Add Script Checks

Create a Script-based Check

  1. In VS Code, create a new file with this content:
    <# This script checks that a TPM is present and ready using Get-Tpm. #>
    
    # clear all errors
    $error.Clear()
    
    # check tpm is present and ready
    try {
      $TPM = Get-TPM
    
      # write TPM details to stdout so they get captured for debugging purposes
      Write-Output $TPM
    
      if ($TPM -and $TPM.TpmPresent -and $TPM.TpmReady) {
          Write-Output "Result: PASS"
          exit $env:XCCDF_RESULT_PASS
      } else {
          Write-Output "Result: FAIL"
          exit $env:XCCDF_RESULT_FAIL
      }
    } catch {
      Write-Output $_
      Write-Output "Result: ERROR"
      exit $env:XCCDF_RESULT_ERROR
    }
    
  2. Save it as ~/Slang/check_scripts/tpm.present.ps1

     Tip: all script-based checks should be kept in ~/Slang/check_scripts.
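Before exporting, it is worth running the script the way the scanner will, so that a typo does not surface only as a mysterious result in the report. The harness below is an added example, not part of Slang or the QuickStart: it exports the XCCDF_RESULT_* variables (the numeric values are the SCE convention used by OpenSCAP, 101 to 104, assumed here since Slang does not document them on this page), runs a check script in a child PowerShell process, and maps the exit code back to a result name. The Invoke-ScriptCheck function name and its -Values parameter are this example's own; the Get-Tpm cmdlet needs an elevated session, so run this from an elevated prompt.

```powershell
# Added example: local test harness for SCE-style script checks (not Slang's code).
# Mimics the scanner by exporting XCCDF_RESULT_* and any XCCDF_VALUE_* variables,
# then reading the script's exit code. The numbers are the SCE convention
# (PASS=101, FAIL=102, ERROR=103, UNKNOWN=104); the real scanner sets its own.
$ResultCodes = @{
    XCCDF_RESULT_PASS    = 101
    XCCDF_RESULT_FAIL    = 102
    XCCDF_RESULT_ERROR   = 103
    XCCDF_RESULT_UNKNOWN = 104
}

function Invoke-ScriptCheck {
    param(
        [Parameter(Mandatory)] [string] $ScriptPath,
        [hashtable] $Values = @{}      # optional parameters, e.g. @{ MIN_LENGTH = 14 }
    )

    # Export result codes and parameters into this process's environment;
    # the child PowerShell process inherits them, exactly as it would from the scanner.
    foreach ($kv in $ResultCodes.GetEnumerator()) {
        Set-Item -Path "Env:$($kv.Key)" -Value $kv.Value
    }
    foreach ($kv in $Values.GetEnumerator()) {
        Set-Item -Path "Env:XCCDF_VALUE_$($kv.Key)" -Value $kv.Value
    }

    # Run in a separate process so the script's 'exit' ends that process, not this session.
    $output = & powershell.exe -NoProfile -ExecutionPolicy Bypass -File $ScriptPath 2>&1
    $code = $LASTEXITCODE

    # Map the exit code back to a result name; anything else (including 0 from a
    # script that fell off the end without an explicit exit) is flagged.
    $name = ($ResultCodes.GetEnumerator() | Where-Object { $_.Value -eq $code } | Select-Object -First 1).Key
    if (-not $name) { $name = "UNRECOGNIZED ($code)" }

    [pscustomobject]@{
        Script   = $ScriptPath
        ExitCode = $code
        Result   = $name
        Output   = ($output | Out-String)
    }
}

# Usage: run the TPM check from the QuickStart in an elevated PowerShell.
Invoke-ScriptCheck -ScriptPath "$HOME\Slang\check_scripts\tpm.present.ps1"
```

The UNRECOGNIZED case is the one to watch for: a script that reaches the end without calling exit returns 0, which is none of the SCE result codes, so every branch of a check should end in an explicit exit with one of the XCCDF_RESULT_* variables.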

Add the Script-based Check to a Rule

Once you have added scripts to your ~/Slang/check_scripts folder,
you can use them in Slang rules.

  1. Open the QuickStart project in VS Code (File, Open Folder)
  2. Create a new file in the QuickStart project named tpm.slang with the following content, then save it:
    Rule:
      title: TPM is present and enabled
      checks:
        - common.script:
            script_file: tpm.present.ps1
    
  3. From the Terminal, run slang export QuickStart quickstart.xml to export your Slang project including the new script-based check.

Test Your New Check

If you have a Windows 10 device to scan against and have completed the Testing QuickStart, run slang export QuickStart quickstart.xml --scan_config QuickTest --profile profile.general_use.slang --elevate y to export and test your project with the General Use profile. Keep --elevate y: Get-Tpm requires an elevated session, so the script check will return ERROR rather than PASS without it.

When you review the results, you’ll see that the local_admin_disabled rule is marked “NOT SELECTED”.

More About Script-Based Checks

  • Scripts can be in any language for which the scan target has an interpreter. On Windows that usually means a Batch file, PowerShell, VBScript, or JScript; on Linux, Bash or Perl. If you know your scan targets have Python, Ruby, or anything else, feel free to use that. Remember that the script runs on the target with the scanner’s privileges, so keep checks read-only: inspect state, never change it.
  • Script-based checks report their result (PASS, FAIL, etc.) through their exit code. The scanner sets one environment variable per possible result, and your script should exit with the value of the matching variable: XCCDF_RESULT_PASS, XCCDF_RESULT_FAIL, XCCDF_RESULT_ERROR, or XCCDF_RESULT_UNKNOWN. Always exit through these variables rather than hard-coded numbers, and make sure every path through the script ends in an explicit exit; a script that simply runs off the end exits with 0, which is none of these results.
  • Script checks use the Script Check Engine (“SCE”) standard. Learn more about SCE here.
  • You can use Slang Parameters with script-based checks, just like you can with regular Slang checks. First, declare a Slang Parameter. Then, pass it to your script via an environment variable like this:
    - common.script:
        script_file: check_scripts\tpm.present.ps1
        set_environment_variables:
          MIN_LENGTH: ${min_length_param}
    

    In this example, the parameter name is min_length_param and your script can access its value via an environment variable named XCCDF_VALUE_MIN_LENGTH. The value always arrives as a string, so validate and convert it before comparing.
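As an added example of a check that consumes such a parameter (this is not code from the QuickStart; the page’s own snippet passes MIN_LENGTH to tpm.present.ps1, which does not use it), the script below reads XCCDF_VALUE_MIN_LENGTH and compares it to the local minimum password length reported by net accounts. It assumes an English-locale Windows target, because it parses the "Minimum password length" line of that command’s output, and it treats a missing or non-numeric parameter as ERROR and an unparsable command output as UNKNOWN rather than FAIL, so a misconfigured rule is not reported as a non-compliant host.

```powershell
<# Added example (not part of the Slang QuickStart): a script check that reads
   the MIN_LENGTH parameter from XCCDF_VALUE_MIN_LENGTH and checks it against
   the local minimum password length from 'net accounts'.
   Assumes an English-locale Windows target for the output parsing. #>

# clear all errors
$error.Clear()

try {
    # The parameter arrives as a string. A missing or non-numeric value is a
    # rule configuration problem, so report ERROR rather than FAIL.
    $raw = $env:XCCDF_VALUE_MIN_LENGTH
    $minLength = 0
    if ([string]::IsNullOrWhiteSpace($raw) -or -not [int]::TryParse($raw, [ref]$minLength)) {
        Write-Output "XCCDF_VALUE_MIN_LENGTH is missing or not an integer: '$raw'"
        Write-Output "Result: ERROR"
        exit $env:XCCDF_RESULT_ERROR
    }

    # 'net accounts' prints a line like "Minimum password length:    14"
    $line = (net accounts) | Where-Object { $_ -match '^Minimum password length' } | Select-Object -First 1
    if (-not $line -or -not ($line -match '(\d+)\s*$')) {
        # Non-English locale or unexpected output: we could not determine the state
        Write-Output "Could not parse minimum password length from 'net accounts' output"
        Write-Output "Result: UNKNOWN"
        exit $env:XCCDF_RESULT_UNKNOWN
    }
    $actual = [int]$Matches[1]

    # write the observed and required values to stdout so they are captured for debugging
    Write-Output "Configured minimum password length: $actual (required: $minLength)"

    if ($actual -ge $minLength) {
        Write-Output "Result: PASS"
        exit $env:XCCDF_RESULT_PASS
    } else {
        Write-Output "Result: FAIL"
        exit $env:XCCDF_RESULT_FAIL
    }
} catch {
    # e.g. 'net' not found; surface the exception text, then report ERROR
    Write-Output $_
    Write-Output "Result: ERROR"
    exit $env:XCCDF_RESULT_ERROR
}
```

Saved under ~/Slang/check_scripts, it would be referenced from a rule in the same way as the snippet above, with MIN_LENGTH set from the declared parameter. The distinction between ERROR (the check itself could not run correctly) and UNKNOWN (the check ran but could not read the state) keeps the report honest when something other than the host’s configuration is wrong.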

Questions? Feedback?

Please contact your account executive or reach out here!