239 lines
9.6 KiB
YAML
239 lines
9.6 KiB
YAML
|
---
|
||
|
- name: run win_whoami with normal execution
|
||
|
win_whoami:
|
||
|
register: win_whoami_result
|
||
|
|
||
|
- name: assert win_whoami with normal execution
|
||
|
assert:
|
||
|
that:
|
||
|
- not win_whoami_result is changed
|
||
|
- win_whoami_result.account.account_name is defined
|
||
|
- win_whoami_result.account.domain_name is defined
|
||
|
- win_whoami_result.account.sid is defined
|
||
|
- win_whoami_result.account.type == 'User'
|
||
|
- win_whoami_result.authentication_package is defined
|
||
|
- win_whoami_result.dns_domain_name is defined
|
||
|
- win_whoami_result.groups|count >= 1
|
||
|
- win_whoami_result.groups[0].account_name is defined
|
||
|
- win_whoami_result.groups[0].attributes is defined
|
||
|
- win_whoami_result.groups[0].domain_name is defined
|
||
|
- win_whoami_result.groups[0].sid is defined
|
||
|
- win_whoami_result.groups[0].type is defined
|
||
|
- win_whoami_result.impersonation_level == 'SecurityAnonymous'
|
||
|
- win_whoami_result.label.account_name == 'High Mandatory Level'
|
||
|
- win_whoami_result.label.domain_name == 'Mandatory Label'
|
||
|
- win_whoami_result.label.sid == 'S-1-16-12288'
|
||
|
- win_whoami_result.label.type == 'Label'
|
||
|
- win_whoami_result.login_domain is defined
|
||
|
- win_whoami_result.login_time is defined
|
||
|
- win_whoami_result.logon_id is defined
|
||
|
- win_whoami_result.logon_server is defined
|
||
|
- win_whoami_result.logon_sid.account_name is defined
|
||
|
- win_whoami_result.logon_sid.domain_name is defined
|
||
|
- win_whoami_result.logon_sid.sid is defined
|
||
|
- win_whoami_result.logon_sid.type == 'Logon'
|
||
|
- win_whoami_result.logon_type.startswith('Network')
|
||
|
- win_whoami_result.privileges is defined
|
||
|
- win_whoami_result.rights|count >= 1
|
||
|
- win_whoami_result.token_type == 'TokenPrimary'
|
||
|
- win_whoami_result.upn is defined
|
||
|
- win_whoami_result.user_flags is defined
|
||
|
|
||
|
- name: run win_whoami with SYSTEM execution
|
||
|
win_whoami:
|
||
|
become: yes
|
||
|
become_method: runas
|
||
|
become_user: SYSTEM
|
||
|
register: win_whoami_result
|
||
|
|
||
|
- name: assert win_whoami with SYSTEM execution
|
||
|
assert:
|
||
|
that:
|
||
|
- not win_whoami_result is changed
|
||
|
- win_whoami_result.account.account_name == 'SYSTEM'
|
||
|
- win_whoami_result.account.domain_name == 'NT AUTHORITY'
|
||
|
- win_whoami_result.account.sid == 'S-1-5-18'
|
||
|
- win_whoami_result.account.type == 'User'
|
||
|
- win_whoami_result.authentication_package is defined
|
||
|
- win_whoami_result.dns_domain_name is defined
|
||
|
- win_whoami_result.groups|count >= 1
|
||
|
- win_whoami_result.groups[0].account_name is defined
|
||
|
- win_whoami_result.groups[0].attributes is defined
|
||
|
- win_whoami_result.groups[0].domain_name is defined
|
||
|
- win_whoami_result.groups[0].sid is defined
|
||
|
- win_whoami_result.groups[0].type is defined
|
||
|
- win_whoami_result.impersonation_level == 'SecurityAnonymous'
|
||
|
- win_whoami_result.label.account_name == 'System Mandatory Level'
|
||
|
- win_whoami_result.label.domain_name == 'Mandatory Label'
|
||
|
- win_whoami_result.label.sid == 'S-1-16-16384'
|
||
|
- win_whoami_result.label.type == 'Label'
|
||
|
- win_whoami_result.login_domain is defined
|
||
|
- win_whoami_result.login_time is defined
|
||
|
- win_whoami_result.logon_id is defined
|
||
|
- win_whoami_result.logon_server is defined
|
||
|
- win_whoami_result.logon_sid == None
|
||
|
- win_whoami_result.logon_type == 'System'
|
||
|
- win_whoami_result.privileges is defined
|
||
|
- win_whoami_result.rights|count >= 1
|
||
|
- win_whoami_result.token_type == 'TokenPrimary'
|
||
|
- win_whoami_result.upn is defined
|
||
|
- win_whoami_result.user_flags is defined
|
||
|
|
||
|
- set_fact:
|
||
|
become_username: ansible_become
|
||
|
become_username_limited: ansible_limited
|
||
|
gen_pw: password123! + {{lookup('password', '/dev/null chars=ascii_letters,digits length=8')}}
|
||
|
|
||
|
- name: ensure current user is not the become user
|
||
|
win_shell: whoami
|
||
|
register: whoami_out
|
||
|
failed_when: whoami_out.stdout_lines[0].endswith(become_username) or whoami_out.stdout_lines[0].endswith(become_username_limited)
|
||
|
|
||
|
- name: create user
|
||
|
win_user:
|
||
|
name: '{{become_username}}'
|
||
|
password: '{{gen_pw}}'
|
||
|
update_password: always
|
||
|
groups: Administrators
|
||
|
register: become_user_info
|
||
|
|
||
|
- name: create user limited
|
||
|
win_user:
|
||
|
name: '{{become_username_limited}}'
|
||
|
password: '{{gen_pw}}'
|
||
|
update_password: always
|
||
|
groups: Users
|
||
|
register: become_user_info_limited
|
||
|
|
||
|
- block:
|
||
|
- name: get become user profile dir so we can clean it up later
|
||
|
vars: &become_vars
|
||
|
ansible_become_user: '{{become_username}}'
|
||
|
ansible_become_password: '{{gen_pw}}'
|
||
|
ansible_become_method: runas
|
||
|
ansible_become: yes
|
||
|
win_shell: $env:USERPROFILE
|
||
|
register: profile_dir_out
|
||
|
|
||
|
- name: ensure profile dir contains test username (eg, if become fails silently, prevent deletion of real user profile)
|
||
|
assert:
|
||
|
that:
|
||
|
- become_username in profile_dir_out.stdout_lines[0]
|
||
|
|
||
|
- name: get become user limited profile dir so we can clean it up later
|
||
|
vars: &become_vars_limited
|
||
|
ansible_become_user: '{{become_username_limited}}'
|
||
|
ansible_become_password: '{{gen_pw}}'
|
||
|
ansible_become_method: runas
|
||
|
ansible_become: yes
|
||
|
win_shell: $env:USERPROFILE
|
||
|
register: profile_dir_out_limited
|
||
|
|
||
|
- name: ensure limited profile dir contains test username (eg, if become fails silently, prevent deletion of real user profile)
|
||
|
assert:
|
||
|
that:
|
||
|
- become_username_limited in profile_dir_out_limited.stdout_lines[0]
|
||
|
|
||
|
- name: run win_whoami with become execution
|
||
|
win_whoami:
|
||
|
vars: *become_vars
|
||
|
register: win_whoami_result
|
||
|
|
||
|
- name: assert win_whoami with become execution
|
||
|
assert:
|
||
|
that:
|
||
|
- not win_whoami_result is changed
|
||
|
- win_whoami_result.account.account_name == "ansible_become"
|
||
|
- win_whoami_result.account.domain_name is defined
|
||
|
- win_whoami_result.account.sid == become_user_info.sid
|
||
|
- win_whoami_result.account.type == 'User'
|
||
|
- win_whoami_result.authentication_package == "NTLM"
|
||
|
- win_whoami_result.dns_domain_name == ""
|
||
|
- win_whoami_result.groups|count >= 1
|
||
|
- win_whoami_result.groups[0].account_name is defined
|
||
|
- win_whoami_result.groups[0].attributes is defined
|
||
|
- win_whoami_result.groups[0].domain_name is defined
|
||
|
- win_whoami_result.groups[0].sid is defined
|
||
|
- win_whoami_result.groups[0].type is defined
|
||
|
- win_whoami_result.impersonation_level is defined
|
||
|
- win_whoami_result.label.account_name == 'High Mandatory Level'
|
||
|
- win_whoami_result.label.domain_name == 'Mandatory Label'
|
||
|
- win_whoami_result.label.sid == 'S-1-16-12288'
|
||
|
- win_whoami_result.label.type == 'Label'
|
||
|
- win_whoami_result.login_domain is defined
|
||
|
- win_whoami_result.login_time is defined
|
||
|
- win_whoami_result.logon_id is defined
|
||
|
- win_whoami_result.logon_server is defined
|
||
|
- win_whoami_result.logon_sid.account_name is defined
|
||
|
- win_whoami_result.logon_sid.domain_name is defined
|
||
|
- win_whoami_result.logon_sid.sid is defined
|
||
|
- win_whoami_result.logon_sid.type == 'Logon'
|
||
|
- win_whoami_result.logon_type == "Interactive"
|
||
|
- win_whoami_result.privileges is defined
|
||
|
- '"SeInteractiveLogonRight" in win_whoami_result.rights'
|
||
|
- win_whoami_result.token_type == 'TokenPrimary'
|
||
|
- win_whoami_result.upn == ''
|
||
|
- win_whoami_result.user_flags is defined
|
||
|
|
||
|
- name: run win_whoami with limited become execution
|
||
|
win_whoami:
|
||
|
vars: *become_vars_limited
|
||
|
register: win_whoami_result
|
||
|
|
||
|
- name: assert win_whoami with limited become execution
|
||
|
assert:
|
||
|
that:
|
||
|
- not win_whoami_result is changed
|
||
|
- win_whoami_result.account.account_name == "ansible_limited"
|
||
|
- win_whoami_result.account.domain_name is defined
|
||
|
- win_whoami_result.account.sid == become_user_info_limited.sid
|
||
|
- win_whoami_result.account.type == 'User'
|
||
|
- win_whoami_result.authentication_package == "NTLM"
|
||
|
- win_whoami_result.dns_domain_name == ""
|
||
|
- win_whoami_result.groups|count >= 1
|
||
|
- win_whoami_result.groups[0].account_name is defined
|
||
|
- win_whoami_result.groups[0].attributes is defined
|
||
|
- win_whoami_result.groups[0].domain_name is defined
|
||
|
- win_whoami_result.groups[0].sid is defined
|
||
|
- win_whoami_result.groups[0].type is defined
|
||
|
- win_whoami_result.impersonation_level is defined
|
||
|
- win_whoami_result.label.account_name == 'Medium Mandatory Level'
|
||
|
- win_whoami_result.label.domain_name == 'Mandatory Label'
|
||
|
- win_whoami_result.label.sid == 'S-1-16-8192'
|
||
|
- win_whoami_result.label.type == 'Label'
|
||
|
- win_whoami_result.login_domain is defined
|
||
|
- win_whoami_result.login_time is defined
|
||
|
- win_whoami_result.logon_id is defined
|
||
|
- win_whoami_result.logon_server is defined
|
||
|
- win_whoami_result.logon_sid.account_name is defined
|
||
|
- win_whoami_result.logon_sid.domain_name is defined
|
||
|
- win_whoami_result.logon_sid.sid is defined
|
||
|
- win_whoami_result.logon_sid.type == 'Logon'
|
||
|
- win_whoami_result.logon_type == "Interactive"
|
||
|
- win_whoami_result.privileges is defined
|
||
|
- win_whoami_result.rights == []
|
||
|
- win_whoami_result.token_type == 'TokenPrimary'
|
||
|
- win_whoami_result.upn == ''
|
||
|
- win_whoami_result.user_flags is defined
|
||
|
|
||
|
always:
|
||
|
- name: ensure test user is deleted
|
||
|
win_user:
|
||
|
name: '{{item}}'
|
||
|
state: absent
|
||
|
with_items:
|
||
|
- '{{become_username}}'
|
||
|
- '{{become_username_limited}}'
|
||
|
|
||
|
- name: ensure test user profile is deleted
|
||
|
win_shell: rmdir /S /Q {{profile_dir_out.stdout_lines[0]}}
|
||
|
args:
|
||
|
executable: cmd.exe
|
||
|
when: become_username in profile_dir_out.stdout_lines[0]
|
||
|
|
||
|
- name: ensure limited test user profile is deleted
|
||
|
win_shell: rmdir /S /Q {{profile_dir_out_limited.stdout_lines[0]}}
|
||
|
args:
|
||
|
executable: cmd.exe
|
||
|
when: become_username_limited in profile_dir_out_limited.stdout_lines[0]
|