Manifest to set Windows Puppet permissions for CVE-2018-6513
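# Manifest that rewrites the ACLs on the Windows Puppet data directories
# (CVE-2018-6513 remediation) and re-points puppet.conf / the pxp-agent
# service environment so the agent keeps working afterwards.
#
# Using this manifest requires 2 modules be installed:
#   puppetlabs-stdlib    (file_line)
#   puppetlabs-registry  (registry_value)
#
# NOTE: none of the exec resources below carry an unless/onlyif/creates
# guard, so the cacls/icacls commands run on every agent run and every run
# reports them as changed. The resulting ACL is the same each time; add a
# guard if the report noise matters. Errors on individual children are
# tolerated by icacls /C and takeown /D N, so read the logged output
# (logoutput => true) rather than relying on the resource failing.

# Tool paths come from the system32 fact rather than being hard-coded so the
# manifest also works on installs with a non-default system root.
$tool_root = $facts['os']['windows']['system32']
$cmd       = "$tool_root\\cmd.exe"
$takeown   = "$tool_root\\takeown.exe"
$cacls     = "$tool_root\\cacls.exe"
$icacls    = "$tool_root\\icacls.exe"

# Modify the ProgramData location if different on your system
$programData = "C:\\ProgramData\\PuppetLabs"
# Change the root of the basemodulepath if different on your system
# if basemodulepath is already set in puppet.conf then it must be edited manually
$basemodulepath = 'C:/ProgramData/PuppetLabs/code/modules'
# Change the root of the Puppet installation path if different on your system
$puppetInstallPath = 'C:\\Program Files\\Puppet Labs\\Puppet'

# should not need to change
$puppetData = "$programData\\puppet"
$codeData   = "$programData\\code"
$facterData = "$programData\\facter"
$pxpData    = "$programData\\pxp-agent"
$mcoData    = "$programData\\mcollective"

# SDDL used with cacls /S (the whole DACL is replaced, not merged):
#   O:SY G:SY              owner and primary group are Local System
#   D:P                    protected DACL - nothing is inherited from the
#                          parent directory, which is the actual fix here
#   (A;OICI;FA;;;SY)       Local System, full access, inherited by files/dirs
#   (A;OICI;FA;;;BA)       BUILTIN\Administrators, full access, inherited
#   (A;OICI;0x1200a9;;;WD) Everyone, generic read + execute only; granted
#                          on the PuppetLabs root and the facter directory,
#                          nowhere else
# "echo y|" answers the cacls confirmation prompt. The doubled quotes
# around the path are presumably there so it is still quoted after
# cmd.exe /c strips the outer pair - leave them alone.
exec { 'PuppetLabs SDDL':
  command   => "$cmd /c echo y|$cacls \"\"$programData\"\" /S:O:SYG:SYD:P(A;OICI;0x1200a9;;;WD)(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)",
  logoutput => true,
}

exec { 'PuppetData SDDL':
  command   => "$cmd /c echo y|$cacls \"\"$puppetData\"\" /S:O:SYG:SYD:P(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)",
  logoutput => true,
}

exec { 'Code SDDL':
  command   => "$cmd /c echo y|$cacls \"\"$codeData\"\" /S:O:SYG:SYD:P(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)",
  logoutput => true,
}

exec { 'Facter SDDL':
  command   => "$cmd /c echo y|$cacls \"\"$facterData\"\" /S:O:SYG:SYD:P(A;OICI;0x1200a9;;;WD)(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)",
  logoutput => true,
}

exec { 'PXP SDDL':
  command   => "$cmd /c echo y|$cacls \"\"$pxpData\"\" /S:O:SYG:SYD:P(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)",
  logoutput => true,
}

exec { 'MCO SDDL':
  command   => "$cmd /c echo y|$cacls \"\"$mcoData\"\" /S:O:SYG:SYD:P(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)",
  logoutput => true,
}

# The puppet directory contents are handled in three passes: take ownership
# as Administrators (/A, recursive, /D N skips directories the caller cannot
# list), grant Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18) full
# control so every child can be rewritten, then /reset so each child simply
# inherits the protected DACL set on the directory itself. The explicit
# require chain keeps that order even if manifest ordering is not in effect.
exec { 'PuppetData ownership':
  command   => "$takeown /F \"$puppetData\\*\" /R /A /D N",
  logoutput => true,
  require   => Exec['PuppetData SDDL'],
}

exec { 'PuppetData permission set':
  command   => "$icacls \"$puppetData\\*\" /grant \"*S-1-5-32-544:(F)\" \"*S-1-5-18:(F)\" /T /C",
  logoutput => true,
  require   => Exec['PuppetData ownership'],
}

# /reset replaces each child's ACL with inherited ACEs only, so these must
# run after the corresponding directory DACL has been written above.
exec { 'Code permissions reset':
  command   => "$icacls \"$codeData\\*\" /reset /T /C",
  logoutput => true,
  require   => Exec['Code SDDL'],
}

exec { 'Facter permissions reset':
  command   => "$icacls \"$facterData\\*\" /reset /T /C",
  logoutput => true,
  require   => Exec['Facter SDDL'],
}

exec { 'PXP permissions reset':
  command   => "$icacls \"$pxpData\\*\" /reset /T /C",
  logoutput => true,
  require   => Exec['PXP SDDL'],
}

exec { 'PuppetData permissions reset':
  command   => "$icacls \"$puppetData\\*\" /reset /T /C",
  logoutput => true,
  require   => Exec['PuppetData permission set'],
}

exec { 'MCO permissions reset':
  command   => "$icacls \"$mcoData\\*\" /reset /T /C",
  logoutput => true,
  require   => Exec['MCO SDDL'],
}

# requires use of stdlib module
# With replace => false an existing matching line is left untouched and the
# new line is only appended when nothing matches, so the match has to accept
# the "key = value" spacing puppet.conf commonly uses; a strict "key=" match
# would append a second, conflicting setting below the existing one.
# NOTE(review): file_line appends at the end of the file, i.e. inside
# whichever [section] comes last - confirm that is [main] on your hosts.
file_line { 'basemodulepath':
  ensure  => present,
  path    => "$puppetData\\etc\\puppet.conf",
  line    => "basemodulepath=$basemodulepath",
  replace => false,
  match   => '^\s*basemodulepath\s*=',
}

file_line { 'manage_internal_file_permissions':
  ensure  => present,
  path    => "$puppetData\\etc\\puppet.conf",
  line    => "manage_internal_file_permissions=false",
  replace => false,
  match   => '^\s*manage_internal_file_permissions\s*=',
}

# reconfigure PXP agent registry keys
# Every path here lives under the install directory, not under ProgramData,
# so the ACL changes above do not affect what the service can read. The
# service is restarted (~>) whenever the value changes.
registry_value { 'HKLM\SYSTEM\CurrentControlSet\Services\pxp-agent\Parameters\AppEnvironmentExtra':
  ensure => 'present',
  type   => 'array',
  data   => [
    "PATH=$puppetInstallPath\\pxp-agent\\bin;$puppetInstallPath\\puppet\\bin;$puppetInstallPath\\facter\\bin;$puppetInstallPath\\sys\\ruby\\bin;%PATH%",
    "RUBYLIB=$puppetInstallPath\\puppet\\lib;$puppetInstallPath\\hiera\\lib;$puppetInstallPath\\mcollective\\lib;$puppetInstallPath\\facter\\lib;%RUBYLIB%",
    "OPENSSL_CONF=$puppetInstallPath\\puppet\\ssl\\openssl.cnf",
  ],
} ~>
service { 'pxp-agent':
  ensure => 'running',
  enable => true,
}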