v1.117.0: service certificate binding audit (new module 78)#53
Merged
Conversation
Add 78-CertificateAudit, a read-only audit of the certificates bound to this host's service listeners, surfaced under Security & Access [12] Certificate Binding Audit, plus a CLI action. - CertBindingAudit (read-only): reports which certificate is bound to the RDP-Tcp listener and the WinRM HTTPS listener, with subject, days-to- expiry, and whether it has a usable private key. Binding-aware (vs the generic expiry check). JSON-aware; makes no changes. Scope: automated RDP cert ROTATION was prototyped and then DEFERRED after a 3-agent adversarial security review surfaced a real RDP lock-out risk (a self-signed cert's private key is not readable by NETWORK SERVICE by default) plus inconsistent CIM writability of SSLCertificateSHA1Hash across builds. That mutation needs validation on a live elevated RDP server before it ships, so this release lands the audit (which shows exactly what to rotate manually and when) and the rotation follows once verifiable safely. New module 78-CertificateAudit. Modules 78 -> 79. CLI actions 198 -> 199. Section 184 added; 5121 structural tests green.
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
v1.117.0 — Service certificate binding audit
New module 78-CertificateAudit, surfaced under Security & Access → [12] Certificate Binding Audit, plus a read-only CLI action.
CertBindingAudit(read-only) — which certificate is bound to the RDP-Tcp listener and the WinRM HTTPS listener, with subject, days-to-expiry, and whether it has a usable private key. Binding-aware (unlike the generic expiry check). JSON-aware; makes no changes.Scope — rotation deferred (honest): automated RDP cert rotation was prototyped and then deferred after a 3-agent adversarial security review surfaced a real RDP lock-out risk (a self-signed cert's private key isn't readable by
NETWORK SERVICEby default) plus inconsistent CIM writability ofSSLCertificateSHA1Hashacross Windows builds. That mutation needs validation on a live elevated RDP server before it ships. This release lands the audit (which shows exactly what to rotate manually and when); rotation follows once it can be verified safely.New module 78-CertificateAudit. Modules 78 → 79. CLI actions 198 → 199. Section 184 added (5121 structural tests, all green).