inspec/lib/resources/security_policy.rb
ViolentOr 3c7bace964 Update security_policy resource to return Names, not SIDs (#2462)
* Added possibility to translate SID to human-readable name (using 'translate_sid: true' switch)

Signed-off-by: ViolentOr <github@violentor.me>

* fixed errors

Signed-off-by: ViolentOr <github@violentor.me>

* changed pars to opts

* renameg temp variable

Signed-off-by: ViolentOr <github@violentor.me>

* Required tests added

Signed-off-by: ViolentOr <github@violentor.me>

* fixed mistype

Signed-off-by: ViolentOr <github@violentor.me>

* should not copy-paste.

Signed-off-by: ViolentOr <github@violentor.me>

* replaced empty call with empty file

Signed-off-by: ViolentOr <github@violentor.me>

* tests fixed.

Signed-off-by: ViolentOr <github@violentor.me>

* grouped command mocks related to the security_policy resource

Signed-off-by: ViolentOr <github@violentor.me>

* bacgitend -> backend

Signed-off-by: ViolentOr <github@violentor.me>
2018-01-23 12:31:57 -08:00

181 lines
5.5 KiB
Ruby

# encoding: utf-8
# author: Christoph Hartmann
# author: Dominik Richter
#
# Security Configuration and Analysis
#
# Export local security policy:
# secedit /export /cfg secpol.cfg
#
# @link http://www.microsoft.com/en-us/download/details.aspx?id=25250
#
# In Windows, some security options are managed differently that the local GPO
# All local GPO parameters can be examined via Registry, but not all security
# parameters. Therefore we need a combination of Registry and secedit output
require 'hashie'
module Inspec::Resources
# known and supported MS privilege rights
# @see https://technet.microsoft.com/en-us/library/dd277311.aspx
# @see https://msdn.microsoft.com/en-us/library/windows/desktop/bb530716(v=vs.85).aspx
MS_PRIVILEGES_RIGHTS = [
'SeNetworkLogonRight',
'SeBackupPrivilege',
'SeChangeNotifyPrivilege',
'SeSystemtimePrivilege',
'SeCreatePagefilePrivilege',
'SeDebugPrivilege',
'SeRemoteShutdownPrivilege',
'SeAuditPrivilege',
'SeIncreaseQuotaPrivilege',
'SeIncreaseBasePriorityPrivilege',
'SeLoadDriverPrivilege',
'SeBatchLogonRight',
'SeServiceLogonRight',
'SeInteractiveLogonRight',
'SeSecurityPrivilege',
'SeSystemEnvironmentPrivilege',
'SeProfileSingleProcessPrivilege',
'SeSystemProfilePrivilege',
'SeAssignPrimaryTokenPrivilege',
'SeRestorePrivilege',
'SeShutdownPrivilege',
'SeTakeOwnershipPrivilege',
'SeUndockPrivilege',
'SeManageVolumePrivilege',
'SeRemoteInteractiveLogonRight',
'SeImpersonatePrivilege',
'SeCreateGlobalPrivilege',
'SeIncreaseWorking',
'SeTimeZonePrivilege',
'SeCreateSymbolicLinkPrivilege',
'SeDenyNetworkLogonRight', # Deny access to this computer from the network
'SeDenyInteractiveLogonRight', # Deny logon locally
'SeDenyBatchLogonRight', # Deny logon as a batch job
'SeDenyServiceLogonRight', # Deny logon as a service
'SeTcbPrivilege',
'SeMachineAccountPrivilege',
'SeCreateTokenPrivilege',
'SeCreatePermanentPrivilege',
'SeEnableDelegationPrivilege',
'SeLockMemoryPrivilege',
'SeSyncAgentPrivilege',
'SeUnsolicitedInputPrivilege',
'SeTrustedCredManAccessPrivilege',
'SeRelabelPrivilege', # the privilege to change a Windows integrity label (new to Windows Vista)
'SeDenyRemoteInteractiveLogonRight', # Deny logon through Terminal Services
].freeze
class SecurityPolicy < Inspec.resource(1)
name 'security_policy'
desc 'Use the security_policy InSpec audit resource to test security policies on the Microsoft Windows platform.'
example "
describe security_policy do
its('SeNetworkLogonRight') { should include 'S-1-5-11' }
end
describe security_policy(translate_sid: true) do
its('SeNetworkLogonRight') { should include 'NT AUTHORITY\\Authenticated Users' }
end
"
def initialize(opts = {})
@translate_sid = opts[:translate_sid] || false
end
def content
read_content
end
def params(*opts)
opts.inject(read_params) do |res, nxt|
res.respond_to?(:key) ? res[nxt] : nil
end
end
def method_missing(name)
params = read_params
return nil if params.nil?
# deep search for hash key
params.extend Hashie::Extensions::DeepFind
res = params.deep_find(name.to_s)
# return an empty array if configuration does not include rights configuration
return [] if res.nil? && MS_PRIVILEGES_RIGHTS.include?(name.to_s)
res
end
def to_s
'Security Policy'
end
private
def read_content
return @content if defined?(@content)
# using process pid to prevent any race conditions with multiple runners
export_file = "win_secpol-#{Process.pid}.cfg"
# export the security policy
cmd = inspec.command("secedit /export /cfg #{export_file}")
return nil if cmd.exit_status.to_i != 0
# store file content
cmd = inspec.command("Get-Content #{export_file}")
return skip_resource "Can't read security policy" if cmd.exit_status.to_i != 0
@content = cmd.stdout
ensure
# delete temp file
inspec.command("Remove-Item #{export_file}").exit_status.to_i
end
def read_params
return @params if defined?(@params)
return @params = {} if read_content.nil?
conf = SimpleConfig.new(
@content,
assignment_regex: /^\s*(.*)=\s*(\S*)\s*$/,
)
@params = convert_hash(conf.params)
end
# extracts the values, this methods detects:
# numbers and SIDs and optimizes them for further usage
def extract_value(val)
if val =~ /^\d+$/
val.to_i
# special handling for SID array
elsif val =~ /[,]{0,1}\*\S/
if @translate_sid
val.split(',').map { |v|
object_name = inspec.command("(New-Object System.Security.Principal.SecurityIdentifier(\"#{v.sub('*S', 'S')}\")).Translate( [System.Security.Principal.NTAccount]).Value").stdout.to_s.strip
object_name.empty? || object_name.nil? ? v.sub('*S', 'S') : object_name
}
else
val.split(',').map { |v|
v.sub('*S', 'S')
}
end
# special handling for string values with "
elsif !(m = /^\"(.*)\"$/.match(val)).nil?
m[1]
else
val
end
end
def convert_hash(hash)
new_hash = {}
hash.each do |k, v|
v.is_a?(Hash) ? value = convert_hash(v) : value = extract_value(v)
new_hash[k.strip] = value
end
new_hash
end
end
end