new windows module, win_audit_rule (#30473)

* added win_audit_rule with integration test

* Updated integration testing to target files as well as directories
and registry keys. Split testing files apart to be more organized.

Updated powershell for better handling when targetting file objects
and optimized a bit. Removed duplicated sections that got there from a
previous merge I think.

* Decided to make all the fact names the same in integration testing.
Seemed like there would be less change of accidentally using the wrong
variable when copy/pasting that way, and not much upside to having
unique names.

Did final cleanup and fixed a few errors in the integration testing.

* Fixed a bug where results was displaying a wrong value

Fixed a bug where removal was failing if multiple rules existed due to
inheritance from higher level objects.

* Resolved issue with unhandled error when used didn't have permissions
for get-acl.

Changed from setauditrule to addauditrule, see comment in script for reasoning.

Fixed state absent to be able to remove multiple entries if they exist.

* fixed docs issue

* updated to fail if invalid inheritance_rule when defining a file rather than warn
This commit is contained in:
nwsparks 2017-10-19 21:20:33 -04:00 committed by Jordan Borean
parent bb4b98a82e
commit 5cccad8ed4
9 changed files with 962 additions and 0 deletions

View file

@ -0,0 +1,193 @@
#!powershell
# Copyright: (c) 2017, Noah Sparks <nsparks@outlook.com>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
#Requires -Module Ansible.ModuleUtils.Legacy.psm1
#Requires -Module Ansible.ModuleUtils.SID.psm1
$params = Parse-Args -arguments $args -supports_check_mode $true
$check_mode = Get-AnsibleParam -obj $params -name "_ansible_check_mode" -type "bool" -default $false
# module parameters
$path = Get-AnsibleParam -obj $params -name "path" -type "path" -failifempty $true -aliases "destination","dest"
$user = Get-AnsibleParam -obj $params -name "user" -type "str" -failifempty $true
$rights = Get-AnsibleParam -obj $params -name "rights" -type "list"
$inheritance_flags = Get-AnsibleParam -obj $params -name "inheritance_flags" -type "list" -default 'ContainerInherit','ObjectInherit'
$propagation_flags = Get-AnsibleParam -obj $params -name "propagation_flags" -type "str" -default "none" -ValidateSet 'InheritOnly','None','NoPropagateInherit'
$audit_flags = Get-AnsibleParam -obj $params -name "audit_flags" -type "list" -default 'success'
$state = Get-AnsibleParam -obj $params -name "state" -type "str" -default "present" -validateset 'present','absent'
#Make sure target path is valid
If (-not (Test-Path -Path $path) )
{
Fail-Json -obj $result -message "defined path ($path) is not found/invalid"
}
#function get current audit rules and convert to hashtable
Function Get-CurrentAuditRules ($path) {
Try {
$ACL = Get-Acl $path -Audit
}
Catch {
Return "Unable to retrieve the ACL on $Path"
}
$HT = Foreach ($Obj in $ACL.Audit)
{
@{
user = $Obj.IdentityReference.ToString()
rights = ($Obj | Select-Object -expand "*rights").ToString()
audit_flags = $Obj.AuditFlags.ToString()
is_inherited = $Obj.IsInherited.ToString()
inheritance_flags = $Obj.InheritanceFlags.ToString()
propagation_flags = $Obj.PropagationFlags.ToString()
}
}
If (-Not $HT)
{
"No audit rules defined on $path"
}
Else {$HT}
}
$result = @{
changed = $false
current_audit_rules = Get-CurrentAuditRules $path
}
#Make sure identity is valid and can be looked up
Try {
$SID = Convert-ToSid $user
}
Catch {
Fail-Json -obj $result -message "Failed to lookup the identity ($user) - $($_.exception.message)"
}
#get the path type
$ItemType = (Get-Item $path).GetType()
switch ($ItemType)
{
([Microsoft.Win32.RegistryKey]) {$registry = $true; $result.path_type = 'registry'}
([System.IO.FileInfo]) {$file = $true; $result.path_type = 'file'}
([System.IO.DirectoryInfo]) {$result.path_type = 'directory'}
}
#Get current acl/audit rules on the target
Try {
$ACL = Get-Acl $path -Audit
}
Catch {
Fail-Json -obj $result -message "Unable to retrieve the ACL on $Path - $($_.Exception.Message)"
}
#configure acl object to remove the specified user
If ($state -eq 'absent')
{
#Try and find an identity on the object that matches user
#We skip inherited items since we can't remove those
$ToRemove = ($ACL.Audit | Where-Object {$_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $SID -and
$_.IsInherited -eq $false}).IdentityReference
#Exit with changed false if no identity is found
If (-Not $ToRemove)
{
$result.current_audit_rules = Get-CurrentAuditRules $path
Exit-Json -obj $result
}
#update the ACL object if identity found
Try
{
$ToRemove | ForEach-Object { $ACL.PurgeAuditRules($_) }
}
Catch
{
$result.current_audit_rules = Get-CurrentAuditRules $path
Fail-Json -obj $result -message "Failed to remove audit rule: $($_.Exception.Message)"
}
}
Else
{
If ($registry)
{
$PossibleRights = [System.Enum]::GetNames([System.Security.AccessControl.RegistryRights])
Foreach ($right in $rights)
{
if ($right -notin $PossibleRights)
{
Fail-Json -obj $result -message "$right does not seem to be a valid REGISTRY right"
}
}
$NewAccessRule = New-Object System.Security.AccessControl.RegistryAuditRule($user,$rights,$inheritance_flags,$propagation_flags,$audit_flags)
}
Else
{
$PossibleRights = [System.Enum]::GetNames([System.Security.AccessControl.FileSystemRights])
Foreach ($right in $rights)
{
if ($right -notin $PossibleRights)
{
Fail-Json -obj $result -message "$right does not seem to be a valid FILE SYSTEM right"
}
}
If ($file -and $inheritance_flags -ne 'none')
{
Fail-Json -obj $result -message "The target type is a file. inheritance_flags must be changed to 'none'"
}
$NewAccessRule = New-Object System.Security.AccessControl.FileSystemAuditRule($user,$rights,$inheritance_flags,$propagation_flags,$audit_flags)
}
#exit here if any existing rule matches defined rule since no change is needed
#if we need to ignore inherited rules in the future, this would be where to do it
#Just filter out inherited rules from $ACL.Audit
Foreach ($group in $ACL.Audit | Where-Object {$_.IsInherited -eq $false})
{
If (
($group | Select-Object -expand "*Rights") -eq ($NewAccessRule | Select-Object -expand "*Rights") -and
$group.AuditFlags -eq $NewAccessRule.AuditFlags -and
$group.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $SID -and
$group.InheritanceFlags -eq $NewAccessRule.InheritanceFlags -and
$group.PropagationFlags -eq $NewAccessRule.PropagationFlags
)
{
$result.current_audit_rules = Get-CurrentAuditRules $path
Exit-Json -obj $result
}
}
#try and set the acl object. AddAuditRule allows for multiple entries to exist under the same
#identity...so if someone wanted success: write and failure: delete for example, that setup would be
#possible. The alternative is SetAuditRule which would instead modify an existing rule and not allow
#for setting the above example.
Try
{
$ACL.AddAuditRule($NewAccessRule)
}
Catch
{
Fail-Json -obj $result -message "Failed to set the audit rule: $($_.Exception.Message)"
}
}
#finally set the permissions
Try {
Set-Acl -Path $path -ACLObject $ACL -WhatIf:$check_mode
}
Catch {
$result.current_audit_rules = Get-CurrentAuditRules $path
Fail-Json -obj $result -message "Failed to apply audit change: $($_.Exception.Message)"
}
#exit here after a change is applied
$result.current_audit_rules = Get-CurrentAuditRules $path
$result.changed = $true
Exit-Json -obj $result

View file

@ -0,0 +1,135 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Copyright: (c) 2017, Noah Sparks <nsparks@outlook.com>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
ANSIBLE_METADATA = {'metadata_version': '1.1',
'status': ['preview'],
'supported_by': 'community'}
DOCUMENTATION = r'''
---
module: win_audit_rule
short_description: Adds an audit rule to files, folders, or registry keys
description:
- Used to apply audit rules to files, folders or registry keys.
- Once applied, it will begin recording the user who performed the operation defined into the Security
Log in the Event viewer.
- The behavior is designed to ignore inherited rules since those cannot be adjusted without first disabling
the inheritance behavior. It will still print inherited rules in the output though for debugging purposes.
version_added: "2.5"
author:
- Noah Sparks (@nwsparks)
options:
path:
description:
- Path to the file, folder, or registry key.
- Registry paths should be in Powershell format, beginning with an abbreviation for the root
such as, 'hklm:\software'.
required: true
aliases: [ dest, destination ]
user:
description:
- The user or group to adjust rules for.
required: true
rights:
description:
- Comma seperated list of the rights desired. Only required for adding a rule.
- If I(path) is a file or directory, rights can be any right under MSDN
FileSystemRights U(https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.filesystemrights.aspx).
- If I(path) is a registry key, rights can be any right under MSDN
RegistryRights U(https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.registryrights.aspx).
required: true
inheritance_flags:
description:
- Defines what objects inside of a folder or registry key will inherit the settings.
- If you are setting a rule on a file, this value has to be changed to C(none).
- For more information on the choices see MSDN PropagationFlags enumeration
at U(https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.inheritanceflags.aspx).
default: "ContainerInherit,ObjectInherit"
choices: [ ContainerInherit, ObjectInherit ]
propagation_flags:
description:
- Propagation flag on the audit rules.
- This value is ignored when the path type is a file.
- For more information on the choices see MSDN PropagationFlags enumeration
at U(https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.propagationflags.aspx).
default: "None"
choices: [ None, InherityOnly, NoPropagateInherit ]
audit_flags:
description:
- Defines whether to log on failure, success, or both.
- To log both define as comma seperated list "Success, Failure".
required: true
choices: [ Success, Failure ]
state:
description:
- Whether the rule should be C(present) or C(absent).
- For absent, only I(path), I(user), and I(state) are required.
- Specifying C(absent) will remove all rules matching the defined I(user).
default: present
choices: [ present, absent ]
'''
EXAMPLES = r'''
- name: add filesystem audit rule for a folder
win_audit_rule:
path: 'c:\inetpub\wwwroot\website'
user: 'BUILTIN\Users'
rights: 'write,delete,changepermissions'
audit_flags: 'success,failure'
inheritance_flags: 'ContainerInherit,ObjectInherit'
- name: add filesystem audit rule for a file
win_audit_rule:
path: 'c:\inetpub\wwwroot\website\web.config'
user: 'BUILTIN\Users'
rights: write,delete,changepermissions
audit_flags: success,failure
inheritance_flags: None
- name: add registry audit rule
win_audit_rule:
path: 'hklm:\software'
user: 'BUILTIN\Users'
rights: 'delete'
audit_flags: 'success'
- name: remove filesystem audit rule
win_audit_rule:
path: 'c:\inetpub\wwwroot\website'
user: 'BUILTIN\Users'
state: absent
- name: remove registry audit rule
win_audit_rule:
path: 'hklm:\software'
user: 'BUILTIN\Users'
state: absent
'''
RETURN = r'''
current_audit_rules:
description:
- The current rules on the defined I(path)
- Will return "No audit rules defined on I(path)"
returned: always
type: dictionary
sample: |
{
"audit_flags": "Success",
"user": "Everyone",
"inheritance_flags": "False",
"is_inherited": "False",
"propagation_flags": "None",
"rights": "Delete"
}
path_type:
description:
- The type of I(path) being targetted.
- Will be one of file, directory, registry.
returned: always
type: string
'''

View file

@ -0,0 +1 @@
windows/ci/group3

View file

@ -0,0 +1,7 @@
test_audit_rule_folder: c:\windows\temp\{{ 'ansible test win_audit_policy' | to_uuid }}
test_audit_rule_file: c:\windows\temp\{{ 'ansible test win_audit_policy' | to_uuid }}.txt
test_audit_rule_registry: HKCU:\{{ 'ansible test win_audit_policy' | to_uuid }}
test_audit_rule_rights: 'delete'
test_audit_rule_new_rights: 'delete,changepermissions'
test_audit_rule_user: 'everyone'
test_audit_rule_audit_flags: success

View file

@ -0,0 +1,98 @@
#!powershell
# Copyright (c) 2017 Ansible Project
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
#Requires -Module Ansible.ModuleUtils.Legacy.psm1
#Requires -Module Ansible.ModuleUtils.SID.psm1
$params = Parse-Args -arguments $args -supports_check_mode $true
# these are your module parameters
$path = Get-AnsibleParam -obj $params -name "path" -type "path" -failifempty $true -aliases "destination","dest"
$user = Get-AnsibleParam -obj $params -name "user" -type "str" -failifempty $true
$rights = Get-AnsibleParam -obj $params -name "rights" -type "list"
$inheritance_flags = Get-AnsibleParam -obj $params -name "inheritance_flags" -type "list" -default 'ContainerInherit','ObjectInherit' # -validateset 'None','ContainerInherit','ObjectInherit'
$propagation_flags = Get-AnsibleParam -obj $params -name "propagation_flags" -type "str" -default "none" -ValidateSet 'InheritOnly','None','NoPropagateInherit'
$audit_flags = Get-AnsibleParam -obj $params -name "audit_flags" -type "list" -default "success" #-ValidateSet 'Success','Failure'
#$state = Get-AnsibleParam -obj $params -name "state" -type "str" -default "present" -validateset 'present','absent'
If (! (Test-Path $path) )
{
Fail-Json $result "Path not found ($path)"
}
Function Get-CurrentAuditRules ($path) {
$ACL = Get-Acl -Path $path -Audit
$HT = Foreach ($Obj in $ACL.Audit)
{
@{
user = $Obj.IdentityReference.ToString()
rights = ($Obj | Select-Object -expand "*rights").ToString()
audit_flags = $Obj.AuditFlags.ToString()
is_inherited = $Obj.InheritanceFlags.ToString()
inheritance_flags = $Obj.IsInherited.ToString()
propagation_flags = $Obj.PropagationFlags.ToString()
}
}
If (-Not $HT)
{
"No audit rules defined on $path"
}
Else {$HT}
}
$result = @{
changed = $false
matching_rule_found = $false
current_audit_rules = Get-CurrentAuditRules $path
}
$ACL = Get-ACL $Path -Audit
$SID = Convert-ToSid $user
$ItemType = (Get-Item $path).GetType()
switch ($ItemType)
{
([Microsoft.Win32.RegistryKey]) {
$rights = [System.Security.AccessControl.RegistryRights]$rights
$result.path_type = 'registry'
}
([System.IO.FileInfo]) {
$rights = [System.Security.AccessControl.FileSystemRights]$rights
$result.path_type = 'file'
}
([System.IO.DirectoryInfo]) {
$rights = [System.Security.AccessControl.FileSystemRights]$rights
$result.path_type = 'directory'
}
}
$flags = [System.Security.AccessControl.AuditFlags]$audit_flags
$inherit = [System.Security.AccessControl.InheritanceFlags]$inheritance_flags
$prop = [System.Security.AccessControl.PropagationFlags]$propagation_flags
Foreach ($group in $ACL.Audit)
{
#exit here if any existing rule matches defined rule, otherwise exit below
#with no matches
If (
($group | select -expand "*Rights") -eq $rights -and
$group.AuditFlags -eq $flags -and
$group.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $SID -and
$group.InheritanceFlags -eq $inherit -and
$group.PropagationFlags -eq $prop
)
{
$result.matching_rule_found = $true
$result.current_audit_rules = Get-CurrentAuditRules $path
Exit-Json $result
}
}
$result.current_audit_rules = Get-CurrentAuditRules $path
Exit-Json $result

View file

@ -0,0 +1,172 @@
######################
### check mode add ###
######################
- name: check mode ADD audit policy directory
win_audit_rule:
path: "{{ test_audit_rule_folder }}"
user: "{{ test_audit_rule_user }}"
rights: "{{ test_audit_rule_rights }}"
state: present
audit_flags: "{{ test_audit_rule_audit_flags }}"
register: directory
check_mode: yes
- name: check mode ADD audit policy file
win_audit_rule:
path: "{{ test_audit_rule_file }}"
user: "{{ test_audit_rule_user }}"
rights: "{{ test_audit_rule_rights }}"
state: present
audit_flags: "{{ test_audit_rule_audit_flags }}"
inheritance_flags: none
register: file
check_mode: yes
- name: check mode ADD audit policy registry
win_audit_rule:
path: "{{ test_audit_rule_registry }}"
user: "{{ test_audit_rule_user }}"
rights: "{{ test_audit_rule_rights }}"
state: present
audit_flags: "{{ test_audit_rule_audit_flags }}"
register: registry
check_mode: yes
- name: check mode ADD get directory results
test_get_audit_rule:
path: "{{ test_audit_rule_folder }}"
user: "{{ test_audit_rule_user }}"
rights: "{{ test_audit_rule_rights }}"
audit_flags: "{{ test_audit_rule_audit_flags }}"
register: directory_results
- name: check mode ADD get file results
test_get_audit_rule:
path: "{{ test_audit_rule_file }}"
user: "{{ test_audit_rule_user }}"
rights: "{{ test_audit_rule_rights }}"
audit_flags: "{{ test_audit_rule_audit_flags }}"
inheritance_flags: none
register: file_results
- name: check mode ADD get REGISTRY results
test_get_audit_rule:
path: "{{ test_audit_rule_registry }}"
user: "{{ test_audit_rule_user }}"
rights: "{{ test_audit_rule_rights }}"
audit_flags: "{{ test_audit_rule_audit_flags }}"
register: registry_results
- name: check mode ADD assert that a change is needed, but no change occurred to the audit rules
assert:
that:
- directory | changed
- file | changed
- registry | changed
- not directory_results.matching_rule_found and directory_results.path_type == 'directory'
- not file_results.matching_rule_found and file_results.path_type == 'file'
- not registry_results.matching_rule_found and registry_results.path_type == 'registry'
##################
### add a rule ###
##################
- name: ADD audit policy directory
win_audit_rule:
path: "{{ test_audit_rule_folder }}"
user: "{{ test_audit_rule_user }}"
rights: "{{ test_audit_rule_rights }}"
state: present
audit_flags: "{{ test_audit_rule_audit_flags }}"
register: directory
- name: ADD audit policy file
win_audit_rule:
path: "{{ test_audit_rule_file }}"
user: "{{ test_audit_rule_user }}"
rights: "{{ test_audit_rule_rights }}"
state: present
audit_flags: "{{ test_audit_rule_audit_flags }}"
inheritance_flags: none
register: file
- name: ADD audit policy registry
win_audit_rule:
path: "{{ test_audit_rule_registry }}"
user: "{{ test_audit_rule_user }}"
rights: "{{ test_audit_rule_rights }}"
state: present
audit_flags: "{{ test_audit_rule_audit_flags }}"
register: registry
- name: ADD get directory results
test_get_audit_rule:
path: "{{ test_audit_rule_folder }}"
user: "{{ test_audit_rule_user }}"
rights: "{{ test_audit_rule_rights }}"
audit_flags: "{{ test_audit_rule_audit_flags }}"
register: directory_results
- name: ADD get file results
test_get_audit_rule:
path: "{{ test_audit_rule_file }}"
user: "{{ test_audit_rule_user }}"
rights: "{{ test_audit_rule_rights }}"
audit_flags: "{{ test_audit_rule_audit_flags }}"
inheritance_flags: none
register: file_results
- name: ADD get REGISTRY results
test_get_audit_rule:
path: "{{ test_audit_rule_registry }}"
user: "{{ test_audit_rule_user }}"
rights: "{{ test_audit_rule_rights }}"
audit_flags: "{{ test_audit_rule_audit_flags }}"
register: registry_results
- name: ADD assert that the rules were added and a change is detected
assert:
that:
- directory | changed
- file | changed
- registry | changed
- directory_results.matching_rule_found and directory_results.path_type == 'directory'
- file_results.matching_rule_found and file_results.path_type == 'file'
- registry_results.matching_rule_found and registry_results.path_type == 'registry'
#############################
### idempotent add a rule ###
#############################
- name: idempotent ADD audit policy directory
win_audit_rule:
path: "{{ test_audit_rule_folder }}"
user: "{{ test_audit_rule_user }}"
rights: "{{ test_audit_rule_rights }}"
state: present
audit_flags: "{{ test_audit_rule_audit_flags }}"
register: directory
- name: idempotent ADD audit policy file
win_audit_rule:
path: "{{ test_audit_rule_file }}"
user: "{{ test_audit_rule_user }}"
rights: "{{ test_audit_rule_rights }}"
state: present
audit_flags: "{{ test_audit_rule_audit_flags }}"
inheritance_flags: none
register: file
- name: idempotent ADD audit policy registry idempotent
win_audit_rule:
path: "{{ test_audit_rule_registry }}"
user: "{{ test_audit_rule_user }}"
rights: "{{ test_audit_rule_rights }}"
state: present
audit_flags: "{{ test_audit_rule_audit_flags }}"
register: registry
- name: idempotent ADD assert that a change did not occur
assert:
that:
- not directory | changed and directory.path_type == 'directory'
- not file | changed and file.path_type == 'file'
- not registry | changed and registry.path_type == 'registry'

View file

@ -0,0 +1,33 @@
- name: create temporary folder to test with
win_file:
path: "{{ test_audit_rule_folder }}"
state: directory
- name: create temporary file to test with
win_file:
path: "{{ test_audit_rule_file }}"
state: touch
- name: create temporary registry key to test with
win_regedit:
path: "{{ test_audit_rule_registry }}"
- block:
- include_tasks: add.yml
- include_tasks: modify.yml
- include_tasks: remove.yml
always:
- name: remove testing folder
win_file:
path: "{{ test_audit_rule_folder }}"
state: absent
- name: remove testing file
win_file:
path: "{{ test_audit_rule_file }}"
state: absent
- name: remove registry key
win_regedit:
path: "{{ test_audit_rule_registry }}"
state: absent

View file

@ -0,0 +1,172 @@
#########################
### modify check mode ###
#########################
- name: check mode modify audit policy directory
win_audit_rule:
path: "{{ test_audit_rule_folder }}"
user: "{{ test_audit_rule_user }}"
rights: "{{ test_audit_rule_new_rights }}"
state: present
audit_flags: "{{ test_audit_rule_audit_flags }}"
register: directory
check_mode: yes
- name: check mode modify audit policy file
win_audit_rule:
path: "{{ test_audit_rule_file }}"
user: "{{ test_audit_rule_user }}"
rights: "{{ test_audit_rule_new_rights }}"
state: present
audit_flags: "{{ test_audit_rule_audit_flags }}"
inheritance_flags: none
register: file
check_mode: yes
- name: check mode modify audit policy registry
win_audit_rule:
path: "{{ test_audit_rule_registry }}"
user: "{{ test_audit_rule_user }}"
rights: "{{ test_audit_rule_new_rights }}"
state: present
audit_flags: "{{ test_audit_rule_audit_flags }}"
register: registry
check_mode: yes
- name: check mode modify get directory rule results
test_get_audit_rule:
path: "{{ test_audit_rule_folder }}"
user: "{{ test_audit_rule_user }}"
rights: "{{ test_audit_rule_new_rights }}"
audit_flags: "{{ test_audit_rule_audit_flags }}"
register: directory_results
- name: check mode modify get file rule results
test_get_audit_rule:
path: "{{ test_audit_rule_file }}"
user: "{{ test_audit_rule_user }}"
rights: "{{ test_audit_rule_new_rights }}"
audit_flags: "{{ test_audit_rule_audit_flags }}"
inheritance_flags: none
register: file_results
- name: check mode modify get REGISTRY rule results
test_get_audit_rule:
path: "{{ test_audit_rule_registry }}"
user: "{{ test_audit_rule_user }}"
rights: "{{ test_audit_rule_new_rights }}"
audit_flags: "{{ test_audit_rule_audit_flags }}"
register: registry_results
- name: check mode modify assert that change is needed but rights still equal the original rights and not test_audit_rule_new_rights
assert:
that:
- directory | changed
- file | changed
- registry | changed
- not directory_results.matching_rule_found and directory_results.path_type == 'directory'
- not file_results.matching_rule_found and file_results.path_type == 'file'
- not registry_results.matching_rule_found and registry_results.path_type == 'registry'
##############
### modify ###
##############
- name: modify audit policy directory
win_audit_rule:
path: "{{ test_audit_rule_folder }}"
user: "{{ test_audit_rule_user }}"
rights: "{{ test_audit_rule_new_rights }}"
state: present
audit_flags: "{{ test_audit_rule_audit_flags }}"
register: directory
- name: modify audit policy file
win_audit_rule:
path: "{{ test_audit_rule_file }}"
user: "{{ test_audit_rule_user }}"
rights: "{{ test_audit_rule_new_rights }}"
state: present
audit_flags: "{{ test_audit_rule_audit_flags }}"
inheritance_flags: none
register: file
- name: modify audit policy registry
win_audit_rule:
path: "{{ test_audit_rule_registry }}"
user: "{{ test_audit_rule_user }}"
rights: "{{ test_audit_rule_new_rights }}"
state: present
audit_flags: "{{ test_audit_rule_audit_flags }}"
register: registry
- name: modify get directory rule results
test_get_audit_rule:
path: "{{ test_audit_rule_folder }}"
user: "{{ test_audit_rule_user }}"
rights: "{{ test_audit_rule_new_rights }}"
audit_flags: "{{ test_audit_rule_audit_flags }}"
register: directory_results
- name: modify get file rule results
test_get_audit_rule:
path: "{{ test_audit_rule_file }}"
user: "{{ test_audit_rule_user }}"
rights: "{{ test_audit_rule_new_rights }}"
audit_flags: "{{ test_audit_rule_audit_flags }}"
inheritance_flags: none
register: file_results
- name: modify get REGISTRY rule results
test_get_audit_rule:
path: "{{ test_audit_rule_registry }}"
user: "{{ test_audit_rule_user }}"
rights: "{{ test_audit_rule_new_rights }}"
audit_flags: "{{ test_audit_rule_audit_flags }}"
register: registry_results
- name: modify assert that the rules were modified and a change is detected
assert:
that:
- directory | changed
- file | changed
- registry | changed
- directory_results.matching_rule_found and directory_results.path_type == 'directory'
- file_results.matching_rule_found and file_results.path_type == 'file'
- registry_results.matching_rule_found and registry_results.path_type == 'registry'
#####################################
### idempotent test modify a rule ###
#####################################
- name: idempotent modify audit policy directory
win_audit_rule:
path: "{{ test_audit_rule_folder }}"
user: "{{ test_audit_rule_user }}"
rights: "{{ test_audit_rule_new_rights }}"
state: present
audit_flags: "{{ test_audit_rule_audit_flags }}"
register: directory
- name: idempotent modify audit policy file
win_audit_rule:
path: "{{ test_audit_rule_file }}"
user: "{{ test_audit_rule_user }}"
rights: "{{ test_audit_rule_new_rights }}"
state: present
audit_flags: "{{ test_audit_rule_audit_flags }}"
inheritance_flags: none
register: file
- name: idempotent modify audit policy registry
win_audit_rule:
path: "{{ test_audit_rule_registry }}"
user: "{{ test_audit_rule_user }}"
rights: "{{ test_audit_rule_new_rights }}"
state: present
audit_flags: "{{ test_audit_rule_audit_flags }}"
register: registry
- name: idempotent modify assert that and a change is not detected
assert:
that:
- not directory | changed and directory.path_type == 'directory'
- not file | changed and file.path_type == 'file'
- not registry | changed and registry.path_type == 'registry'

View file

@ -0,0 +1,151 @@
################################
### check mode remove a rule ###
################################
- name: check mode remove directory rule
win_audit_rule:
path: "{{ test_audit_rule_folder }}"
user: "{{ test_audit_rule_user }}"
state: absent
register: directory
check_mode: yes
- name: check mode remove file rule
win_audit_rule:
path: "{{ test_audit_rule_file }}"
user: "{{ test_audit_rule_user }}"
state: absent
register: file
check_mode: yes
- name: check mode remove registry rule
win_audit_rule:
path: "{{ test_audit_rule_registry }}"
user: "{{ test_audit_rule_user }}"
state: absent
register: registry
check_mode: yes
- name: check mode remove get directory rule results
test_get_audit_rule:
path: "{{ test_audit_rule_folder }}"
user: "{{ test_audit_rule_user }}"
rights: "{{ test_audit_rule_new_rights }}"
audit_flags: "{{ test_audit_rule_audit_flags }}"
register: directory_results
- name: check mode remove get file rule results
test_get_audit_rule:
path: "{{ test_audit_rule_file }}"
user: "{{ test_audit_rule_user }}"
rights: "{{ test_audit_rule_new_rights }}"
audit_flags: "{{ test_audit_rule_audit_flags }}"
inheritance_flags: none
register: file_results
- name: check mode remove get REGISTRY rule results
test_get_audit_rule:
path: "{{ test_audit_rule_registry }}"
user: "{{ test_audit_rule_user }}"
rights: "{{ test_audit_rule_new_rights }}"
audit_flags: "{{ test_audit_rule_audit_flags }}"
register: registry_results
- name: check mode remove assert that change detected, but rule is still present
assert:
that:
- directory | changed
- file | changed
- registry | changed
- directory_results.matching_rule_found and directory_results.path_type == 'directory'
- file_results.matching_rule_found and file_results.path_type == 'file'
- registry_results.matching_rule_found and registry_results.path_type == 'registry'
#####################
### remove a rule ###
#####################
- name: remove directory rule
win_audit_rule:
path: "{{ test_audit_rule_folder }}"
user: "{{ test_audit_rule_user }}"
state: absent
register: directory
- name: remove file rule
win_audit_rule:
path: "{{ test_audit_rule_file }}"
user: "{{ test_audit_rule_user }}"
state: absent
register: file
- name: remove registry rule
win_audit_rule:
path: "{{ test_audit_rule_registry }}"
user: "{{ test_audit_rule_user }}"
state: absent
register: registry
- name: remove get directory rule results
test_get_audit_rule:
path: "{{ test_audit_rule_folder }}"
user: "{{ test_audit_rule_user }}"
rights: "{{ test_audit_rule_new_rights }}"
audit_flags: "{{ test_audit_rule_audit_flags }}"
register: directory_results
- name: remove get file rule results
test_get_audit_rule:
path: "{{ test_audit_rule_file }}"
user: "{{ test_audit_rule_user }}"
rights: "{{ test_audit_rule_new_rights }}"
audit_flags: "{{ test_audit_rule_audit_flags }}"
inheritance_flags: none
register: file_results
- name: remove get REGISTRY rule results
test_get_audit_rule:
path: "{{ test_audit_rule_registry }}"
user: "{{ test_audit_rule_user }}"
rights: "{{ test_audit_rule_new_rights }}"
audit_flags: "{{ test_audit_rule_audit_flags }}"
register: registry_results
- name: remove assert that change detected and rule is gone
assert:
that:
- directory | changed
- file | changed
- registry | changed
- not directory_results.matching_rule_found and directory_results.path_type == 'directory'
- not file_results.matching_rule_found and file_results.path_type == 'file'
- not registry_results.matching_rule_found and registry_results.path_type == 'registry'
################################
### idempotent remove a rule ###
################################
- name: idempotent remove directory rule
win_audit_rule:
path: "{{ test_audit_rule_folder }}"
user: "{{ test_audit_rule_user }}"
state: absent
register: directory
- name: idempotent remove file rule
win_audit_rule:
path: "{{ test_audit_rule_file }}"
user: "{{ test_audit_rule_user }}"
state: absent
register: file
- name: idempotent remove registry rule
win_audit_rule:
path: "{{ test_audit_rule_registry }}"
user: "{{ test_audit_rule_user }}"
state: absent
register: registry
- name: idempotent remove assert that no change detected
assert:
that:
- not directory | changed and directory.path_type == 'directory'
- not file | changed and file.path_type == 'file'
- not registry | changed and registry.path_type == 'registry'