digital-forensics-labs/SecGen
1
0
Fork 0
mirror of https://github.com/cliffe/SecGen.git synced 2026-02-21 11:18:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

Windows base box

Browse Source
This commit is contained in:
Emlyn Butterfield
2019-07-09 10:47:24 +01:00
parent 1aa6d22e6d
commit ccae583695
69 changed files with 5458 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
Gemfile.lock
View File

@@ -91,9 +91,9 @@ GEM
nori (2.6.0)
ovirt-engine-sdk (4.2.4)
json (>= 1, < 3)
packetfu (1.1.11)
pcaprub (~> 0.12)
pcaprub (0.12.4)
packetfu (1.1.13)
pcaprub
pcaprub (0.13.0)
pg (1.1.3)
process_helper (0.1.2)
puppet (6.0.0)
@@ -186,4 +186,4 @@ DEPENDENCIES
zipruby
BUNDLED WITH
1.16.1
2.0.1

10
README.md
View File

@@ -51,6 +51,16 @@ cd /home/user/bin/SecGen
bundle install
```
To use the Windows basesboxes you will need to install Packer. Use the following command:
```bash
curl -SL https://releases.hashicorp.com/packer/1.3.2/packer_1.3.2_linux_amd64.zip -o packer_1.3.2_linux_amd64.zip
unzip packer_1.3.2_linux_amd64.zip
sudo mv packer /usr/local/
sudo bash -c 'echo "export PATH=\"\$PATH:/usr/local/\"" >> /etc/environment'
sudo vagrant plugin install winrm
sudo vagrant plugin install winrm-fs
```
## Usage
Basic usage:
```bash

11
lib/templates/Vagrantfile.erb
View File

@@ -202,11 +202,12 @@ end
}
<% end -%>
<%=module_name%>.module_path = "<%="puppet/#{system.name}/modules"%>"
<%=module_name%>.environment_path = "environments/"
<%=module_name%>.environment = "production"
<%=module_name%>.synced_folder_type = "rsync"
<%=module_name%>.manifests_path = "<%="puppet/#{system.name}/modules/#{selected_module.module_path_end}"%>"
<% if selected_module.attributes['platform'].first.downcase != 'windows' %>
<%=module_name%>.environment_path = "environments/"
<%=module_name%>.environment = "production"
<%=module_name%>.synced_folder_type = "rsync"
<% end %>
<%=module_name%>.manifests_path = "<%="puppet/#{system.name}/modules/#{selected_module.module_path_end}"%>"
<%=module_name%>.manifest_file = "<%="#{selected_module.module_path_end}.pp"%>"
end
<% end -%>

305
modules/bases/windows_server_2008_r2_amd64/Autounattend.xml Normal file
View File

@@ -0,0 +1,305 @@
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<servicing/>
<settings pass="windowsPE">
<component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<DiskConfiguration>
<Disk wcm:action="add">
<CreatePartitions>
<CreatePartition wcm:action="add">
<Order>1</Order>
<Type>Primary</Type>
<Extend>true</Extend>
</CreatePartition>
</CreatePartitions>
<ModifyPartitions>
<ModifyPartition wcm:action="add">
<Extend>false</Extend>
<Format>NTFS</Format>
<Letter>C</Letter>
<Order>1</Order>
<PartitionID>1</PartitionID>
<Label>Windows 2008R2</Label>
</ModifyPartition>
</ModifyPartitions>
<DiskID>0</DiskID>
<WillWipeDisk>true</WillWipeDisk>
</Disk>
<WillShowUI>OnError</WillShowUI>
</DiskConfiguration>
<UserData>
<AcceptEula>true</AcceptEula>
<FullName>Vagrant Administrator</FullName>
<Organization>Vagrant Inc.</Organization>
<!-- Product Key from http://technet.microsoft.com/en-us/library/jj612867.aspx -->
<ProductKey>
<!-- Do not uncomment the Key element if you are using trial ISOs -->
<!-- You must uncomment the Key element (and optionally insert your own key) if you are using retail or volume license ISOs -->
<!--<Key>YC6KT-GKW9T-YTKYR-T4X34-R7VHC</Key>-->
<!--<Key>YC6KT-GKW9T-YTKYR-T4X34-R7VHC</Key>-->
<!--<Key></Key>-->
<WillShowUI>Never</WillShowUI>
</ProductKey>
</UserData>
<ImageInstall>
<OSImage>
<InstallTo>
<DiskID>0</DiskID>
<PartitionID>1</PartitionID>
</InstallTo>
<WillShowUI>OnError</WillShowUI>
<InstallToAvailablePartition>false</InstallToAvailablePartition>
<InstallFrom>
<MetaData wcm:action="add">
<Key>/IMAGE/NAME</Key>
<Value>Windows Server 2008 R2 SERVERSTANDARD</Value>
</MetaData>
</InstallFrom>
</OSImage>
</ImageInstall>
</component>
<component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-International-Core-WinPE" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<SetupUILanguage>
<UILanguage>en-US</UILanguage>
</SetupUILanguage>
<InputLocale>en-US</InputLocale>
<SystemLocale>en-US</SystemLocale>
<UILanguage>en-US</UILanguage>
<UILanguageFallback>en-US</UILanguageFallback>
<UserLocale>en-US</UserLocale>
</component>
</settings>
<settings pass="offlineServicing">
<component name="Microsoft-Windows-LUA-Settings" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<EnableLUA>false</EnableLUA>
</component>
</settings>
<settings pass="oobeSystem">
<component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<UserAccounts>
<AdministratorPassword>
<Value>vagrant</Value>
<PlainText>true</PlainText>
</AdministratorPassword>
<LocalAccounts>
<LocalAccount wcm:action="add">
<Password>
<Value>vagrant</Value>
<PlainText>true</PlainText>
</Password>
<Description>Vagrant User</Description>
<DisplayName>vagrant</DisplayName>
<Group>administrators</Group>
<Name>vagrant</Name>
</LocalAccount>
</LocalAccounts>
</UserAccounts>
<OOBE>
<HideEULAPage>true</HideEULAPage>
<HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>
<NetworkLocation>Home</NetworkLocation>
</OOBE>
<AutoLogon>
<Password>
<Value>vagrant</Value>
<PlainText>true</PlainText>
</Password>
<Username>vagrant</Username>
<Enabled>true</Enabled>
</AutoLogon>
<FirstLogonCommands>
<SynchronousCommand wcm:action="add">
<CommandLine>cmd.exe /c powershell -Command "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force"</CommandLine>
<Description>Set Execution Policy 64 Bit</Description>
<Order>1</Order>
<RequiresUserInput>true</RequiresUserInput>
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
<CommandLine>C:\Windows\SysWOW64\cmd.exe /c powershell -Command "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force"</CommandLine>
<Description>Set Execution Policy 32 Bit</Description>
<Order>2</Order>
<RequiresUserInput>true</RequiresUserInput>
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
<CommandLine>cmd.exe /c winrm quickconfig -q</CommandLine>
<Description>winrm quickconfig -q</Description>
<Order>3</Order>
<RequiresUserInput>true</RequiresUserInput>
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
<CommandLine>cmd.exe /c winrm quickconfig -transport:http</CommandLine>
<Description>winrm quickconfig -transport:http</Description>
<Order>4</Order>
<RequiresUserInput>true</RequiresUserInput>
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
<CommandLine>cmd.exe /c winrm set winrm/config @{MaxTimeoutms="1800000"}</CommandLine>
<Description>Win RM MaxTimoutms</Description>
<Order>5</Order>
<RequiresUserInput>true</RequiresUserInput>
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
<CommandLine>cmd.exe /c winrm set winrm/config/winrs @{MaxMemoryPerShellMB="800"}</CommandLine>
<Description>Win RM MaxMemoryPerShellMB</Description>
<Order>6</Order>
<RequiresUserInput>true</RequiresUserInput>
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
<CommandLine>cmd.exe /c winrm set winrm/config/winrs @{MaxShellsPerUser="999"}</CommandLine>
<Description>Win RM MaxShellsPerUser</Description>
<Order>7</Order>
<RequiresUserInput>true</RequiresUserInput>
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
<CommandLine>cmd.exe /c winrm set winrm/config/winrs @{MaxProcessesPerShell="999"}</CommandLine>
<Description>Win RM MaxProcessesPerShell</Description>
<Order>8</Order>
<RequiresUserInput>true</RequiresUserInput>
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
<CommandLine>cmd.exe /c winrm set winrm/config/service @{MaxConcurrentOperationsPerUser="999"}</CommandLine>
<Description>Win RM ConcurrentOperationsPerUser</Description>
<Order>9</Order>
<RequiresUserInput>true</RequiresUserInput>
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
<CommandLine>cmd.exe /c winrm set winrm/config/service @{AllowUnencrypted="true"}</CommandLine>
<Description>Win RM AllowUnencrypted</Description>
<Order>10</Order>
<RequiresUserInput>true</RequiresUserInput>
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
<CommandLine>cmd.exe /c winrm set winrm/config/service/auth @{Basic="true"}</CommandLine>
<Description>Win RM auth Basic</Description>
<Order>11</Order>
<RequiresUserInput>true</RequiresUserInput>
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
<CommandLine>cmd.exe /c winrm set winrm/config/client/auth @{Basic="true"}</CommandLine>
<Description>Win RM client auth Basic</Description>
<Order>12</Order>
<RequiresUserInput>true</RequiresUserInput>
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
<CommandLine>cmd.exe /c winrm set winrm/config/listener?Address=*+Transport=HTTP @{Port="5985"} </CommandLine>
<Description>Win RM listener Address/Port</Description>
<Order>13</Order>
<RequiresUserInput>true</RequiresUserInput>
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
<CommandLine>cmd.exe /c netsh advfirewall firewall set rule group="remote administration" new enable=yes </CommandLine>
<Description>Win RM adv firewall enable</Description>
<Order>14</Order>
<RequiresUserInput>true</RequiresUserInput>
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
<CommandLine>cmd.exe /c netsh firewall add portopening TCP 5985 "Port 5985" </CommandLine>
<Description>Win RM port open</Description>
<Order>15</Order>
<RequiresUserInput>true</RequiresUserInput>
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
<CommandLine>cmd.exe /c net stop winrm </CommandLine>
<Description>Stop Win RM Service </Description>
<Order>16</Order>
<RequiresUserInput>true</RequiresUserInput>
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
<CommandLine>cmd.exe /c sc config winrm start= auto</CommandLine>
<Description>Win RM Autostart</Description>
<Order>17</Order>
<RequiresUserInput>true</RequiresUserInput>
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
<CommandLine>cmd.exe /c net start winrm</CommandLine>
<Description>Start Win RM Service</Description>
<Order>18</Order>
<RequiresUserInput>true</RequiresUserInput>
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
<CommandLine>%SystemRoot%\System32\reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v HideFileExt /t REG_DWORD /d 0 /f</CommandLine>
<Order>19</Order>
<Description>Show file extensions in Explorer</Description>
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
<CommandLine>%SystemRoot%\System32\reg.exe ADD HKCU\Console /v QuickEdit /t REG_DWORD /d 1 /f</CommandLine>
<Order>20</Order>
<Description>Enable QuickEdit mode</Description>
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
<CommandLine>%SystemRoot%\System32\reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v Start_ShowRun /t REG_DWORD /d 1 /f</CommandLine>
<Order>21</Order>
<Description>Show Run command in Start Menu</Description>
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
<CommandLine>%SystemRoot%\System32\reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v StartMenuAdminTools /t REG_DWORD /d 1 /f</CommandLine>
<Order>22</Order>
<Description>Show Administrative Tools in Start Menu</Description>
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
<CommandLine>%SystemRoot%\System32\reg.exe ADD HKLM\SYSTEM\CurrentControlSet\Control\Power\ /v HibernateFileSizePercent /t REG_DWORD /d 0 /f</CommandLine>
<Order>23</Order>
<Description>Zero Hibernation File</Description>
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
<CommandLine>%SystemRoot%\System32\reg.exe ADD HKLM\SYSTEM\CurrentControlSet\Control\Power\ /v HibernateEnabled /t REG_DWORD /d 0 /f</CommandLine>
<Order>24</Order>
<Description>Disable Hibernation Mode</Description>
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
<CommandLine>cmd.exe /c wmic useraccount where "name='vagrant'" set PasswordExpires=FALSE</CommandLine>
<Order>25</Order>
<Description>Disable password expiration for vagrant user</Description>
</SynchronousCommand>
<!-- WITHOUT WINDOWS UPDATES -->
<SynchronousCommand wcm:action="add">
<CommandLine>cmd.exe /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\openssh.ps1 -AutoStart</CommandLine>
<Description>Install OpenSSH</Description>
<Order>99</Order>
<RequiresUserInput>true</RequiresUserInput>
</SynchronousCommand>
<!-- END WITHOUT WINDOWS UPDATES -->
<!-- WITH WINDOWS UPDATES -->
<!--<SynchronousCommand wcm:action="add">-->
<!--<CommandLine>cmd.exe /c a:\microsoft-updates.bat</CommandLine>-->
<!--<Order>98</Order>-->
<!--<Description>Enable Microsoft Updates</Description>-->
<!--</SynchronousCommand>-->
<!--<SynchronousCommand wcm:action="add">-->
<!--<CommandLine>cmd.exe /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\win-updates.ps1 -MaxUpdatesPerCycle 30</CommandLine>-->
<!--<Description>Install Windows Updates</Description>-->
<!--<Order>100</Order>-->
<!--<RequiresUserInput>true</RequiresUserInput>-->
<!--</SynchronousCommand>-->
<!-- END WITH WINDOWS UPDATES -->
</FirstLogonCommands>
<ShowWindowsLive>false</ShowWindowsLive>
</component>
</settings>
<settings pass="specialize">
<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<OEMInformation>
<HelpCustomized>false</HelpCustomized>
</OEMInformation>
<!-- Rename computer here. -->
<ComputerName>vagrant-2008R2</ComputerName>
<TimeZone>Pacific Standard Time</TimeZone>
<RegisteredOwner/>
</component>
<component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-ServerManager-SvrMgrNc" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<DoNotOpenServerManagerAtLogon>true</DoNotOpenServerManagerAtLogon>
</component>
<component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-IE-ESC" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<!-- Disable IE ESC. -->
<IEHardenAdmin>false</IEHardenAdmin>
<IEHardenUser>false</IEHardenUser>
</component>
<component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-OutOfBoxExperience" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<DoNotOpenInitialConfigurationTasksAtLogon>true</DoNotOpenInitialConfigurationTasksAtLogon>
</component>
<component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Security-SPP-UX" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<SkipAutoActivation>true</SkipAutoActivation>
</component>
</settings>
<cpi:offlineImage xmlns:cpi="urn:schemas-microsoft-com:cpi" cpi:source="catalog:d:/sources/install_windows server 2008 r2 serverdatacenter.clg"/>
</unattend>

56
modules/bases/windows_server_2008_r2_amd64/Packerfile Normal file
View File

@@ -0,0 +1,56 @@
{
"builders": [{
"type": "virtualbox-iso",
"vboxmanage": [
[ "modifyvm", "{{.Name}}", "--natpf1", "winrm,tcp,,5985,,5985" ]
],
"guest_os_type": "Windows2008_64",
"headless": true,
"disk_size": 61440,
"iso_url": "http://download.microsoft.com/download/7/5/E/75EC4E54-5B02-42D6-8879-D8D3A25FBEF7/7601.17514.101119-1850_x64fre_server_eval_en-us-GRMSXEVAL_EN_DVD.iso",
"iso_checksum": "4263be2cf3c59177c45085c0a7bc6ca5",
"iso_checksum_type": "md5",
"communicator": "winrm",
"winrm_username": "vagrant",
"winrm_password": "vagrant",
"winrm_port": "5985",
"winrm_timeout": "5h",
"shutdown_command": "shutdown /s /t 10 /f /d p:4:1 /c \"Packer Shutdown\"",
"shutdown_timeout": "1h",
"floppy_files": [
"Autounattend.xml"
]
}],
"provisioners": [
{
"type": "windows-shell",
"script": "scripts/vm-guest-tools.bat",
"execute_command": "{{ .Vars }} cmd /c {{ .Path }}"
},
{
"type": "powershell",
"environment_vars": "PuppetVersion=3.8.7",
"script": "puppet_install/windows.ps1"
}
],
"post-processors": [
{
"type": "vagrant",
"keep_input_artifact": false,
"override": {
"virtualbox": {
"output": "/home/laptop02/bin/SecGen/.generated/windows_2008_64_virtualbox.box"
},
"vmware": {
"output": "/home/laptop02/bin/SecGen/.generated/windows_2008_64_vmware_esxi.box"
}
}
}
]
}

5
modules/bases/windows_server_2008_r2_amd64/puppet_install/windows.ps1
View File

@@ -21,8 +21,7 @@
This defaults to $null.
#>
param(
# [string]$MsiUrl = "https://downloads.puppetlabs.com/windows/puppet-3.3.2.msi"
[string]$MsiUrl = "https://downloads.puppetlabs.com/windows/puppet-3.8.7.msi"
[string]$MsiUrl = "https://downloads.puppetlabs.com/windows/puppet6/puppet-agent-x64-latest.msi"
,[string]$PuppetVersion = $null
)
@@ -51,7 +50,7 @@ if (!($PuppetInstalled)) {
}
# Install it - msiexec will download from the url
$install_args = @("/qn", "/norestart","/i", $MsiUrl)
$install_args = @("/i", $MsiUrl,"/qn", "/norestart")
Write-Host "Installing Puppet. Running msiexec.exe $install_args"
$process = Start-Process -FilePath msiexec.exe -ArgumentList $install_args -Wait -PassThru
if ($process.ExitCode -ne 0) {

70
modules/build/puppet/secgen_functions/manifests/leak_file.pp
View File

@@ -3,27 +3,59 @@ define secgen_functions::leak_file($leaked_filename, $storage_directory, $string
$path_to_leak = "$storage_directory/$leaked_filename"
# create the directory tree, incase the file name has extra layers of directories
exec { "$leaked_from-$path_to_leak-mkdir":
path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'],
command => "mkdir -p `dirname $path_to_leak`;chown $owner. `dirname $path_to_leak`",
provider => shell,
if $::osfamily == 'windows' {
exec { "win_$leaked_from-$path_to_leak-mkdir":
command => "cmd.exe /c md $storage_directory",
path => "C:\\Windows\\System32",
returns => [1]
} ->
exec { "win_$leaked_from-$path_to_leak-takeown":
command => "cmd.exe /c takeown /F $storage_directory /U $owner",
path => "C:\\Windows\\System32",
returns => [1]
}
# assuming everything not windows has mkdir and chown
} else {
exec { "$leaked_from-$path_to_leak-mkdir":
path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'],
command => "mkdir -p `dirname $path_to_leak`;chown $owner. `dirname $path_to_leak`",
provider => shell,
}
}
# If the file already exists append to it, otherwise create it.
if (defined(File[$path_to_leak])){
notice("File with that name already defined, appending leaked strings instead...")
exec { "$leaked_from-$path_to_leak-append":
path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'],
command => "echo \"\n------\n$strings_to_leak\" >> $path_to_leak",
}
} else {
file { $path_to_leak:
ensure => present,
owner => $owner,
group => $group,
mode => $mode,
content => template('secgen_functions/overshare.erb')
}
}
if $::osfamily == 'windows' {
if (defined(File[$path_to_leak])){
notice("File with that name already defined, appending leaked strings instead...")
file_line { "$leaked_from-$path_to_leak -append":
path => $path_to_leak ,
line => "\n------\n$strings_to_leak",
}
} else {
file { $path_to_leak:
ensure => present,
owner => $owner,
group => $group,
content => template('secgen_functions/overshare.erb')
}
}
}else{ # If the file already exists append to it, otherwise create it.
if (defined(File[$path_to_leak])){
notice("File with that name already defined, appending leaked strings instead...")
file_line { "$leaked_from-$path_to_leak -append":
path => $path_to_leak ,
line => "\n------\n$strings_to_leak",
}
} else {
file { $path_to_leak:
ensure => present,
owner => $owner,
group => $group,
mode => $mode,
content => template('secgen_functions/overshare.erb')
}
}
}
}
}

2
modules/build/puppet/secgen_functions/manifests/leak_files.pp
View File

@@ -17,6 +17,7 @@ define secgen_functions::leak_files($leaked_filenames=[], $storage_directory, $s
storage_directory => $storage_directory,
strings_to_leak => $leaked_strings,
owner => $owner,
group => $group,
mode => $mode,
}
} else {
@@ -28,6 +29,7 @@ define secgen_functions::leak_files($leaked_filenames=[], $storage_directory, $s
storage_directory => $storage_directory,
strings_to_leak => $leaked_strings,
owner => $owner,
group => $group,
mode => $mode,
leaked_from => $leaked_file_resource, # pass this in when appending to avoid resource clashes
}

2
modules/utilities/unix/system/parameterised_accounts/manifests/init.pp
View File

@@ -16,4 +16,4 @@ class parameterised_accounts::init {
}
}
}
}
}

25
modules/utilities/windows/system/accounts/CHANGELOG.md Executable file
View File

@@ -0,0 +1,25 @@
# Change log
All notable changes to this project will be documented in this file.
## Supported Release 1.1.0
### Summary
A feature rich release, with the addition of Debian 8 support. Also several generic fixes to tests.
#### Features
- Now allows SSH keys to be purged from user.
- Multiple updates and fixes to the README.
- RSpec-puppet has now been unpinned.
- Addition of Debian 8 compatibility to metadata.
- Addition of OSfamily fact to tests.
- Several modulesync updates.
#### Bugfixes
- Multiple fixes to tests.
## Supported Release 1.0.0
### Summary:
This is the initial release of the rewrite of puppetlabs-pe\_accounts for a more general usage.
Differences from the pe\_accounts module is that the data model is gone, and thus the base class that accepts hashes (ie, from hiera). Instead, the module is designed around the use of the `accounts::user` defined resource.
To regain the old hiera behavior, use the `create_resources()` function in combination with `accounts::user`; eg: `create_resources('accounts::user', hiera_hash('accounts::users'))`

218
modules/utilities/windows/system/accounts/CONTRIBUTING.md Normal file
View File

@@ -0,0 +1,218 @@
Checklist (and a short version for the impatient)
=================================================
* Commits:
- Make commits of logical units.
- Check for unnecessary whitespace with "git diff --check" before
committing.
- Commit using Unix line endings (check the settings around "crlf" in
git-config(1)).
- Do not check in commented out code or unneeded files.
- The first line of the commit message should be a short
description (50 characters is the soft limit, excluding ticket
number(s)), and should skip the full stop.
- Associate the issue in the message. The first line should include
the issue number in the form "(#XXXX) Rest of message".
- The body should provide a meaningful commit message, which:
- uses the imperative, present tense: "change", not "changed" or
"changes".
- includes motivation for the change, and contrasts its
implementation with the previous behavior.
- Make sure that you have tests for the bug you are fixing, or
feature you are adding.
- Make sure the test suites passes after your commit:
`bundle exec rspec spec/acceptance` More information on [testing](#Testing) below
- When introducing a new feature, make sure it is properly
documented in the README.md
* Submission:
* Pre-requisites:
- Make sure you have a [GitHub account](https://github.com/join)
- [Create a ticket](https://tickets.puppetlabs.com/secure/CreateIssue!default.jspa), or [watch the ticket](https://tickets.puppetlabs.com/browse/) you are patching for.
* Preferred method:
- Fork the repository on GitHub.
- Push your changes to a topic branch in your fork of the
repository. (the format ticket/1234-short_description_of_change is
usually preferred for this project).
- Submit a pull request to the repository in the puppetlabs
organization.
The long version
================
1. Make separate commits for logically separate changes.
Please break your commits down into logically consistent units
which include new or changed tests relevant to the rest of the
change. The goal of doing this is to make the diff easier to
read for whoever is reviewing your code. In general, the easier
your diff is to read, the more likely someone will be happy to
review it and get it into the code base.
If you are going to refactor a piece of code, please do so as a
separate commit from your feature or bug fix changes.
We also really appreciate changes that include tests to make
sure the bug is not re-introduced, and that the feature is not
accidentally broken.
Describe the technical detail of the change(s). If your
description starts to get too long, that is a good sign that you
probably need to split up your commit into more finely grained
pieces.
Commits which plainly describe the things which help
reviewers check the patch and future developers understand the
code are much more likely to be merged in with a minimum of
bike-shedding or requested changes. Ideally, the commit message
would include information, and be in a form suitable for
inclusion in the release notes for the version of Puppet that
includes them.
Please also check that you are not introducing any trailing
whitespace or other "whitespace errors". You can do this by
running "git diff --check" on your changes before you commit.
2. Sending your patches
To submit your changes via a GitHub pull request, we _highly_
recommend that you have them on a topic branch, instead of
directly on "master".
It makes things much easier to keep track of, especially if
you decide to work on another thing before your first change
is merged in.
GitHub has some pretty good
[general documentation](http://help.github.com/) on using
their site. They also have documentation on
[creating pull requests](http://help.github.com/send-pull-requests/).
In general, after pushing your topic branch up to your
repository on GitHub, you can switch to the branch in the
GitHub UI and click "Pull Request" towards the top of the page
in order to open a pull request.
3. Update the related GitHub issue.
If there is a GitHub issue associated with the change you
submitted, then you should update the ticket to include the
location of your branch, along with any other commentary you
may wish to make.
Testing
=======
Getting Started
---------------
Our puppet modules provide [`Gemfile`](./Gemfile)s which can tell a ruby
package manager such as [bundler](http://bundler.io/) what Ruby packages,
or Gems, are required to build, develop, and test this software.
Please make sure you have [bundler installed](http://bundler.io/#getting-started)
on your system, then use it to install all dependencies needed for this project,
by running
```shell
% bundle install
Fetching gem metadata from https://rubygems.org/........
Fetching gem metadata from https://rubygems.org/..
Using rake (10.1.0)
Using builder (3.2.2)
-- 8><-- many more --><8 --
Using rspec-system-puppet (2.2.0)
Using serverspec (0.6.3)
Using rspec-system-serverspec (1.0.0)
Using bundler (1.3.5)
Your bundle is complete!
Use `bundle show [gemname]` to see where a bundled gem is installed.
```
NOTE some systems may require you to run this command with sudo.
If you already have those gems installed, make sure they are up-to-date:
```shell
% bundle update
```
With all dependencies in place and up-to-date we can now run the tests:
```shell
% bundle exec rake spec
```
This will execute all the [rspec tests](http://rspec-puppet.com/) tests
under [spec/defines](./spec/defines), [spec/classes](./spec/classes),
and so on. rspec tests may have the same kind of dependencies as the
module they are testing. While the module defines in its [Modulefile](./Modulefile),
rspec tests define them in [.fixtures.yml](./fixtures.yml).
Some puppet modules also come with [beaker](https://github.com/puppetlabs/beaker)
tests. These tests spin up a virtual machine under
[VirtualBox](https://www.virtualbox.org/)) with, controlling it with
[Vagrant](http://www.vagrantup.com/) to actually simulate scripted test
scenarios. In order to run these, you will need both of those tools
installed on your system.
You can run them by issuing the following command
```shell
% bundle exec rake spec_clean
% bundle exec rspec spec/acceptance
```
This will now download a pre-fabricated image configured in the [default node-set](./spec/acceptance/nodesets/default.yml),
install puppet, copy this module and install its dependencies per [spec/spec_helper_acceptance.rb](./spec/spec_helper_acceptance.rb)
and then run all the tests under [spec/acceptance](./spec/acceptance).
Writing Tests
-------------
XXX getting started writing tests.
If you have commit access to the repository
===========================================
Even if you have commit access to the repository, you will still need to
go through the process above, and have someone else review and merge
in your changes. The rule is that all changes must be reviewed by a
developer on the project (that did not write the code) to ensure that
all changes go through a code review process.
Having someone other than the author of the topic branch recorded as
performing the merge is the record that they performed the code
review.
Additional Resources
====================
* [Getting additional help](http://puppet.com/community/get-help)
* [Writing tests](https://docs.puppet.com/guides/module_guides/bgtm.html#step-three-module-testing)
* [General GitHub documentation](http://help.github.com/)
* [GitHub pull request documentation](http://help.github.com/send-pull-requests/)

48
modules/utilities/windows/system/accounts/Gemfile Normal file
View File

@@ -0,0 +1,48 @@
#This file is generated by ModuleSync, do not edit.
source ENV['GEM_SOURCE'] || "https://rubygems.org"
def location_from_env(env, default_location = [])
if location = ENV[env]
if location =~ /^((?:git|https?)[:@][^#]*)#(.*)/
[{ :git => $1, :branch => $2, :require => false }]
elsif location =~ /^file:\/\/(.*)/
['>= 0', { :path => File.expand_path($1), :require => false }]
else
[location, { :require => false }]
end
else
default_location
end
end
group :development, :unit_tests do
gem 'metadata-json-lint'
gem 'puppet_facts'
gem 'puppet-blacksmith', '>= 3.4.0'
gem 'puppetlabs_spec_helper', '>= 1.2.1'
gem 'rspec-puppet', '>= 2.3.2'
gem 'rspec-puppet-facts'
gem 'simplecov'
gem 'parallel_tests'
gem 'rubocop', '0.41.2' if RUBY_VERSION < '2.0.0'
gem 'rubocop' if RUBY_VERSION >= '2.0.0'
gem 'rubocop-rspec', '~> 1.6' if RUBY_VERSION >= '2.3.0'
gem 'json_pure', '<= 2.0.1' if RUBY_VERSION < '2.0.0'
end
group :system_tests do
gem 'beaker', *location_from_env('BEAKER_VERSION', []) if RUBY_VERSION >= '2.3.0'
gem 'beaker', *location_from_env('BEAKER_VERSION', ['< 3']) if RUBY_VERSION < '2.3.0'
gem 'beaker-rspec', *location_from_env('BEAKER_RSPEC_VERSION', ['>= 3.4'])
gem 'serverspec'
gem 'beaker-puppet_install_helper'
gem 'master_manipulator'
gem 'beaker-hostgenerator', *location_from_env('BEAKER_HOSTGENERATOR_VERSION', [])
end
gem 'facter', *location_from_env('FACTER_GEM_VERSION')
gem 'puppet', *location_from_env('PUPPET_GEM_VERSION')
if File.exists? "#{__FILE__}.local"
eval(File.read("#{__FILE__}.local"), binding)
end

202
modules/utilities/windows/system/accounts/LICENSE Normal file
View File

@@ -0,0 +1,202 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

17
modules/utilities/windows/system/accounts/NOTICE Normal file
View File

@@ -0,0 +1,17 @@
accounts puppet module
Copyright (C) 2012-2016 Puppet Labs, Inc.
Puppet Labs can be contacted at: info@puppetlabs.com
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

194
modules/utilities/windows/system/accounts/README.markdown Normal file
View File

@@ -0,0 +1,194 @@
# accounts
#### Table of Contents
1. [Description](#description)
2. [Setup - The basics of getting started with accounts](#setup)
3. [Usage - Configuration options and additional functionality](#usage)
* [Declare user accounts](#declare-user-accounts)
* [Customize the home directory](#customize-the-home-directory)
* [Lock accounts](#lock-accounts)
* [Manage SSH keys](#manage-ssh-keys)
4. [Reference - An under-the-hood peek at what the module is doing and how](#reference)
5. [Limitations - OS compatibility, etc.](#limitations)
6. [Development - Guide for contributing to the module](#development)
## Description
The accounts module manages resources related to login and service accounts. This module replaces Puppet Enterprise's built-in pe\_accounts module, which is no longer included in PE 2015.3 and later versions.
This module works on many UNIX/Linux operating systems. It does not support configuring accounts on Microsoft Windows platforms.
## Setup
### Beginning with accounts
Declare the `accounts` class in a Puppet-managed node's manifest:
~~~puppet
node default {
accounts::user { 'dan': }
accounts::user { 'morgan': }
}
~~~
The above example creates accounts, home directories, and groups for Dan and Morgan.
## Usage
### Declare user accounts
~~~puppet
accounts::user { 'bob':
uid => 4001,
gid => 4001,
shell => '/bin/bash',
password => '!!',
sshkeys => "ssh-rsa AAAA...",
locked => false,
}
~~~
### Customize the home directory
A simple bashrc and bash\_profile rc file is managed by Puppet for each account. These rc files add some simple aliases, update the prompt, add ~/bin to the path, and source the following files (which are not managed by this module) in the following order:
1. `/etc/bashrc`
2. `/etc/bashrc.puppet`
3. `~/.bashrc.custom`
Account holders can customize their shells by managing their bashrc.custom files. In addition, the system administrator can make profile changes that affect all accounts with a bash shell by managing the '/etc/bashrc.puppet' file.
### Lock accounts
Lock accounts by setting the `locked` parameter of an account to true.
For example:
~~~puppet
accounts::user { 'villain':
comment => 'Bad Person',
locked => true
}
~~~
The accounts module sets the account to an invalid shell appropriate for the system Puppet is managing and displays the following message if a user tries to access the account:
~~~
$ ssh villain@centos56
This account is currently not available.
Connection to 172.16.214.129 closed.
~~~
### Manage SSH keys
Manage SSH keys with the `sshkeys` attribute of the `accounts::user` defined type. This parameter accepts an array of public key contents as strings.
Example:
~~~puppet
accounts::user { 'jeff':
comment => 'Jeff McCune',
groups => [
'admin',
'sudonopw',
],
uid => '1112',
gid => '1112',
sshkeys => [
'ssh-rsa AAAAB3Nza...== jeff@puppetlabs.com',
'ssh-dss AAAAB3Nza...== jeff@metamachine.net',
],
}
~~~
## Reference
### Defined type: `accounts::user`
This resource manages the user, group, .vim/, .ssh/, .bash\_profile, .bashrc, homedir, .ssh/authorized\_keys files, and directories.
#### `bashrc_content`
The content to place in the user's ~/.bashrc file. Default: undef.
#### `bash_profile_content`
The content to place in the user's ~/.bash\_profile file. Default: undef.
#### `comment`
A comment describing or regarding the user. Accepts a string. Default: '$name'.
#### `ensure`
Specifies whether the user, its primary group, homedir, and ssh keys should exist. Valid values are 'present' and 'absent'. Note that when a user is created, a group with the same name as the user is also created. Default: 'present'.
#### `gid`
Specifies the gid of the user's primary group. Must be specified numerically. Default: undef.
#### `groups`
Specifies the user's group memberships. Valid values: an array. Default: an empty array.
#### `home`
Specifies the path to the user's home directory.
Default:
* Linux, non-root user: '/home/$name'
* Linux, root user: '/root'
* Solaris, non-root user: '/export/home/$name'
* Solaris, root user: '/'
#### `home_mode`
Manages the user's home directory permission mode. Valid values are in [octal notation](https://docs.puppetlabs.com/references/latest/type.html#file-attribute-mode), specified as a string. Defaults to `0700`, which gives the owner full read, write, and execute permissions, while group and other have no permissions.
#### `locked`
Specifies whether the account should be locked and the user prevented from logging in. Set to true for users whose login privileges have been revoked. Valid values: true, false. Default: false.
#### `managehome`
Specifies whether the user's home directory should be managed by puppet. In addition to the usual [user resource managehome](https://docs.puppetlabs.com/references/latest/type.html#user-attribute-managehome) qualities, this attribute also purges the user's homedir if `ensure` is set to 'absent' and `managehome` is set to true. Default: true.
#### `membership`
Establishes whether specified groups should be considered the complete list (inclusive) or the minimum list (minimum) of groups to which the user belongs. Valid values: 'inclusive', 'minimum'. Default: 'minimum'.
#### `password`
The user's password, in whatever encrypted format the local machine requires. Default: '!!', which prevents the user from logging in with a password.
#### `purge_sshkeys`
Whether keys not included in `sshkeys` should be removed from the user. If `purge_sshkeys` is true and `sshkeys` is an empty array, all SSH keys will be removed from the user. Valid values: true, false. Default: false.
#### `shell`
Manages the user shell. Default: '/bin/bash'.
#### `sshkeys`
An array of SSH public keys associated with the user. These should be complete public key strings that include the type and name of the key, exactly as the key would appear in its id\_rsa.pub or id\_dsa.pub file. Must be an array. Default: an empty array.
#### `uid`
Specifies the user's uid number. Must be specified numerically. Default: undef.
## Limitations
This module works with Puppet Enterprise 2015.3 and later.
### Changes from pe\_accounts
The accounts module is designed to take the place of the pe\_accounts module that shipped with PE versions 2015.2 and earlier. Some of the changes include the removal of the base class, improving the validation, and allowing more flexibility regarding which files should or should not be managed in a user's home directory.
For example, the .bashrc and .bash\_profile files are not managed by default but allow custom content to be passed in using the `bashrc_content` and `bash_profile_content` parameters. The content for these two files as managed by pe\_accounts can continue to be used by passing `bashrc_content => file('accounts/shell/bashrc')` and `bash_profile_content => file('accounts/shell/bash_profile')` to the `accounts::user` defined type.
## Development
If you run into an issue with this module, or if you would like to request a feature, please [file a ticket](https://tickets.puppetlabs.com/browse/MODULES/).
If you have problems getting this module up and running, please [contact Support](http://puppetlabs.com/services/customer-support).

38
modules/utilities/windows/system/accounts/Rakefile Normal file
View File

@@ -0,0 +1,38 @@
require 'puppet_blacksmith/rake_tasks'
require 'puppet-lint/tasks/puppet-lint'
require 'puppetlabs_spec_helper/rake_tasks'
PuppetLint.configuration.send('relative')
PuppetLint.configuration.send('disable_documentation')
PuppetLint.configuration.send('disable_single_quote_string_with_variables')
desc 'Generate pooler nodesets'
task :gen_nodeset do
require 'beaker-hostgenerator'
require 'securerandom'
require 'fileutils'
agent_target = ENV['TEST_TARGET']
if ! agent_target
STDERR.puts 'TEST_TARGET environment variable is not set'
STDERR.puts 'setting to default value of "redhat-64default."'
agent_target = 'redhat-64default.'
end
master_target = ENV['MASTER_TEST_TARGET']
if ! master_target
STDERR.puts 'MASTER_TEST_TARGET environment variable is not set'
STDERR.puts 'setting to default value of "redhat7-64mdcl"'
master_target = 'redhat7-64mdcl'
end
targets = "#{master_target}-#{agent_target}"
cli = BeakerHostGenerator::CLI.new([targets])
nodeset_dir = "tmp/nodesets"
nodeset = "#{nodeset_dir}/#{targets}-#{SecureRandom.uuid}.yaml"
FileUtils.mkdir_p(nodeset_dir)
File.open(nodeset, 'w') do |fh|
fh.print(cli.execute)
end
puts nodeset
end

11
modules/utilities/windows/system/accounts/accounts.pp Normal file
View File

@@ -0,0 +1,11 @@
# accounts::user { 'user':
# uid => '4001',
# gid => '4001',
# shell => '/bin/bash',
# name => 'user',
# # password = password
# password => '$6$$bLTg4cpho8PIUrjfsE7qlU08Qx2UEfw..xOc6I1wpGVtyVYToGrr7BzRdAAnEr5lYFr1Z9WcCf1xNZ1HG9qFW1',
#
# # sshkeys => "ssh-rsa AAAA...",
# # locked => false,
# }

27
modules/utilities/windows/system/accounts/checksums.json Normal file
View File

@@ -0,0 +1,27 @@
{
"CHANGELOG.md": "7acf5457a1d2aecbc66de472e405886e",
"CONTRIBUTING.md": "b78f71c1104f00538d50ad2775f58e95",
"Gemfile": "d197734139f44a800a88d49ad4c34192",
"LICENSE": "3b83ef96387f14655fc854ddc3c6bd57",
"NOTICE": "feab5860b912f2448cec4e01208a4c13",
"README.markdown": "66475b3069dc829325f59e53d7d0c4b9",
"Rakefile": "6db744f1deed7ae0746abe59e3d50863",
"examples/user_group.pp": "afcbd38c69bdb4baf06590ece91c0b7d",
"examples/user_group_hash.pp": "9cb2af2e0e1f4b4822b196f86c60ce3a",
"files/shell/bash_profile": "546be8ec0dfc6a62ceb331a4430f30f5",
"files/shell/bashrc": "776e5327b6b492e2b49f84a41f6f68dd",
"manifests/home_dir.pp": "463a878a924f759a8607bc92a7c8ce89",
"manifests/manage_keys.pp": "ece14075dde2b03f7d8f4db350311f8e",
"manifests/user.pp": "97fb4ddfd72e27c552cb4b3a3d326d4a",
"metadata.json": "a2633bb611dab42d7c829e61f0fde66b",
"spec/acceptance/nodesets/centos-7-x64.yml": "a713f3abd3657f0ae2878829badd23cd",
"spec/acceptance/nodesets/debian-8-x64.yml": "d2d2977900989f30086ad251a14a1f39",
"spec/acceptance/nodesets/default.yml": "b42da5a1ea0c964567ba7495574b8808",
"spec/acceptance/nodesets/docker/centos-7.yml": "8a3892807bdd62306ae4774f41ba11ae",
"spec/acceptance/nodesets/docker/debian-8.yml": "ac8e871d1068c96de5e85a89daaec6df",
"spec/acceptance/nodesets/docker/ubuntu-14.04.yml": "dc42ee922a96908d85b8f0f08203ce58",
"spec/acceptance/user_spec.rb": "4d58fcae36ef9e7998abaf2f27ef1e56",
"spec/defines/accounts_user_spec.rb": "ff0219f64d3b653d415f4812d1d073c7",
"spec/spec_helper.rb": "b2db3bc02b4ac2fd5142a6621c641b07",
"spec/spec_helper_acceptance.rb": "32ef084d528663244770e7b225c84e93"
}

37
modules/utilities/windows/system/accounts/examples/user_group.pp Normal file
View File

@@ -0,0 +1,37 @@
accounts::group { 'admin':
gid => 3000,
}
accounts::group { 'sudo':
gid => 3001,
}
accounts::group { 'sudonopw':
gid => 3002,
}
accounts::group { 'developer':
gid => 3003,
}
accounts::group { 'ops':
gid => 3004,
}
accounts::user { 'jeff':
shell => '/bin/zsh',
comment => 'Jeff McCune',
groups => [
'admin',
'sudonopw',
],
uid => 1112,
gid => 1112,
locked => true,
sshkeys => [
'ssh-rsa AAAA...',
'ssh-dss AAAA...',
],
password => '!!',
}
accounts::user { 'dan':
comment => 'Dan Bode',
uid => '1109',
gid => '1109',
}

31
modules/utilities/windows/system/accounts/examples/user_group_hash.pp Normal file
View File

@@ -0,0 +1,31 @@
# Use a variable OR with hiera_hash():
$groups_hash = {
'admin' => { gid => '3000' },
'sudo' => { gid => '3001' },
'sudonopw' => { gid => '3002' },
'developer' => { gid => '3003' },
'ops' => { gid => '3004' },
}
create_resources('accounts::group', $groups_hash)
$users_hash = {
'jeff' => {
'shell' => '/bin/zsh',
'comment' => 'Jeff McCune',
'groups' => [ admin, sudonopw, ],
'uid' => '1112',
'gid' => '1112',
'locked' => true,
'sshkeys' => [
'ssh-rsa AAAA...',
'ssh-dss AAAA...',
],
'password' => '!!',
},
'dan' => {
'comment' => 'Dan Bode',
'uid' => '1109',
'gid' => '1109',
},
}
create_resources('accounts::user', $users_hash)

13
modules/utilities/windows/system/accounts/files/shell/bash_profile Normal file
View File

@@ -0,0 +1,13 @@
# .bash_profile
# Get the aliases and functions
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
# User specific environment and startup programs
PATH=$PATH:$HOME/bin
export PATH
unset USERNAME

27
modules/utilities/windows/system/accounts/files/shell/bashrc Normal file
View File

@@ -0,0 +1,27 @@
# .bashrc
# This file is managed by Puppet. Changes will be overwritten.
# Please edit ~/.bashrc.custom instead of this file!
# User specific aliases and functions
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
# Set the prompt
PS1='\u@\h:\w\$ '
# Source global definitions
if [ -f /etc/bashrc ]; then
. /etc/bashrc
fi
# Puppet specific definitions
if [ -f /etc/bashrc.puppet ]; then
. /etc/bashrc.puppet
fi
# Account holder definitions
if [ -f ~/.bashrc.custom ]; then
. ~/.bashrc.custom
fi

92
modules/utilities/windows/system/accounts/manifests/home_dir.pp Normal file
View File

@@ -0,0 +1,92 @@
#
# Specified how home directories are managed.
#
# [*name*] Name of the home directory that is being managed.
# [*user*] User that owns all of the files being created.
# [*sshkeys*] List of ssh keys to be added for this user in this
# directory
define accounts::home_dir(
$user,
$bashrc_content = undef,
$bash_profile_content = undef,
$mode = '0700',
$ensure = 'present',
$managehome = true,
$sshkeys = [],
) {
validate_re($ensure, '^(present|absent)$')
if $ensure == 'absent' and $managehome == true {
file { $name:
ensure => absent,
recurse => true,
force => true,
}
} elsif $ensure == 'present' and $managehome == true {
$key_file = "${name}/.ssh/authorized_keys"
# Solaris homedirs are managed in zfs by `useradd -m`. If the directory
# does not yet exist then we can't predict how it should be created, but we
# should still manage the user/group/mode
file { $name:
ensure => directory,
owner => $user,
group => $user,
mode => $mode,
}
file { "${name}/.ssh":
ensure => directory,
owner => $user,
group => $user,
mode => '0700',
}
file { "${name}/.vim":
ensure => directory,
owner => $user,
group => $user,
mode => '0700',
}
if $bashrc_content {
file { "${name}/.bashrc":
ensure => file,
content => $bashrc_content,
owner => $user,
group => $user,
mode => '0644',
}
}
if $bash_profile_content {
file { "${name}/.bash_profile":
ensure => file,
content => $bash_profile_content,
owner => $user,
group => $user,
mode => '0644',
}
}
file { $key_file:
ensure => file,
owner => $user,
group => $user,
mode => '0600',
}
if $sshkeys != [] {
accounts::manage_keys { $sshkeys:
user => $user,
key_file => $key_file,
require => File["${name}/.ssh"],
before => File[$key_file],
}
}
} elsif $managehome == false {
if $sshkeys != [] {
warning("ssh keys were passed for user ${user} but \$managehome is set to false; not managing user ssh keys")
}
}
}

21
modules/utilities/windows/system/accounts/manifests/manage_keys.pp Normal file
View File

@@ -0,0 +1,21 @@
#
define accounts::manage_keys(
$user,
$key_file,
) {
$key_array = split($name, ' ')
$key_type = $key_array[0]
$key_content = $key_array[1]
$key_name = $key_array[2]
$key_title = "${user}_${key_type}_${key_name}"
ssh_authorized_key { $key_title:
ensure => present,
user => $user,
name => $key_name,
key => $key_content,
type => $key_type,
target => $key_file,
}
}

123
modules/utilities/windows/system/accounts/manifests/user.pp Normal file
View File

@@ -0,0 +1,123 @@
#
#
# parameters:
# [*name*] Name of user
# [*locked*] Whether the user account should be locked.
# [*sshkeys*] List of ssh public keys to be associated with the
# user.
# [*managehome*] Whether the home directory should be removed with accounts
#
define accounts::user(
$ensure = 'present',
$shell = '/bin/bash',
$comment = $name,
$home = undef,
$home_mode = undef,
$uid = undef,
$gid = undef,
$groups = [ ],
$membership = 'minimum',
$password = '!!',
$locked = false,
$sshkeys = [],
$purge_sshkeys = false,
$managehome = true,
$bashrc_content = undef,
$bash_profile_content = undef,
) {
validate_re($ensure, '^present$|^absent$')
validate_bool($locked, $managehome, $purge_sshkeys)
validate_re($shell, '^/')
validate_string($comment, $password)
validate_array($groups, $sshkeys)
validate_re($membership, '^inclusive$|^minimum$')
if $bashrc_content {
validate_string($bashrc_content)
}
if $bash_profile_content {
validate_string($bash_profile_content)
}
if $home {
validate_re($home, '^/')
# If the home directory is not / (root on solaris) then disallow trailing slashes.
validate_re($home, '^/$|[^/]$')
}
if $home {
$home_real = $home
} elsif $name == 'root' {
$home_real = $::osfamily ? {
'Solaris' => '/',
default => '/root',
}
} else {
$home_real = $::osfamily ? {
'Solaris' => "/export/home/${name}",
default => "/home/${name}",
}
}
if $uid != undef {
validate_re($uid, '^\d+$')
}
if $gid != undef {
validate_re($gid, '^\d+$')
$_gid = $gid
} else {
$_gid = $name
}
if $locked {
case $::operatingsystem {
'debian', 'ubuntu' : {
$_shell = '/usr/sbin/nologin'
}
'solaris' : {
$_shell = '/usr/bin/false'
}
default : {
$_shell = '/sbin/nologin'
}
}
} else {
$_shell = $shell
}
user { $name:
ensure => $ensure,
shell => $_shell,
comment => "${comment}", # lint:ignore:only_variable_string
home => $home_real,
uid => $uid,
gid => $_gid,
groups => $groups,
membership => $membership,
managehome => $managehome,
password => $password,
purge_ssh_keys => $purge_sshkeys,
}
# use $gid instead of $_gid since `gid` in group can only take a number
group { $name:
ensure => $ensure,
gid => $gid,
}
if $ensure == 'present' {
Group[$name] -> User[$name]
} else {
User[$name] -> Group[$name]
}
accounts::home_dir { $home_real:
ensure => $ensure,
mode => $home_mode,
managehome => $managehome,
bashrc_content => $bashrc_content,
bash_profile_content => $bash_profile_content,
user => $name,
sshkeys => $sshkeys,
require => [ User[$name], Group[$name] ],
}
}

78
modules/utilities/windows/system/accounts/metadata.json Normal file
View File

@@ -0,0 +1,78 @@
{
"name": "puppetlabs-accounts",
"version": "1.1.0",
"author": "puppetlabs",
"summary": "Account management module.",
"license": "Apache-2.0",
"source": "git://github.com/puppetlabs/puppetlabs-accounts.git",
"project_page": "https://github.com/puppetlabs/puppetlabs-accounts",
"issues_url": "https://tickets.puppetlabs.com/browse/MODULES",
"dependencies": [
{"name":"puppetlabs/stdlib","version_requirement":">= 3.4.0 < 5.0.0"}
],
"data_provider": null,
"operatingsystem_support": [
{
"operatingsystem": "RedHat",
"operatingsystemrelease": [
"6",
"7"
]
},
{
"operatingsystem": "CentOS",
"operatingsystemrelease": [
"6",
"7"
]
},
{
"operatingsystem": "OracleLinux",
"operatingsystemrelease": [
"6",
"7"
]
},
{
"operatingsystem": "Scientific",
"operatingsystemrelease": [
"6",
"7"
]
},
{
"operatingsystem": "Debian",
"operatingsystemrelease": [
"7",
"8"
]
},
{
"operatingsystem": "SLES",
"operatingsystemrelease": [
"11 SP1"
]
},
{
"operatingsystem": "Ubuntu",
"operatingsystemrelease": [
"12.04",
"14.04",
"16.04"
]
},
{
"operatingsystem": "Solaris",
"operatingsystemrelease": [
"11"
]
}
],
"requirements": [
{
"name": "puppet",
"version_requirement": ">= 4.0.0 < 5.0.0"
}
],
"description": "Account management module."
}

18
modules/utilities/windows/system/accounts/secgen_metadata.xml Normal file
View File

@@ -0,0 +1,18 @@
<?xml version="1.0"?>
<utility xmlns="http://www.github/cliffe/SecGen/utility"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/utility">
<name>User account service</name>
<author>Puppet Labs</author>
<author>Jason Keighley</author>
<module_license>Apache v2</module_license>
<description>User account creation and modification</description>
<type>system</type>
<platform>linux</platform>
<!--optional details-->
<reference>https://forge.puppet.com/puppetlabs/accounts</reference>
</utility>

10
modules/utilities/windows/system/accounts/spec/acceptance/nodesets/centos-7-x64.yml Normal file
View File

@@ -0,0 +1,10 @@
HOSTS:
centos-7-x64:
roles:
- agent
- default
platform: el-7-x86_64
hypervisor: vagrant
box: puppetlabs/centos-7.2-64-nocm
CONFIG:
type: foss

10
modules/utilities/windows/system/accounts/spec/acceptance/nodesets/debian-8-x64.yml Normal file
View File

@@ -0,0 +1,10 @@
HOSTS:
debian-8-x64:
roles:
- agent
- default
platform: debian-8-amd64
hypervisor: vagrant
box: puppetlabs/debian-8.2-64-nocm
CONFIG:
type: foss

10
modules/utilities/windows/system/accounts/spec/acceptance/nodesets/default.yml Normal file
View File

@@ -0,0 +1,10 @@
HOSTS:
ubuntu-1404-x64:
roles:
- agent
- default
platform: ubuntu-14.04-amd64
hypervisor: vagrant
box: puppetlabs/ubuntu-14.04-64-nocm
CONFIG:
type: foss

12
modules/utilities/windows/system/accounts/spec/acceptance/nodesets/docker/centos-7.yml Normal file
View File

@@ -0,0 +1,12 @@
HOSTS:
centos-7-x64:
platform: el-7-x86_64
hypervisor: docker
image: centos:7
docker_preserve_image: true
docker_cmd: '["/usr/sbin/init"]'
# install various tools required to get the image up to usable levels
docker_image_commands:
- 'yum install -y crontabs tar wget openssl sysvinit-tools iproute which initscripts'
CONFIG:
trace_limit: 200

11
modules/utilities/windows/system/accounts/spec/acceptance/nodesets/docker/debian-8.yml Normal file
View File

@@ -0,0 +1,11 @@
HOSTS:
debian-8-x64:
platform: debian-8-amd64
hypervisor: docker
image: debian:8
docker_preserve_image: true
docker_cmd: '["/sbin/init"]'
docker_image_commands:
- 'apt-get update && apt-get install -y net-tools wget locales strace lsof && echo "en_US.UTF-8 UTF-8" > /etc/locale.gen && locale-gen'
CONFIG:
trace_limit: 200

12
modules/utilities/windows/system/accounts/spec/acceptance/nodesets/docker/ubuntu-14.04.yml Normal file
View File

@@ -0,0 +1,12 @@
HOSTS:
ubuntu-1404-x64:
platform: ubuntu-14.04-amd64
hypervisor: docker
image: ubuntu:14.04
docker_preserve_image: true
docker_cmd: '["/sbin/init"]'
docker_image_commands:
# ensure that upstart is booting correctly in the container
- 'rm /usr/sbin/policy-rc.d && rm /sbin/initctl && dpkg-divert --rename --remove /sbin/initctl && apt-get update && apt-get install -y net-tools wget && locale-gen en_US.UTF-8'
CONFIG:
trace_limit: 200

87
modules/utilities/windows/system/accounts/spec/acceptance/user_spec.rb Normal file
View File

@@ -0,0 +1,87 @@
require 'spec_helper_acceptance'
describe 'accounts::user define', :unless => UNSUPPORTED_PLATFORMS.include?(fact("osfamily")) do
describe 'main tests' do
describe user('hunner') do
it 'creates groups of matching names, assigns non-matching group, manages homedir, manages other properties, gives key, makes dotfiles' do
pp = <<-EOS
file { '/test':
ensure => directory,
before => Accounts::User['hunner'],
}
accounts::user { 'hunner':
groups => ['root'],
password => 'hi',
shell => '/bin/true',
home => '/test/hunner',
bashrc_content => file('accounts/shell/bashrc'),
bash_profile_content => file('accounts/shell/bash_profile'),
sshkeys => [
'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant',
],
}
EOS
apply_manifest(pp, :catch_failures => true)
end
it { should exist }
it { should belong_to_group 'hunner' }
it { should belong_to_group 'root' }
it { should have_login_shell '/bin/true' }
it { should have_home_directory '/test/hunner' }
# Solaris 10's /bin/sh can't expand ~username paths and thus can't read ~hunner/.ssh/authorized_keys
it("should have authorized_key", :unless => default['platform'].match(/solaris-10/)) { should have_authorized_key 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant' }
end
describe file('/test/hunner') do
it { should be_directory }
it { should be_mode 700 }
it { should be_owned_by 'hunner' }
it { should be_grouped_into 'hunner' }
end
describe file('/test/hunner/.bashrc') do
its(:content) { should match(/managed by Puppet/) }
end
describe file('/test/hunner/.bash_profile') do
its(:content) { should match(/Get the aliases and functions/) }
end
describe file('/test/hunner/.vim') do
it { should be_directory }
end
end
describe 'warn for sshkeys without managehome' do
it 'creates groups of matching names, assigns non-matching group, manages homedir, manages other properties, gives key, makes dotfiles' do
pp = <<-EOS
accounts::user { 'hunner':
managehome => false,
sshkeys => [
'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant',
],
}
EOS
apply_manifest(pp, :catch_failures => true) do |r|
expect(r.stderr).to match(/Warning:.*ssh keys were passed for user hunner/)
end
end
end
describe 'locking users' do
describe user('hunner') do
it 'locks a user' do
pp = <<-EOS
accounts::user { 'hunner':
locked => true,
}
EOS
apply_manifest(pp, :catch_failures => true)
end
it {
case fact('osfamily')
when 'Debian'
should have_login_shell '/usr/sbin/nologin'
when 'Solaris'
should have_login_shell '/usr/bin/false'
else
should have_login_shell '/sbin/nologin'
end
}
end
end
end

185
modules/utilities/windows/system/accounts/spec/defines/accounts_user_spec.rb Normal file
View File

@@ -0,0 +1,185 @@
require 'spec_helper'
describe '::accounts::user' do
let(:title) { "dan" }
let(:params) { {} }
let(:facts) { {} }
describe 'expected defaults' do
let(:facts) { { :osfamily => "Debian" } }
it { is_expected.to contain_user('dan').with({'shell' => '/bin/bash'}) }
it { is_expected.to contain_user('dan').with({'home' => "/home/#{title}"}) }
it { is_expected.to contain_user('dan').with({'ensure' => 'present'}) }
it { is_expected.to contain_user('dan').with({'comment' => title}) }
it { is_expected.to contain_user('dan').with({'groups' => []}) }
it { is_expected.to contain_user('dan').with({'managehome' => true }) }
it { is_expected.to contain_group('dan').with({'ensure' => 'present'}) }
it { is_expected.to contain_group('dan').with({'gid' => nil}) }
end
describe 'expected home defaults' do
context 'normal user on linux' do
let(:title) { "dan" }
let(:facts) { { :osfamily => "Debian" } }
it { is_expected.to contain_user('dan').with_home('/home/dan') }
end
context 'root user on linux' do
let(:title) { "root" }
let(:facts) { { :osfamily => "Debian" } }
it { is_expected.to contain_user('root').with_home('/root') }
end
context 'normal user on Solaris' do
let(:title) { "dan" }
let(:facts) { { :osfamily => "Solaris" } }
it { is_expected.to contain_user('dan').with_home('/export/home/dan') }
end
context 'root user on Solaris' do
let(:title) { "root" }
let(:facts) { { :osfamily => "Solaris" } }
it { is_expected.to contain_user('root').with_home('/') }
end
end
describe 'when setting user parameters' do
before do
params['ensure'] = 'present'
params['shell'] = '/bin/csh'
params['comment'] = 'comment'
params['home'] = '/var/home/dan'
params['home_mode'] = '0755'
params['uid'] = '123'
params['gid'] = '456'
params['groups'] = ['admin']
params['membership'] = 'inclusive'
params['password'] = 'foo'
params['sshkeys'] = ['1 2 3', '2 3 4']
end
it { is_expected.to contain_user('dan').with({'ensure' => 'present'}) }
it { is_expected.to contain_user('dan').with({'shell' => '/bin/csh'}) }
it { is_expected.to contain_user('dan').with({'comment' => 'comment'}) }
it { is_expected.to contain_user('dan').with({'home' => '/var/home/dan'}) }
it { is_expected.to contain_user('dan').with({'uid' => '123'}) }
it { is_expected.to contain_user('dan').with({'gid' => '456'}) }
it { is_expected.to contain_user('dan').with({'groups' => ['admin']}) }
it { is_expected.to contain_user('dan').with({'membership' => 'inclusive'}) }
it { is_expected.to contain_user('dan').with({'password' => 'foo'}) }
it { is_expected.to contain_group('dan').with({'ensure' => 'present'}) }
it { is_expected.to contain_group('dan').with({'gid' => '456'}) }
it { is_expected.to contain_group('dan').that_comes_before('User[dan]') }
it { is_expected.to contain_accounts__home_dir('/var/home/dan').with({'user' => title}) }
it { is_expected.to contain_accounts__home_dir('/var/home/dan').with({'mode' => '0755'}) }
it { is_expected.to contain_accounts__home_dir('/var/home/dan').with({'sshkeys' => ['1 2 3', '2 3 4']}) }
it { is_expected.to contain_file('/var/home/dan/.ssh') }
describe 'when setting the user to absent' do
# when deleting users the home dir is a File resource instead of a accounts::home_dir
let(:contain_home_dir) { contain_file('/var/home/dan') }
before do
params['ensure'] = 'absent'
end
it { is_expected.to contain_user('dan').with({'ensure' => 'absent'}) }
it { is_expected.to contain_user('dan').that_comes_before('Group[dan]') }
it { is_expected.to contain_group('dan').with({'ensure' => 'absent'}) }
it do
is_expected.to_not contain_accounts__home_dir('/var/home/dan').with({
'ensure' => 'absent',
'recurse' => true,
'force' => true
})
end
describe 'with managehome off' do
before do
params['managehome'] = false
end
it { is_expected.not_to contain_home_dir }
it { is_expected.not_to contain_file('/var/home/dan/.ssh') }
end
end
end
describe 'invalid parameter values' do
it 'should only accept absent and present for ensure' do
params['ensure'] = 'invalid'
expect { subject.call }.to raise_error Puppet::Error
end
it 'should fail if locked is not a boolean' do
params['locked'] = 'true'
expect { subject.call }.to raise_error Puppet::Error
end
['home', 'shell'].each do |param|
it "should fail is #{param} does not start with '/'" do
params[param] = 'no_leading_slash'
expect { subject.call }.to raise_error Puppet::Error
end
end
it 'should fail if gid is not composed of digits' do
params['gid'] = 'name'
expect { subject.call }.to raise_error Puppet::Error
end
it 'should not accept non-boolean values for locked' do
params['locked'] = 'false'
expect { subject.call }.to raise_error Puppet::Error
end
it 'should not accept non-boolean values for managehome' do
params['managehome'] = 'false'
expect { subject.call }.to raise_error Puppet::Error
end
end
describe 'when locking users' do
let(:params) { { 'locked' => true } }
describe 'on debian' do
before { facts['operatingsystem'] = 'debian' }
before { facts['osfamily'] = 'Debian' }
it { is_expected.to contain_user('dan').with({'shell' => '/usr/sbin/nologin'}) }
end
describe 'on ubuntu' do
before { facts['operatingsystem'] = 'ubuntu' }
before { facts['osfamily'] = 'Ubuntu' }
it { is_expected.to contain_user('dan').with({'shell' => '/usr/sbin/nologin'}) }
end
describe 'on solaris' do
before { facts['operatingsystem'] = 'solaris' }
before { facts['osfamily'] = 'Solaris' }
it { is_expected.to contain_user('dan').with({'shell' => '/usr/bin/false'}) }
end
describe 'on all other platforms' do
before { facts['operatingsystem'] = 'anything_else' }
before { facts['osfamily'] = 'anything_else' }
it { is_expected.to contain_user('dan').with({'shell' => '/sbin/nologin'}) }
end
end
describe 'when supplying resource defaults' do
before do
facts['osfamily'] = 'Debian'
facts['operatingsystem'] = 'debian'
end
let(:pre_condition) { "Accounts::User{ shell => '/bin/zsh' }" }
it { is_expected.to contain_user('dan').with({'shell' => '/bin/zsh'}) }
describe 'override defaults' do
let(:params) { { 'shell' => '/bin/csh' } }
it { is_expected.to contain_user('dan').with({'shell' => '/bin/csh'}) }
end
describe 'locked overrides should override defaults and user params' do
let(:params) { { 'shell' => '/bin/csh', 'locked' => true} }
it { is_expected.to contain_user('dan').with({'shell' => '/usr/sbin/nologin'}) }
end
end
end

8
modules/utilities/windows/system/accounts/spec/spec_helper.rb Normal file
View File

@@ -0,0 +1,8 @@
#This file is generated by ModuleSync, do not edit.
require 'puppetlabs_spec_helper/module_spec_helper'
# put local configuration and setup into spec_helper_local
begin
require 'spec_helper_local'
rescue LoadError
end

17
modules/utilities/windows/system/accounts/spec/spec_helper_acceptance.rb Normal file
View File

@@ -0,0 +1,17 @@
require 'beaker-rspec'
require 'beaker/puppet_install_helper'
UNSUPPORTED_PLATFORMS = ['windows', 'Darwin']
run_puppet_install_helper
RSpec.configure do |c|
proj_root = File.expand_path(File.join(File.dirname(__FILE__), '..'))
c.formatter = :documentation
c.before :suite do
hosts.each do |host|
copy_module_to(host, :source => proj_root, :module_name => 'accounts')
on host, puppet('module','install','puppetlabs-stdlib'), { :acceptable_exit_codes => [0,1] }
end
end
end

29
modules/utilities/windows/system/local_security_policy/CHANGELOG.md Normal file
View File

@@ -0,0 +1,29 @@
###[0.6.3] - naeem98
* Added 'Accounts: Administrator account status' setting for CIS 2.3.1.1
###[0.6.2]
* Bug fix for 'No auditing' case issue - Jordan Wesolowski - #26
* Fix issue where WMIC was timing out or crashing on systems joined to a domain - Thomas Linkin - #28
###[0.6.1]
* Updates for typos in settings and official policy names - Gerben Welter - #19
* Support old-style file-loading - Jordan Wesolowski - #24
###[0.6.0] - Adam Yohrling
* Added new Network security settings, Typo Fixes, Idempotency - #18
###[0.5.2] - Ryan Russell-Yates
* Updated all ruby files to UTF-8 forced encoding.
###[0.4.1] - Adam Yohrling
* Fixed Issue 3 - undefined method error for 'Network access: Let Everyone permissions apply to
anonymous users' setting
###[0.4.0] - Adam Yohrling
* Added support for ensuring Privilege Rights settings as absent
###[0.3.2] - Adam Yohrling
* Added support for currently unset values
* Removed duplicate and invalid 'initalize' method
* Cleaned out .DS_Store files that were in the repository
* Moved references for external methods to self.class in flush method and removed duplicate data

22
modules/utilities/windows/system/local_security_policy/Gemfile Normal file
View File

@@ -0,0 +1,22 @@
source "https://rubygems.org"
group :test do
gem "rake"
gem "puppet", ENV['PUPPET_VERSION'] || '~> 3.7.3'
gem "rspec-puppet", :git => 'https://github.com/rodjek/rspec-puppet.git'
gem "puppetlabs_spec_helper"
gem 'rspec-puppet-utils', :git => 'https://github.com/Accuity/rspec-puppet-utils.git'
# there seems to be a bug with puppet-blacksmith and metadata-json-lint
# removing metadata for now
gem "metadata-json-lint"
gem 'puppet-syntax'
gem 'puppet-lint'
gem 'awesome_print'
end
group :development do
gem "travis"
gem "travis-lint"
gem "puppet-blacksmith"
end

202
modules/utilities/windows/system/local_security_policy/LICENSE Normal file
View File

@@ -0,0 +1,202 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

272
modules/utilities/windows/system/local_security_policy/README.md Executable file
View File

@@ -0,0 +1,272 @@
# Puppet Local Security Policy
created by Paul Cannon at email paulscannon at gmail dot com
forked and updated by Adam Yohrling at email aryohrling at gmail dot com
## Local_security_policy features
Configure, local security policy (LSP) for windows servers.
LSP is key to a baseline configuration of the following security features:
### Account Policy
* Password Policy
* Account Lockout Policy
### Local Policy
* Audit Policy
* User Rights Assignment
* Security Options
* Registry Values
This module uses types and providers to list, update, validate settings
## Use
The title and name of the resources is exact match of what is in secedit GUI. If you are uncertain of the setting name and values just user 'resource' to pipe them all into a file and make adjustments as necessary.
The block will look like this
```
local_security_policy { 'Audit account logon events': <- Title / Name
ensure => present, <- Always present
policy_setting => "AuditAccountLogon", <- The secedit file key. Informational purposes only, not for use in manifest definitions
policy_type => "Event Audit", <- The secedit file section, Informational purposes only, not for use in manifest definitions
policy_value => 'Success,Failure', <- Values
}
```
### Listing all settings
Show all local_security_policy resources available on server
```
puppet resource local_security_policy
```
Show a single local_security_policy resources available on server
```
puppet resource local_security_policy 'Maximum password age'
```
### More examples
Example Password Policy
```
local_security_policy { 'Maximum password age':
ensure => present,
policy_value => '90',
}
```
Example Audit Policy
```
local_security_policy { 'Audit account logon events':
ensure => present,
policy_value => 'Success,Failure',
}
```
Example User Rights Policy
```
local_security_policy { 'Allow log on locally':
ensure => present,
policy_value => '90',
}
```
Example Security Settings
```
local_security_policy { 'System cryptography: Use FIPS compiant algorithms for encryption, hashing, and signing':
ensure => present,
policy_value => 1 ,
}
```
### Full list of settings available
Access Credential Manager as a trusted caller
Access this computer from the network
Account lockout duration
Account lockout threshold
Accounts: Block Microsoft accounts
Accounts: Limit local account use of blank passwords to console logon only
Accounts: Rename administrator account
Accounts: Rename guest account
Accounts: Require Login to Change Password
Act as part of the operating system
Add workstations to domain
Adjust memory quotas for a process
Allow log on locally
Allow log on through Remote Desktop Services
Audit account logon events
Audit account management
Audit: Audit the access of global system objects
Audit: Audit the use of Backup and Restore privilege
Audit directory service access
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
Audit logon events
Audit object access
Audit policy change
Audit privilege use
Audit process tracking
Audit: Shut down system immediately if unable to log security audits
Audit system events
Back up files and directories
Bypass traverse checking
Change the system time
Change the time zone
Create a pagefile
Create a token object
Create global objects
Create permanent shared objects
Create symbolic links
Debug programs
Deny access to this computer from the network
Deny log on as a batch job
Deny log on as a service
Deny log on locally
Deny log on through Remote Desktop Services
Devices: Allowed to format and eject removable media
Devices: Allow undock without having to log on
Devices: Prevent users from installing printer drivers
Devices: Restrict CD-ROM access to locally logged-on user only
Devices: Restrict floppy access to locally logged-on user only
Domain member: Digitally encrypt or sign secure channel data (always)
Domain member: Digitally encrypt secure channel data (when possible)
Domain member: Digitally sign secure channel data (when possible)
Domain member: Disable machine account password changes
Domain member: Maximum machine account password age
Domain member: Require strong (Windows 2000 or later) session key
EnableAdminAccount
Enable computer and user accounts to be trusted for delegation
Enforce password history
Force shutdown from a remote system
Generate security audits
Impersonate a client after authentication
Increase a process working set
Increase scheduling priority
Interactive logon: Display user information when the session is locked
Interactive logon: Do not display last user name
Interactive logon: Do not require CTRL+ALT+DEL
Interactive logon: Machine account lockout threshold
Interactive logon: Machine inactivity limit
Interactive logon: Message text for users attempting to log on
Interactive logon: Message title for users attempting to log on
Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Interactive logon: Prompt user to change password before expiration
Interactive logon: Require Domain Controller authentication to unlock workstation
Interactive logon: Require smart card
Interactive logon: Smart card removal behavior
Load and unload device drivers
Lock pages in memory
Log on as a batch job
Log on as a service
Manage auditing and security log
Maximum password age
Microsoft network client: Digitally sign communications (always)
Microsoft network client: Digitally sign communications (if server agrees)
Microsoft network client: Send unencrypted password to third-party SMB servers
Microsoft network server: Amount of idle time required before suspending session
Microsoft network server: Digitally sign communications (always)
Microsoft network server: Digitally sign communications (if client agrees)
Microsoft network server: Disconnect clients when logon hours expire
Microsoft network server: Server SPN target name validation level
Minimum password age
Minimum password length
Modify an object label
Modify firmware environment values
Network access: Allow anonymous SID/name translation
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Network access: Do not allow storage of passwords and credentials for network authentication
Network access: Let Everyone permissions apply to anonymous users
Network access: Named Pipes that can be accessed anonymously
Network access: Remotely accessible registry paths
Network access: Remotely accessible registry paths and sub-paths
Network access: Restrict anonymous access to Named Pipes and Shares
Network access: Shares that can be accessed anonymously
Network access: Sharing and security model for local accounts
Network security: All Local System to use computer identity for NTLM
Network security: Do not store LAN Manager hash value on next password change
Network security: Force logoff when logon hours expire
Network security: LAN Manager authentication level
Network security: LDAP client signing requirements
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
Password must meet complexity requirements
Perform volume maintenance tasks
Profile single process
Profile system performance
Recovery console: Allow automatic administrative logon
Recovery console: Allow floppy copy and access to all drives and all folders
Remove computer from docking station
Replace a process level token
Reset account lockout counter after
Restore files and directories
Shutdown: Allow system to be shut down without having to log on
Shutdown: Clear virtual memory pagefile
Shut down the system
Store passwords using reversible encryption
Synchronize directory service data
System cryptography: Force strong key protection for user keys stored on the computer
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
System objects: Require case insensitivity for non-Windows subsystems
System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links)
System settings: Optional subsystems
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies
Take ownership of files or other objects
User Account Control: Admin Approval Mode for the Built-in Administrator account
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
User Account Control: Behavior of the elevation prompt for standard users
User Account Control: Detect application installations and prompt for elevation
User Account Control: Only elevate executables that are signed and validated
User Account Control: Only elevate UIAccess applications that are installed in secure locations
User Account Control: Run all administrators in Admin Approval Mode
User Account Control: Switch to the secure desktop when prompting for elevation
User Account Control: Virtualize file and registry write failures to per-user locations
## How this works
The local_security_policy works by using `secedit /export` to export a list of currently set policies. The module will then
take the user defined resource and compare the values against the exported policies. If the values on the system do not match
the defined resource, the module will run `secedit /configure` to configure the policy on the system. If the policy already
exists on the system no change will be made.
In order to make setting these polices easier, this module has extracted some of the difficult to lookup or remember pieces
of a policy and placed them in a map for easy translation and value conversion. This means that you only need to remember the user
instead of the sid value, as well as the policy description instead of the special key that needs to be set. The mappings
below define how this translation works. If there is no map for your policy you will need to add to `lib/puppet_x/lsp/security_policy.rb`
```
'Accounts: Rename administrator account' => {
:name => 'NewAdministratorName',
:policy_type => 'System Access',
:data_type => :quoted_string
},
'Recovery console: Allow floppy copy and access to all drives and all folders' => {
:name => 'MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand',
:reg_type => '4',
:policy_type => 'Registry Values',
},
```
The key `Accounts: Rename administrator account ` in the first hash is what the user will define as the name in the resource name.
Instead of remembering the policy name, the description will help us remember what the policy is for. When defining new policy
maps you will need to define the key, name, policy_type, and optionally, data_type or reg_type.
Currently for data_type there is only `:quoted_string`. However, for reg_type(integer value) there are many values which are listed below:
```
REG_NONE 0
REG_SZ 1
REG_EXPAND_SZ 2
REG_BINARY 3
REG_DWORD 4
REG_DWORD_LITTLE_ENDIAN 4
REG_DWORD_BIG_ENDIAN 5
REG_LINK 6
REG_MULTI_SZ 7
REG_RESOURCE_LIST 8
REG_FULL_RESOURCE_DESCRIPTOR 9
REG_RESOURCE_REQUIREMENTS_LIST 10
REG_QWORD 11
REG_QWORD_LITTLE_ENDIAN 11
```
## Commands Used
## TODO: Future release
* Handle unsupported policies
* Validate users in active directory are being handled.

80
modules/utilities/windows/system/local_security_policy/Rakefile Normal file
View File

@@ -0,0 +1,80 @@
require 'puppetlabs_spec_helper/rake_tasks'
require 'puppet-lint/tasks/puppet-lint'
require 'puppet-syntax/tasks/puppet-syntax'
# These two gems aren't always present, for instance
# on Travis with --without development
begin
require 'puppet_blacksmith/rake_tasks'
Blacksmith::RakeTask.new do |t|
t.tag_pattern = "v%s" # Use a custom pattern with git tag. %s is replaced with the version number.
end
rescue LoadError
end
PuppetLint.configuration.relative = true
PuppetLint.configuration.send("disable_80chars")
PuppetLint.configuration.log_format = "%{path}:%{linenumber}:%{check}:%{KIND}:%{message}"
PuppetLint.configuration.fail_on_warnings = true
# Forsake support for Puppet 2.6.2 for the benefit of cleaner code.
# http://puppet-lint.com/checks/class_parameter_defaults/
PuppetLint.configuration.send('disable_class_parameter_defaults')
# http://puppet-lint.com/checks/class_inherits_from_params_class/
PuppetLint.configuration.send('disable_class_inherits_from_params_class')
exclude_paths = [
"pkg/**/*",
"vendor/**/*",
"spec/**/*",
]
PuppetLint.configuration.ignore_paths = exclude_paths
PuppetSyntax.exclude_paths = exclude_paths
task :metadata do
sh "metadata-json-lint metadata.json"
end
desc "Run syntax, lint, and spec tests."
task :test => [
:syntax,
:lint,
:spec,
:metadata,
]
def io_popen(command)
IO.popen(command) do |io|
io.each do |line|
print line
yield line if block_given?
end
end
end
desc 'Vagrant VM power up and provision'
task :vagrant_up, [:manifest, :hostname] do |t, args|
args.with_defaults(:manifest => 'init.pp', :hostname => '')
Rake::Task['spec_prep'].execute
ENV['VAGRANT_MANIFEST'] = args[:manifest]
provision = false
io_popen("vagrant up #{args[:hostname]}") do |line|
provision = true if line =~ /is already running./
end
io_popen("vagrant provision #{args[:hostname]}") if provision
end
# Cleanup vagrant environment
desc 'Vagrant VM shutdown and fixtures cleanup'
task :vagrant_destroy do
Rake::Task['spec_prep'].execute
`vagrant destroy -f`
Rake::Task['spec_clean'].execute
end
desc 'Return list of policy names'
task :policy_list do
require_relative "lib/puppet_x/lsp/security_policy"
puts "\nCurrent Policy List"
puts "----------------------------------------------"
SecurityPolicy.lsp_mapping.keys.sort.each {|key| puts "#{key}\n"}
end

94
modules/utilities/windows/system/local_security_policy/Vagrantfile vendored Normal file
View File

@@ -0,0 +1,94 @@
def vm(opt)
module_name = opt.fetch(:module).to_s || raise(ArgumentError, 'Must provide puppet module name')
hostname = opt.fetch(:hostname, module_name).to_s
memory = opt.fetch(:memory, 512)
cpu = opt.fetch(:cpu, 1)
box = opt.fetch(:box).to_s || raise(ArgumentError, 'Must provide box type.')
url = opt.fetch(:url, '').to_s
os_type = opt[:os_type] || opt[:type] || :linux
gui = opt.fetch(:gui, false)
ports = Array(opt.fetch(:port, []))
iso = opt.fetch(:iso, nil)
proj_root = File.expand_path(File.join(File.dirname(__FILE__)))
fixture_modules = File.join(proj_root, 'spec', 'fixtures', 'modules')
Vagrant.configure('2') do |conf|
# forward all the ports
ports.each do |p|
conf.vm.network(:forwarded_port, guest: p, host: p, auto_correct: true)
end
if os_type == :windows
conf.ssh.username = 'vagrant'
conf.winrm.username = 'vagrant'
conf.winrm.password = 'vagrant'
end
conf.vm.define hostname.to_sym do |mod|
mod.vm.box = box
mod.vm.box_url = url
if os_type == :windows
mod.vm.guest = :windows
mod.vm.communicator = 'winrm'
mod.vm.synced_folder './' , "/ProgramData/PuppetLabs/puppet/etc/modules/#{module_name}"
mod.vm.synced_folder 'spec/fixtures/modules' , '/temp/modules'
else
mod.vm.synced_folder './', "/etc/puppet/modules/#{module_name}"
mod.vm.synced_folder 'spec/fixtures/modules', '/tmp/puppet/modules'
end
mod.vm.hostname = hostname
mod.vm.provider :vmware_fusion do |f|
f.gui = gui
f.vmx['displayName'] = hostname
f.vmx['memsize'] = memory
f.vmx['numvcpus'] = cpu
if iso
f.vmx['ide1:0.devicetype'] = "cdrom-image"
f.vmx['ide1:0.filename'] = iso
end
end
mod.vm.provider :vmware_workstation do |f|
f.gui = gui
f.vmx['displayName'] = hostname
f.vmx['memsize'] = memory
f.vmx['numvcpus'] = cpu
if iso
f.vmx['ide1:0.devicetype'] = "cdrom-image"
f.vmx['ide1:0.filename'] = iso
end
end
mod.vm.provider :virtualbox do |v|
v.gui = gui
v.name = hostname
v.memory = memory
v.cpus = cpu
end
if os_type == :windows
manifest = ENV['VAGRANT_MANIFEST'] || 'init.pp'
# mod.vm.provision :shell, :inline => "iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))"
# mod.vm.provision :shell, :inline => "choco -y install puppet"
mod.vm.provision :shell, :inline => "puppet apply --modulepath 'C:/ProgramData/PuppetLabs/puppet/etc/modules;C:/temp/modules' --verbose C:/ProgramData/PuppetLabs/puppet/etc/modules/#{module_name}/tests/#{manifest}"
else
mod.vm.provision :puppet do |p|
p.manifests_path = 'tests'
p.hiera_config_path = File.join(fixture_modules, 'hieradata', 'hiera.yaml')
p.manifest_file = ENV['VAGRANT_MANIFEST'] || 'init.pp'
#p.module_path = fixture_modules
# because of how symlinks are handled via the spec_helper we are forced to mount the modules is different locations
# otherwise we could just use the above option
p.options = '--modulepath="/etc/puppet/modules:/tmp/puppet/modules"'
end
end
end
end
end
vm :hostname => 'win2012r2', :module => 'profiles', :box => 'opentable/win-2012r2-standard-amd64-nocm', :url => 'opentable/win-2012r2-standard-amd64-nocm', :os_type => :windows, :cpu => 1, :memory => 4096, :gui => true
vm :hostname => 'win2008r2', :module => 'profiles', :box => 'opentable/win-2008r2-standard-amd64-nocm', :url => 'opentable/win-2008r2-standard-amd64-nocm', :os_type => :windows, :cpu => 1, :memory => 4096, :gui => true

26
modules/utilities/windows/system/local_security_policy/checksums.json Normal file
View File

@@ -0,0 +1,26 @@
{
"CHANGELOG.md": "070da7699591cd3bf94005b02d8f7a20",
"Gemfile": "578005b552456cd33b30cee6889f28f6",
"Gemfile.lock": "09d3a9aee76de7f0b0d3d094d0eb6f73",
"LICENSE": "3b83ef96387f14655fc854ddc3c6bd57",
"README.md": "0ab316b7a948dd42829298a86027306a",
"Rakefile": "14264e48a158ab7357606c7df61ddd79",
"Vagrantfile": "65f7d6ebc54ade8fc8828e3bcb75ab0e",
"lib/puppet/provider/local_security_policy/policy.rb": "eee8076ccc563dd96e9cecfbecea7694",
"lib/puppet/type/local_security_policy.rb": "66875e9cc349beb0edf5ca3820f04373",
"lib/puppet_x/lsp/security_policy.rb": "74c4dd4da3a3328fe698f363cef66823",
"lib/puppet_x/twp/inifile.rb": "d9e1e62229899e191836fbc5254555d2",
"manifests/init.pp": "17a002bbf7698087525f28a3bf5f17bf",
"metadata.json": "c85f6fb4d24e80b7b67e30e0fa301d90",
"spec/classes/local_security_policy_spec.rb": "309ccc462f3856065a1bc8e7fda330cb",
"spec/fixtures/unit/group.txt": "7139a4cbda2e7294724f44f07f1f99e8",
"spec/fixtures/unit/secedit.inf": "d38bcd0c95fd3d62449db03c7b48d996",
"spec/fixtures/unit/short_secedit.inf": "de3be6848b6c737fdaf9a3dad424412e",
"spec/fixtures/unit/useraccount.txt": "c6add66cc0bab0d8dc96c2eaa131fa6f",
"spec/shared_contexts.rb": "7ec4683e370ecbe6795d351079a6a544",
"spec/spec_helper.rb": "3639a702dfd49bde5118175365a257b8",
"spec/unit/puppet/provider/local_security_policy/policy_spec.rb": "58432a207358b0c54ec67c450d2f3246",
"spec/unit/puppet/provider/local_security_policy/security_policy_spec.rb": "5b37ef57f96d1d63e4ea73c8e824a1b3",
"spec/unit/puppet/type/local_security_policy/local_security_policy_spec.rb": "e17edc0386c8a4da0b49b19ba7e6e754",
"tests/init.pp": "fbb38c252ace282cb7aa2c7a1a87c680"
}

185
modules/utilities/windows/system/local_security_policy/lib/puppet/provider/local_security_policy/policy.rb Normal file
View File

@@ -0,0 +1,185 @@
#encoding: UTF-8
require 'fileutils'
begin
require "puppet_x/twp/inifile"
require "puppet_x/lsp/security_policy"
rescue LoadError => detail
require 'pathname' # JJM WORK_AROUND #14073
mod = Puppet::Module.find('local_security_policy', Puppet[:environment].to_s)
if mod
require File.join(mod.path, 'lib/puppet_x/twp/inifile')
require File.join(mod.path, 'lib/puppet_x/lsp/security_policy')
else # received nil, fallback to old style
module_base = Pathname.new(__FILE__).dirname
require File.join(module_base, '../../../', 'puppet_x/twp/inifile')
require File.join(module_base, '../../../', 'puppet_x/lsp/security_policy')
end
end
Puppet::Type.type(:local_security_policy).provide(:policy) do
desc 'Puppet type that models the local security policy'
#
# TODO Finalize the registry key settings
# TODO Add in registry value translation (ex: 1=enable 0=disable)
# TODO Implement self.post_resource_eval (need to collect all resource updates the run secedit to make one call)
# limit access to windows hosts only
confine :operatingsystem => :windows
# limit access to systems with these commands since this is the tools we need
commands :wmic => 'wmic', :secedit => 'secedit'
mk_resource_methods
# export the policy settings to the specified file and return the filename
def self.export_policy_settings(inffile=nil)
inffile ||= temp_file
secedit(['/export', '/cfg', inffile, '/quiet'])
inffile
end
# export and then read the policy settings from a file into a inifile object
# caches the IniFile object during the puppet run
def self.read_policy_settings(inffile=nil)
inffile ||= temp_file
unless @file_object
export_policy_settings(inffile)
File.open inffile, 'r:IBM437' do |file|
# remove /r/n and remove the BOM
inffile_content = file.read.force_encoding('utf-16le').encode('utf-8', :universal_newline => true).gsub("\xEF\xBB\xBF", '')
@file_object ||= PuppetX::IniFile.new(:content => inffile_content)
end
end
@file_object
end
# converts any values that might be of a certain type specified in the mapping
# converts everything to a string
# returns the value
def self.fixup_value(value, type)
value = value.to_s.strip
case type
when :quoted_string
value = "\"#{value}\""
end
value
end
# exports the current list of policies into a file and then parses that file into
# provider instances. If an item is found on the system but not in the lsp_mapping,
# that policy is not supported only because we cannot match the description
# furthermore, if a policy is in the mapping but not in the system we would consider
# that resource absent
def self.instances
settings = []
inf = read_policy_settings
# need to find the policy, section_header, policy_setting, policy_value and reg_type
inf.each do |section, parameter_name, parameter_value|
next if section == 'Unicode'
next if section == 'Version'
begin
ensure_value = parameter_value.nil? ? :absent : :present
policy_desc, policy_values = SecurityPolicy.find_mapping_from_policy_name(parameter_name)
policy_hash = {
:name => policy_desc,
:ensure => ensure_value,
:policy_type => section ,
:policy_setting => parameter_name,
:policy_value => fixup_value(parameter_value, policy_values[:data_type])
}
inst = new(policy_hash)
settings << inst
rescue KeyError => e
Puppet.debug e.message
end
end
settings
end
# the flush method will be the last method called after applying all the other
# properties, by default nothing will be enabled or disabled unless the disable/enable are set to true
# if we ever move to a point were we can write all the settings via one big config file we
# would want to do that here.
def flush
begin
write_policy_to_system(resource.to_hash)
rescue KeyError => e
Puppet.debug e.message
# send helpful debug message to user here
end
@property_hash = resource.to_hash
end
def initialize(value={})
super(value)
@property_flush = {}
end
# create the resource and convert any user supplied values to computer terms
def create
# do everything in flush method
end
# this is currently not implemented correctly on purpose until we can figure out how to safely remove
def destroy
@property_hash[:ensure] = :absent
#Destroy not an option for now. LSP Settings should be set to something.
# we need some default destroy values in the mappings so we know ahead of time what to put unless the user supplies
# but this would just ensure a value the setting should go back to
end
def self.prefetch(resources)
policies = instances
resources.keys.each do |name|
if found_pol = policies.find { |pol| pol.name == name }
resources[name].provider = found_pol
end
end
end
def exists?
@property_hash[:ensure] == :present
end
# gets the property hash from the provider
def to_hash
instance_variable_get('@property_hash')
end
# required for easier mocking, this could be a Tempfile too
def self.temp_file
'c:\\windows\\temp\\secedit.inf'
end
def temp_file
'c:\\windows\\temp\\secedit.inf'
end
# writes out one policy at a time using the InfFile Class and secedit
def write_policy_to_system(policy_hash)
time = Time.now
time = time.strftime("%Y%m%d%H%M%S")
infout = "c:\\windows\\temp\\infimport-#{time}.inf"
sdbout = "c:\\windows\\temp\\sdbimport-#{time}.inf"
#logout = "c:\\windows\\temp\\logout-#{time}.inf"
status = nil
begin
# read the system state into the inifile object for easy variable setting
inf = PuppetX::IniFile.new
# these sections need to be here by default
inf["Version"] = {"signature"=>"$CHICAGO$", "Revision"=>1}
inf["Unicode"] = {"Unicode"=>"yes"}
section = policy_hash[:policy_type]
section_value = {policy_hash[:policy_setting] => policy_hash[:policy_value]}
# we can utilize the IniFile class to write out the data in ini format
inf[section] = section_value
inf.write(:filename => infout, :encoding => 'utf-8')
secedit(['/configure', '/db', sdbout, '/cfg',infout])
ensure
FileUtils.rm_f(temp_file)
FileUtils.rm_f(infout)
FileUtils.rm_f(sdbout)
#FileUtils.rm_f(logout)
end
end
end

112
modules/utilities/windows/system/local_security_policy/lib/puppet/type/local_security_policy.rb Normal file
View File

@@ -0,0 +1,112 @@
#encoding: UTF-8
begin
require "puppet_x/lsp/security_policy"
rescue LoadError => detail
require 'pathname' # JJM WORK_AROUND #14073
mod = Puppet::Module.find('local_security_policy', Puppet[:environment].to_s)
if mod
require File.join(mod.path, 'lib/puppet_x/lsp/security_policy')
else # received nil, fallback to old style
module_base = Pathname.new(__FILE__).dirname
require File.join(module_base, '../../', 'puppet_x/lsp/security_policy')
end
end
Puppet::Type.newtype(:local_security_policy) do
@doc = 'Puppet type that models the local security policy'
ensurable
newparam(:name, :namevar => true) do
desc 'Local Security Setting Name. What you see it the GUI.'
validate do |value|
raise ArgumentError, "Invalid Policy name: #{value}" unless SecurityPolicy.valid_lsp?(value)
end
end
newproperty(:policy_type) do
newvalues('System Access','Event Audit','Privilege Rights','Registry Values', nil, '')
desc 'Local Security Policy Machine Name. What OS knows it by.'
defaultto do
begin
policy_hash = SecurityPolicy.find_mapping_from_policy_desc(resource[:name])
rescue KeyError => e
fail(e.message)
end
policy_hash[:policy_type]
end
# uses the resource name to perform a lookup of the defined policy and returns the policy type
munge do |value|
begin
policy_hash = SecurityPolicy.find_mapping_from_policy_desc(resource[:name])
rescue KeyError => e
fail(e.message)
end
policy_hash[:policy_type]
end
end
newproperty(:policy_setting) do
desc 'Local Security Policy Machine Name. What OS knows it by.'
defaultto do
begin
policy_hash = SecurityPolicy.find_mapping_from_policy_desc(resource[:name])
rescue KeyError => e
fail(e.message)
end
policy_hash[:name]
end
munge do |value|
begin
policy_hash = SecurityPolicy.find_mapping_from_policy_desc(resource[:name])
rescue KeyError => e
fail(e.message)
end
policy_hash[:name]
end
end
newproperty(:policy_value) do
desc 'Local Security Policy Setting Value'
validate do |value|
if value.nil? or value.empty?
raise ArgumentError("Value cannot be nil or empty")
end
case resource[:policy_type].to_s
when 'Privilege Rights'
# maybe validate some sort of user?
when 'Event Audit'
raise ArgumentError("Invalid Event type: #{value} for #{resource[:policy_value]}") unless SecurityPolicy::EVENT_TYPES.include?(value)
when 'Registry Values'
# maybe validate the value based on the datatype?
# REG_NONE 0
# REG_SZ 1
# REG_EXPAND_SZ 2
# REG_BINARY 3
# REG_DWORD 4
# REG_DWORD_LITTLE_ENDIAN 4
# REG_DWORD_BIG_ENDIAN 5
# REG_LINK 6
# REG_MULTI_SZ 7
# REG_RESOURCE_LIST 8
# REG_FULL_RESOURCE_DESCRIPTOR 9
# REG_RESOURCE_REQUIREMENTS_LIST 10
# REG_QWORD 11
# REG_QWORD_LITTLE_ENDIAN 11
end
end
munge do | value |
# need to convert policy values to designated types
case resource[:policy_type].to_s
when 'Registry Values'
# secedit values sometimes look like : "1,\"4\""
end
SecurityPolicy.convert_policy_value(resource.to_hash, value)
end
end
end

925
modules/utilities/windows/system/local_security_policy/lib/puppet_x/lsp/security_policy.rb Normal file
View File

@@ -0,0 +1,925 @@
#encoding: UTF-8
require 'puppet/provider'
class SecurityPolicy
attr_reader :wmic_cmd
EVENT_TYPES = ["Success,Failure", "Success", "Failure", "No auditing", 0, 1, 2, 3]
def initialize
# suppose to make an instance method for wmic
@wmic_cmd = Puppet::Provider::CommandDefiner.define('wmic', 'wmic', Puppet::Provider)
end
def wmic(args=[])
case args[0]
when 'useraccount'
@@useraccount ||= wmic_cmd.execute(args).force_encoding('utf-16le').encode('utf-8', :universal_newline => true).gsub("\xEF\xBB\xBF", '')
when 'group'
@@groupaccount ||= wmic_cmd.execute(args).force_encoding('utf-16le').encode('utf-8', :universal_newline => true).gsub("\xEF\xBB\xBF", '')
else
# will not cache
wmic_cmd.execute(args).force_encoding('utf-16le').encode('utf-8', :universal_newline => true).gsub("\xEF\xBB\xBF", '')
end
end
# collect all the local accounts using wmic
def local_accounts
ary = []
["useraccount","group"].each do |lu|
wmic([lu, 'where', "(domain=\"#{ENV["COMPUTERNAME"]}\")", 'get', 'name,sid', '/format:csv']).split("\n").each do |line|
next if line =~ /Node/
if line.include? ","
ary << line.strip.split(",")
end
end
end
ary
end
def user_sid_array
@user_sid_array ||= local_accounts + builtin_accounts
end
def user_to_sid(value)
sid = user_sid_array.find do |home,user,sid|
user == value
end
unless sid.nil?
'*' + sid[2]
else
value
end
end
# convert the sid to a user
def sid_to_user(value)
value = value.gsub(/(^\*)/ , '')
user = user_sid_array.find do |home,user,sid|
value == sid
end
unless user.nil?
user[1]
else
value
end
end
def convert_privilege_right(ensure_value, policy_value)
# we need to convert users to sids first
if ensure_value.to_s == 'absent'
pv = ''
else
sids = Array.new
policy_value.split(",").sort.each do |suser|
suser.strip!
sids << user_to_sid(suser)
end
pv = sids.sort.join(",")
end
end
# converts the policy value inside the policy hash to conform to the secedit standards
def convert_policy_hash(policy_hash)
case policy_hash[:policy_type]
when 'Privilege Rights'
value = convert_privilege_right(policy_hash[:ensure], policy_hash[:policy_value])
when 'Event Audit'
value = event_to_audit_id(policy_hash[:policy_value])
when 'Registry Values'
value = SecurityPolicy.convert_registry_value(policy_hash[:name], policy_hash[:policy_value])
else
value = policy_hash[:policy_value]
end
policy_hash[:policy_value] = value
policy_hash
end
def builtin_accounts
# more accounts and SIDs can be found at https://support.microsoft.com/en-us/kb/243330
ary = [
["","NULL","S-1-0"],
["","NOBODY","S-1-0-0"],
["","EVERYONE","S-1-1-0"],
["","LOCAL","S-1-2-0"],
["","CONSOLE_LOGON","S-1-2-1"],
["","CREATOR_OWNER","S-1-3-0"],
["","CREATER_GROUP","S-1-3-1"],
["","OWNER_SERVER","S-1-3-2"],
["","GROUP_SERVER","S-1-3-3"],
["","OWNER_RIGHTS","S-1-3-4"],
["","NT_AUTHORITY","S-1-5"],
["","DIALUP","S-1-5-1"],
["","NETWORK","S-1-5-2"],
["","BATCH","S-1-5-3"],
["","INTERACTIVE","S-1-5-4"],
["","SERVICE","S-1-5-6"],
["","ANONYMOUS","S-1-5-7"],
["","PROXY","S-1-5-8"],
["","ENTERPRISE_DOMAIN_CONTROLLERS","S-1-5-9"],
["","PRINCIPAAL_SELF","S-1-5-10"],
["","AUTHENTICATED_USERS","S-1-5-11"],
["","RESTRICTED_CODE","S-1-5-12"],
["","TERMINAL_SERVER_USER","S-1-5-13"],
["","REMOTE_INTERACTIVE_LOGON","S-1-5-14"],
["","THIS_ORGANIZATION","S-1-5-15"],
["","IUSER","S-1-5-17"],
["","LOCAL_SYSTEM","S-1-5-18"],
["","LOCAL_SERVICE","S-1-5-19"],
["","NETWORK_SERVICE","S-1-5-20"],
["","COMPOUNDED_AUTHENTICATION","S-1-5-21-0-0-0-496"],
["","CLAIMS_VALID","S-1-5-21-0-0-0-497"],
["","BUILTIN_ADMINISTRATORS","S-1-5-32-544"],
["","BUILTIN_USERS","S-1-5-32-545"],
["","BUILTIN_GUESTS","S-1-5-32-546"],
["","POWER_USERS","S-1-5-32-547"],
["","ACCOUNT_OPERATORS","S-1-5-32-548"],
["","SERVER_OPERATORS","S-1-5-32-549"],
["","PRINTER_OPERATORS","S-1-5-32-550"],
["","BACKUP_OPERATORS","S-1-5-32-551"],
["","REPLICATOR","S-1-5-32-552"],
["","ALIAS_PREW2KCOMPACC","S-1-5-32-554"],
["","REMOTE_DESKTOP","S-1-5-32-555"],
["","NETWORK_CONFIGURATION_OPS","S-1-5-32-556"],
["","INCOMING_FOREST_TRUST_BUILDERS","S-1-5-32-557"],
["","PERMON_USERS","S-1-5-32-558"],
["","PERFLOG_USERS","S-1-5-32-559"],
["","WINDOWS_AUTHORIZATION_ACCESS_GROUP","S-1-5-32-560"],
["","TERMINAL_SERVER_LICENSE_SERVERS","S-1-5-32-561"],
["","DISTRIBUTED_COM_USERS","S-1-5-32-562"],
["","IIS_USERS","S-1-5-32-568"],
["","CRYPTOGRAPHIC_OPERATORS","S-1-5-32-569"],
["","EVENT_LOG_READERS","S-1-5-32-573"],
["","CERTIFICATE_SERVICE_DCOM_ACCESS","S-1-5-32-574"],
["","RDS_REMOTE_ACCESS_SERVERS","S-1-5-32-575"],
["","RDS_ENDPOINT_SERVERS","S-1-5-32-576"],
["","RDS_MANAGEMENT_SERVERS","S-1-5-32-577"],
["","HYPER_V_ADMINS","S-1-5-32-578"],
["","ACCESS_CONTROL_ASSISTANCE_OPS","S-1-5-32-579"],
["","REMOTE_MANAGEMENT_USERS","S-1-5-32-580"],
["","WRITE_RESTRICTED_CODE","S-1-5-32-558"],
["","NTLM_AUTHENTICATION","S-1-5-64-10"],
["","SCHANNEL_AUTHENTICATION","S-1-5-64-14"],
["","DIGEST_AUTHENTICATION","S-1-5-64-21"],
["","THIS_ORGANIZATION_CERTIFICATE","S-1-5-65-1"],
["","NT_SERVICE","S-1-5-80"],
["","NT_SERVICE\\ALL_SERVICES","S-1-5-80-0"],
["","NT_SERVICE\\WdiServiceHost","S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420"],
["","USER_MODE_DRIVERS","S-1-5-84-0-0-0-0-0"],
["","LOCAL_ACCOUNT","S-1-5-113"],
["","LOCAL_ACCOUNT_AND_MEMBER_OF_ADMINISTRATORS_GROUP","S-1-5-114"],
["","OTHER_ORGANIZATION","S-1-5-1000"],
["","ALL_APP_PACKAGES","S-1-15-2-1"],
["","ML_UNTRUSTED","S-1-16-0"],
["","ML_LOW","S-1-16-4096"],
["","ML_MEDIUM","S-1-16-8192"],
["","ML_MEDIUM_PLUS","S-1-16-8448"],
["","ML_HIGH","S-1-15-12288"],
["","ML_SYSTEM","S-1-16-16384"],
["","ML_PROTECTED_PROCESS","S-1-16-20480"],
["","AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY","S-1-18-1"],
["","SERVICE_ASSERTED_IDENTITY","S-1-18-2"]
]
ary
end
# Converts a event number to a word
def self.event_audit_mapper(policy_value)
case policy_value.to_s
when 3
return "Success,Failure"
when 2
return "Failure"
when 1
return "Success"
else
return "No auditing"
end
end
# Converts a event number to a word
def self.event_to_audit_id(event_audit_name)
case event_audit_name
when "Success,Failure"
return 3
when "Failure"
return 2
when "Success"
return 1
when 'No auditing'
return 0
else
return event_audit_name
end
end
# returns the key and hash value given the policy name
def self.find_mapping_from_policy_name(name)
key, value = lsp_mapping.find do |key,hash|
hash[:name] == name
end
unless key && value
raise KeyError, "#{name} is not a valid policy"
end
return key, value
end
# returns the key and hash value given the policy desc
def self.find_mapping_from_policy_desc(desc)
name = desc.downcase
value = nil
key, value = lsp_mapping.find do |key, hash|
key.downcase == name
end
unless value
raise KeyError, "#{desc} is not a valid policy"
end
return value
end
def self.valid_lsp?(name)
lsp_mapping.keys.include?(name)
end
def self.convert_registry_value(name, value)
value = value.to_s
return value if value.split(',').count > 1
policy_hash = find_mapping_from_policy_desc(name)
"#{policy_hash[:reg_type]},#{value}"
end
# converts the policy value to machine values
def self.convert_policy_value(policy_hash, value)
sp = SecurityPolicy.new
# I would rather not have to look this info up, but the type code will not always have this info handy
# without knowing the policy type we can't figure out what to convert
policy_type = find_mapping_from_policy_desc(policy_hash[:name])[:policy_type]
case policy_type.to_s
when 'Privilege Rights'
sp.convert_privilege_right(policy_hash[:ensure], value)
when 'Event Audit'
event_to_audit_id(value)
when 'Registry Values'
# convert the value to a datatype/value
convert_registry_value(policy_hash[:name], value)
else
value
end
end
def self.lsp_mapping
@lsp_mapping ||= {
# Password policy Mappings
'Enforce password history' => {
:name => 'PasswordHistorySize',
:policy_type => 'System Access',
},
'Maximum password age' => {
:name => 'MaximumPasswordAge',
:policy_type => 'System Access',
},
'Minimum password age' => {
:name => 'MinimumPasswordAge',
:policy_type => 'System Access',
},
'Minimum password length' => {
:name => 'MinimumPasswordLength',
:policy_type => 'System Access',
},
'Password must meet complexity requirements' => {
:name => 'PasswordComplexity',
:policy_type => 'System Access',
},
'Store passwords using reversible encryption' => {
:name => 'ClearTextPassword',
:policy_type => 'System Access',
},
'Account lockout threshold' => {
:name => 'LockoutBadCount',
:policy_type => 'System Access',
},
'Account lockout duration' => {
:name => 'LockoutDuration',
:policy_type => 'System Access',
},
'Reset account lockout counter after' => {
:name => 'ResetLockoutCount',
:policy_type => 'System Access',
},
'Accounts: Rename administrator account' => {
:name => 'NewAdministratorName',
:policy_type => 'System Access',
:data_type => :quoted_string
},
'Accounts: Administrator account status' => {
:name => 'EnableAdminAccount',
:policy_type => 'System Access',
},
'Accounts: Rename guest account' => {
:name => 'NewGuestName',
:policy_type => 'System Access',
:data_type => :quoted_string
},
'Accounts: Require Login to Change Password' => {
:name => 'RequireLogonToChangePassword',
:policy_type => 'System Access'
},
'Network security: Force logoff when logon hours expire' => {
:name => 'ForceLogoffWhenHourExpire',
:policy_type => 'System Access'
},
'Network access: Allow anonymous SID/name translation' => {
:name => 'LSAAnonymousNameLookup',
:policy_type => 'System Access'
},
'EnableAdminAccount' => {
:name => 'EnableAdminAccount',
:policy_type => 'System Access'
},
"EnableGuestAccount"=>{
:name=>"EnableGuestAccount",
:policy_type => 'System Access'
},
# Audit Policy Mappings
'Audit account logon events' => {
:name => 'AuditAccountLogon',
:policy_type => 'Event Audit',
},
'Audit account management' => {
:name => 'AuditAccountManage',
:policy_type => 'Event Audit',
},
'Audit directory service access' => {
:name => 'AuditDSAccess',
:policy_type => 'Event Audit',
},
'Audit logon events' => {
:name => 'AuditLogonEvents',
:policy_type => 'Event Audit',
},
'Audit object access' => {
:name => 'AuditObjectAccess',
:policy_type => 'Event Audit',
},
'Audit policy change' => {
:name => 'AuditPolicyChange',
:policy_type => 'Event Audit',
},
'Audit privilege use' => {
:name => 'AuditPrivilegeUse',
:policy_type => 'Event Audit',
},
'Audit process tracking' => {
:name => 'AuditProcessTracking',
:policy_type => 'Event Audit',
},
'Audit system events' => {
:name => 'AuditSystemEvents',
:policy_type => 'Event Audit',
},
'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' => {
:name => 'MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy',
:reg_type => '4',
:policy_type => 'Registry Values',
},
#User rights mapping
'Access Credential Manager as a trusted caller' => {
:name => 'SeTrustedCredManAccessPrivilege',
:policy_type => 'Privilege Rights',
},
'Access this computer from the network' => {
:name => 'SeNetworkLogonRight',
:policy_type => 'Privilege Rights',
},
'Act as part of the operating system' => {
:name => 'SeTcbPrivilege',
:policy_type => 'Privilege Rights',
},
'Add workstations to domain' => {
:name => 'SeMachineAccountPrivilege',
:policy_type => 'Privilege Rights',
},
'Adjust memory quotas for a process' => {
:name => 'SeIncreaseQuotaPrivilege',
:policy_type => 'Privilege Rights',
},
'Allow log on locally' => {
:name => 'SeInteractiveLogonRight',
:policy_type => 'Privilege Rights',
},
'Allow log on through Remote Desktop Services' => {
:name => 'SeRemoteInteractiveLogonRight',
:policy_type => 'Privilege Rights',
},
'Back up files and directories' => {
:name => 'SeBackupPrivilege',
:policy_type => 'Privilege Rights',
},
'Bypass traverse checking' => {
:name => 'SeChangeNotifyPrivilege',
:policy_type => 'Privilege Rights',
},
'Change the system time' => {
:name => 'SeSystemtimePrivilege',
:policy_type => 'Privilege Rights',
},
'Change the time zone' => {
:name => 'SeTimeZonePrivilege',
:policy_type => 'Privilege Rights',
},
'Create a pagefile' => {
:name => 'SeCreatePagefilePrivilege',
:policy_type => 'Privilege Rights',
},
'Create a token object' => {
:name => 'SeCreateTokenPrivilege',
:policy_type => 'Privilege Rights',
},
'Create global objects' => {
:name => 'SeCreateGlobalPrivilege',
:policy_type => 'Privilege Rights',
},
'Create permanent shared objects' => {
:name => 'SeCreatePermanentPrivilege',
:policy_type => 'Privilege Rights',
},
'Create symbolic links' => {
:name => 'SeCreateSymbolicLinkPrivilege',
:policy_type => 'Privilege Rights',
},
'Debug programs' => {
:name => 'SeDebugPrivilege',
:policy_type => 'Privilege Rights',
},
'Deny access to this computer from the network' => {
:name => 'SeDenyNetworkLogonRight',
:policy_type => 'Privilege Rights',
},
'Deny log on as a batch job' => {
:name => 'SeDenyBatchLogonRight',
:policy_type => 'Privilege Rights',
},
'Deny log on as a service' => {
:name => 'SeDenyServiceLogonRight',
:policy_type => 'Privilege Rights',
},
'Deny log on locally' => {
:name => 'SeDenyInteractiveLogonRight',
:policy_type => 'Privilege Rights',
},
'Deny log on through Remote Desktop Services' => {
:name => 'SeDenyRemoteInteractiveLogonRight',
:policy_type => 'Privilege Rights',
},
'Enable computer and user accounts to be trusted for delegation' => {
:name => 'SeEnableDelegationPrivilege',
:policy_type => 'Privilege Rights',
},
'Force shutdown from a remote system' => {
:name => 'SeRemoteShutdownPrivilege',
:policy_type => 'Privilege Rights',
},
'Generate security audits' => {
:name => 'SeAuditPrivilege',
:policy_type => 'Privilege Rights',
},
'Impersonate a client after authentication' => {
:name => 'SeImpersonatePrivilege',
:policy_type => 'Privilege Rights',
},
'Increase a process working set' => {
:name => 'SeIncreaseWorkingSetPrivilege',
:policy_type => 'Privilege Rights',
},
'Increase scheduling priority' => {
:name => 'SeIncreaseBasePriorityPrivilege',
:policy_type => 'Privilege Rights',
},
'Load and unload device drivers' => {
:name => 'SeLoadDriverPrivilege',
:policy_type => 'Privilege Rights',
},
'Lock pages in memory' => {
:name => 'SeLockMemoryPrivilege',
:policy_type => 'Privilege Rights',
},
'Log on as a batch job' => {
:name => 'SeBatchLogonRight',
:policy_type => 'Privilege Rights',
},
'Log on as a service' => {
:name => 'SeServiceLogonRight',
:policy_type => 'Privilege Rights',
},
'Manage auditing and security log' => {
:name => 'SeSecurityPrivilege',
:policy_type => 'Privilege Rights',
},
'Modify an object label' => {
:name => 'SeRelabelPrivilege',
:policy_type => 'Privilege Rights',
},
'Modify firmware environment values' => {
:name => 'SeSystemEnvironmentPrivilege',
:policy_type => 'Privilege Rights',
},
'Perform volume maintenance tasks' => {
:name => 'SeManageVolumePrivilege',
:policy_type => 'Privilege Rights',
},
'Profile single process' => {
:name => 'SeProfileSingleProcessPrivilege',
:policy_type => 'Privilege Rights',
},
'Profile system performance' => {
:name => 'SeSystemProfilePrivilege',
:policy_type => 'Privilege Rights',
},
'Remove computer from docking station' => {
:name => 'SeUndockPrivilege',
:policy_type => 'Privilege Rights',
},
'Replace a process level token' => {
:name => 'SeAssignPrimaryTokenPrivilege',
:policy_type => 'Privilege Rights',
},
'Restore files and directories' => {
:name => 'SeRestorePrivilege',
:policy_type => 'Privilege Rights',
},
'Shut down the system' => {
:name => 'SeShutdownPrivilege',
:policy_type => 'Privilege Rights',
},
'Synchronize directory service data' => {
:name => 'SeSyncAgentPrivilege',
:policy_type => 'Privilege Rights',
},
'Take ownership of files or other objects' => {
:name => 'SeTakeOwnershipPrivilege',
:policy_type => 'Privilege Rights',
},
#Registry Keys
'Recovery console: Allow automatic administrative logon' => {
:name => 'MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Recovery console: Allow floppy copy and access to all drives and all folders' => {
:name => 'MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' => {
:name => 'MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount',
:reg_type => '1',
:policy_type => 'Registry Values',
},
'Interactive logon: Require Domain Controller authentication to unlock workstation' => {
:name => 'MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Interactive logon: Prompt user to change password before expiration' => {
:name => 'MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Interactive logon: Smart card removal behavior' => {
:name => 'MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption',
:reg_type => '1',
:policy_type => 'Registry Values',
},
'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' => {
:name => 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'User Account Control: Behavior of the elevation prompt for standard users' => {
:name => 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Interactive logon: Do not require CTRL+ALT+DEL' => {
:name => 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Interactive logon: Do not display last user name' => {
:name => 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'User Account Control: Detect application installations and prompt for elevation' => {
:name => 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'User Account Control: Run all administrators in Admin Approval Mode' => {
:name => 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'User Account Control: Only elevate UIAccess applications that are installed in secure locations' => {
:name => 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' => {
:name => 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'User Account Control: Virtualize file and registry write failures to per-user locations' => {
:name => 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'User Account Control: Admin Approval Mode for the Built-in Administrator account' => {
:name => 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Interactive logon: Message title for users attempting to log on' => {
:name => 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption',
:reg_type => '1',
:policy_type => 'Registry Values',
},
'Interactive logon: Message text for users attempting to log on' => {
:name => 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText',
:reg_type => '7',
:policy_type => 'Registry Values',
},
'User Account Control: Switch to the secure desktop when prompting for elevation' => {
:name => 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Interactive logon: Require smart card' => {
:name => 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Shutdown: Allow system to be shut down without having to log on' => {
:name => 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Devices: Allow undock without having to log on' => {
:name => 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'User Account Control: Only elevate executables that are signed and validated' => {
:name => 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies' => {
:name => 'MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Audit: Audit the access of global system objects' => {
:name => 'MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Audit: Shut down system immediately if unable to log security audits' => {
:name => 'MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Network access: Do not allow storage of passwords and credentials for network authentication' => {
:name => 'MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Network access: Let Everyone permissions apply to anonymous users' => {
:name => 'MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Network access: Sharing and security model for local accounts' => {
:name => 'MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' => {
:name => 'MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'System cryptography: Force strong key protection for user keys stored on the computer' => {
:name => 'MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Audit: Audit the use of Backup and Restore privilege' => {
:name => 'MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing',
:reg_type => '3',
:policy_type => 'Registry Values',
},
'Accounts: Block Microsoft accounts' => {
:name => 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoConnectedUser',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Accounts: Limit local account use of blank passwords to console logon only' => {
:name => 'MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Network security: All Local System to use computer identity for NTLM' => {
:name => 'MACHINE\System\CurrentControlSet\Control\Lsa\UseMachineId',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Network access: Remotely accessible registry paths' => {
:name => 'MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine',
:reg_type => '7',
:policy_type => 'Registry Values',
},
'Devices: Restrict CD-ROM access to locally logged-on user only' => {
:name => 'MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms',
:reg_type => '1',
:policy_type => 'Registry Values',
},
'Devices: Restrict floppy access to locally logged-on user only' => {
:name => 'MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies',
:reg_type => '1',
:policy_type => 'Registry Values',
},
'Devices: Allowed to format and eject removable media' => {
:name => 'MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD',
:reg_type => '1',
:policy_type => 'Registry Values',
},
'Devices: Prevent users from installing printer drivers' => {
:name => 'MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Domain member: Digitally encrypt or sign secure channel data (always)' => {
:name => 'MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Domain member: Digitally encrypt secure channel data (when possible)' => {
:name => 'MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Domain member: Digitally sign secure channel data (when possible)' => {
:name => 'MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Domain member: Disable machine account password changes' => {
:name => 'MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Domain member: Maximum machine account password age' => {
:name => 'MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Domain member: Require strong (Windows 2000 or later) session key' => {
:name => 'MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Interactive logon: Display user information when the session is locked' => {
:name => 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLockedUserId',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Interactive logon: Machine inactivity limit' => {
:name => 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Interactive logon: Machine account lockout threshold' => {
:name => 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\MaxDevicePasswordFailedAttempts',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Microsoft network client: Digitally sign communications (always)' => {
:name => 'MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Microsoft network client: Digitally sign communications (if server agrees)' => {
:name => 'MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Microsoft network client: Send unencrypted password to third-party SMB servers' => {
:name => 'MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Microsoft network server: Server SPN target name validation level' => {
:name => 'MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\SmbServerNameHardeningLevel',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Microsoft network server: Amount of idle time required before suspending session' => {
:name => 'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Microsoft network server: Digitally sign communications (always)' => {
:name => 'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Microsoft network server: Digitally sign communications (if client agrees)' => {
:name => 'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Microsoft network server: Disconnect clients when logon hours expire' => {
:name => 'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Network access: Named Pipes that can be accessed anonymously' => {
:name => 'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes',
:reg_type => '7',
:policy_type => 'Registry Values',
},
'Network access: Shares that can be accessed anonymously' => {
:name => 'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares',
:reg_type => '7',
:policy_type => 'Registry Values',
},
'Network access: Do not allow anonymous enumeration of SAM accounts and shares' => {
:name => 'MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Network access: Do not allow anonymous enumeration of SAM accounts' => {
:name => 'MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Network access: Remotely accessible registry paths and sub-paths' => {
:name => 'MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine',
:reg_type => '7',
:policy_type => 'Registry Values',
},
'Network access: Restrict anonymous access to Named Pipes and Shares' => {
:name => 'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Network security: Do not store LAN Manager hash value on next password change' => {
:name => 'MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Network security: LAN Manager authentication level' => {
:name => 'MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' => {
:name => 'MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' => {
:name => 'MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec',
:reg_type => '4',
:policy_type => 'Registry Values',
},
'Network security: LDAP client signing requirements' => {
:name => 'MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity',
:reg_type => "4",
:policy_type => "Registry Values",
},
'System objects: Require case insensitivity for non-Windows subsystems' => {
:name => 'MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive',
:policy_type => "Registry Values",
:reg_type => "4"
},
'System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links)' => {
:name => 'MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode',
:policy_type => "Registry Values",
:reg_type => "4"
},
'System settings: Optional subsystems' => {
:name => 'MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional',
:policy_type => "Registry Values",
:reg_type => "7"
},
'Shutdown: Clear virtual memory pagefile' => {
:name => 'MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown',
:policy_type => "Registry Values",
:reg_type => "4"
},
}
end
end

629
modules/utilities/windows/system/local_security_policy/lib/puppet_x/twp/inifile.rb Normal file
View File

@@ -0,0 +1,629 @@
#encoding: UTF-8
# This class represents the INI file and can be used to parse, modify,
# and write INI files.
module PuppetX
class IniFile
include Enumerable
class Error < StandardError; end
VERSION = '3.0.0'
# Public: Open an INI file and load the contents.
#
# filename - The name of the file as a String
# opts - The Hash of options (default: {})
# :comment - String containing the comment character(s)
# :parameter - String used to separate parameter and value
# :encoding - Encoding String for reading / writing
# :default - The String name of the default global section
#
# Examples
#
# IniFile.load('file.ini')
# #=> IniFile instance
#
# IniFile.load('does/not/exist.ini')
# #=> nil
#
# Returns an IniFile instance or nil if the file could not be opened.
def self.load( filename, opts = {} )
return unless File.file? filename
new(opts.merge(:filename => filename))
end
# Get and set the filename
attr_accessor :filename
# Get and set the encoding
attr_accessor :encoding
# Public: Create a new INI file from the given set of options. If :content
# is provided then it will be used to populate the INI file. If a :filename
# is provided then the contents of the file will be parsed and stored in the
# INI file. If neither the :content or :filename is provided then an empty
# INI file is created.
#
# opts - The Hash of options (default: {})
# :content - The String/Hash containing the INI contents
# :comment - String containing the comment character(s)
# :parameter - String used to separate parameter and value
# :encoding - Encoding String for reading / writing
# :default - The String name of the default global section
# :filename - The filename as a String
#
# Examples
#
# IniFile.new
# #=> an empty IniFile instance
#
# IniFile.new( :content => "[global]\nfoo=bar" )
# #=> an IniFile instance
#
# IniFile.new( :filename => 'file.ini', :encoding => 'UTF-8' )
# #=> an IniFile instance
#
# IniFile.new( :content => "[global]\nfoo=bar", :comment => '#' )
# #=> an IniFile instance
#
def initialize( opts = {} )
@comment = opts.fetch(:comment, ';#')
@param = opts.fetch(:parameter, '=')
@encoding = opts.fetch(:encoding, nil)
@default = opts.fetch(:default, 'global')
@filename = opts.fetch(:filename, nil)
content = opts.fetch(:content, nil)
@ini = Hash.new {|h,k| h[k] = Hash.new}
if content.is_a?(Hash) then merge!(content)
elsif content then parse(content)
elsif @filename then read
end
end
# Public: Write the contents of this IniFile to the file system. If left
# unspecified, the currently configured filename and encoding will be used.
# Otherwise the filename and encoding can be specified in the options hash.
#
# opts - The default options Hash
# :filename - The filename as a String
# :encoding - The encoding as a String
#
# Returns this IniFile instance.
def write( opts = {} )
filename = opts.fetch(:filename, @filename)
encoding = opts.fetch(:encoding, @encoding)
mode = encoding ? "w:#{encoding}" : "w"
File.open(filename, mode) do |f|
@ini.each do |section,hash|
f.puts "[#{section}]"
hash.each {|param,val| f.puts "#{param} #{@param} #{escape_value val}"}
f.puts
end
end
self
end
alias :save :write
# Public: Read the contents of the INI file from the file system and replace
# and set the state of this IniFile instance. If left unspecified the
# currently configured filename and encoding will be used when reading from
# the file system. Otherwise the filename and encoding can be specified in
# the options hash.
#
# opts - The default options Hash
# :filename - The filename as a String
# :encoding - The encoding as a String
#
# Returns this IniFile instance if the read was successful; nil is returned
# if the file could not be read.
def read( opts = {} )
filename = opts.fetch(:filename, @filename)
encoding = opts.fetch(:encoding, @encoding)
return unless File.file? filename
mode = encoding ? "r:#{encoding}" : "r"
File.open(filename, mode) { |fd| parse fd }
self
end
alias :restore :read
# Returns this IniFile converted to a String.
def to_s
s = []
@ini.each do |section,hash|
s << "[#{section}]"
hash.each {|param,val| s << "#{param} #{@param} #{escape_value val}"}
s << ""
end
s.join("\n")
end
# Returns this IniFile converted to a Hash.
def to_h
@ini.dup
end
# Public: Creates a copy of this inifile with the entries from the
# other_inifile merged into the copy.
#
# other - The other IniFile.
#
# Returns a new IniFile.
def merge( other )
self.dup.merge!(other)
end
# Public: Merges other_inifile into this inifile, overwriting existing
# entries. Useful for having a system inifile with user overridable settings
# elsewhere.
#
# other - The other IniFile.
#
# Returns this IniFile.
def merge!( other )
return self if other.nil?
my_keys = @ini.keys
other_keys = case other
when IniFile
other.instance_variable_get(:@ini).keys
when Hash
other.keys
else
raise Error, "cannot merge contents from '#{other.class.name}'"
end
(my_keys & other_keys).each do |key|
case other[key]
when Hash
@ini[key].merge!(other[key])
when nil
nil
else
raise Error, "cannot merge section #{key.inspect} - unsupported type: #{other[key].class.name}"
end
end
(other_keys - my_keys).each do |key|
@ini[key] = case other[key]
when Hash
other[key].dup
when nil
{}
else
raise Error, "cannot merge section #{key.inspect} - unsupported type: #{other[key].class.name}"
end
end
self
end
# Public: Yield each INI file section, parameter, and value in turn to the
# given block.
#
# block - The block that will be iterated by the each method. The block will
# be passed the current section and the parameter/value pair.
#
# Examples
#
# inifile.each do |section, parameter, value|
# puts "#{parameter} = #{value} [in section - #{section}]"
# end
#
# Returns this IniFile.
def each
return unless block_given?
@ini.each do |section,hash|
hash.each do |param,val|
yield section, param, val
end
end
self
end
# Public: Yield each section in turn to the given block.
#
# block - The block that will be iterated by the each method. The block will
# be passed the current section as a Hash.
#
# Examples
#
# inifile.each_section do |section|
# puts section.inspect
# end
#
# Returns this IniFile.
def each_section
return unless block_given?
@ini.each_key {|section| yield section}
self
end
# Public: Remove a section identified by name from the IniFile.
#
# section - The section name as a String.
#
# Returns the deleted section Hash.
def delete_section( section )
@ini.delete section.to_s
end
# Public: Get the section Hash by name. If the section does not exist, then
# it will be created.
#
# section - The section name as a String.
#
# Examples
#
# inifile['global']
# #=> global section Hash
#
# Returns the Hash of parameter/value pairs for this section.
def []( section )
return nil if section.nil?
@ini[section.to_s]
end
# Public: Set the section to a hash of parameter/value pairs.
#
# section - The section name as a String.
# value - The Hash of parameter/value pairs.
#
# Examples
#
# inifile['tenderloin'] = { 'gritty' => 'yes' }
# #=> { 'gritty' => 'yes' }
#
# Returns the value Hash.
def []=( section, value )
@ini[section.to_s] = value
end
# Public: Create a Hash containing only those INI file sections whose names
# match the given regular expression.
#
# regex - The Regexp used to match section names.
#
# Examples
#
# inifile.match(/^tree_/)
# #=> Hash of matching sections
#
# Return a Hash containing only those sections that match the given regular
# expression.
def match( regex )
@ini.dup.delete_if { |section, _| section !~ regex }
end
# Public: Check to see if the IniFile contains the section.
#
# section - The section name as a String.
#
# Returns true if the section exists in the IniFile.
def has_section?( section )
@ini.has_key? section.to_s
end
# Returns an Array of section names contained in this IniFile.
def sections
@ini.keys
end
# Public: Freeze the state of this IniFile object. Any attempts to change
# the object will raise an error.
#
# Returns this IniFile.
def freeze
super
@ini.each_value {|h| h.freeze}
@ini.freeze
self
end
# Public: Mark this IniFile as tainted -- this will traverse each section
# marking each as tainted.
#
# Returns this IniFile.
def taint
super
@ini.each_value {|h| h.taint}
@ini.taint
self
end
# Public: Produces a duplicate of this IniFile. The duplicate is independent
# of the original -- i.e. the duplicate can be modified without changing the
# original. The tainted state of the original is copied to the duplicate.
#
# Returns a new IniFile.
def dup
other = super
other.instance_variable_set(:@ini, Hash.new {|h,k| h[k] = Hash.new})
@ini.each_pair {|s,h| other[s].merge! h}
other.taint if self.tainted?
other
end
# Public: Produces a duplicate of this IniFile. The duplicate is independent
# of the original -- i.e. the duplicate can be modified without changing the
# original. The tainted state and the frozen state of the original is copied
# to the duplicate.
#
# Returns a new IniFile.
def clone
other = dup
other.freeze if self.frozen?
other
end
# Public: Compare this IniFile to some other IniFile. For two INI files to
# be equivalent, they must have the same sections with the same parameter /
# value pairs in each section.
#
# other - The other IniFile.
#
# Returns true if the INI files are equivalent and false if they differ.
def eql?( other )
return true if equal? other
return false unless other.instance_of? self.class
@ini == other.instance_variable_get(:@ini)
end
alias :== :eql?
# Escape special characters.
#
# value - The String value to escape.
#
# Returns the escaped value.
def escape_value( value )
value = value.to_s.dup
value.gsub!(%r/\\([0nrt])/, '\\\\\1')
value.gsub!(%r/\n/, '\n')
value.gsub!(%r/\r/, '\r')
value.gsub!(%r/\t/, '\t')
value.gsub!(%r/\0/, '\0')
value
end
# Parse the given content and store the information in this IniFile
# instance. All data will be cleared out and replaced with the information
# read from the content.
#
# content - A String or a file descriptor (must respond to `each_line`)
#
# Returns this IniFile.
def parse( content )
parser = Parser.new(@ini, @param, @comment, @default)
parser.parse(content)
self
end
# The IniFile::Parser has the responsibility of reading the contents of an
# .ini file and storing that information into a ruby Hash. The object being
# parsed must respond to `each_line` - this includes Strings and any IO
# object.
class Parser
attr_writer :section
attr_accessor :property
attr_accessor :value
# Create a new IniFile::Parser that can be used to parse the contents of
# an .ini file.
#
# hash - The Hash where parsed information will be stored
# param - String used to separate parameter and value
# comment - String containing the comment character(s)
# default - The String name of the default global section
#
def initialize( hash, param, comment, default )
@hash = hash
@default = default
comment = comment.to_s.empty? ? "\\z" : "\\s*(?:[#{comment}].*)?\\z"
@section_regexp = %r/\A\s*\[([^\]]+)\]#{comment}/
@ignore_regexp = %r/\A#{comment}/
@property_regexp = %r/\A(.*?)(?<!\\)#{param}(.*)\z/
@open_quote = %r/\A\s*(".*)\z/
@close_quote = %r/\A(.*(?<!\\)")#{comment}/
@full_quote = %r/\A\s*(".*(?<!\\)")#{comment}/
@trailing_slash = %r/\A(.*)(?<!\\)\\#{comment}/
@normal_value = %r/\A(.*?)#{comment}/
end
# Returns `true` if the current value starts with a leading double quote.
# Otherwise returns false.
def leading_quote?
value && value =~ %r/\A"/
end
# Given a string, attempt to parse out a value from that string. This
# value might be continued on the following line. So this method returns
# `true` if it is expecting more data.
#
# string - String to parse
#
# Returns `true` if the next line is also part of the current value.
# Returns `fase` if the string contained a complete value.
def parse_value( string )
continuation = false
# if our value starts with a double quote, then we are in a
# line continuation situation
if leading_quote?
# check for a closing quote at the end of the string
if string =~ @close_quote
value << $1
# otherwise just append the string to the value
else
value << string
continuation = true
end
# not currently processing a continuation line
else
case string
when @full_quote
self.value = $1
when @open_quote
self.value = $1
continuation = true
when @trailing_slash
self.value ? self.value << $1 : self.value = $1
continuation = true
when @normal_value
self.value ? self.value << $1 : self.value = $1
else
error
end
end
if continuation
self.value << $/ if leading_quote?
else
process_property
end
continuation
end
# Parse the ini file contents. This will clear any values currently stored
# in the ini hash.
#
# content - Any object that responds to `each_line`
#
# Returns nil.
def parse( content )
return unless content
continuation = false
@hash.clear
@line = nil
self.section = nil
content.each_line do |line|
@line = line.chomp
if continuation
continuation = parse_value @line
else
case @line
when @ignore_regexp
nil
when @section_regexp
self.section = @hash[$1]
when @property_regexp
self.property = $1.strip
error if property.empty?
continuation = parse_value $2
else
error
end
end
end
# check here if we have a dangling value ... usually means we have an
# unmatched open quote
if leading_quote?
error "Unmatched open quote"
elsif property && value
process_property
elsif value
error
end
nil
end
# Store the property/value pair in the currently active section. This
# method checks for continuation of the value to the next line.
#
# Returns nil.
def process_property
property.strip!
value.strip!
self.value = $1 if value =~ %r/\A"(.*)(?<!\\)"\z/m
section[property] = typecast(value)
self.property = nil
self.value = nil
end
# Returns the current section Hash.
def section
@section ||= @hash[@default]
end
# Raise a parse error using the given message and appending the current line
# being parsed.
#
# msg - The message String to use.
#
# Raises IniFile::Error
def error( msg = 'Could not parse line' )
raise Error, "#{msg}: #{@line.inspect}"
end
# Attempt to typecast the value string. We are looking for boolean values,
# integers, floats, and empty strings. Below is how each gets cast, but it
# is pretty logical and straightforward.
#
# "true" --> true
# "false" --> false
# "" --> nil
# "42" --> 42
# "3.14" --> 3.14
# "foo" --> "foo"
#
# Returns the typecast value.
def typecast( value )
case value
when %r/\Atrue\z/i; true
when %r/\Afalse\z/i; false
when %r/\A\s*\z/i; nil
else
Integer(value) rescue \
Float(value) rescue \
unescape_value(value)
end
end
# Unescape special characters found in the value string. This will convert
# escaped null, tab, carriage return, newline, and backslash into their
# literal equivalents.
#
# value - The String value to unescape.
#
# Returns the unescaped value.
def unescape_value( value )
value = value.to_s
value.gsub!(%r/\\[0nrt\\]/) { |char|
case char
when '\0'; "\0"
when '\n'; "\n"
when '\r'; "\r"
when '\t'; "\t"
when '\\\\'; "\\"
end
}
value
end
end
end # IniFile
end

1
modules/utilities/windows/system/local_security_policy/local_security_policy.pp Normal file
View File

@@ -0,0 +1 @@

14
modules/utilities/windows/system/local_security_policy/manifests/init.pp Normal file
View File

@@ -0,0 +1,14 @@
# Class: local_security_policy
#
# This module manages local_security_policy
#
# Parameters: none
#
# Actions:
#
# Requires: see Modulefile
#
# Sample Usage:
#
class local_security_policy {
}

23
modules/utilities/windows/system/local_security_policy/metadata.json Normal file
View File

@@ -0,0 +1,23 @@
{
"name": "ayohrling-local_security_policy",
"version": "0.6.3",
"author": "Paul S. Cannon, Adam Yohrling, Corey Osman, Ryan Russell-Yates, Jordan Wesolowski, Gerben Welter, Thomas Linkin",
"summary": "Windows Local Security Policy management. Forked from cannonps/local_security_policy",
"license": "Apache 2.0",
"source": "https://github.com/ayohrling/local_security_policy",
"project_page": "https://github.com/ayohrling/local_security_policy",
"issues_url": "https://github.com/ayohrling/local_security_policy/issues",
"dependencies": [
],
"data_provider": null,
"tags": [
"windows",
"security"
],
"operatingsystem_support": [
{
"operatingsystem": "windows"
}
]
}

26
modules/utilities/windows/system/local_security_policy/secgen_metadata.xml Normal file
View File

@@ -0,0 +1,26 @@
<?xml version="1.0"?>
<utility xmlns="http://www.github/cliffe/SecGen/utility"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/utility">
<name>Local Security Policy</name>
<author>Paul Cannon</author>
<author>Adam Yohrling</author>
<author>Emlyn Butterfield</author>
<module_license>Apache v2</module_license>
<description>Configure local security policy (LSP) for windows servers.
</description>
<type>system</type>
<platform>windows</platform>
<!--optional details-->
<reference>https://forge.puppet.com/ayohrling/local_security_policy</reference>
<read_fact>accounts</read_fact>
<conflict>
<module_path>bases/(debian|kali|ubuntu).*</module_path>
</conflict>
</utility>

29
modules/utilities/windows/system/local_security_policy/spec/classes/local_security_policy_spec.rb Normal file
View File

@@ -0,0 +1,29 @@
require 'spec_helper'
require 'shared_contexts'
describe 'local_security_policy' do
# by default the hiera integration uses hiera data from the shared_contexts.rb file
# but basically to mock hiera you first need to add a key/value pair
# to the specific context in the spec/shared_contexts.rb file
# Note: you can only use a single hiera context per describe/context block
# rspec-puppet does not allow you to swap out hiera data on a per test block
#include_context :hiera
# below is the facts hash that gives you the ability to mock
# facts on a per describe/context block. If you use a fact in your
# manifest you should mock the facts below.
let(:facts) do
{}
end
# below is a list of the resource parameters that you can override.
# By default all non-required parameters are commented out,
# while all required parameters will require you to add a value
let(:params) do
{
}
end
# add these two lines in a single test block to enable puppet and hiera debug mode
# Puppet::Util::Log.level = :debug
# Puppet::Util::Log.newdestination(:console)
end

18
modules/utilities/windows/system/local_security_policy/spec/fixtures/unit/group.txt vendored Executable file
View File

@@ -0,0 +1,18 @@

Node,Name,SID
win2008r2,Administrators,S-1-5-32-544
win2008r2,Backup Operators,S-1-5-32-551
win2008r2,Certificate Service DCOM Access,S-1-5-32-574
win2008r2,Cryptographic Operators,S-1-5-32-569
win2008r2,Distributed COM Users,S-1-5-32-562
win2008r2,Event Log Readers,S-1-5-32-573
win2008r2,Guests,S-1-5-32-546
win2008r2,IIS_IUSRS,S-1-5-32-568
win2008r2,Network Configuration Operators,S-1-5-32-556
win2008r2,Performance Log Users,S-1-5-32-559
win2008r2,Performance Monitor Users,S-1-5-32-558
win2008r2,Power Users,S-1-5-32-547
win2008r2,Print Operators,S-1-5-32-550
win2008r2,Remote Desktop Users,S-1-5-32-555
win2008r2,Replicator,S-1-5-32-552
win2008r2,Users,S-1-5-32-545

124
modules/utilities/windows/system/local_security_policy/spec/fixtures/unit/secedit.inf vendored Normal file
View File

@@ -0,0 +1,124 @@
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 60
MinimumPasswordLength = 14
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 15
LockoutDuration = 15
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 0
NewAdministratorName = "Executive"
NewGuestName = "Unwanted"
ClearTextPassword = 0
LSAAnonymousNameLookup = 0
EnableAdminAccount = 1
EnableGuestAccount = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"4"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,14
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,"1"
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin=4,5
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser=4,3
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,"Warning!"
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,WARNING! If you are not authorized to use this private network"," please disconnect immediately. Unauthorized access is prohibited and may result in civil and/or criminal prosecution. Users expressly consent to having their activities monitored"," recorded"," and shared with third parties. By your continued use of this network"," you acknowledge that you have read"," understood"," and agree with this warning message.
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures=4,0
MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,0
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,536870912
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,536870912
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers=4,1
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine=7,System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Server Applications,Software\Microsoft\Windows NT\CurrentVersion
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine=7,System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP Server,Software\Microsoft\Windows NT\CurrentVersion\Print,Software\Microsoft\Windows NT\CurrentVersion\Windows,System\CurrentControlSet\Control\ContentIndex,System\CurrentControlSet\Control\Terminal Server,System\CurrentControlSet\Control\Terminal Server\UserConfig,System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration,Software\Microsoft\Windows NT\CurrentVersion\Perflib,System\CurrentControlSet\Services\SysmonLog
MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive=4,1
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,0
MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1
MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional=7,Posix
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes=7,
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge=4,30
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544
SeChangeNotifyPrivilege = *S-1-5-11,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-551
SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544
SeCreatePagefilePrivilege = *S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544
SeRemoteShutdownPrivilege = *S-1-5-32-544
SeAuditPrivilege = *S-1-5-19,*S-1-5-20
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeIncreaseBasePriorityPrivilege = *S-1-5-32-544
SeLoadDriverPrivilege = *S-1-5-32-544
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-559
SeServiceLogonRight = *S-1-5-80-0
SeInteractiveLogonRight = *S-1-5-32-544
SeSecurityPrivilege = *S-1-5-32-544
SeSystemEnvironmentPrivilege = *S-1-5-32-544
SeProfileSingleProcessPrivilege = *S-1-5-32-544
SeSystemProfilePrivilege = *S-1-5-32-544,*S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeRestorePrivilege = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeUndockPrivilege = *S-1-5-32-544
SeManageVolumePrivilege = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
SeCreateGlobalPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
SeIncreaseWorkingSetPrivilege = *S-1-5-19,*S-1-5-32-544
SeTimeZonePrivilege = *S-1-5-19,*S-1-5-32-544
SeCreateSymbolicLinkPrivilege = *S-1-5-32-544

14
modules/utilities/windows/system/local_security_policy/spec/fixtures/unit/short_secedit.inf vendored Normal file
View File

@@ -0,0 +1,14 @@
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
[Event Audit]
AuditSystemEvents = 0
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"4"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544

5
modules/utilities/windows/system/local_security_policy/spec/fixtures/unit/useraccount.txt vendored Executable file
View File

@@ -0,0 +1,5 @@

Node,Name,SID
win2008r2,Executive,S-1-5-21-3856814960-2022588966-2476110078-500
win2008r2,Unwanted,S-1-5-21-3856814960-2022588966-2476110078-501
win2008r2,vagrant,S-1-5-21-3856814960-2022588966-2476110078-1000

35
modules/utilities/windows/system/local_security_policy/spec/shared_contexts.rb Normal file
View File

@@ -0,0 +1,35 @@
# optional, this should be the path to where the hiera data config file is in this repo
# You must update this if your actual hiera data lives inside your module.
# I only assume its data, but it could be anything
hiera_config_file = File.expand_path(File.join(File.dirname(__FILE__), '..','data', 'hiera.yaml'))
# hiera_config and hiera_data are mutually exclusive contexts.
shared_context :hiera do
# example only,
let(:hiera_data) do
{:some_key => "some_value" }
end
end
shared_context :linux_hiera do
# example only,
let(:hiera_data) do
{:some_key => "some_value" }
end
end
# In case you want a more specific set of mocked hiera data for windows
shared_context :windows_hiera do
# example only,
let(:hiera_data) do
{:some_key => "some_value" }
end
end
# you cannot use this in addition to any of the hiera_data contexts above
shared_context :real_hiera_data do
let(:hiera_config) do
hirea_config_file
end
end

16
modules/utilities/windows/system/local_security_policy/spec/spec_helper.rb Normal file
View File

@@ -0,0 +1,16 @@
require 'puppetlabs_spec_helper/module_spec_helper'
require 'rspec-puppet-utils'
def fixtures_path
proj_root = File.expand_path(File.join(File.dirname(__FILE__), '..'))
fixtures_path = File.join(proj_root, 'spec', 'fixtures')
end
# Uncomment this to show coverage report, also useful for debugging
#at_exit { RSpec::Puppet::Coverage.report! }
RSpec.configure do |c|
c.formatter = 'documentation'
c.mock_with :rspec
end

174
modules/utilities/windows/system/local_security_policy/spec/unit/puppet/provider/local_security_policy/policy_spec.rb Normal file
View File

@@ -0,0 +1,174 @@
require 'spec_helper'
require "awesome_print"
provider_class = Puppet::Type.type(:local_security_policy).provider(:policy)
describe provider_class do
subject { provider_class }
before :all do
Puppet::Util.stubs(:which).with("wmic").returns("c:\\tools\\wmic")
Puppet::Util.stubs(:which).with("secedit").returns("c:\\tools\\secedit")
end
before :each do
infout = StringIO.new
sdbout = StringIO.new
allow(provider_class).to receive(:read_policy_settings).and_return(inf_data)
allow(Tempfile).to receive(:new).with('infimport').and_return(infout)
allow(Tempfile).to receive(:new).with('sdbimport').and_return(sdbout)
allow(File).to receive(:file?).with(secdata).and_return(true)
# the below mock seems to be required or rspec complains
allow(File).to receive(:file?).with(/facter/).and_return(true)
allow(subject).to receive(:temp_file).and_return(secdata)
subject.stubs(:secedit).with(['/configure', '/db', 'sdbout', '/cfg', 'infout', '/quiet'])
subject.stubs(:secedit).with(['/export', '/cfg', secdata, '/quiet'])
allow_any_instance_of(SecurityPolicy).to receive(:wmic).with([ "useraccount", "get", "name,sid", "/format:csv"]).and_return(userdata)
allow_any_instance_of(SecurityPolicy).to receive(:wmic).with([ "group", "get", "name,sid", "/format:csv"]).and_return(groupdata)
end
let(:security_policy){
SecurityPolicy.new
}
let(:inf_data) do
inffile_content = File.read(secdata).encode('utf-8', :universal_newline => true).gsub("\xEF\xBB\xBF", '')
PuppetX::IniFile.new(:content => inffile_content)
end
# mock up the data which was gathered on a real windows system
let(:secdata) do
File.join(fixtures_path, 'unit', 'secedit.inf')
end
let(:groupdata) do
file = File.join(fixtures_path, 'unit', 'group.txt')
File.open(file, 'r') {|f| f.read.encode('utf-8', :universal_newline => true).gsub("\xEF\xBB\xBF", '')}
end
let(:userdata) do
file = File.join(fixtures_path, 'unit', 'useraccount.txt')
File.open(file, 'r') {|f| f.read.encode('utf-8', :universal_newline => true).gsub("\xEF\xBB\xBF", '')}
end
let(:facts)do {:is_virtual => 'false', :operatingsystem => 'windows'} end
let(:resource) {
Puppet::Type.type(:local_security_policy).new(
:name => 'Network access: Let Everyone permissions apply to anonymous users',
:ensure => 'present',
:policy_setting => 'MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous',
:policy_type => 'Registry Values',
:policy_value => '0')
}
let(:provider) {
provider_class.new(resource)
}
it 'should create instances without error' do
instances = provider_class.instances
expect(instances.class).to eq(Array)
expect(instances.count).to be >= 114
end
# if you get this error, your are missing a entry in the lsp_mapping under puppet_x/security_policy
# either its a type, case, or missing entry
it 'lsp_mapping should contain all the entries in secdata file' do
inffile = subject.read_policy_settings
missing_policies = {}
message = lambda {|pol| "Missing policy, check the lsp mapping for something like: #{pol}\n"}
inffile.sections.each do |section|
next if section == 'Unicode'
next if section == 'Version'
inffile[section].each do |name, value|
begin
SecurityPolicy.find_mapping_from_policy_name(name)
rescue KeyError => e
puts e.message
if value and section == 'Registry Values'
reg_type = value.split(',').first
missing_policies[name] = {:name => name, :policy_type => section, :reg_type => reg_type}
else
missing_policies[name] = {:name => name, :policy_type => section}
end
end
end
end
ap missing_policies
expect(missing_policies.count).to eq(0), "Missing policy, check the lsp mapping"
end
xit 'ensure instances works' do
instances = Puppet::Type.type(:local_security_policy).instances
expect(instances.count).to be > 1
end
describe 'write output' do
let(:resource) {
Puppet::Type.type(:local_security_policy).new(
:name => 'Recovery console: Allow automatic adminstrative logon',
:ensure => 'present',
:policy_setting => 'MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel',
:policy_type => 'Registry Values',
:policy_value => '0')
}
xit 'should write out the file correctly' do
provider.create
end
end
describe 'resource is removed' do
let(:resource) {
Puppet::Type.type(:local_security_policy).new(
:name => 'Network access: Let Everyone permissions apply to anonymous users',
:ensure => 'absent',
:policy_setting => 'MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous',
:policy_type => 'Registry Values',
:policy_value => '0')
}
it 'exists? should be true' do
expect(provider.exists?).to eq(false)
# until we can implement the destroy functionality this test is useless
#expect(provider).to receive(:destroy).exactly(1).times
end
end
describe 'resource is present' do
let(:secdata) do
File.join(fixtures_path, 'unit', 'short_secedit.inf')
end
let(:resource) {
Puppet::Type.type(:local_security_policy).new(
:name => 'Recovery console: Allow automatic adminstrative logon',
:ensure => 'present',
:policy_setting => 'MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel',
:policy_type => 'Registry Values',
:policy_value => '0')
}
it 'exists? should be true' do
expect(provider).to receive(:create).exactly(0).times
end
end
describe 'resource is absent' do
let(:resource) {
Puppet::Type.type(:local_security_policy).new(
:name => 'Recovery console: Allow automatic adminstrative logon',
:ensure => 'present',
:policy_setting => '1MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel',
:policy_type => 'Registry Values',
:policy_value => '76')
}
it 'exists? should be false' do
expect(provider.exists?).to eq(false)
allow(provider).to receive(:create).exactly(1).times
end
end
it "should be an instance of Puppet::Type::Local_security_policy::ProviderPolicy" do
expect(provider).to be_an_instance_of Puppet::Type::Local_security_policy::ProviderPolicy
end
end

151
modules/utilities/windows/system/local_security_policy/spec/unit/puppet/provider/local_security_policy/security_policy_spec.rb Normal file
View File

@@ -0,0 +1,151 @@
require 'spec_helper'
require "puppet_x/lsp/security_policy"
describe 'SecurityPolicy' do
subject { SecurityPolicy }
before :all do
Puppet::Util.stubs(:which).with("wmic").returns("c:\\tools\\wmic")
Puppet::Util.stubs(:which).with("secedit").returns("c:\\tools\\secedit")
end
before :each do
infout = StringIO.new
sdbout = StringIO.new
allow(Tempfile).to receive(:new).with('infimport').and_return(infout)
allow(Tempfile).to receive(:new).with('sdbimport').and_return(sdbout)
allow(File).to receive(:file?).with(secdata).and_return(true)
# the below mock seems to be required or rspec complains
allow(File).to receive(:file?).with(/facter/).and_return(true)
allow(subject).to receive(:temp_file).and_return(secdata)
security_policy.stubs(:wmic).with([ "useraccount", "get", "name,sid", "/format:csv"]).returns(File.read(userdata))
security_policy.stubs(:wmic).with([ "group", "get", "name,sid", "/format:csv"]).returns(File.read(groupdata))
allow_any_instance_of(SecurityPolicy).to receive(:wmic).with([ "useraccount", "get", "name,sid", "/format:csv"]).and_return(userdata)
allow_any_instance_of(SecurityPolicy).to receive(:wmic).with([ "group", "get", "name,sid", "/format:csv"]).and_return(groupdata)
subject.stubs(:secedit).with(['/configure', '/db', 'sdbout', '/cfg', 'infout', '/quiet'])
subject.stubs(:secedit).with(['/export', '/cfg', secdata, '/quiet'])
end
let(:secdata) do
File.join(fixtures_path, 'unit', 'secedit.inf')
end
let(:groupdata) do
File.join(fixtures_path, 'unit', 'group.txt')
end
let(:userdata) do
File.join(fixtures_path, 'unit', 'useraccount.txt')
end
let(:security_policy){
SecurityPolicy.new
}
it 'should return builtin accounts' do
# we just want to check that this is an array within an array that has 3 elements in each element
expect(security_policy.builtin_accounts.count).to be > 50
expect(security_policy.builtin_accounts.first.count).to eq(3)
end
it 'user_sid_array should return array' do
a = security_policy.user_sid_array
# we just want to check that this is an array within an array that has 3 elements in each element
expect(a.count).to be > 50
expect(a.first.count).to eq(3)
end
it 'local accounts should return array' do
a = security_policy.local_accounts
expect(a).to be_instance_of(Array)
expect(a.count).to eq(19)
expect(a.first.count).to eq(3)
end
it 'should return user' do
expect(security_policy.sid_to_user("S-1-5-32-556")).to eq('Network Configuration Operators')
expect(security_policy.sid_to_user('*S-1-5-80-0')).to eq("NT_SERVICE\\ALL_SERVICES")
end
it 'should return sid when user is not found' do
expect(security_policy.user_to_sid('*S-11-5-80-0')).to eq('*S-11-5-80-0')
end
it 'should return sid' do
expect(security_policy.user_to_sid("Network Configuration Operators")).to eq('*S-1-5-32-556')
expect(security_policy.user_to_sid("NT_SERVICE\\ALL_SERVICES")).to eq('*S-1-5-80-0')
end
it 'should return user when sid is not found' do
expect(security_policy.user_to_sid("N_SERVICE\\ALL_SERVICES")).to eq("N_SERVICE\\ALL_SERVICES")
end
describe 'registry value' do
let(:resource) {
Puppet::Type.type(:local_security_policy).new(
:name => 'Network access: Let Everyone permissions apply to anonymous users',
:ensure => 'present',
:policy_setting => 'MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous',
:policy_type => 'Registry Values',
:policy_value => '3')
}
it 'should convert a registry value' do
expect(subject.convert_registry_value("Network access: Let Everyone permissions apply to anonymous users",
3)).to eq('4,3')
end
it 'should convert a policy right' do
defined_policy = {
:name => 'Network access: Let Everyone permissions apply to anonymous users',
:ensure => 'present',
:policy_setting => 'MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous',
:policy_type => 'Registry Values',
:policy_value => '3'
}
hash = security_policy.convert_policy_hash(defined_policy)
expect(hash[:policy_value]).to eq('4,3')
end
end
#
describe 'privilege right' do
let(:resource) {
Puppet::Type.type(:local_security_policy).new(
:name => 'Access this computer from the network',
:ensure => 'present',
:policy_setting => 'SeNetworkLogonRight',
:policy_type => 'Privilege Rights',
:policy_value => 'AUTHENTICATED_USERS,BUILTIN_ADMINISTRATORS'
)
}
it 'should convert a privilege right to sids' do
hash = security_policy.convert_policy_hash(resource)
expect(hash[:policy_value]).to eq('*S-1-5-11,*S-1-5-32-544')
end
end
#
# describe 'audit event' do
# let(:resource) {
# Puppet::Type.type(:local_security_policy).new(
# :name => 'Audit account logon events',
# :ensure => 'present',
# :policy_setting => "AuditAccountLogon",
# :policy_type => "Event Audit",
# :policy_value => 'Success,Failure',
# )
# }
# it 'should convert a audit right' do
# defined_policy = SecurityPolicy.find_mapping_from_policy_desc(resource[:name])
# defined_policy.merge!(resource.to_hash)
# expect(provider.convert_audit(defined_policy)).to eq(3)
# end
#
# it 'should convert a audit right' do
# defined_policy = SecurityPolicy.find_mapping_from_policy_desc(resource[:name])
# defined_policy.merge!(resource.to_hash)
# hash = provider.convert_policy_hash(defined_policy)
# expect(hash[:policy_value]).to eq(3)
# end
# end
end

50
modules/utilities/windows/system/local_security_policy/spec/unit/puppet/type/local_security_policy/local_security_policy_spec.rb Normal file
View File

@@ -0,0 +1,50 @@
require 'spec_helper'
describe Puppet::Type.type(:local_security_policy) do
[:name].each do |param|
it "should have a #{param} parameter" do
expect(Puppet::Type.type(:local_security_policy).attrtype(param)).to eq(:param)
end
end
[:policy_type,:ensure, :ensure, :policy_setting, :policy_value].each do |param|
it "should have an #{param} property" do
expect(Puppet::Type.type(:local_security_policy).attrtype(param)).to eq(:property)
end
end
describe 'test validation' do
it 'can create a registry value' do
resource = Puppet::Type.type(:local_security_policy).new(
:name => 'Network access: Let Everyone permissions apply to anonymous users',
:ensure => 'present',
:policy_setting => 'MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous',
:policy_type => 'Registry Values',
:policy_value => '0')
expect(resource[:policy_value]).to eq('4,0')
end
it 'raises an error with bad policy event audit value' do
expect{
Puppet::Type.type(:local_security_policy).new(
:name => 'Audit account logon events',
:ensure => 'present',
:policy_setting => "AuditAccountLogon",
:policy_type => "Event Audit",
:policy_value => 'Success,Failure',
)}.to raise_error(Puppet::ResourceError)
end
it 'raises an error with with bad value for Administrator account status' do
expect {
Puppet::Type.type(:local_security_policy).new(
:name => 'Administrator account status',
:ensure => present,
:policy_setting => 'EnableAdminAccount',
:policy_type => 'System Access',
:policy_value => '0'
)
}.to raise_error(Puppet::ResourceError)
end
end
end

10
modules/utilities/windows/system/local_security_policy/tests/init.pp Normal file
View File

@@ -0,0 +1,10 @@
local_security_policy { 'Allow log on locally':
ensure => 'present',
policy_value => 'Administrators, Users',
}
local_security_policy { 'Maximum password age':
ensure => 'present',
policy_value => '90',
}

46
modules/utilities/windows/system/parameterised_accounts/manifests/account.pp Normal file
View File

@@ -0,0 +1,46 @@
define parameterised_accounts::account (
$username,
$password,
$super_user,
$strings_to_leak,
$leaked_filenames,
$data_to_leak = []
) {
# Add user account
if $super_user {
$groups = ['Users','Administrators']
} else {
$groups = ['Users']
}
user { $username:
name => $username,
ensure => present,
groups => $groups,
password => $password,
managehome => true,
} ->
# Leak strings in a text file in the users home directory
::secgen_functions::leak_files { "$username-file-leak":
storage_directory => "C:/Users/$username/Desktop",
strings_to_leak => $strings_to_leak,
leaked_filenames => $leaked_filenames,
owner => $username,
group => $username,
mode => '0444',
leaked_from => "accounts_$username",
}
unless $data_to_leak == undef or $data_to_leak == [] or $data_to_leak == [''] {
::secgen_functions::leak_data { "$username-data-leak":
storage_directory => "C:/Users/$username/Desktop",
data_to_leak => $data_to_leak,
owner => $username,
group => $username,
mode => '0444',
leaked_from => "accounts_$username",
}
}
}

27
modules/utilities/windows/system/parameterised_accounts/manifests/init.pp Normal file
View File

@@ -0,0 +1,27 @@
class parameterised_accounts::init {
$secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
$accounts = $secgen_parameters['accounts']
local_security_policy { 'Password must meet complexity requirements':
ensure => present,
policy_value => 'Disabled',
}
if $accounts {
notice($accounts)
$accounts.each |$raw_account| {
$account = parsejson($raw_account)
$username = $account['username']
parameterised_accounts::account { "parameterised_$username":
username => $username,
password => $account['password'],
super_user => str2bool($account['super_user']),
strings_to_leak => $account['strings_to_leak'],
leaked_filenames => $account['leaked_filenames'],
data_to_leak => $account['data_to_leak'],
}
}
}
}

1
modules/utilities/windows/system/parameterised_accounts/parameterised_accounts.pp Normal file
View File

@@ -0,0 +1 @@
require parameterised_accounts::init

32
modules/utilities/windows/system/parameterised_accounts/secgen_metadata.xml Normal file
View File

@@ -0,0 +1,32 @@
<?xml version="1.0"?>
<utility xmlns="http://www.github/cliffe/SecGen/utility"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/utility">
<name>Parameterised Accounts Module</name>
<author>Thomas Shaw</author>
<author>Puppet Labs</author>
<module_license>Apache v2</module_license>
<description>Parameterised user account creation and modification. Adds an account with a strong randomly generated password
by default.
</description>
<type>system</type>
<platform>windows</platform>
<!--optional details-->
<reference>https://forge.puppet.com/puppetlabs/accounts</reference>
<read_fact>accounts</read_fact>
<conflict>
<module_path>bases/(debian|kali|ubuntu).*</module_path>
</conflict>
<requires>
<module_path>.*local_security_policy</module_path>
</requires>
</utility>

2
scenarios/default_scenario.xml
View File

@@ -7,7 +7,7 @@
<!-- an example remote storage system, with a remotely exploitable vulnerability that can then be escalated to root -->
<system>
<system_name>escalation</system_name>
<base distro="Debian" type="server"/>
<base distro="Debian 9" type="server"/>
<vulnerability privilege="user_rwx" access="remote" />
<vulnerability privilege="root_rwx" access="local" />

66
scenarios/examples/windows_scenario_accounts.xml Normal file
View File

@@ -0,0 +1,66 @@
<?xml version="1.0"?>
<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
<!-- an example remote storage system, with a remotely exploitable vulnerability that can then be escalated to root -->
<system>
<system_name>storage_server</system_name>
<!--<base platform="windows" name="Windows 2008 Virtualbox puppet 32"/>-->
<base platform="windows" name="Windows 2008 Virtualbox puppet 64"/>
<input into_datastore="emails">
<generator type="email_address"/>
<generator type="email_address"/>
<generator type="email_address"/>
<generator type="email_address"/>
<generator type="email_address"/>
<generator type="email_address"/>
<generator type="email_address"/>
</input>
<utility module_path=".*parameterised_accounts" platform="windows">
<input into="accounts" into_datastore="accounts">
<generator type="account">
<input into="username">
<value>challenger</value>
</input>
<input into="password">
<value>hello</value>
</input>
<input into="super_user">
<value>false</value>
</input>
<input into="strings_to_leak">
<value>This is a test</value>
</input>
<input into="leaked_filenames">
<value>test.txt</value>
</input>
</generator>
<generator type="account">
<input into="username">
<value>challenger2</value>
</input>
<input into="password">
<value>tiaspbiqe2r</value>
</input>
<input into="super_user">
<value>false</value>
</input>
<input into="strings_to_leak">
<<datastore>emails</datastore>
</input>
<input into="leaked_filenames">
<value>test.txt</value>
</input>
</generator>
</input>
</utility>
<network type="private_network" range="dhcp"/>
</system>
</scenario>