Oh, nice! Thanks for the link, that's a really cool concept.

After a bit of hunting around, I'd been thinking the same way as the
blogger you linked to - that writing (or templating) an XML file and
importing that is much neater than using their PowerShell for making rules.
So I suspect that a lot of the work involved in making AppLocker work in a
hands-off way is really in figuring out all the UUIDs and SIDs and so on you
need for a valid XML AppLocker ruleset.

Really, the main piece I'm missing is a way to import an AppLocker policy
from a local file - there are already Ansible solutions for 'grab this file
from remotely' or 'template this onto the target host with these
parameters', and for 'manage the state of this service' (for AppIDSvc).
I'll let the internet know how it goes.

Cheers,
Nikki




On 20 August 2016 at 19:08, Trond Hindenes <tr...@hindenes.com> wrote:

> Pretty sure that's not solved yet.
>
> Based on this:
> https://p0w3rsh3ll.wordpress.com/2015/04/02/configure-applocker-with-desired-state-configuration/
> you could take that DSC thing and run it thru my DSC-To-Ansible resource
> converter (https://github.com/trondhindenes/AnsibleDscModuleGenerator) but
> it would of course only be compatible with nodes running PowerShell V5.
>
>
> On Wednesday, August 17, 2016 at 11:34:55 AM UTC+2, N. Bailey wrote:
>>
>> Hi ansible-devel,
>>
>> Quick question for anyone running Ansible on Windows: has anyone used
>> Ansible to configure AppLocker? It's a security/hardening/audit tool for
>> Windows, replacing Software Restriction Policies.
>>
>> The natural way to deploy/manage it would be with group policy, but I'm
>> running it on servers outside a domain, so I wanted an Ansible solution
>> instead. Can't see any playbooks or modules out there so far about it, but
>> there's a fairly neat set of PowerShell cmdlets to do it. I was planning on
>> writing a module to do it, but I thought I'd stick my head up and check
>> that this isn't a solved problem already :)
>>
>> Thanks,
>> Nikki
>>
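
The "import an AppLocker policy from a local file" step discussed in this thread, as an added PowerShell example that is not code from either poster or from the linked projects. It assumes PowerShell 3.0 or later, that the XML file has already been templated onto the host, and a placeholder path of `C:\Temp\applocker-policy.xml`; the function name `Get-PolicyFingerprint` is made up for this sketch.

```powershell
# Added example, not from the thread. $PolicyPath is a placeholder path.
param(
    [string]$PolicyPath = 'C:\Temp\applocker-policy.xml'
)

$ErrorActionPreference = 'Stop'
Import-Module AppLocker

function Get-PolicyFingerprint([string]$Xml) {
    # Parse and re-serialise the root element so indentation and the XML
    # declaration do not count as a difference. Attribute order still does,
    # which at worst causes a harmless re-import.
    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $false
    $doc.LoadXml($Xml)
    if ($doc.DocumentElement.Name -ne 'AppLockerPolicy') {
        throw "Unexpected root element '$($doc.DocumentElement.Name)'"
    }
    return $doc.DocumentElement.OuterXml
}

# Desired state: the file already templated onto the host.
$desired = Get-PolicyFingerprint (Get-Content -LiteralPath $PolicyPath -Raw)

# Current state: the local (non-GPO) policy on this machine.
$current = Get-PolicyFingerprint (Get-AppLockerPolicy -Local -Xml)

$changed = $false
if ($current -cne $desired) {
    # Without -Merge, the local policy is replaced by the file's rules.
    Set-AppLockerPolicy -XmlPolicy $PolicyPath
    $changed = $true
}

# Report the result, plus the AppIDSvc state the thread mentions, as JSON
# so a calling tool can decide whether anything changed.
[pscustomobject]@{
    changed        = $changed
    policy_path    = $PolicyPath
    appidsvc_state = (Get-Service -Name AppIDSvc).Status.ToString()
} | ConvertTo-Json
```

Running it a second time against an unchanged file should report `changed` as false, which is the behaviour a configuration-management wrapper needs.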