win_audit_rule - Adds an audit rule to files, folders, or registry keys
New in version 2.5.
Synopsis
- Used to apply audit rules to files, folders or registry keys.
- Once applied, operations matching the rule are recorded in the Security log in Event Viewer, together with the user who performed them.
- The behavior is designed to ignore inherited rules since those cannot be adjusted without first disabling the inheritance behavior. It will still print inherited rules in the output though for debugging purposes.
Parameters
Parameter | Choices/Defaults | Comments |
---|---|---|
audit_flags required | | Defines whether to log on failure, success, or both. To log both, define as a comma-separated list: "Success, Failure". |
inheritance_flags | ContainerInherit,ObjectInherit | Defines what objects inside of a folder or registry key will inherit the settings. If you are setting a rule on a file, this value has to be changed to none. For more information on the choices see the MSDN InheritanceFlags enumeration at https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.inheritanceflags.aspx. |
path required | | Path to the file, folder, or registry key. Registry paths should be in PowerShell format, beginning with an abbreviation for the root, such as 'hklm:\software'. aliases: dest, destination |
propagation_flags | | Propagation flag on the audit rules. This value is ignored when the path type is a file. For more information on the choices see the MSDN PropagationFlags enumeration at https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.propagationflags.aspx. |
rights required | | Comma-separated list of the rights desired. Only required for adding a rule. If path is a file or directory, rights can be any right under MSDN FileSystemRights https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.filesystemrights.aspx. If path is a registry key, rights can be any right under MSDN RegistryRights https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.registryrights.aspx. |
state | | Whether the rule should be present or absent. For absent, only path, user, and state are required. Specifying absent will remove all rules matching the defined user. |
user required | | The user or group to adjust rules for. |
Examples
```yaml
- name: add filesystem audit rule for a folder
  win_audit_rule:
    path: 'c:\inetpub\wwwroot\website'
    user: 'BUILTIN\Users'
    rights: 'write,delete,changepermissions'
    audit_flags: 'success,failure'
    inheritance_flags: 'ContainerInherit,ObjectInherit'

- name: add filesystem audit rule for a file
  win_audit_rule:
    path: 'c:\inetpub\wwwroot\website\web.config'
    user: 'BUILTIN\Users'
    rights: write,delete,changepermissions
    audit_flags: success,failure
    inheritance_flags: None

- name: add registry audit rule
  win_audit_rule:
    path: 'hklm:\software'
    user: 'BUILTIN\Users'
    rights: 'delete'
    audit_flags: 'success'

- name: remove filesystem audit rule
  win_audit_rule:
    path: 'c:\inetpub\wwwroot\website'
    user: 'BUILTIN\Users'
    state: absent

- name: remove registry audit rule
  win_audit_rule:
    path: 'hklm:\software'
    user: 'BUILTIN\Users'
    state: absent
```
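The play below is an added example, not part of the module's own documentation. It covers a point the synopsis leaves implicit: Windows only writes Security log events for an audit rule when the matching Object Access subcategory is audited system-wide. It then applies a rule and reads it back independently. Assumptions: the `windows` inventory group, the `audited_path` variable and the register names are hypothetical, and `win_audit_policy_system` is a separate Ansible module not described on this page.

```yaml
# Added example: names marked "assumed" are illustrative, not module defaults.
- hosts: windows                      # assumed inventory group
  gather_facts: no
  vars:
    audited_path: 'c:\inetpub\wwwroot\website'   # sample path, as in the examples above
  tasks:
    # Without this policy the audit rule exists but produces no events.
    - name: enable File System object access auditing
      win_audit_policy_system:
        subcategory: File System
        audit_type: success, failure

    - name: audit writes, deletes and permission changes by BUILTIN\Users
      win_audit_rule:
        path: '{{ audited_path }}'
        user: 'BUILTIN\Users'
        rights: 'write,delete,changepermissions'
        audit_flags: 'success,failure'
        inheritance_flags: 'ContainerInherit,ObjectInherit'
      register: audit_result          # assumed variable name

    - name: confirm the module resolved the path as a directory
      assert:
        that:
          - audit_result.path_type == 'directory'

    # The module output also lists inherited rules, which it does not manage.
    - name: show the rules reported on the path
      debug:
        var: audit_result.current_audit_rules

    # Independent read-back: count explicit (non-inherited) rules for the user.
    - name: count explicit audit rules for BUILTIN\Users with Get-Acl
      win_shell: |
        $rules = (Get-Acl -Path '{{ audited_path }}' -Audit).Audit |
          Where-Object { -not $_.IsInherited -and
                         $_.IdentityReference.Value -eq 'BUILTIN\Users' }
        @($rules).Count
      register: sacl_count            # assumed variable name
      changed_when: false

    - name: fail if the explicit rule is missing
      assert:
        that:
          - (sacl_count.stdout | trim | int) >= 1
```

Reading the audit portion of an ACL with `Get-Acl -Audit` requires an administrative account on the target host.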
Return Values
Common return values are documented here; the following are the fields unique to this module:
Key | Returned | Description |
---|---|---|
current_audit_rules dictionary | always | The current rules on the defined path. Will return "No audit rules defined on path" Sample: { "audit_flags": "Success", "user": "Everyone", "inheritance_flags": "False", "is_inherited": "False", "propagation_flags": "None", "rights": "Delete" } |
path_type string | always | The type of path being targeted. Will be one of file, directory, registry. |
Status
This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.
Author
- Noah Sparks (@nwsparks)
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.5/modules/win_audit_rule_module.html