Merge pull request #16 from sbaerlocher/develop/0.0.7
Develop/0.0.8
sbaerlocher authored Jun 21, 2021
2 parents 5d5c547 + e2a6078 commit 935673a
Showing 5 changed files with 128 additions and 2 deletions.
6 changes: 6 additions & 0 deletions CHANGELOG.md
Expand Up @@ -5,6 +5,12 @@ and [human-readable changelog](https://keepachangelog.com/en/1.0.0/).

## master

## 0.0.8

### Added

- Add module win_defender_exclusion

## 0.0.7

### Added
2 changes: 1 addition & 1 deletion galaxy.yml
@@ -1,7 +1,7 @@
---
namespace: 'sbaerlocher'
name: 'windows'
version: 0.0.7
version: 0.0.8
readme: README.md
authors:
- 'Simon Baerlocher (https://sbaerlocher.ch)'
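--- a/plugins/modules/win_defender_exclusion.ps1
+++ b/plugins/modules/win_defender_exclusion.ps1
@@ -0,0 +1,110 @@
+#!powershell
+# (c) 2017, David Baumann <[email protected]>
+# GNU GENERAL PUBLIC LICENSE v3
+#
+# WANT_JSON
+# POWERSHELL_COMMON
+
+Set-StrictMode -Version 2;
+$ErrorActionPreference = "Stop";
+
+# Compare Exclusion Lists if we need to Change something
+function Compare-ExclusionLists($Current,$Desired,$Cleanup)
+{
+# We got nothing to Compare agains on Current so we need to change something
+if($Current -eq $null -and $Desired -ne $null){ return $true;};
+
+# We got nothing to Compare agains and $null is $null so nothing to change here
+if($Current -eq $null -and $Desired -eq $null){ return $false;};
+
+# We got nothing Desired and we also should not cleanup so we have nothing to change
+if($Desired -eq $null -and -not $Cleanup) { return $false};
+
+# We got nothing Desired but we NEED to Cleanup so we have to change
+if($Desired -eq $null -and $Cleanup) { return $true;};
+
+$diff = Compare-Object -ReferenceObject $Current -DifferenceObject $Desired -CaseSensitive:$false
+
+# Ensure Nothing is missing on the from the Desired List
+if( $($diff | Where-Object { $_.sideIndicator -eq "=>" }) ){
+return $true;
+}else{
+# Check for Leftovers on the current Setting
+if( $($diff | Where-Object { $_.sideIndicator -eq "<=" }) -and $Cleanup){
+return $true;
+}
+return $false;
+}
+}
+
+# Return current exclusion list of the desired type
+function Get-CurrentExclusionList($ExclusionType){
+return Get-MpPreference | Select-Object -ExpandProperty $("Exclusion" + $ExclusionType);
+}
+
+# Set the Defined Exclusion List
+function Set-ExclusionList($ExclusionType,$List,$Cleanup=$false){
+
+if($List){
+# We got some Values to Set
+$setParam = @{};
+$setParam.Add($("Exclusion" + $ExclusionType),$List);
+Set-MpPreference @setParam;
+}else{
+# We got a empty list
+if($Cleanup){
+# We need to Force Removal
+$valuesToRemove = Get-MpPreference | Select-Object -ExpandProperty $("Exclusion" + $ExclusionType);
+foreach($v in $valuesToRemove)
+{
+$removeParam=@{}
+$removeParam.Add($("Exclusion" + $ExclusionType),$v);
+Remove-MpPreference @removeParam;
+}
+}
+}
+}
+
+# Defining Defaults
+$changed = $false;
+
+# Setting and Reading Params from Ansible
+$parsed_args = Parse-Args $args -supports_check_mode $true;
+$check_mode = Get-AnsibleParam $parsed_args "_ansible_check_mode" -default $false;
+
+$clean = Get-AnsibleParam $parsed_args "clean" -default $false;
+[string[]]$list = Get-AnsibleParam $parsed_args "list" -default [];
+$type = Get-AnsibleParam $parsed_args "type" -validateset "Process","Extension","Path";
+
+
+# Ensure List is Unique, Self fix some errored input
+$list = $list | Sort-Object -Property @{Expression={$_.Trim()}} -Unique
+
+# See if we need to Change something
+[string[]]$current = Get-CurrentExclusionList -ExclusionType $type;
+$haveToChange = Compare-ExclusionLists -Current $current -Desired $list -Cleanup $clean
+
+# Check
+if(-not $check_mode -and $haveToChange)
+{
+# Lets do some Real Work
+if(-not $clean)
+{
+# We need to build a combined list with current and desired Values
+$list = $list + $current;
+$list = $list | Sort-Object -Property @{Expression={$_.Trim()}} -Unique
+}
+Set-ExclusionList -ExclusionType $type -List $list -Cleanup $clean
+$changed = $true
+
+}else{
+# Dry Check Mode
+$changed = $haveToChange
+}
+
+$result = @{
+changed=$changed
+list=$list
+}
+
+Exit-Json $result;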
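Review bot: In both `Sort-Object -Property @{Expression={$_.Trim()}} -Unique` lines the trimmed value is only the sort key, so the original strings pass through and an entry with stray whitespace is handed to `Set-MpPreference` untrimmed, which is not what the "Self fix some errored input" comment promises. Trimming first would match the comment: `$list = $list | ForEach-Object { $_.Trim() } | Sort-Object -Unique`. Separately, `-default []` on the `list` parameter looks like it is parsed as the bare string `[]` rather than an empty array, so a call without `list` could end up registering a literal `[]` exclusion; `-default @()` avoids that. Because every entry written here takes a path, process or extension out of Defender scanning, it would also help auditing to return the pre-change list in `$result` alongside `list`.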
5 changes: 4 additions & 1 deletion roles/defender/defaults/main.yml
Expand Up @@ -2,4 +2,7 @@
# defaults file for defender

# disables or enables Windows defender on the Windows system.
defender_disable: true
defender_disable: fales
# example
# defender_exclusion:
# - path:
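Review bot: `defender_disable: fales` is a misspelling of `false`, so YAML loads it as the string `fales` rather than a boolean. The task in roles/defender/tasks/main.yml interpolates this value as `${{ defender_disable }}`, which would render `$fales`, an unset PowerShell variable, so whether real-time monitoring stays enabled depends on how that is coerced instead of on an explicit value. The line should read `defender_disable: false`.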
7 changes: 7 additions & 0 deletions roles/defender/tasks/main.yml
Expand Up @@ -3,3 +3,10 @@

- name: 'Disable or Enable Defender'
win_shell: 'Set-MpPreference -DisableRealtimeMonitoring ${{ defender_disable }}'
when: ansible_distribution_major_version is version('6', '>')

- name: 'Exclude from Scanning'
win_defender_exclusion:
list: '{{ item.value }}'
type: '{{ item.key }}'
with_dict: '{{ defender_exclusion }}'
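Review bot: `with_dict: '{{ defender_exclusion }}'` has no fallback, and the defaults file in this commit only carries `defender_exclusion` as a commented example, so the new task will presumably fail with an undefined-variable error on any host that does not set it. `with_dict: '{{ defender_exclusion | default({}) }}'` turns that case into a no-op. The commented example also shows a list item (`- path:`), whereas `with_dict` needs a mapping whose keys match the module's `type` values (`Process`, `Extension`, `Path`); a comment above the task stating that shape would help. Since this variable decides what Defender stops scanning, it is worth documenting that it should come only from reviewed inventory or vars files.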
