From 5545d0c5a7f7c756b24daec38bf721fc5a0761d3 Mon Sep 17 00:00:00 2001
From: juju4
Date: Sun, 15 Nov 2020 16:36:08 -0500
Subject: [PATCH] Azure/Ansible: improve idempotency (2)
---
 Azure/Ansible/roles/dc/tasks/main.yml | 20 ++++++++++-
 Azure/Ansible/roles/wef/tasks/main.yml | 27 ++++++++++++---
 Azure/Ansible/roles/win10/tasks/main.yml | 44 ++++++++++++++++++------
 3 files changed, 76 insertions(+), 15 deletions(-)
diff --git a/Azure/Ansible/roles/dc/tasks/main.yml b/Azure/Ansible/roles/dc/tasks/main.yml
index 6378468..c4f8baa 100644
--- a/Azure/Ansible/roles/dc/tasks/main.yml
+++ b/Azure/Ansible/roles/dc/tasks/main.yml
@@ -1,7 +1,12 @@
 --- - name: Set DNS Address - win_shell: "Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 127.0.0.1,8.8.8.8" + win_dns_client: + adapter_names: '*' + ipv4_addresses: + - 127.0.0.1 + - 8.8.8.8 + log_path: C:\dns_log.txt - name: Install git win_chocolatey:
@@ -33,6 +38,8 @@
 - Users - Administrators password_never_expires: yes + # Fail after domain creation: Failed to remove Domain Users: Exception calling \"Remove\" with \"1\" argument(s): \"This operation is not allowed on this special group. + ignore_errors: true - name: Create the Domain win_shell: .\\provision.ps1
@@ -47,6 +54,7 @@
 pre_reboot_delay: 15 reboot_timeout: 600 post_reboot_delay: 60 + when: domain_creation.changed - name: Configure OU win_shell: .\\configure-ou.ps1
@@ -60,6 +68,7 @@
 ansible_become_password: vagrant ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only failed_when: "'Exception' in ou_creation.stderr" + changed_when: "'already exists. Moving On.' not in ou_creation.stdout" - debug: msg="{{ ou_creation.stdout_lines }}"
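Review bot: `adapter_names: '*'` widens the change from the single `Ethernet` interface that the removed `Set-DnsClientServerAddress -InterfaceAlias Ethernet` targeted to every adapter on the host, and the commit message does not mention that; if the VM has a second NIC its resolver list is overwritten too. If the primary interface alone is still the intent, use `adapter_names: Ethernet`; otherwise a comment `# intentionally applied to all adapters` above the line would record the decision. `log_path: C:\dns_log.txt` also leaves a debugging log at the root of the system drive on every run; drop it once the task is trusted or point it at a temp directory. The same three lines appear in the first hunk of the wef and win10 roles.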
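Review bot: `ignore_errors: true` on the user task hides every failure of that task, not only the `Domain Users` removal the new comment describes, so a wrong password, a missing group or a transport error would also be reported as success. Prefer registering the result and narrowing the condition to the known message, e.g. `register: local_user` and `failed_when: local_user.failed and 'special group' not in (local_user.msg | default(''))`; alternatively, since the comment says the failure only occurs after domain creation, a `when:` that keeps the task from re-running once the domain exists would avoid the error entirely. The `\"` escapes inside the comment are noise in a YAML comment and can be plain quotes. The task's header (module and user name) is above the hunk, so I cannot see whether a `register` already exists.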
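Review bot: `when: domain_creation.changed` only gates the reboot if the `Create the Domain` task above it reports an accurate changed state; a `win_shell` task reports changed on every run unless it carries its own `changed_when`, and that task lies outside the hunk so I cannot tell whether it does. If it does not, the reboot still happens every run and the idempotency gain is lost. `when: domain_creation is changed` is also the current Ansible test form and does not raise when the registered result has no `changed` key, e.g. after a skipped task.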
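Review bot: `changed_when: "'already exists. Moving On.' not in ou_creation.stdout"` ties the task's change report to the exact text printed by `configure-ou.ps1`; if that wording changes, the task silently reports changed on every run and nothing flags it. A comment above the line such as `# marker printed by configure-ou.ps1 when the OU already exists; keep in sync with the script` would make the coupling visible to whoever edits the script. The same pattern is used by the GPO tasks later in this file.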
@@ -75,8 +84,10 @@
 ansible_become_password: vagrant ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only failed_when: "'Exception' in wef_gpo.stderr" + changed_when: "' already linked on ' not in wef_gpo.stdout" - debug: msg="{{ wef_gpo.stdout_lines }}" + when: wef_gpo.stdout_lines is defined - name: Configure Powershell Logging GPO win_shell: .\\configure-powershelllogging.ps1
@@ -90,8 +101,10 @@
 ansible_become_password: vagrant ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only failed_when: "'Exception' in powershell_gpo.stderr" + changed_when: "' already linked on ' not in wef_gpo.stdout" - debug: msg="{{ powershell_gpo.stdout_lines }}" + when: powershell_gpo.stdout_lines is defined - name: Configure Auditing Policy GPO win_shell: .\\configure-AuditingPolicyGPOs.ps1
@@ -105,8 +118,10 @@
 ansible_become_password: vagrant ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only failed_when: "'Exception' in audit_policy.stderr" + changed_when: "' already linked on ' not in audit_policy.stdout" - debug: msg="{{ audit_policy.stdout_lines }}" + when: audit_policy.stdout_lines is defined - name: Disable Windows Defender GPO win_shell: .\\configure-disable-windows-defender-gpo.ps1
@@ -120,6 +135,7 @@
 ansible_become_password: vagrant ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only failed_when: "'Exception' in disable_win_def.stderr" + changed_when: "' already linked at ' not in disable_win_def.stdout" - debug: msg="{{ disable_win_def.stdout_lines }}"
@@ -135,8 +151,10 @@
 ansible_become_password: vagrant ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only failed_when: "'Exception' in rdp_gpo.stderr" + changed_when: "' already linked at ' not in rdp_gpo.stdout" - debug: msg="{{ rdp_gpo.stdout_lines }}" + when: rdp_gpo.stdout_lines is defined - name: Configure DC with raw Commands win_shell: "{{ item }}"
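Review bot: The `changed_when` marker strings added in this file are not uniform: the WEF, PowerShell-logging and audit-policy tasks test for `' already linked on '`, while the Windows Defender and RDP tasks test for `' already linked at '`. If the underlying scripts print the same phrase, one of the two groups never matches and those tasks report changed on every run; I cannot see the scripts, so please confirm each string against the output of its `configure-*.ps1` and consider a short comment naming the script on each line. This applies to the hunks at -75, -90, -105, -120 and -135.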
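Review bot: The `changed_when` added for the PowerShell Logging GPO task reads `wef_gpo.stdout` instead of `powershell_gpo.stdout`, so its changed status is decided by the previous task's output; the `failed_when` and `debug` lines beside it show this task registers as `powershell_gpo`. It should be `changed_when: "' already linked on ' not in powershell_gpo.stdout"`. As written it would also raise an undefined-attribute error if the WEF task was skipped and `wef_gpo` carries no stdout.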
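Review bot: The `debug` line after the Windows Defender GPO task is the only one in this series that did not get the `when: ... stdout_lines is defined` guard the sibling debugs received in the same commit, so it still fails with an undefined attribute when `disable_win_def` has no `stdout_lines`. Add `when: disable_win_def.stdout_lines is defined` under it, matching the wef_gpo, powershell_gpo, audit_policy and rdp_gpo debugs.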
diff --git a/Azure/Ansible/roles/wef/tasks/main.yml b/Azure/Ansible/roles/wef/tasks/main.yml
index ffd6f19..44c03b6 100644
--- a/Azure/Ansible/roles/wef/tasks/main.yml
+++ b/Azure/Ansible/roles/wef/tasks/main.yml
@@ -1,7 +1,12 @@
 --- -# This needs to be made idempodent + - name: Set HostOnly DNS Address - win_shell: "Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.38.102,8.8.8.8" + win_dns_client: + adapter_names: '*' + ipv4_addresses: + - 192.168.38.102 + - 8.8.8.8 + log_path: C:\dns_log.txt - name: Install git win_chocolatey:
@@ -48,8 +53,20 @@
 dest: "C:\\Users\\vagrant\\AppData\\Local\\Temp\\Microsoft ATA 1.9.iso" timeout: 3600 -- name: Clear Event Logs - win_shell: "wevtutil el | Select-String -notmatch \"Microsoft-Windows-LiveId\" | Foreach-Object {wevtutil cl \"$_\"}" +- name: Check if DetectionLab Clear Event Logs has been done + win_stat: + path: 'c:\Windows\.detectionlab_clear_done' + register: clearevt + +- block: + - name: Clear Event Logs + win_shell: "wevtutil el | Select-String -notmatch \"Microsoft-Windows-LiveId\" | Foreach-Object {wevtutil cl \"$_\"}" + + - name: Add marker for DetectionLab Clear Event + win_file: + path: 'c:\Windows\.detectionlab_clear_done' + state: touch + when: not clearevt.stat.exists - name: Downloading the Palantir WEF Configuration win_shell: ".\\download_palantir_wef.ps1"
@@ -95,10 +112,12 @@
 win_shell: ".\\configure-pslogstranscriptsshare.ps1" args: chdir: 'c:\vagrant\scripts' + creates: c:\pslogs register: pstranscriptshare failed_when: "'Exception' in pstranscriptshare.stdout" - debug: msg="{{ pstranscriptshare.stdout_lines }}" + when: pstranscriptshare.stdout_lines is defined - name: Installing the EVTX Event Samples win_shell: ".\\install-evtx-attack-samples.ps1"
diff --git a/Azure/Ansible/roles/win10/tasks/main.yml b/Azure/Ansible/roles/win10/tasks/main.yml
index 0b972b1..1f41cc2 100644
--- a/Azure/Ansible/roles/win10/tasks/main.yml
+++ b/Azure/Ansible/roles/win10/tasks/main.yml
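Review bot: The new `block:` has no `name:`, and its marker `c:\Windows\.detectionlab_clear_done` is a hidden file dropped directly into the Windows directory; a named block (`- name: Clear event logs once`) reads better in play output, and a marker under a lab-owned directory such as `C:\ProgramData\DetectionLab\` keeps provisioning state out of the OS tree and grouped for cleanup. The marker also only records that the clear ran once on this image, so anyone who needs the logs cleared again has to delete it by hand — a comment above the block, `# one-shot: delete the marker file to clear the logs again`, would say so. The same block appears in the win10 role's hunk at -50.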
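Review bot: `creates: c:\pslogs` makes the share-configuration script skip forever once that directory exists, even if an earlier run created the directory and then failed before finishing; the `failed_when` on `'Exception'` in stdout suggests the script can fail part-way, and if it does more than create the directory (the name suggests it also sets up a share) a marker written only after success is a safer guard than the directory itself. Minor: the sibling `chdir: 'c:\vagrant\scripts'` is quoted while `creates: c:\pslogs` is not — quote it the same way. The `when: ... is defined` on the debug is the right companion to `creates`, since a run skipped by `creates` returns no `stdout_lines`.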
@@ -1,6 +1,11 @@
 --- - name: Set HostOnly DNS Address - win_shell: "Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.38.102,8.8.8.8" + win_dns_client: + adapter_names: '*' + ipv4_addresses: + - 192.168.38.102 + - 8.8.8.8 + log_path: C:\dns_log.txt - name: Install git win_chocolatey:
@@ -50,8 +55,20 @@
 post_reboot_delay: 60 when: win10_join_domain.changed -- name: Clear Event Logs - win_shell: "wevtutil el | Select-String -notmatch \"Microsoft-Windows-LiveId\" | Foreach-Object {wevtutil cl \"$_\"}" +- name: Check if DetectionLab Clear Event Logs has been done + win_stat: + path: 'c:\Windows\.detectionlab_clear_done' + register: clearevt + +- block: + - name: Clear Event Logs + win_shell: "wevtutil el | Select-String -notmatch \"Microsoft-Windows-LiveId\" | Foreach-Object {wevtutil cl \"$_\"}" + + - name: Add marker for DetectionLab Clear Event + win_file: + path: 'c:\Windows\.detectionlab_clear_done' + state: touch + when: not clearevt.stat.exists - name: Install Classic Shell with Chocolatey win_chocolatey:
@@ -60,12 +77,19 @@
 state: present install_args: "ADDLOCAL=ClassicStartMenu" -- name: Import ClassicShell config - win_shell: | - "C:\Program Files\Classic Shell\ClassicStartMenu.exe -xml c:\vagrant\resources\windows\MenuSettings.xml" - regedit /s c:\vagrant\resources\windows\MenuStyle_Default_Win7.reg - - - +- name: Check if DetectionLab Menu Install has been done + win_stat: + path: 'c:\Program Files\Classic Shell\.menu_install_done' + register: menu_install +- block: + - name: Import ClassicShell config + win_shell: | + "C:\Program Files\Classic Shell\ClassicStartMenu.exe -xml c:\vagrant\resources\windows\MenuSettings.xml" + regedit /s c:\vagrant\resources\windows\MenuStyle_Default_Win7.reg + - name: Add marker for DetectionLab Menu install + win_file: + path: 'c:\Program Files\Classic Shell\.menu_install_done' + state: touch + when: not menu_install.stat.exists
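Review bot: The first line of the `Import ClassicShell config` script, `"C:\Program Files\Classic Shell\ClassicStartMenu.exe -xml c:\vagrant\resources\windows\MenuSettings.xml"`, is a bare double-quoted string in PowerShell: it is evaluated as a string literal and written to output, not executed, so the menu settings are never imported — and because the marker is touched right afterwards, the step is now never retried. The executable needs the call operator with its arguments outside the quotes: `& "C:\Program Files\Classic Shell\ClassicStartMenu.exe" -xml c:\vagrant\resources\windows\MenuSettings.xml`. The line was carried over unchanged from the removed task, so the commit did not introduce it, but the new marker hides it. Separately, a marker inside `C:\Program Files\Classic Shell` is tied to the application's own directory and may survive or vanish with a reinstall; a marker in a lab-owned directory would be more predictable, and the block deserves a `name:` and a blank line before it like the rest of the file.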