# encoding: utf-8
# author: Christoph Hartmann
# author: Dominik Richter
#
# Security Configuration and Analysis
#
# Export local security policy:
# secedit /export /cfg secpol.cfg
#
# @link http://www.microsoft.com/en-us/download/details.aspx?id=25250
#
# In Windows, some security options are managed differently than the local GPO
# All local GPO parameters can be examined via Registry, but not all security
# parameters. Therefore we need a combination of Registry and secedit output
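class SecurityPolicy < Inspec.resource(1)
  name 'security_policy'
  desc 'Use the security_policy InSpec audit resource to test security policies on the Microsoft Windows platform.'
  example "
    describe security_policy do
      its('SeNetworkLogonRight') { should eq '*S-1-5-11' }
    end
  "

  # Name of the temporary file secedit exports the policy to. It is a fixed,
  # relative path, so it presumably lands in the working directory of the
  # shell running the command (verify on the target); load removes it again
  # in its ensure block.
  EXPORT_FILE = 'win_secpol.cfg'.freeze

  # Extracts the right-hand side of an exported `Key = value` line.
  VALUE_RE = /[=]{1}\s*(?<value>.*)/

  def initialize
    @loaded = false      # true once load has read the policy
    @policy = nil        # raw exported policy text after a successful load
    @exit_status = nil   # exit status of the last secedit / Get-Content run
  end

  # Exports the local security policy with secedit and reads it back.
  #
  # Both commands run through `inspec.command`; the first non-zero exit
  # status aborts the load and leaves @policy untouched. The export file is
  # always removed afterwards, whichever path is taken.
  #
  # @return [SecurityPolicy, nil] self when the policy was read, nil on failure
  def load
    # export the security policy
    cmd = inspec.command("secedit /export /cfg #{EXPORT_FILE}")
    @exit_status = cmd.exit_status.to_i
    return nil if @exit_status != 0

    # store file content
    cmd = inspec.command("Get-Content #{EXPORT_FILE}")
    @exit_status = cmd.exit_status.to_i
    return nil if @exit_status != 0

    @policy = cmd.stdout
    @loaded = true
    self
  ensure
    # delete temp file; cleanup is best effort, its exit status is not checked
    inspec.command("Remove-Item #{EXPORT_FILE}").exit_status.to_i
  end

  # Resolves `security_policy.<Key>` (as used by `its('SeNetworkLogonRight')`)
  # by scanning the exported policy for a `Key = value` line.
  #
  # @param method [Symbol, String] the policy key to look up
  # @return [Integer, String, nil] the value, converted to Integer when it is
  #   purely numeric; nil when the key is absent or the policy could not be
  #   loaded
  def method_missing(method, *_args)
    # load data if needed
    load unless @loaded
    # a failed load leaves @policy nil; previously this raised NoMethodError
    # on each_line, now the key is reported as not available instead
    return nil if @policy.nil?

    # find line with key; the key is taken from a method name, so escape it
    # before interpolating it into the pattern
    key = Regexp.escape(method.to_s)
    line_re = /^\s*#{key}\s*=\s*(.*)\b/
    # when a key occurs more than once the last matching line wins
    target = @policy.each_line.select { |line| line =~ line_re }.last.to_s.strip

    # extract variable value
    result = target.match(VALUE_RE)
    # TODO: we may need to return skip or failure if the
    # requested value is not available
    return nil if result.nil?

    val = result[:value]
    # \A..\z anchors the whole value (^..$ would only anchor a line)
    val =~ /\A\d+\z/ ? val.to_i : val
  end

  def to_s
    'Security Policy'
  end
end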