Add more policies

Adds more policies
Fixes an inverted range check (`1 >= value <= 32767`) in the netsh salt util
Uses __context__ to speed things up
Fixes bug in the state where it was reporting changes when no changes
occurred
This commit is contained in:
twangboy 2018-12-07 17:18:29 -07:00
parent b2b97959d0
commit 1247598f28
No known key found for this signature in database
GPG key ID: 93FF3BDEB278C9EB
3 changed files with 666 additions and 16 deletions


@ -488,6 +488,21 @@ class _policy_info(object):
'disable': 'No',
'notconfigured': 'Not configured'
}
self.firewall_log_packets_connections = {
'enable': 'Yes',
'disable': 'No (default)',
'notconfigured': 'Not configured'
}
self.firewall_notification = {
'enable': 'Yes',
'disable': 'No',
'notconfigured': 'Not configured'
}
self.firewall_state = {
'on': 'On (recommended)',
'off': 'Off',
'notconfigured': 'Not configured'
}
self.krb_encryption_types = {
0: 'No minimum',
1: 'DES_CBC_CRC',
@ -869,6 +884,84 @@ class _policy_info(object):
},
},
},
'WfwDomainState': {
'Policy': 'Network firewall: Domain: State',
'lgpo_section': self.windows_firewall_gpedit_path,
# Settings available are:
# - On (recommended)
# - Off
# - Not configured
'Settings': self.firewall_state.keys(),
'NetSH': {
'Profile': 'domain',
'Section': 'state',
'Option': 'State' # Unused, but needed
},
'Transform': {
'Get': '_dict_lookup',
'Put': '_dict_lookup',
'GetArgs': {
'lookup': self.firewall_state,
'value_lookup': False,
},
'PutArgs': {
'lookup': self.firewall_state,
'value_lookup': True,
},
},
},
'WfwPrivateState': {
'Policy': 'Network firewall: Private: State',
'lgpo_section': self.windows_firewall_gpedit_path,
# Settings available are:
# - On (recommended)
# - Off
# - Not configured
'Settings': self.firewall_state.keys(),
'NetSH': {
'Profile': 'private',
'Section': 'state',
'Option': 'State' # Unused, but needed
},
'Transform': {
'Get': '_dict_lookup',
'Put': '_dict_lookup',
'GetArgs': {
'lookup': self.firewall_state,
'value_lookup': False,
},
'PutArgs': {
'lookup': self.firewall_state,
'value_lookup': True,
},
},
},
'WfwPublicState': {
'Policy': 'Network firewall: Public: State',
'lgpo_section': self.windows_firewall_gpedit_path,
# Settings available are:
# - On (recommended)
# - Off
# - Not configured
'Settings': self.firewall_state.keys(),
'NetSH': {
'Profile': 'public',
'Section': 'state',
'Option': 'State' # Unused, but needed
},
'Transform': {
'Get': '_dict_lookup',
'Put': '_dict_lookup',
'GetArgs': {
'lookup': self.firewall_state,
'value_lookup': False,
},
'PutArgs': {
'lookup': self.firewall_state,
'value_lookup': True,
},
},
},
'WfwDomainInboundConnections': {
'Policy': 'Network firewall: Domain: Inbound connections',
'lgpo_section': self.windows_firewall_gpedit_path,
@ -896,6 +989,60 @@ class _policy_info(object):
},
},
},
'WfwPrivateInboundConnections': {
'Policy': 'Network firewall: Private: Inbound connections',
'lgpo_section': self.windows_firewall_gpedit_path,
# Settings available are:
# - Block (default)
# - Block all connections
# - Allow
# - Not configured
'Settings': self.firewall_inbound_connections.keys(),
'NetSH': {
'Profile': 'private',
'Section': 'firewallpolicy',
'Option': 'Inbound'
},
'Transform': {
'Get': '_dict_lookup',
'Put': '_dict_lookup',
'GetArgs': {
'lookup': self.firewall_inbound_connections,
'value_lookup': False,
},
'PutArgs': {
'lookup': self.firewall_inbound_connections,
'value_lookup': True,
},
},
},
'WfwPublicInboundConnections': {
'Policy': 'Network firewall: Public: Inbound connections',
'lgpo_section': self.windows_firewall_gpedit_path,
# Settings available are:
# - Block (default)
# - Block all connections
# - Allow
# - Not configured
'Settings': self.firewall_inbound_connections.keys(),
'NetSH': {
'Profile': 'public',
'Section': 'firewallpolicy',
'Option': 'Inbound'
},
'Transform': {
'Get': '_dict_lookup',
'Put': '_dict_lookup',
'GetArgs': {
'lookup': self.firewall_inbound_connections,
'value_lookup': False,
},
'PutArgs': {
'lookup': self.firewall_inbound_connections,
'value_lookup': True,
},
},
},
'WfwDomainOutboundConnections': {
'Policy': 'Network firewall: Domain: Outbound connections',
'lgpo_section': self.windows_firewall_gpedit_path,
@ -922,6 +1069,136 @@ class _policy_info(object):
},
},
},
'WfwPrivateOutboundConnections': {
'Policy': 'Network firewall: Private: Outbound connections',
'lgpo_section': self.windows_firewall_gpedit_path,
# Settings available are:
# - Block
# - Allow (default)
# - Not configured
'Settings': self.firewall_outbound_connections.keys(),
'NetSH': {
'Profile': 'private',
'Section': 'firewallpolicy',
'Option': 'Outbound'
},
'Transform': {
'Get': '_dict_lookup',
'Put': '_dict_lookup',
'GetArgs': {
'lookup': self.firewall_outbound_connections,
'value_lookup': False,
},
'PutArgs': {
'lookup': self.firewall_outbound_connections,
'value_lookup': True,
},
},
},
'WfwPublicOutboundConnections': {
'Policy': 'Network firewall: Public: Outbound connections',
'lgpo_section': self.windows_firewall_gpedit_path,
# Settings available are:
# - Block
# - Allow (default)
# - Not configured
'Settings': self.firewall_outbound_connections.keys(),
'NetSH': {
'Profile': 'public',
'Section': 'firewallpolicy',
'Option': 'Outbound'
},
'Transform': {
'Get': '_dict_lookup',
'Put': '_dict_lookup',
'GetArgs': {
'lookup': self.firewall_outbound_connections,
'value_lookup': False,
},
'PutArgs': {
'lookup': self.firewall_outbound_connections,
'value_lookup': True,
},
},
},
'WfwDomainSettingsNotification': {
'Policy': 'Network firewall: Domain: Settings: Display a notification',
'lgpo_section': self.windows_firewall_gpedit_path,
# Settings available are:
# - Yes
# - No
# - Not configured
'Settings': self.firewall_notification.keys(),
'NetSH': {
'Profile': 'domain',
'Section': 'settings',
'Option': 'InboundUserNotification'
},
'Transform': {
'Get': '_dict_lookup',
'Put': '_dict_lookup',
'GetArgs': {
'lookup': self.firewall_notification,
'value_lookup': False,
},
'PutArgs': {
'lookup': self.firewall_notification,
'value_lookup': True,
},
},
},
'WfwPrivateSettingsNotification': {
'Policy': 'Network firewall: Private: Settings: Display a notification',
'lgpo_section': self.windows_firewall_gpedit_path,
# Settings available are:
# - Yes
# - No
# - Not configured
'Settings': self.firewall_notification.keys(),
'NetSH': {
'Profile': 'private',
'Section': 'settings',
'Option': 'InboundUserNotification'
},
'Transform': {
'Get': '_dict_lookup',
'Put': '_dict_lookup',
'GetArgs': {
'lookup': self.firewall_notification,
'value_lookup': False,
},
'PutArgs': {
'lookup': self.firewall_notification,
'value_lookup': True,
},
},
},
'WfwPublicSettingsNotification': {
'Policy': 'Network firewall: Public: Settings: Display a notification',
'lgpo_section': self.windows_firewall_gpedit_path,
# Settings available are:
# - Yes
# - No
# - Not configured
'Settings': self.firewall_notification.keys(),
'NetSH': {
'Profile': 'public',
'Section': 'settings',
'Option': 'InboundUserNotification'
},
'Transform': {
'Get': '_dict_lookup',
'Put': '_dict_lookup',
'GetArgs': {
'lookup': self.firewall_notification,
'value_lookup': False,
},
'PutArgs': {
'lookup': self.firewall_notification,
'value_lookup': True,
},
},
},
'WfwDomainSettingsLocalFirewallRules': {
'Policy': 'Network firewall: Domain: Settings: Apply '
'local firewall rules',
@ -949,6 +1226,60 @@ class _policy_info(object):
},
},
},
'WfwPrivateSettingsLocalFirewallRules': {
'Policy': 'Network firewall: Private: Settings: Apply '
'local firewall rules',
'lgpo_section': self.windows_firewall_gpedit_path,
# Settings available are:
# - Yes (default)
# - No
# - Not configured
'Settings': self.firewall_rule_merging.keys(),
'NetSH': {
'Profile': 'private',
'Section': 'settings',
'Option': 'LocalFirewallRules'
},
'Transform': {
'Get': '_dict_lookup',
'Put': '_dict_lookup',
'GetArgs': {
'lookup': self.firewall_rule_merging,
'value_lookup': False,
},
'PutArgs': {
'lookup': self.firewall_rule_merging,
'value_lookup': True,
},
},
},
'WfwPublicSettingsLocalFirewallRules': {
'Policy': 'Network firewall: Public: Settings: Apply '
'local firewall rules',
'lgpo_section': self.windows_firewall_gpedit_path,
# Settings available are:
# - Yes (default)
# - No
# - Not configured
'Settings': self.firewall_rule_merging.keys(),
'NetSH': {
'Profile': 'public',
'Section': 'settings',
'Option': 'LocalFirewallRules'
},
'Transform': {
'Get': '_dict_lookup',
'Put': '_dict_lookup',
'GetArgs': {
'lookup': self.firewall_rule_merging,
'value_lookup': False,
},
'PutArgs': {
'lookup': self.firewall_rule_merging,
'value_lookup': True,
},
},
},
'WfwDomainSettingsLocalConnectionRules': {
'Policy': 'Network firewall: Domain: Settings: Apply '
'local connection security rules',
@ -976,6 +1307,294 @@ class _policy_info(object):
},
},
},
'WfwPrivateSettingsLocalConnectionRules': {
'Policy': 'Network firewall: Private: Settings: Apply '
'local connection security rules',
'lgpo_section': self.windows_firewall_gpedit_path,
# Settings available are:
# - Yes (default)
# - No
# - Not configured
'Settings': self.firewall_rule_merging.keys(),
'NetSH': {
'Profile': 'private',
'Section': 'settings',
'Option': 'LocalConSecRules'
},
'Transform': {
'Get': '_dict_lookup',
'Put': '_dict_lookup',
'GetArgs': {
'lookup': self.firewall_rule_merging,
'value_lookup': False,
},
'PutArgs': {
'lookup': self.firewall_rule_merging,
'value_lookup': True,
},
},
},
'WfwPublicSettingsLocalConnectionRules': {
'Policy': 'Network firewall: Public: Settings: Apply '
'local connection security rules',
'lgpo_section': self.windows_firewall_gpedit_path,
# Settings available are:
# - Yes (default)
# - No
# - Not configured
'Settings': self.firewall_rule_merging.keys(),
'NetSH': {
'Profile': 'public',
'Section': 'settings',
'Option': 'LocalConSecRules'
},
'Transform': {
'Get': '_dict_lookup',
'Put': '_dict_lookup',
'GetArgs': {
'lookup': self.firewall_rule_merging,
'value_lookup': False,
},
'PutArgs': {
'lookup': self.firewall_rule_merging,
'value_lookup': True,
},
},
},
'WfwDomainLoggingName': {
'Policy': 'Network firewall: Domain: Logging: Name',
'lgpo_section': self.windows_firewall_gpedit_path,
# Settings available are:
# - <a full path to a file>
# - Not configured
'Settings': None,
'NetSH': {
'Profile': 'domain',
'Section': 'logging',
'Option': 'FileName'
}
},
'WfwPrivateLoggingName': {
'Policy': 'Network firewall: Private: Logging: Name',
'lgpo_section': self.windows_firewall_gpedit_path,
# Settings available are:
# - <a full path to a file>
# - Not configured
'Settings': None,
'NetSH': {
'Profile': 'private',
'Section': 'logging',
'Option': 'FileName'
}
},
'WfwPublicLoggingName': {
'Policy': 'Network firewall: Public: Logging: Name',
'lgpo_section': self.windows_firewall_gpedit_path,
# Settings available are:
# - <a full path to a file>
# - Not configured
'Settings': None,
'NetSH': {
'Profile': 'public',
'Section': 'logging',
'Option': 'FileName'
}
},
'WfwDomainLoggingMaxFileSize': {
'Policy': 'Network firewall: Domain: Logging: Size limit (KB)',
'lgpo_section': self.windows_firewall_gpedit_path,
# Settings available are:
# - <int between 1 and 32767>
# - Not configured
'Settings': None,
'NetSH': {
'Profile': 'domain',
'Section': 'logging',
'Option': 'MaxFileSize'
}
},
'WfwPrivateLoggingMaxFileSize': {
'Policy': 'Network firewall: Private: Logging: Size limit (KB)',
'lgpo_section': self.windows_firewall_gpedit_path,
# Settings available are:
# - <int between 1 and 32767>
# - Not configured
'Settings': None,
'NetSH': {
'Profile': 'private',
'Section': 'logging',
'Option': 'MaxFileSize'
}
},
'WfwPublicLoggingMaxFileSize': {
'Policy': 'Network firewall: Public: Logging: Size limit (KB)',
'lgpo_section': self.windows_firewall_gpedit_path,
# Settings available are:
# - <int between 1 and 32767>
# - Not configured
'Settings': None,
'NetSH': {
'Profile': 'public',
'Section': 'logging',
'Option': 'MaxFileSize'
}
},
'WfwDomainLoggingAllowedConnections': {
'Policy': 'Network firewall: Domain: Logging: Log successful connections',
'lgpo_section': self.windows_firewall_gpedit_path,
# Settings available are:
# - Yes
# - No (default)
# - Not configured
'Settings': self.firewall_log_packets_connections.keys(),
'NetSH': {
'Profile': 'domain',
'Section': 'logging',
'Option': 'LogAllowedConnections'
},
'Transform': {
'Get': '_dict_lookup',
'Put': '_dict_lookup',
'GetArgs': {
'lookup': self.firewall_log_packets_connections,
'value_lookup': False,
},
'PutArgs': {
'lookup': self.firewall_log_packets_connections,
'value_lookup': True,
},
},
},
'WfwPrivateLoggingAllowedConnections': {
'Policy': 'Network firewall: Private: Logging: Log successful connections',
'lgpo_section': self.windows_firewall_gpedit_path,
# Settings available are:
# - Yes
# - No (default)
# - Not configured
'Settings': self.firewall_log_packets_connections.keys(),
'NetSH': {
'Profile': 'private',
'Section': 'logging',
'Option': 'LogAllowedConnections'
},
'Transform': {
'Get': '_dict_lookup',
'Put': '_dict_lookup',
'GetArgs': {
'lookup': self.firewall_log_packets_connections,
'value_lookup': False,
},
'PutArgs': {
'lookup': self.firewall_log_packets_connections,
'value_lookup': True,
},
},
},
'WfwPublicLoggingAllowedConnections': {
'Policy': 'Network firewall: Public: Logging: Log successful connections',
'lgpo_section': self.windows_firewall_gpedit_path,
# Settings available are:
# - Yes
# - No (default)
# - Not configured
'Settings': self.firewall_log_packets_connections.keys(),
'NetSH': {
'Profile': 'public',
'Section': 'logging',
'Option': 'LogAllowedConnections'
},
'Transform': {
'Get': '_dict_lookup',
'Put': '_dict_lookup',
'GetArgs': {
'lookup': self.firewall_log_packets_connections,
'value_lookup': False,
},
'PutArgs': {
'lookup': self.firewall_log_packets_connections,
'value_lookup': True,
},
},
},
'WfwDomainLoggingDroppedConnections': {
'Policy': 'Network firewall: Domain: Logging: Log dropped packets',
'lgpo_section': self.windows_firewall_gpedit_path,
# Settings available are:
# - Yes
# - No (default)
# - Not configured
'Settings': self.firewall_log_packets_connections.keys(),
'NetSH': {
'Profile': 'domain',
'Section': 'logging',
'Option': 'LogDroppedConnections'
},
'Transform': {
'Get': '_dict_lookup',
'Put': '_dict_lookup',
'GetArgs': {
'lookup': self.firewall_log_packets_connections,
'value_lookup': False,
},
'PutArgs': {
'lookup': self.firewall_log_packets_connections,
'value_lookup': True,
},
},
},
'WfwPrivateLoggingDroppedConnections': {
'Policy': 'Network firewall: Private: Logging: Log dropped packets',
'lgpo_section': self.windows_firewall_gpedit_path,
# Settings available are:
# - Yes
# - No (default)
# - Not configured
'Settings': self.firewall_log_packets_connections.keys(),
'NetSH': {
'Profile': 'private',
'Section': 'logging',
'Option': 'LogDroppedConnections'
},
'Transform': {
'Get': '_dict_lookup',
'Put': '_dict_lookup',
'GetArgs': {
'lookup': self.firewall_log_packets_connections,
'value_lookup': False,
},
'PutArgs': {
'lookup': self.firewall_log_packets_connections,
'value_lookup': True,
},
},
},
'WfwPublicLoggingDroppedConnections': {
'Policy': 'Network firewall: Public: Logging: Log dropped packets',
'lgpo_section': self.windows_firewall_gpedit_path,
# Settings available are:
# - Yes
# - No (default)
# - Not configured
'Settings': self.firewall_log_packets_connections.keys(),
'NetSH': {
'Profile': 'public',
'Section': 'logging',
'Option': 'LogDroppedConnections'
},
'Transform': {
'Get': '_dict_lookup',
'Put': '_dict_lookup',
'GetArgs': {
'lookup': self.firewall_log_packets_connections,
'value_lookup': False,
},
'PutArgs': {
'lookup': self.firewall_log_packets_connections,
'value_lookup': True,
},
},
},
'PasswordHistory': {
'Policy': 'Enforce password history',
'lgpo_section': self.password_policy_gpedit_path,
@ -3731,24 +4350,51 @@ def _buildElementNsmap(using_elements):
def _findOptionValueNetSH(profile, option):
settings = salt.utils.win_lgpo_netsh.get_all_settings(profile=profile,
store='lgpo')
return settings[option]
if 'lgpo.netsh_data' not in __context__:
__context__['lgpo.netsh_data'] = {}
if profile not in __context__['lgpo.netsh_data']:
log.debug('LGPO: Loading netsh data for {0} profile'.format(profile))
settings = salt.utils.win_lgpo_netsh.get_all_settings(profile=profile,
store='lgpo')
__context__['lgpo.netsh_data'].update({profile: settings})
log.debug('LGPO: netsh returning value: {0}'
''.format(__context__['lgpo.netsh_data'][profile][option]))
return __context__['lgpo.netsh_data'][profile][option]
def _setOptionValueNetSH(profile, section, option, value):
if section not in ('firewallpolicy', 'settings', 'logging', 'state'):
raise ValueError('LGPO: Invalid section: {0}'.format(section))
log.debug('LGPO: Setting the following\n'
'Profile: {0}\n'
'Section: {1}\n'
'Option: {2}\n'
'Value: {3}'.format(profile, section, option, value))
if section == 'firewallpolicy':
return salt.utils.win_lgpo_netsh.set_firewall_settings(
salt.utils.win_lgpo_netsh.set_firewall_settings(
profile=profile,
inbound=value if option == 'Inbound' else None,
outbound=value if option == 'Outbound' else None,
store='lgpo')
if section == 'settings':
return salt.utils.win_lgpo_netsh.set_settings(
profile=profile,
setting=option,
value=value,
store='lgpo')
salt.utils.win_lgpo_netsh.set_settings(
profile=profile, setting=option, value=value, store='lgpo')
if section == 'state':
salt.utils.win_lgpo_netsh.set_state(
profile=profile, state=value, store='lgpo')
if section == 'logging':
if option in ('FileName', 'MaxFileSize'):
if value == 'Not configured':
value = 'notconfigured'
# Trim log for the two logging options
if option.startswith('Log'):
option = option[3:]
salt.utils.win_lgpo_netsh.set_logging_settings(
profile=profile, setting=option, value=value, store='lgpo')
log.debug('LGPO: Clearing netsh data for {0} profile'.format(profile))
__context__['lgpo.netsh_data'].pop(profile)
return True
def _findOptionValueInSeceditFile(option):
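Review bot: `__context__['lgpo.netsh_data'].pop(profile)` at the end of `_setOptionValueNetSH` assumes a prior `_findOptionValueNetSH` call populated the cache for this profile; if the setter runs first in a process, or the profile key was never loaded, the `.pop()` raises KeyError after the netsh change has already been applied. A tolerant invalidation keeps the speed-up without the trap: `__context__.get('lgpo.netsh_data', {}).pop(profile, None)`. Separately, the new debug lines format eagerly with `.format()` while the state module touched by this same commit uses lazy `%s` arguments, e.g. `log.debug('LGPO: Loading netsh data for %s profile', profile)`. Both functions are fully visible in the hunk; the following `_findOptionValueInSeceditFile` continues outside it.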


@ -308,13 +308,13 @@ def set_(name,
policy_changes.append(policy_name)
else:
if additional_policy_comments:
ret['comment'] = '"{0}" is already set ({1}).\n'.format(policy_name, ', '.join(additional_policy_comments))
ret['comment'] = '"{0}" is already set ({1})\n'.format(policy_name, ', '.join(additional_policy_comments))
else:
ret['comment'] = '"{0}" is already set.\n'.format(policy_name) + ret['comment']
ret['comment'] = '"{0}" is already set\n'.format(policy_name) + ret['comment']
else:
log.debug('%s current setting matches '
'the requested setting', policy_name)
ret['comment'] = '"{0}" is already set.\n'.format(policy_name) + ret['comment']
ret['comment'] = '"{0}" is already set\n'.format(policy_name) + ret['comment']
else:
policy_changes.append(policy_name)
log.debug('policy %s is not set, we will configure it',
@ -322,7 +322,7 @@ def set_(name,
if __opts__['test']:
if policy_changes:
ret['result'] = None
ret['comment'] = 'The following policies are set to change:\n{0}.'.format(
ret['comment'] = 'The following policies are set to change:\n{0}'.format(
'\n'.join(policy_changes))
else:
ret['comment'] = 'All specified policies are properly configured'
@ -334,13 +334,17 @@ def set_(name,
adml_language=adml_language)
if _ret:
ret['result'] = _ret
ret['comment'] = 'The following policies changed:\n{0}.'.format(
'\n'.join(policy_changes))
ret['changes'] = salt.utils.dictdiffer.deep_diff(
current_policy,
__salt__['lgpo.get'](policy_class=policy_class,
adml_language=adml_language,
hierarchical_return=False))
if ret['changes']:
ret['comment'] = 'The following policies changed:\n{0}' \
''.format('\n'.join(policy_changes))
else:
ret['comment'] = 'The following policies are in the correct state:\n{0}' \
''.format('\n'.join(policy_changes))
else:
ret['result'] = False
ret['comment'] = 'Errors occurred while attempting to configure policies: {0}'.format(_ret)
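Review bot: In the new `else` branch, the comment `'The following policies are in the correct state'` asserts more than the code knows: `policy_changes` holds policies whose current value did not match the request and `lgpo.set` returned success, yet the re-read shows no difference, so either the comparison was a false positive or the change silently did not take. Since these are security policies (firewall state, password policy), I would word it as `'The following policies were set but no change was detected:\n{0}'` and add `log.warning('Policies were set but reported no change: %s', policy_changes)` so a non-applied policy does not pass quietly as already-correct. Note also that `deep_diff` compares all of `current_policy` against the full re-read, so `ret['changes']` can include policies outside `policy_changes` if something else modified them in between — presumably acceptable, but worth a one-line comment. `set_` begins outside the hunk.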


@ -443,7 +443,7 @@ def set_logging_settings(profile, setting, value, store='local'):
int(value)
except ValueError:
raise ValueError('Incorrect value: {0}'.format(value))
if not 1 >= int(value) <= 32767:
if not 1 <= int(value) <= 32767:
raise ValueError('Incorrect value: {0}'.format(value))
# Run the command
command = 'set {0}profile logging {1} {2}'.format(profile, setting, value)
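Review bot: The corrected range check still interpolates the raw `value` string into the netsh command on the last line; binding the parsed integer once, `value = int(value)` before `if not 1 <= value <= 32767:`, removes the duplicate parse and guarantees the command carries a canonical number rather than, say, a padded `' 5'`. Since the old `1 >= int(value) <= 32767` rejected everything except 1, a regression test asserting that 0 and 32768 raise ValueError while 1, 4096 and 32767 are accepted would pin the fix. The same format string presumably carries the `FileName` value from the branch above this hunk; if that path is not quoted or validated before interpolation, a path with spaces will break the command — I cannot see that branch from here, so worth confirming. `set_logging_settings` begins outside the hunk.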