1 #!powershell
2 
3 # Copyright: (c) 2017, Noah Sparks <nsparks@outlook.com>
4 # Copyright: (c) 2017, Ansible Project
5 # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
6 
7 #Requires -Module Ansible.ModuleUtils.Legacy
8 #Requires -Module Ansible.ModuleUtils.CommandUtil
9 
# Abort on the first cmdlet error; Ansible surfaces the exception as a module failure.
$ErrorActionPreference = 'Stop'

# Module arguments handed over by Ansible. Check mode is supported: the /set step
# further down is skipped when _ansible_check_mode is true.
$params = Parse-Args -arguments $args -supports_check_mode $true
$check_mode = Get-AnsibleParam -obj $params -name "_ansible_check_mode" -type "bool" -default $false

# Result object passed to Exit-Json / Fail-Json; 'changed' only flips after the policy differs.
$results = @{ changed = $false }
18 
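######################################
### populate sets for -validateset ###
######################################
# The category / subcategory names accepted from the playbook are restricted to
# whatever auditpol itself enumerates on this host. Those names are later
# interpolated into an auditpol command line, so this enumeration is what keeps
# that string-built command free of arbitrary user-controlled text.
$categories_rc = Run-Command -command 'auditpol /list /category /r'
$subcategories_rc = Run-Command -command 'auditpol /list /subcategory:* /r'

If ($categories_rc.item('rc') -ne 0)
{
    # Run-Command reports failure via rc/stderr, not an exception, so $_ is not set
    # here; surface auditpol's own stderr instead.
    Fail-Json -obj $results -message "Failed to retrieve audit policy categories (rc=$($categories_rc.item('rc'))). Please make sure the auditpol command is functional on the system and that the account ansible is running under is able to retrieve them. $($categories_rc.item('stderr'))"
}
$categories = ConvertFrom-Csv $categories_rc.item('stdout') | Select-Object -expand Category*
If (-not $categories)
{
    # An empty validation set would leave the category parameter effectively
    # unvalidated before it reaches the auditpol command line.
    Fail-Json -obj $results -message "auditpol returned no audit policy categories; cannot validate the category parameter."
}

If ($subcategories_rc.item('rc') -ne 0)
{
    Fail-Json -obj $results -message "Failed to retrieve audit policy subcategories (rc=$($subcategories_rc.item('rc'))). Please make sure the auditpol command is functional on the system and that the account ansible is running under is able to retrieve them. $($subcategories_rc.item('stderr'))"
}
# The /subcategory:* listing also contains the parent category rows; drop those
# so the two validation sets are disjoint.
$subcategories = ConvertFrom-Csv $subcategories_rc.item('stdout') | Select-Object -expand Category* |
    Where-Object { $_ -notin $categories }
If (-not $subcategories)
{
    Fail-Json -obj $results -message "auditpol returned no audit policy subcategories; cannot validate the subcategory parameter."
}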
45 
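######################
### ansible params ###
######################
# category / subcategory are validated against the names auditpol enumerated
# above; that validation is what makes their later interpolation into the
# 'auditpol /set' and 'auditpol /get' command lines safe. Exactly one of the two
# must be supplied (checked in the Validate section).
$category = Get-AnsibleParam -obj $params -name "category" -type "str" -ValidateSet $categories
$subcategory = Get-AnsibleParam -obj $params -name "subcategory" -type "str" -ValidateSet $subcategories
# audit_type: list of 'success' / 'failure' / 'none' (validated below). It is
# mandatory - without it no /set command can be built - so -failifempty is $true.
$audit_type = Get-AnsibleParam -obj $params -name "audit_type" -type "list" -failifempty $true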
52 
53 ########################
54 ### Start Processing ###
55 ########################
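Function Get-AuditPolicy ($GetString) {
    <#
    .SYNOPSIS
    Runs an 'auditpol /get ... /r' command and returns the current policy as a hashtable.
    .PARAMETER GetString
    Complete auditpol command line to run. It must include /r so the output is CSV.
    .OUTPUTS
    Hashtable keyed by lower-cased subcategory name; each value is the lower-cased
    "Inclusion Setting" column (e.g. 'success and failure', 'no auditing').
    .NOTES
    Fails the module when auditpol exits non-zero. Returning the stderr text in
    place of the hashtable (the previous behaviour) let the caller's idempotence
    check mistake a failed read for "already configured".
    #>
    $auditpolcsv = Run-Command -command $GetString
    If ($auditpolcsv.item('rc') -ne 0)
    {
        Fail-Json -obj $results -message "Failed to read audit policy with '$GetString' (rc=$($auditpolcsv.item('rc'))): $($auditpolcsv.item('stderr'))"
    }

    $rows = ConvertFrom-CSV $auditpolcsv.item('stdout') |
        Select-Object @{n='subcategory';e={$_.Subcategory.ToLower()}},
                      @{n='audit_type';e={$_."Inclusion Setting".ToLower()}}

    $HT = @{}
    Foreach ($row in $rows)
    {
        # Add() throws on a duplicate subcategory name, which auditpol is not
        # expected to emit for a single host; a throw here is a real anomaly.
        $HT.Add($row.subcategory, $row.audit_type)
    }
    $HT
}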
74 
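################
### Validate ###
################

# Exactly one of category / subcategory must be given: the /set and /get command
# lines below take one or the other, never both.
If (-Not $category -and -Not $subcategory) {Fail-Json -obj $results -message "You must provide either a Category or Subcategory parameter"}
If ($category -and $subcategory) {Fail-Json -obj $results -message "Must pick either a specific subcategory or category. You cannot define both"}

# Each audit_type entry must be one of these values (case-insensitive, as -notin
# is). Whether the *combination* makes sense is checked when the /set flags are
# built. Fail-Json is given $results - the script never defines a bare $result.
$possible_audit_types = 'success','failure','none'
$audit_type | ForEach-Object {
    If ($_ -notin $possible_audit_types)
    {
        Fail-Json -obj $results -message "$_ is not a valid audit_type. Please choose from $($possible_audit_types -join ',')"
    }
}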
91 
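#############################################################
### build lists for setting, getting, and comparing rules ###
#############################################################
# Normalise the requested audit types so the switch below does not depend on list
# order or letter case. Sorting descending yields 'success and failure', which is
# also the exact wording auditpol uses in its "Inclusion Setting" column, so the
# same string doubles as the idempotence comparison value.
$audit_type_string = ($audit_type | ForEach-Object { $_.ToLower() } | Sort-Object -Descending) -join ' and '

$SetString = 'auditpol /set'
$GetString = 'auditpol /get /r'

# $category / $subcategory were validated against the names auditpol enumerated,
# so quoting them into the command line does not expose it to arbitrary input.
If ($category) {$SetString = "$SetString /category:`"$category`""; $GetString = "$GetString /category:`"$category`""}
If ($subcategory) {$SetString= "$SetString /subcategory:`"$subcategory`""; $GetString = "$GetString /subcategory:`"$subcategory`""}

# $audit_type_check is the value every subcategory's current "Inclusion Setting"
# must equal for the policy to count as already applied. 'none' is a special
# case: auditpol reports a fully disabled subcategory as 'No Auditing'.
Switch ($audit_type_string)
{
    'success and failure' {$SetString = "$SetString /success:enable /failure:enable"; $audit_type_check = $audit_type_string}
    'failure' {$SetString = "$SetString /success:disable /failure:enable"; $audit_type_check = $audit_type_string}
    'success' {$SetString = "$SetString /success:enable /failure:disable"; $audit_type_check = $audit_type_string}
    'none' {$SetString = "$SetString /success:disable /failure:disable"; $audit_type_check = 'No Auditing'}
    # Anything else (e.g. 'none' combined with another value, or duplicates) is rejected.
    default {Fail-Json -obj $results -message "It seems you have specified an invalid combination of items for audit_type. Please review documentation"}
}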
112 
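#########################
### check Idempotence ###
#########################

$CurrentRule = Get-AuditPolicy $GetString

# Only a populated hashtable is a valid read. A non-hashtable (e.g. stderr text)
# or an empty table has no .Values, and the Where-Object filter below would then
# come back empty - which reads as "everything already matches". Fail instead.
If ($CurrentRule -isnot [hashtable] -or $CurrentRule.Count -eq 0)
{
    Fail-Json -obj $results -message "Unable to read the current audit policy with '$GetString': $CurrentRule"
}

# Nothing to do when every subcategory in the selected scope already carries the
# requested setting. Reuse the table we just read rather than querying auditpol again.
If (-not ($CurrentRule.Values | Where-Object {$_ -ne $audit_type_check}) )
{
    $results.current_audit_policy = $CurrentRule
    Exit-Json -obj $results
}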
125 
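####################
### Apply Change ###
####################

# In check mode the /set is skipped but 'changed' is still reported, because the
# idempotence check above has already established that the policy differs.
If (-not $check_mode)
{
    $ApplyPolicy = Run-Command -command $SetString

    If ($ApplyPolicy.Item('rc') -ne 0)
    {
        # Run-Command signals failure through rc/stderr rather than an exception,
        # so $_ carries nothing useful here; report auditpol's own error text.
        $results.current_audit_policy = Get-AuditPolicy $GetString
        Fail-Json -obj $results -message "Failed to set audit policy with '$SetString' (rc=$($ApplyPolicy.Item('rc'))): $($ApplyPolicy.Item('stderr'))"
    }
}

$results.changed = $true
# Re-read so the caller sees the policy as auditpol reports it after the change.
$results.current_audit_policy = Get-AuditPolicy $GetString
Exit-Json -obj $results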