From cf02c516737b680b074002d1954f1d7799d587d1 Mon Sep 17 00:00:00 2001 From: 123lzxm <53428732+123lzxm@users.noreply.github.com> Date: Wed, 15 Mar 2023 14:30:20 +0800 Subject: [PATCH] [Windows] Add a new windows test case of MDAG (#432) * Add a new test case for windows Microsoft Defender Application Guard (MDAG) Signed-off-by: Yanan Shen --- windows/mdag_enable_disable/disable_mdag.yml | 41 ++++++ windows/mdag_enable_disable/enable_mdag.yml | 122 ++++++++++++++++++ .../mdag_enable_disable.yml | 65 ++++++++++ 3 files changed, 228 insertions(+) create mode 100644 windows/mdag_enable_disable/disable_mdag.yml create mode 100644 windows/mdag_enable_disable/enable_mdag.yml create mode 100644 windows/mdag_enable_disable/mdag_enable_disable.yml diff --git a/windows/mdag_enable_disable/disable_mdag.yml b/windows/mdag_enable_disable/disable_mdag.yml new file mode 100644 index 000000000..09759a72d --- /dev/null +++ b/windows/mdag_enable_disable/disable_mdag.yml 
@@ -0,0 +1,41 @@ +# Copyright 2023 VMware, Inc. +# SPDX-License-Identifier: BSD-2-Clause +--- +# Disabe MDAG in guest OS +# +- name: "Disable MDAG" + include_tasks: ../utils/win_execute_cmd.yml + vars: + win_powershell_cmd: "Disable-WindowsOptionalFeature -Online -NoRestart -FeatureName {{ mdag_feature_name }}" + +- name: "Restart the guest OS" + include_tasks: ../utils/win_shutdown_restart.yml + vars: + set_win_power_state: "restart" + +- name: "Get MDAG feature state" + include_tasks: ../utils/win_execute_cmd.yml + vars: + win_powershell_cmd: "(Get-WindowsOptionalFeature -Online -FeatureName {{ mdag_feature_name }}).State" + +- name: "Check if MDAG is disabled in guest OS" + ansible.builtin.assert: + that: + - win_powershell_cmd_output.stdout_lines is defined + - win_powershell_cmd_output.stdout_lines | length == 1 + - win_powershell_cmd_output.stdout_lines[0].strip() == 'Disabled' + fail_msg: "MDAG feature state in guest OS is not 'Disabled': '{{ win_powershell_cmd_output.stdout_lines | default('') }}'" + +- name: "Get MDAG process {{ mdag_process }} after MDAG is disabled" + include_tasks: ../utils/win_execute_cmd.yml + vars: + win_powershell_cmd: "Get-Process -Name {{ mdag_process }}" + win_execute_cmd_ignore_error: true + +- name: "Check the MDAG process" + ansible.builtin.assert: + that: + - win_powershell_cmd_output.stderr_lines is defined + - win_powershell_cmd_output.stderr_lines | length != 0 + - "'Cannot find a process' in win_powershell_cmd_output.stderr_lines[0]" + fail_msg: "There should not be process {{ mdag_process }} after disabling MDAG." \ No newline at end of file diff --git a/windows/mdag_enable_disable/enable_mdag.yml b/windows/mdag_enable_disable/enable_mdag.yml new file mode 100644 index 000000000..49f7f35e3 --- /dev/null +++ b/windows/mdag_enable_disable/enable_mdag.yml 
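Review bot: The last assertion in `Check the MDAG process` pins the check to the English error text `'Cannot find a process'` taken from Get-Process's stderr, which is presumably localized on non-English guest images and would then fail even though MDAG was correctly disabled. Asserting on the exit status instead, `- win_powershell_cmd_output.rc is defined` and `- win_powershell_cmd_output.rc != 0` (rc is already consulted this way in enable_mdag.yml), or running `Get-Process -Name {{ mdag_process }} -ErrorAction SilentlyContinue` and asserting `stdout_lines | length == 0`, verifies the same condition without depending on message wording. This file also reads `mdag_process`, which is only set by a set_fact inside enable_mdag.yml, so including disable_mdag.yml on its own fails on an undefined variable; defining it next to `mdag_feature_name` in the calling playbook would remove that hidden ordering dependency. The header comment has a typo and should read `# Disable MDAG in guest OS`.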
@@ -0,0 +1,122 @@ +# Copyright 2023 VMware, Inc. +# SPDX-License-Identifier: BSD-2-Clause +--- +# Hardware requirements to run MDAG: +# 1. CPU hardware virtualization is enabled. +# 2. Minimum 4 cores (logical processors) +# 3. Minimum 8-GB RAM +# +- name: "Initialize the VM hardware related variables" + ansible.builtin.set_fact: + vm_nested_virt_status: false + vm_initial_cpu_num: "" + vm_initial_mem_mb: "" + +- name: "Get CPU hardware virtualization status, CPU number and memory size" + include_tasks: ../../common/vm_get_config.yml + vars: + property_list: ['config.nestedHVEnabled', 'config.hardware.memoryMB', 'config.hardware.numCPU'] + +- name: "Set facts of VM hardware related info" + ansible.builtin.set_fact: + vm_nested_virt_status: "{{ vm_config.config.nestedHVEnabled }}" + vm_initial_cpu_num: "{{ vm_config.config.hardware.numCPU }}" + vm_initial_mem_mb: "{{ vm_config.config.hardware.memoryMB }}" + when: + - vm_config.config is defined + - vm_config.config.nestedHVEnabled is defined + - vm_config.config.hardware.memoryMB is defined + - vm_config.config.hardware.numCPU is defined + +- name: "Edit VM Settings" + block: + - name: "Shutdown VM" + include_tasks: ../utils/win_shutdown_restart.yml + vars: + set_win_power_state: "shutdown" + + - name: "Enable CPU hardware virtualization for the VM" + include_tasks: ../../common/vm_set_nested_virtual.yml + vars: + vm_nested_virt: true + when: not vm_nested_virt_status + + - name: "Set VM CPU number to 4" + include_tasks: ../../common/vm_set_cpu_number.yml + vars: + num_cores_per_socket: 2 + num_cpus: 4 + when: vm_initial_cpu_num | int < 4 + + - name: "Set VM memory size to 8 GB" + include_tasks: ../../common/vm_set_memory_size.yml + vars: + memory_mb: 8192 + when: vm_initial_mem_mb | int < 8 * 1024 + + - name: "Power on the VM" + include_tasks: ../../common/vm_set_power_state.yml + vars: + vm_power_state_set: 'powered-on' + + - name: "Update the inventory" + include_tasks: ../utils/win_update_inventory.yml + when: > 
+ (not vm_nested_virt_status) or + (vm_initial_cpu_num | int < 4) or + (vm_initial_mem_mb | int < 8 * 1024) + +- name: "Enable MDAG" + include_tasks: ../utils/win_execute_cmd.yml + vars: + win_powershell_cmd: "Enable-WindowsOptionalFeature -Online -NoRestart -FeatureName {{ mdag_feature_name }}" + +- name: "Restart the guest OS" + include_tasks: ../utils/win_shutdown_restart.yml + vars: + set_win_power_state: "restart" + +- name: "Get MDAG feature state" + include_tasks: ../utils/win_execute_cmd.yml + vars: + win_powershell_cmd: "(Get-WindowsOptionalFeature -Online -FeatureName {{ mdag_feature_name }}).State" + +- name: "Check if MDAG is enabled in guest OS" + ansible.builtin.assert: + that: + - win_powershell_cmd_output.stdout_lines is defined + - win_powershell_cmd_output.stdout_lines | length == 1 + - win_powershell_cmd_output.stdout_lines[0].strip() == 'Enabled' + fail_msg: "MDAG feature state in guest OS is not 'Enabled': '{{ win_powershell_cmd_output.stdout_lines | default('') }}'" + +- name: "Set the MDAG related process name" + ansible.builtin.set_fact: + mdag_process: "vmmemMDAG" + virtual_process: "vmcompute" + +- name: "Get virtual process {{ virtual_process }} before restart" + include_tasks: ../utils/win_execute_cmd.yml + vars: + win_powershell_cmd: "Get-Process -Name {{ virtual_process }}" + +- name: "Get MDAG process {{ mdag_process }}" + include_tasks: ../utils/win_execute_cmd.yml + vars: + win_powershell_cmd: "Get-Process -Name {{ mdag_process }}" + win_execute_cmd_ignore_error: true + +- name: "Check MDAG process {{ mdag_process }} after restart" + block: + - name: "Restart the guest OS" + include_tasks: ../utils/win_shutdown_restart.yml + vars: + set_win_power_state: "restart" + + - name: "Get MDAG process {{ mdag_process }} after restart" + include_tasks: ../utils/win_execute_cmd.yml + vars: + win_powershell_cmd: "Get-Process -Name {{ mdag_process }}" + when: + - guest_os_build_num | int > 22000 + - win_powershell_cmd_output.rc is defined + - 
win_powershell_cmd_output.rc != 0 \ No newline at end of file diff --git a/windows/mdag_enable_disable/mdag_enable_disable.yml b/windows/mdag_enable_disable/mdag_enable_disable.yml new file mode 100644 index 000000000..9b1c94e74 --- /dev/null +++ b/windows/mdag_enable_disable/mdag_enable_disable.yml 
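Review bot: The result of `Get MDAG process {{ mdag_process }}` is never asserted: it runs with `win_execute_cmd_ignore_error: true`, and the follow-up `Check MDAG process {{ mdag_process }} after restart` block only re-runs Get-Process (this time without ignore_error, so a failure there is the implicit check) when `guest_os_build_num | int > 22000` and rc != 0. On a build at or below 22000 where the process is missing, the task falls through and the case passes without ever confirming the MDAG container process exists. If that is intentional because the process is not expected on older builds, a comment above the block stating so would help; otherwise an explicit `ansible.builtin.assert` with `- win_powershell_cmd_output.rc == 0` guarded by the same build condition would close the gap. The `Get virtual process {{ virtual_process }} before restart` task likewise has no assertion, although its missing ignore_error means a failed lookup does fail the task.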
@@ -0,0 +1,65 @@ +# Copyright 2023 VMware, Inc. +# SPDX-License-Identifier: BSD-2-Clause +--- +# Description: +# This case is to test Microsoft Defender Application Guard (MDAG), which will opens the untrusted websites +# in an isolated Hyper-V-enabled container. For more details, please refer to +# https://learn.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview +# +- name: mdag_enable_disable + hosts: localhost + gather_facts: no + vars_files: + - "{{ testing_vars_file | default('../../vars/test.yml') }}" + tasks: + - name: "Test case block" + block: + - name: "Test setup" + include_tasks: ../setup/test_setup.yml + + - name: "Skip test case" + include_tasks: ../../common/skip_test_case.yml + vars: + skip_msg: "Skip test case due to MDAG is not supported on Windows Server." + skip_reason: "Not Supported" + when: guest_os_product_type | lower == 'server' + + - name: "Skip test case" + include_tasks: ../../common/skip_test_case.yml + vars: + skip_msg: "Skip test case due to Hyper-V compatible hardware is 64bit processor, this guest OS is: {{ guest_os_ansible_architecture }}." + skip_reason: "Not Supported" + when: guest_os_ansible_architecture != "64-bit" + + - name: "Skip test case" + include_tasks: ../../common/skip_test_case.yml + vars: + skip_msg: "Skip test case due to MDAG supported OS editions are 'Pro', 'Education' or 'Enterprise', this guest OS is: {{ guest_os_edition }}." + skip_reason: "Not Supported" + when: + - guest_os_edition | lower not in ['pro', 'enterprise', 'education'] + - guest_os_product_type | lower == 'client' + + - name: "Skip test case" + include_tasks: ../../common/skip_test_case.yml + vars: + skip_msg: + - "Skip test case due to MDAG supported OS version is 'Windows 10 version 1809 or later' and 'Windows 11'." + - "This guest OS major version: {{ guest_os_ansible_distribution_major_ver }}, build number: {{ guest_os_build_num }}." 
+ skip_reason: "Not Supported" + when: > + (guest_os_ansible_distribution_major_ver | int == 10 and guest_os_build_num | int < 17763) or + (guest_os_ansible_distribution_major_ver | int < 10) + + - name: "Set MDAG feature name" + ansible.builtin.set_fact: + mdag_feature_name: "Windows-Defender-ApplicationGuard" + + - name: "Enable MDAG" + include_tasks: enable_mdag.yml + + - name: "Disable MDAG" + include_tasks: disable_mdag.yml + rescue: + - name: "Test case failure" + include_tasks: ../../common/test_rescue.yml \ No newline at end of file
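Review bot: The `Test case block` has a `rescue` but no `always`, so the VM configuration changes made by enable_mdag.yml (nested hardware virtualization enabled, CPU count and memory raised) persist after the test whether it passes or fails, and the `vm_initial_cpu_num`, `vm_initial_mem_mb` and `vm_nested_virt_status` facts recorded there are never used to restore the original settings. An `always:` section that shuts the VM down and reapplies those values when they were changed would return the VM to its pre-test state, which matters because nested virtualization exposes hardware virtualization extensions to the guest and is not something later test cases should inherit silently. Four tasks share the name `Skip test case`, which makes the run log ambiguous about which condition triggered the skip; naming each by its condition (for example `Skip test case on Windows Server`) would help. Minor: `gather_facts: no` should be the canonical `gather_facts: false`, and the description's `which will opens` reads `which opens`.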