ayohrling / local_security_policy

Apache License 2.0

Incorrect Data Comparison #109

Open TheITRx opened 3 years ago

TheITRx commented 3 years ago

I have a bunch of policies where, on every Puppet run, it thinks that I have an incorrect config on my computer.

For example, for the default local administrator (Accounts: Rename administrator account), Puppet thinks I don't have the correct config, thus telling me it's doing a corrective change on Puppet runs. This happens even though I have the correct existing configuration. The configs are there, but it thinks they are not. It is a huge issue when generating reports on the PE console.

Puppet Run Result:

Notice: /Stage[main]/path::to::cis::Localsecuritypolicy/Local_security_policy[Audit account logon events]/policy_value: policy_value changed '0' to 3 (corrective)
Notice: /Stage[main]/path::to::cis::Localsecuritypolicy/Local_security_policy[Audit system events]/policy_value: policy_value changed '0' to 3 (corrective)
Notice: /Stage[main]/path::to::cis::Localsecuritypolicy/Local_security_policy[Accounts: Rename administrator account]/policy_value: policy_value changed '"aimlocaladmin"' to 'aimlocaladmin' (corrective)
Notice: /Stage[main]/path::to::cis::Localsecuritypolicy/Local_security_policy[Accounts: Rename guest account]/policy_value: policy_value changed '"aimguest"' to 'aimguest' (corrective)
Notice: /Stage[main]/path::to::cis::Localsecuritypolicy/Local_security_policy[Access Credential Manager as a trusted caller]/ensure: created (corrective)
Notice: /Stage[main]/path::to::cis::Localsecuritypolicy/Local_security_policy[Create a token object]/ensure: created (corrective)
Notice: /Stage[main]/path::to::cis::Localsecuritypolicy/Local_security_policy[Modify an object label]/ensure: created (corrective)
Notice: /Stage[main]/path::to::cis::Localsecuritypolicy/Local_security_policy[Act as part of the operating system]/ensure: created (corrective)
Notice: /Stage[main]/path::to::cis::Localsecuritypolicy/Local_security_policy[Create permanent shared objects]/ensure: created (corrective)
Notice: /Stage[main]/path::to::cis::Localsecuritypolicy/Local_security_policy[Create symbolic links]/ensure: created (corrective)
Notice: /Stage[main]/path::to::cis::Localsecuritypolicy/Local_security_policy[Lock pages in memory]/ensure: created (corrective)
Notice: /Stage[main]/path::to::cis::Localsecuritypolicy/Local_security_policy[Enable computer and user accounts to be trusted for delegation]/ensure: created (corrective)

TheITRx commented 3 years ago

We have User Rights local policies that we set to empty in accordance with CIS controls. It looks like the module does an incorrect comparison between what's empty in the current setting and what's empty in the manifest.

This is my hiera data:

    Lock pages in memory:
      Description: (L1) Ensure 'Lock pages in memory' is set to 'No One'
      ensure: present
      policy_value:

Nwolford51 commented 3 years ago

We are having the same issue:

Notice: /Stage[main]/Oss::Profile::Base::Localadmins/Local_security_policy[Accounts: Rename administrator account]/policy_value: policy_value changed '"username"' to 'username' (corrective)
Notice: Applied catalog in 377.28 seconds

It evaluates the admin account every run even though it is set correctly. We were able to get around setting the Guest account by using odd syntax to account for the '"Guest"' quotes.

    local_security_policy { 'Accounts: Rename guest account':
      ensure       => 'present',
      policy_value => '"nobody"',
      before       => Dsc_user['nobody'],
    }

Any advice on how to get around it in the Accounts: Rename administrator account: setting when using a parameter as the name?

    local_security_policy { 'Accounts: Rename administrator account':
      ensure       => 'present',
      policy_value => $domain_username,
      before       => Dsc_user[$domain_username],
    }

canihavethisone commented 2 years ago

@Nwolford51

I overcame this issue (which affects both administrator and guest account names) by using additional quotes on an in-hiera lookup. I think this may be more of an issue with Windows than the module, though potentially the module could mitigate it. In the meantime the below works fine:

  'Accounts: Rename administrator account':
    policy_value: '"%{lookup("windows::disabled_administrator_newname")}"'

  'Accounts: Rename guest account':
    policy_value: '"%{lookup("windows::disabled_guest_newname")}"'

Re your question on working around it when using a parameter in a manifest, perhaps the following (or a variation of it) may work? Though I think lint checks may flag it.

    policy_value => '"${domain_username}"',
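The two mismatches reported in this thread (a string policy that secedit reports wrapped in double quotes, and a user right assigned to "No One" that is absent or empty) both come down to how the current value is normalised before it is compared with the manifest. The following is an added example, not code from the local_security_policy module or its author: a small Ruby comparison helper that parses a constructed secedit-style export, strips one pair of surrounding quotes from string policies, and treats an absent, empty or reordered user-rights list as equivalent. The export text, the `parse_secedit`/`policy_in_sync?`/`drift` names and the policy-kind labels are all assumptions made for the illustration.

```ruby
# Added example, not part of the local_security_policy module.
# Assumption: secedit export lines look like 'Key = value', string values
# in [System Access] are wrapped in double quotes, and a user right
# granted to "No One" is either absent from the export or has an empty value.

# Constructed sample of a secedit /export, not a real capture.
SAMPLE_EXPORT = <<~INF
  [System Access]
  NewAdministratorName = "aimlocaladmin"
  NewGuestName = "aimguest"
  [Privilege Rights]
  SeCreateTokenPrivilege =
  SeDenyNetworkLogonRight = *S-1-5-32-546,*S-1-5-32-544
INF

# Parse 'Key = value' lines into a hash; section headers are skipped.
def parse_secedit(text)
  text.each_line.with_object({}) do |line, acc|
    stripped = line.strip
    next if stripped.empty? || stripped.start_with?('[')
    key, _sep, value = stripped.partition('=')
    acc[key.strip] = value.strip
  end
end

# secedit writes string policies as "value"; strip exactly one matching
# pair of double quotes so '"aimlocaladmin"' and 'aimlocaladmin' agree.
def strip_secedit_quotes(value)
  s = value.to_s.strip
  if s.length >= 2 && s.start_with?('"') && s.end_with?('"')
    s[1..-2]
  else
    s
  end
end

# User rights are comma-separated account/SID lists: order is irrelevant,
# and nil (key absent) or '' both mean "No One".
def normalize_user_rights(value)
  return [] if value.nil?
  value.to_s.split(',').map(&:strip).reject(&:empty?).sort
end

# Compare a current (exported) value with a desired (manifest) value.
def policy_in_sync?(kind, current, desired)
  case kind
  when :string      then strip_secedit_quotes(current) == strip_secedit_quotes(desired)
  when :user_rights then normalize_user_rights(current) == normalize_user_rights(desired)
  when :integer     then current.to_s.strip.to_i == desired.to_s.strip.to_i
  else                   current.to_s.strip == desired.to_s.strip
  end
end

# Return the keys that genuinely need a corrective change.
def drift(export_text, desired)
  current = parse_secedit(export_text)
  desired.reject { |key, (kind, value)| policy_in_sync?(kind, current[key], value) }.keys
end

# Desired state mirroring the thread: plain and quoted admin/guest names,
# user rights set to "No One" as nil or '', and a reordered SID list.
DESIRED = {
  'NewAdministratorName'    => [:string, 'aimlocaladmin'],
  'NewGuestName'            => [:string, '"aimguest"'],
  'SeCreateTokenPrivilege'  => [:user_rights, nil],
  'SeLockMemoryPrivilege'   => [:user_rights, ''],
  'SeDenyNetworkLogonRight' => [:user_rights, '*S-1-5-32-544, *S-1-5-32-546'],
}

puts "Policies needing change: #{drift(SAMPLE_EXPORT, DESIRED).inspect}"
```

With this normalisation every entry in `DESIRED` compares as in sync, so none of the spurious corrective notices from the thread would be reported, while a real difference (for example a guest account name that does not match) still shows up in the drift list.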