search

puppetlabs / Puppet.Dsc

Convert DSC resources into Puppet Resource API types and providers
https://www.powershellgallery.com/packages/Puppet.Dsc
Apache License 2.0
9 stars 12 forks source link

Settings of auditpolicydsc are overwritten by puppetized securitypolicydsc #131

Closed norbertstoll closed 3 years ago

norbertstoll commented 3 years ago

Describe the Bug

If using settings of puppetized auditpolicydsc and puppetized securitypolicy at the same time, auditpolicydsc-settings are being reset during run of puppet agent. Checking auditpolicy via 'auditpol /get /category:*' while puppet agent is applying its settings shows, that as soon as settings of securitypolicy are applied any audit policy-config is set to 'No Auditing'.

This is not happening while using puppetized auditpolicydsc in combination with dsc_lite-module of securitypolicy - with the limitation, it's only kept after a second run of puppet agent.

Also: Settings of puppetized securitypolicy will always be re-applied/corrective. Independent of usage with auditpolicy or any module.

Notes: ALL domain based policy are not being applied by blocked inheritance of GPOs. However registry key SCENoApplyLegacyAuditPolicy is to '0', but this hasn't any effect either: https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/security-auditing-settings-not-applied-when-deploy-domain-based-policy

Expected Behavior

Settings of puppetized auditpolicydsc and puppetized securitypolicy remain as expected/defined after end of run of puppet agent.

Steps to Reproduce

We use hiera, so here's a part the relevant part of code.

The following config will end up having 'System Integrity' being set to 'No Auditing' (while 'Failure' should be set):

auditpolicydsc::auditpolicysubcategory:

'Audit_SystemIntegrity_Success': dsc_name: 'System Integrity' dsc_ensure: 'Present' dsc_auditflag: 'Failure'

securitypolicydsc::userrightsassignment: 'SecPol_ChangeSystemTime': dsc_policy: 'Change_the_system_time' dsc_identity: ['domain\username']

The following change to 'SecPol_ChangeSystemTime' by using local PowerShell DSC-resources on the Windows-Server itself will keep audit policy settings after a second run of puppet agent:

Change security policy settings

'SecPol_ChangeSystemTime': resource_name: 'UserRightsAssignment' module: 'SecurityPolicyDsc' properties: policy: 'Change_the_system_time' identity: ['domain\username']

Environment

PS C:> Get-Module puppet -ListAvailable | Select Name, Version

Name Version

Puppet.Dsc 0.4.0
PuppetDevelopmentKit 1.18.1

puppetserver --version puppetserver version: 6.14.1

2.10.0-0-2 of https://forge.puppet.com/modules/dsc/securitypolicydsc 1.4.0-0-2 of https://forge.puppet.com/modules/dsc/auditpolicydsc

michaeltlombardi commented 3 years ago

@norbertstoll what version of puppetlabs-pwshlib do you have in your environment?

Just to clarify the manifests, this is an accurate test, correct?

dsc_auditpolicysubcategory {'Audit_SystemIntegrity_Success':
  dsc_name      => 'System Integrity',
  dsc_ensure    => 'Present',
  dsc_auditflag => 'Failure',
}

dsc_userrightsassignment {'SecPol_ChangeSystemTime':
  dsc_policy   => 'Change_the_system_time',
  dsc_identity => ['domain\username'],
}

If so, I'll begin experimenting to see if I can run this down. I may need to pair with you to see things live in your environment and walk you through some debugging to figure out exactly what's going on and file a fix (likely in ruby-pwsh/pwshlib where the base provider lives)

SecurityPolicyDsc Bugs

You may be running into bugs in SecurityPolicyDsc which cause flapping, two of which I've submitted upstream fixes for - one merged, one not, but neither of them in a released non-preview version.

norbertstoll commented 3 years ago

Hi @michaeltlombardi,

what do you mean by 'accurate'? The values are set correct as long as AuditPolicy isn't combined with SecurityPolicyDsc. AuditPolicyDsc-settings will be applied during a run of puppet agent but as soon as settings of SecurityPolicyDsc are being applied they are reset to 'No Auditing'. The example will show this, if that is what you've been asking :)

Isolated use of AuditPolicyDsc does work as expected, however isolated use of SecurityPolicyDsc will show that even in that case all settings will be re-applied at each run of puppet agent - it's always corrective.

mod 'puppetlabs-pwshlib', '0.7.4'

If you need to see this live in our environment I've to get back to our customer and maybe we need a NDA, hoping this is no problem for you.

Kind regards

michaeltlombardi commented 3 years ago

Hey @norbertstoll - sorry, I didn't see this notification pop up!

Just to be clear, the example manifest I threw together replicates the problem on your end, right? I've got some in-flight work but I can set aside some time to sit with you and pair debug if needed, an NDA is no problem. If not, I'll try to repro this after my current work item wraps.

The "always corrective" problem does not surprise me - I had to file two different bugs with that module already because it does not correctly report back all the relevant information. I can try to run that down separately but my initial guess is that there's a goof in the get behavior of the UserRightsAssignment DSC Resource.

norbertstoll commented 3 years ago

Hi @michaeltlombardi

EDIT: I was already wondering what has happened to my testing environment but didn't analyze in depth. Seems like I've been in some kind of easter trance ;) One of my colleagues moved the computer account to another OU and all formerly blocked GPOs had been applied. So please ignore today's first comment (which I deleted asap)...

Sorry for the delay! Now it's been me. There's way too much work to do and this important piece of it had to wait. Seems like there's still some work to do but I'm really glad you're pushing and supporting this!

We updated all required modules. I tested a lot last week and this is how it looks like right now:

mod 'puppetlabs-pwshlib', '0.8.0'
mod 'dsc-auditpolicydsc', '1.4.0-0-2'
mod 'dsc-securitypolicydsc', '2.10.0-0-2'
---

classes:
  include:
    - 'profile::dsc::auditpolicy'
    - 'profile::dsc::securitypolicy'

profile::dsc::auditpolicy::auditpolicysubcategory:
  'Audit_SystemIntegrity_Success':
    dsc_name:          'System Integrity'
    dsc_ensure:         'Present'
    dsc_auditflag:      'Failure'

  'Audit_CredentialValidation_Success':
    dsc_name:          'Credential Validation'
    dsc_ensure:        'Present'
    dsc_auditflag:     'Success'

  'Audit_ComputerAccountManagement_Success':
    dsc_name:          'Computer Account Management'
    dsc_ensure:        'Present'
    dsc_auditflag:     'Failure'

  'Audit_Logon_Success':
    dsc_name:          'Logon'
    dsc_ensure:        'Present'
    dsc_auditflag:     'Success'

profile::dsc::securitypolicy::securityoption:
  'SecPol_AuditPolicySubcategories':
    dsc_name:          'AccountSecurityOptions'
    dsc_audit_force_audit_policy_subcategory_settings_windows_vista_or_later_to_override_audit_policy_category_settings:  'Enabled'

profile::dsc::securitypolicy::userrightsassignment:
  'SecPol_ChangeSystemTime':
    dsc_policy:           'Change_the_system_time' 
    dsc_identity:         ['domain\user']

  'SecPol_DenyLogOnAsBatchJob':
    dsc_policy:           'Deny_log_on_as_a_batch_job' 
    dsc_identity:         ['domain\user'] 
PS C:\> puppet agent -t
Info: Using configured environment 'windows_test'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Loading facts
Info: Caching catalog for computername.domain
Info: Applying configuration version '0cef4c9ee716c07e71946c845e3de31fe089c33e'
Notice: /Stage[main]/Profile::Dsc::Auditpolicy/Dsc_auditpolicysubcategory[Audit_SystemIntegrity_Success]/dsc_ensure: dsc_ensure changed  to 'Present' (corrective)
Notice: dsc_auditpolicysubcategory[{:name=>"Audit_SystemIntegrity_Success", :dsc_name=>"System Integrity", :dsc_auditflag=>"Failure"}]: Creating: Finished in 0.854432 seconds
Notice: /Stage[main]/Profile::Dsc::Auditpolicy/Dsc_auditpolicysubcategory[Audit_CredentialValidation_Success]/dsc_ensure: dsc_ensure changed  to 'Present' (corrective)
Notice: dsc_auditpolicysubcategory[{:name=>"Audit_CredentialValidation_Success", :dsc_name=>"Credential Validation", :dsc_auditflag=>"Success"}]: Creating: Finished in 0.716539 seconds
Notice: /Stage[main]/Profile::Dsc::Auditpolicy/Dsc_auditpolicysubcategory[Audit_ComputerAccountManagement_Success]/dsc_ensure: dsc_ensure changed  to 'Present' (corrective)
Notice: dsc_auditpolicysubcategory[{:name=>"Audit_ComputerAccountManagement_Success", :dsc_name=>"Computer Account Management", :dsc_auditflag=>"Failure"}]: Creating: Finished in 0.725495 seconds
Notice: /Stage[main]/Profile::Dsc::Auditpolicy/Dsc_auditpolicysubcategory[Audit_Logon_Success]/dsc_ensure: dsc_ensure changed  to 'Present' (corrective)
Notice: dsc_auditpolicysubcategory[{:name=>"Audit_Logon_Success", :dsc_name=>"Logon", :dsc_auditflag=>"Success"}]: Creating: Finished in 0.725473 seconds
Notice: /Stage[main]/Profile::Dsc::Securitypolicy/Dsc_securityoption[SecPol_AuditPolicySubcategories]/dsc_audit_force_audit_policy_subcategory_settings_windows_vista_or_later_to_override_audit_policy_category_settings: dsc_audit_force_audit_policy_subcategory_settings_windows_vista_or_later_to_override_audit_policy_category_settings changed  to 'Enabled' (corrective)
Notice: dsc_securityoption[{:name=>"SecPol_AuditPolicySubcategories", :dsc_name=>"AccountSecurityOptions"}]: Updating: Finished in 2.27 seconds
Notice: /Stage[main]/Profile::Dsc::Securitypolicy/Dsc_userrightsassignment[SecPol_ChangeSystemTime]/dsc_identity: dsc_identity changed ['NT AUTHORITY\LOCAL SERVICE', 'domain\user', 'BUILTIN\Administrators'] to ['domain\user'] (corrective)
Notice: dsc_userrightsassignment[{:name=>"SecPol_ChangeSystemTime", :dsc_policy=>"Change_the_system_time"}]: Updating: Finished in 2.04 seconds
Notice: /Stage[main]/Profile::Dsc::Securitypolicy/Dsc_userrightsassignment[SecPol_DenyLogOnAsBatchJob]/dsc_identity: dsc_identity changed ['domain\user', 'BUILTIN\Guests'] to ['domain\user'] (corrective)
Notice: dsc_userrightsassignment[{:name=>"SecPol_DenyLogOnAsBatchJob", :dsc_policy=>"Deny_log_on_as_a_batch_job"}]: Updating: Finished in 1.94 seconds
Notice: Applied catalog in 13.62 seconds

Note: all audit policy- and security policy settings have been applied as expected.

PS C:\> puppet agent -t
Info: Using configured environment 'windows_test'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Loading facts
Info: Caching catalog for computername.domain
Info: Applying configuration version '0cef4c9ee716c07e71946c845e3de31fe089c33e'
Notice: /Stage[main]/Profile::Dsc::Securitypolicy/Dsc_securityoption[SecPol_AuditPolicySubcategories]/dsc_audit_force_audit_policy_subcategory_settings_windows_vista_or_later_to_override_audit_policy_category_settings: dsc_audit_force_audit_policy_subcategory_settings_windows_vista_or_later_to_override_audit_policy_category_settings changed  to 'Enabled' (corrective)
Notice: dsc_securityoption[{:name=>"SecPol_AuditPolicySubcategories", :dsc_name=>"AccountSecurityOptions"}]: Updating: Finished in 2.28 seconds
Notice: /Stage[main]/Profile::Dsc::Securitypolicy/Dsc_userrightsassignment[SecPol_ChangeSystemTime]/dsc_identity: dsc_identity changed ['NT AUTHORITY\LOCAL SERVICE', 'domain\user', 'BUILTIN\Administrators'] to ['domain\user'] (corrective)
Notice: dsc_userrightsassignment[{:name=>"SecPol_ChangeSystemTime", :dsc_policy=>"Change_the_system_time"}]: Updating: Finished in 2.04 seconds
Notice: /Stage[main]/Profile::Dsc::Securitypolicy/Dsc_userrightsassignment[SecPol_DenyLogOnAsBatchJob]/dsc_identity: dsc_identity changed ['domain\user', 'BUILTIN\Guests'] to ['domain\user'] (corrective)
Notice: dsc_userrightsassignment[{:name=>"SecPol_DenyLogOnAsBatchJob", :dsc_policy=>"Deny_log_on_as_a_batch_job"}]: Updating: Finished in 1.95 seconds
Notice: Applied catalog in 7.63 seconds
PS C:\>

Note: audit policy-settings are being kept(!), this has changed and has been probably been fixed by a new version of pwshlib(?).

So with one issue being resolved, the 'always corrective'-bug remains.

Kind regards, Norbert

norbertstoll commented 3 years ago

Hi @michaeltlombardi,

I updated puppet agent to 6.23.0, pwshlib 0.9.0 and each module (auditpolicydsc, securitypolicydsc, gpregistrypolicysdc) to its most recent version. I still see the same issues:

Am I impatient or is there anything I can do to get things fixed with those new releases?

Kind regards, Norbert

norbertstoll commented 3 years ago

Hi @michaeltlombardi,

please tell me if you need any code excerpts, testing on my side or if a remote session would make sense.

I was hoping this issue will be fixed with those recently released versions of puppet agent for windows, pwshlib etc. but right now I'm getting under pressure finding a solution since we need this stuff. Otherwise I'd have to switch over to the usage of "native PowerShell DSC-Modules" including distribution of DSC-Modules via software-repository to the member servers what I'd really like to avoid :)

michaeltlombardi commented 3 years ago

@norbertstoll does using the new validate_mode flag help with the corrective runs?

Can you share the output from a puppet run with the --debug flag?

norbertstoll commented 3 years ago

Hi @michaeltlombardi,

validate_mode fixed it! No more "correctiveness" 👯

Thanks a lot! That was almost a live saver ;)

Regards, Norbert

michaeltlombardi commented 3 years ago

\o/ Awesome! That's why we implemented the functionality 😂 😭