
Incorrect Data Comparison #109

Open
TheITRx opened this issue Nov 4, 2020 · 3 comments

Comments

@TheITRx

TheITRx commented Nov 4, 2020

I have a bunch of policies where, on every puppet run, it thinks that I have an incorrect config on my computer.

For example, for the default local administrator (Accounts: Rename administrator account), puppet thinks I don't have the correct config, thus telling me it's doing a corrective change on puppet runs. This happens even though I have the correct existing configuration. The configs are there, but it thinks they are not. It is a huge issue when generating reports on the PE console.

Puppet Run Result:
Notice: /Stage[main]/path::to::cis::Localsecuritypolicy/Local_security_policy[Audit account logon events]/policy_value: policy_value changed '0' to 3 (corrective)
Notice: /Stage[main]/path::to::cis::Localsecuritypolicy/Local_security_policy[Audit system events]/policy_value: policy_value changed '0' to 3 (corrective)
Notice: /Stage[main]/path::to::cis::Localsecuritypolicy/Local_security_policy[Accounts: Rename administrator account]/policy_value: policy_value changed '"aimlocaladmin"' to 'aimlocaladmin' (corrective)
Notice: /Stage[main]/path::to::cis::Localsecuritypolicy/Local_security_policy[Accounts: Rename guest account]/policy_value: policy_value changed '"aimguest"' to 'aimguest' (corrective)
Notice: /Stage[main]/path::to::cis::Localsecuritypolicy/Local_security_policy[Access Credential Manager as a trusted caller]/ensure: created (corrective)
Notice: /Stage[main]/path::to::cis::Localsecuritypolicy/Local_security_policy[Create a token object]/ensure: created (corrective)
Notice: /Stage[main]/path::to::cis::Localsecuritypolicy/Local_security_policy[Modify an object label]/ensure: created (corrective)
Notice: /Stage[main]/path::to::cis::Localsecuritypolicy/Local_security_policy[Act as part of the operating system]/ensure: created (corrective)
Notice: /Stage[main]/path::to::cis::Localsecuritypolicy/Local_security_policy[Create permanent shared objects]/ensure: created (corrective)
Notice: /Stage[main]/path::to::cis::Localsecuritypolicy/Local_security_policy[Create symbolic links]/ensure: created (corrective)
Notice: /Stage[main]/path::to::cis::Localsecuritypolicy/Local_security_policy[Lock pages in memory]/ensure: created (corrective)
Notice: /Stage[main]/path::to::cis::Localsecuritypolicy/Local_security_policy[Enable computer and user accounts to be trusted for delegation]/ensure: created (corrective)

@TheITRx

TheITRx commented Nov 4, 2020

We have User Rights local policies that we set to empty in accordance with CIS controls. Looks like the module does an incorrect comparison between what's empty in the current setting and what's empty in the manifest.

This is my hiera data:

Lock pages in memory:
  # Description: (L1) Ensure 'Lock pages in memory' is set to 'No One'
  ensure: present
  policy_value:

@Nwolford51

We are having the same issue:

Notice: /Stage[main]/Oss::Profile::Base::Localadmins/Local_security_policy[Accounts: Rename administrator account]/policy_value: policy_value changed '"username"' to 'username' (corrective)
Notice: Applied catalog in 377.28 seconds

It evaluates the admin account every run even though it is set correctly. We were able to get around setting the Guest account by using odd syntax to account for the '"Guest"' quotes.

local_security_policy { 'Accounts: Rename guest account':
  ensure       => 'present',
  policy_value => '"nobody"',
  before       => Dsc_user['nobody'],
}

Any advice on how to get around it in the Accounts: Rename administrator account setting when using a parameter as the name?

local_security_policy { 'Accounts: Rename administrator account':
  ensure       => 'present',
  policy_value => $domain_username,
  before       => Dsc_user[$domain_username],
}

@canihavethisone

canihavethisone commented Jan 4, 2022

@Nwolford51

I overcame this issue (which affects both administrator and guest account names) by using additional quotes on an in-hiera lookup. I think this may be more of an issue with Windows than the module, though potentially the module could mitigate it. In the meantime the below works fine:

  'Accounts: Rename administrator account':
    policy_value: '"%{lookup("windows::disabled_administrator_newname")}"'

  'Accounts: Rename guest account':
    policy_value: '"%{lookup("windows::disabled_guest_newname")}"'

Re your question on working around it when using a parameter in a manifest, perhaps the following (or a variation of it) may work? Though I think lint checks may flag it.

    policy_value => '"${domain_username}"',
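An added illustration of the comparison problem discussed in this thread (example code, not the module's own provider): the reported value '"aimlocaladmin"' carries the double quotes that secedit-style exports wrap around string values, so a plain string comparison against 'aimlocaladmin' never matches and every run reports a corrective change. The sample export below is constructed, and the assumption that string values are exported quoted while an empty user right ("No One") is exported as a bare key is mine; the normaliser strips one layer of quotes and treats nil and '' as the same empty value.

```ruby
# Constructed sample of an exported local security policy (INF-style).
# Assumption: string values come back wrapped in double quotes, an empty
# user right is a bare "Key =" with nothing after it, audit values are ints.
SAMPLE_EXPORT = <<~INF
  [System Access]
  NewAdministratorName = "aimlocaladmin"
  NewGuestName = "aimguest"
  [Event Audit]
  AuditSystemEvents = 3
  [Privilege Rights]
  SeLockMemoryPrivilege =
INF

# Parse "Key = Value" lines into a hash; section headers have no '=' and are skipped.
def parse_export(text)
  text.each_line.with_object({}) do |line, acc|
    next unless line.include?('=')
    key, val = line.split('=', 2).map(&:strip)
    acc[key] = val
  end
end

# Normalise a value before comparing: stringify (so 3 and '3' agree),
# trim whitespace, drop one surrounding pair of double quotes, and let
# nil collapse to '' so an empty manifest value matches an empty right.
def normalize(value)
  v = value.to_s.strip
  v = v[1..-2] if v.length >= 2 && v.start_with?('"') && v.end_with?('"')
  v
end

# The comparison the log lines above imply: quoted vs unquoted never matches,
# so the resource is flagged "corrective" on every run even when it is correct.
def naive_in_sync?(current, desired)
  current == desired
end

# Idempotent comparison: equal after normalising both sides.
def in_sync?(current, desired)
  normalize(current) == normalize(desired)
end
```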
