authorDavin Taddeo <davin@chef.io>2020-06-15 16:06:28 -0400
committerDavin Taddeo <davin@chef.io>2020-06-15 16:06:28 -0400
commit96f152f0a87440b4b7b788f62173ebfea72ab0f3 (patch)
treec2385476150b0d9de9636af04a0a427ab69b433a
parent689484b3cc0c71dd0abc1e3736d4ad7a9d86ddb9 (diff)
parentad345a5d39e3aa36b56b94481a010dcef0571dda (diff)
downloadchef-96f152f0a87440b4b7b788f62173ebfea72ab0f3.tar.gz
Merge branch 'master' of github.com:chef/chef into windows_firewall_profile
Signed-off-by: Davin Taddeo <davin@chef.io>
-rw-r--r--CHANGELOG.md10
-rw-r--r--Gemfile.lock22
-rw-r--r--VERSION2
-rw-r--r--chef-bin/lib/chef-bin/version.rb2
-rw-r--r--chef-config/lib/chef-config/version.rb2
-rw-r--r--chef-utils/lib/chef-utils/version.rb2
-rw-r--r--cspell.json5
-rw-r--r--lib/chef/application/apply.rb2
-rw-r--r--lib/chef/formatters/error_inspectors/compile_error_inspector.rb2
-rw-r--r--lib/chef/formatters/error_inspectors/resource_failure_inspector.rb2
-rw-r--r--lib/chef/resource/windows_audit_policy.rb227
-rw-r--r--lib/chef/resource/windows_auto_run.rb2
-rw-r--r--lib/chef/resource/windows_certificate.rb2
-rw-r--r--lib/chef/resources.rb1
-rw-r--r--lib/chef/version.rb2
-rw-r--r--spec/unit/application_spec.rb7
-rw-r--r--spec/unit/resource/windows_audit_policy_spec.rb64
17 files changed, 332 insertions, 24 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 28da4fb39d..c219d56057 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,15 +1,19 @@
<!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ -->
-<!-- latest_release 16.2.32 -->
-## [v16.2.32](https://github.com/chef/chef/tree/v16.2.32) (2020-06-15)
+<!-- latest_release 16.2.36 -->
+## [v16.2.36](https://github.com/chef/chef/tree/v16.2.36) (2020-06-15)
#### Merged Pull Requests
-- Disable snap dokken tests for now [#9993](https://github.com/chef/chef/pull/9993) ([tas50](https://github.com/tas50))
+- Improve resource documentation [#9995](https://github.com/chef/chef/pull/9995) ([tas50](https://github.com/tas50))
<!-- latest_release -->
<!-- release_rollup since=16.1.16 -->
### Changes not yet released to stable
#### Merged Pull Requests
+- Improve resource documentation [#9995](https://github.com/chef/chef/pull/9995) ([tas50](https://github.com/tas50)) <!-- 16.2.36 -->
+- Add &quot;most recent call first&quot; to traceback message [#9967](https://github.com/chef/chef/pull/9967) ([zfjagann](https://github.com/zfjagann)) <!-- 16.2.35 -->
+- Create windows_audit_policy resource [#9980](https://github.com/chef/chef/pull/9980) ([chef-davin](https://github.com/chef-davin)) <!-- 16.2.34 -->
+- Fix how enforce_license is set in run method for chef-apply [#9963](https://github.com/chef/chef/pull/9963) ([ramereth](https://github.com/ramereth)) <!-- 16.2.33 -->
- Disable snap dokken tests for now [#9993](https://github.com/chef/chef/pull/9993) ([tas50](https://github.com/tas50)) <!-- 16.2.32 -->
- Use .match? not =~ when match values aren&#39;t necessary [#9989](https://github.com/chef/chef/pull/9989) ([tas50](https://github.com/tas50)) <!-- 16.2.31 -->
- Fix snap_package bugs [#9944](https://github.com/chef/chef/pull/9944) ([jaymzh](https://github.com/jaymzh)) <!-- 16.2.30 -->
diff --git a/Gemfile.lock b/Gemfile.lock
index 201a6c19cd..15d0e36cd6 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -28,12 +28,12 @@ GIT
PATH
remote: .
specs:
- chef (16.2.32)
+ chef (16.2.36)
addressable
bcrypt_pbkdf (= 1.1.0.rc1)
bundler (>= 1.10)
- chef-config (= 16.2.32)
- chef-utils (= 16.2.32)
+ chef-config (= 16.2.36)
+ chef-utils (= 16.2.36)
chef-vault
chef-zero (>= 14.0.11)
diff-lcs (~> 1.2, >= 1.2.4)
@@ -62,12 +62,12 @@ PATH
train-winrm (>= 0.2.5)
tty-screen (~> 0.6)
uuidtools (~> 2.1.5)
- chef (16.2.32-universal-mingw32)
+ chef (16.2.36-universal-mingw32)
addressable
bcrypt_pbkdf (= 1.1.0.rc1)
bundler (>= 1.10)
- chef-config (= 16.2.32)
- chef-utils (= 16.2.32)
+ chef-config (= 16.2.36)
+ chef-utils (= 16.2.36)
chef-vault
chef-zero (>= 14.0.11)
diff-lcs (~> 1.2, >= 1.2.4)
@@ -112,15 +112,15 @@ PATH
PATH
remote: chef-bin
specs:
- chef-bin (16.2.32)
- chef (= 16.2.32)
+ chef-bin (16.2.36)
+ chef (= 16.2.36)
PATH
remote: chef-config
specs:
- chef-config (16.2.32)
+ chef-config (16.2.36)
addressable
- chef-utils (= 16.2.32)
+ chef-utils (= 16.2.36)
fuzzyurl
mixlib-config (>= 2.2.12, < 4.0)
mixlib-shellout (>= 2.0, < 4.0)
@@ -129,7 +129,7 @@ PATH
PATH
remote: chef-utils
specs:
- chef-utils (16.2.32)
+ chef-utils (16.2.36)
GEM
remote: https://rubygems.org/
diff --git a/VERSION b/VERSION
index 66331d8e22..769f69d939 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-16.2.32 \ No newline at end of file
+16.2.36 \ No newline at end of file
diff --git a/chef-bin/lib/chef-bin/version.rb b/chef-bin/lib/chef-bin/version.rb
index 20da1e6d2f..e740829915 100644
--- a/chef-bin/lib/chef-bin/version.rb
+++ b/chef-bin/lib/chef-bin/version.rb
@@ -21,7 +21,7 @@
module ChefBin
CHEFBIN_ROOT = File.expand_path("../..", __FILE__)
- VERSION = "16.2.32".freeze
+ VERSION = "16.2.36".freeze
end
#
diff --git a/chef-config/lib/chef-config/version.rb b/chef-config/lib/chef-config/version.rb
index 6efae1e2ba..0da772ff4c 100644
--- a/chef-config/lib/chef-config/version.rb
+++ b/chef-config/lib/chef-config/version.rb
@@ -15,5 +15,5 @@
module ChefConfig
CHEFCONFIG_ROOT = File.expand_path("../..", __FILE__)
- VERSION = "16.2.32".freeze
+ VERSION = "16.2.36".freeze
end
diff --git a/chef-utils/lib/chef-utils/version.rb b/chef-utils/lib/chef-utils/version.rb
index c3f58e501f..b0da1db688 100644
--- a/chef-utils/lib/chef-utils/version.rb
+++ b/chef-utils/lib/chef-utils/version.rb
@@ -15,5 +15,5 @@
module ChefUtils
CHEFUTILS_ROOT = File.expand_path("../..", __FILE__)
- VERSION = "16.2.32".freeze
+ VERSION = "16.2.36".freeze
end
diff --git a/cspell.json b/cspell.json
index 01d684b77a..e76e32973c 100644
--- a/cspell.json
+++ b/cspell.json
@@ -73,6 +73,7 @@
"attribs",
"attrname",
"auditd",
+ "auditpol",
"AUTHN",
"AUTHROOT",
"AUTHZ",
@@ -440,6 +441,7 @@
"downcased",
"downcases",
"downto",
+ "DPAPI",
"Dpkg",
"dracut",
"dragonflybsd",
@@ -1050,6 +1052,7 @@
"MAKELONG",
"MAKEWORD",
"malloc",
+ "Mandi",
"mandriva",
"Mangeia",
"mangeia",
@@ -1125,6 +1128,7 @@
"mountpoint",
"mounttab",
"mpkg",
+ "MPSSVC",
"MSDNQTR",
"Msftedit",
"msgarbossa",
@@ -1155,6 +1159,7 @@
"munge",
"Murawski",
"Mutators",
+ "mutexes",
"MUXWAITERS",
"Mware",
"myapp",
diff --git a/lib/chef/application/apply.rb b/lib/chef/application/apply.rb
index 33a8a97f5b..4ed2d2a1f2 100644
--- a/lib/chef/application/apply.rb
+++ b/lib/chef/application/apply.rb
@@ -233,7 +233,7 @@ class Chef::Application::Apply < Chef::Application
end
# Get this party started
- def run(enforce_license = false)
+ def run(enforce_license: false)
reconfigure
check_license_acceptance if enforce_license
run_application
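Review bot: With `def run(enforce_license: false)`, any caller that still passes the flag positionally, e.g. `run(true)`, now raises ArgumentError instead of reaching `check_license_acceptance`, so callers of Chef::Application::Apply#run outside this diff should be checked. The old positional form treated a passed `enforce_license: false` hash as truthy, which is presumably what this fixes; a one-line comment above the method such as `# enforce_license must be passed as a keyword to match Chef::Application#run` would keep the signature from drifting back. The body of `run` continues past the end of this hunk.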
diff --git a/lib/chef/formatters/error_inspectors/compile_error_inspector.rb b/lib/chef/formatters/error_inspectors/compile_error_inspector.rb
index cb88cef1af..d765e66e7a 100644
--- a/lib/chef/formatters/error_inspectors/compile_error_inspector.rb
+++ b/lib/chef/formatters/error_inspectors/compile_error_inspector.rb
@@ -41,7 +41,7 @@ class Chef
if found_error_in_cookbooks?
traceback = filtered_bt.map { |line| " #{line}" }.join("\n")
- error_description.section("Cookbook Trace:", traceback)
+ error_description.section("Cookbook Trace: (most recent call first)", traceback)
error_description.section("Relevant File Content:", context)
end
diff --git a/lib/chef/formatters/error_inspectors/resource_failure_inspector.rb b/lib/chef/formatters/error_inspectors/resource_failure_inspector.rb
index 439bcbb8a3..fa7580d2c3 100644
--- a/lib/chef/formatters/error_inspectors/resource_failure_inspector.rb
+++ b/lib/chef/formatters/error_inspectors/resource_failure_inspector.rb
@@ -37,7 +37,7 @@ class Chef
error_description.section(exception.class.name, exception.message)
unless filtered_bt.empty?
- error_description.section("Cookbook Trace:", filtered_bt.join("\n"))
+ error_description.section("Cookbook Trace: (most recent call first)", filtered_bt.join("\n"))
end
unless dynamic_resource?
diff --git a/lib/chef/resource/windows_audit_policy.rb b/lib/chef/resource/windows_audit_policy.rb
new file mode 100644
index 0000000000..684fafcd15
--- /dev/null
+++ b/lib/chef/resource/windows_audit_policy.rb
@@ -0,0 +1,227 @@
+#
+# Author:: Ross Moles (<rmoles@chef.io>)
+# Author:: Rachel Rice (<rrice@chef.io>)
+# Author:: Davin Taddeo (<davin@chef.io>)
+# Copyright:: Copyright (c) Chef Software Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "../resource"
+
+class Chef
+ class Resource
+ class WindowsAuditPolicy < Chef::Resource
+ WIN_AUDIT_SUBCATEGORIES = ["Account Lockout",
+ "Application Generated",
+ "Application Group Management",
+ "Audit Policy Change",
+ "Authentication Policy Change",
+ "Authorization Policy Change",
+ "Central Policy Staging",
+ "Certification Services",
+ "Computer Account Management",
+ "Credential Validation",
+ "DPAPI Activity",
+ "Detailed Directory Service Replication",
+ "Detailed File Share",
+ "Directory Service Access",
+ "Directory Service Changes",
+ "Directory Service Replication",
+ "Distribution Group Management",
+ "File Share",
+ "File System",
+ "Filtering Platform Connection",
+ "Filtering Platform Packet Drop",
+ "Filtering Platform Policy Change",
+ "Group Membership",
+ "Handle Manipulation",
+ "IPsec Driver",
+ "IPsec Extended Mode",
+ "IPsec Main Mode",
+ "IPsec Quick Mode",
+ "Kerberos Authentication Service",
+ "Kerberos Service Ticket Operations",
+ "Kernel Object",
+ "Logoff",
+ "Logon",
+ "MPSSVC Rule-Level Policy Change",
+ "Network Policy Server",
+ "Non Sensitive Privilege Use",
+ "Other Account Logon Events",
+ "Other Account Management Events",
+ "Other Logon/Logoff Events",
+ "Other Object Access Events",
+ "Other Policy Change Events",
+ "Other Privilege Use Events",
+ "Other System Events",
+ "Plug and Play Events",
+ "Process Creation",
+ "Process Termination",
+ "RPC Events",
+ "Registry",
+ "Removable Storage",
+ "SAM",
+ "Security Group Management",
+ "Security State Change",
+ "Security System Extension",
+ "Sensitive Privilege Use",
+ "Special Logon",
+ "System Integrity",
+ "Token Right Adjusted Events",
+ "User / Device Claims",
+ "User Account Management",
+ ].freeze
+ provides :windows_audit_policy
+
+ description "Use the **windows_audit_policy** resource to configure system level and per-user Windows advanced audit policy settings."
+ introduced "16.2"
+
+ examples <<~DOC
+ **Set Logon and Logoff policy to "Success and Failure"**:
+
+ ```ruby
+ windows_audit_policy "Set Audit Policy for 'Logon and Logoff' actions to 'Success and Failure'" do
+ subcategory %w(Logon Logoff)
+ success true
+ failure true
+ action :set
+ end
+ ```
+
+ **Set Credential Validation policy to "Success"**:
+
+ ```ruby
+ windows_audit_policy "Set Audit Policy for 'Credential Validation' actions to 'Success'" do
+ subcategory 'Credential Validation'
+ success true
+ failure false
+ action :set
+ end
+ ```
+
+ **Enable CrashOnAuditFail option**:
+
+ ```ruby
+ windows_audit_policy 'Enable CrashOnAuditFail option' do
+ crash_on_audit_fail true
+ action :set
+ end
+ ```
+ DOC
+
+ property :subcategory, [String, Array],
+ coerce: proc { |p| Array(p) },
+ description: "The audit policy subcategory, specified by GUID or name. Applied system-wide if no user is specified.",
+ callbacks: { "Subcategories entered should be actual advanced audit policy subcategories" => proc { |n| (Array(n) - WIN_AUDIT_SUBCATEGORIES).empty? } }
+
+ property :success, [true, false],
+ description: "Specify success auditing. By setting this property to true the resource will enable success for the category or sub category. Success is the default and is applied if neither success nor failure are specified."
+
+ property :failure, [true, false],
+ description: "Specify failure auditing. By setting this property to true the resource will enable failure for the category or sub category. Success is the default and is applied if neither success nor failure are specified."
+
+ property :include_user, String,
+ description: "The audit policy specified by the category or subcategory is applied per-user if specified. When a user is specified, include user. Include and exclude cannot be used at the same time."
+
+ property :exclude_user, String,
+ description: "The audit policy specified by the category or subcategory is applied per-user if specified. When a user is specified, exclude user. Include and exclude cannot be used at the same time."
+
+ property :crash_on_audit_fail, [true, false],
+ description: "Setting this audit policy option to true will cause the system to crash if the auditing system is unable to log events."
+
+ property :full_privilege_auditing, [true, false],
+ description: "Setting this audit policy option to true will force the audit of all privilege changes except SeAuditPrivilege. Setting this property may cause the logs to fill up more quickly."
+
+ property :audit_base_objects, [true, false],
+ description: "Setting this audit policy option to true will force the system to assign a System Access Control List to named objects to enable auditing of base objects such as mutexes."
+
+ property :audit_base_directories, [true, false],
+ description: "Setting this audit policy option to true will force the system to assign a System Access Control List to named objects to enable auditing of container objects such as directories."
+
+ def subcategory_configured?(sub_cat, success_value, failure_value)
+ setting = if success_value && failure_value
+ "Success and Failure$"
+ elsif success_value && !failure_value
+ "Success$"
+ elsif !success_value && failure_value
+ "(Failure$)&!(Success and Failure$)"
+ else
+ "No Auditing"
+ end
+ powershell_exec(<<-CODE).result
+ $auditpol_config = auditpol /get /subcategory:"#{sub_cat}"
+ if ($auditpol_config | Select-String "#{setting}") { return $true } else { return $false }
+ CODE
+ end
+
+ def option_configured?(option_name, option_setting)
+ setting = option_setting ? "Enabled$" : "Disabled$"
+ powershell_exec(<<-CODE).result
+ $auditpol_config = auditpol /get /option:#{option_name}
+ if ($auditpol_config | Select-String "#{setting}") { return $true } else { return $false }
+ CODE
+ end
+
+ action :set do
+ unless new_resource.subcategory.empty?
+ new_resource.subcategory.each do |subcategory|
+ next if subcategory_configured?(subcategory, new_resource.success, new_resource.failure)
+
+ s_val = new_resource.success ? "enable" : "disable"
+ f_val = new_resource.failure ? "enable" : "disable"
+ converge_by "Update Audit Policy for \"#{subcategory}\" to Success:#{s_val} and Failure:#{f_val}" do
+ cmd = "auditpol /set "
+ cmd += "/user:\"#{new_resource.include_user}\" /include " if new_resource.include_user
+ cmd += "/user:\"#{new_resource.exclude_user}\" /exclude " if new_resource.exclude_user
+ cmd += "/subcategory:\"#{subcategory}\" /success:#{s_val} /failure:#{f_val}"
+ powershell_exec!(cmd)
+ end
+ end
+ end
+
+ if !new_resource.crash_on_audit_fail.nil? && option_configured?("CrashOnAuditFail", new_resource.crash_on_audit_fail)
+ val = new_resource.crash_on_audit_fail ? "Enable" : "Disable"
+ converge_by "Configure Audit: CrashOnAuditFail to #{val}" do
+ cmd = "auditpol /set /option:CrashOnAuditFail /value:#{val}"
+ powershell_exec!(cmd)
+ end
+ end
+
+ if !new_resource.full_privilege_auditing.nil? && option_configured?("FullPrivilegeAuditing", new_resource.full_privilege_auditing)
+ val = new_resource.full_privilege_auditing ? "Enable" : "Disable"
+ converge_by "Configure Audit: FullPrivilegeAuditing to #{val}" do
+ cmd = "auditpol /set /option:FullPrivilegeAuditing /value:#{val}"
+ powershell_exec!(cmd)
+ end
+ end
+
+ if !new_resource.audit_base_directories.nil? && option_configured?("AuditBaseDirectories", new_resource.audit_base_directories)
+ val = new_resource.audit_base_directories ? "Enable" : "Disable"
+ converge_by "Configure Audit: AuditBaseDirectories to #{val}" do
+ cmd = "auditpol /set /option:AuditBaseDirectories /value:#{val}"
+ powershell_exec!(cmd)
+ end
+ end
+
+ if !new_resource.audit_base_objects.nil? && option_configured?("AuditBaseObjects", new_resource.audit_base_objects)
+ val = new_resource.audit_base_objects ? "Enable" : "Disable"
+ converge_by "Configure Audit: AuditBaseObjects to #{val}" do
+ cmd = "auditpol /set /option:AuditBaseObjects /value:#{val}"
+ powershell_exec!(cmd)
+ end
+ end
+ end
+ end
+ end
+end
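Review bot: The four option branches in `action :set` call `auditpol /set /option:...` only when `option_configured?` returns true, i.e. when the host already has the desired value, so a host whose CrashOnAuditFail, FullPrivilegeAuditing, AuditBaseDirectories or AuditBaseObjects setting differs is left unchanged and the run reports nothing to converge; each condition should negate the check, e.g. `if !new_resource.crash_on_audit_fail.nil? && !option_configured?("CrashOnAuditFail", new_resource.crash_on_audit_fail)`. `unless new_resource.subcategory.empty?` will likely raise NoMethodError on nil when only an option is set (as in the third documented example), because the property has no default; `unless new_resource.subcategory.nil?` avoids that. `include_user` and `exclude_user` are interpolated into the PowerShell command inside double quotes with no validation, unlike `subcategory`, which is checked against WIN_AUDIT_SUBCATEGORIES; a `callbacks:` check that rejects quote, backtick and `$` characters, plus a guard that the two are not set together (as their descriptions require), would close that gap. The `"(Failure$)&!(Success and Failure$)"` string is handed to Select-String as a regular expression, where `&!` is literal text, so the failure-only state probably never matches and would be re-applied on every run.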
diff --git a/lib/chef/resource/windows_auto_run.rb b/lib/chef/resource/windows_auto_run.rb
index 11f383b9d3..0b34d6c971 100644
--- a/lib/chef/resource/windows_auto_run.rb
+++ b/lib/chef/resource/windows_auto_run.rb
@@ -26,7 +26,7 @@ class Chef
description "Use the **windows_auto_run** resource to set applications to run at login."
introduced "14.0"
examples <<~DOC
- **Run BGInfo at login**:
+ **Run BGInfo at login**
```ruby
windows_auto_run 'BGINFO' do
diff --git a/lib/chef/resource/windows_certificate.rb b/lib/chef/resource/windows_certificate.rb
index 967ef2f811..bb3733cd75 100644
--- a/lib/chef/resource/windows_certificate.rb
+++ b/lib/chef/resource/windows_certificate.rb
@@ -36,7 +36,7 @@ class Chef
```ruby
windows_certificate 'c:/test/mycert.pfx' do
pfx_password 'password'
- private_key_acl ["acme\fred", "pc\jane"]
+ private_key_acl ["acme\\fred", "pc\\jane"]
end
```
diff --git a/lib/chef/resources.rb b/lib/chef/resources.rb
index 6aa328c073..cf48e8f4bc 100644
--- a/lib/chef/resources.rb
+++ b/lib/chef/resources.rb
@@ -142,6 +142,7 @@ require_relative "resource/cab_package"
require_relative "resource/powershell_package"
require_relative "resource/msu_package"
require_relative "resource/windows_ad_join"
+require_relative "resource/windows_audit_policy"
require_relative "resource/windows_auto_run"
require_relative "resource/windows_certificate"
require_relative "resource/windows_dfs_folder"
diff --git a/lib/chef/version.rb b/lib/chef/version.rb
index 7ccdc46b37..e10a103ba8 100644
--- a/lib/chef/version.rb
+++ b/lib/chef/version.rb
@@ -23,7 +23,7 @@ require_relative "version_string"
class Chef
CHEF_ROOT = File.expand_path("../..", __FILE__)
- VERSION = Chef::VersionString.new("16.2.32")
+ VERSION = Chef::VersionString.new("16.2.36")
end
#
diff --git a/spec/unit/application_spec.rb b/spec/unit/application_spec.rb
index ea784f1d55..031132f31d 100644
--- a/spec/unit/application_spec.rb
+++ b/spec/unit/application_spec.rb
@@ -94,6 +94,13 @@ describe Chef::Application do
end
end
+ describe "when enforce_license is set to false" do
+ it "should not check the license acceptance" do
+ expect(@app).to_not receive(:check_license_acceptance)
+ @app.run(enforce_license: false)
+ end
+ end
+
it "should run the actual application" do
expect(@app).to receive(:run_application).and_return(true)
@app.run
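Review bot: The new example calls `run(enforce_license: false)` on `@app`, which in this file appears to be a Chef::Application instance, while the signature changed in this commit is Chef::Application::Apply#run; as far as the hunk shows, this test would also have passed before the fix. An example that builds a Chef::Application::Apply, stubs `reconfigure` and `run_application`, and asserts `check_license_acceptance` is not received for `enforce_license: false` and is received for `enforce_license: true` would pin the behaviour that was actually broken. The `it "should run the actual application"` block at the end of the hunk closes outside it.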
diff --git a/spec/unit/resource/windows_audit_policy_spec.rb b/spec/unit/resource/windows_audit_policy_spec.rb
new file mode 100644
index 0000000000..80a92f2656
--- /dev/null
+++ b/spec/unit/resource/windows_audit_policy_spec.rb
@@ -0,0 +1,64 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+
+describe Chef::Resource::WindowsAuditPolicy do
+ let(:resource) { Chef::Resource::WindowsAuditPolicy.new("fakey_fakerton") }
+
+ it "sets resource name as :windows_audit_policy" do
+ expect(resource.resource_name).to eql(:windows_audit_policy)
+ end
+
+ it "expects crash_on_audit_fail to have a true or false value if entered" do
+ expect { resource.crash_on_audit_fail "not_a_true_or_false" }.to raise_error(Chef::Exceptions::ValidationFailed)
+ end
+
+ it "expects full_privilege_auditing to have a true or false value if entered" do
+ expect { resource.full_privilege_auditing "not_a_true_or_false" }.to raise_error(Chef::Exceptions::ValidationFailed)
+ end
+
+ it "expects audit_base_objects to have a true or false value if entered" do
+ expect { resource.audit_base_objects "not_a_true_or_false" }.to raise_error(Chef::Exceptions::ValidationFailed)
+ end
+
+ it "expects audit_base_directories to have a true or false value if entered" do
+ expect { resource.audit_base_directories "not_a_true_or_false" }.to raise_error(Chef::Exceptions::ValidationFailed)
+ end
+
+ it "expects success property to have a true or false value if entered" do
+ expect { resource.success "not_a_true_or_false" }.to raise_error(Chef::Exceptions::ValidationFailed)
+ end
+
+ it "expects failure property to have a true or false value if entered" do
+ expect { resource.failure "not_a_true_or_false" }.to raise_error(Chef::Exceptions::ValidationFailed)
+ end
+
+ Chef::Resource::WindowsAuditPolicy::WIN_AUDIT_SUBCATEGORIES.each do |val|
+ it "the subcategory property accepts :#{val}" do
+ expect { resource.subcategory val }.not_to raise_error
+ end
+ end
+
+ it "the resource raises an ArgumentError if invalid subcategory property is set" do
+ expect { resource.subcategory "Logount" }.to raise_error(ArgumentError)
+ end
+
+ it "sets the default action as :set" do
+ expect(resource.action).to eql([:set])
+ end
+end
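Review bot: No example exercises `action :set`, `subcategory_configured?` or `option_configured?`, so the conditions that decide whether `auditpol /set` is invoked are untested; only property type validation is covered. Examples that stub `powershell_exec` to return a result of true and of false, and assert whether `powershell_exec!` is then called with the expected `auditpol /set ...` string, would catch a reversed idempotency check. The string properties `include_user` and `exclude_user` have no examples either; a case that sets both would document whether that combination is meant to be rejected.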