ayohrling / local_security_policy

Apache License 2.0

SDDL values are not idempotent #108

Closed Andy-Adrian closed 4 years ago

Andy-Adrian commented 4 years ago

Policy values in SDDL format are set properly by the module. When read from the file, the value is truncated at the first semicolon.

Resource definition:

local_security_policy {
  'Network access: Restrict clients allowed to make remote calls to SAM':
    ensure => present,
    policy_value => '1,"O:BAG:BAD:(A;;RC;;;BA)"',
}

Results from secedit /export:

[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictRemoteSAM=1,"O:BAG:BAD:(A;;RC;;;BA)"

Results from puppet apply:

Notice: /Stage[main]/Simp_windows/Local_security_policy[Network access: Restrict clients allowed to make remote calls to SAM]/policy_value: policy_value changed '1,"O:BAG:BAD:(A' to '1,"O:BAG:BAD:(A;;RC;;;BA)"'

Outputting @file_object at the end of read_policy_settings in the provider shows the truncation happening somewhere in there. Contents of @file_object:

[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictRemoteSAM = 1,"O:BAG:BAD:(A
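
Added example, not part of the issue or the module's code: a minimal Ruby reader for secedit-style INF lines that reproduces the truncation reported above and shows a quote-aware alternative. It assumes the cause is a reader that treats `;` as a comment delimiter, which the issue does not confirm; all method names and the second sample key are hypothetical.

```ruby
# Constructed sample; the first value line mirrors the export quoted in the issue.
SAMPLE_INF = <<~'INF'
  [Registry Values]
  MACHINE\System\CurrentControlSet\Control\Lsa\RestrictRemoteSAM=1,"O:BAG:BAD:(A;;RC;;;BA)"
  ; full-line comment (constructed)
  MACHINE\Example\Unquoted=4,1 ; trailing comment (constructed)
INF
SAM_KEY = 'MACHINE\System\CurrentControlSet\Control\Lsa\RestrictRemoteSAM'
DESIRED = '1,"O:BAG:BAD:(A;;RC;;;BA)"'

# Shared INF walker: yields each raw value so the caller chooses the comment rule.
def parse(text)
  section = nil
  result = {}
  text.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?(';')
    if (m = line.match(/\A\[(.+)\]\z/))
      section = m[1]
      next
    end
    key, value = line.split('=', 2)
    next if value.nil? || section.nil?
    (result[section] ||= {})[key.strip] = yield(value.strip)
  end
  result
end

# Assumed failure mode: everything after the first ';' is dropped as a comment.
def parse_naive(text)
  parse(text) { |value| value.split(';', 2).first.to_s.strip }
end

# Quote-aware rule: ';' starts a comment only outside double quotes.
def parse_quote_aware(text)
  parse(text) do |value|
    in_quotes = false
    cut = value.each_char.with_index.find do |ch, _i|
      in_quotes = !in_quotes if ch == '"'
      ch == ';' && !in_quotes
    end
    (cut ? value[0...cut[1]] : value).strip
  end
end

# Idempotency check: the value read back must equal the desired value.
def in_sync?(parsed, key, desired)
  parsed.dig('Registry Values', key) == desired
end
```

With the naive reader the SDDL value never compares equal to the desired one, so every run reports a change even though the policy on the host is already correct.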