diff --git a/lib/ansible/modules/windows/win_audit_rule.ps1 b/lib/ansible/modules/windows/win_audit_rule.ps1 new file mode 100644 index 00000000000..4eb3ed163ca --- /dev/null +++ b/lib/ansible/modules/windows/win_audit_rule.ps1 @@ -0,0 +1,193 @@ +#!powershell + +# Copyright: (c) 2017, Noah Sparks +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +#Requires -Module Ansible.ModuleUtils.Legacy.psm1 +#Requires -Module Ansible.ModuleUtils.SID.psm1 + +$params = Parse-Args -arguments $args -supports_check_mode $true +$check_mode = Get-AnsibleParam -obj $params -name "_ansible_check_mode" -type "bool" -default $false + +# module parameters +$path = Get-AnsibleParam -obj $params -name "path" -type "path" -failifempty $true -aliases "destination","dest" +$user = Get-AnsibleParam -obj $params -name "user" -type "str" -failifempty $true +$rights = Get-AnsibleParam -obj $params -name "rights" -type "list" +$inheritance_flags = Get-AnsibleParam -obj $params -name "inheritance_flags" -type "list" -default 'ContainerInherit','ObjectInherit' +$propagation_flags = Get-AnsibleParam -obj $params -name "propagation_flags" -type "str" -default "none" -ValidateSet 'InheritOnly','None','NoPropagateInherit' +$audit_flags = Get-AnsibleParam -obj $params -name "audit_flags" -type "list" -default 'success' +$state = Get-AnsibleParam -obj $params -name "state" -type "str" -default "present" -validateset 'present','absent' + +#Make sure target path is valid +If (-not (Test-Path -Path $path) ) +{ + Fail-Json -obj $result -message "defined path ($path) is not found/invalid" +} + +#function get current audit rules and convert to hashtable +Function Get-CurrentAuditRules ($path) { + Try { + $ACL = Get-Acl $path -Audit + } + Catch { + Return "Unable to retrieve the ACL on $Path" + } + + $HT = Foreach ($Obj in $ACL.Audit) + { + @{ + user = $Obj.IdentityReference.ToString() + rights = ($Obj | Select-Object -expand "*rights").ToString() + audit_flags = $Obj.AuditFlags.ToString() + is_inherited = $Obj.IsInherited.ToString() + inheritance_flags = $Obj.InheritanceFlags.ToString() + propagation_flags = $Obj.PropagationFlags.ToString() + } + } + + If (-Not $HT) + { + "No audit rules defined on $path" + } + Else {$HT} +} + +$result = @{ + changed = $false + current_audit_rules = Get-CurrentAuditRules $path +} + +#Make sure identity is valid and can be looked up +Try { + $SID = Convert-ToSid $user +} +Catch { + Fail-Json -obj $result -message "Failed to lookup the identity ($user) - $($_.exception.message)" +} + +#get the path type +$ItemType = (Get-Item $path).GetType() +switch ($ItemType) +{ + ([Microsoft.Win32.RegistryKey]) {$registry = $true; $result.path_type = 'registry'} + ([System.IO.FileInfo]) {$file = $true; $result.path_type = 'file'} + ([System.IO.DirectoryInfo]) {$result.path_type = 'directory'} +} + +#Get current acl/audit rules on the target +Try { + $ACL = Get-Acl $path -Audit +} +Catch { + Fail-Json -obj $result -message "Unable to retrieve the ACL on $Path - $($_.Exception.Message)" +} + +#configure acl object to remove the specified user +If ($state -eq 'absent') +{ + #Try and find an identity on the object that matches user + #We skip inherited items since we can't remove those + $ToRemove = ($ACL.Audit | Where-Object {$_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $SID -and + $_.IsInherited -eq $false}).IdentityReference + + #Exit with changed false if no identity is found + If (-Not $ToRemove) + { + $result.current_audit_rules = Get-CurrentAuditRules $path + Exit-Json -obj $result + } + + #update the ACL object if identity found + Try + { + $ToRemove | ForEach-Object { $ACL.PurgeAuditRules($_) } + } + Catch + { + $result.current_audit_rules = Get-CurrentAuditRules $path + Fail-Json -obj $result -message "Failed to remove audit rule: $($_.Exception.Message)" + } +} + +Else +{ + If ($registry) + { + $PossibleRights = [System.Enum]::GetNames([System.Security.AccessControl.RegistryRights]) + + Foreach ($right in $rights) + { + if ($right -notin $PossibleRights) + { + Fail-Json -obj $result -message "$right does not seem to be a valid REGISTRY right" + } + } + + $NewAccessRule = New-Object System.Security.AccessControl.RegistryAuditRule($user,$rights,$inheritance_flags,$propagation_flags,$audit_flags) + } + Else + { + $PossibleRights = [System.Enum]::GetNames([System.Security.AccessControl.FileSystemRights]) + + Foreach ($right in $rights) + { + if ($right -notin $PossibleRights) + { + Fail-Json -obj $result -message "$right does not seem to be a valid FILE SYSTEM right" + } + } + + If ($file -and $inheritance_flags -ne 'none') + { + Fail-Json -obj $result -message "The target type is a file. inheritance_flags must be changed to 'none'" + } + + $NewAccessRule = New-Object System.Security.AccessControl.FileSystemAuditRule($user,$rights,$inheritance_flags,$propagation_flags,$audit_flags) + } + + #exit here if any existing rule matches defined rule since no change is needed + #if we need to ignore inherited rules in the future, this would be where to do it + #Just filter out inherited rules from $ACL.Audit + Foreach ($group in $ACL.Audit | Where-Object {$_.IsInherited -eq $false}) + { + If ( + ($group | Select-Object -expand "*Rights") -eq ($NewAccessRule | Select-Object -expand "*Rights") -and + $group.AuditFlags -eq $NewAccessRule.AuditFlags -and + $group.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $SID -and + $group.InheritanceFlags -eq $NewAccessRule.InheritanceFlags -and + $group.PropagationFlags -eq $NewAccessRule.PropagationFlags + ) + { + $result.current_audit_rules = Get-CurrentAuditRules $path + Exit-Json -obj $result + } + } + + #try and set the acl object. AddAuditRule allows for multiple entries to exist under the same + #identity...so if someone wanted success: write and failure: delete for example, that setup would be + #possible. The alternative is SetAuditRule which would instead modify an existing rule and not allow + #for setting the above example. + Try + { + $ACL.AddAuditRule($NewAccessRule) + } + Catch + { + Fail-Json -obj $result -message "Failed to set the audit rule: $($_.Exception.Message)" + } +} + + +#finally set the permissions +Try { + Set-Acl -Path $path -ACLObject $ACL -WhatIf:$check_mode +} +Catch { + $result.current_audit_rules = Get-CurrentAuditRules $path + Fail-Json -obj $result -message "Failed to apply audit change: $($_.Exception.Message)" +} + +#exit here after a change is applied +$result.current_audit_rules = Get-CurrentAuditRules $path +$result.changed = $true +Exit-Json -obj $result diff --git a/lib/ansible/modules/windows/win_audit_rule.py b/lib/ansible/modules/windows/win_audit_rule.py new file mode 100644 index 00000000000..be4b10d644e --- /dev/null +++ b/lib/ansible/modules/windows/win_audit_rule.py @@ -0,0 +1,135 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2017, Noah Sparks +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +ANSIBLE_METADATA = {'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community'} + + +DOCUMENTATION = r''' +--- +module: win_audit_rule +short_description: Adds an audit rule to files, folders, or registry keys +description: + - Used to apply audit rules to files, folders or registry keys. + - Once applied, it will begin recording the user who performed the operation defined into the Security + Log in the Event viewer. + - The behavior is designed to ignore inherited rules since those cannot be adjusted without first disabling + the inheritance behavior. It will still print inherited rules in the output though for debugging purposes. +version_added: "2.5" +author: + - Noah Sparks (@nwsparks) +options: + path: + description: + - Path to the file, folder, or registry key. + - Registry paths should be in Powershell format, beginning with an abbreviation for the root + such as, 'hklm:\software'. + required: true + aliases: [ dest, destination ] + user: + description: + - The user or group to adjust rules for. + required: true + rights: + description: + - Comma seperated list of the rights desired. Only required for adding a rule. + - If I(path) is a file or directory, rights can be any right under MSDN + FileSystemRights U(https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.filesystemrights.aspx). + - If I(path) is a registry key, rights can be any right under MSDN + RegistryRights U(https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.registryrights.aspx). + required: true + inheritance_flags: + description: + - Defines what objects inside of a folder or registry key will inherit the settings. + - If you are setting a rule on a file, this value has to be changed to C(none). + - For more information on the choices see MSDN PropagationFlags enumeration + at U(https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.inheritanceflags.aspx). + default: "ContainerInherit,ObjectInherit" + choices: [ ContainerInherit, ObjectInherit ] + propagation_flags: + description: + - Propagation flag on the audit rules. + - This value is ignored when the path type is a file. + - For more information on the choices see MSDN PropagationFlags enumeration + at U(https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.propagationflags.aspx). + default: "None" + choices: [ None, InherityOnly, NoPropagateInherit ] + audit_flags: + description: + - Defines whether to log on failure, success, or both. + - To log both define as comma seperated list "Success, Failure". + required: true + choices: [ Success, Failure ] + state: + description: + - Whether the rule should be C(present) or C(absent). + - For absent, only I(path), I(user), and I(state) are required. + - Specifying C(absent) will remove all rules matching the defined I(user). + default: present + choices: [ present, absent ] +''' + +EXAMPLES = r''' +- name: add filesystem audit rule for a folder + win_audit_rule: + path: 'c:\inetpub\wwwroot\website' + user: 'BUILTIN\Users' + rights: 'write,delete,changepermissions' + audit_flags: 'success,failure' + inheritance_flags: 'ContainerInherit,ObjectInherit' + +- name: add filesystem audit rule for a file + win_audit_rule: + path: 'c:\inetpub\wwwroot\website\web.config' + user: 'BUILTIN\Users' + rights: write,delete,changepermissions + audit_flags: success,failure + inheritance_flags: None + +- name: add registry audit rule + win_audit_rule: + path: 'hklm:\software' + user: 'BUILTIN\Users' + rights: 'delete' + audit_flags: 'success' + +- name: remove filesystem audit rule + win_audit_rule: + path: 'c:\inetpub\wwwroot\website' + user: 'BUILTIN\Users' + state: absent + +- name: remove registry audit rule + win_audit_rule: + path: 'hklm:\software' + user: 'BUILTIN\Users' + state: absent +''' + +RETURN = r''' +current_audit_rules: + description: + - The current rules on the defined I(path) + - Will return "No audit rules defined on I(path)" + returned: always + type: dictionary + sample: | + { + "audit_flags": "Success", + "user": "Everyone", + "inheritance_flags": "False", + "is_inherited": "False", + "propagation_flags": "None", + "rights": "Delete" + } +path_type: + description: + - The type of I(path) being targetted. + - Will be one of file, directory, registry. + returned: always + type: string +''' diff --git a/test/integration/targets/win_audit_rule/aliases b/test/integration/targets/win_audit_rule/aliases new file mode 100644 index 00000000000..c6d61981670 --- /dev/null +++ b/test/integration/targets/win_audit_rule/aliases @@ -0,0 +1 @@ +windows/ci/group3 diff --git a/test/integration/targets/win_audit_rule/defaults/main.yml b/test/integration/targets/win_audit_rule/defaults/main.yml new file mode 100644 index 00000000000..f0faa9a56c9 --- /dev/null +++ b/test/integration/targets/win_audit_rule/defaults/main.yml @@ -0,0 +1,7 @@ +test_audit_rule_folder: c:\windows\temp\{{ 'ansible test win_audit_policy' | to_uuid }} +test_audit_rule_file: c:\windows\temp\{{ 'ansible test win_audit_policy' | to_uuid }}.txt +test_audit_rule_registry: HKCU:\{{ 'ansible test win_audit_policy' | to_uuid }} +test_audit_rule_rights: 'delete' +test_audit_rule_new_rights: 'delete,changepermissions' +test_audit_rule_user: 'everyone' +test_audit_rule_audit_flags: success diff --git a/test/integration/targets/win_audit_rule/library/test_get_audit_rule.ps1 b/test/integration/targets/win_audit_rule/library/test_get_audit_rule.ps1 new file mode 100644 index 00000000000..22e86aaf0e2 --- /dev/null +++ b/test/integration/targets/win_audit_rule/library/test_get_audit_rule.ps1 @@ -0,0 +1,98 @@ +#!powershell + +# Copyright (c) 2017 Ansible Project +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +#Requires -Module Ansible.ModuleUtils.Legacy.psm1 +#Requires -Module Ansible.ModuleUtils.SID.psm1 + +$params = Parse-Args -arguments $args -supports_check_mode $true + +# these are your module parameters +$path = Get-AnsibleParam -obj $params -name "path" -type "path" -failifempty $true -aliases "destination","dest" +$user = Get-AnsibleParam -obj $params -name "user" -type "str" -failifempty $true +$rights = Get-AnsibleParam -obj $params -name "rights" -type "list" +$inheritance_flags = Get-AnsibleParam -obj $params -name "inheritance_flags" -type "list" -default 'ContainerInherit','ObjectInherit' # -validateset 'None','ContainerInherit','ObjectInherit' +$propagation_flags = Get-AnsibleParam -obj $params -name "propagation_flags" -type "str" -default "none" -ValidateSet 'InheritOnly','None','NoPropagateInherit' +$audit_flags = Get-AnsibleParam -obj $params -name "audit_flags" -type "list" -default "success" #-ValidateSet 'Success','Failure' +#$state = Get-AnsibleParam -obj $params -name "state" -type "str" -default "present" -validateset 'present','absent' + + +If (! (Test-Path $path) ) +{ + Fail-Json $result "Path not found ($path)" +} + +Function Get-CurrentAuditRules ($path) { + $ACL = Get-Acl -Path $path -Audit + + $HT = Foreach ($Obj in $ACL.Audit) + { + @{ + user = $Obj.IdentityReference.ToString() + rights = ($Obj | Select-Object -expand "*rights").ToString() + audit_flags = $Obj.AuditFlags.ToString() + is_inherited = $Obj.InheritanceFlags.ToString() + inheritance_flags = $Obj.IsInherited.ToString() + propagation_flags = $Obj.PropagationFlags.ToString() + } + } + + If (-Not $HT) + { + "No audit rules defined on $path" + } + Else {$HT} +} + + +$result = @{ + changed = $false + matching_rule_found = $false + current_audit_rules = Get-CurrentAuditRules $path +} + +$ACL = Get-ACL $Path -Audit +$SID = Convert-ToSid $user + +$ItemType = (Get-Item $path).GetType() +switch ($ItemType) +{ + ([Microsoft.Win32.RegistryKey]) { + $rights = [System.Security.AccessControl.RegistryRights]$rights + $result.path_type = 'registry' + } + ([System.IO.FileInfo]) { + $rights = [System.Security.AccessControl.FileSystemRights]$rights + $result.path_type = 'file' + } + ([System.IO.DirectoryInfo]) { + $rights = [System.Security.AccessControl.FileSystemRights]$rights + $result.path_type = 'directory' + } +} + +$flags = [System.Security.AccessControl.AuditFlags]$audit_flags +$inherit = [System.Security.AccessControl.InheritanceFlags]$inheritance_flags +$prop = [System.Security.AccessControl.PropagationFlags]$propagation_flags + +Foreach ($group in $ACL.Audit) +{ + #exit here if any existing rule matches defined rule, otherwise exit below + #with no matches + If ( + ($group | select -expand "*Rights") -eq $rights -and + $group.AuditFlags -eq $flags -and + $group.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $SID -and + $group.InheritanceFlags -eq $inherit -and + $group.PropagationFlags -eq $prop + ) + { + $result.matching_rule_found = $true + $result.current_audit_rules = Get-CurrentAuditRules $path + Exit-Json $result + } +} + +$result.current_audit_rules = Get-CurrentAuditRules $path +Exit-Json $result diff --git a/test/integration/targets/win_audit_rule/tasks/add.yml b/test/integration/targets/win_audit_rule/tasks/add.yml new file mode 100644 index 00000000000..76e408f03fa --- /dev/null +++ b/test/integration/targets/win_audit_rule/tasks/add.yml @@ -0,0 +1,172 @@ +###################### +### check mode add ### +###################### +- name: check mode ADD audit policy directory + win_audit_rule: + path: "{{ test_audit_rule_folder }}" + user: "{{ test_audit_rule_user }}" + rights: "{{ test_audit_rule_rights }}" + state: present + audit_flags: "{{ test_audit_rule_audit_flags }}" + register: directory + check_mode: yes + +- name: check mode ADD audit policy file + win_audit_rule: + path: "{{ test_audit_rule_file }}" + user: "{{ test_audit_rule_user }}" + rights: "{{ test_audit_rule_rights }}" + state: present + audit_flags: "{{ test_audit_rule_audit_flags }}" + inheritance_flags: none + register: file + check_mode: yes + +- name: check mode ADD audit policy registry + win_audit_rule: + path: "{{ test_audit_rule_registry }}" + user: "{{ test_audit_rule_user }}" + rights: "{{ test_audit_rule_rights }}" + state: present + audit_flags: "{{ test_audit_rule_audit_flags }}" + register: registry + check_mode: yes + +- name: check mode ADD get directory results + test_get_audit_rule: + path: "{{ test_audit_rule_folder }}" + user: "{{ test_audit_rule_user }}" + rights: "{{ test_audit_rule_rights }}" + audit_flags: "{{ test_audit_rule_audit_flags }}" + register: directory_results + +- name: check mode ADD get file results + test_get_audit_rule: + path: "{{ test_audit_rule_file }}" + user: "{{ test_audit_rule_user }}" + rights: "{{ test_audit_rule_rights }}" + audit_flags: "{{ test_audit_rule_audit_flags }}" + inheritance_flags: none + register: file_results + +- name: check mode ADD get REGISTRY results + test_get_audit_rule: + path: "{{ test_audit_rule_registry }}" + user: "{{ test_audit_rule_user }}" + rights: "{{ test_audit_rule_rights }}" + audit_flags: "{{ test_audit_rule_audit_flags }}" + register: registry_results + +- name: check mode ADD assert that a change is needed, but no change occurred to the audit rules + assert: + that: + - directory | changed + - file | changed + - registry | changed + - not directory_results.matching_rule_found and directory_results.path_type == 'directory' + - not file_results.matching_rule_found and file_results.path_type == 'file' + - not registry_results.matching_rule_found and registry_results.path_type == 'registry' + +################## +### add a rule ### +################## +- name: ADD audit policy directory + win_audit_rule: + path: "{{ test_audit_rule_folder }}" + user: "{{ test_audit_rule_user }}" + rights: "{{ test_audit_rule_rights }}" + state: present + audit_flags: "{{ test_audit_rule_audit_flags }}" + register: directory + +- name: ADD audit policy file + win_audit_rule: + path: "{{ test_audit_rule_file }}" + user: "{{ test_audit_rule_user }}" + rights: "{{ test_audit_rule_rights }}" + state: present + audit_flags: "{{ test_audit_rule_audit_flags }}" + inheritance_flags: none + register: file + +- name: ADD audit policy registry + win_audit_rule: + path: "{{ test_audit_rule_registry }}" + user: "{{ test_audit_rule_user }}" + rights: "{{ test_audit_rule_rights }}" + state: present + audit_flags: "{{ test_audit_rule_audit_flags }}" + register: registry + +- name: ADD get directory results + test_get_audit_rule: + path: "{{ test_audit_rule_folder }}" + user: "{{ test_audit_rule_user }}" + rights: "{{ test_audit_rule_rights }}" + audit_flags: "{{ test_audit_rule_audit_flags }}" + register: directory_results + +- name: ADD get file results + test_get_audit_rule: + path: "{{ test_audit_rule_file }}" + user: "{{ test_audit_rule_user }}" + rights: "{{ test_audit_rule_rights }}" + audit_flags: "{{ test_audit_rule_audit_flags }}" + inheritance_flags: none + register: file_results + +- name: ADD get REGISTRY results + test_get_audit_rule: + path: "{{ test_audit_rule_registry }}" + user: "{{ test_audit_rule_user }}" + rights: "{{ test_audit_rule_rights }}" + audit_flags: "{{ test_audit_rule_audit_flags }}" + register: registry_results + +- name: ADD assert that the rules were added and a change is detected + assert: + that: + - directory | changed + - file | changed + - registry | changed + - directory_results.matching_rule_found and directory_results.path_type == 'directory' + - file_results.matching_rule_found and file_results.path_type == 'file' + - registry_results.matching_rule_found and registry_results.path_type == 'registry' + +############################# +### idempotent add a rule ### +############################# +- name: idempotent ADD audit policy directory + win_audit_rule: + path: "{{ test_audit_rule_folder }}" + user: "{{ test_audit_rule_user }}" + rights: "{{ test_audit_rule_rights }}" + state: present + audit_flags: "{{ test_audit_rule_audit_flags }}" + register: directory + +- name: idempotent ADD audit policy file + win_audit_rule: + path: "{{ test_audit_rule_file }}" + user: "{{ test_audit_rule_user }}" + rights: "{{ test_audit_rule_rights }}" + state: present + audit_flags: "{{ test_audit_rule_audit_flags }}" + inheritance_flags: none + register: file + +- name: idempotent ADD audit policy registry idempotent + win_audit_rule: + path: "{{ test_audit_rule_registry }}" + user: "{{ test_audit_rule_user }}" + rights: "{{ test_audit_rule_rights }}" + state: present + audit_flags: "{{ test_audit_rule_audit_flags }}" + register: registry + +- name: idempotent ADD assert that a change did not occur + assert: + that: + - not directory | changed and directory.path_type == 'directory' + - not file | changed and file.path_type == 'file' + - not registry | changed and registry.path_type == 'registry' diff --git a/test/integration/targets/win_audit_rule/tasks/main.yml b/test/integration/targets/win_audit_rule/tasks/main.yml new file mode 100644 index 00000000000..68fbca768a0 --- /dev/null +++ b/test/integration/targets/win_audit_rule/tasks/main.yml @@ -0,0 +1,33 @@ +- name: create temporary folder to test with + win_file: + path: "{{ test_audit_rule_folder }}" + state: directory + +- name: create temporary file to test with + win_file: + path: "{{ test_audit_rule_file }}" + state: touch + +- name: create temporary registry key to test with + win_regedit: + path: "{{ test_audit_rule_registry }}" + +- block: + - include_tasks: add.yml + - include_tasks: modify.yml + - include_tasks: remove.yml + always: + - name: remove testing folder + win_file: + path: "{{ test_audit_rule_folder }}" + state: absent + + - name: remove testing file + win_file: + path: "{{ test_audit_rule_file }}" + state: absent + + - name: remove registry key + win_regedit: + path: "{{ test_audit_rule_registry }}" + state: absent diff --git a/test/integration/targets/win_audit_rule/tasks/modify.yml b/test/integration/targets/win_audit_rule/tasks/modify.yml new file mode 100644 index 00000000000..5e39b0360ce --- /dev/null +++ b/test/integration/targets/win_audit_rule/tasks/modify.yml @@ -0,0 +1,172 @@ +######################### +### modify check mode ### +######################### +- name: check mode modify audit policy directory + win_audit_rule: + path: "{{ test_audit_rule_folder }}" + user: "{{ test_audit_rule_user }}" + rights: "{{ test_audit_rule_new_rights }}" + state: present + audit_flags: "{{ test_audit_rule_audit_flags }}" + register: directory + check_mode: yes + +- name: check mode modify audit policy file + win_audit_rule: + path: "{{ test_audit_rule_file }}" + user: "{{ test_audit_rule_user }}" + rights: "{{ test_audit_rule_new_rights }}" + state: present + audit_flags: "{{ test_audit_rule_audit_flags }}" + inheritance_flags: none + register: file + check_mode: yes + +- name: check mode modify audit policy registry + win_audit_rule: + path: "{{ test_audit_rule_registry }}" + user: "{{ test_audit_rule_user }}" + rights: "{{ test_audit_rule_new_rights }}" + state: present + audit_flags: "{{ test_audit_rule_audit_flags }}" + register: registry + check_mode: yes + +- name: check mode modify get directory rule results + test_get_audit_rule: + path: "{{ test_audit_rule_folder }}" + user: "{{ test_audit_rule_user }}" + rights: "{{ test_audit_rule_new_rights }}" + audit_flags: "{{ test_audit_rule_audit_flags }}" + register: directory_results + +- name: check mode modify get file rule results + test_get_audit_rule: + path: "{{ test_audit_rule_file }}" + user: "{{ test_audit_rule_user }}" + rights: "{{ test_audit_rule_new_rights }}" + audit_flags: "{{ test_audit_rule_audit_flags }}" + inheritance_flags: none + register: file_results + +- name: check mode modify get REGISTRY rule results + test_get_audit_rule: + path: "{{ test_audit_rule_registry }}" + user: "{{ test_audit_rule_user }}" + rights: "{{ test_audit_rule_new_rights }}" + audit_flags: "{{ test_audit_rule_audit_flags }}" + register: registry_results + +- name: check mode modify assert that change is needed but rights still equal the original rights and not test_audit_rule_new_rights + assert: + that: + - directory | changed + - file | changed + - registry | changed + - not directory_results.matching_rule_found and directory_results.path_type == 'directory' + - not file_results.matching_rule_found and file_results.path_type == 'file' + - not registry_results.matching_rule_found and registry_results.path_type == 'registry' + +############## +### modify ### +############## +- name: modify audit policy directory + win_audit_rule: + path: "{{ test_audit_rule_folder }}" + user: "{{ test_audit_rule_user }}" + rights: "{{ test_audit_rule_new_rights }}" + state: present + audit_flags: "{{ test_audit_rule_audit_flags }}" + register: directory + +- name: modify audit policy file + win_audit_rule: + path: "{{ test_audit_rule_file }}" + user: "{{ test_audit_rule_user }}" + rights: "{{ test_audit_rule_new_rights }}" + state: present + audit_flags: "{{ test_audit_rule_audit_flags }}" + inheritance_flags: none + register: file + +- name: modify audit policy registry + win_audit_rule: + path: "{{ test_audit_rule_registry }}" + user: "{{ test_audit_rule_user }}" + rights: "{{ test_audit_rule_new_rights }}" + state: present + audit_flags: "{{ test_audit_rule_audit_flags }}" + register: registry + +- name: modify get directory rule results + test_get_audit_rule: + path: "{{ test_audit_rule_folder }}" + user: "{{ test_audit_rule_user }}" + rights: "{{ test_audit_rule_new_rights }}" + audit_flags: "{{ test_audit_rule_audit_flags }}" + register: directory_results + +- name: modify get file rule results + test_get_audit_rule: + path: "{{ test_audit_rule_file }}" + user: "{{ test_audit_rule_user }}" + rights: "{{ test_audit_rule_new_rights }}" + audit_flags: "{{ test_audit_rule_audit_flags }}" + inheritance_flags: none + register: file_results + +- name: modify get REGISTRY rule results + test_get_audit_rule: + path: "{{ test_audit_rule_registry }}" + user: "{{ test_audit_rule_user }}" + rights: "{{ test_audit_rule_new_rights }}" + audit_flags: "{{ test_audit_rule_audit_flags }}" + register: registry_results + +- name: modify assert that the rules were modified and a change is detected + assert: + that: + - directory | changed + - file | changed + - registry | changed + - directory_results.matching_rule_found and directory_results.path_type == 'directory' + - file_results.matching_rule_found and file_results.path_type == 'file' + - registry_results.matching_rule_found and registry_results.path_type == 'registry' + +##################################### +### idempotent test modify a rule ### +##################################### +- name: idempotent modify audit policy directory + win_audit_rule: + path: "{{ test_audit_rule_folder }}" + user: "{{ test_audit_rule_user }}" + rights: "{{ test_audit_rule_new_rights }}" + state: present + audit_flags: "{{ test_audit_rule_audit_flags }}" + register: directory + +- name: idempotent modify audit policy file + win_audit_rule: + path: "{{ test_audit_rule_file }}" + user: "{{ test_audit_rule_user }}" + rights: "{{ test_audit_rule_new_rights }}" + state: present + audit_flags: "{{ test_audit_rule_audit_flags }}" + inheritance_flags: none + register: file + +- name: idempotent modify audit policy registry + win_audit_rule: + path: "{{ test_audit_rule_registry }}" + user: "{{ test_audit_rule_user }}" + rights: "{{ test_audit_rule_new_rights }}" + state: present + audit_flags: "{{ test_audit_rule_audit_flags }}" + register: registry + +- name: idempotent modify assert that and a change is not detected + assert: + that: + - not directory | changed and directory.path_type == 'directory' + - not file | changed and file.path_type == 'file' + - not registry | changed and registry.path_type == 'registry' diff --git a/test/integration/targets/win_audit_rule/tasks/remove.yml b/test/integration/targets/win_audit_rule/tasks/remove.yml new file mode 100644 index 00000000000..84e762ef7f4 --- /dev/null +++ b/test/integration/targets/win_audit_rule/tasks/remove.yml @@ -0,0 +1,151 @@ +################################ +### check mode remove a rule ### +################################ +- name: check mode remove directory rule + win_audit_rule: + path: "{{ test_audit_rule_folder }}" + user: "{{ test_audit_rule_user }}" + state: absent + register: directory + check_mode: yes + +- name: check mode remove file rule + win_audit_rule: + path: "{{ test_audit_rule_file }}" + user: "{{ test_audit_rule_user }}" + state: absent + register: file + check_mode: yes + +- name: check mode remove registry rule + win_audit_rule: + path: "{{ test_audit_rule_registry }}" + user: "{{ test_audit_rule_user }}" + state: absent + register: registry + check_mode: yes + +- name: check mode remove get directory rule results + test_get_audit_rule: + path: "{{ test_audit_rule_folder }}" + user: "{{ test_audit_rule_user }}" + rights: "{{ test_audit_rule_new_rights }}" + audit_flags: "{{ test_audit_rule_audit_flags }}" + register: directory_results + +- name: check mode remove get file rule results + test_get_audit_rule: + path: "{{ test_audit_rule_file }}" + user: "{{ test_audit_rule_user }}" + rights: "{{ test_audit_rule_new_rights }}" + audit_flags: "{{ test_audit_rule_audit_flags }}" + inheritance_flags: none + register: file_results + +- name: check mode remove get REGISTRY rule results + test_get_audit_rule: + path: "{{ test_audit_rule_registry }}" + user: "{{ test_audit_rule_user }}" + rights: "{{ test_audit_rule_new_rights }}" + audit_flags: "{{ test_audit_rule_audit_flags }}" + register: registry_results + +- name: check mode remove assert that change detected, but rule is still present + assert: + that: + - directory | changed + - file | changed + - registry | changed + - directory_results.matching_rule_found and directory_results.path_type == 'directory' + - file_results.matching_rule_found and file_results.path_type == 'file' + - registry_results.matching_rule_found and registry_results.path_type == 'registry' + +##################### +### remove a rule ### +##################### +- name: remove directory rule + win_audit_rule: + path: "{{ test_audit_rule_folder }}" + user: "{{ test_audit_rule_user }}" + state: absent + register: directory + +- name: remove file rule + win_audit_rule: + path: "{{ test_audit_rule_file }}" + user: "{{ test_audit_rule_user }}" + state: absent + register: file + +- name: remove registry rule + win_audit_rule: + path: "{{ test_audit_rule_registry }}" + user: "{{ test_audit_rule_user }}" + state: absent + register: registry + +- name: remove get directory rule results + test_get_audit_rule: + path: "{{ test_audit_rule_folder }}" + user: "{{ test_audit_rule_user }}" + rights: "{{ test_audit_rule_new_rights }}" + audit_flags: "{{ test_audit_rule_audit_flags }}" + register: directory_results + +- name: remove get file rule results + test_get_audit_rule: + path: "{{ test_audit_rule_file }}" + user: "{{ test_audit_rule_user }}" + rights: "{{ test_audit_rule_new_rights }}" + audit_flags: "{{ test_audit_rule_audit_flags }}" + inheritance_flags: none + register: file_results + +- name: remove get REGISTRY rule results + test_get_audit_rule: + path: "{{ test_audit_rule_registry }}" + user: "{{ test_audit_rule_user }}" + rights: "{{ test_audit_rule_new_rights }}" + audit_flags: "{{ test_audit_rule_audit_flags }}" + register: registry_results + +- name: remove assert that change detected and rule is gone + assert: + that: + - directory | changed + - file | changed + - registry | changed + - not directory_results.matching_rule_found and directory_results.path_type == 'directory' + - not file_results.matching_rule_found and file_results.path_type == 'file' + - not registry_results.matching_rule_found and registry_results.path_type == 'registry' + +################################ +### idempotent remove a rule ### +################################ +- name: idempotent remove directory rule + win_audit_rule: + path: "{{ test_audit_rule_folder }}" + user: "{{ test_audit_rule_user }}" + state: absent + register: directory + +- name: idempotent remove file rule + win_audit_rule: + path: "{{ test_audit_rule_file }}" + user: "{{ test_audit_rule_user }}" + state: absent + register: file + +- name: idempotent remove registry rule + win_audit_rule: + path: "{{ test_audit_rule_registry }}" + user: "{{ test_audit_rule_user }}" + state: absent + register: registry + +- name: idempotent remove assert that no change detected + assert: + that: + - not directory | changed and directory.path_type == 'directory' + - not file | changed and file.path_type == 'file' + - not registry | changed and registry.path_type == 'registry'