CHEF-7694 (CHEF-8271) : Fix security_policy resource returns array for non comma separated values (#6838)

* Adds unit test for more security policies Signed-off-by: Vasu1105 <vasundhara.jagdale@progress.com> * Fix for secuity_policy resource failing if policy includes single value in string format it returns array instead of string Signed-off-by: Vasu1105 <vasundhara.jagdale@progress.com> * Update code comments Signed-off-by: Vasu1105 <vasundhara.jagdale@progress.com> --------- Signed-off-by: Vasu1105 <vasundhara.jagdale@progress.com>
2024-11-10 07:04:15 +00:00 · 2023-11-08 13:16:36 +00:00 · 2023-11-08 13:16:36 +00:00 · ed033b9ac2
commit ed033b9ac2
parent f6f553981e
3 changed files with 19 additions and 2 deletions
--- a/lib/inspec/resources/security_policy.rb
+++ b/lib/inspec/resources/security_policy.rb
@ -169,9 +169,14 @@ module Inspec::Resources
      # special handling for string values with "
      elsif !(m = /^\"(.*)\"$/.match(val)).nil?
        m[1]
+      # We get some values of Registry Path as MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Setup\\RecoveryConsole\\SecurityLevel=4,0
+      # which we are not going to split as there are chances that it will break if anyone is using string comparison.
+      # In some cases privilege value which does not have corresponding SID it returns the values in comma seprated which breakes it for some of
+      # the privileges like SeServiceLogonRight as it returns array if previlege values are SID
+      elsif !key.include?("\\") && val.match(/,/)
+        val.split(",")
      else
-        # When there is Registry Values we are not spliting the value for backward compatibility
-        key.include?("\\") ? val : val.split(",")
+        val
      end
    end

--- a/test/fixtures/cmd/secedit-export
+++ b/test/fixtures/cmd/secedit-export
@ -1,7 +1,13 @@
 [System Access]
 MaximumPasswordAge = 42
+LockoutDuration = -1
+RequireLogonToChangePassword = 0
+NewAdministratorName = "Administrator"
+NewGuestName = "Guest"
 [Registry Values]
 MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
+MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"
+MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,536870912
 [Privilege Rights]
 SeUndockPrivilege = *S-1-5-32-544
 SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
--- a/test/unit/resources/security_policy_test.rb
+++ b/test/unit/resources/security_policy_test.rb
@ -12,6 +12,12 @@ describe "Inspec::Resources::SecurityPolicy" do
    _(resource.SeUndockPrivilege).must_equal ["S-1-5-32-544"]
    _(resource.SeRemoteInteractiveLogonRight).must_equal ["S-1-5-32-544", "S-1-5-32-555"]
    _(resource.SeServiceLogonRight).must_equal %w{ DB2ADMNS db2admin }
+    _(resource.LockoutDuration).must_equal "-1"
+    _(resource.send('MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount')).must_equal "1,\"10\""
+    _(resource.send('MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec')).must_equal "4,536870912"
+    _(resource.NewAdministratorName).must_equal "Administrator"
+    _(resource.NewGuestName).must_equal "Guest"
+    _(resource.RequireLogonToChangePassword).must_equal 0
    _(resource.resource_id).must_equal "Security Policy"
  end