inspec/lib/resources/audit_policy.rb

# encoding: utf-8
# copyright: 2015, Vulcano Security GmbH
# author: Christoph Hartmann
# author: Dominik Richter
# license: All rights reserved

# Advanced Auditing:
# As soon as you start applying Advanced Audit Configuration Policy, legacy policies will be completely ignored.
# reference: https://technet.microsoft.com/en-us/library/cc753632.aspx
# use:
#  - list all categories: Auditpol /list /subcategory:* /r
#  - list parameters: Auditpol /get /category:"System" /subcategory:"IPsec Driver"
#  - list specific parameter: Auditpol /get /subcategory:"IPsec Driver"
#
# @link: http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx
#
# Valid values are:
#
# - "No Auditing"
# - "Not Specified"
# - "Success"
# - "Success and Failure"
# - "Failure"
#
# Further information is available at: https://msdn.microsoft.com/en-us/library/dd973859.aspx

module Inspec::Resources
  class AuditPolicy < Inspec.resource(1)
    name 'audit_policy'
    desc 'Use the audit_policy InSpec audit resource to test auditing policies on the Microsoft Windows platform. An auditing policy is a category of security-related events to be audited. Auditing is disabled by default and may be enabled for categories like account management, logon events, policy changes, process tracking, privilege use, system events, or object access. For each auditing category property that is enabled, the auditing level may be set to No Auditing, Not Specified, Success, Success and Failure, or Failure.'
    example "
      describe audit_policy do
        its('parameter') { should eq 'value' }
      end
    "

    def method_missing(method)
      key = method.to_s

      # expected result:
      # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
      # WIN-MB8NINQ388J,System,Kerberos Authentication Service,{0CCE9242-69AE-11D9-BED3-505054503030},No Auditing,
      result ||= inspec.command("Auditpol /get /subcategory:'#{key}' /r").stdout

      # find line
      target = nil
      result.each_line {|s|
        target = s.strip if s =~ /\b.*#{key}.*\b/
      }

      # extract value
      values = nil
      unless target.nil?
        # split csv values and return value
        values = target.split(',')[4]
      end

      values
    end

    def to_s
      'Audit Policy'
    end
  end
end
update copyright header 2015-07-15 13:15:18 +00:00			`# encoding: utf-8`
			`# copyright: 2015, Vulcano Security GmbH`
add author header 2015-10-06 16:55:44 +00:00			`# author: Christoph Hartmann`
			`# author: Dominik Richter`
update copyright header 2015-07-15 13:15:18 +00:00			`# license: All rights reserved`

optimize comments for audit_policy resource 2015-09-05 20:45:43 +00:00			`# Advanced Auditing:`
migrate all of audit Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-08-28 23:04:52 +00:00			`# As soon as you start applying Advanced Audit Configuration Policy, legacy policies will be completely ignored.`
feature: add windows resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-04-17 13:37:17 +00:00			`# reference: https://technet.microsoft.com/en-us/library/cc753632.aspx`
migrate all of audit Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-08-28 23:04:52 +00:00			`# use:`
feature: add windows resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-04-17 13:37:17 +00:00			`# - list all categories: Auditpol /list /subcategory:* /r`
			`# - list parameters: Auditpol /get /category:"System" /subcategory:"IPsec Driver"`
			`# - list specific parameter: Auditpol /get /subcategory:"IPsec Driver"`
migrate all of audit Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-08-28 23:04:52 +00:00			`#`
			`# @link: http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx`
optimize comments for audit_policy resource 2015-09-05 20:45:43 +00:00			`#`
			`# Valid values are:`
			`#`
			`# - "No Auditing"`
			`# - "Not Specified"`
			`# - "Success"`
			`# - "Success and Failure"`
			`# - "Failure"`
			`#`
			`# Further information is available at: https://msdn.microsoft.com/en-us/library/dd973859.aspx`
feature: add windows resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-04-17 13:37:17 +00:00
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`module Inspec::Resources`
			`class AuditPolicy < Inspec.resource(1)`
			`name 'audit_policy'`
			desc 'Use the audit_policy InSpec audit resource to test auditing policies on the Microsoft Windows platform. An auditing policy is a category of security-related events to be audited. Auditing is disabled by default and may be enabled for categories like account management, logon events, policy changes, process tracking, privilege use, system events, or object access. For each auditing category property that is enabled, the auditing level may be set to No Auditing, Not Specified, Success, Success and Failure, or Failure.'
			`example "`
			`describe audit_policy do`
			`its('parameter') { should eq 'value' }`
			`end`
			`"`
feature: add windows resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-04-17 13:37:17 +00:00
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`def method_missing(method)`
			`key = method.to_s`

			`# expected result:`
			`# Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting`
			`# WIN-MB8NINQ388J,System,Kerberos Authentication Service,{0CCE9242-69AE-11D9-BED3-505054503030},No Auditing,`
			`result \|\|= inspec.command("Auditpol /get /subcategory:'#{key}' /r").stdout`

			`# find line`
			`target = nil`
			`result.each_line {\|s\|`
			`target = s.strip if s =~ /\b.#{key}.\b/`
			`}`
feature: add windows resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-04-17 13:37:17 +00:00
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`# extract value`
			`values = nil`
			`unless target.nil?`
			`# split csv values and return value`
			`values = target.split(',')[4]`
			`end`

			`values`
			`end`

			`def to_s`
			`'Audit Policy'`
			`end`
feature: add windows resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-04-17 13:37:17 +00:00			`end`
			`end`