Class: Inspec::Resources::WindowsUser
Overview
This optimization was inspired by Alternative solutions are WMI Win32_UserAccount
Instance Attribute Summary
Attributes inherited from UserInfo
#inspec
Instance Method Summary
collapse
Methods inherited from UserInfo
#initialize, #user_details
Methods included from Converter
#convert_to_i, to_boolean
Instance Method Details
#collect_user_details ⇒ Object
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
|
# File 'lib/inspec/resources/users.rb', line 747
def collect_user_details return @users_cache if defined?(@users_cache)
script = <<~EOH
Function ConvertTo-SID { Param([byte[]]$BinarySID)
(New-Object System.Security.Principal.SecurityIdentifier($BinarySID,0)).Value
}
Function Convert-UserFlag { Param ($UserFlag)
$List = @()
Switch ($UserFlag) {
($UserFlag -BOR 0x0001) { $List += 'SCRIPT' }
($UserFlag -BOR 0x0002) { $List += 'ACCOUNTDISABLE' }
($UserFlag -BOR 0x0008) { $List += 'HOMEDIR_REQUIRED' }
($UserFlag -BOR 0x0010) { $List += 'LOCKOUT' }
($UserFlag -BOR 0x0020) { $List += 'PASSWD_NOTREQD' }
($UserFlag -BOR 0x0040) { $List += 'PASSWD_CANT_CHANGE' }
($UserFlag -BOR 0x0080) { $List += 'ENCRYPTED_TEXT_PWD_ALLOWED' }
($UserFlag -BOR 0x0100) { $List += 'TEMP_DUPLICATE_ACCOUNT' }
($UserFlag -BOR 0x0200) { $List += 'NORMAL_ACCOUNT' }
($UserFlag -BOR 0x0800) { $List += 'INTERDOMAIN_TRUST_ACCOUNT' }
($UserFlag -BOR 0x1000) { $List += 'WORKSTATION_TRUST_ACCOUNT' }
($UserFlag -BOR 0x2000) { $List += 'SERVER_TRUST_ACCOUNT' }
($UserFlag -BOR 0x10000) { $List += 'DONT_EXPIRE_PASSWORD' }
($UserFlag -BOR 0x20000) { $List += 'MNS_LOGON_ACCOUNT' }
($UserFlag -BOR 0x40000) { $List += 'SMARTCARD_REQUIRED' }
($UserFlag -BOR 0x80000) { $List += 'TRUSTED_FOR_DELEGATION' }
($UserFlag -BOR 0x100000) { $List += 'NOT_DELEGATED' }
($UserFlag -BOR 0x200000) { $List += 'USE_DES_KEY_ONLY' }
($UserFlag -BOR 0x400000) { $List += 'DONT_REQ_PREAUTH' }
($UserFlag -BOR 0x800000) { $List += 'PASSWORD_EXPIRED' }
($UserFlag -BOR 0x1000000) { $List += 'TRUSTED_TO_AUTH_FOR_DELEGATION' }
($UserFlag -BOR 0x04000000) { $List += 'PARTIAL_SECRETS_ACCOUNT' }
}
$List
}
$Computername = $Env:Computername
$adsi = [ADSI]"WinNT://$Computername"
$adsi.Children | where {$_.SchemaClassName -eq 'user'} | ForEach {
New-Object PSObject -property @{
uid = ConvertTo-SID -BinarySID $_.ObjectSID[0]
username = $_.Name[0]
description = $_.Description[0]
disabled = $_.AccountDisabled[0]
userflags = Convert-UserFlag -UserFlag $_.UserFlags[0]
passwordage = [math]::Round($_.PasswordAge[0]/86400)
minpasswordlength = $_.MinPasswordLength[0]
mindays = [math]::Round($_.MinPasswordAge[0]/86400)
maxdays = [math]::Round($_.MaxPasswordAge[0]/86400)
warndays = $null
badpasswordattempts = $_.BadPasswordAttempts[0]
maxbadpasswords = $_.MaxBadPasswordsAllowed[0]
gid = $null
group = $null
groups = @($_.Groups() | Foreach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
home = $_.HomeDirectory[0]
shell = $null
domain = $Computername
lastlogin = if($_.lastlogin.getType().Tostring() -eq "System.Management.Automation.PSMethod" ){ $null }else{[String]$_.lastlogin}
}
} | ConvertTo-Json
EOH
cmd = inspec.powershell(script)
begin
users = JSON.parse(cmd.stdout)
rescue JSON::ParserError => _e
return nil
end
users = [users] unless users.is_a?(Array)
@users_cache = users.map { |user| user.each_with_object({}) { |(k, v), h| h[k.to_sym] = v } }
end
|
#credentials(username) ⇒ Object
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
|
# File 'lib/inspec/resources/users.rb', line 726
def credentials(username)
res = identity(username)
return if res.nil?
{
mindays: res[:mindays],
maxdays: res[:maxdays],
warndays: res[:warndays],
badpasswordattempts: res[:badpasswordattempts],
maxbadpasswords: res[:maxbadpasswords],
minpasswordlength: res[:minpasswordlength],
passwordage: res[:passwordage],
}
end
|
#identity(username) ⇒ Object
703
704
705
706
707
708
709
710
|
# File 'lib/inspec/resources/users.rb', line 703
def identity(username)
name, _domain = parse_windows_account(username)
return if collect_user_details.nil?
res = collect_user_details.select { |user| user[:username].casecmp? name }
res[0] unless res.empty?
end
|
#list_users ⇒ Object
742
743
744
|
# File 'lib/inspec/resources/users.rb', line 742
def list_users
collect_user_details.map { |user| user[:username] }
end
|
712
713
714
715
716
717
718
719
720
721
722
723
724
|
# File 'lib/inspec/resources/users.rb', line 712
def meta_info(username)
res = identity(username)
return if res.nil?
{
home: res[:home],
shell: res[:shell],
domain: res[:domain],
userflags: res[:userflags],
lastlogin: res[:lastlogin],
}
end
|
#parse_windows_account(username) ⇒ Object
696
697
698
699
700
701
|
# File 'lib/inspec/resources/users.rb', line 696
def parse_windows_account(username)
account = username.split("\\")
name = account.pop
domain = account.pop unless account.empty?
[name, domain]
end
|