1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
|
#
# Author:: Ashwini Nehate (<anehate@chef.io>)
# Author:: Davin Taddeo (<davin@chef.io>)
# Author:: Jeff Brimager (<jbrimager@chef.io>)
# Copyright:: 2019-2020, Chef Software Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
require_relative "../resource"
class Chef
class Resource
class WindowsSecurityPolicy < Chef::Resource
resource_name :windows_security_policy
# The valid policy_names options found here
# https://github.com/ChrisAWalker/cSecurityOptions under 'AccountSettings'
policy_names = %w{MinimumPasswordAge
MaximumPasswordAge
MinimumPasswordLength
PasswordComplexity
PasswordHistorySize
LockoutBadCount
RequireLogonToChangePassword
ForceLogoffWhenHourExpire
NewAdministratorName
NewGuestName
ClearTextPassword
LSAAnonymousNameLookup
EnableAdminAccount
EnableGuestAccount
}
description "Use the windows_security_policy resource to set a security policy on the Microsoft Windows platform."
introduced "16.0"
property :secoption, String, name_property: true, required: true, equal_to: policy_names,
description: "The name of the policy to be set on windows platform to maintain its security."
property :secvalue, String, required: true,
description: "Policy value to be set for policy name."
action :set do
security_option = new_resource.secoption
security_value = new_resource.secvalue
powershell_script "#{security_option} set to #{security_value}" do
convert_boolean_return true
code <<-EOH
$security_option = "#{security_option}"
if ( ($security_option -match "NewGuestName") -Or ($security_option -match "NewAdministratorName") )
{
$#{security_option}_Remediation = (Get-Content $env:TEMP\\#{security_option}_Export.inf) | Foreach-Object { $_ -replace '#{security_option}\\s*=\\s*\\"\\w*\\"', '#{security_option} = "#{security_value}"' } | Set-Content $env:TEMP\\#{security_option}_Export.inf
C:\\Windows\\System32\\secedit /configure /db $env:windir\\security\\new.sdb /cfg $env:TEMP\\#{security_option}_Export.inf /areas SECURITYPOLICY
}
else
{
$#{security_option}_Remediation = (Get-Content $env:TEMP\\#{security_option}_Export.inf) | Foreach-Object { $_ -replace "#{security_option}\\s*=\\s*\\d*", "#{security_option} = #{security_value}" } | Set-Content $env:TEMP\\#{security_option}_Export.inf
C:\\Windows\\System32\\secedit /configure /db $env:windir\\security\\new.sdb /cfg $env:TEMP\\#{security_option}_Export.inf /areas SECURITYPOLICY
}
Remove-Item $env:TEMP\\#{security_option}_Export.inf -force
EOH
not_if <<-EOH
$#{security_option}_Export = C:\\Windows\\System32\\secedit /export /cfg $env:TEMP\\#{security_option}_Export.inf
$ExportAudit = (Get-Content $env:TEMP\\#{security_option}_Export.inf | Select-String -Pattern #{security_option})
$check_digit = $ExportAudit -match '#{security_option} = #{security_value}'
$check_string = $ExportAudit -match '#{security_option} = "#{security_value}"'
if ( $check_string -Or $check_digit )
{
Remove-Item $env:TEMP\\#{security_option}_Export.inf -force
$true
}
else
{
$false
}
EOH
end
end
end
end
end
|