
Chef/Modernize/WindowsRegistryUAC reporting on a registry value that the windows_uac does not support

Open tarcinil opened this issue 4 years ago • 2 comments

Version:

$ be cookstyle -v
Cookstyle 7.3.11
  * RuboCop 1.5.2

Environment:

Windows Server 2019 DC (Guest)
Mac 10.15.7 (Host)
Test Kitchen version 2.8.0

Scenario:

I am using the following to disable UAC Remote Restrictions, which is outlined here.

When working on servers joined to a domain with domain service accounts (usually added to the Local Administrators Group), and are connecting via WinRM, this is a lever that has to be tweaked.

This triggers the "Actual Result" even though the windows_uac resource does not have a property that manages that value inside of the registry.

Steps to Reproduce:

Running Windows 2019 with the following registry resource works for the cinc-client run, but raises a cookstyle error in my pre-commit hooks.

registry_key 'HKLM\software\Microsoft\Windows\CurrentVersion\Policies\system' do
  action    :create
  recursive true
  values    [ { name: 'LocalAccountTokenFilterPolicy', type: :dword, data: 1 } ]
  notifies :restart, 'windows_service[WinRM]', :delayed
end

Expected Result:

I would have expected cookstyle to not complain because the resource to modernize towards does not support the specific value being set. https://docs.chef.io/resources/windows_uac#properties

Actual Result:

recipes/default.rb:67:1: R: Chef/Modernize/WindowsRegistryUAC: Chef Infra Client 15.0 and later includes a windows_uac resource that should be used to set Windows UAC values instead of setting registry keys directly.
registry_key 'HKLM\software\Microsoft\Windows\CurrentVersion\Policies\system' do

tarcinil, Feb 05 '21 17:02

Any update on this? I'm experiencing the same issue.

jarvin521, Apr 05 '21 18:04

Similar thing, different value

# These regkey changes are needed along with patches to help mitigate CVE-2018-0886/RDP MITM Vuln
# WARNING: These require a reboot to apply

registry_key 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' do
  values [{
    name: 'AllowEncryptionOracle',
    type: :dword,
    data: '1',
  }]
  action :create
  recursive true
end

Url: https://support.microsoft.com/en-us/topic/credssp-updates-for-cve-2018-0886-5cbf9e5f-dc6d-744f-9e97-7ba400d6d3ea

recipes/registry_cve2018_0886.rb:12:1: R: Chef/Modernize/WindowsRegistryUAC: Chef Infra Client 15.0 and later includes a windows_uac resource that should be used to set Windows UAC values instead of setting registry keys directly. (https://docs.chef.io/workstation/cookstyle/chef_modernize_windowsregistryuac)
registry_key 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' do
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

knightorc, May 14 '21 23:05
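Added example, not part of the thread and not Cookstyle's code: a sketch of the value-level check both reports ask for, which compares the exact key and the value names against what `windows_uac` manages instead of matching on the path alone. The value-name-to-property map is an assumption written from the `windows_uac` documentation linked in the issue, and `classify` and `normalize_key` are hypothetical names.

```ruby
# Added illustration; not Cookstyle's implementation.
UAC_KEY = 'software\microsoft\windows\currentversion\policies\system'.freeze

# Assumption: registry value names written by windows_uac, mapped to its
# properties (check against the resource documentation linked in the issue).
UAC_VALUES = {
  'enablelua' => :enable_uac,
  'validateadmincodesignatures' => :require_signed_binaries,
  'promptonsecuredesktop' => :prompt_on_secure_desktop,
  'consentpromptbehavioradmin' => :consent_behavior_admins,
  'consentpromptbehavioruser' => :consent_behavior_users,
  'enableinstallerdetection' => :detect_installers,
}.freeze

HIVE = /\A(?:HKLM|HKEY_LOCAL_MACHINE)\\/i

# Drop the hive prefix and any trailing backslash, compare case-insensitively.
def normalize_key(path)
  path.sub(HIVE, '').sub(/\\+\z/, '').downcase
end

# Decide whether a registry_key resource could be expressed with windows_uac.
# Subkeys such as ...\System\CredSSP\Parameters are not the UAC key itself.
def classify(path, values)
  unless normalize_key(path) == UAC_KEY
    return { verdict: :not_uac_key, properties: [], unsupported: [] }
  end
  names = values.map { |v| v[:name].to_s }
  supported, unsupported = names.partition { |n| UAC_VALUES.key?(n.downcase) }
  verdict = if supported.empty? then :keep_registry_key
            elsif unsupported.empty? then :use_windows_uac
            else :split
            end
  { verdict: verdict,
    properties: supported.map { |n| UAC_VALUES[n.downcase] },
    unsupported: unsupported }
end

if __FILE__ == $PROGRAM_NAME
  policies = 'HKLM\software\Microsoft\Windows\CurrentVersion\Policies\system'
  credssp = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
  # The two resources reported in the thread.
  p classify(policies, [{ name: 'LocalAccountTokenFilterPolicy', type: :dword, data: 1 }])
  p classify(credssp, [{ name: 'AllowEncryptionOracle', type: :dword, data: '1' }])
  # Constructed input: one value windows_uac manages next to one it does not.
  p classify(policies, [{ name: 'EnableLUA', type: :dword, data: 1 },
                        { name: 'LocalAccountTokenFilterPolicy', type: :dword, data: 1 }])
end
```

Only the `:use_windows_uac` and `:split` verdicts point at values the `windows_uac` resource can take over; the other two leave the `registry_key` resource as it is.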