@anthonygrees
Created February 23, 2018 05:01
# encoding: utf-8
# InSpec test for recipe windows_kitchen::default
# The InSpec reference, with examples and extensive documentation, can be
# found at http://inspec.io/docs/reference/resources/
####
# 1. Check whether a given application can be launched (e.g. Acrobat Reader launches
# without errors)
# - Upon completion of new hardware imaging, check that the correct version of the Windows 10 OS is installed
# - When a new Office version is installed
# - Multiple applications can be launched and opened concurrently.
script = <<-EOH
# Open Internet Explorer
$Browser = "C:\\Program Files\\Internet Explorer\\iexplore.exe"
Start-Process $Browser
EOH
describe powershell(script) do
its('stdout') { should eq '' }
its('stderr') { should eq '' }
end
####
# 2.Check status of the hardware drivers
# - Launch “Device Manager” in Windows Control Panel and check if all device drivers are installed
# properly
# Get-WmiObject Win32_PnPSignedDriver| select devicename, driverversion | where {$_.devicename -like "*nvidia*"}
script = <<-EOH
# Find a specific Device Name and Version
Get-WmiObject Win32_PnPSignedDriver| select devicename, driverversion, ConfigManagerErrorCode | where {$_.devicename -like "*Volume Manager*"}
EOH
describe powershell(script) do
its('stdout') { should include "Volume Manager" }
its('stderr') { should eq '' }
end
####
# 3. No missing drivers in Device Manager
# - Launch “Device Manager” in Windows Control Panel and ensure there are no errors or exclamation
# marks on any device.
## Error Codes https://msdn.microsoft.com/en-us/library/aa394353(v=vs.85).aspx
script = <<-EOH
# Find any matching device with a non-zero ConfigManagerErrorCode
Get-WmiObject Win32_PNPEntity | Where-Object {$_.name -like "*Volume Manager*" -and $_.ConfigManagerErrorCode -ne 0} | Select Name, DeviceID
EOH
## ConfigManagerErrorCode = 0 (No error.) - the device must not appear in the error listing
describe powershell(script) do
its('stdout') { should_not include 'Volume Manager' }
its('stderr') { should eq '' }
end
## ConfigManagerErrorCode = 28 (Device drivers are not installed.)
script = <<-EOH
# Find any matching device with a non-zero ConfigManagerErrorCode
Get-WmiObject Win32_PNPEntity | Where-Object {$_.name -like "*Multimedia Audio Controller*" -and $_.ConfigManagerErrorCode -ne 0} | Select Name, DeviceID
EOH
describe powershell(script) do
its('stdout') { should_not include 'Multimedia Audio Controller' }
its('stderr') { should eq '' }
end
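The two driver checks above only tell you that a named device is (or is not) in an error state. As an added example, not part of the gist, the plain-Ruby script below parses the CSV form of the same Win32_PNPEntity query (`... | ConvertTo-Csv -NoTypeInformation`) and reports every problem device with its error code and meaning, which is the BEFORE/AFTER comparison section 4 asks for. The sample output, device names and IDs are constructed; the error-code table is a small subset of the MSDN list linked above.

```ruby
require 'csv'

# Constructed sample of what
#   Get-WmiObject Win32_PNPEntity | Select Name, DeviceID, ConfigManagerErrorCode | ConvertTo-Csv -NoTypeInformation
# prints on a client with two problem devices. Names, IDs and codes are made up for illustration.
SAMPLE_PNP_CSV = <<~SAMPLE
  "Name","DeviceID","ConfigManagerErrorCode"
  "Volume Manager","ROOT\\VOLMGR\\0000","0"
  "Multimedia Audio Controller","PCI\\VEN_0000&DEV_0000\\PLACEHOLDER","28"
  "Ethernet Controller","PCI\\VEN_0000&DEV_0001\\PLACEHOLDER","0"
  "Unknown device","ACPI\\PLACEHOLDER\\1","43"
SAMPLE

# Subset of the ConfigManagerErrorCode values documented in the MSDN list linked in the gist.
CONFIG_MANAGER_ERRORS = {
  0  => 'No error.',
  22 => 'This device is disabled.',
  28 => 'The drivers for this device are not installed.',
  43 => 'Windows has stopped this device because it has reported problems.'
}.freeze

# Turn the CSV text into an array of hashes with an integer error code.
def parse_pnp_csv(text)
  CSV.parse(text, headers: true).map do |row|
    { name: row['Name'], device_id: row['DeviceID'],
      error_code: Integer(row['ConfigManagerErrorCode']) }
  end
end

def describe_error(code)
  CONFIG_MANAGER_ERRORS.fetch(code) { "Unlisted ConfigManagerErrorCode #{code}" }
end

# Devices whose ConfigManagerErrorCode is anything other than 0 (the "no error" state).
def devices_with_errors(devices)
  devices.reject { |d| d[:error_code].zero? }
end

# The same question the InSpec checks above ask: does any device matching the pattern have an error?
def driver_problem?(text, name_pattern)
  devices_with_errors(parse_pnp_csv(text)).any? { |d| d[:name].match?(name_pattern) }
end

# One line per problem device, suitable for diffing a pre-patch and post-patch capture.
def driver_report(text)
  devices_with_errors(parse_pnp_csv(text)).map do |d|
    "#{d[:name]} (#{d[:device_id]}): code #{d[:error_code]} - #{describe_error(d[:error_code])}"
  end
end

puts driver_report(SAMPLE_PNP_CSV) if $PROGRAM_NAME == __FILE__
```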
####
# 4. Compliance of the OS settings on the Windows client
# - Check and verify that the Group Policy settings (GPO) from the CIS Windows 10 1703 benchmark
# are being applied
# - When the new monthly Windows security patch is applied to the current image, check that the new
# patches were applied successfully. Where possible, show the status BEFORE and AFTER the patch
# for comparison and highlight any errors.
control "xccdf_org.cisecurity.benchmarks_rule_18.8.18.3_L1_Ensure_Configure_registry_policy_processing_Process_even_if_the_Group_Policy_objects_have_not_changed_is_set_to_Enabled_TRUE" do
title "(L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'"
desc "
The \"Process even if the Group Policy objects have not changed\" option updates and reapplies policies even if the policies have not changed.
The recommended state for this setting is: Enabled: TRUE (checked).
Rationale: Setting this option to true (checked) will ensure unauthorized changes that might have been configured locally are forced to match the domain-based Group Policy settings again.
"
impact 1.0
describe registry_key("HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Group Policy\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}") do
it { should have_property "NoGPOListChanges" }
end
describe registry_key("HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Group Policy\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}") do
its("NoGPOListChanges") { should cmp == 0 }
end
end
control "xccdf_org.cisecurity.benchmarks_rule_18.8.18.4_L1_Ensure_Turn_off_background_refresh_of_Group_Policy_is_set_to_Disabled" do
title "(L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'"
desc "
This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users and domain controllers.
The recommended state for this setting is: Disabled.
Rationale: Setting this option to false (unchecked) will ensure that group policy changes take effect more quickly, as compared to waiting until the next user logon or system restart.
"
impact 1.0
describe registry_key("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") do
it { should_not have_property "DisableBkGndGroupPolicy" }
end
end