trinitor/DetectionLab
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Azure/Ansible: improve idempotency (2)

Browse Source
This commit is contained in:
juju4
2020-11-15 16:36:08 -05:00
parent cf336b578a
commit 5545d0c5a7
3 changed files with 76 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
Azure/Ansible/roles/dc/tasks/main.yml
View File

@@ -1,7 +1,12 @@
--- ---
- name: Set DNS Address - name: Set DNS Address
win_shell: "Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 127.0.0.1,8.8.8.8" win_dns_client:
adapter_names: '*'
ipv4_addresses:
- 127.0.0.1
- 8.8.8.8
log_path: C:\dns_log.txt
- name: Install git - name: Install git
win_chocolatey: win_chocolatey:
@@ -33,6 +38,8 @@
- Users - Users
- Administrators - Administrators
password_never_expires: yes password_never_expires: yes
# Fail after domain creation: Failed to remove Domain Users: Exception calling \"Remove\" with \"1\" argument(s): \"This operation is not allowed on this special group.
ignore_errors: true
- name: Create the Domain - name: Create the Domain
win_shell: .\\provision.ps1 win_shell: .\\provision.ps1
@@ -47,6 +54,7 @@
pre_reboot_delay: 15 pre_reboot_delay: 15
reboot_timeout: 600 reboot_timeout: 600
post_reboot_delay: 60 post_reboot_delay: 60
when: domain_creation.changed
- name: Configure OU - name: Configure OU
win_shell: .\\configure-ou.ps1 win_shell: .\\configure-ou.ps1
@@ -60,6 +68,7 @@
ansible_become_password: vagrant ansible_become_password: vagrant
ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only
failed_when: "'Exception' in ou_creation.stderr" failed_when: "'Exception' in ou_creation.stderr"
changed_when: "'already exists. Moving On.' not in ou_creation.stdout"
- debug: msg="{{ ou_creation.stdout_lines }}" - debug: msg="{{ ou_creation.stdout_lines }}"
@@ -75,8 +84,10 @@
ansible_become_password: vagrant ansible_become_password: vagrant
ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only
failed_when: "'Exception' in wef_gpo.stderr" failed_when: "'Exception' in wef_gpo.stderr"
changed_when: "' already linked on ' not in wef_gpo.stdout"
- debug: msg="{{ wef_gpo.stdout_lines }}" - debug: msg="{{ wef_gpo.stdout_lines }}"
when: wef_gpo.stdout_lines is defined
- name: Configure Powershell Logging GPO - name: Configure Powershell Logging GPO
win_shell: .\\configure-powershelllogging.ps1 win_shell: .\\configure-powershelllogging.ps1
@@ -90,8 +101,10 @@
ansible_become_password: vagrant ansible_become_password: vagrant
ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only
failed_when: "'Exception' in powershell_gpo.stderr" failed_when: "'Exception' in powershell_gpo.stderr"
changed_when: "' already linked on ' not in wef_gpo.stdout"
- debug: msg="{{ powershell_gpo.stdout_lines }}" - debug: msg="{{ powershell_gpo.stdout_lines }}"
when: powershell_gpo.stdout_lines is defined
- name: Configure Auditing Policy GPO - name: Configure Auditing Policy GPO
win_shell: .\\configure-AuditingPolicyGPOs.ps1 win_shell: .\\configure-AuditingPolicyGPOs.ps1
@@ -105,8 +118,10 @@
ansible_become_password: vagrant ansible_become_password: vagrant
ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only
failed_when: "'Exception' in audit_policy.stderr" failed_when: "'Exception' in audit_policy.stderr"
changed_when: "' already linked on ' not in audit_policy.stdout"
- debug: msg="{{ audit_policy.stdout_lines }}" - debug: msg="{{ audit_policy.stdout_lines }}"
when: audit_policy.stdout_lines is defined
- name: Disable Windows Defender GPO - name: Disable Windows Defender GPO
win_shell: .\\configure-disable-windows-defender-gpo.ps1 win_shell: .\\configure-disable-windows-defender-gpo.ps1
@@ -120,6 +135,7 @@
ansible_become_password: vagrant ansible_become_password: vagrant
ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only
failed_when: "'Exception' in disable_win_def.stderr" failed_when: "'Exception' in disable_win_def.stderr"
changed_when: "' already linked at ' not in disable_win_def.stdout"
- debug: msg="{{ disable_win_def.stdout_lines }}" - debug: msg="{{ disable_win_def.stdout_lines }}"
@@ -135,8 +151,10 @@
ansible_become_password: vagrant ansible_become_password: vagrant
ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only
failed_when: "'Exception' in rdp_gpo.stderr" failed_when: "'Exception' in rdp_gpo.stderr"
changed_when: "' already linked at ' not in rdp_gpo.stdout"
- debug: msg="{{ rdp_gpo.stdout_lines }}" - debug: msg="{{ rdp_gpo.stdout_lines }}"
when: rdp_gpo.stdout_lines is defined
- name: Configure DC with raw Commands - name: Configure DC with raw Commands
win_shell: "{{ item }}" win_shell: "{{ item }}"

27
Azure/Ansible/roles/wef/tasks/main.yml
View File

@@ -1,7 +1,12 @@
--- ---
# This needs to be made idempodent
- name: Set HostOnly DNS Address - name: Set HostOnly DNS Address
win_shell: "Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.38.102,8.8.8.8" win_dns_client:
adapter_names: '*'
ipv4_addresses:
- 192.168.38.102
- 8.8.8.8
log_path: C:\dns_log.txt
- name: Install git - name: Install git
win_chocolatey: win_chocolatey:
@@ -48,8 +53,20 @@
dest: "C:\\Users\\vagrant\\AppData\\Local\\Temp\\Microsoft ATA 1.9.iso" dest: "C:\\Users\\vagrant\\AppData\\Local\\Temp\\Microsoft ATA 1.9.iso"
timeout: 3600 timeout: 3600
- name: Clear Event Logs - name: Check if DetectionLab Clear Event Logs has been done
win_shell: "wevtutil el | Select-String -notmatch \"Microsoft-Windows-LiveId\" | Foreach-Object {wevtutil cl \"$_\"}" win_stat:
path: 'c:\Windows\.detectionlab_clear_done'
register: clearevt
- block:
- name: Clear Event Logs
win_shell: "wevtutil el | Select-String -notmatch \"Microsoft-Windows-LiveId\" | Foreach-Object {wevtutil cl \"$_\"}"
- name: Add marker for DetectionLab Clear Event
win_file:
path: 'c:\Windows\.detectionlab_clear_done'
state: touch
when: not clearevt.stat.exists
- name: Downloading the Palantir WEF Configuration - name: Downloading the Palantir WEF Configuration
win_shell: ".\\download_palantir_wef.ps1" win_shell: ".\\download_palantir_wef.ps1"
@@ -95,10 +112,12 @@
win_shell: ".\\configure-pslogstranscriptsshare.ps1" win_shell: ".\\configure-pslogstranscriptsshare.ps1"
args: args:
chdir: 'c:\vagrant\scripts' chdir: 'c:\vagrant\scripts'
creates: c:\pslogs
register: pstranscriptshare register: pstranscriptshare
failed_when: "'Exception' in pstranscriptshare.stdout" failed_when: "'Exception' in pstranscriptshare.stdout"
- debug: msg="{{ pstranscriptshare.stdout_lines }}" - debug: msg="{{ pstranscriptshare.stdout_lines }}"
when: pstranscriptshare.stdout_lines is defined
- name: Installing the EVTX Event Samples - name: Installing the EVTX Event Samples
win_shell: ".\\install-evtx-attack-samples.ps1" win_shell: ".\\install-evtx-attack-samples.ps1"

44
Azure/Ansible/roles/win10/tasks/main.yml
View File

@@ -1,6 +1,11 @@
--- ---
- name: Set HostOnly DNS Address - name: Set HostOnly DNS Address
win_shell: "Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.38.102,8.8.8.8" win_dns_client:
adapter_names: '*'
ipv4_addresses:
- 192.168.38.102
- 8.8.8.8
log_path: C:\dns_log.txt
- name: Install git - name: Install git
win_chocolatey: win_chocolatey:
@@ -50,8 +55,20 @@
post_reboot_delay: 60 post_reboot_delay: 60
when: win10_join_domain.changed when: win10_join_domain.changed
- name: Clear Event Logs - name: Check if DetectionLab Clear Event Logs has been done
win_shell: "wevtutil el | Select-String -notmatch \"Microsoft-Windows-LiveId\" | Foreach-Object {wevtutil cl \"$_\"}" win_stat:
path: 'c:\Windows\.detectionlab_clear_done'
register: clearevt
- block:
- name: Clear Event Logs
win_shell: "wevtutil el | Select-String -notmatch \"Microsoft-Windows-LiveId\" | Foreach-Object {wevtutil cl \"$_\"}"
- name: Add marker for DetectionLab Clear Event
win_file:
path: 'c:\Windows\.detectionlab_clear_done'
state: touch
when: not clearevt.stat.exists
- name: Install Classic Shell with Chocolatey - name: Install Classic Shell with Chocolatey
win_chocolatey: win_chocolatey:
@@ -60,12 +77,19 @@
state: present state: present
install_args: "ADDLOCAL=ClassicStartMenu" install_args: "ADDLOCAL=ClassicStartMenu"
- name: Import ClassicShell config - name: Check if DetectionLab Menu Install has been done
win_shell: | win_stat:
"C:\Program Files\Classic Shell\ClassicStartMenu.exe -xml c:\vagrant\resources\windows\MenuSettings.xml" path: 'c:\Program Files\Classic Shell\.menu_install_done'
regedit /s c:\vagrant\resources\windows\MenuStyle_Default_Win7.reg register: menu_install
- block:
- name: Import ClassicShell config
win_shell: |
"C:\Program Files\Classic Shell\ClassicStartMenu.exe -xml c:\vagrant\resources\windows\MenuSettings.xml"
regedit /s c:\vagrant\resources\windows\MenuStyle_Default_Win7.reg
- name: Add marker for DetectionLab Menu install
win_file:
path: 'c:\Program Files\Classic Shell\.menu_install_done'
state: touch
when: not menu_install.stat.exists