author | Davin Taddeo <davin@chef.io> | 2020-09-30 14:17:37 -0400 |
---|---|---|
committer | Davin Taddeo <davin@chef.io> | 2020-09-30 14:17:37 -0400 |
commit | fa0c3ce1e6bb7d7fcbc1928a58f0253a879d051b (patch) | |
tree | 966e18e5ade65269af516d69b5676193f7862201 | |
parent | 3017f86f0363f6fb0b0d1dea32a4bb637055158a (diff) | |
download | chef-fa0c3ce1e6bb7d7fcbc1928a58f0253a879d051b.tar.gz |
fix for the windows_audit_policy resource and added some tests for it into the windows end-to-end kitchen testing.
Signed-off-by: Davin Taddeo <davin@chef.io>
-rw-r--r-- | kitchen-tests/cookbooks/end_to_end/recipes/windows.rb | 24 | ||||
-rw-r--r-- | lib/chef/resource/windows_audit_policy.rb | 50 |
2 files changed, 50 insertions, 24 deletions
diff --git a/kitchen-tests/cookbooks/end_to_end/recipes/windows.rb b/kitchen-tests/cookbooks/end_to_end/recipes/windows.rb
index 6a60c1f305..37f8d9dc66 100644
--- a/kitchen-tests/cookbooks/end_to_end/recipes/windows.rb
+++ b/kitchen-tests/cookbooks/end_to_end/recipes/windows.rb
@@ -47,6 +47,30 @@ windows_firewall_profile "Public" do
 action :disable
 end
 
+windows_audit_policy "Update Some Advanced Audit Policies to Success and Failure" do
+ subcategory subcategory ["Application Generated", "Application Group Management", "Audit Policy Change"]
+ success true
+ failure true
+end
+
+windows_audit_policy "Update Some Advanced Audit Policies to Success only" do
+ subcategory subcategory ["Authentication Policy Change", "Authorization Policy Change"]
+ success true
+ failure false
+end
+
+windows_audit_policy "Update Some Advanced Audit Policies to Failure only" do
+ subcategory subcategory ["Central Policy Staging", "Certification Services", "Computer Account Management"]
+ success false
+ failure true
+end
+
+windows_audit_policy "Update Some Advanced Audit Policies to No Auditing" do
+ subcategory subcategory ["Credential Validation", "DPAPI Activity", "Detailed File Share"]
+ success false
+ failure false
+end
+
 users_manage "remove sysadmin" do
 group_name "sysadmin"
 group_id 2300
diff --git a/lib/chef/resource/windows_audit_policy.rb b/lib/chef/resource/windows_audit_policy.rb
index 230dd3eb80..5bc844f46d 100644
--- a/lib/chef/resource/windows_audit_policy.rb
+++ b/lib/chef/resource/windows_audit_policy.rb
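Review bot: The property name is written twice in each of the four added `windows_audit_policy` blocks in recipes/windows.rb (`subcategory subcategory [...]`). Ruby parses that as a nested call, so it probably still sets the property, but it reads as a typo and depends on the setter returning its argument. Each line should be of the form `subcategory ["Application Generated", "Application Group Management", "Audit Policy Change"]`. As far as this hunk shows, the recipe only applies the settings and never reads the resulting policy back, so a wrong "already configured" match in the resource would not fail this test.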
@@ -152,30 +152,6 @@ class Chef
 property :audit_base_directories, [true, false],
 description: "Setting this audit policy option to true will force the system to assign a System Access Control List to named objects to enable auditing of container objects such as directories."
 
- def subcategory_configured?(sub_cat, success_value, failure_value)
- setting = if success_value && failure_value
- "Success and Failure$"
- elsif success_value && !failure_value
- "Success$"
- elsif !success_value && failure_value
- "(Failure$)&!(Success and Failure$)"
- else
- "No Auditing"
- end
- powershell_exec(<<-CODE).result
- $auditpol_config = auditpol /get /subcategory:"#{sub_cat}"
- if ($auditpol_config | Select-String "#{setting}") { return $true } else { return $false }
- CODE
- end
-
- def option_configured?(option_name, option_setting)
- setting = option_setting ? "Enabled$" : "Disabled$"
- powershell_exec(<<-CODE).result
- $auditpol_config = auditpol /get /option:#{option_name}
- if ($auditpol_config | Select-String "#{setting}") { return $true } else { return $false }
- CODE
- end
-
 action :set do
 unless new_resource.subcategory.nil?
 new_resource.subcategory.each do |subcategory|
@@ -225,6 +201,32 @@ class Chef
 end
 end
 end
+
+ action_class do
+ def subcategory_configured?(sub_cat, success_value, failure_value)
+ setting = if success_value && failure_value
+ "Success and Failure$"
+ elsif success_value && !failure_value
+ "Success$"
+ elsif !success_value && failure_value
+ "#{sub_cat} \\s+ Failure$"
+ else
+ "No Auditing"
+ end
+ powershell_exec!(<<-CODE).result
+ $auditpol_config = auditpol /get /subcategory:"#{sub_cat}"
+ if ($auditpol_config | Select-String "#{setting}") { return $true } else { return $false }
+ CODE
+ end
+
+ def option_configured?(option_name, option_setting)
+ setting = option_setting ? "Enabled$" : "Disabled$"
+ powershell_exec!(<<-CODE).result
+ $auditpol_config = auditpol /get /option:#{option_name}
+ if ($auditpol_config | Select-String "#{setting}") { return $true } else { return $false }
+ CODE
+ end
+ end
 end
 end
 end |
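Review bot: In the failure-only branch of `subcategory_configured?`, `sub_cat` is interpolated unescaped into a regular expression, and both helpers interpolate the property value unescaped into the PowerShell script text (`/subcategory:"#{sub_cat}"`, `/option:#{option_name}`). A value containing a regex metacharacter, a double quote or `$` would change what is matched or run, and a false match reports the audit setting as already configured, so it is silently left unset. Whether these properties are restricted to a fixed list of names is not visible in this hunk; if they are not, validate them against the known subcategory and option names and build the pattern as `"#{Regexp.escape(sub_cat)}\\s+Failure$"`. The literal spaces around `\\s+` also require at least three whitespace characters between the name and the setting, which the escaped form above no longer demands. The enclosing class starts outside the hunk.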