Parse SID on security_policy

Chef InSpec
1

Is there a method to really list the SIDs of a security police and not only in one order, for example :

describe security_policy do
its('SeCreateGlobalPrivilege') { should eq (["S-1-5-32-544","S-1-5-19","S-1-5-20","S-1-5-32-544","S-1-5-6"]) }
end

["S-1-5-32-544","S-1-5-19","S-1-5-20","S-1-5-32-544","S-1-5-6"]
in this order it's fine, but if the result isn't in the same order it doesn't work.
and specialy in this example i can't enumerate all possibilities with describe.one .

I just want to know if we have something like => should eq "value1" and "value2" .
(I tried to make a regex but without convincing results) .

2

Hello -

Two thoughts on this:

  1. Possibly InSpec should sort the array of SIDs for security_policy so that people writing controls can also order their list of SIDs. I think this would be a very small change to InSpec. Or you could describe security_policy.SeCreateGlobalPrivilege.sort do in your control.
  2. You can use array union, intersection and difference operations to compare your expected SIDs with the actual security_policy. Unfortunately if your control is checking for an exact set of SIDs (no more, no less) then you need to do at least two array operations, to ensure you have all the expected SIDs and no more.
required_sids = ["S-1-5-32-544","S-1-5-19","S-1-5-20","S-1-5-32-544","S-1-5-6"]

# It has all the required SIDs
describe describe security_policy.SeCreateGlobalPrivilege & required_sids do
  it { should eq required_sids }
end

# It has no extra SIDs
describe describe security_policy.SeCreateGlobalPrivilege - required_sids do
  it { should be_empty }
end
3

Hello everybody,

Still on the same comparison issue, can we apply this to a registry key (reg_multi_sz).
because here we can't put the registry key directly in the describe so we can't compare it to a list :

path=["bla","bla","bla"]   
 describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurePipeServers\\Winreg\\AllowedExactPaths') do
            it { should have_property_value('Machine', :multi_sz, paths )} 
        end
    end

or

path=["bla","bla","bla"]
 paths.each do |path|  
        describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurePipeServers\\Winreg\\AllowedExactPaths') do
            its('Machine') { should include path } 
        end
    end

in both cases the order is mandatory and the addition of other entries in registry key is not detected