv
./WELA.ps1 audit table # Audit current setting and show in table layout, save to csv ./WELA.ps1 audit-settings table # Audit current setting and show in table layout, save to csv
./WELA.ps1 audit-filesize # Audit current file size and show in stdout, save to csv
./WELA.ps1 help # Show this help ./WELA.ps1 help # Show this help
"@ "@
@@ -1458,7 +1539,7 @@ if ($args.Count -eq 0) {
$command = $args[0].ToLower() $command = $args[0].ToLower()
switch ($command) { switch ($command) {
"audit" { "audit-settings" {
$outType = "std" $outType = "std"
$debug = $false $debug = $false
if ($args.Count -eq 2) { if ($args.Count -eq 2) {
@@ -1470,6 +1551,10 @@ switch ($command) {
} }
AuditLogSetting $outType $debug AuditLogSetting $outType $debug
} }
"audit-filesize" {
AuditFileSize
}
"help" { "help" {
Write-Host $help Write-Host $help
} }