From a69531a2148a06fcb2db50ba52756584cab07f4a Mon Sep 17 00:00:00 2001
From: Seth Thoenen
Date: Fri, 5 Jun 2020 15:58:25 -0500
Subject: [PATCH] Add adv_audit_policy resource
Signed-off-by: Seth Thoenen
---
 README.md | 52 +++++++++++++++++++
 kitchen.yml | 6 +++
 resources/adv_audit_policy.rb | 43 +++++++++++++++
 .../test/recipes/adv_audit_policy.rb | 19 +++++++
 test/cookbooks/test/recipes/everything.rb | 1 +
 .../adv_audit_policy/adv_audit_policy_test.rb | 15 ++++++
 6 files changed, 136 insertions(+)
 create mode 100644 resources/adv_audit_policy.rb
 create mode 100644 test/cookbooks/test/recipes/adv_audit_policy.rb
 create mode 100644 test/integration/adv_audit_policy/adv_audit_policy_test.rb
diff --git a/README.md b/README.md
index d34fc2eb..80b162c1 100644
--- a/README.md
+++ b/README.md
@@ -298,6 +298,58 @@ windows_zipfile 'c:/foo/baz/the_codez.zip' do
 end
 ```
 
+### adv_audit_policy
+
+Sets Windows advanced security audit policy settings.
+
+#### Actions
+
+- `manage` - The only action for this resource. Sets the inputted audit policy to the inputted value.
+
+#### Properties
+
+- `subcategory` - Audit Policy to be modified
+
+- `policy_state` - Value to be configured in the Audit Policy. Must be one of the following: ['Success and Failure', 'Success', 'Failure', 'No Auditing']
+
+#### Examples
+
+Sets `Credential Validation` to `Success and Failure`
+
+```ruby
+adv_audit_policy 'Set Account Logon\\Audit Credential Validation audit policy to "Success and Failure"' do
+ subcategory 'Credential Validation'
+ policy_state 'success and failure'
+end
+```
+
+Sets `Kerberos Authentication Service` to `Success`
+
+```ruby
+adv_audit_policy 'Set Account Logon\\Audit Kerberos Authentication Service audit policy to "Success"' do
+ subcategory 'Kerberos Authentication Service'
+ policy_state 'success'
+end
+```
+
+Sets `Audit Kerberos Service Ticket Operations` to `Failure`
+
+```ruby
+adv_audit_policy 'Set Account Logon\\Audit Kerberos Service Ticket Operations audit policy to "Failure"' do
+ subcategory 'Kerberos Service Ticket Operations'
+ policy_state 'failure'
+end
+```
+
+Sets `Audit Other Account Logon Events` to `No Auditing`
+
+```ruby
+adv_audit_policy 'Set Account Logon\\Audit Other Account Logon Events audit policy to "No Auditing"' do
+ subcategory 'Other Account Logon Events'
+ policy_state 'no auditing'
+end
+```
+
 ## Libraries
 
 ### WindowsHelper
diff --git a/kitchen.yml b/kitchen.yml
index 39c0ceac..c806136a 100644
--- a/kitchen.yml
+++ b/kitchen.yml
@@ -50,3 +50,9 @@ suites:
 - name: everything
 run_list:
 - recipe[test::everything]
+ - name: adv_audit_policy
+ run_list:
+ - recipe[test::adv_audit_policy]
+ verifier:
+ inspec_tests:
+ - test/integration/adv_audit_policy
diff --git a/resources/adv_audit_policy.rb b/resources/adv_audit_policy.rb
new file mode 100644
index 00000000..26055d87
--- /dev/null
+++ b/resources/adv_audit_policy.rb
@@ -0,0 +1,43 @@
+#
+# Author:: Seth Thoenen ()
+# Cookbook:: windows
+# Resource:: adv_audit_policy
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+resource_name 'adv_audit_policy'
+
+property :subcategory, String, name_property: true
+property :policy_state, String, required: true, equal_to: ['success and failure', 'success', 'failure', 'no auditing']
+
+action :manage do
+ auditpol_command = 'auditpol.exe /set /subcategory:"' + new_resource.subcategory + '" '
+ case new_resource.policy_state.downcase
+ when 'success and failure'
+ auditpol_command += '/failure:enable /success:enable'
+ when 'success'
+ auditpol_command += '/failure:disable /success:enable'
+ when 'failure'
+ auditpol_command += '/failure:enable /success:disable'
+ when 'no auditing'
+ auditpol_command += '/failure:disable /success:disable'
+ end
+
+ auditpol_guard_command = 'auditpol /get /subcategory:"' + new_resource.subcategory + '" /r'
+
+ execute "Ensure '#{new_resource.subcategory}' is set to '#{new_resource.policy_state}'" do
+ command auditpol_command
+ not_if { shell_out(auditpol_guard_command).stdout.lines[1].split(',')[4].downcase.eql? new_resource.policy_state }
+ end
+end
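Review bot: `new_resource.subcategory` is concatenated unescaped into both `auditpol_command` and `auditpol_guard_command`, so a value containing a double quote ends the quoted `/subcategory:` argument and the remainder is parsed as further command line. Constrain the property to the characters subcategory names actually use, for example `property :subcategory, String, name_property: true, regex: /\A[A-Za-z0-9 \/-]+\z/` (pattern constructed for illustration; check it against the names `auditpol /list /subcategory:*` reports). The `not_if` block also assumes the second output line always carries at least five comma-separated fields; if auditpol returns an error or a different layout, `lines[1]` or `split(',')[4]` is nil and the run aborts with NoMethodError instead of a readable message, so a nil check or an exit-status check on the `shell_out` result would help. Separately, `equal_to` accepts only the lowercase states while the README hunk lists the capitalised forms as the allowed values, so one of the two should be aligned.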
diff --git a/test/cookbooks/test/recipes/adv_audit_policy.rb b/test/cookbooks/test/recipes/adv_audit_policy.rb
new file mode 100644
index 00000000..bd52e5ba
--- /dev/null
+++ b/test/cookbooks/test/recipes/adv_audit_policy.rb
@@ -0,0 +1,19 @@
+adv_audit_policy 'Set Account Logon\\Audit Credential Validation audit policy to "Success and Failure"' do
+ subcategory 'Credential Validation'
+ policy_state 'success and failure'
+end
+
+adv_audit_policy 'Set Account Logon\\Audit Kerberos Authentication Service audit policy to "Succes"' do
+ subcategory 'Kerberos Authentication Service'
+ policy_state 'success'
+end
+
+adv_audit_policy 'Set Account Logon\\Audit Kerberos Service Ticket Operations audit policy to "Failure"' do
+ subcategory 'Kerberos Service Ticket Operations'
+ policy_state 'failure'
+end
+
+adv_audit_policy 'Set Account Logon\\Audit Other Account Logon Events audit policy to "No Auditing"' do
+ subcategory 'Other Account Logon Events'
+ policy_state 'no auditing'
+end
diff --git a/test/cookbooks/test/recipes/everything.rb b/test/cookbooks/test/recipes/everything.rb
index d043806e..d2ccdc45 100644
--- a/test/cookbooks/test/recipes/everything.rb
+++ b/test/cookbooks/test/recipes/everything.rb
@@ -1,3 +1,4 @@
 include_recipe '::http_acl'
 include_recipe '::user_privilege'
 include_recipe '::zipfile'
+include_recipe '::adv_audit_policy'
diff --git a/test/integration/adv_audit_policy/adv_audit_policy_test.rb b/test/integration/adv_audit_policy/adv_audit_policy_test.rb
new file mode 100644
index 00000000..41da4461
--- /dev/null
+++ b/test/integration/adv_audit_policy/adv_audit_policy_test.rb
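Review bot: In test/cookbooks/test/recipes/adv_audit_policy.rb the second resource name reads `"Succes"`; it should be `"Success"` so the converge output matches the README example. Each subcategory is also declared only once with a single target state, so within one converge this recipe does not appear to exercise the `not_if` guard on an already-compliant setting or a later state change. Declaring one subcategory a second time with the same state, and once more with a different state, would cover both paths of the guard.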
@@ -0,0 +1,15 @@
+describe audit_policy do
+ its('Credential Validation') { should eq 'Success and Failure' }
+end
+
+describe audit_policy do
+ its('Kerberos Authentication Service') { should eq 'Success' }
+end
+
+describe audit_policy do
+ its('Kerberos Service Ticket Operations') { should eq 'Failure' }
+end
+
+describe audit_policy do
+ its('Other Account Logon Events') { should eq 'No Auditing' }
+end
\ No newline at end of file