authorTim Smith <tsmith@chef.io>2020-09-30 16:14:23 -0700
committerGitHub <noreply@github.com>2020-09-30 16:14:23 -0700
commita5380b6503b1c3d07f524df471df4aa06f598997 (patch)
tree41e4924a70899b7542d823cd7f5d94ec90190fcf
parent4c2e588d8b7152ef15693c55454222adf7859007 (diff)
parenta4018a9e47913d7a22288e02968cdb48b29f3b0a (diff)
Merge pull request #10473 from chef-davin/main
Signed-off-by: Tim Smith <tsmith@chef.io>
-rw-r--r--kitchen-tests/cookbooks/end_to_end/recipes/windows.rb24
-rw-r--r--lib/chef/resource/windows_audit_policy.rb50
2 files changed, 50 insertions, 24 deletions
diff --git a/kitchen-tests/cookbooks/end_to_end/recipes/windows.rb b/kitchen-tests/cookbooks/end_to_end/recipes/windows.rb
index 33fc16e38a..2ed8e0a8a6 100644
--- a/kitchen-tests/cookbooks/end_to_end/recipes/windows.rb
+++ b/kitchen-tests/cookbooks/end_to_end/recipes/windows.rb
@@ -42,6 +42,30 @@ windows_firewall_profile "Public" do
action :disable
end
+windows_audit_policy "Update Some Advanced Audit Policies to Success and Failure" do
+ subcategory ["Application Generated", "Application Group Management", "Audit Policy Change"]
+ success true
+ failure true
+end
+
+windows_audit_policy "Update Some Advanced Audit Policies to Success only" do
+ subcategory ["Authentication Policy Change", "Authorization Policy Change"]
+ success true
+ failure false
+end
+
+windows_audit_policy "Update Some Advanced Audit Policies to Failure only" do
+ subcategory ["Central Policy Staging", "Certification Services", "Computer Account Management"]
+ success false
+ failure true
+end
+
+windows_audit_policy "Update Some Advanced Audit Policies to No Auditing" do
+ subcategory ["Credential Validation", "DPAPI Activity", "Detailed File Share"]
+ success false
+ failure false
+end
+
users_manage "remove sysadmin" do
group_name "sysadmin"
group_id 2300
diff --git a/lib/chef/resource/windows_audit_policy.rb b/lib/chef/resource/windows_audit_policy.rb
index 230dd3eb80..433e18e197 100644
--- a/lib/chef/resource/windows_audit_policy.rb
+++ b/lib/chef/resource/windows_audit_policy.rb
@@ -152,30 +152,6 @@ class Chef
property :audit_base_directories, [true, false],
description: "Setting this audit policy option to true will force the system to assign a System Access Control List to named objects to enable auditing of container objects such as directories."
- def subcategory_configured?(sub_cat, success_value, failure_value)
- setting = if success_value && failure_value
- "Success and Failure$"
- elsif success_value && !failure_value
- "Success$"
- elsif !success_value && failure_value
- "(Failure$)&!(Success and Failure$)"
- else
- "No Auditing"
- end
- powershell_exec(<<-CODE).result
- $auditpol_config = auditpol /get /subcategory:"#{sub_cat}"
- if ($auditpol_config | Select-String "#{setting}") { return $true } else { return $false }
- CODE
- end
-
- def option_configured?(option_name, option_setting)
- setting = option_setting ? "Enabled$" : "Disabled$"
- powershell_exec(<<-CODE).result
- $auditpol_config = auditpol /get /option:#{option_name}
- if ($auditpol_config | Select-String "#{setting}") { return $true } else { return $false }
- CODE
- end
-
action :set do
unless new_resource.subcategory.nil?
new_resource.subcategory.each do |subcategory|
@@ -225,6 +201,32 @@ class Chef
end
end
end
+
+ action_class do
+ def subcategory_configured?(sub_cat, success_value, failure_value)
+ setting = if success_value && failure_value
+ "Success and Failure$"
+ elsif success_value && !failure_value
+ "Success$"
+ elsif !success_value && failure_value
+ "#{sub_cat}\\s+Failure$"
+ else
+ "No Auditing"
+ end
+ powershell_exec!(<<-CODE).result
+ $auditpol_config = auditpol /get /subcategory:"#{sub_cat}"
+ if ($auditpol_config | Select-String "#{setting}") { return $true } else { return $false }
+ CODE
+ end
+
+ def option_configured?(option_name, option_setting)
+ setting = option_setting ? "Enabled$" : "Disabled$"
+ powershell_exec!(<<-CODE).result
+ $auditpol_config = auditpol /get /option:#{option_name}
+ if ($auditpol_config | Select-String "#{setting}") { return $true } else { return $false }
+ CODE
+ end
+ end
end
end
end
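Review bot: In `subcategory_configured?` the Failure-only pattern `"#{sub_cat}\\s+Failure$"` places the subcategory name into a Select-String regex unescaped, and both helpers interpolate property values directly into the PowerShell source passed to `powershell_exec!`. A name containing a regex metacharacter could make the match miss or over-match, so the resource could treat an audit subcategory as already configured when it is not and leave a silent gap in audit logging; a value containing a double quote would alter the script text itself. The property definitions are outside this hunk, so unless `subcategory` and the option names are restricted to a fixed list there, the name should be passed through `[regex]::Escape` on the PowerShell side before the pattern is built. The `"No Auditing"` branch is also the only pattern without an end anchor; `"No Auditing$"` would bring it in line with the other three.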