I would like to create relevance based on the hash algorithm of a certificate. For example, if a specific certificate has a has algorithm of SHA1, I would like my fixlet to be relevant.
For comparison, I can get this using Powershell or the CertMgr.msc. In powershell it might look something like this:
$thumb = “3643DAF129E4CBA15489EAD9695C2717A3DDD430”
(Get-ChildItem Cert:\LocalMachine -recurse | where {$_.thumbprint -eq $thumb} | select -first 1).SignatureAlgorithm.FriendlyName
I don’t think BigFix has an inspector that provides what you are looking for, but I did find an open source project hashID that could help get you the regular expressions needed to build your own version in BigFix. For example, check out the prototypes.json page of that project.
What inspector would you think is missing? I’ve been trying to get a set of new inspectors for certificates figured out. Expiration Date etc would be an obvious set but any input would help
Alan, have you seen the Certificate Probe that @strawgate built for C3? It mines the cert store and throws everything in the registry for a related analysis to pick up. So having inspectors to replace those analysis properties would be awesome. And I guess another inspector for “Cert Algorithm” or something to cover the needs of @dhale72.
The certificate store probe should be capturing certificate algorithm. I’m not sure the analysis pulls it in but you’re just a registry key read away from getting it
Thank fermt. Unfortunately, I am not looking for the SHA1 of a certificate, I am looking to determine if the hash algorithm of a certificate is SHA1 or SHA256.
Hi Sean, thank you for the response. I am very unfamiliar with Python, will this allow us to create custom inspectors that may be used in relevance of a fixlet or a task?
Good morning AlanM, I would like for the relevance inspectors to be able to identify certificate hash algorithm and possibly the template used to enroll the certificate. I believe that inspecting the registry blob of a certificate can reveal the valid dates of the certificate and the store location.
The ideal update to relevance for me as a Windows administrator is to be able to use Powershell cmdlets to determine relevance on a Windows endpoint either from within the proprietary relevance language or in place of the relevance language. I may just be dreaming though.
Thank you strawgate. I actually have already created an analysis to pull in the information I need but it is rather clunky as I send out a task to create a XML file and simply pull that information into the analysis. What I am looking to do is create a fixlet that replaces a specific certificate if it has a hash algorithm of SHA1 and not SHA256.
@dhale72 forget about the python package I linked to, because as @strawgate corrected me, I do see now that his script adds the cert hash algorithm to the registry already.
Unfortunately until the BigFix team is able to release these types of inspectors for the cert attributes, I think you are stuck with the two pronged approach that sounds similar to what @strawgate and what we all do in these situations: create a regularly scheduled job to run a script / create a file / create registry keys. Then the data is there for you to use in analyses / fixlets / etc.
