Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Uses builtin salt lgpo functions, removing external lgpo utility #56

Merged
merged 32 commits into from
Mar 19, 2020
Merged

Uses builtin salt lgpo functions, removing external lgpo utility #56

merged 32 commits into from
Mar 19, 2020

Conversation

lorengordon
Copy link
Member

@lorengordon lorengordon commented Mar 18, 2020
edited
Loading

Closes #29

@lorengordon lorengordon mentioned this pull request Mar 18, 2020
Merged
@lorengordon lorengordon requested a review from a team March 18, 2020 21:30
@lorengordon
Copy link
Member Author

The terrafirm logs are here, so you can see it is working:

Due to plus3it/terrafirm#63, the codebuild jobs are not succeeding, but watchmaker is actually completing.

YakDriver
YakDriver approved these changes Mar 18, 2020
View reviewed changes
Copy link

@YakDriver YakDriver left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will this affect standalones all-in-one feature if they have to download Apply_LGPO_Delta.exe separately?

@lorengordon
Copy link
Member Author

The standalone's have always had to download Apply_LGPO_Delta.exe. That was done by the salt state, it was not part of the watchmaker standalone package. Similar to how salt is not itself part of the watchmaker standalone package...

However, this set of patches is removing the need for Apply_LGPO_Delta.exe entirely...

@lorengordon
Uses salt lgpo module to write registry.pol
a652e3c
@lorengordon
Deprecates delete/create methods not supported by builtin salt lgpo m…
90455a5 
…odule
@lorengordon
Deletes unused custom execution module
2b850bc
@lorengordon
Renames ash lgpo file/state to avoid conflicts with builtins
28b2e35
@lorengordon
Deprecates requirement for Apply_LGPO_Delta in ash.lgpo state module
4be55ce
@lorengordon
Uses _ instead of . in virtualname to avoid loader bug
e4fbec7
@lorengordon
Updates sls baselines to use new ash_lgpo modules
f4f07a2
@lorengordon
Ensures secedit_data is in __context__
3f76e08 
Workaround for saltstack/salt#56288
@lorengordon
Allows use of ini_name instead of gpedit name in secedit policies
80bf2e5
@lorengordon
Accepts secedit values as displayed in gpedit or secedit ini files
e9898c5 
Without this, for example, Disabled is accepted but 0 results in a validation
error.

With this both 0 and Disabled will work.

Disabled/0 are just examples. The code will actually lookup the acceptable
values using the policy information maintained in the lgpo execution module.
@lorengordon
Supports retrieving list of valid secedit policies by name or type
3ef3618 
Also adds option to output policy details to help identify valid values for
all valid secedit policies
@lorengordon
Defaults to merging policies into existing regpol
efa0889
@lorengordon
Allows LsaRights value to be list of SID strings or friendly names
4092a26
@lorengordon
Coerces netusermodal values from string to int
8379cba
@lorengordon
Transforms secedit ini names to netusermodal names
82a2c0d
@lorengordon
Reconstructs vdata properly when it contains a colon
a4794b0
@lorengordon
Namespaces _write_regpol_data so salt dunder is available
3a599a8
@lorengordon
Coerces empty string to empty list for LsaRights values
c168013 
An empty string/list is used to clear the user privileges.
@lorengordon
Coerces -1 netmodal value to 0
ec22716
@lorengordon
Handles empty string regpol data and the DELETE regpol action
ddce7e4
@lorengordon
Adds function to create a local policy that deletes a registry value
34474d0
@lorengordon
Uses pure regex matches to replace policies in regpol files
7b5a555 
The salt builtin `_policyFileReplaceOrAppend()` has bugs when
the regpol file has DELETE policies, where it does not properly
match or replace the target policy.

This patch replaces `_policyFileReplaceOrAppend()` with a pure
regex-based solution that will properly match an existing policy
in the regpol file, regardless of the policy type (add value, delete
value, or delete all values)
@lorengordon
Removes remnants of unsupported actions
13762bb
@lorengordon
Accounts for potential for regpol encoding to inject newline chars
65d48ea
@lorengordon
Ensures regpol file is always read
b20e758
@lorengordon
Copy link
Member Author

Going to merge this and the terrafirm pr, then kick dependabot on watchmaker to update the submodule and get a good run of the tests...

@lorengordon lorengordon merged commit fe52185 into plus3it:master Mar 19, 2020
@lorengordon lorengordon deleted the lgpo branch March 19, 2020 14:54
@lorengordon lorengordon mentioned this pull request Mar 26, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@YakDriver YakDriver YakDriver approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Update lgpo custom python modules to use the newer LGPO.exe utility
2 participants
@lorengordon @YakDriver