
fix: improve task reliability for security audit and anonymous enum roles #118

Merged
l50 merged 3 commits into main from fix/ansible-async-and-secedit-paths
Apr 16, 2026


@l50 l50 commented Apr 16, 2026

Key Changes:

  • Enabled asynchronous execution with polling for SACL configuration tasks
  • Increased timeout and polling intervals to handle long-running folder audits
  • Corrected database path for secedit in anonymous enum policy application

Added:

  • Asynchronous execution with a 30-second poll and 30-minute timeout for SACL
    configuration tasks in security audit policy role, improving reliability on
    slow systems or large datasets

Changed:

  • SACL configuration for SYSVOL, NETLOGON, and custom audit folders now uses
    async and poll parameters to avoid timeouts and provide better status
    tracking in Ansible
  • LSAAnonymousNameLookup policy application updates the database path to
    C:\Windows\Temp\secedit-anon.sdb and removes the /overwrite flag to
    prevent conflicts and improve idempotency

@dreadnode-renovate-bot dreadnode-renovate-bot Bot added the area/roles Changes made to Ansible roles label Apr 16, 2026
@l50 l50 changed the title ``` fix: improve task reliability for security audit and anonymous enum roles Apr 16, 2026
…cy tasks

**Changed:**

- Added async and poll options to long-running SACL configuration tasks in
  security_audit_policy role to prevent timeouts and improve reliability
- Updated secedit command in vulns_anonymous_enum role to use a temp
  database path, preventing potential conflicts with system database and
  aligning with best practices for policy application
@l50 l50 force-pushed the fix/ansible-async-and-secedit-paths branch from e6b36bb to 5eb44ca Compare April 16, 2026 21:37

ci: support merge_group event in terratest workflow base ref selection

**Added:**

- Added handling for the `merge_group` event by setting `MERGE_GROUP_BASE_SHA`
  and updating base ref logic to use it when appropriate in the terratest
  workflow

@dreadnode-renovate-bot dreadnode-renovate-bot Bot added the area/github Changes made to github actions label Apr 16, 2026

**Added:**

- Set `DisableForceUnload` registry key to prevent forced user registry unload
  and fix Windows Update Agent error 0x800703FA in base playbooks and
  settings_updates role

**Changed:**

- Documented the new registry tweak in settings_updates/README.md under
  main.yml tasks
- Updated playbook file reference in get-playbook-files.sh to use
  settings_updates/tasks/main.yml instead of default.yml

**Removed:**

- Removed settings_updates/tasks/default.yml and its tasks, consolidating
  update logic under main.yml
@dreadnode-renovate-bot dreadnode-renovate-bot Bot added area/scripts Changes made to utility scripts area/playbooks Changes made to playbooks directory labels Apr 16, 2026
@l50 l50 merged commit 7b1c1d9 into main Apr 16, 2026
8 checks passed
@l50 l50 deleted the fix/ansible-async-and-secedit-paths branch April 16, 2026 22:28
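
An added example, not taken from this repository: Ansible tasks shaped like the changes the PR description lists (async/poll on a SACL task, and secedit with a scratch database and no /overwrite), followed by a read-only check of the resulting value. The task names, the `audit_folder` and `anon_policy_inf` variables, the audit rule's principal and rights, the `/areas` argument and the export path are assumptions.

```yaml
# Added example: names, variables and rule contents are assumptions.
- name: Configure SACL on an audited folder (slow on large trees)
  ansible.windows.win_shell: |
    $path = '{{ audit_folder }}'        # hypothetical variable, e.g. the SYSVOL path
    $acl  = Get-Acl -Path $path -Audit   # -Audit loads the SACL as well as the DACL
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
      'Everyone', 'Write,Delete,ChangePermissions',
      'ContainerInherit,ObjectInherit', 'None', 'Success,Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $path -AclObject $acl
  async: 1800   # 30-minute timeout, as in the PR description
  poll: 30      # poll the background job every 30 seconds

- name: Apply the LSAAnonymousNameLookup template via a scratch database
  # No /overwrite, and a database separate from the system secedit.sdb
  ansible.windows.win_command: >-
    secedit /configure
    /db C:\Windows\Temp\secedit-anon.sdb
    /cfg {{ anon_policy_inf }}
    /areas SECURITYPOLICY

- name: Export the effective policy to verify the applied value
  ansible.windows.win_shell: |
    secedit /export /cfg C:\Windows\Temp\secedit-check.inf /areas SECURITYPOLICY | Out-Null
    (Select-String -Path C:\Windows\Temp\secedit-check.inf -Pattern '^LSAAnonymousNameLookup').Line
  register: anon_lookup
  changed_when: false   # read-only check, never reports a change

- name: Show the value (0 = anonymous SID/name translation disabled)
  ansible.builtin.debug:
    var: anon_lookup.stdout_lines
```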