inspec/lib/resources/audit_policy.rb

64 lines
1.8 KiB
Ruby
Raw Normal View History

2015-07-15 13:15:18 +00:00
# encoding: utf-8
# copyright: 2015, Vulcano Security GmbH
2015-10-06 16:55:44 +00:00
# author: Christoph Hartmann
# author: Dominik Richter
2015-07-15 13:15:18 +00:00
# license: All rights reserved
# Advanced Auditing:
# As soon as you start applying Advanced Audit Configuration Policy, legacy policies will be completely ignored.
# reference: https://technet.microsoft.com/en-us/library/cc753632.aspx
# use:
# - list all categories: Auditpol /list /subcategory:* /r
# - list parameters: Auditpol /get /category:"System" /subcategory:"IPsec Driver"
# - list specific parameter: Auditpol /get /subcategory:"IPsec Driver"
#
# @link: http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx
#
# Valid values are:
#
# - "No Auditing"
# - "Not Specified"
# - "Success"
# - "Success and Failure"
# - "Failure"
#
# Further information is available at: https://msdn.microsoft.com/en-us/library/dd973859.aspx
#
# Usage:
#
# describe audit_policy do
# its('Other Account Logon Events') { should_not eq 'No Auditing' }
# end
class AuditPolicy < Vulcano.resource(1)
name 'audit_policy'
2015-07-26 20:43:24 +00:00
def method_missing(method)
key = method.to_s
# expected result:
# Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
# WIN-MB8NINQ388J,System,Kerberos Authentication Service,{0CCE9242-69AE-11D9-BED3-505054503030},No Auditing,
result ||= vulcano.command("Auditpol /get /subcategory:'#{key}' /r").stdout
2015-07-26 20:43:24 +00:00
# find line
target = nil
result.each_line {|s|
2015-07-26 20:43:24 +00:00
target = s.strip if s.match(/\b.*#{key}.*\b/)
}
# extract value
values = nil
unless target.nil?
2015-07-26 20:43:24 +00:00
# split csv values and return value
values = target.split(',')[4]
end
values
2015-07-26 20:43:24 +00:00
end
2015-07-26 20:43:24 +00:00
def to_s
'Windows Advanced Auditing'
end
end