Add adv_audit_policy resource

README.md

@@ -298,6 +298,58 @@ windows_zipfile 'c:/foo/baz/the_codez.zip' do
 end
 ```
 
+### adv_audit_policy
+
+Sets Windows advanced security audit policy settings.
+
+#### Actions
+
+- `manage` - The only action for this resource. Sets the inputted audit policy to the inputted value.
+
+#### Properties
+
+- `subcategory` - Audit Policy to be modified
+
+- `policy_state` - Value to be configured in the Audit Policy. Must be one of the following: ['Success and Failure', 'Success', 'Failure', 'No Auditing']
+
+#### Examples
+
+Sets `Credential Validation` to `Success and Failure`
+
+```ruby
+adv_audit_policy 'Set Account Logon\\Audit Credential Validation audit policy to "Success and Failure"' do
+  subcategory 'Credential Validation'
+  policy_state 'success and failure'
+end
+```
+
+Sets `Kerberos Authentication Service` to `Success`
+
+```ruby
+adv_audit_policy 'Set Account Logon\\Audit Kerberos Authentication Service audit policy to "Success"' do
+  subcategory 'Kerberos Authentication Service'
+  policy_state 'success'
+end
+```
+
+Sets `Audit Kerberos Service Ticket Operations` to `Failure`
+
+```ruby
+adv_audit_policy 'Set Account Logon\\Audit Kerberos Service Ticket Operations audit policy to "Failure"' do
+  subcategory 'Kerberos Service Ticket Operations'
+  policy_state 'failure'
+end
+```
+
+Sets `Audit Other Account Logon Events` to `No Auditing`
+
+```ruby
+adv_audit_policy 'Set Account Logon\\Audit Other Account Logon Events audit policy to "No Auditing"' do
+  subcategory 'Other Account Logon Events'
+  policy_state 'no auditing'
+end
+```
+
 ## Libraries
 
 ### WindowsHelper

kitchen.yml

@@ -50,3 +50,9 @@ suites:
   - name: everything
     run_list:
       - recipe[test::everything]
+  - name: adv_audit_policy
+    run_list:
+      - recipe[test::adv_audit_policy]
+    verifier:
+      inspec_tests:
+        - test/integration/adv_audit_policy

resources/adv_audit_policy.rb

@@ -0,0 +1,43 @@
+#
+# Author:: Seth Thoenen (<[email protected]>)
+# Cookbook:: windows
+# Resource:: adv_audit_policy
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+resource_name 'adv_audit_policy'
+
+property :subcategory, String, name_property: true
+property :policy_state, String, required: true, equal_to: ['success and failure', 'success', 'failure', 'no auditing']
+
+action :manage do
+  auditpol_command = 'auditpol.exe /set /subcategory:"' + new_resource.subcategory + '" '
+  case new_resource.policy_state.downcase
+  when 'success and failure'
+    auditpol_command += '/failure:enable /success:enable'
+  when 'success'
+    auditpol_command += '/failure:disable /success:enable'
+  when 'failure'
+    auditpol_command += '/failure:enable /success:disable'
+  when 'no auditing'
+    auditpol_command += '/failure:disable /success:disable'
+  end
+
+  auditpol_guard_command = 'auditpol /get /subcategory:"' + new_resource.subcategory + '" /r'
+
+  execute "Ensure '#{new_resource.subcategory}' is set to '#{new_resource.policy_state}'" do
+    command auditpol_command
+    not_if { shell_out(auditpol_guard_command).stdout.lines[1].split(',')[4].downcase.eql? new_resource.policy_state }
+  end
+end

test/cookbooks/test/recipes/adv_audit_policy.rb

@@ -0,0 +1,19 @@
+adv_audit_policy 'Set Account Logon\\Audit Credential Validation audit policy to "Success and Failure"' do
+  subcategory 'Credential Validation'
+  policy_state 'success and failure'
+end
+
+adv_audit_policy 'Set Account Logon\\Audit Kerberos Authentication Service audit policy to "Succes"' do
+  subcategory 'Kerberos Authentication Service'
+  policy_state 'success'
+end
+
+adv_audit_policy 'Set Account Logon\\Audit Kerberos Service Ticket Operations audit policy to "Failure"' do
+  subcategory 'Kerberos Service Ticket Operations'
+  policy_state 'failure'
+end
+
+adv_audit_policy 'Set Account Logon\\Audit Other Account Logon Events audit policy to "No Auditing"' do
+  subcategory 'Other Account Logon Events'
+  policy_state 'no auditing'
+end

test/cookbooks/test/recipes/everything.rb

@@ -1,3 +1,4 @@
 include_recipe '::http_acl'
 include_recipe '::user_privilege'
 include_recipe '::zipfile'
+include_recipe '::adv_audit_policy'

test/integration/adv_audit_policy/adv_audit_policy_test.rb

@@ -0,0 +1,15 @@
+describe audit_policy do
+  its('Credential Validation') { should eq 'Success and Failure' }
+end
+
+describe audit_policy do
+  its('Kerberos Authentication Service') { should eq 'Success' }
+end
+
+describe audit_policy do
+  its('Kerberos Service Ticket Operations') { should eq 'Failure' }
+end
+
+describe audit_policy do
+  its('Other Account Logon Events') { should eq 'No Auditing' }
+end