class Inspec::Resources::SecurityPolicy

Public Class Methods

new(opts = {}) click to toggle source
# File lib/inspec/resources/security_policy.rb, line 83
# Builds the resource.
#
# @param opts [Hash] resource options; only :translate_sid is read here
def initialize(opts = {})
  # When truthy, extract_value resolves each SID entry to an account name by
  # running a PowerShell command on the target; otherwise SIDs are kept as-is.
  sid_option = opts[:translate_sid]
  @translate_sid = sid_option ? sid_option : false
end

Public Instance Methods

content() click to toggle source
# File lib/inspec/resources/security_policy.rb, line 87
# Raw text of the exported security policy, exactly as read_content returns
# it (so nil when the export command reported a non-zero exit status).
def content
  raw_policy = read_content
  raw_policy
end
method_missing(name) click to toggle source
# File lib/inspec/resources/security_policy.rb, line 97
# Resolves any otherwise-undefined method name as a policy setting name.
#
# The name is searched for at any depth of the parsed policy hash.
# NOTE(review): a name that is not present in the policy falls through to the
# last line and yields nil instead of raising, so a misspelled setting in a
# control is indistinguishable from an unset one; worth confirming that
# callers account for this.
#
# @param name [Symbol, String] setting name to look up
# @return [Object, Array, nil] the stored value, [] for an absent name listed
#   in MS_PRIVILEGES_RIGHTS, nil otherwise
def method_missing(name)
  policy = read_params
  return nil if policy.nil?

  setting = name.to_s

  # Hashie's DeepFind is mixed into this one hash instance to get deep_find.
  policy.extend Hashie::Extensions::DeepFind
  found = policy.deep_find(setting)
  return found unless found.nil?

  # A name from MS_PRIVILEGES_RIGHTS that is missing from the export is
  # reported as an empty list rather than nil.
  MS_PRIVILEGES_RIGHTS.include?(setting) ? [] : nil
end
params(*opts) click to toggle source
# File lib/inspec/resources/security_policy.rb, line 91
# Walks the parsed policy hash along the given key path.
#
# With no arguments the whole parsed hash is returned. As soon as a step
# lands on something that does not respond to :key, the result becomes nil
# and stays nil for the remaining steps.
#
# @param opts [Array] successive keys, outermost first
# @return [Object, nil] the value at the end of the path, or nil
def params(*opts)
  node = read_params
  opts.each do |segment|
    node = node.respond_to?(:key) ? node[segment] : nil
  end
  node
end
to_s() click to toggle source
# File lib/inspec/resources/security_policy.rb, line 111
def to_s
  "Security Policy"
end

Private Instance Methods

convert_hash(hash) click to toggle source
# File lib/inspec/resources/security_policy.rb, line 174
# Returns a copy of the parsed policy hash with normalised keys and values.
#
# Keys are stripped of surrounding whitespace; nested hashes are converted
# recursively and every other value goes through extract_value. Note that
# extract_value receives the key as it was parsed, before stripping, and that
# two keys differing only in surrounding whitespace collapse into one entry
# (the later one wins).
#
# @param hash [Hash] section/key structure of the parsed policy
# @return [Hash] new hash; the input is not modified
def convert_hash(hash)
  hash.each_with_object({}) do |(raw_key, raw_val), converted|
    cleaned = raw_val.is_a?(Hash) ? convert_hash(raw_val) : extract_value(raw_key, raw_val)
    converted[raw_key.strip] = cleaned
  end
end
extract_value(key, val) click to toggle source

Extracts the values. This method detects numbers and SIDs and optimizes them for further use.

# File lib/inspec/resources/security_policy.rb, line 150
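# Normalises one raw value from the exported policy file.
#
# * all-digit values become Integers
# * values containing "*" followed by a non-space character are treated as a
#   comma-separated SID list; the leading "*" of each "*S..." entry is dropped
#   and, when @translate_sid is set, well-formed SIDs are resolved to account
#   names on the target
# * values wrapped in double quotes lose the quotes
# * anything else is split on "," unless the key contains a backslash
#
# @param key [String] setting name as parsed (used only for the backslash test)
# @param val [String] raw value text
# @return [Integer, Array<String>, String]
def extract_value(key, val)
  if val =~ /^\d+$/
    val.to_i
  # special handling for SID array
  elsif val =~ /[,]{0,1}\*\S/
    # The list text comes from the scanned host and each entry is placed
    # inside a PowerShell command string, so only entries that are strictly
    # "S-<digits>-<digits>..." are ever interpolated. Everything else (account
    # names, malformed text) is returned untranslated, which is also what a
    # failed lookup yields.
    sid_shape = /\AS-\d+(?:-\d+)+\z/
    val.split(",").map do |entry|
      sid = entry.sub("*S", "S")
      next sid unless @translate_sid && sid =~ sid_shape

      object_name = inspec.command("(New-Object System.Security.Principal.SecurityIdentifier(\"#{sid}\")).Translate( [System.Security.Principal.NTAccount]).Value").stdout.to_s.strip
      # Empty output means the lookup produced no name; keep the SID.
      object_name.empty? ? sid : object_name
    end
  # special handling for string values with "
  elsif !(m = /^\"(.*)\"$/.match(val)).nil?
    m[1]
  else
    # Registry values (key contains a backslash) are not split, for backward
    # compatibility.
    key.include?("\\") ? val : val.split(",")
  end
end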
read_content() click to toggle source
# File lib/inspec/resources/security_policy.rb, line 117
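# Exports the local security policy on the target and returns its text.
#
# The result is memoised in @content. The export is written to a file whose
# name embeds this process's pid, read back with Get-Content and then deleted.
#
# NOTE(review): the export file name is relative and predictable, so it lands
# in whatever directory the remote command runs in, and it holds the full
# policy export until the cleanup command runs. The cleanup result is ignored.
#
# @return [String, nil] policy text; nil when secedit reports a non-zero exit
#   status; the return value of skip_resource when the file cannot be read
def read_content
  return @content if defined?(@content)

  # using process pid to prevent any race conditions with multiple runners
  export_file = "win_secpol-#{Process.pid}.cfg"

  # export the security policy
  cmd = inspec.command("secedit /export /cfg #{export_file}")
  return nil if cmd.exit_status.to_i != 0

  # store file content
  cmd = inspec.command("Get-Content #{export_file}")
  return skip_resource "Can't read security policy" if cmd.exit_status.to_i != 0

  @content = cmd.stdout
ensure
  # delete temp file. The ensure clause also runs for the memoised early
  # return above, where export_file is still nil; without the guard that path
  # issued a "Remove-Item " command with no file name on every cached read.
  # exit_status is still read as in the original (presumably it is what makes
  # the command actually run; confirm before dropping it).
  inspec.command("Remove-Item #{export_file}").exit_status.to_i if export_file
end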
read_params() click to toggle source
# File lib/inspec/resources/security_policy.rb, line 137
# Parses the exported policy text into a nested hash, memoised in @params.
#
# When read_content returns nil the result is an empty hash (also memoised).
# Otherwise @content is parsed by SimpleConfig with a custom assignment
# pattern and the resulting params are normalised by convert_hash.
# NOTE(review): the pattern captures the value as a run of non-whitespace
# characters only; how SimpleConfig treats lines that do not match is not
# visible here.
#
# @return [Hash]
def read_params
  if defined?(@params)
    @params
  elsif read_content.nil?
    @params = {}
  else
    parsed = SimpleConfig.new(
      @content,
      assignment_regex: /^\s*(.*)=\s*(\S*)\s*$/
    )
    @params = convert_hash(parsed.params)
  end
end