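#!powershell

# Copyright: (c) 2017, Noah Sparks <nsparks@outlook.com>
# Copyright: (c) 2017, Ansible Project
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)

#Requires -Module Ansible.ModuleUtils.Legacy
#Requires -Module Ansible.ModuleUtils.CommandUtil

# Sets the Windows audit policy for one category OR one subcategory by
# driving auditpol.exe, and reports the resulting policy back to Ansible.
#
# Flow: list the valid categories/subcategories -> validate the module
# parameters against them -> read the current policy -> exit unchanged when it
# already matches -> otherwise apply it (skipped in check mode).
#
# Security notes for maintainers:
#   * audit_type 'none' (and the disable half of 'success'/'failure') turns
#     logging OFF for the selected scope, so a playbook change here reduces
#     detection coverage. Windows records audit policy changes as Security
#     event 4719, which is worth alerting on independently of this module.
#   * The auditpol command lines are built by string interpolation. The only
#     caller-supplied text interpolated is category/subcategory, and both are
#     restricted by -ValidateSet to names that auditpol itself listed. Keep
#     that allow-list in place if this code is refactored.

$ErrorActionPreference = 'Stop'

$params = Parse-Args -arguments $args -supports_check_mode $true
$check_mode = Get-AnsibleParam -obj $params -name "_ansible_check_mode" -type "bool" -default $false

$results = @{
    changed = $false
}

######################################
### populate sets for -validateset ###
######################################
# /r asks auditpol for CSV output, which ConvertFrom-Csv parses below.
$categories_rc = Run-Command -command 'auditpol /list /category /r'
$subcategories_rc = Run-Command -command 'auditpol /list /subcategory:* /r'

If ($categories_rc.item('rc') -eq 0)
{
    $categories = ConvertFrom-Csv $categories_rc.item('stdout') | Select-Object -expand Category*
}
Else
{
    # There is no caught exception in scope here, so report what the command
    # wrote to stderr rather than $_.Exception.Message (which would be empty).
    Fail-Json -obj $results -message "Failed to retrieve audit policy categories. Please make sure the auditpol command is functional on the system and that the account ansible is running under is able to retrieve them. $($categories_rc.item('stderr'))"
}

If ($subcategories_rc.item('rc') -eq 0)
{
    # The subcategory listing also contains the category names; drop them so
    # the subcategory allow-list holds subcategories only.
    $subcategories = ConvertFrom-Csv $subcategories_rc.item('stdout') | Select-Object -expand Category* |
    Where-Object {$_ -notin $categories}
}
Else
{
    Fail-Json -obj $results -message "Failed to retrieve audit policy subcategories. Please make sure the auditpol command is functional on the system and that the account ansible is running under is able to retrieve them. $($subcategories_rc.item('stderr'))"
}

######################
### ansible params ###
######################
# category/subcategory are accepted only if they appear in the lists above.
$category = Get-AnsibleParam -obj $params -name "category" -type "str" -ValidateSet $categories
$subcategory = Get-AnsibleParam -obj $params -name "subcategory" -type "str" -ValidateSet $subcategories
# The original passed a bare "-" as the value of -failifempty, which only
# worked because a non-empty string is truthy; pass $true explicitly.
$audit_type = Get-AnsibleParam -obj $params -name "audit_type" -type "list" -failifempty $true

########################
### Start Processing ###
########################
# Runs the given auditpol query and returns the current settings.
#
# Arguments: $GetString - the full "auditpol /get /r ..." command line.
# Returns:   on rc 0, a hashtable mapping lower-cased subcategory name to
#            lower-cased "Inclusion Setting"; on any other rc, the command's
#            stderr text (a string, NOT a hashtable). Callers that make a
#            decision from the result must check the type first.
Function Get-AuditPolicy ($GetString) {
    $auditpolcsv = Run-Command -command $GetString
    If ($auditpolcsv.item('rc') -eq 0)
    {
        $Obj = ConvertFrom-CSV $auditpolcsv.item('stdout') | Select-Object @{n='subcategory';e={$_.Subcategory.ToLower()}},
        @{n='audit_type';e={$_."Inclusion Setting".ToLower()}}
    }
    Else {
        return $auditpolcsv.item('stderr')
    }

    $HT = @{}
    Foreach ( $Item in $Obj )
    {
        $HT.Add($Item.subcategory,$Item.audit_type)
    }
    $HT
}

################
### Validate ###
################

#make sure category and subcategory are valid
If (-Not $category -and -Not $subcategory) {Fail-Json -obj $results -message "You must provide either a Category or Subcategory parameter"}
If ($category -and $subcategory) {Fail-Json -obj $results -message "Must pick either a specific subcategory or category. You cannot define both"}


$possible_audit_types = 'success','failure','none'
$audit_type | ForEach-Object {
    If ($_ -notin $possible_audit_types)
    {
        # Fixed: the original passed the undefined $result instead of $results.
        Fail-Json -obj $results -message "$_ is not a valid audit_type. Please choose from $($possible_audit_types -join ',')"
    }
}

#############################################################
### build lists for setting, getting, and comparing rules ###
#############################################################
# The switch below matches this joined string literally, so the list must be
# given as 'success','failure' in that order to select both; any other
# combination falls through to the default branch and fails.
$audit_type_string = $audit_type -join ' and '

$SetString = 'auditpol /set'
$GetString = 'auditpol /get /r'

# Safe to interpolate only because both values passed -ValidateSet above.
If ($category) {$SetString = "$SetString /category:`"$category`""; $GetString = "$GetString /category:`"$category`""}
If ($subcategory) {$SetString= "$SetString /subcategory:`"$subcategory`""; $GetString = "$GetString /subcategory:`"$subcategory`""}


# $audit_type_check is the "Inclusion Setting" text expected from auditpol for
# the requested state. Get-AuditPolicy lower-cases what it reads; the mixed
# case 'No Auditing' still matches because -ne is case-insensitive.
Switch ($audit_type_string)
{
    'success and failure' {$SetString = "$SetString /success:enable /failure:enable"; $audit_type_check = $audit_type_string}
    'failure' {$SetString = "$SetString /success:disable /failure:enable"; $audit_type_check = $audit_type_string}
    'success' {$SetString = "$SetString /success:enable /failure:disable"; $audit_type_check = $audit_type_string}
    'none' {$SetString = "$SetString /success:disable /failure:disable"; $audit_type_check = 'No Auditing'}
    # Fixed: the original passed the undefined $result instead of $results.
    default {Fail-Json -obj $results -message "It seems you have specified an invalid combination of items for audit_type. Please review documentation"}
}

#########################
### check Idempotence ###
#########################

$CurrentRule = Get-AuditPolicy $GetString

# Fail closed when the current policy could not be read. Get-AuditPolicy
# returns a stderr string on failure; a string has no .Values, so the
# comparison below would find no mismatches and the module would report the
# policy as already compliant without ever having seen it.
If ($CurrentRule -isnot [hashtable])
{
    Fail-Json -obj $results -message "Failed to read the current audit policy - $CurrentRule"
}

# An empty result has no values to mismatch either, so it would also be
# reported as compliant; treat it as an error instead.
If ($CurrentRule.Count -eq 0)
{
    Fail-Json -obj $results -message "The audit policy query returned no entries, so the current state cannot be verified"
}

#exit if the audit_type is already set properly for the category
If (-not ($CurrentRule.Values | Where-Object {$_ -ne $audit_type_check}) )
{
    $results.current_audit_policy = Get-AuditPolicy $GetString
    Exit-Json -obj $results
}

####################
### Apply Change ###
####################

If (-not $check_mode)
{
    $ApplyPolicy = Run-Command -command $SetString

    If ($ApplyPolicy.Item('rc') -ne 0)
    {
        $results.current_audit_policy = Get-AuditPolicy $GetString
        # No exception is in scope here; report auditpol's stderr instead.
        Fail-Json -obj $results -message "Failed to set audit policy - $($ApplyPolicy.Item('stderr'))"
    }
}

# In check mode nothing was applied: changed is still reported as true and
# current_audit_policy shows the policy as it is on the host now.
$results.changed = $true
$results.current_audit_policy = Get-AuditPolicy $GetString
Exit-Json -obj $results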