new windows module, win_audit_rule (#30473)

* added win_audit_rule with integration test * Updated integration testing to target files as well as directories and registry keys. Split testing files apart to be more organized. Updated powershell for better handling when targetting file objects and optimized a bit. Removed duplicated sections that got there from a previous merge I think. * Decided to make all the fact names the same in integration testing. Seemed like there would be less change of accidentally using the wrong variable when copy/pasting that way, and not much upside to having unique names. Did final cleanup and fixed a few errors in the integration testing. * Fixed a bug where results was displaying a wrong value Fixed a bug where removal was failing if multiple rules existed due to inheritance from higher level objects. * Resolved issue with unhandled error when used didn't have permissions for get-acl. Changed from setauditrule to addauditrule, see comment in script for reasoning. Fixed state absent to be able to remove multiple entries if they exist. * fixed docs issue * updated to fail if invalid inheritance_rule when defining a file rather than warn
2017-10-19 21:20:33 -04:00 · 2017-10-19 21:20:33 -04:00 · 5cccad8ed4
commit 5cccad8ed4
parent bb4b98a82e
9 changed files with 962 additions and 0 deletions
--- a/lib/ansible/modules/windows/win_audit_rule.ps1
+++ b/lib/ansible/modules/windows/win_audit_rule.ps1
@ -0,0 +1,193 @@
+#!powershell
+
+# Copyright: (c) 2017, Noah Sparks <nsparks@outlook.com>
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+#Requires -Module Ansible.ModuleUtils.Legacy.psm1
+#Requires -Module Ansible.ModuleUtils.SID.psm1
+
+$params = Parse-Args -arguments $args -supports_check_mode $true
+$check_mode = Get-AnsibleParam -obj $params -name "_ansible_check_mode" -type "bool" -default $false
+
+# module parameters
+$path = Get-AnsibleParam -obj $params -name "path" -type "path" -failifempty $true -aliases "destination","dest"
+$user = Get-AnsibleParam -obj $params -name "user" -type "str" -failifempty $true
+$rights = Get-AnsibleParam -obj $params -name "rights" -type "list"
+$inheritance_flags = Get-AnsibleParam -obj $params -name "inheritance_flags" -type "list" -default 'ContainerInherit','ObjectInherit'
+$propagation_flags = Get-AnsibleParam -obj $params -name "propagation_flags" -type "str" -default "none" -ValidateSet 'InheritOnly','None','NoPropagateInherit'
+$audit_flags = Get-AnsibleParam -obj $params -name "audit_flags" -type "list" -default 'success'
+$state = Get-AnsibleParam -obj $params -name "state" -type "str" -default "present" -validateset 'present','absent'
+
+#Make sure target path is valid
+If (-not (Test-Path -Path $path) )
+{
+    Fail-Json -obj $result -message "defined path ($path) is not found/invalid"
+}
+
+#function get current audit rules and convert to hashtable
+Function Get-CurrentAuditRules ($path) {
+    Try {
+        $ACL = Get-Acl $path -Audit
+    }
+    Catch {
+        Return "Unable to retrieve the ACL on $Path"
+    }
+
+    $HT = Foreach ($Obj in $ACL.Audit)
+    {
+        @{
+            user = $Obj.IdentityReference.ToString()
+            rights = ($Obj | Select-Object -expand "*rights").ToString()
+            audit_flags = $Obj.AuditFlags.ToString()
+            is_inherited = $Obj.IsInherited.ToString()
+            inheritance_flags = $Obj.InheritanceFlags.ToString()
+            propagation_flags = $Obj.PropagationFlags.ToString()
+        }
+    }
+
+    If (-Not $HT)
+    {
+        "No audit rules defined on $path"
+    }
+    Else {$HT}
+}
+
+$result = @{
+    changed = $false
+    current_audit_rules = Get-CurrentAuditRules $path
+}
+
+#Make sure identity is valid and can be looked up
+Try {
+    $SID = Convert-ToSid $user
+}
+Catch {
+    Fail-Json -obj $result -message "Failed to lookup the identity ($user) - $($_.exception.message)"
+}
+
+#get the path type
+$ItemType = (Get-Item $path).GetType()
+switch ($ItemType)
+{
+    ([Microsoft.Win32.RegistryKey]) {$registry = $true;  $result.path_type = 'registry'}
+    ([System.IO.FileInfo]) {$file = $true;  $result.path_type = 'file'}
+    ([System.IO.DirectoryInfo]) {$result.path_type = 'directory'}
+}
+
+#Get current acl/audit rules on the target
+Try {
+    $ACL = Get-Acl $path -Audit
+}
+Catch {
+    Fail-Json -obj $result -message "Unable to retrieve the ACL on $Path -  $($_.Exception.Message)"
+}
+
+#configure acl object to remove the specified user
+If ($state -eq 'absent')
+{
+    #Try and find an identity on the object that matches user
+    #We skip inherited items since we can't remove those
+    $ToRemove = ($ACL.Audit | Where-Object {$_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $SID -and
+    $_.IsInherited -eq $false}).IdentityReference
+
+    #Exit with changed false if no identity is found
+    If (-Not $ToRemove)
+    {
+        $result.current_audit_rules = Get-CurrentAuditRules $path
+        Exit-Json -obj $result
+    }
+
+    #update the ACL object if identity found
+    Try
+    {
+        $ToRemove | ForEach-Object { $ACL.PurgeAuditRules($_) }
+    }
+    Catch
+    {
+        $result.current_audit_rules = Get-CurrentAuditRules $path
+        Fail-Json -obj $result -message "Failed to remove audit rule: $($_.Exception.Message)"
+    }
+}
+
+Else
+{
+    If ($registry)
+    {
+        $PossibleRights = [System.Enum]::GetNames([System.Security.AccessControl.RegistryRights])
+
+        Foreach ($right in $rights)
+        {
+            if ($right -notin $PossibleRights)
+            {
+                Fail-Json -obj $result -message "$right does not seem to be a valid REGISTRY right"
+            }
+        }
+
+        $NewAccessRule = New-Object System.Security.AccessControl.RegistryAuditRule($user,$rights,$inheritance_flags,$propagation_flags,$audit_flags)
+    }
+    Else
+    {
+        $PossibleRights = [System.Enum]::GetNames([System.Security.AccessControl.FileSystemRights])
+
+        Foreach ($right in $rights)
+        {
+            if ($right -notin $PossibleRights)
+            {
+                Fail-Json -obj $result -message "$right does not seem to be a valid FILE SYSTEM right"
+            }
+        }
+
+        If ($file -and $inheritance_flags -ne 'none')
+        {
+            Fail-Json -obj $result -message "The target type is a file. inheritance_flags must be changed to 'none'"
+        }
+
+        $NewAccessRule = New-Object System.Security.AccessControl.FileSystemAuditRule($user,$rights,$inheritance_flags,$propagation_flags,$audit_flags)
+    }
+
+    #exit here if any existing rule matches defined rule since no change is needed
+    #if we need to ignore inherited rules in the future, this would be where to do it
+    #Just filter out inherited rules from $ACL.Audit
+    Foreach ($group in $ACL.Audit | Where-Object {$_.IsInherited -eq $false})
+    {
+        If (
+            ($group | Select-Object -expand "*Rights") -eq ($NewAccessRule | Select-Object -expand "*Rights") -and
+            $group.AuditFlags -eq $NewAccessRule.AuditFlags -and
+            $group.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $SID -and
+            $group.InheritanceFlags -eq $NewAccessRule.InheritanceFlags -and
+            $group.PropagationFlags -eq $NewAccessRule.PropagationFlags
+        )
+        {
+            $result.current_audit_rules = Get-CurrentAuditRules $path
+            Exit-Json -obj $result
+        }
+    }
+
+    #try and set the acl object. AddAuditRule allows for multiple entries to exist under the same
+    #identity...so if someone wanted success: write and failure: delete for example, that setup would be
+    #possible. The alternative is SetAuditRule which would instead modify an existing rule and not allow
+    #for setting the above example.
+    Try
+    {
+        $ACL.AddAuditRule($NewAccessRule)
+    }
+    Catch
+    {
+        Fail-Json -obj $result -message "Failed to set the audit rule: $($_.Exception.Message)"
+    }
+}
+
+
+#finally set the permissions
+Try {
+    Set-Acl -Path $path -ACLObject $ACL -WhatIf:$check_mode
+}
+Catch {
+    $result.current_audit_rules = Get-CurrentAuditRules $path
+    Fail-Json -obj $result -message "Failed to apply audit change: $($_.Exception.Message)"
+}
+
+#exit here after a change is applied
+$result.current_audit_rules = Get-CurrentAuditRules $path
+$result.changed = $true
+Exit-Json -obj $result
--- a/lib/ansible/modules/windows/win_audit_rule.py
+++ b/lib/ansible/modules/windows/win_audit_rule.py
@ -0,0 +1,135 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# Copyright: (c) 2017, Noah Sparks <nsparks@outlook.com>
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+ANSIBLE_METADATA = {'metadata_version': '1.1',
+                    'status': ['preview'],
+                    'supported_by': 'community'}
+
+
+DOCUMENTATION = r'''
+---
+module: win_audit_rule
+short_description: Adds an audit rule to files, folders, or registry keys
+description:
+  - Used to apply audit rules to files, folders or registry keys.
+  - Once applied, it will begin recording the user who performed the operation defined into the Security
+    Log in the Event viewer.
+  - The behavior is designed to ignore inherited rules since those cannot be adjusted without first disabling
+    the inheritance behavior. It will still print inherited rules in the output though for debugging purposes.
+version_added: "2.5"
+author:
+  - Noah Sparks (@nwsparks)
+options:
+  path:
+    description:
+      - Path to the file, folder, or registry key.
+      - Registry paths should be in Powershell format, beginning with an abbreviation for the root
+        such as, 'hklm:\software'.
+    required: true
+    aliases: [ dest, destination ]
+  user:
+    description:
+      - The user or group to adjust rules for.
+    required: true
+  rights:
+    description:
+      - Comma seperated list of the rights desired. Only required for adding a rule.
+      - If I(path) is a file or directory, rights can be any right under MSDN
+        FileSystemRights U(https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.filesystemrights.aspx).
+      - If I(path) is a registry key, rights can be any right under MSDN
+        RegistryRights U(https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.registryrights.aspx).
+    required: true
+  inheritance_flags:
+    description:
+      - Defines what objects inside of a folder or registry key will inherit the settings.
+      - If you are setting a rule on a file, this value has to be changed to C(none).
+      - For more information on the choices see MSDN PropagationFlags enumeration
+        at U(https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.inheritanceflags.aspx).
+    default: "ContainerInherit,ObjectInherit"
+    choices: [ ContainerInherit, ObjectInherit ]
+  propagation_flags:
+    description:
+      - Propagation flag on the audit rules.
+      - This value is ignored when the path type is a file.
+      - For more information on the choices see MSDN PropagationFlags enumeration
+        at U(https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.propagationflags.aspx).
+    default: "None"
+    choices: [ None, InherityOnly, NoPropagateInherit ]
+  audit_flags:
+    description:
+      - Defines whether to log on failure, success, or both.
+      - To log both define as comma seperated list "Success, Failure".
+    required: true
+    choices: [ Success, Failure ]
+  state:
+    description:
+      - Whether the rule should be C(present) or C(absent).
+      - For absent, only I(path), I(user), and I(state) are required.
+      - Specifying C(absent) will remove all rules matching the defined I(user).
+    default: present
+    choices: [ present, absent ]
+'''
+
+EXAMPLES = r'''
+- name: add filesystem audit rule for a folder
+  win_audit_rule:
+    path: 'c:\inetpub\wwwroot\website'
+    user: 'BUILTIN\Users'
+    rights: 'write,delete,changepermissions'
+    audit_flags: 'success,failure'
+    inheritance_flags: 'ContainerInherit,ObjectInherit'
+
+- name: add filesystem audit rule for a file
+  win_audit_rule:
+    path: 'c:\inetpub\wwwroot\website\web.config'
+    user: 'BUILTIN\Users'
+    rights: write,delete,changepermissions
+    audit_flags: success,failure
+    inheritance_flags: None
+
+- name: add registry audit rule
+  win_audit_rule:
+    path: 'hklm:\software'
+    user: 'BUILTIN\Users'
+    rights: 'delete'
+    audit_flags: 'success'
+
+- name: remove filesystem audit rule
+  win_audit_rule:
+    path: 'c:\inetpub\wwwroot\website'
+    user: 'BUILTIN\Users'
+    state: absent
+
+- name: remove registry audit rule
+  win_audit_rule:
+    path: 'hklm:\software'
+    user: 'BUILTIN\Users'
+    state: absent
+'''
+
+RETURN = r'''
+current_audit_rules:
+  description:
+    - The current rules on the defined I(path)
+    - Will return "No audit rules defined on I(path)"
+  returned: always
+  type: dictionary
+  sample: |
+    {
+      "audit_flags": "Success",
+      "user": "Everyone",
+      "inheritance_flags": "False",
+      "is_inherited": "False",
+      "propagation_flags": "None",
+      "rights": "Delete"
+    }
+path_type:
+  description:
+    - The type of I(path) being targetted.
+    - Will be one of file, directory, registry.
+  returned: always
+  type: string
+'''
--- a/test/integration/targets/win_audit_rule/aliases
+++ b/test/integration/targets/win_audit_rule/aliases
@ -0,0 +1 @@
+windows/ci/group3
--- a/test/integration/targets/win_audit_rule/defaults/main.yml
+++ b/test/integration/targets/win_audit_rule/defaults/main.yml
@ -0,0 +1,7 @@
+test_audit_rule_folder: c:\windows\temp\{{ 'ansible test win_audit_policy' | to_uuid }}
+test_audit_rule_file: c:\windows\temp\{{ 'ansible test win_audit_policy' | to_uuid }}.txt
+test_audit_rule_registry: HKCU:\{{ 'ansible test win_audit_policy' | to_uuid }}
+test_audit_rule_rights: 'delete'
+test_audit_rule_new_rights: 'delete,changepermissions'
+test_audit_rule_user: 'everyone'
+test_audit_rule_audit_flags: success
--- a/test/integration/targets/win_audit_rule/library/test_get_audit_rule.ps1
+++ b/test/integration/targets/win_audit_rule/library/test_get_audit_rule.ps1
@ -0,0 +1,98 @@
+#!powershell
+
+# Copyright (c) 2017 Ansible Project
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+#Requires -Module Ansible.ModuleUtils.Legacy.psm1
+#Requires -Module Ansible.ModuleUtils.SID.psm1
+
+$params = Parse-Args -arguments $args -supports_check_mode $true
+
+# these are your module parameters
+$path = Get-AnsibleParam -obj $params -name "path" -type "path" -failifempty $true -aliases "destination","dest"
+$user = Get-AnsibleParam -obj $params -name "user" -type "str" -failifempty $true
+$rights = Get-AnsibleParam -obj $params -name "rights" -type "list"
+$inheritance_flags = Get-AnsibleParam -obj $params -name "inheritance_flags" -type "list" -default 'ContainerInherit','ObjectInherit' # -validateset 'None','ContainerInherit','ObjectInherit'
+$propagation_flags = Get-AnsibleParam -obj $params -name "propagation_flags" -type "str" -default "none" -ValidateSet 'InheritOnly','None','NoPropagateInherit'
+$audit_flags = Get-AnsibleParam -obj $params -name "audit_flags" -type "list" -default "success" #-ValidateSet 'Success','Failure'
+#$state = Get-AnsibleParam -obj $params -name "state" -type "str" -default "present" -validateset 'present','absent'
+
+
+If (! (Test-Path $path) )
+{
+    Fail-Json $result "Path not found ($path)"
+}
+
+Function Get-CurrentAuditRules ($path) {
+    $ACL = Get-Acl -Path $path -Audit
+
+    $HT = Foreach ($Obj in $ACL.Audit)
+    {
+        @{
+            user = $Obj.IdentityReference.ToString()
+            rights = ($Obj | Select-Object -expand "*rights").ToString()
+            audit_flags = $Obj.AuditFlags.ToString()
+            is_inherited = $Obj.InheritanceFlags.ToString()
+            inheritance_flags = $Obj.IsInherited.ToString()
+            propagation_flags = $Obj.PropagationFlags.ToString()
+        }
+    }
+
+    If (-Not $HT)
+    {
+        "No audit rules defined on $path"
+    }
+    Else {$HT}
+}
+
+
+$result = @{
+    changed = $false
+    matching_rule_found = $false
+    current_audit_rules = Get-CurrentAuditRules $path
+}
+
+$ACL = Get-ACL $Path -Audit
+$SID = Convert-ToSid $user
+
+$ItemType = (Get-Item $path).GetType()
+switch ($ItemType)
+{
+    ([Microsoft.Win32.RegistryKey]) {
+        $rights = [System.Security.AccessControl.RegistryRights]$rights
+        $result.path_type = 'registry'
+    }
+    ([System.IO.FileInfo]) {
+        $rights = [System.Security.AccessControl.FileSystemRights]$rights
+        $result.path_type = 'file'
+    }
+    ([System.IO.DirectoryInfo]) {
+        $rights = [System.Security.AccessControl.FileSystemRights]$rights
+        $result.path_type = 'directory'
+    }
+}
+
+$flags = [System.Security.AccessControl.AuditFlags]$audit_flags
+$inherit = [System.Security.AccessControl.InheritanceFlags]$inheritance_flags
+$prop = [System.Security.AccessControl.PropagationFlags]$propagation_flags
+
+Foreach ($group in $ACL.Audit)
+{
+    #exit here if any existing rule matches defined rule, otherwise exit below
+    #with no matches
+    If (
+        ($group | select -expand "*Rights") -eq $rights -and
+        $group.AuditFlags -eq $flags -and
+        $group.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $SID -and
+        $group.InheritanceFlags -eq $inherit -and
+        $group.PropagationFlags -eq $prop
+    )
+    {
+        $result.matching_rule_found = $true
+	    $result.current_audit_rules = Get-CurrentAuditRules $path
+        Exit-Json $result
+    }
+}
+
+$result.current_audit_rules = Get-CurrentAuditRules $path
+Exit-Json $result
--- a/test/integration/targets/win_audit_rule/tasks/add.yml
+++ b/test/integration/targets/win_audit_rule/tasks/add.yml
@ -0,0 +1,172 @@
+######################
+### check mode add ###
+######################
+- name: check mode ADD audit policy directory
+  win_audit_rule:
+    path: "{{ test_audit_rule_folder }}"
+    user: "{{ test_audit_rule_user }}"
+    rights: "{{ test_audit_rule_rights }}"
+    state: present
+    audit_flags: "{{ test_audit_rule_audit_flags }}"
+  register: directory
+  check_mode: yes
+
+- name: check mode ADD audit policy file
+  win_audit_rule:
+    path: "{{ test_audit_rule_file }}"
+    user: "{{ test_audit_rule_user }}"
+    rights: "{{ test_audit_rule_rights }}"
+    state: present
+    audit_flags: "{{ test_audit_rule_audit_flags }}"
+    inheritance_flags: none
+  register: file
+  check_mode: yes
+
+- name: check mode ADD audit policy registry
+  win_audit_rule:
+    path: "{{ test_audit_rule_registry }}"
+    user: "{{ test_audit_rule_user }}"
+    rights: "{{ test_audit_rule_rights }}"
+    state: present
+    audit_flags: "{{ test_audit_rule_audit_flags }}"
+  register: registry
+  check_mode: yes
+
+- name: check mode ADD get directory results
+  test_get_audit_rule:
+    path: "{{ test_audit_rule_folder }}"
+    user: "{{ test_audit_rule_user }}"
+    rights: "{{ test_audit_rule_rights }}"
+    audit_flags: "{{ test_audit_rule_audit_flags }}"
+  register: directory_results
+
+- name: check mode ADD get file results
+  test_get_audit_rule:
+    path: "{{ test_audit_rule_file }}"
+    user: "{{ test_audit_rule_user }}"
+    rights: "{{ test_audit_rule_rights }}"
+    audit_flags: "{{ test_audit_rule_audit_flags }}"
+    inheritance_flags: none
+  register: file_results
+
+- name: check mode ADD get REGISTRY results
+  test_get_audit_rule:
+    path: "{{ test_audit_rule_registry }}"
+    user: "{{ test_audit_rule_user }}"
+    rights: "{{ test_audit_rule_rights }}"
+    audit_flags: "{{ test_audit_rule_audit_flags }}"
+  register: registry_results
+
+- name: check mode ADD assert that a change is needed, but no change occurred to the audit rules
+  assert:
+    that:
+    - directory | changed
+    - file | changed
+    - registry | changed
+    - not directory_results.matching_rule_found and directory_results.path_type == 'directory'
+    - not file_results.matching_rule_found and file_results.path_type == 'file'
+    - not registry_results.matching_rule_found and registry_results.path_type == 'registry'
+
+##################
+### add a rule ###
+##################
+- name: ADD audit policy directory
+  win_audit_rule:
+    path: "{{ test_audit_rule_folder }}"
+    user: "{{ test_audit_rule_user }}"
+    rights: "{{ test_audit_rule_rights }}"
+    state: present
+    audit_flags: "{{ test_audit_rule_audit_flags }}"
+  register: directory
+
+- name: ADD audit policy file
+  win_audit_rule:
+    path: "{{ test_audit_rule_file }}"
+    user: "{{ test_audit_rule_user }}"
+    rights: "{{ test_audit_rule_rights }}"
+    state: present
+    audit_flags: "{{ test_audit_rule_audit_flags }}"
+    inheritance_flags: none
+  register: file
+
+- name: ADD audit policy registry
+  win_audit_rule:
+    path: "{{ test_audit_rule_registry }}"
+    user: "{{ test_audit_rule_user }}"
+    rights: "{{ test_audit_rule_rights }}"
+    state: present
+    audit_flags: "{{ test_audit_rule_audit_flags }}"
+  register: registry
+
+- name: ADD get directory results
+  test_get_audit_rule:
+    path: "{{ test_audit_rule_folder }}"
+    user: "{{ test_audit_rule_user }}"
+    rights: "{{ test_audit_rule_rights }}"
+    audit_flags: "{{ test_audit_rule_audit_flags }}"
+  register: directory_results
+
+- name: ADD get file results
+  test_get_audit_rule:
+    path: "{{ test_audit_rule_file }}"
+    user: "{{ test_audit_rule_user }}"
+    rights: "{{ test_audit_rule_rights }}"
+    audit_flags: "{{ test_audit_rule_audit_flags }}"
+    inheritance_flags: none
+  register: file_results
+
+- name: ADD get REGISTRY results
+  test_get_audit_rule:
+    path: "{{ test_audit_rule_registry }}"
+    user: "{{ test_audit_rule_user }}"
+    rights: "{{ test_audit_rule_rights }}"
+    audit_flags: "{{ test_audit_rule_audit_flags }}"
+  register: registry_results
+
+- name: ADD assert that the rules were added and a change is detected
+  assert:
+    that:
+    - directory | changed
+    - file | changed
+    - registry | changed
+    - directory_results.matching_rule_found and directory_results.path_type == 'directory'
+    - file_results.matching_rule_found and file_results.path_type == 'file'
+    - registry_results.matching_rule_found and registry_results.path_type == 'registry'
+
+#############################
+### idempotent add a rule ###
+#############################
+- name: idempotent ADD audit policy directory
+  win_audit_rule:
+    path: "{{ test_audit_rule_folder }}"
+    user: "{{ test_audit_rule_user }}"
+    rights: "{{ test_audit_rule_rights }}"
+    state: present
+    audit_flags: "{{ test_audit_rule_audit_flags }}"
+  register: directory
+
+- name: idempotent ADD audit policy file
+  win_audit_rule:
+    path: "{{ test_audit_rule_file }}"
+    user: "{{ test_audit_rule_user }}"
+    rights: "{{ test_audit_rule_rights }}"
+    state: present
+    audit_flags: "{{ test_audit_rule_audit_flags }}"
+    inheritance_flags: none
+  register: file
+
+- name: idempotent ADD audit policy registry idempotent
+  win_audit_rule:
+    path: "{{ test_audit_rule_registry }}"
+    user: "{{ test_audit_rule_user }}"
+    rights: "{{ test_audit_rule_rights }}"
+    state: present
+    audit_flags: "{{ test_audit_rule_audit_flags }}"
+  register: registry
+
+- name: idempotent ADD assert that a change did not occur
+  assert:
+    that:
+    - not directory | changed and directory.path_type == 'directory'
+    - not file | changed and file.path_type == 'file'
+    - not registry | changed and registry.path_type == 'registry'
--- a/test/integration/targets/win_audit_rule/tasks/main.yml
+++ b/test/integration/targets/win_audit_rule/tasks/main.yml
@ -0,0 +1,33 @@
+- name: create temporary folder to test with
+  win_file:
+    path: "{{ test_audit_rule_folder }}"
+    state: directory
+
+- name: create temporary file to test with
+  win_file:
+    path: "{{ test_audit_rule_file }}"
+    state: touch
+
+- name: create temporary registry key to test with
+  win_regedit:
+    path: "{{ test_audit_rule_registry }}"
+
+- block:
+    - include_tasks: add.yml
+    - include_tasks: modify.yml
+    - include_tasks: remove.yml
+  always:
+  - name: remove testing folder
+    win_file:
+      path: "{{ test_audit_rule_folder }}"
+      state: absent
+
+  - name: remove testing file
+    win_file:
+      path: "{{ test_audit_rule_file }}"
+      state: absent
+
+  - name: remove registry key
+    win_regedit:
+      path: "{{ test_audit_rule_registry }}"
+      state: absent
--- a/test/integration/targets/win_audit_rule/tasks/modify.yml
+++ b/test/integration/targets/win_audit_rule/tasks/modify.yml
@ -0,0 +1,172 @@
+#########################
+### modify check mode ###
+#########################
+- name: check mode modify audit policy directory
+  win_audit_rule:
+    path: "{{ test_audit_rule_folder }}"
+    user: "{{ test_audit_rule_user }}"
+    rights: "{{ test_audit_rule_new_rights }}"
+    state: present
+    audit_flags: "{{ test_audit_rule_audit_flags }}"
+  register: directory
+  check_mode: yes
+
+- name: check mode modify audit policy file
+  win_audit_rule:
+    path: "{{ test_audit_rule_file }}"
+    user: "{{ test_audit_rule_user }}"
+    rights: "{{ test_audit_rule_new_rights }}"
+    state: present
+    audit_flags: "{{ test_audit_rule_audit_flags }}"
+    inheritance_flags: none
+  register: file
+  check_mode: yes
+
+- name: check mode modify audit policy registry
+  win_audit_rule:
+    path: "{{ test_audit_rule_registry }}"
+    user: "{{ test_audit_rule_user }}"
+    rights: "{{ test_audit_rule_new_rights }}"
+    state: present
+    audit_flags: "{{ test_audit_rule_audit_flags }}"
+  register: registry
+  check_mode: yes
+
+- name: check mode modify get directory rule results
+  test_get_audit_rule:
+    path: "{{ test_audit_rule_folder }}"
+    user: "{{ test_audit_rule_user }}"
+    rights: "{{ test_audit_rule_new_rights }}"
+    audit_flags: "{{ test_audit_rule_audit_flags }}"
+  register: directory_results
+
+- name: check mode modify get file rule results
+  test_get_audit_rule:
+    path: "{{ test_audit_rule_file }}"
+    user: "{{ test_audit_rule_user }}"
+    rights: "{{ test_audit_rule_new_rights }}"
+    audit_flags: "{{ test_audit_rule_audit_flags }}"
+    inheritance_flags: none
+  register: file_results
+
+- name: check mode modify get REGISTRY rule results
+  test_get_audit_rule:
+    path: "{{ test_audit_rule_registry }}"
+    user: "{{ test_audit_rule_user }}"
+    rights: "{{ test_audit_rule_new_rights }}"
+    audit_flags: "{{ test_audit_rule_audit_flags }}"
+  register: registry_results
+
+- name: check mode modify assert that change is needed but rights still equal the original rights and not test_audit_rule_new_rights
+  assert:
+    that:
+    - directory | changed
+    - file | changed
+    - registry | changed
+    - not directory_results.matching_rule_found and directory_results.path_type == 'directory'
+    - not file_results.matching_rule_found and file_results.path_type == 'file'
+    - not registry_results.matching_rule_found and registry_results.path_type == 'registry'
+
+##############
+### modify ###
+##############
+- name: modify audit policy directory
+  win_audit_rule:
+    path: "{{ test_audit_rule_folder }}"
+    user: "{{ test_audit_rule_user }}"
+    rights: "{{ test_audit_rule_new_rights }}"
+    state: present
+    audit_flags: "{{ test_audit_rule_audit_flags }}"
+  register: directory
+
+- name: modify audit policy file
+  win_audit_rule:
+    path: "{{ test_audit_rule_file }}"
+    user: "{{ test_audit_rule_user }}"
+    rights: "{{ test_audit_rule_new_rights }}"
+    state: present
+    audit_flags: "{{ test_audit_rule_audit_flags }}"
+    inheritance_flags: none
+  register: file
+
+- name: modify audit policy registry
+  win_audit_rule:
+    path: "{{ test_audit_rule_registry }}"
+    user: "{{ test_audit_rule_user }}"
+    rights: "{{ test_audit_rule_new_rights }}"
+    state: present
+    audit_flags: "{{ test_audit_rule_audit_flags }}"
+  register: registry
+
+- name: modify get directory rule results
+  test_get_audit_rule:
+    path: "{{ test_audit_rule_folder }}"
+    user: "{{ test_audit_rule_user }}"
+    rights: "{{ test_audit_rule_new_rights }}"
+    audit_flags: "{{ test_audit_rule_audit_flags }}"
+  register: directory_results
+
+- name: modify get file rule results
+  test_get_audit_rule:
+    path: "{{ test_audit_rule_file }}"
+    user: "{{ test_audit_rule_user }}"
+    rights: "{{ test_audit_rule_new_rights }}"
+    audit_flags: "{{ test_audit_rule_audit_flags }}"
+    inheritance_flags: none
+  register: file_results
+
+- name: modify get REGISTRY rule results
+  test_get_audit_rule:
+    path: "{{ test_audit_rule_registry }}"
+    user: "{{ test_audit_rule_user }}"
+    rights: "{{ test_audit_rule_new_rights }}"
+    audit_flags: "{{ test_audit_rule_audit_flags }}"
+  register: registry_results
+
+- name: modify assert that the rules were modified and a change is detected
+  assert:
+    that:
+    - directory | changed
+    - file | changed
+    - registry | changed
+    - directory_results.matching_rule_found and directory_results.path_type == 'directory'
+    - file_results.matching_rule_found and file_results.path_type == 'file'
+    - registry_results.matching_rule_found and registry_results.path_type == 'registry'
+
+#####################################
+### idempotent test modify a rule ###
+#####################################
+- name: idempotent modify audit policy directory
+  win_audit_rule:
+    path: "{{ test_audit_rule_folder }}"
+    user: "{{ test_audit_rule_user }}"
+    rights: "{{ test_audit_rule_new_rights }}"
+    state: present
+    audit_flags: "{{ test_audit_rule_audit_flags }}"
+  register: directory
+
+- name: idempotent modify audit policy file
+  win_audit_rule:
+    path: "{{ test_audit_rule_file }}"
+    user: "{{ test_audit_rule_user }}"
+    rights: "{{ test_audit_rule_new_rights }}"
+    state: present
+    audit_flags: "{{ test_audit_rule_audit_flags }}"
+    inheritance_flags: none
+  register: file
+
+- name: idempotent modify audit policy registry
+  win_audit_rule:
+    path: "{{ test_audit_rule_registry }}"
+    user: "{{ test_audit_rule_user }}"
+    rights: "{{ test_audit_rule_new_rights }}"
+    state: present
+    audit_flags: "{{ test_audit_rule_audit_flags }}"
+  register: registry
+
+- name: idempotent modify assert that and a change is not detected
+  assert:
+    that:
+    - not directory | changed and directory.path_type == 'directory'
+    - not file | changed and file.path_type == 'file'
+    - not registry | changed and registry.path_type == 'registry'
--- a/test/integration/targets/win_audit_rule/tasks/remove.yml
+++ b/test/integration/targets/win_audit_rule/tasks/remove.yml
@ -0,0 +1,151 @@
+################################
+### check mode remove a rule ###
+################################
+- name: check mode remove directory rule
+  win_audit_rule:
+    path: "{{ test_audit_rule_folder }}"
+    user: "{{ test_audit_rule_user }}"
+    state: absent
+  register: directory
+  check_mode: yes
+
+- name: check mode remove file rule
+  win_audit_rule:
+    path: "{{ test_audit_rule_file }}"
+    user: "{{ test_audit_rule_user }}"
+    state: absent
+  register: file
+  check_mode: yes
+
+- name: check mode remove registry rule
+  win_audit_rule:
+    path: "{{ test_audit_rule_registry }}"
+    user: "{{ test_audit_rule_user }}"
+    state: absent
+  register: registry
+  check_mode: yes
+
+- name: check mode remove get directory rule results
+  test_get_audit_rule:
+    path: "{{ test_audit_rule_folder }}"
+    user: "{{ test_audit_rule_user }}"
+    rights: "{{ test_audit_rule_new_rights }}"
+    audit_flags: "{{ test_audit_rule_audit_flags }}"
+  register: directory_results
+
+- name: check mode remove get file rule results
+  test_get_audit_rule:
+    path: "{{ test_audit_rule_file }}"
+    user: "{{ test_audit_rule_user }}"
+    rights: "{{ test_audit_rule_new_rights }}"
+    audit_flags: "{{ test_audit_rule_audit_flags }}"
+    inheritance_flags: none
+  register: file_results
+
+- name: check mode remove get REGISTRY rule results
+  test_get_audit_rule:
+    path: "{{ test_audit_rule_registry }}"
+    user: "{{ test_audit_rule_user }}"
+    rights: "{{ test_audit_rule_new_rights }}"
+    audit_flags: "{{ test_audit_rule_audit_flags }}"
+  register: registry_results
+
+- name: check mode remove assert that change detected, but rule is still present
+  assert:
+    that:
+    - directory | changed
+    - file | changed
+    - registry | changed
+    - directory_results.matching_rule_found and directory_results.path_type == 'directory'
+    - file_results.matching_rule_found and file_results.path_type == 'file'
+    - registry_results.matching_rule_found and registry_results.path_type == 'registry'
+
+#####################
+### remove a rule ###
+#####################
+- name: remove directory rule
+  win_audit_rule:
+    path: "{{ test_audit_rule_folder }}"
+    user: "{{ test_audit_rule_user }}"
+    state: absent
+  register: directory
+
+- name: remove file rule
+  win_audit_rule:
+    path: "{{ test_audit_rule_file }}"
+    user: "{{ test_audit_rule_user }}"
+    state: absent
+  register: file
+
+- name: remove registry rule
+  win_audit_rule:
+    path: "{{ test_audit_rule_registry }}"
+    user: "{{ test_audit_rule_user }}"
+    state: absent
+  register: registry
+
+- name: remove get directory rule results
+  test_get_audit_rule:
+    path: "{{ test_audit_rule_folder }}"
+    user: "{{ test_audit_rule_user }}"
+    rights: "{{ test_audit_rule_new_rights }}"
+    audit_flags: "{{ test_audit_rule_audit_flags }}"
+  register: directory_results
+
+- name: remove get file rule results
+  test_get_audit_rule:
+    path: "{{ test_audit_rule_file }}"
+    user: "{{ test_audit_rule_user }}"
+    rights: "{{ test_audit_rule_new_rights }}"
+    audit_flags: "{{ test_audit_rule_audit_flags }}"
+    inheritance_flags: none
+  register: file_results
+
+- name: remove get REGISTRY rule results
+  test_get_audit_rule:
+    path: "{{ test_audit_rule_registry }}"
+    user: "{{ test_audit_rule_user }}"
+    rights: "{{ test_audit_rule_new_rights }}"
+    audit_flags: "{{ test_audit_rule_audit_flags }}"
+  register: registry_results
+
+- name: remove assert that change detected and rule is gone
+  assert:
+    that:
+    - directory | changed
+    - file | changed
+    - registry | changed
+    - not directory_results.matching_rule_found and directory_results.path_type == 'directory'
+    - not file_results.matching_rule_found and file_results.path_type == 'file'
+    - not registry_results.matching_rule_found and registry_results.path_type == 'registry'
+
+################################
+### idempotent remove a rule ###
+################################
+- name: idempotent remove directory rule
+  win_audit_rule:
+    path: "{{ test_audit_rule_folder }}"
+    user: "{{ test_audit_rule_user }}"
+    state: absent
+  register: directory
+
+- name: idempotent remove file rule
+  win_audit_rule:
+    path: "{{ test_audit_rule_file }}"
+    user: "{{ test_audit_rule_user }}"
+    state: absent
+  register: file
+
+- name: idempotent remove registry rule
+  win_audit_rule:
+    path: "{{ test_audit_rule_registry }}"
+    user: "{{ test_audit_rule_user }}"
+    state: absent
+  register: registry
+
+- name: idempotent remove assert that no change detected
+  assert:
+    that:
+    - not directory | changed and directory.path_type == 'directory'
+    - not file | changed and file.path_type == 'file'
+    - not registry | changed and registry.path_type == 'registry'