-
Notifications
You must be signed in to change notification settings - Fork 12
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Settings of auditpolicydsc are overwritten by puppetized securitypolicydsc #131
Comments
@norbertstoll what version of Just to clarify the manifests, this is an accurate test, correct? dsc_auditpolicysubcategory {'Audit_SystemIntegrity_Success':
dsc_name => 'System Integrity',
dsc_ensure => 'Present',
dsc_auditflag => 'Failure',
}
dsc_userrightsassignment {'SecPol_ChangeSystemTime':
dsc_policy => 'Change_the_system_time',
dsc_identity => ['domain\username'],
} If so, I'll begin experimenting to see if I can run this down. I may need to pair with you to see things live in your environment and walk you through some debugging to figure out exactly what's going on and file a fix (likely in ruby-pwsh/pwshlib where the base provider lives) SecurityPolicyDsc BugsYou may be running into bugs in SecurityPolicyDsc which cause flapping, two of which I've submitted upstream fixes for - one merged, one not, but neither of them in a released non-preview version. |
what do you mean by 'accurate'? The values are set correct as long as AuditPolicy isn't combined with SecurityPolicyDsc. AuditPolicyDsc-settings will be applied during a run of puppet agent but as soon as settings of SecurityPolicyDsc are being applied they are reset to 'No Auditing'. The example will show this, if that is what you've been asking :) Isolated use of AuditPolicyDsc does work as expected, however isolated use of SecurityPolicyDsc will show that even in that case all settings will be re-applied at each run of puppet agent - it's always corrective. mod 'puppetlabs-pwshlib', '0.7.4' If you need to see this live in our environment I've to get back to our customer and maybe we need a NDA, hoping this is no problem for you. Kind regards |
Hey @norbertstoll - sorry, I didn't see this notification pop up! Just to be clear, the example manifest I threw together replicates the problem on your end, right? I've got some in-flight work but I can set aside some time to sit with you and pair debug if needed, an NDA is no problem. If not, I'll try to repro this after my current work item wraps. The "always corrective" problem does not surprise me - I had to file two different bugs with that module already because it does not correctly report back all the relevant information. I can try to run that down separately but my initial guess is that there's a goof in the get behavior of the |
EDIT: I was already wondering what has happened to my testing environment but didn't analyze in depth. Seems like I've been in some kind of easter trance ;) Sorry for the delay! Now it's been me. There's way too much work to do and this important piece of it had to wait. We updated all required modules. I tested a lot last week and this is how it looks like right now: mod 'puppetlabs-pwshlib', '0.8.0'
mod 'dsc-auditpolicydsc', '1.4.0-0-2'
mod 'dsc-securitypolicydsc', '2.10.0-0-2'
---
classes:
include:
- 'profile::dsc::auditpolicy'
- 'profile::dsc::securitypolicy'
profile::dsc::auditpolicy::auditpolicysubcategory:
'Audit_SystemIntegrity_Success':
dsc_name: 'System Integrity'
dsc_ensure: 'Present'
dsc_auditflag: 'Failure'
'Audit_CredentialValidation_Success':
dsc_name: 'Credential Validation'
dsc_ensure: 'Present'
dsc_auditflag: 'Success'
'Audit_ComputerAccountManagement_Success':
dsc_name: 'Computer Account Management'
dsc_ensure: 'Present'
dsc_auditflag: 'Failure'
'Audit_Logon_Success':
dsc_name: 'Logon'
dsc_ensure: 'Present'
dsc_auditflag: 'Success'
profile::dsc::securitypolicy::securityoption:
'SecPol_AuditPolicySubcategories':
dsc_name: 'AccountSecurityOptions'
dsc_audit_force_audit_policy_subcategory_settings_windows_vista_or_later_to_override_audit_policy_category_settings: 'Enabled'
profile::dsc::securitypolicy::userrightsassignment:
'SecPol_ChangeSystemTime':
dsc_policy: 'Change_the_system_time'
dsc_identity: ['domain\user']
'SecPol_DenyLogOnAsBatchJob':
dsc_policy: 'Deny_log_on_as_a_batch_job'
dsc_identity: ['domain\user']
Note: all audit policy- and security policy settings have been applied as expected.
Note: audit policy-settings are being kept(!), this has changed and has been probably been fixed by a new version of pwshlib(?). So with one issue being resolved, the 'always corrective'-bug remains. Kind regards, |
I updated puppet agent to 6.23.0, pwshlib 0.9.0 and each module (auditpolicydsc, securitypolicydsc, gpregistrypolicysdc) to its most recent version. I still see the same issues:
Am I impatient or is there anything I can do to get things fixed with those new releases? Kind regards, |
please tell me if you need any code excerpts, testing on my side or if a remote session would make sense. I was hoping this issue will be fixed with those recently released versions of puppet agent for windows, pwshlib etc. but right now I'm getting under pressure finding a solution since we need this stuff. Otherwise I'd have to switch over to the usage of "native PowerShell DSC-Modules" including distribution of DSC-Modules via software-repository to the member servers what I'd really like to avoid :) |
@norbertstoll does using the new Can you share the output from a puppet run with the |
Thanks a lot! That was almost a live saver ;) Regards, |
\o/ Awesome! That's why we implemented the functionality 😂 😭 |
Describe the Bug
If using settings of puppetized auditpolicydsc and puppetized securitypolicy at the same time, auditpolicydsc-settings are being reset during run of puppet agent.
Checking auditpolicy via 'auditpol /get /category:*' while puppet agent is applying its settings shows, that as soon as settings of securitypolicy are applied any audit policy-config is set to 'No Auditing'.
This is not happening while using puppetized auditpolicydsc in combination with dsc_lite-module of securitypolicy - with the limitation, it's only kept after a second run of puppet agent.
Also:
Settings of puppetized securitypolicy will always be re-applied/corrective. Independent of usage with auditpolicy or any module.
Notes:
ALL domain based policy are not being applied by blocked inheritance of GPOs.
However registry key SCENoApplyLegacyAuditPolicy is to '0', but this hasn't any effect either:
https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/security-auditing-settings-not-applied-when-deploy-domain-based-policy
Expected Behavior
Settings of puppetized auditpolicydsc and puppetized securitypolicy remain as expected/defined after end of run of puppet agent.
Steps to Reproduce
We use hiera, so here's a part the relevant part of code.
The following config will end up having 'System Integrity' being set to 'No Auditing' (while 'Failure' should be set):
auditpolicydsc::auditpolicysubcategory:
'Audit_SystemIntegrity_Success':
dsc_name: 'System Integrity'
dsc_ensure: 'Present'
dsc_auditflag: 'Failure'
securitypolicydsc::userrightsassignment:
'SecPol_ChangeSystemTime':
dsc_policy: 'Change_the_system_time'
dsc_identity: ['domain\username']
The following change to 'SecPol_ChangeSystemTime' by using local PowerShell DSC-resources on the Windows-Server itself will keep audit policy settings after a second run of puppet agent:
Change security policy settings
'SecPol_ChangeSystemTime':
resource_name: 'UserRightsAssignment'
module: 'SecurityPolicyDsc'
properties:
policy: 'Change_the_system_time'
identity: ['domain\username']
Environment
PS C:> Get-Module puppet -ListAvailable | Select Name, Version
Name Version
Puppet.Dsc 0.4.0
PuppetDevelopmentKit 1.18.1
puppetserver --version
puppetserver version: 6.14.1
2.10.0-0-2 of https://forge.puppet.com/modules/dsc/securitypolicydsc
1.4.0-0-2 of https://forge.puppet.com/modules/dsc/auditpolicydsc
The text was updated successfully, but these errors were encountered: