Chef/Modernize/WindowsRegistryUAC reporting on a registry value that the windows_uac does not support #827

Open
tarcinil opened this issue Feb 5, 2021 · 2 comments
Labels
Status: Untriaged An issue that has yet to be triaged. Type: Bug Does not work as expected.

Comments

tarcinil commented Feb 5, 2021

Version:

$ be cookstyle -v
Cookstyle 7.3.11

  • RuboCop 1.5.2

Environment:

Windows Server 2019 DC (Guest)
Mac 10.15.7 (Host)
Test Kitchen version 2.8.0

Scenario:

I am using the following to disable UAC Remote Restrictions, which is outlined here.

When working on servers joined to a domain with domain service accounts (usually added to the Local Administrators Group), and connecting via WinRM, this is a lever that has to be tweaked.

This triggers the "Actual Result" even though the windows_uac resource does not have a property that manages that value inside of the registry.

Steps to Reproduce:

Running Windows 2019 with the following registry resource works for the cinc-client run, but raises a cookstyle error in my pre-commit hooks.

registry_key 'HKLM\software\Microsoft\Windows\CurrentVersion\Policies\system' do
  action    :create
  recursive true
  values    [ { name: 'LocalAccountTokenFilterPolicy', type: :dword, data: 1 } ]
  notifies :restart, 'windows_service[WinRM]', :delayed
end

Expected Result:

I would have expected cookstyle to not complain because the resource to modernize towards does not support the specific value being set. https://docs.chef.io/resources/windows_uac#properties

Actual Result:

recipes/default.rb:67:1: R: Chef/Modernize/WindowsRegistryUAC: Chef Infra Client 15.0 and later includes a windows_uac resource that should be used to set Windows UAC values instead of setting registry keys directly.
registry_key 'HKLM\software\Microsoft\Windows\CurrentVersion\Policies\system' do

@jarvin521

Any update on this? I'm experiencing the same issue.

@knightorc

Similar thing, different value

# These regkey changes are needed along with patches to help mitigate CVE-2018-0886/RDP MITM Vuln
# WARNING: These require a reboot to apply

registry_key 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' do
  values [{
    name: 'AllowEncryptionOracle',
    type: :dword,
    data: '1',
  }]
  action :create
  recursive true
end

Url: https://support.microsoft.com/en-us/topic/credssp-updates-for-cve-2018-0886-5cbf9e5f-dc6d-744f-9e97-7ba400d6d3ea

recipes/registry_cve2018_0886.rb:12:1: R: Chef/Modernize/WindowsRegistryUAC: Chef Infra Client 15.0 and later includes a windows_uac resource that should be used to set Windows UAC values instead of setting registry keys directly. (https://docs.chef.io/workstation/cookstyle/chef_modernize_windowsregistryuac)
registry_key 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' do
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
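
As an added illustration (not part of the issue thread and not Cookstyle's own code), the narrower check both reports ask for can be sketched in plain Ruby: suggest windows_uac only when the key is exactly Policies\System and a value name maps to a windows_uac property. The name-to-property table and the helper names are assumptions made for this example.

```ruby
# Added illustration; not Cookstyle's implementation.
# Registry value name => windows_uac property (mapping assumed for this example).
UAC_VALUE_TO_PROPERTY = {
  'enablelua'                   => :enable_uac,
  'consentpromptbehavioradmin'  => :consent_behavior_admins,
  'consentpromptbehavioruser'   => :consent_behavior_users,
  'enableinstallerdetection'    => :detect_installers,
  'promptonsecuredesktop'       => :prompt_on_secure_desktop,
  'validateadmincodesignatures' => :require_signed_binaries,
}.freeze

UAC_KEY = 'hkey_local_machine\software\microsoft\windows\currentversion\policies\system'.freeze

# Registry paths are case-insensitive; expand HKLM and drop stray backslashes.
def normalize_key(path)
  key = path.strip.downcase.gsub(/\\+/) { '\\' }.chomp('\\')
  key.sub(/\Ahklm(?=\\|\z)/, 'hkey_local_machine')
end

# Split a registry_key resource's values into those windows_uac can manage
# (returned as property names) and those that must stay in registry_key.
def classify_registry_key(path, values)
  on_uac_key = normalize_key(path) == UAC_KEY
  result = { replaceable: [], unmanaged: [] }
  values.each do |value|
    prop = UAC_VALUE_TO_PROPERTY[value[:name].to_s.downcase] if on_uac_key
    prop ? result[:replaceable] << prop : result[:unmanaged] << value[:name]
  end
  result
end

# The modernize hint is only actionable when at least one value is replaceable.
def suggest_windows_uac?(path, values)
  !classify_registry_key(path, values)[:replaceable].empty?
end

# Constructed inputs: the two resources from this thread plus one real UAC value.
SAMPLES = [
  ['HKLM\software\Microsoft\Windows\CurrentVersion\Policies\system',
   [{ name: 'LocalAccountTokenFilterPolicy', type: :dword, data: 1 }]],
  ['HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters',
   [{ name: 'AllowEncryptionOracle', type: :dword, data: '1' }]],
  ['HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
   [{ name: 'EnableLUA', type: :dword, data: 1 }]],
].freeze

SAMPLES.each do |path, values|
  puts "#{suggest_windows_uac?(path, values) ? 'suggest windows_uac' : 'keep registry_key'}: #{path}"
end
```

When a resource mixes UAC and non-UAC values on the same key, `classify_registry_key` lists the names that would have to remain in a `registry_key` resource.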
