2016-09-22 12:43:57 +00:00
---
title: About the users Resource
2018-02-16 00:28:15 +00:00
platform: os
2016-09-22 12:43:57 +00:00
---
# users
2019-04-26 18:24:29 +00:00
Use the `users` Chef InSpec audit resource to look up all local users available on the system, and then test specific properties of those users. This resource does not return information about users that may be located on other systems, such as LDAP or Active Directory.
2016-09-22 12:43:57 +00:00
2017-10-03 21:35:10 +00:00
<br>
2018-08-09 12:34:49 +00:00
## Availability
### Installation
2019-04-26 18:24:29 +00:00
This resource is distributed along with Chef InSpec itself. You can use it automatically.
2018-08-09 12:34:49 +00:00
### Version
This resource first became available in v1.0.0 of InSpec.
2016-09-27 19:03:23 +00:00
## Syntax
2016-09-22 12:43:57 +00:00
A `users` resource block declares a user name, and then one (or more) matchers:
describe users.where(uid: 0).entries do
it { should eq ['root'] }
its('uids') { should eq [1234] }
its('gids') { should eq [1234] }
end
where
2019-09-18 09:09:05 +00:00
* `gid`, `group`, `groups`, `home`, `maxdays`, `mindays`, `shell`, `uid`, `warndays`, `passwordage`, `maxbadpasswords` and `badpasswordattempts` are valid matchers for this resource
2016-09-22 12:43:57 +00:00
* `where(uid: 0).entries` represents a filter that runs the test only against matching users
For example:
describe users.where { username =~ /.*/ } do
it { should exist }
end
or:
describe users.where { uid =~ /^S-1-5-[0-9-]+-501$/ } do
it { should exist }
end
2017-10-03 21:35:10 +00:00
<br>
2016-09-22 12:43:57 +00:00
2017-10-03 21:35:10 +00:00
## Examples
2016-09-22 12:43:57 +00:00
2019-04-26 18:24:29 +00:00
The following examples show how to use this Chef InSpec audit resource.
2016-09-22 12:43:57 +00:00
2017-10-03 21:35:10 +00:00
### Use a regular expression to find users
2016-09-22 12:43:57 +00:00
2017-10-03 21:35:10 +00:00
describe users.where { uid =~ /S\-1\-5\-21\-\d+\-\d+\-\d+\-500/ } do
it { should exist }
end
2016-09-22 12:43:57 +00:00
2019-07-08 18:30:20 +00:00
### Test only allowed users exist
allowed_users = %w(user1 user2 user3)
users.where { uid > 1000 && uid < 65534 }.usernames.sort.each do |u|
describe user(u) do
if allowed_users.include?(u)
it { should exist }
else
it { should_not exist }
end
end
end
2017-10-03 21:35:10 +00:00
<br>
2016-09-22 12:43:57 +00:00
2017-10-03 21:35:10 +00:00
## Matchers
2016-09-22 12:43:57 +00:00
2018-02-16 03:07:18 +00:00
For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
2016-09-22 12:43:57 +00:00
2016-09-27 19:03:23 +00:00
### exist
2016-09-22 12:43:57 +00:00
The `exist` matcher tests if the named user exists:
it { should exist }
2016-09-27 19:03:23 +00:00
### gid
2016-09-22 12:43:57 +00:00
The `gid` matcher tests the group identifier:
its('gid') { should eq 1234 } }
where `1234` represents the user identifier.
2016-09-27 19:03:23 +00:00
### group
2016-09-22 12:43:57 +00:00
The `group` matcher tests the group to which the user belongs:
its('group') { should eq 'root' }
where `root` represents the group.
2016-09-27 19:03:23 +00:00
### groups
2016-09-22 12:43:57 +00:00
The `groups` matcher tests two (or more) groups to which the user belongs:
its('groups') { should eq ['root', 'other']}
2016-09-27 19:03:23 +00:00
### home
2016-09-22 12:43:57 +00:00
The `home` matcher tests the home directory path for the user:
its('home') { should eq '/root' }
2016-09-27 19:03:23 +00:00
### maxdays
2016-09-22 12:43:57 +00:00
The `maxdays` matcher tests the maximum number of days between password changes:
its('maxdays') { should eq 99 }
where `99` represents the maximum number of days.
2016-09-27 19:03:23 +00:00
### mindays
2016-09-22 12:43:57 +00:00
The `mindays` matcher tests the minimum number of days between password changes:
its('mindays') { should eq 0 }
where `0` represents the maximum number of days.
2016-09-27 19:03:23 +00:00
### shell
2016-09-22 12:43:57 +00:00
The `shell` matcher tests the path to the default shell for the user:
2018-04-19 17:06:20 +00:00
its('shells') { should eq ['/bin/bash'] }
2016-09-22 12:43:57 +00:00
2016-09-27 19:03:23 +00:00
### uid
2016-09-22 12:43:57 +00:00
The `uid` matcher tests the user identifier:
its('uid') { should eq 1234 } }
where `1234` represents the user identifier.
2016-09-27 19:03:23 +00:00
### warndays
2016-09-22 12:43:57 +00:00
The `warndays` matcher tests the number of days a user is warned before a password must be changed:
its('warndays') { should eq 5 }
where `5` represents the number of days a user is warned.
2019-09-18 09:09:05 +00:00
### passwordage
The `passwordage` matcher tests the number of days a user changed its password:
its('passwordage') { should_be <= 365 }
where `365` represents the number of days since the last password change.
### maxbadpasswords
The `maxbadpasswords` matcher tests the count of max badpassword settings for a specific user.
its('maxbadpasswords') { should eq 7 }
where `7` is the count of maximum bad password attempts.
### badpasswordattempts
The `badpasswordattempts` matcher tests the count of bad password attempts for a user.
its('badpasswordattempts') { should eq 0 }
where `0` is the count of bad passwords for a user.
On Linux based operating systems it relies on `lastb` and for Windows it uses information stored for the user object.
These settings will be resetted to `0` depending on your operating system configuration.
