dev-sec / chef-windows-hardening

This chef cookbook provides windows hardening configurations for the DevSec Windows baseline profile.
http://dev-sec.io

Cookbook supports only English versions of Windows #48

Open jugatsu opened 5 years ago

jugatsu commented 5 years ago

Describe the bug

When running on a non-English version of Windows (for example, the Russian version), the cookbook fails with Expected process to exit with [0], but received '87'

Expected behavior

The cookbook should support not only the English version of Windows.

Actual behavior

* execute[Account Logon Audit Log] action run

           ================================================================================
           Error executing action `run` on resource 'execute[Account Logon Audit Log]'
           ================================================================================

           Mixlib::ShellOut::ShellCommandFailed
           ------------------------------------
           Expected process to exit with [0], but received '87'
           ---- Begin output of AuditPol /Set /Category:"Account Logon" /Failure:Enable /Success:Enable ----
           STDOUT: €бЇ®«м§®ў ­ЁҐ: AuditPol Є®¬ ­¤  [<Ї®¤Є®¬ ­¤ ><Ї а ¬Ґвал>]

This happens because all categories are hardcoded to English naming.

https://github.com/dev-sec/chef-windows-hardening/blob/master/recipes/audit.rb#L60

execute 'Account Logon Audit Log' do
  command 'AuditPol /Set /Category:"Account Logon" /Failure:Enable /Success:Enable'
  action :run
  not_if { ::File.exist?('C:\accountLogonAudit.lock') }
  notifies :create, 'file[C:\accountLogonAudit.lock]', :immediately
end

Example code

include_recipe 'windows-hardening::default'

OS / Environment

Windows Server 2016 Datacenter Evaluation (Russian)

PS C:\Users\vagrant> Get-WinSystemLocale

LCID             Name             DisplayName
----             ----             -----------
1049             ru-RU            Русский (Россия)

Chef Version

14.13.11

Cookbook Version

0.9.1

Additional context

PS C:\Users\vagrant> auditpol /list /category
Категория или подкатегория
Вход учетной записи
Вход/выход
Доступ к объектам
Доступ к службе каталогов (DS)
Изменение политики
Использование прав
Подробное отслеживание
Система
Учетные записи
PS C:\Users\vagrant> AuditPol /Set /Category:"Вход учетной записи" /Failure:Enable /Success:Enable
Команда выполнена успешно.

As a workaround, we can move the category names to attributes.
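One way to build the command so it does not depend on the display language, as an added example that is not part of the original issue or the cookbook's code: the category is passed by GUID, which auditpol accepts in place of a name, unless a localized name is supplied through an override map and confirmed against the host's own `auditpol /list /category` output. The helper names, the `AUDIT_CATEGORY_GUIDS` table and the `overrides` map (a stand-in for node attributes) are assumptions for illustration.

```ruby
# Added example, not cookbook code. These GUIDs are the fixed Windows audit
# category identifiers; unlike display names they do not vary by language.
AUDIT_CATEGORY_GUIDS = {
  'System'             => '{69979848-797A-11D9-BED3-505054503030}',
  'Logon/Logoff'       => '{69979849-797A-11D9-BED3-505054503030}',
  'Object Access'      => '{6997984A-797A-11D9-BED3-505054503030}',
  'Privilege Use'      => '{6997984B-797A-11D9-BED3-505054503030}',
  'Detailed Tracking'  => '{6997984C-797A-11D9-BED3-505054503030}',
  'Policy Change'      => '{6997984D-797A-11D9-BED3-505054503030}',
  'Account Management' => '{6997984E-797A-11D9-BED3-505054503030}',
  'DS Access'          => '{6997984F-797A-11D9-BED3-505054503030}',
  'Account Logon'      => '{69979850-797A-11D9-BED3-505054503030}'
}.freeze

# Category names this host accepts, parsed from `auditpol /list /category`
# output (the first non-empty line is the column header).
def host_categories(list_output)
  list_output.lines.map(&:strip).reject(&:empty?).drop(1)
end

# Value for /Category: a localized name from `overrides` (hypothetical stand-in
# for node attributes) if the host lists it, otherwise the GUID.
def category_argument(category, overrides: {}, host_names: [])
  guid = AUDIT_CATEGORY_GUIDS.fetch(category) { raise ArgumentError, "unknown category #{category}" }
  name = overrides[category]
  return %("#{guid}") if name.nil?
  raise ArgumentError, "#{name.inspect} not listed on this host" unless host_names.include?(name)
  raise ArgumentError, 'category name must not contain a quote' if name.include?('"')
  %("#{name}")
end

def auditpol_set_command(category, **opts)
  "AuditPol /Set /Category:#{category_argument(category, **opts)} /Failure:Enable /Success:Enable"
end

# Sample input: the Russian listing quoted in the issue.
RU_LISTING = <<~OUT
  Категория или подкатегория
  Вход учетной записи
  Вход/выход
  Доступ к объектам
  Доступ к службе каталогов (DS)
  Изменение политики
  Использование прав
  Подробное отслеживание
  Система
  Учетные записи
OUT
```

In a recipe, the returned string would be the value given to `command` in the `execute` resource; an override that names a category the host does not list fails at compile time instead of surfacing as exit code 87.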