As part of the recent CVE disclosure CVE-2018-16859 we have come up with a 
playbook that can clear existing log entries as well as restrict the users 
who can view the PowerShell operational logs. While the CVE has been 
remediated in the latest release of Ansible, if you are running PowerShell 
v5+ or have explicitly enabled module logging then it would still be 
beneficial to secure the logs further.

The repo at 
https://github.com/jborean93/ansible-windows/tree/master/playbooks/secure-ps-logging 
contains a playbook that can be run on any Windows host to clear the 
existing logs and restrict users who have read access. Once run it will 
restrict the event log 'Microsoft-Windows-PowerShell/Operational' to the 
following users:

* SYSTEM: Will have STANDARD_RIGHTS_REQUIRED, Read, and Clear rights
* BUILTIN\Administrators: Will have Read and Clear rights
* EVENT_LOG_READERS: Will only have Read rights

This is the same level of access as the 'Security' event log and will stop 
standard users from being able to read the log entries without elevating 
their privileges.

Changing these permissions will not mean that the logging is disabled; it 
will just restrict who can read the logs to a more privileged selection. 
You can find out more about securing the PowerShell operational logs by 
reading through 
https://blogs.technet.microsoft.com/kfalde/2017/05/13/securing-your-powershell-operational-logs/.

Thanks

Jordan

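As an added illustration (not the playbook from the repo above, and not part of the original message), the same restriction expressed directly in PowerShell: it reads the channel's current ACL with wevtutil, lists which principals hold the Read bit, and with -Apply sets a Security-log-equivalent SDDL (SYSTEM 0xF0005, Administrators 0x5, Event Log Readers 0x1). The exact SDDL string is an assumption of that equivalence, and the script assumes an elevated session.

```powershell
# Added example: audit, and optionally set, the channel ACL on the PowerShell
# operational log so it matches the access listed above. Elevated session required.
param([switch]$Apply, [switch]$ClearLog)

$Channel = 'Microsoft-Windows-PowerShell/Operational'

# Event log access mask bits: Read = 0x1, Write = 0x2, Clear = 0x4,
# STANDARD_RIGHTS_REQUIRED = 0xF0000.
$Read = 0x1; $Clear = 0x4; $StdReq = 0xF0000

# Desired ACL (assumed equivalent to the default 'Security' log ACL):
#   SYSTEM (SY): STANDARD_RIGHTS_REQUIRED | Read | Clear  -> 0xF0005
#   BUILTIN\Administrators (BA): Read | Clear             -> 0x5
#   Event Log Readers (S-1-5-32-573): Read                -> 0x1
$DesiredSddl = 'O:BAG:SYD:' +
    ('(A;;0x{0:x};;;SY)' -f ($StdReq -bor $Read -bor $Clear)) +
    ('(A;;0x{0:x};;;BA)' -f ($Read -bor $Clear)) +
    ('(A;;0x{0:x};;;S-1-5-32-573)' -f $Read)

function Get-ChannelSddl {
    # 'wevtutil gl' prints 'channelAccess: <sddl>' among the channel properties
    foreach ($line in (wevtutil.exe gl $Channel)) {
        if ($line -match '^channelAccess:\s*(.+)$') { return $Matches[1].Trim() }
    }
    throw "Could not read channelAccess for $Channel"
}

function Show-Readers([string]$Sddl) {
    # Parse the SDDL and report, per allow ACE, whether the Read bit is held
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne 'AccessAllowed') { continue }
        $who = $ace.SecurityIdentifier.Value
        try { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch {}
        $canRead = ($ace.AccessMask -band $Read) -ne 0
        '{0,-40} mask=0x{1:x} read={2}' -f $who, $ace.AccessMask, $canRead
    }
}

$current = Get-ChannelSddl
"Current ACL on ${Channel}:"; Show-Readers $current
if ($current -eq $DesiredSddl) { 'ACL already matches the Security-log equivalent.' }
elseif ($Apply) {
    if ($ClearLog) { wevtutil.exe cl $Channel }   # drop entries written before the change
    wevtutil.exe sl $Channel "/ca:$DesiredSddl"
    'Applied. New ACL:'; Show-Readers (Get-ChannelSddl)
} else { "Run with -Apply to set:`n$DesiredSddl" }
```

Without -Apply the script only reports, so it can double as a drift check after the playbook has run.
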
-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/927524c5-1146-43b4-ac3f-d918fad60ad4%40googlegroups.com.