mirror of
https://github.com/inspec/inspec
synced 2024-09-21 06:51:56 +00:00
577688a3a0
Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the *real* changes. :)
84 lines
2.1 KiB
Ruby
84 lines
2.1 KiB
Ruby
# encoding: utf-8
|
|
# author: Christoph Hartmann
|
|
# author: Dominik Richter
|
|
#
|
|
# Security Configuration and Analysis
|
|
#
|
|
# Export local security policy:
|
|
# secedit /export /cfg secpol.cfg
|
|
#
|
|
# @link http://www.microsoft.com/en-us/download/details.aspx?id=25250
|
|
#
|
|
# In Windows, some security options are managed differently that the local GPO
|
|
# All local GPO parameters can be examined via Registry, but not all security
|
|
# parameters. Therefore we need a combination of Registry and secedit output
|
|
|
|
module Inspec::Resources
|
|
class SecurityPolicy < Inspec.resource(1)
|
|
name 'security_policy'
|
|
desc 'Use the security_policy InSpec audit resource to test security policies on the Microsoft Windows platform.'
|
|
example "
|
|
describe security_policy do
|
|
its('SeNetworkLogonRight') { should eq '*S-1-5-11' }
|
|
end
|
|
"
|
|
def initialize
|
|
@loaded = false
|
|
@policy = nil
|
|
@exit_status = nil
|
|
end
|
|
|
|
# load security content
|
|
def load
|
|
# export the security policy
|
|
cmd = inspec.command('secedit /export /cfg win_secpol.cfg')
|
|
return nil if cmd.exit_status.to_i != 0
|
|
|
|
# store file content
|
|
cmd = inspec.command('Get-Content win_secpol.cfg')
|
|
@exit_status = cmd.exit_status.to_i
|
|
return nil if @exit_status != 0
|
|
@policy = cmd.stdout
|
|
@loaded = true
|
|
|
|
# returns self
|
|
self
|
|
|
|
ensure
|
|
# delete temp file
|
|
inspec.command('Remove-Item win_secpol.cfg').exit_status.to_i
|
|
end
|
|
|
|
def method_missing(method)
|
|
# load data if needed
|
|
if @loaded == false
|
|
load
|
|
end
|
|
|
|
# find line with key
|
|
key = Regexp.escape(method.to_s)
|
|
target = ''
|
|
@policy.each_line {|s|
|
|
target = s.strip if s =~ /^\s*#{key}\s*=\s*(.*)\b/
|
|
}
|
|
|
|
# extract variable value
|
|
result = target.match(/[=]{1}\s*(?<value>.*)/)
|
|
|
|
if !result.nil?
|
|
val = result[:value]
|
|
val = val.to_i if val =~ /^\d+$/
|
|
else
|
|
# TODO: we may need to return skip or failure if the
|
|
# requested value is not available
|
|
val = nil
|
|
end
|
|
|
|
val
|
|
end
|
|
|
|
def to_s
|
|
'Security Policy'
|
|
end
|
|
end
|
|
end
|