
acsc_e8_application_control

Enforces ACSC E8 application control


Version information

  • 0.1.0 (latest)
released Nov 9th 2021
This version is compatible with:
  • Puppet Enterprise 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
  • Puppet >= 6.21.0 < 8.0.0
  • windows

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'benjaminrobertson-acsc_e8_application_control', '0.1.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add benjaminrobertson-acsc_e8_application_control
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install benjaminrobertson-acsc_e8_application_control --version 0.1.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.


Documentation

benjaminrobertson/acsc_e8_application_control — version 0.1.0 Nov 9th 2021

acsc_e8_application_control

A Puppet module which automates the setup of ACSC Essential Eight application control on Windows, without requiring the use of Group Policy. It allows application control to be configured at scale, as the ACSC intended, across every Puppet-managed environment using a repeatable method.

For more information about AppLocker: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview

For more information about Essential 8: https://www.cyber.gov.au/acsc/view-all-content/essential-eight

For more information about Application control: https://www.cyber.gov.au/acsc/view-all-content/publications/implementing-application-control

Table of Contents

  1. Description
  2. Setup - The basics of getting started with acsc_e8_application_control
  3. Usage - Configuration options and additional functionality
  4. Limitations - OS compatibility, etc.
  5. Development - Guide for contributing to the module

Description

Use this module to easily implement basic application control on your Windows hosts. It implements application control as described by the ACSC (link; backup link).

Setup

What acsc_e8_application_control affects

See here (page 2) for information on which AppLocker rules will be configured.

In addition, c:\choco will also be whitelisted for executables so that Chocolatey can run from its default directory. Chocolatey is commonly used in conjunction with Puppet on Windows for package management. Chocolatey

Warning

Please only apply this module to test nodes initially. AppLocker can prevent applications from running and could cause outages in production systems.

Setup Requirements

The following modules are dependencies required by acsc_e8_application_control:

Beginning with acsc_e8_application_control

include acsc_e8_application_control

Usage

Standard defaults

class { 'acsc_e8_application_control':
  # Enforcement mode for each AppLocker rule collection
  executable_rules   => 'Enabled',
  msi_rules          => 'Enabled',
  dll_rules          => 'Enabled',
  script_rules       => 'Enabled',
  packaged_app_rules => 'Enabled',
  # Start the Application Identity service so the rules are enforced
  start_service      => true,
}

Additional AppLocker rules can be specified as shown below. Hiera is the preferred method for configuring and managing large rule hashes.

class { 'acsc_e8_application_control':
  additional_exec_applocker_rules => {
    # Path rule allowing Everyone (SID S-1-1-0) to run executables under %OSDRIVE%\temp
    'Exec c:\\temp' => {
      'ensure'            => 'present',
      'action'            => 'Allow',
      'conditions'        => {
        'path' => '%OSDRIVE%\\temp\\*',
      },
      'description'       => 'Allow all users to run executable from c:\\temp',
      'rule_type'         => 'path',
      'type'              => 'Exe',
      'user_or_group_sid' => 'S-1-1-0',
    },
  },
  executable_rules   => 'Enabled',
  msi_rules          => 'Enabled',
  dll_rules          => 'Enabled',
  script_rules       => 'Enabled',
  packaged_app_rules => 'Enabled',
  start_service      => true,
}

To remove the rule, change 'ensure' to 'absent', e.g.

class { 'acsc_e8_application_control':
  additional_exec_applocker_rules => {
    # Same rule as above, but 'absent' removes it from the policy
    'Exec c:\\temp' => {
      'ensure'            => 'absent',
      'action'            => 'Allow',
      'conditions'        => {
        'path' => '%OSDRIVE%\\temp\\*',
      },
      'description'       => 'Allow all users to run executable from c:\\temp',
      'rule_type'         => 'path',
      'type'              => 'Exe',
      'user_or_group_sid' => 'S-1-1-0',
    },
  },
  executable_rules   => 'Enabled',
  msi_rules          => 'Enabled',
  dll_rules          => 'Enabled',
  script_rules       => 'Enabled',
  packaged_app_rules => 'Enabled',
  start_service      => true,
}

For more information on how to construct AppLocker rules, please see the https://forge.puppet.com/modules/fervid/applocker documentation.

Limitations

Currently, we are unable to set the AppLocker rules to run in audit-only mode. This is due to a limitation in the underlying custom type.

This module has been tested on:

  • Windows Server 2016
  • Windows Server 2019

Windows 10 has not been tested; however, it is expected to work.

It can take a few minutes for AppLocker to apply policies after Puppet runs, especially when setting up AppLocker for the first time. I have seen it take over 20 minutes in some cases.
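Because the module cannot run AppLocker in audit-only mode and policies can take a while to land, it helps to verify a test node after a Puppet run. The following script is an added example, not part of this module: it assumes an elevated PowerShell session on a node the module has already configured, and the sample paths and user are constructed values (c:\choco and c:\temp match the rules described above).

```powershell
# Added verification script (not part of the module). Run elevated on a node that
# Puppet has already configured. $PathsToCheck and $UserToCheck are constructed samples.

$PathsToCheck = @(
    'C:\choco\bin\choco.exe',         # whitelisted by the module for Chocolatey
    'C:\temp\example.exe',            # allowed only if the additional c:\temp rule is present
    'C:\Users\Public\downloaded.exe'  # user-writable location; expected to be blocked
)
$UserToCheck = 'Everyone'  # S-1-1-0, the SID used by the example rules

# 1. AppLocker enforcement depends on the Application Identity service (start_service => true).
$svc = Get-Service -Name AppIDSvc
"AppIDSvc status: $($svc.Status)"

# 2. Pull the effective policy and show each rule collection's enforcement mode,
#    which should read 'Enabled' once the module's settings have been applied.
$policy = Get-AppLockerPolicy -Effective
foreach ($collection in $policy.RuleCollections) {
    '{0,-15} mode={1,-12} rules={2}' -f $collection.RuleCollectionType,
        $collection.EnforcementMode, $collection.Count
}

# 3. Ask AppLocker how it would decide for each sample path, without executing anything.
#    Test-AppLockerPolicy needs the file to exist on disk, so skip paths that do not.
$existing = $PathsToCheck | Where-Object { Test-Path -Path $_ }
if ($existing) {
    Test-AppLockerPolicy -PolicyObject $policy -Path $existing -User $UserToCheck |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# 4. Recent blocks (event ID 8004 in the EXE and DLL log) show what AppLocker actually
#    stopped on this node, which is the signal to watch when testing before production.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id        = 8004
    StartTime = (Get-Date).AddDays(-1)
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```

If step 2 shows a collection still in 'NotConfigured' or step 4 shows no events shortly after the run, wait and re-check rather than assuming the policy failed, since the delay noted above is normal.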

Development

Open to Pull requests :)