win_audit_rule reports unhandled exception when changing audit rule on a protected OS file #17

Closed
jborean93 opened this issue Mar 11, 2020 · 3 comments · Fixed by #308

@jborean93

From @Castingnet on Feb 21, 2020 09:41

SUMMARY

win_audit_rule tries to get the item type before setting the rule. (Get-Item $path).GetType() works for most cases but not for a protected OS file, for example, C:\bootmgr.
To make it work for this scenario, -Force is expected:
(Get-Item -Force $path).GetType()

ISSUE TYPE
  • Bug Report
COMPONENT NAME

module win_audit_rule

ANSIBLE VERSION
2.9.5
CONFIGURATION
ANSIBLE_SSH_ARGS(/etc/ansible/ansible.cfg) = -C -o ControlMaster=auto -o ControlPersist=60s -o PasswordAuthentication=yes
DEFAULT_MODULE_PATH(env: ANSIBLE_LIBRARY) = [u'/root/ansible_lib/modules']
HOST_KEY_CHECKING(/etc/ansible/ansible.cfg) = False
OS / ENVIRONMENT

Target: windows system

STEPS TO REPRODUCE
win_audit_rule:
  path: C:\bootmgr
  user: Everyone
  rights: FullControl
  audit_flags: Failure
  inheritance_flags: None
EXPECTED RESULTS

win_audit_rule could change audit rule of a protected OS file without any exception

ACTUAL RESULTS
Pipelining is enabled.
EXEC (via pipeline wrapper)
The full traceback is:
Could not find item C:\bootmgr.
At line:69 char:14^M
+ $ItemType = (Get-Item $path).GetType()
+              ~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\bootmgr:String) [Get-Item], IOException
    + FullyQualifiedErrorId : ItemNotFound,Microsoft.PowerShell.Commands.GetItemCommand
  
 ScriptStackTrace:
 at <ScriptBlock>, <No file>: line 69
 failed: [9.112.238.18] (item=C:\bootmgr) => {
     "ansible_loop_var": "item",
     "changed": false,
    "item": "C:\\bootmgr",
     "msg": "Unhandled exception while executing module: Could not find item C:\\bootmgr."
 }

Copied from original issue: ansible/ansible#67642
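
The lookup failure described in the report above, reproduced on a constructed hidden+system temp file, as an added example that is not part of the issue or of the module's source. `Resolve-AuditTarget` is a hypothetical helper name, and the temp file stands in for `C:\bootmgr`.

```powershell
# Added example. Resolve-AuditTarget is a hypothetical helper, not module code.
function Resolve-AuditTarget {
    param([Parameter(Mandatory = $true)][string]$Path)

    # -Force makes the provider return hidden and system items; -LiteralPath
    # prevents wildcard expansion of characters such as [ and ] in the path.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop

    # Choose the rights enum that matches the kind of item being audited.
    if ($item -is [Microsoft.Win32.RegistryKey]) {
        $rightsType = [System.Security.AccessControl.RegistryRights]
    } elseif ($item -is [System.IO.FileSystemInfo]) {
        $rightsType = [System.Security.AccessControl.FileSystemRights]
    } else {
        throw "Unsupported item type: $($item.GetType().FullName)"
    }
    New-Object psobject -Property @{ Item = $item; RightsType = $rightsType }
}

# Constructed sample: a temp file marked Hidden+System, standing in for C:\bootmgr.
$path = [System.IO.Path]::GetTempFileName()
try {
    $attrs = [System.IO.FileAttributes]::Hidden -bor [System.IO.FileAttributes]::System
    [System.IO.File]::SetAttributes($path, $attrs)

    # Without -Force the lookup of a hidden item raises ItemNotFound.
    try {
        Get-Item -LiteralPath $path -ErrorAction Stop | Out-Null
        Write-Output 'without -Force: item returned'
    } catch {
        Write-Output "without -Force: $($_.Exception.Message)"
    }

    $target = Resolve-AuditTarget -Path $path
    Write-Output "with -Force: $($target.Item.GetType().FullName)"

    # Audit rule matching the task in the report (built only, not applied).
    $rights = [System.Enum]::Parse($target.RightsType, 'FullControl')
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
        'Everyone',
        $rights,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Failure)
    Write-Output "rule: $($rule.IdentityReference) $($rule.FileSystemRights) $($rule.AuditFlags)"
} finally {
    Remove-Item -LiteralPath $path -Force
}
```

The block only builds the audit rule; writing it to the file's SACL additionally requires an elevated session.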

@jborean93

From @ShachafGoldstein on Mar 01, 2020 02:31

Can you please post the output of get-childitem C:\ -Force?
And are you sure that the file is there and that you are able to manipulate it from the GUI, for example?

I vaguely remember that specific file not always being present; on my Win10 machine it is not there.

@jborean93

From @Castingnet on Mar 08, 2020 03:56

The bootmgr is there when I use the command provided. And currently, I worked around the issue by using the win_shell module. So I could make sure the file does exist.

Yes, it's not present by default. To show protected system files, you need to follow the guide below:
https://www.ilovefreesoftware.com/05/windows-10/show-protected-system-files-windows-10.html

Here is the output for my system:


PS C:\Users\Administrator> get-childitem c:\ -force

    Directory: C:\


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d--hs-        2/23/2020   5:29 PM                $Recycle.Bin
d--hs-        2/24/2020   4:29 PM                Boot
d--hsl        2/23/2020   5:29 PM                Documents and Settings
d-----        2/24/2020   4:21 PM                PerfLogs
d-r---        2/24/2020   3:15 PM                Program Files
d-----        7/16/2016   6:23 AM                Program Files (x86)
d--h--         3/6/2020  12:04 PM                ProgramData
d-----        2/27/2020   2:11 PM                pvscsi
d--hs-        2/23/2020   5:29 PM                Recovery
d--hs-        2/26/2020  12:41 PM                System Volume Information
d-----        2/26/2020   6:16 PM                Temp
d-r---        2/23/2020   5:29 PM                Users
d-----        2/24/2020   5:48 PM                Windows
-a----        2/24/2020   3:15 PM           1024 .rnd
-arhs-        1/31/2020  10:33 AM         388704 bootmgr
-a-hs-        7/16/2016   6:18 AM              1 BOOTNXT
-arhs-        2/23/2020   5:27 PM           8192 BOOTSECT.BAK
-a-hs-         3/6/2020  11:11 AM     1073741824 pagefile.sys

@sebyx

sebyx commented Apr 13, 2021

Same issue here. The module is not working for protected OS files.

Also, the module runs successfully if I manually apply this modification to the source file.

Devsica added a commit to Devsica/ansible that referenced this issue Oct 11, 2021
bugfixes:
- win_audit_rule - Fix exception when trying to change a rule on a hidden or protected system file
- ansible-collections/community.windows#17
-ansible#67642