[Windows] Add a new windows test case of MDAG (#432)

* Add a new test case for windows Microsoft Defender Application Guard (MDAG) Signed-off-by: Yanan Shen <yanans@vmware.com>
vmware · Mar 15, 2023 · cf02c51 · cf02c51
1 parent 2e91d2e
commit cf02c51
Show file tree

Hide file tree

Showing 3 changed files with 228 additions and 0 deletions.
diff --git a/windows/mdag_enable_disable/disable_mdag.yml b/windows/mdag_enable_disable/disable_mdag.yml
@@ -0,0 +1,41 @@
+# Copyright 2023 VMware, Inc.
+# SPDX-License-Identifier: BSD-2-Clause
+---
+# Disabe MDAG in guest OS
+#
+- name: "Disable MDAG"
+  include_tasks: ../utils/win_execute_cmd.yml
+  vars:
+    win_powershell_cmd: "Disable-WindowsOptionalFeature -Online -NoRestart -FeatureName {{ mdag_feature_name }}"
+
+- name: "Restart the guest OS"
+  include_tasks: ../utils/win_shutdown_restart.yml
+  vars:
+    set_win_power_state: "restart"
+
+- name: "Get MDAG feature state"
+  include_tasks: ../utils/win_execute_cmd.yml
+  vars:
+    win_powershell_cmd: "(Get-WindowsOptionalFeature -Online -FeatureName {{ mdag_feature_name }}).State"
+
+- name: "Check if MDAG is disabled in guest OS"
+  ansible.builtin.assert:
+    that:
+      - win_powershell_cmd_output.stdout_lines is defined
+      - win_powershell_cmd_output.stdout_lines | length == 1
+      - win_powershell_cmd_output.stdout_lines[0].strip() == 'Disabled'
+    fail_msg: "MDAG feature state in guest OS is not 'Disabled': '{{ win_powershell_cmd_output.stdout_lines | default('') }}'"
+
+- name: "Get MDAG process {{ mdag_process }} after MDAG is disabled"
+  include_tasks: ../utils/win_execute_cmd.yml
+  vars:
+    win_powershell_cmd: "Get-Process -Name {{ mdag_process }}"
+    win_execute_cmd_ignore_error: true
+
+- name: "Check the MDAG process"
+  ansible.builtin.assert:
+    that:
+      - win_powershell_cmd_output.stderr_lines is defined
+      - win_powershell_cmd_output.stderr_lines | length != 0
+      - "'Cannot find a process' in win_powershell_cmd_output.stderr_lines[0]"
+    fail_msg: "There should not be process {{ mdag_process }} after disabling MDAG."
diff --git a/windows/mdag_enable_disable/enable_mdag.yml b/windows/mdag_enable_disable/enable_mdag.yml
@@ -0,0 +1,122 @@
+# Copyright 2023 VMware, Inc.
+# SPDX-License-Identifier: BSD-2-Clause
+---
+# Hardware requirements to run MDAG:
+# 1. CPU hardware virtualization is enabled.
+# 2. Minimum 4 cores (logical processors)
+# 3. Minimum 8-GB RAM
+#
+- name: "Initialize the VM hardware related variables"
+  ansible.builtin.set_fact:
+    vm_nested_virt_status: false
+    vm_initial_cpu_num: ""
+    vm_initial_mem_mb: ""
+
+- name: "Get CPU hardware virtualization status, CPU number and memory size"
+  include_tasks: ../../common/vm_get_config.yml
+  vars:
+    property_list: ['config.nestedHVEnabled', 'config.hardware.memoryMB', 'config.hardware.numCPU']
+
+- name: "Set facts of VM hardware related info"
+  ansible.builtin.set_fact:
+    vm_nested_virt_status: "{{ vm_config.config.nestedHVEnabled }}"
+    vm_initial_cpu_num: "{{ vm_config.config.hardware.numCPU }}"
+    vm_initial_mem_mb: "{{ vm_config.config.hardware.memoryMB }}"
+  when:
+    - vm_config.config is defined
+    - vm_config.config.nestedHVEnabled is defined
+    - vm_config.config.hardware.memoryMB is defined
+    - vm_config.config.hardware.numCPU is defined
+
+- name: "Edit VM Settings"
+  block:
+    - name: "Shutdown VM"
+      include_tasks: ../utils/win_shutdown_restart.yml
+      vars:
+        set_win_power_state: "shutdown"
+
+    - name: "Enable CPU hardware virtualization for the VM"
+      include_tasks: ../../common/vm_set_nested_virtual.yml
+      vars:
+        vm_nested_virt: true
+      when: not vm_nested_virt_status
+
+    - name: "Set VM CPU number to 4"
+      include_tasks: ../../common/vm_set_cpu_number.yml
+      vars:
+        num_cores_per_socket: 2
+        num_cpus: 4
+      when: vm_initial_cpu_num | int < 4
+
+    - name: "Set VM memory size to 8 GB"
+      include_tasks: ../../common/vm_set_memory_size.yml
+      vars:
+        memory_mb: 8192
+      when: vm_initial_mem_mb | int < 8 * 1024
+
+    - name: "Power on the VM"
+      include_tasks: ../../common/vm_set_power_state.yml
+      vars:
+        vm_power_state_set: 'powered-on'
+
+    - name: "Update the inventory"
+      include_tasks: ../utils/win_update_inventory.yml
+  when: >
+    (not vm_nested_virt_status) or
+    (vm_initial_cpu_num | int < 4) or 
+    (vm_initial_mem_mb | int < 8 * 1024) 
+
+- name: "Enable MDAG"
+  include_tasks: ../utils/win_execute_cmd.yml
+  vars:
+    win_powershell_cmd: "Enable-WindowsOptionalFeature -Online -NoRestart -FeatureName {{ mdag_feature_name }}"
+
+- name: "Restart the guest OS"
+  include_tasks: ../utils/win_shutdown_restart.yml
+  vars:
+    set_win_power_state: "restart"
+
+- name: "Get MDAG feature state"
+  include_tasks: ../utils/win_execute_cmd.yml
+  vars:
+    win_powershell_cmd: "(Get-WindowsOptionalFeature -Online -FeatureName {{ mdag_feature_name }}).State"
+
+- name: "Check if MDAG is enabled in guest OS"
+  ansible.builtin.assert:
+    that:
+      - win_powershell_cmd_output.stdout_lines is defined
+      - win_powershell_cmd_output.stdout_lines | length == 1
+      - win_powershell_cmd_output.stdout_lines[0].strip() == 'Enabled'
+    fail_msg: "MDAG feature state in guest OS is not 'Enabled': '{{ win_powershell_cmd_output.stdout_lines | default('') }}'"
+
+- name: "Set the MDAG related process name"
+  ansible.builtin.set_fact:
+    mdag_process: "vmmemMDAG"
+    virtual_process: "vmcompute"
+
+- name: "Get virtual process {{ virtual_process }} before restart"
+  include_tasks: ../utils/win_execute_cmd.yml
+  vars:
+    win_powershell_cmd: "Get-Process -Name {{ virtual_process }}"
+
+- name: "Get MDAG process {{ mdag_process }}"
+  include_tasks: ../utils/win_execute_cmd.yml
+  vars:
+    win_powershell_cmd: "Get-Process -Name {{ mdag_process }}"
+    win_execute_cmd_ignore_error: true
+
+- name: "Check MDAG process {{ mdag_process }} after restart"
+  block:
+    - name: "Restart the guest OS"
+      include_tasks: ../utils/win_shutdown_restart.yml
+      vars:
+        set_win_power_state: "restart"
+
+    - name: "Get MDAG process {{ mdag_process }} after restart"
+      include_tasks: ../utils/win_execute_cmd.yml
+      vars:
+        win_powershell_cmd: "Get-Process -Name {{ mdag_process }}"
+  when:
+    - guest_os_build_num | int > 22000
+    - win_powershell_cmd_output.rc is defined
+    - win_powershell_cmd_output.rc != 0
diff --git a/windows/mdag_enable_disable/mdag_enable_disable.yml b/windows/mdag_enable_disable/mdag_enable_disable.yml
@@ -0,0 +1,65 @@
+# Copyright 2023 VMware, Inc.
+# SPDX-License-Identifier: BSD-2-Clause
+---
+# Description:
+#   This case is to test Microsoft Defender Application Guard (MDAG), which will opens the untrusted websites
+# in an isolated Hyper-V-enabled container. For more details, please refer to
+# https://learn.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview
+#
+- name: mdag_enable_disable
+  hosts: localhost
+  gather_facts: no
+  vars_files:
+    - "{{ testing_vars_file | default('../../vars/test.yml') }}"
+  tasks:
+    - name: "Test case block"
+      block:
+        - name: "Test setup"
+          include_tasks: ../setup/test_setup.yml
+
+        - name: "Skip test case"
+          include_tasks: ../../common/skip_test_case.yml
+          vars:
+            skip_msg: "Skip test case due to MDAG is not supported on Windows Server."
+            skip_reason: "Not Supported"
+          when: guest_os_product_type | lower == 'server'
+
+        - name: "Skip test case"
+          include_tasks: ../../common/skip_test_case.yml
+          vars:
+            skip_msg: "Skip test case due to Hyper-V compatible hardware is 64bit processor, this guest OS is: {{ guest_os_ansible_architecture }}."
+            skip_reason: "Not Supported"
+          when: guest_os_ansible_architecture != "64-bit"
+
+        - name: "Skip test case"
+          include_tasks: ../../common/skip_test_case.yml
+          vars:
+            skip_msg: "Skip test case due to MDAG supported OS editions are 'Pro', 'Education' or 'Enterprise', this guest OS is: {{ guest_os_edition }}."
+            skip_reason: "Not Supported"
+          when:
+            - guest_os_edition | lower not in ['pro', 'enterprise', 'education']
+            - guest_os_product_type | lower == 'client'
+
+        - name: "Skip test case"
+          include_tasks: ../../common/skip_test_case.yml
+          vars:
+            skip_msg:
+              - "Skip test case due to MDAG supported OS version is 'Windows 10 version 1809 or later' and 'Windows 11'."
+              - "This guest OS major version: {{ guest_os_ansible_distribution_major_ver }}, build number: {{ guest_os_build_num }}."
+            skip_reason: "Not Supported"
+          when: >
+            (guest_os_ansible_distribution_major_ver | int == 10 and guest_os_build_num | int < 17763) or
+            (guest_os_ansible_distribution_major_ver | int < 10)
+
+        - name: "Set MDAG feature name"
+          ansible.builtin.set_fact:
+            mdag_feature_name: "Windows-Defender-ApplicationGuard"
+
+        - name: "Enable MDAG"
+          include_tasks: enable_mdag.yml
+
+        - name: "Disable MDAG"
+          include_tasks: disable_mdag.yml
+      rescue:
+        - name: "Test case failure"
+          include_tasks: ../../common/test_rescue.yml