Ansible win_audit_policy_system module not changing the value - ansible

I'm using Ansible to provision a Windows Server 2016. This is the task I'm running:
```yaml
- name: Ensure 'Audit System Extension' is set to 'Success and Failure'
  win_audit_policy_system:
    subcategory: Security System Extension
    audit_type: success, failure
```
output:

```
changed: [10.8.20.177] => {
    "changed": true,
    "current_audit_policy": {
        "security system extension": "success and failure"
    }
}
```
When I go to check on the machine whether the change was really applied, I find that it was not. I tried restarting the machine and it still didn't apply.
Windows Server 2016 system audit policies show the following:
Any ideas what's going on?

This command might give the expected result.
```
auditpol.exe /get /category:*
```
Microsoft mentioned something about this in the article below.
https://support.microsoft.com/en-us/help/2573113/auditpol-and-local-security-policy-results-may-differ
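The answer above treats `auditpol` as the authoritative view of the advanced (subcategory) audit policy, which is also what the `win_audit_policy_system` module itself reads and writes; the classic "Audit Policy" node of the Local Security Policy snap-in shows the nine legacy categories instead, so the two can legitimately disagree. The following is an added example, not code from the question or from the Ansible module: it parses the CSV that `auditpol.exe /get /subcategory:"Security System Extension" /r` prints and compares the effective setting with the `audit_type` value the playbook asked for. The sample CSV is constructed to match auditpol's `/r` column layout; on a real host you would replace it with the output of `get_auditpol_csv()`.

```python
"""Compare an advanced audit subcategory (auditpol /r output) with a playbook's audit_type."""
import csv
import io
import subprocess

# Constructed sample of `auditpol /get /subcategory:"Security System Extension" /r`
SAMPLE_AUDITPOL_CSV = """Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
WIN2016,System,Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030},Success and Failure,
"""

# auditpol's free-text "Inclusion Setting" column, normalised to the set of audited outcomes.
_SETTING_TO_OUTCOMES = {
    "no auditing": frozenset(),
    "success": frozenset({"success"}),
    "failure": frozenset({"failure"}),
    "success and failure": frozenset({"success", "failure"}),
}


def parse_auditpol_csv(text):
    """Return {subcategory (lower-case): frozenset of outcomes} from auditpol /r CSV."""
    policies = {}
    for row in csv.DictReader(io.StringIO(text)):
        setting = (row.get("Inclusion Setting") or "").strip().lower()
        if setting not in _SETTING_TO_OUTCOMES:
            raise ValueError("unexpected Inclusion Setting: %r" % setting)
        policies[row["Subcategory"].strip().lower()] = _SETTING_TO_OUTCOMES[setting]
    return policies


def wanted_outcomes(audit_type):
    """Turn the module's audit_type ("success, failure" or a list) into a set of outcomes."""
    parts = audit_type.split(",") if isinstance(audit_type, str) else list(audit_type)
    return frozenset(p.strip().lower() for p in parts if p.strip())


def subcategory_matches(csv_text, subcategory, audit_type):
    """True only if auditpol reports exactly the outcomes the playbook asked for."""
    policies = parse_auditpol_csv(csv_text)
    key = subcategory.strip().lower()
    if key not in policies:
        raise KeyError("subcategory %r not present in auditpol output" % subcategory)
    return policies[key] == wanted_outcomes(audit_type)


def get_auditpol_csv(subcategory):
    """Run auditpol on the local Windows host; not used by the offline check below."""
    return subprocess.check_output(
        ["auditpol.exe", "/get", "/subcategory:%s" % subcategory, "/r"], text=True
    )


if __name__ == "__main__":
    ok = subcategory_matches(SAMPLE_AUDITPOL_CSV, "Security System Extension", "success, failure")
    print("effective policy matches playbook:", ok)
```

Note that the comparison is exact: a subcategory set to only `Success` does not "match" a request for `success, failure`, which is the kind of partial application the question describes.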

Related

Can anyone see what I am doing wrong in the ansible playbook?

Got the following odd error with ansible lint and I can't for the life of me figure out what we did wrong, it's probably something incredibly stupid but there you go.
```
ansible-lint -p disable-beats.yml
Couldn't parse task at disable-beats.yml:5 (conflicting action statements: systemd, __line__
The error appears to be in '<unicode string>': line 5, column 7, but may
be elsewhere in the file depending on the exact syntax problem.
(could not open file to display line))
{ 'name': 'disable auditbeats',
  'skipped_rules': [],
  'systemd': { '__file__': 'disable-beats.yml',
               '__line__': 7,
               'enabled': False,
               'name': 'auditbeat'}}
```
the following is the contents of the file checked with linter:
```yaml
---
- hosts: linuxservers
  tasks:
    - name: disable auditbeats
      systemd:
        name: auditbeat
        enabled: no
```
That's a known issue with ansible-lint; upgrading to a more recent version such as 5.0.12 will make that go away. If it doesn't for your case, you can either comment on that issue or open a regression at which time you should provide the versions you are using

Terraform azurerm_virtual_machine_extension error "extension operations are disallowed"

I have written a Terraform template that creates an Azure Windows VM. I need to configure the VM to Enable PowerShell Remoting for the release pipeline to be able to execute Powershell scripts. After the VM is created I can RDP to the VM and do everything I need to do to enable Powershell remoting, however, it would be ideal if I could script all of that so it could be executed in a Release pipeline. There are two things that prevent that.
The first, and the topic of this question, is that I have to run "WinRM quickconfig". I have the template working such that when I RDP to the VM after creation and run "WinRM quickconfig", I receive the following responses:

```
WinRM service is already running on this machine.
WinRM is not set up to allow remote access to this machine for management.
The following changes must be made:
Configure LocalAccountTokenFilterPolicy to grant administrative rights remotely to local users.
Make these changes [y/n]?
```

I want to configure the VM in Terraform so LocalAccountTokenFilterPolicy is set and it becomes unnecessary to RDP to the VM to run "WinRM quickconfig". After some research it appeared I might be able to do that using the resource azurerm_virtual_machine_extension. I added this to my template:
```hcl
resource "azurerm_virtual_machine_extension" "vmx" {
  name                 = "hostname"
  location             = "${var.location}"
  resource_group_name  = "${var.vm-resource-group-name}"
  virtual_machine_name = "${azurerm_virtual_machine.vm.name}"
  # Windows VMs use the Microsoft.Compute CustomScriptExtension handler;
  # Microsoft.Azure.Extensions/CustomScript 2.0 is the Linux handler.
  publisher            = "Microsoft.Compute"
  type                 = "CustomScriptExtension"
  type_handler_version = "1.10"

  # The heredoc is passed to the extension as JSON, so it cannot contain '#' comments.
  settings = <<SETTINGS
{
  "commandToExecute": "powershell Set-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System' -Name 'LocalAccountTokenFilterPolicy' -Value 1 -Force"
}
SETTINGS
}
```
When I apply this, I get the error:

```
Error: compute.VirtualMachineExtensionsClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: autorest/azure: Service returned an error. Status=<nil> Code="OperationNotAllowed" Message="This operation cannot be performed when extension operations are disallowed. To allow, please ensure VM Agent is installed on the VM and the osProfile.allowExtensionOperations property is true."
```

I couldn't find any Terraform documentation that addresses how to set the allowExtensionOperations property to true. On a whim, I tried adding the property "allow_extension_operations" to the os_profile block in the azurerm_virtual_machine resource, but it is rejected as an invalid property. I also tried adding it to the os_profile_windows_config block and it isn't valid there either.
I found a statement in Microsoft's documentation regarding the osProfile.allowExtensionOperations property that says:
"This may only be set to False when no extensions are present on the virtual machine."
https://learn.microsoft.com/en-us/dotnet/api/microsoft.azure.management.compute.models.osprofile.allowextensionoperations?view=azure-dotnet
This implies to me that the property is True by default, but it doesn't actually say that and it certainly isn't acting like that. Is there a way in Terraform to set osProfile.allowExtensionOperations to true?
Running into the same issue adding extensions using Terraform; I created a Windows 2016 custom image.

```
provider "azurerm" version = "2.0.0"
Terraform 0.12.24
```

Terraform apply error:

```
compute.VirtualMachineExtensionsClient#CreateOrUpdate: Failure sending request: StatusCode=0
-- Original Error: autorest/azure: Service returned an error.
Status=<nil>
Code="OperationNotAllowed"
Message="This operation cannot be performed when extension operations are disallowed. To allow, please ensure VM Agent is installed on the VM and the osProfile.allowExtensionOperations property is true."
```

I ran into the same error; the possible solution depends on two things here.
You have to use provider "azurerm" version = "2.5.0" and you have to pass the os_profile_windows_config block (see below) in the virtual machine resource as well, so that Terraform will consider the extensions that you are passing. This fixed my errors.

```hcl
os_profile_windows_config {
  provision_vm_agent = true
}
```

"Invalid settings supplied for scp_executable" error in Ansible Windows .exe install

Why does this:
```yaml
- name: Install Microsoft ASP.NET MVC 4
  win_package:
    path: https://download.microsoft.com/download/2/F/6/2F63CCD8-9288-4CC8-B58C-81D109F8F5A3/AspNetMVC4Setup.exe
    arguments: '/q /norestart'
    state: present
    # Quoted: an unquoted {aspmvc4} is parsed by YAML as a flow mapping, not a string.
    product_id: '{aspmvc4}'
```
Result in this?
```
amazon-ebs: TASK [Install Microsoft ASP.NET MVC 4] **************************************************
amazon-ebs: fatal: [default]: FAILED! => {"msg": "Invalid settings supplied for scp_executable: Requested option scp_executable was not defined in configuration"}
```
It's happening for both my software installs (the other is an .msi)
I'm using Ansible with Packer in this case and the error turned out to be related to the Ansible connection plugin (WinRM Communicator heading here: https://www.packer.io/docs/provisioners/ansible.html) that was missing the definition for scp_executable.
A sample [project]/playbooks/connection_plugins/packer.py can be found here: https://gist.github.com/adarobin/2f02b8b993936233e15d76f6cddb9e00

Can you change the interim message of Ansible's until retries loop?

In one of my playbooks I start a service and poll for its status before moving onto the next task like the following:
```yaml
- name: Poll for service status
  uri:
    url: http://some-service/status
  register: response
  until: response.status == 200
  retries: 12
  delay: 10
```
This logs a message each time it queries the URL which looks like
```
FAILED - RETRYING: TASK: Poll for service status
```
Is there a way to customise this message? Specifically remove the word FAILED.
After grepping around, I found the "FAILED - RETRYING" message in the default output callback (read about callbacks here). That means you can change the callback in ansible.cfg to something that suits your needs- or make your own. You can even search the code for v2_runner_retry to see the various outputs.
For instance, here's what stdout_callback=oneline returns. There are no "retrying" messages even at -vv. It still says "FAILED" but that's because it actually failed.
```
ansible-playbook -vvi localhost, p.yml
ansible-playbook 2.4.1.0
  config file = /opt/app/ansible.cfg
  configured module search path = ['/opt/app/library']
  ansible python module location = /usr/local/lib/python3.5/dist-packages/ansible
  executable location = /usr/local/bin/ansible-playbook
  python version = 3.5.2 (default, Sep 14 2017, 22:51:06) [GCC 5.4.0 20160609]
Using /opt/app/ansible.cfg as config file
1 plays in p.yml
META: ran handlers
localhost | FAILED! => {"attempts": 3,"changed": false,"content": "","failed": true,"msg": "Status code was not [200]: Request failed: <urlopen error [Errno -2] Name or service not known>","redirected": false,"status": -1,"url": "http://some-service/status"}
```
Aside from setting it in ansible.cfg the documentation implies it can be done in a role. I have no idea how.
As @techraf said, the Ansible folks are pretty good at reviewing pull requests.
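The answer above points at `v2_runner_retry` in the default stdout callback as the place the "FAILED - RETRYING" text comes from. The following is an added example, not code from the answer or from Ansible itself: a small stdout callback plugin that subclasses the bundled `default` callback and overrides only that method, so every other line of output stays as it was. The plugin name `quiet_retry`, the file location and the message format are this example's own choices. Save it as `./callback_plugins/quiet_retry.py` and point `ansible.cfg` at it with `stdout_callback = quiet_retry` and `callback_plugins = ./callback_plugins` under `[defaults]`.

```python
"""stdout callback that reports `until` retries without the word FAILED.

The message formatter is a plain function so it can be exercised without Ansible
installed; the callback class itself is only defined when Ansible is importable,
which is always the case when Ansible loads the plugin.
"""


def retry_message(task_name, attempts, retries):
    """Interim line printed after each unsuccessful attempt of an `until` loop."""
    left = max(int(retries) - int(attempts), 0)
    return "RETRYING: %s (%d retries left)." % (task_name, left)


try:
    from ansible import constants as C
    from ansible.plugins.callback.default import CallbackModule as DefaultCallback
except ImportError:  # not running inside Ansible: only retry_message() is available
    DefaultCallback = None

if DefaultCallback is not None:

    class CallbackModule(DefaultCallback):
        CALLBACK_VERSION = 2.0
        CALLBACK_TYPE = "stdout"
        CALLBACK_NAME = "quiet_retry"  # selected with stdout_callback = quiet_retry

        def v2_runner_retry(self, result):
            # Same inputs the default callback uses: the task name and the
            # attempts/retries counters that the `until` loop stores in the result.
            task_name = result.task_name or result._task
            msg = retry_message(task_name,
                                result._result.get("attempts", 0),
                                result._result.get("retries", 0))
            # Keep the default behaviour of dumping the result at -vvv and above.
            if self._display.verbosity > 2:
                msg += " Result was: %s" % self._dump_results(result._result)
            self._display.display(msg, color=C.COLOR_DEBUG)
```

The final "FAILED!" line after the last attempt is unchanged, since that is a real failure reported by `v2_runner_on_failed`, not a retry.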

Ansible copy fails

I was trying to copy a test file from a Linux control server to a Windows 7 client. my playbook is
```yaml
- name: Test Copy from Linux to Windows
  hosts: Windows
  gather_facts: false
  tasks:
    - name: Copy
      copy: src=/tmp/tmp.txt dest=C:\Ansible
```
And getting this error
```
failed: [10.8.0.4] => {"failed": true, "md5sum": "c9566265d534d0e3c666ea52daf96cc8", "parsed": false}
invalid output was: The argument 'C:\Users\me.HOMEPC\AppData\Local\Temp\ansible-tmp-1422383762.86-109261083693479\\copy.ps1' to the -File parameter does not exist. Provide the path to an existing '.ps1' file as an argument to the -File parameter.
FATAL: all hosts have already failed -- aborting
```
Any thoughts? How I can make this work?
There's a small bug in that fork version. Use https://gist.github.com/dmitrydigi/dc4843fca7e69bcca147 with the fix. If you use the mentioned version, then template will always report changed=true.
Looks like the copy module doesn't support copying files to Windows and, at the moment, a win_copy module is in the dev phase.
However I have found this VERY useful module which is copy.ps1
https://gist.github.com/tkinz27/fd92ba9af0e0309614ee
And then things got working :-)
Important: You gotta upgrade your Windows (7) Powershell to Version 4.0
