inspec/lib/resources/audit_policy.rb

# encoding: utf-8
# copyright: 2015, Vulcano Security GmbH
# author: Christoph Hartmann
# author: Dominik Richter
# license: All rights reserved

# Advanced Auditing:
# As soon as you start applying Advanced Audit Configuration Policy, legacy policies will be completely ignored.
# reference: https://technet.microsoft.com/en-us/library/cc753632.aspx
# use:
#  - list all categories: Auditpol /list /subcategory:* /r
#  - list parameters: Auditpol /get /category:"System" /subcategory:"IPsec Driver"
#  - list specific parameter: Auditpol /get /subcategory:"IPsec Driver"
#
# @link: http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx
#
# Valid values are:
#
# - "No Auditing"
# - "Not Specified"
# - "Success"
# - "Success and Failure"
# - "Failure"
#
# Further information is available at: https://msdn.microsoft.com/en-us/library/dd973859.aspx
#
# Usage:
#
# describe audit_policy do
#   its('Other Account Logon Events') { should_not eq 'No Auditing' }
# end

class AuditPolicy < Inspec.resource(1)
  name 'audit_policy'

  def method_missing(method)
    key = method.to_s

    # expected result:
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    # WIN-MB8NINQ388J,System,Kerberos Authentication Service,{0CCE9242-69AE-11D9-BED3-505054503030},No Auditing,
    result ||= inspec.command("Auditpol /get /subcategory:'#{key}' /r").stdout

    # find line
    target = nil
    result.each_line {|s|
      target = s.strip if s.match(/\b.*#{key}.*\b/)
    }

    # extract value
    values = nil
    unless target.nil?
      # split csv values and return value
      values = target.split(',')[4]
    end

    values
  end

  def to_s
    'Audit Policy'
  end
end