wmi

Use the wmi InSpec audit resource to test WMI settings on the Windows platform.

Syntax

A wmi resource block tests WMI settings on the Windows platform:

describe wmi({
  class: 'class_name'
  namespace: 'path\\to\\setting'
  filter: 'filter'
  query: 'query'
}) do
  its('setting_name') { should eq '' }
end

where

  • class, namespace, filter, and query comprise a Ruby Hash of the WMI object
  • ('class') is the WMI class to which the setting belongs, such as win32_service
  • ('namespace') is path to that object, such as root\\cimv2
  • Use ('filter') fine-tune the information defined by the WMI class, such as to find a specific service (filter: "name like '%winrm%'"), to find a specific setting (filter: 'KeyName = \'MinimumPasswordAge\' And precedence=1'), and so on
  • Use ('query') to run a query that returns data to be tested, such as "SELECT Setting FROM RSOP_SecuritySettingBoolean WHERE KeyName='LSAAnonymousNameLookup' AND Precedence=1"
  • ('setting_name') is a setting in the WMI object to be tested, and then should eq '' is the expected value for that setting

For example, both of the following tests will verify if WinRM is present on the target node. The first tests if WinRM belongs to the list of services running under the win32_service class:

describe wmi({class: 'win32_service'}) do
  its('DisplayName') { should include 'Windows Remote Management (WS-Management)'}
end

and the second uses a filter in the Ruby Hash to first identify WinRM, and then perform additional tests:

describe wmi({
  class: 'win32_service',
  filter: "name like '%winrm%'"
}) do
  its('Status') { should cmp 'ok' }
  its('State') { should cmp 'Running' }
  its('ExitCode') { should cmp 0 }
  its('DisplayName') { should eq 'Windows Remote Management (WS-Management)'}
end

Matchers

This InSpec audit resource has the following matchers:

be

Use the be matcher to use a comparison operator—= (equal to), > (greater than), < (less than), >= (greater than or equal to), and <= (less than or equal to)—to compare two values: its('value') { should be >= value }, its('value') { should be < value }, and so on.

cmp

Use the cmp matcher compare two values, such as comparing strings to numbers, comparing a single value to an array of values, comparing an array of strings to a regular expression, improving the printing of octal values, and comparing while ignoring case sensitivity.

Compare a single value to an array:

describe some_resource do
  its('users') { should cmp 'root' }
  its('users') { should cmp ['root'] }
end

Compare strings and regular expressions:

describe some_resource do
  its('setting') { should cmp /raw/i }
end

Compare strings and numbers:

describe some_resource do
  its('setting') { should eq '2' }
end

vs:

describe some_resource do
  its('setting') { should cmp '2' }
  its('setting') { should cmp 2 }
end

Ignoring case sensitivity:

describe some_resource do
  its('setting') { should cmp 'raw' }
  its('setting') { should cmp 'RAW' }
end

Printing octal values:

describe some_resource('/proc/cpuinfo') do
  its('mode') { should cmp '0345' }
end

expected: 0345
got: 0444

eq

Use the eq matcher to test the equality of two values: its('Port') { should eq '22' }.

Using its('Port') { should eq 22 } will fail because 22 is not a string value! Use the cmp matcher for less restrictive value comparisons.

include

Use the include matcher to verify that a string value is included in a list: its('list') { should include 'string' }.

match

Use the match matcher to check if a string matches a regular expression: its('string') { should_not match /regex/ }.

Examples

The following examples show how to use this InSpec audit resource.

Test a password expiration policy

describe wmi({
  class: 'RSOP_SecuritySettingNumeric',
  namespace: 'root\\rsop\\computer',
  filter: 'KeyName = \'MinimumPasswordAge\' And precedence=1'
}) do
   its('Setting') { should eq 1 }
end

Test if an anonymous user can query the Local Security Authority (LSA)

describe wmi({
  namespace: 'root\rsop\computer',
  query: "SELECT Setting FROM RSOP_SecuritySettingBoolean WHERE KeyName='LSAAnonymousNameLookup' AND Precedence=1"
}) do
  its('Setting') { should eq false }
end