
Creating SDDL string always reports False with Test-DSCConfiguration #13

Open
SylvainMartel opened this issue Oct 16, 2017 · 3 comments
Labels
bug The issue is a bug. help wanted The issue is up for grabs for anyone in the community.

Comments

SylvainMartel commented Oct 16, 2017

On Windows 2016 with latest CU installed
DSC Code to secure the Application Log and the System Log

        xWinEventLog securEvtApplication
        {
            LogName = 'Application'
            SecurityDescriptor = 'O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-21-3455453797-2004565670-2676727958-53937)'

        }

        xWinEventLog securEvtSystem
        {
            LogName = 'System'
            SecurityDescriptor = 'O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-21-3455453797-2004565670-2676727958-53937)'

        }

This works fine: it creates the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\CustomSD with the SDDL string and its sister key for the System log, but when we run Test-DscConfiguration, it reports those parts as ResourcesNotInDesiredState:

VERBOSE: []: LCM:  [ Start  Resource ]  [[xWinEventLog]securEvtApplication]
VERBOSE: []: LCM:  [ Start  Test     ]  [[xWinEventLog]securEvtApplication]
VERBOSE: []: LCM:  [ End    Test     ]  [[xWinEventLog]securEvtApplication] False in 0.0780 seconds.
VERBOSE: []: LCM:  [ End    Resource ]  [[xWinEventLog]securEvtApplication]
VERBOSE: []: LCM:  [ Start  Resource ]  [[xWinEventLog]securEvtSystem]
VERBOSE: []: LCM:  [ Start  Test     ]  [[xWinEventLog]securEvtSystem]
VERBOSE: []: LCM:  [ End    Test     ]  [[xWinEventLog]securEvtSystem] False in 0.0310 seconds.
VERBOSE: []: LCM:  [ End    Resource ]  [[xWinEventLog]securEvtSystem]
VERBOSE: []: LCM:  [ End    Test     ]     Completed processing test operation. The operation returned False.
VERBOSE: []: LCM:  [ End    Test     ]    in  0.7650 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.

PSComputerName  ResourcesInDesiredState        ResourcesNotInDesiredState     InDesiredState
--------------  -----------------------        --------------------------     --------------
localhost       {[cNtfsPermissionEntry]Perm... {[xWinEventLog]securEvtAppl... False
VERBOSE: Time taken for configuration job to complete is 0.877 seconds

If we run Start-DscConfiguration -UseExisting -Force -Wait -Verbose then it will do the Set, but it will never see it as in Desired State:

VERBOSE: []: LCM:  [ Start  Resource ]  [[xWinEventLog]securEvtApplication]
VERBOSE: []: LCM:  [ Start  Test     ]  [[xWinEventLog]securEvtApplication]
VERBOSE: []: LCM:  [ End    Test     ]  [[xWinEventLog]securEvtApplication]  in 0.0630 seconds.
VERBOSE: []: LCM:  [ Start  Set      ]  [[xWinEventLog]securEvtApplication]
VERBOSE: []: LCM:  [ End    Set      ]  [[xWinEventLog]securEvtApplication]  in 0.0310 seconds.
VERBOSE: []: LCM:  [ End    Resource ]  [[xWinEventLog]securEvtApplication]
VERBOSE: []: LCM:  [ Start  Resource ]  [[xWinEventLog]securEvtSystem]
VERBOSE: []: LCM:  [ Start  Test     ]  [[xWinEventLog]securEvtSystem]
VERBOSE: []: LCM:  [ End    Test     ]  [[xWinEventLog]securEvtSystem]  in 0.0160 seconds.
VERBOSE: []: LCM:  [ Start  Set      ]  [[xWinEventLog]securEvtSystem]
VERBOSE: []: LCM:  [ End    Set      ]  [[xWinEventLog]securEvtSystem]  in 0.0470 seconds.
VERBOSE: []: LCM:  [ End    Resource ]  [[xWinEventLog]securEvtSystem]
VERBOSE: []:                            [] Consistency check completed.

The same code works fine on Windows 10...


SylvainMartel commented Oct 16, 2017

I took a look at the code and ran the test condition manually on the server (line 143):
$log = Get-WinEvent -ListLog application

Then I compared $log.SecurityDescriptor to the string that got created in the registry by DSC, and indeed they are different. That test condition doesn't seem to work.

Also, running wevtutil gl application (which is the command line utility to set SDDL the old way) returns the correct SDDL string.

So, to continue the debugging, I tried the function Set-SecurityDescriptor line by line.

It doesn't seem to work. It doesn't return an error, but the changes are not taken into account.
I tried this:

$SecurityDescriptor = 'O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-21-3455453797-2004565670-2676727958-53937)'
$log = Get-WinEvent -ListLog "application"
$log.SecurityDescriptor = $SecurityDescriptor
$log.SaveChanges()

and then

$log2 = Get-WinEvent -ListLog "application"
$log2.SecurityDescriptor

result

O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-21-3700697335-2754794931-3075335600-74107)

Not what it should be. Some weird behavior going on.
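A diagnostic for the comparison described in this comment, added here as an example and not part of the xWinEventLog module or the reporter's code: for each log it reads the CustomSD registry value and the SecurityDescriptor that Get-WinEvent -ListLog reports, then compares them verbatim and as a normalised ACE set built with System.Security.AccessControl.RawSecurityDescriptor. The configured string on this page lists (A;;0x3;;;S-1-5-3) twice, which a verbatim comparison treats as a difference while the ACE-set view does not; the function names are hypothetical.

```powershell
# Added diagnostic, not part of the xWinEventLog module. For each log it reads the
# CustomSD value from the registry and the SecurityDescriptor reported by
# Get-WinEvent -ListLog, then compares them verbatim and as a normalised ACE set,
# so a mismatch caused only by ACE order or a repeated ACE is reported separately
# from a real difference in owner, group, rights or SIDs. Function names are hypothetical.
function Get-NormalizedSddl {
    param([Parameter(Mandatory)][string]$Sddl)
    # Parse the SDDL into owner, group and DACL; each ACE becomes
    # "<type>:<mask>:<SID>" and the set is sorted and de-duplicated.
    $raw   = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    $owner = if ($raw.Owner) { $raw.Owner.Value } else { '' }
    $group = if ($raw.Group) { $raw.Group.Value } else { '' }
    $aces  = foreach ($ace in $raw.DiscretionaryAcl) {
        '{0}:0x{1:x}:{2}' -f $ace.AceType, $ace.AccessMask, $ace.SecurityIdentifier.Value
    }
    $aces = @($aces | Sort-Object -Unique)
    return 'O:{0} G:{1} D:{2}' -f $owner, $group, ($aces -join ' ')
}

function Compare-EventLogSddl {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [string]$Expected        # SDDL the DSC configuration asked for (optional)
    )
    $regPath  = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName"
    $customSd = (Get-ItemProperty -Path $regPath -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
    $liveSd   = (Get-WinEvent -ListLog $LogName).SecurityDescriptor

    $normReg  = if ($customSd) { Get-NormalizedSddl $customSd } else { $null }
    $normLive = if ($liveSd)   { Get-NormalizedSddl $liveSd }   else { $null }

    [pscustomobject]@{
        LogName                = $LogName
        RegistryCustomSD       = $customSd
        LiveSecurityDescriptor = $liveSd
        ExactMatch             = ($customSd -eq $liveSd)
        # True when registry and live value grant the same ACEs to the same SIDs
        AceSetMatch            = ($null -ne $normReg -and $normReg -eq $normLive)
        # Live value against what the configuration asked for, when supplied
        LiveMatchesExpected    = $(if ($Expected) { (Get-NormalizedSddl $Expected) -eq $normLive } else { $null })
    }
}

# The two logs the configuration in this issue manages
'Application', 'System' | ForEach-Object { Compare-EventLogSddl -LogName $_ } | Format-List
```

Run it as an administrator on the affected host; a row with ExactMatch False but AceSetMatch True points at a string-level mismatch, while AceSetMatch False means the live descriptor really differs from what was written to CustomSD.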

SylvainMartel (Author) commented

Closing this, found a GPO that interferes.

SylvainMartel (Author) commented

Reopening this. After making sure the system is completely isolated we still get the problem described above. Completely baffled.

@SylvainMartel SylvainMartel reopened this Oct 20, 2017
@johlju johlju added bug The issue is a bug. help wanted The issue is up for grabs for anyone in the community. labels Apr 25, 2018