xsystemsecurity
Documentation
Table of Contents
Description
This is an auto-generated module, using the Puppet DSC Builder to vendor and expose the PowerShell module's DSC resources as Puppet resources. The functionality of this module comes entirely from the vendored PowerShell resources, which are pinned at v1.5.1. The PowerShell module describes itself like this:
This module contains DSC resources for configuring and managing computer security.
For information on troubleshooting to determine whether any encountered problems are with the Puppet wrapper or the DSC resource, see the troubleshooting section below.
Requirements
This module, like all auto-generated Puppetized DSC modules, relies on two important technologies in the Puppet stack: the Puppet Resource API and the puppetlabs/pwshlib Puppet module.
The Resource API provides a simplified option for writing types and providers and is responsible for how this module is structured. The Resource API ships inside of Puppet starting with version 6. While it is technically possible to add the Resource API functionality to Puppet 5.5.x, the DSC functionality has not been tested in this setup. For more information on the Resource API, review the documentation.
The module also depends on the pwshlib module. This Puppet module includes two important things: the ruby-pwsh library for running PowerShell code from ruby and the base provider for DSC resources, which this module leverages.
All of the actual work being done to call the DSC resources vendored with this module is in this file from the pwshlib module. This is important for troubleshooting and bug reporting, but doesn't impact your use of the module except that the end result will be that nothing works, as the dependency is not installed alongside this module!
Usage
You can specify any of the DSC resources from this module like a normal Puppet resource in your manifests. The examples below use DSC resources from from the PowerShellGet repository, regardless of what module you're looking at here; the syntax, not the specifics, is what's important.
For reference documentation about the DSC resources exposed in this module, see the Reference Forge tab, or the REFERENCE.md file.
# Include a meaningful title for your resource declaration
dsc_psrepository { 'Add team module repo':
dsc_name => 'foo',
dsc_ensure => present,
# This location is nonsense, can be any valid folder on your
# machine or in a share, any location the SourceLocation param
# for the DSC resource will accept.
dsc_sourcelocation => 'C:\Program Files',
# You must always pass an enum fully lower-cased;
# Puppet is case sensitive even when PowerShell isn't
dsc_installationpolicy => untrusted,
}
dsc_psrepository { 'Trust public gallery':
dsc_name => 'PSGallery',
dsc_ensure => present,
dsc_installationpolicy => trusted,
}
dsc_psmodule { 'Make Ruby manageable via uru':
dsc_name => 'RubyInstaller',
dsc_ensure => present,
}
For more information about using a built module, check out our narrative documentation.
Properties
Note that the only properties specified in a resource declaration which are passed to Invoke-Dsc are all prepended with dsc.
If a property does _not start with dsc_ it is used to control how Puppet interacts with DSC/other Puppet resources - for example,
specifying a unique name for the resource for Puppet to distinguish between declarations or Puppet metaparameters (notifies,
before, etc).
Troubleshooting
In general, there are three broad categories of problems:
- Problems with the way the underlying DSC resource works.
- Problems with the type definition, where you can't specify a valid set of properties for the DSC resource
- Problems with calling the underlying DSC resource - the parameters aren't being passed correctly or the resource can't be found
Unfortunately, problems with the way the underlying DSC resource works are something we can't help directly with. You'll need to file an issue with the upstream maintainers for the PowerShell module.
Problems with the type definition are when a value that should be valid according to the DSC resource's documentation and code is not accepted by the Puppet wrapper. If and when you run across one of these, please file an issue with the Puppet DSC Builder; this is where the conversion happens and once we know of a problem we can fix it and regenerate the Puppet modules. To help us identify the issue, please specify the DSC module, version, resource, property and values that are giving you issues. Once a fix is available we will regenerate and release updated versions of this Puppet wrapper.
Problems with calling the underlying DSC resource become apparent by comparing <value passed in in puppet>
with <value received by DSC>
.
In this case, please file an issue with the puppetlabs/pwshlib module, which is where the DSC base provider actually lives.
We'll investigate and prioritize a fix and update the puppetlabs/pwshlib module.
Updating to the pwshlib version with the fix will immediately take advantage of the improved functionality without waiting for this module to be reconverted and published.
For specific information on troubleshooting a generated module, check the troubleshooting guide for the puppet.dsc module.
Known Limitations
Currently, because of the way Puppet caches files on agents, use of the legacy puppetlabs-dsc
module is not compatible with this or any auto-generated DSC module.
Inclusion of both will lead to pluginsync conflicts.
Reference
Table of Contents
Resource types
dsc_xfilesystemaccessrule
: The DSC xFileSystemAccessRule resource type. Automatically generated from version 1.5.1dsc_xieesc
: The DSC resource type. Automatically generated from version 1.5.1dsc_xuac
: The DSC resource type. Automatically generated from version 1.5.1
Resource types
dsc_xfilesystemaccessrule
The DSC xFileSystemAccessRule resource type. Automatically generated from version 1.5.1
Properties
The following properties are available in the dsc_xfilesystemaccessrule
type.
dsc_ensure
Data type: Optional[Enum['Present', 'Absent']]
Present to create the rule, Absent to remove an existing rule. Default value is 'Present'.
dsc_isactivenode
Data type: Optional[Boolean]
Determines if the current node is actively hosting the filesystem object.
dsc_processonlyonactivenode
Data type: Optional[Boolean]
Specifies that the resource will only determine if a change is needed if the target node is the active host of the filesystem object. The user the configuration is run as must have permission to the Windows Server Failover Cluster.
dsc_rights
Data type: Optional[Array[Enum['ListDirectory', 'ReadData', 'WriteData', 'CreateFiles', 'CreateDirectories', 'AppendData', 'ReadExtendedAttributes', 'WriteExtendedAttributes', 'Traverse', 'ExecuteFile', 'DeleteSubdirectoriesAndFiles', 'ReadAttributes', 'WriteAttributes', 'Write', 'Delete', 'ReadPermissions', 'Read', 'ReadAndExecute', 'Modify', 'ChangePermissions', 'TakeOwnership', 'Synchronize', 'FullControl']]]
The permissions to include in this rule. Optional if Ensure is set to value 'Absent'.
Parameters
The following parameters are available in the dsc_xfilesystemaccessrule
type.
dsc_identity
namevar
Data type: String
The identity to set permissions for
dsc_path
namevar
Data type: String
The path to the item that should have permissions set
dsc_psdscrunascredential
Data type: Optional[Struct[{ user => String[1], password => Sensitive[String[1]] }]]
name
namevar
Data type: String
Description of the purpose for this resource declaration.
dsc_xieesc
The DSC resource type. Automatically generated from version 1.5.1
Properties
The following properties are available in the dsc_xieesc
type.
dsc_psdscrunascredential
Data type: Optional[Struct[{ user => String[1], password => Sensitive[String[1]] }]]
Parameters
The following parameters are available in the dsc_xieesc
type.
dsc_isenabled
namevar
Data type: Boolean
dsc_userrole
namevar
Data type: String
name
namevar
Data type: String
Description of the purpose for this resource declaration.
dsc_xuac
The DSC resource type. Automatically generated from version 1.5.1
Properties
The following properties are available in the dsc_xuac
type.
dsc_psdscrunascredential
Data type: Optional[Struct[{ user => String[1], password => Sensitive[String[1]] }]]
Parameters
The following parameters are available in the dsc_xuac
type.
dsc_setting
namevar
Data type: String
name
namevar
Data type: String
Description of the purpose for this resource declaration.
[1.5.1] - 2020-03-13
Deprecated
- THIS MODULE HAS BEEN DEPRECATED. It will no longer be released. Please use
the following modules instead:
- The resource
xIEEsc
have been replaced byIEEnhancedSecurityConfiguration
in the module ComputerManagementDsc. - The resource
xUac
have been replaced byUserAccountControl
in the module ComputerManagementDsc. - The resource
xFileSystemAccessRule
have been replaced byFileSystemAccessRule
in the module FileSystemDsc.
- The resource
Fixed
- Fixes issue with importing composite resources (issue #34).
[1.5.0] - 2020-01-29
Added
- xSystemSecurity
- Added continuous delivery with a new CI pipeline.
Fixed
- xSystemSecurity
- Fixed the correct URL on status badges.
- xFileSystemAccessRule
- Corrected flag handling so that the
Test-TargetResource
passes correctly. - Using
Ensure = 'Absent'
with no rights specified will now correctly remove existing ACLs for the specified identity, rather than silently leaving them there. - Correctly returns property
Ensure
from the functionGet-TargetResource
.
- Corrected flag handling so that the
[1.4.0.0] - 2018-06-13
- Changes to xFileSystemAccessRule
- Fixed issue when cluster shared disk is not present on the server (issue #16). Dan Reist (@randomnote1)
[1.3.0.0] - 2017-12-20
- Updated FileSystemACL Set
[1.2.0.0] - 2016-09-21
- Converted appveyor.yml to install Pester from PSGallery instead of from Chocolatey.
- Added xFileSystemAccessRule resource
[1.1.0.0] - 2015-09-11
- Fixed encoding
[1.0.0.0] - 2015-04-23
- Initial release with the following resources
- xUAC
- xIEEsc
Dependencies
- puppetlabs/pwshlib (>= 0.7.0 < 2.0.0)