Puppet Class: secure_windows::stig::v73389
- Defined in:
- manifests/stig/v73389.pp
Overview
This class manages two STIG findings: V-73373 (Active Directory Group Policy objects must have proper access control permissions) and V-73389 (Active Directory Group Policy objects must be configured with proper audit settings).
# File 'manifests/stig/v73389.pp', line 6
class secure_windows::stig::v73389 (
  Boolean $enforced = false,
) {
  # Declares the ACL for the Group Policy "Policies" container: the DACL
  # entries for V-73373 and the SACL (audit) entries for V-73389. Nothing is
  # declared unless $enforced is true and the windows_server_type fact reports
  # 'windowsdc'.
  #
  # NOTE(review): root_domain and domain_sid are read from facts with no check
  # that they are set. If either is missing, the interpolations below produce
  # a DN of "CN=Policies,CN=System," and trustees of "-512" / "-520" -- confirm
  # these facts always resolve on domain controllers.
  if $enforced and $facts['windows_server_type'] == 'windowsdc' {
    $root_domain = $facts['root_domain']
    $domain_sid  = $facts['domain_sid']

    # SACL entries. S-1-1-0 is the well-known SID for Everyone.
    # The inheritance_type values look like .NET
    # ActiveDirectorySecurityInheritance names ('None' = this object only,
    # 'Descendents' = child objects only) -- confirm against the ad_acl type.
    $gpo_audit_rules = [
      # Successful property writes and DACL changes.
      {
        'ad_rights'        => 'WriteProperty, WriteDacl',
        'identity'         => 'S-1-1-0',
        'audit_flags'      => 'Success',
        'inheritance_type' => 'Descendents',
      },
      # Failed attempts at any right.
      {
        'ad_rights'        => 'GenericAll',
        'identity'         => 'S-1-1-0',
        'audit_flags'      => 'Failure',
        'inheritance_type' => 'None',
      },
    ]

    # DACL entries, all of type Allow.
    # NOTE(review): every entry uses inheritance_type 'None', so these
    # presumably apply to the Policies container itself and not to the GPO
    # objects beneath it; confirm that scope is what V-73373 requires. Whether
    # ad_acl removes entries not listed here is not visible in this manifest --
    # verify before setting enforced => true.
    $gpo_access_rules = [
      # S-1-5-11: Authenticated Users, read only.
      {
        'identity'            => 'S-1-5-11',
        'ad_rights'           => 'GenericRead',
        'access_control_type' => 'Allow',
        'inheritance_type'    => 'None',
      },
      # S-1-5-18: Local System, full control.
      {
        'identity'            => 'S-1-5-18',
        'ad_rights'           => 'GenericAll',
        'access_control_type' => 'Allow',
        'inheritance_type'    => 'None',
      },
      # RID 512: Domain Admins of this domain.
      {
        'identity'            => "${domain_sid}-512",
        'ad_rights'           => 'CreateChild, DeleteChild, Self, WriteProperty, ExtendedRight, GenericRead, WriteDacl, WriteOwner',
        'access_control_type' => 'Allow',
        'inheritance_type'    => 'None',
      },
      # RID 520: Group Policy Creator Owners, may create child objects only.
      {
        'identity'            => "${domain_sid}-520",
        'ad_rights'           => 'CreateChild',
        'access_control_type' => 'Allow',
        'inheritance_type'    => 'None',
      },
    ]

    ad_acl { "CN=Policies,CN=System,${root_domain}":
      audit_rules  => $gpo_audit_rules,
      access_rules => $gpo_access_rules,
    }
  }
}