author | NAshwini <ashwini.nehate@msystechnologies.com> | 2020-01-27 17:42:48 +0530 |
---|---|---|
committer | NAshwini <ashwini.nehate@msystechnologies.com> | 2020-03-05 11:19:16 +0530 |
commit | c5f1a4f274deeffa6afa499518be0c89991265c7 (patch) | |
tree | 600965d5a66773c557052508d4be44251fa035dc | |
parent | 70279cd7b3221a5aa7a91965e463548cb5e2a507 (diff) | |
download | chef-c5f1a4f274deeffa6afa499518be0c89991265c7.tar.gz |
Add windows_security_policy resource
Signed-off-by: NAshwini <ashwini.nehate@msystechnologies.com>
-rw-r--r-- | lib/chef/resource/windows_security_policy.rb | 111 | ||||
-rw-r--r-- | lib/chef/resources.rb | 1 |
2 files changed, 112 insertions, 0 deletions
diff --git a/lib/chef/resource/windows_security_policy.rb b/lib/chef/resource/windows_security_policy.rb
new file mode 100644
index 0000000000..aae32950bd
--- /dev/null
+++ b/lib/chef/resource/windows_security_policy.rb
@@ -0,0 +1,111 @@
+#
+# Author:: Ashwini Nehate (<anehate@chef.io>)
+# Author:: Davin Taddeo (<davin@chef.io>)
+# Author:: Jeff Brimager (<jbrimager@chef.io>)
+# Copyright:: 2019-2020, Chef Software Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require_relative "../resource"
+require_relative "../mixin/powershell_out"
+
+class Chef
+ class Resource
+ class WindowsSecurityPolicy < Chef::Resource
+ include Chef::Mixin::PowershellOut
+ resource_name :windows_security_policy
+
+ policy_names = %w(MinimumPasswordAge
+ MaximumPasswordAge
+ MinimumPasswordLength
+ PasswordComplexity
+ PasswordHistorySize
+ LockoutBadCount
+ RequireLogonToChangePassword
+ ForceLogoffWhenHourExpire
+ NewAdministratorName
+ NewGuestName
+ ClearTextPassword
+ LSAAnonymousNameLookup
+ EnableAdminAccount
+ EnableGuestAccount
+ )
+
+ property :id, String, name_property: true, equal_to: policy_names
+ property :secoption, String, required: false, equal_to: policy_names
+ property :secvalue, String, required: true
+ property :sensitive, [true, false], default: true
+
+ default_action :set
+
+ action :set do
+ new_resource.secoption.nil? ? (security_option = new_resource.id) : (security_option = new_resource.secoption)
+
+ psversion = node['languages']['powershell']['version'].to_i
+ if psversion >= 5
+ if powershell_out!('(Get-PackageSource -Name PSGallery -WarningAction SilentlyContinue).name').stdout.empty? 
|| powershell_out!('(Get-Package -Name cSecurityOptions -WarningAction SilentlyContinue).name').stdout.empty?
+ raise "This resource needs Powershell module cSecurityOptions to be installed. \n Please install it and then re-run the recipe. \n https://www.powershellgallery.com/packages/cSecurityOptions/3.1.3"
+ end
+
+ sec_hash = {
+ security_option => new_resource.secvalue,
+ }
+ dsc_resource 'AccountSettings' do
+ module_name 'cSecurityOptions'
+ resource :AccountAndBasicAuditing
+ property :Enable, '$true'
+ property :AccountAndBasicAuditing, sec_hash
+ sensitive new_resource.sensitive
+ end
+ elsif security_option == ('NewAdministratorName' || 'NewGuestName')
+ desiredname = new_resource.secvalue
+
+ uid = '500' if security_option == 'NewAdministratorName'
+ uid = '501' if security_option == 'NewGuestName'
+
+ powershell_script security_option do
+ code <<-EOH
+ if ((Get-WMIObject -Class Win32_Account -Filter "LocalAccount = True And SID Like '%#{uid}%'").Name -ne '#{desiredname}')
+ {
+ $Administrator = Get-WmiObject -query "Select * From Win32_UserAccount Where LocalAccount = TRUE AND SID LIKE 'S-1-5%-#{uid}'"
+ $Administrator.rename("#{desiredname}")
+ }
+ EOH
+ guard_interpreter :powershell_script
+ only_if <<-EOH
+ Get-WMIObject -Class Win32_Account -Filter "LocalAccount = True And SID Like '%#{uid}%'").Name -ne '#{desiredname}')
+ EOH
+ end
+ else
+ security_value = new_resource.secvalue
+ directory 'c:\\temp'
+ powershell_script "#{security_option} set to #{security_value}" do
+ code <<-EOH
+ $#{security_option}_Export = secedit /export /cfg 'c:\\temp\\#{security_option}_Export.inf'
+ $#{security_option}_ExportAudit = (Get-Content c:\\temp\\#{security_option}_Export.inf | Select-String -Pattern #{security_option})
+ if ($#{security_option}_ExportAudit -match '#{security_option} = #{security_value}')
+ { Remove-Item 'c:\\temp\\#{security_option}_Export.inf' -force }
+ else
+ {
+ $#{security_option}_Remediation = (Get-Content 
c:\\temp\\#{security_option}_Export.inf) | Foreach-Object { $_ -replace "#{security_option}\s*=\s*\d*", "#{security_option}=#{security_value}" } | Set-Content 'c:\\temp\\#{security_option}_Export.inf'
+ secedit /configure /db $env:windir\\security\\new.sdb /cfg 'c:\\temp\\#{security_option}_Export.inf' /areas SECURITYPOLICY
+ Remove-Item 'c:\\temp\\#{security_option}_Export.inf' -force
+ }
+ EOH
+ end
+ end
+ end
+ end
+ end
+end
+
diff --git a/lib/chef/resources.rb b/lib/chef/resources.rb
index 8bdd207e84..7d9a24c830 100644
--- a/lib/chef/resources.rb
+++ b/lib/chef/resources.rb
@@ -159,3 +159,4 @@ require_relative "resource/windows_uac"
 require_relative "resource/windows_workgroup"
 require_relative "resource/timezone"
 require_relative "resource/windows_user_privilege"
+require_relative "resource/windows_security_policy" |
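Review bot: `secvalue` is declared as `property :secvalue, String, required: true` with no validation, yet `action :set` interpolates it straight into PowerShell source — `rename("#{desiredname}")` and `-ne '#{desiredname}'` in the rename script, and the `-match '... = #{security_value}'` / `-replace ..., "#{security_option}=#{security_value}"` patterns in the secedit script — so a value containing a quote, `$(...)` or a backtick breaks out of the literal and runs as the chef-client account (typically SYSTEM); `id`/`secoption` are safe only because `equal_to: policy_names` pins them. Constrain the value on the property rather than at each call site, e.g. `property :secvalue, String, required: true, regex: /\A[\w .-]+\z/` (tighten the class to whatever the numeric policies and account names really need), which also keeps `-replace` substitution tokens such as `$1` out of the replacement string. In the same branch, `security_option == ('NewAdministratorName' || 'NewGuestName')` compares only against `'NewAdministratorName'` because the parenthesised `||` evaluates to its first operand, so `NewGuestName` silently falls through to the secedit path on PowerShell < 5; the intended test is `%w(NewAdministratorName NewGuestName).include?(security_option)`. The `only_if` heredoc is also missing the `((` that the `code` block has before `Get-WMIObject`, so the guard should fail to parse and the rename resource will be skipped rather than run. Finally, the export/configure round-trip through `directory 'c:\\temp'` trusts whatever ACL that directory already has; if a less-privileged local user can write there, the .inf fed to `secedit /configure` could be swapped between export and import, so a path under `Chef::Config[:file_cache_path]` (or a freshly created, SYSTEM-only directory) would be a safer staging location.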