Edit this page in the Chef repository

All Infra resources page

Use the windows_audit_policy resource to configure system level and per-user Windows advanced audit policy settings.

New in Chef Infra Client 16.2.

Syntax

The full syntax for all of the properties that are available to the windows_audit_policy resource is:

windows_audit_policy 'name' do
  audit_base_directories       true, false
  audit_base_objects           true, false
  crash_on_audit_fail          true, false
  exclude_user                 String
  failure                      true, false
  full_privilege_auditing      true, false
  include_user                 String
  subcategory                  String, Array
  success                      true, false
  action                       Symbol # defaults to :set if not specified
end

where:

• windows_audit_policy is the resource.
• name is the name given to the resource block.
• action identifies which steps Chef Infra Client will take to bring the node into the desired state.
• audit_base_directories, audit_base_objects, crash_on_audit_fail, exclude_user, failure, full_privilege_auditing, include_user, subcategory, and success are the properties available to this resource.

Actions

The windows_audit_policy resource has the following actions:

:nothing

This resource block does not act unless notified by another resource to take action. Once notified, this resource block either runs immediately or is queued up to run at the end of a Chef Infra Client run.

:set

Configure an audit policy. (default)

Properties

The windows_audit_policy resource has the following properties:

audit_base_directories

Ruby Type: true, false

Setting this audit policy option to true will force the system to assign a System Access Control List to named objects to enable auditing of container objects such as directories.

audit_base_objects

Ruby Type: true, false

Setting this audit policy option to true will force the system to assign a System Access Control List to named objects to enable auditing of base objects such as mutexes.

crash_on_audit_fail

Ruby Type: true, false

Setting this audit policy option to true will cause the system to crash if the auditing system is unable to log events.

exclude_user

Ruby Type: String

The audit policy specified by the category or subcategory is applied per-user if specified. When a user is specified, exclude user. Include and exclude cannot be used at the same time.

failure

Ruby Type: true, false

Specify failure auditing. By setting this property to true the resource will enable failure for the category or sub category. Success is the default and is applied if neither success nor failure are specified.

full_privilege_auditing

Ruby Type: true, false

Setting this audit policy option to true will force the audit of all privilege changes except SeAuditPrivilege. Setting this property may cause the logs to fill up more quickly.

include_user

Ruby Type: String

The audit policy specified by the category or subcategory is applied per-user if specified. When a user is specified, include user. Include and exclude cannot be used at the same time.

subcategory

Ruby Type: String, Array

The audit policy subcategory, specified by GUID or name. Applied system-wide if no user is specified.

success

Ruby Type: true, false

Specify success auditing. By setting this property to true the resource will enable success for the category or sub category. Success is the default and is applied if neither success nor failure are specified.

Common Resource Functionality

Chef resources include common properties, notifications, and resource guards.

Common Properties

The following properties are common to every resource:

compile_time

Ruby Type: true, false | Default Value: false

Control the phase during which the resource is run on the node. Set to true to run while the resource collection is being built (the compile phase). Set to false to run while Chef Infra Client is configuring the node (the converge phase).

ignore_failure

Ruby Type: true, false, :quiet | Default Value: false

Continue running a recipe if a resource fails for any reason. :quiet will not display the full stack trace and the recipe will continue to run if a resource fails.

retries

Ruby Type: Integer | Default Value: 0

The number of attempts to catch exceptions and retry the resource.

retry_delay

Ruby Type: Integer | Default Value: 2

The delay in seconds between retry attempts.

sensitive

Ruby Type: true, false | Default Value: false

Ensure that sensitive resource data is not logged by Chef Infra Client.

Notifications

notifies

Ruby Type: Symbol, 'Chef::Resource[String]'

A resource may notify another resource to take action when its state changes. Specify a 'resource[name]', the :action that resource should take, and then the :timer for that action. A resource may notify more than one resource; use a notifies statement for each resource to be notified.

If the referenced resource does not exist, an error is raised. In contrast, subscribes will not fail if the source resource is not found.

A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:

:before

Specifies that the action on a notified resource should be run before processing the resource block in which the notification is located.

:delayed

Default. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.

:immediate, :immediately

Specifies that a notification should be run immediately, per resource notified.

The syntax for notifies is:

notifies :action, 'resource[name]', :timer

subscribes

Ruby Type: Symbol, 'Chef::Resource[String]'

A resource may listen to another resource, and then take action if the state of the resource being listened to changes. Specify a 'resource[name]', the :action to be taken, and then the :timer for that action.

Note that subscribes does not apply the specified action to the resource that it listens to - for example:

file '/etc/nginx/ssl/example.crt' do
  mode '0600'
  owner 'root'
end

service 'nginx' do
  subscribes :reload, 'file[/etc/nginx/ssl/example.crt]', :immediately
end

In this case the subscribes property reloads the nginx service whenever its certificate file, located under /etc/nginx/ssl/example.crt, is updated. subscribes does not make any changes to the certificate file itself, it merely listens for a change to the file, and executes the :reload action for its resource (in this example nginx) when a change is detected.

If the other resource does not exist, the subscription will not raise an error. Contrast this with the stricter semantics of notifies, which will raise an error if the other resource does not exist.

A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:

:before

Specifies that the action on a notified resource should be run before processing the resource block in which the notification is located.

:delayed

Default. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.

:immediate, :immediately

Specifies that a notification should be run immediately, per resource notified.

The syntax for subscribes is:

subscribes :action, 'resource[name]', :timer

Guards

A guard property can be used to evaluate the state of a node during the execution phase of a Chef Infra Client run. Based on the results of this evaluation, a guard property is then used to tell Chef Infra Client if it should continue executing a resource. A guard property accepts either a string value or a Ruby block value:

• A string is executed as a shell command. If the command returns 0, the guard is applied. If the command returns any other value, then the guard property is not applied. String guards in a powershell_script run Windows PowerShell commands and may return true in addition to 0.
• A block is executed as Ruby code that must return either true or false. If the block returns true, the guard property is applied. If the block returns false, the guard property is not applied.

A guard property is useful for ensuring that a resource is idempotent by allowing that resource to test for the desired state as it is being executed, and then if the desired state is present, for Chef Infra Client to do nothing.

The following properties can be used to define a guard that is evaluated during the execution phase of a Chef Infra Client run:

not_if

Prevent a resource from executing when the condition returns true.

only_if

Allow a resource to execute only if the condition returns true.

Examples

The following examples demonstrate various approaches for using the windows_audit_policy resource in recipes:

Set Logon and Logoff policy to “Success and Failure”:

windows_audit_policy "Set Audit Policy for 'Logon and Logoff' actions to 'Success and Failure'" do
  subcategory %w(Logon Logoff)
  success true
  failure true
  action :set
end

Set Credential Validation policy to “Success”:

windows_audit_policy "Set Audit Policy for 'Credential Validation' actions to 'Success'" do
  subcategory 'Credential Validation'
  success true
  failure false
  action :set
end

Enable CrashOnAuditFail option:

windows_audit_policy 'Enable CrashOnAuditFail option' do
  crash_on_audit_fail true
  action :set
end