Adds a `user_permissions` property to list user or group permissions on a registry key, and adds a `be_inherit` matcher to check whether inheritance is enabled on the registry key

Signed-off-by: Vasu1105 <vasundhara.jagdale@chef.io>
This commit is contained in:
Vasu1105 2021-12-27 18:18:43 +05:30
parent 01bc7afc7a
commit 084bf70392
3 changed files with 59 additions and 0 deletions


@ -95,6 +95,16 @@ where `'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Schedule'` is the f
its('ProductName') { should match /^[a-zA-Z0-9\(\)\s]*2012\s[rR]2[a-zA-Z0-9\(\)\s]*$/ } its('ProductName') { should match /^[a-zA-Z0-9\(\)\s]*2012\s[rR]2[a-zA-Z0-9\(\)\s]*$/ }
end end
## Properties
### user_permissions
The `user_permissions` property returns the hash containing the list of users or groups and their registry key permissions. for e.g. `{ "NT AUTHORITY\\SYSTEM" => "FullControl", "NT AUTHORITY\\Authenticated Users" => "ReadAndExecute", "BUILTIN\\Administrators" => "FullControl" }`
its('user_permissions') { should cmp { "NT AUTHORITY\\SYSTEM" => "FullControl", "NT AUTHORITY\\Authenticated Users" => "ReadAndExecute", "BUILTIN\\Administrators" => "FullControl" } }
its('user_permissions') { should include "NT AUTHORITY\\SYSTEM"=>"FullControl" }
## Matchers ## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/). For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
@ -153,6 +163,12 @@ The `name` matcher tests the value for the specified registry setting:
its('name') { should eq 'value' } its('name') { should eq 'value' }
### be_inherit
The `be_inherit` matcher returns the `Boolean`. It will return `true` if registry key has inheritance enabled.
it { should be_inherit }
**Warning**: Any name with a dot will not work as expected: <code>its('explorer.exe') { should eq 'test' }</code>. For details, see <a href="https://github.com/inspec/inspec/issues/1281">https://github.com/inspec/inspec/issues/1281</a> **Warning**: Any name with a dot will not work as expected: <code>its('explorer.exe') { should eq 'test' }</code>. For details, see <a href="https://github.com/inspec/inspec/issues/1281">https://github.com/inspec/inspec/issues/1281</a>
# instead of: # instead of:


@ -105,6 +105,21 @@ module Inspec::Resources
children_keys(@options[:path], filter) children_keys(@options[:path], filter)
end end
# returns hash containing users / groups and their permission
def user_permissions
return {} unless exists?
get_permissions(@options[:path])
end
# returns true if inheritance is enabled for registry key.
def inherit?
return false unless exists?
cmd = inspec.command("(Get-Acl -Path 'Registry::#{@options[:path]}').access| Where-Object {$_.IsInherited -eq $true} | measure | % { $_.Count }")
cmd.stdout.chomp == "0" ? false : true
end
# returns nil, if not existent or value # returns nil, if not existent or value
def method_missing(*keys) def method_missing(*keys)
# allow the use of array syntax in an `its` block so that users # allow the use of array syntax in an `its` block so that users
@ -283,6 +298,21 @@ module Inspec::Resources
key.start_with?("\\") ? key : "\\#{key}" key.start_with?("\\") ? key : "\\#{key}"
end end
def get_permissions(path)
script = <<~EOH
$path = '#{path}'
$Acl = Get-Acl -Path ('Registry::' + $path)
$Result = foreach ($Access in $acl.Access) {
[PSCustomObject]@{
$Access.IdentityReference = $Access.RegistryRights.ToString()
}
}
$Result | ConvertTo-Json
EOH
result = inspec.powershell(script)
JSON.load(result.stdout).inject(&:merge) unless result.stdout.empty?
end
end end
class WindowsRegistryKey < RegistryKey class WindowsRegistryKey < RegistryKey
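Review bot: `inherit?` in the first hunk reports `true` for any stdout other than `0`, including the empty stdout of a failed `Get-Acl`, so a key the agent cannot read or a broken command is reported as "inheritance enabled"; guard on the exit status instead, `cmd.exit_status == 0 && cmd.stdout.chomp != "0"`, which also replaces the `? false : true` ternary. In both `inherit?` and `get_permissions` the key path is spliced into a single-quoted PowerShell literal, so a `'` in the path terminates the literal; doubling it with `path.gsub("'", "''")` before interpolation keeps the path inside the string. The merged hash in `get_permissions` keeps only `RegistryRights` and discards `AccessControlType`, so a Deny ACE is reported exactly like an Allow ACE and a second ACE for the same identity silently overwrites the first, which is misleading for a property meant to audit permissions; keying each entry by identity plus control type, or returning the list of ACEs, avoids that. `JSON.load` has historically defaulted to `create_additions`, so `JSON.parse(result.stdout)` is the right call for command output, and when `$Result` holds a single ACE, `ConvertTo-Json` on the pipeline most likely emits one object rather than an array, which would make `inject(&:merge)` raise — passing the array via `-InputObject`, or handling a Hash result in Ruby, is worth confirming. The enclosing `RegistryKey` class starts outside both hunks.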


@ -36,4 +36,17 @@ describe "Inspec::Resources::RegistryKey" do
_(resource.send(:generate_registry_key_path_from_options)).must_equal 'my_hive\\key_with_no_slash' _(resource.send(:generate_registry_key_path_from_options)).must_equal 'my_hive\\key_with_no_slash'
end end
it "returns inherit and user permissions values" do
resource = MockLoader.new(:windows).load_resource("registry_key", 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Schedule')
resource.stubs(:exist?).returns(true)
resource.stubs(:user_permissions).returns({ "NT AUTHORITY\\SYSTEM" => "FullControl", "NT AUTHORITY\\Authenticated Users" => "ReadAndExecute", "BUILTIN\\Administrators" => "FullControl" })
_(resource.user_permissions).must_equal({ "NT AUTHORITY\\SYSTEM" => "FullControl", "NT AUTHORITY\\Authenticated Users" => "ReadAndExecute", "BUILTIN\\Administrators" => "FullControl" })
end
it "returns true if file has inherit enabled on Windows." do
resource = MockLoader.new(:windows).load_resource("registry_key", 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Schedule')
resource.stubs(:exist?).returns(true)
resource.stubs(:inherit?).returns(true)
_(resource.inherit?).must_equal true
end
end end
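Review bot: Both new tests stub the method they then assert on (`resource.stubs(:user_permissions).returns(...)` followed by `_(resource.user_permissions).must_equal(...)`, and likewise for `inherit?`), so they pass without executing a line of `user_permissions`, `inherit?` or `get_permissions`. The `resource.stubs(:exist?)` calls also do not match the `exists?` guard used in the resource, so they have no effect either. Stub one level lower instead, `resource.stubs(:exists?).returns(true)` plus a stubbed `inspec.powershell` / `inspec.command` result whose stdout is fixed JSON or `0` (or a mock-command entry, if MockLoader supports one), and assert on the parsed hash and boolean the real methods produce. The description `returns true if file has inherit enabled on Windows.` should also say registry key rather than file.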