Parse SID on security_policy

Is there a method to really list the SIDs of a security policy and not only in one order, for example:

describe security_policy do
  its('SeCreateGlobalPrivilege') { should eq ["S-1-5-32-544","S-1-5-19","S-1-5-20","S-1-5-32-544","S-1-5-6"] }
end

In this order it's fine, but if the result isn't in the same order it doesn't work,
and especially in this example I can't enumerate all possibilities with .

I just want to know if we have something like => should eq "value1" and "value2".
(I tried to make a regex but without convincing results.)

Hello -

Two thoughts on this:

  1. Possibly InSpec should sort the array of SIDs for security_policy so that people writing controls can also order their list of SIDs. I think this would be a very small change to InSpec. Or you could describe security_policy.SeCreateGlobalPrivilege.sort do in your control.
  2. You can use array union, intersection and difference operations to compare your expected SIDs with the actual security_policy. Unfortunately if your control is checking for an exact set of SIDs (no more, no less) then you need to do at least two array operations, to ensure you have all the expected SIDs and no more.
required_sids = ["S-1-5-32-544","S-1-5-19","S-1-5-20","S-1-5-32-544","S-1-5-6"]

# It has all the required SIDs
# (both sides are sorted and de-duplicated: & keeps the policy's own order and drops repeats)
describe((security_policy.SeCreateGlobalPrivilege & required_sids).sort) do
  it { should eq required_sids.uniq.sort }
end

# It has no extra SIDs
describe(security_policy.SeCreateGlobalPrivilege - required_sids) do
  it { should be_empty }
end

Hello everybody,

Still on the same comparison issue, can we apply this to a registry key (reg_multi_sz)?
Because here we can't put the registry key directly in the describe, so we can't compare it to a list:

# paths is the expected list of entries, defined elsewhere in the control
describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurePipeServers\\Winreg\\AllowedExactPaths') do
  it { should have_property_value('Machine', :multi_sz, paths) }
end

paths.each do |path|
  describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurePipeServers\\Winreg\\AllowedExactPaths') do
    its('Machine') { should include path }
  end
end

In both cases the order is mandatory and the addition of other entries in the registry key is not detected.
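
An order-independent exact comparison that covers both the SID list and the multi_sz case discussed above, as an added example that is not part of the original thread and not InSpec's own code. `compare_exact` is a hypothetical helper in plain Ruby, and the "actual" lists are constructed sample data standing in for what the resources return; how the multi_sz value is read from `registry_key` is left to the control.

```ruby
require 'set'

# Hypothetical helper (not an InSpec API): compares two lists as sets, so
# neither order nor repeated entries matter. Reports what is missing, what
# is unexpected, and values written twice in the expected list.
def compare_exact(expected, actual, case_sensitive: true)
  norm = lambda { |v| s = v.to_s.strip; case_sensitive ? s : s.downcase }
  exp = expected.map(&norm)
  act = Array(actual).map(&norm)
  {
    missing:    (exp.uniq - act).sort,
    unexpected: (act.uniq - exp).sort,
    duplicates: exp.group_by(&:itself).select { |_, v| v.size > 1 }.keys.sort,
    exact:      Set.new(exp) == Set.new(act)
  }
end

# Expected SIDs exactly as written in the thread (note the repeated entry).
REQUIRED_SIDS = ["S-1-5-32-544", "S-1-5-19", "S-1-5-20", "S-1-5-32-544", "S-1-5-6"]

# Constructed sample results: same members in another order, and a drifted policy.
SAMPLE_REORDERED = ["S-1-5-6", "S-1-5-20", "S-1-5-19", "S-1-5-32-544"]
SAMPLE_DRIFTED   = ["S-1-5-20", "S-1-5-32-545", "S-1-5-19", "S-1-5-32-544"]

# Constructed multi_sz sample. Registry key names are case-insensitive,
# so the path comparison is done with case_sensitive: false.
EXPECTED_PATHS = ['System\\CurrentControlSet\\Control\\ProductOptions',
                  'Software\\Microsoft\\Windows NT\\CurrentVersion']
SAMPLE_PATHS   = ['software\\microsoft\\windows nt\\currentversion',
                  'System\\CurrentControlSet\\Control\\ProductOptions',
                  'System\\CurrentControlSet\\Services\\Eventlog']

# Inside a control the two-sided check from the answer becomes:
#   result = compare_exact(required_sids, security_policy.SeCreateGlobalPrivilege)
#   describe(result[:missing])    do it { should be_empty } end
#   describe(result[:unexpected]) do it { should be_empty } end

if __FILE__ == $PROGRAM_NAME
  p compare_exact(REQUIRED_SIDS, SAMPLE_REORDERED)
  p compare_exact(REQUIRED_SIDS, SAMPLE_DRIFTED)
  p compare_exact(EXPECTED_PATHS, SAMPLE_PATHS, case_sensitive: false)
end
```

Reporting `missing` and `unexpected` separately keeps the failure message readable: an extra principal holding the privilege, or an extra remotely readable registry path, shows up by name instead of as a full-array mismatch.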