Add windows_security_policy resource

Signed-off-by: NAshwini <ashwini.nehate@msystechnologies.com>

2 files changed, 112 insertions, 0 deletions

diff --git a/lib/chef/resource/windows_security_policy.rb b/lib/chef/resource/windows_security_policy.rb
new file mode 100644
index 0000000000..aae32950bd
--- /dev/null
+++ b/lib/chef/resource/windows_security_policy.rb
@@ -0,0 +1,111 @@
+#
+# Author:: Ashwini Nehate (<anehate@chef.io>)
+# Author:: Davin Taddeo (<davin@chef.io>)
+# Author:: Jeff Brimager (<jbrimager@chef.io>)
+# Copyright:: 2019-2020, Chef Software Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require_relative "../resource"
+require_relative "../mixin/powershell_out"
+
+class Chef
+  class Resource
+    class WindowsSecurityPolicy < Chef::Resource
+      include Chef::Mixin::PowershellOut
+      resource_name :windows_security_policy
+
+      policy_names = %w(MinimumPasswordAge
+                MaximumPasswordAge
+                MinimumPasswordLength
+                PasswordComplexity
+                PasswordHistorySize
+                LockoutBadCount
+                RequireLogonToChangePassword
+                ForceLogoffWhenHourExpire
+                NewAdministratorName
+                NewGuestName
+                ClearTextPassword
+                LSAAnonymousNameLookup
+                EnableAdminAccount
+                EnableGuestAccount
+                )
+
+      property :id, String, name_property: true, equal_to: policy_names
+      property :secoption, String, required: false, equal_to: policy_names
+      property :secvalue, String, required: true
+      property :sensitive, [true, false], default: true
+     
+      default_action :set
+
+      action :set do
+        new_resource.secoption.nil? ? (security_option = new_resource.id) : (security_option = new_resource.secoption)
+
+        psversion = node['languages']['powershell']['version'].to_i
+        if psversion >= 5
+          if powershell_out!('(Get-PackageSource -Name PSGallery -WarningAction SilentlyContinue).name').stdout.empty? || powershell_out!('(Get-Package -Name cSecurityOptions -WarningAction SilentlyContinue).name').stdout.empty?
+            raise "This resource needs Powershell module cSecurityOptions to be installed. \n Please install it and then re-run the recipe. \n https://www.powershellgallery.com/packages/cSecurityOptions/3.1.3"
+          end
+      
+          sec_hash = {
+            security_option => new_resource.secvalue,
+          }
+          dsc_resource 'AccountSettings' do
+            module_name 'cSecurityOptions'
+            resource :AccountAndBasicAuditing
+            property :Enable, '$true'
+            property :AccountAndBasicAuditing, sec_hash
+            sensitive new_resource.sensitive
+          end
+        elsif security_option == ('NewAdministratorName' || 'NewGuestName')
+          desiredname = new_resource.secvalue
+
+          uid = '500' if security_option == 'NewAdministratorName'
+          uid = '501' if security_option == 'NewGuestName'
+
+          powershell_script security_option do
+            code <<-EOH
+              if ((Get-WMIObject -Class Win32_Account -Filter "LocalAccount = True And SID Like '%#{uid}%'").Name -ne '#{desiredname}')
+                {
+                  $Administrator = Get-WmiObject -query "Select * From Win32_UserAccount Where LocalAccount = TRUE AND SID LIKE 'S-1-5%-#{uid}'"
+                  $Administrator.rename("#{desiredname}")
+                }
+              EOH
+            guard_interpreter :powershell_script
+              only_if <<-EOH
+                  Get-WMIObject -Class Win32_Account -Filter "LocalAccount = True And SID Like '%#{uid}%'").Name -ne '#{desiredname}')
+                EOH
+          end
+        else
+          security_value = new_resource.secvalue
+          directory 'c:\\temp'
+          powershell_script "#{security_option} set to #{security_value}" do
+            code <<-EOH
+              $#{security_option}_Export = secedit /export /cfg 'c:\\temp\\#{security_option}_Export.inf'
+              $#{security_option}_ExportAudit = (Get-Content c:\\temp\\#{security_option}_Export.inf | Select-String -Pattern #{security_option})
+              if ($#{security_option}_ExportAudit -match '#{security_option} = #{security_value}') 
+                { Remove-Item 'c:\\temp\\#{security_option}_Export.inf' -force }
+              else
+                {
+                  $#{security_option}_Remediation = (Get-Content c:\\temp\\#{security_option}_Export.inf) | Foreach-Object { $_ -replace "#{security_option}\s*=\s*\d*", "#{security_option}=#{security_value}" } | Set-Content 'c:\\temp\\#{security_option}_Export.inf'
+                  secedit /configure /db $env:windir\\security\\new.sdb /cfg 'c:\\temp\\#{security_option}_Export.inf' /areas SECURITYPOLICY
+                  Remove-Item 'c:\\temp\\#{security_option}_Export.inf' -force
+                }
+            EOH
+          end
+        end
+      end
+    end
+  end
+end
+
diff --git a/lib/chef/resources.rb b/lib/chef/resources.rb
index 8bdd207e84..7d9a24c830 100644
--- a/lib/chef/resources.rb
+++ b/lib/chef/resources.rb
@@ -159,3 +159,4 @@ require_relative "resource/windows_uac"
 require_relative "resource/windows_workgroup"
 require_relative "resource/timezone"
 require_relative "resource/windows_user_privilege"
+require_relative "resource/windows_security_policy"