windows_audit_policy Resource

This page is generated from the Chef source code.To suggest a change, edit the windows_audit_policy.rb file and submit a pull request to the Chef repository.

Resources Reference page


Use the windows_audit_policy resource to configure system level and per-user Windows advanced audit policy settings.

New in Chef Infra Client 16.2.

Syntax


The full syntax for all of the properties that are available to the windows_audit_policy resource is:

windows_audit_policy 'name' do
  audit_base_directories       true, false
  audit_base_objects           true, false
  crash_on_audit_fail          true, false
  exclude_user                 String
  failure                      true, false
  full_privilege_auditing      true, false
  include_user                 String
  subcategory                  String, Array
  success                      true, false
  action                       Symbol # defaults to :set if not specified
end

where:

  • windows_audit_policy is the resource.
  • name is the name given to the resource block.
  • action identifies which steps Chef Infra Client will take to bring the node into the desired state.
  • audit_base_directories, audit_base_objects, crash_on_audit_fail, exclude_user, failure, full_privilege_auditing, include_user, subcategory, and success are the properties available to this resource.

Actions


The windows_audit_policy resource has the following actions:

:nothing
This resource block does not act unless notified by another resource to take action. Once notified, this resource block either runs immediately or is queued up to run at the end of a Chef Infra Client run.
:set
Configure an audit policy.

Properties


The windows_audit_policy resource has the following properties:

audit_base_directories
Ruby Type: true, false

Setting this audit policy option to true will force the system to assign a System Access Control List to named objects to enable auditing of container objects such as directories.

audit_base_objects
Ruby Type: true, false

Setting this audit policy option to true will force the system to assign a System Access Control List to named objects to enable auditing of base objects such as mutexes.

crash_on_audit_fail
Ruby Type: true, false

Setting this audit policy option to true will cause the system to crash if the auditing system is unable to log events.

exclude_user
Ruby Type: String

The audit policy specified by the category or subcategory is applied per-user if specified. When a user is specified, exclude user. Include and exclude cannot be used at the same time.

failure
Ruby Type: true, false

Specify failure auditing. By setting this property to true the resource will enable failure for the category or sub category. Success is the default and is applied if neither success nor failure are specified.

full_privilege_auditing
Ruby Type: true, false

Setting this audit policy option to true will force the audit of all privilege changes except SeAuditPrivilege. Setting this property may cause the logs to fill up more quickly.

include_user
Ruby Type: String

The audit policy specified by the category or subcategory is applied per-user if specified. When a user is specified, include user. Include and exclude cannot be used at the same time.

subcategory
Ruby Type: String, Array

The audit policy subcategory, specified by GUID or name. Applied system-wide if no user is specified.

success
Ruby Type: true, false

Specify success auditing. By setting this property to true the resource will enable success for the category or sub category. Success is the default and is applied if neither success nor failure are specified.


Common Resource Functionality


Chef resources include common properties, notifications, and resource guards.

Common Properties

The following properties are common to every resource:

compile_time

Ruby Type: true, false | Default Value: false

Control the phase during which the resource is run on the node. Set to true to run while the resource collection is being built (the compile phase). Set to false to run while Chef Infra Client is configuring the node (the converge phase).

ignore_failure

Ruby Type: true, false, :quiet | Default Value: false

Continue running a recipe if a resource fails for any reason. :quiet will not display the full stack trace and the recipe will continue to run if a resource fails.

retries

Ruby Type: Integer | Default Value: 0

The number of attempts to catch exceptions and retry the resource.

retry_delay

Ruby Type: Integer | Default Value: 2

The retry delay (in seconds).

sensitive

Ruby Type: true, false | Default Value: false

Ensure that sensitive resource data is not logged by Chef InfraClient.

Notifications

notifies

Ruby Type: Symbol, 'Chef::Resource[String]'

A resource may notify another resource to take action when its state changes. Specify a 'resource[name]', the :action that resource should take, and then the :timer for that action. A resource may notify more than one resource; use a notifies statement for each resource to be notified.

If the referenced resource does not exist, an error is raised. In contrast, subscribes will not fail if the source resource is not found.

A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:

:before

Specifies that the action on a notified resource should be run before processing the resource block in which the notification is located.

:delayed

Default. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.

:immediate, :immediately

Specifies that a notification should be run immediately, per resource notified.

The syntax for notifies is:

notifies :action, 'resource[name]', :timer
subscribes

Ruby Type: Symbol, 'Chef::Resource[String]'

A resource may listen to another resource, and then take action if the state of the resource being listened to changes. Specify a 'resource[name]', the :action to be taken, and then the :timer for that action.

Note that subscribes does not apply the specified action to the resource that it listens to - for example:

file '/etc/nginx/ssl/example.crt' do
  mode '0600'
  owner 'root'
end

service 'nginx' do
  subscribes :reload, 'file[/etc/nginx/ssl/example.crt]', :immediately
end

In this case the subscribes property reloads the nginx service whenever its certificate file, located under /etc/nginx/ssl/example.crt, is updated. subscribes does not make any changes to the certificate file itself, it merely listens for a change to the file, and executes the :reload action for its resource (in this example nginx) when a change is detected.

If the other resource does not exist, the subscription will not raise an error. Contrast this with the stricter semantics of notifies, which will raise an error if the other resource does not exist.

A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:

:before

Specifies that the action on a notified resource should be run before processing the resource block in which the notification is located.

:delayed

Default. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.

:immediate, :immediately

Specifies that a notification should be run immediately, per resource notified.

The syntax for subscribes is:

subscribes :action, 'resource[name]', :timer

Guards

A guard property can be used to evaluate the state of a node during the execution phase of a Chef Infra Client run. Based on the results of this evaluation, a guard property is then used to tell Chef Infra Client if it should continue executing a resource. A guard property accepts either a string value or a Ruby block value:

  • A string is executed as a shell command. If the command returns 0, the guard is applied. If the command returns any other value, then the guard property is not applied. String guards in a powershell_script run Windows PowerShell commands and may return true in addition to 0.
  • A block is executed as Ruby code that must return either true or false. If the block returns true, the guard property is applied. If the block returns false, the guard property is not applied.

A guard property is useful for ensuring that a resource is idempotent by allowing that resource to test for the desired state as it is being executed, and then if the desired state is present, for Chef Infra Client to do nothing.

Properties

The following properties can be used to define a guard that is evaluated during the execution phase of a Chef Infra Client run:

not_if

Prevent a resource from executing when the condition returns true.

only_if

Allow a resource to execute only if the condition returns true.

Examples


The following examples demonstrate various approaches for using the windows_audit_policy resource in recipes:

Set Logon and Logoff policy to “Success and Failure”:

windows_audit_policy "Set Audit Policy for 'Logon and Logoff' actions to 'Success and Failure'" do
  subcategory %w(Logon Logoff)
  success true
  failure true
  action :set
end

Set Credential Validation policy to “Success”:

windows_audit_policy "Set Audit Policy for 'Credential Validation' actions to 'Success'" do
  subcategory 'Credential Validation'
  success true
  failure false
  action :set
end

Enable CrashOnAuditFail option:

windows_audit_policy 'Enable CrashOnAuditFail option' do
  crash_on_audit_fail true
  action :set
end

© Chef Software, Inc.
Licensed under the Creative Commons Attribution 3.0 Unported License.
The Chef™ Mark and Chef Logo are either registered trademarks/service marks or trademarks/servicemarks of Chef, in the United States and other countries and are used with Chef Inc's permission.
We are not affiliated with, endorsed or sponsored by Chef Inc.
https://docs.chef.io/resources/windows_audit_policy/