powershell

Use the powershell InSpec audit resource to test a Powershell script on the Windows platform.

Syntax

A powershell resource block declares a Powershell script to be tested, and then compares the output of that command to the matcher in the test:

script = <<-EOH
  # a PowerShell script
EOH

describe powershell(script) do
  its('matcher') { should eq 'output' }
end

where

  • 'script' must specify a Powershell script to be run
  • 'matcher' is one of exit_status, stderr, or stdout
  • 'output' tests the output of the command run on the system versus the output value stated in the test

Matchers

This InSpec audit resource has the following matchers:

be

Use the be matcher to use a comparison operator—= (equal to), > (greater than), < (less than), >= (greater than or equal to), and <= (less than or equal to)—to compare two values: its('value') { should be >= value }, its('value') { should be < value }, and so on.

cmp

Use the cmp matcher compare two values, such as comparing strings to numbers, comparing a single value to an array of values, comparing an array of strings to a regular expression, improving the printing of octal values, and comparing while ignoring case sensitivity.

Compare a single value to an array:

describe some_resource do
  its('users') { should cmp 'root' }
  its('users') { should cmp ['root'] }
end

Compare strings and regular expressions:

describe some_resource do
  its('setting') { should cmp /raw/i }
end

Compare strings and numbers:

describe some_resource do
  its('setting') { should eq '2' }
end

vs:

describe some_resource do
  its('setting') { should cmp '2' }
  its('setting') { should cmp 2 }
end

Ignoring case sensitivity:

describe some_resource do
  its('setting') { should cmp 'raw' }
  its('setting') { should cmp 'RAW' }
end

Printing octal values:

describe some_resource('/proc/cpuinfo') do
  its('mode') { should cmp '0345' }
end

expected: 0345
got: 0444

eq

Use the eq matcher to test the equality of two values: its('Port') { should eq '22' }.

Using its('Port') { should eq 22 } will fail because 22 is not a string value! Use the cmp matcher for less restrictive value comparisons.

exit_status

The exit_status matcher tests the exit status for the command:

its('exit_status') { should eq 123 }

include

Use the include matcher to verify that a string value is included in a list: its('list') { should include 'string' }.

match

Use the match matcher to check if a string matches a regular expression: its('string') { should_not match /regex/ }.

stderr

The stderr matcher tests results of the command as returned in standard error (stderr):

its('stderr') { should eq 'error' }

stdout

The stdout matcher tests results of the command as returned in standard output (stdout):

its('stdout') { should eq '/^1$/' }

Examples

The following examples show how to use this InSpec audit resource.

Get all groups of Administrator user

script = <<-EOH
  # find user
  $user = Get-WmiObject Win32_UserAccount -filter "Name = 'Administrator'"
  # get related groups
  $groups = $user.GetRelated('Win32_Group') | Select-Object -Property Caption, Domain, Name, LocalAccount, SID, SIDType, Status
  $groups | ConvertTo-Json
EOH

describe powershell(script) do
  its('stdout') { should_not eq '' }
end

Write-Output ‘hello’

The following Powershell script:

script = <<-EOH
  Write-Output 'hello'
EOH

can be tested in the following ways.

For a newline:

describe powershell(script) do
  its('stdout') { should eq "hello\r\n" }
  its('stderr') { should eq '' }
end

Removing whitespace \r\n from stdout:

describe powershell(script) do
  its('strip') { should eq "hello" }
end

No newline:

describe powershell("'hello' | Write-Host -NoNewLine") do
  its('stdout') { should eq 'hello' }
  its('stderr') { should eq '' }
end