inspec / inspec Goto Github PK

InSpec: Auditing and Testing Framework

License: Other

Ruby 96.92% Shell 0.64% HTML 1.86% CSS 0.07% JavaScript 0.08% Dockerfile 0.04% PowerShell 0.30% Makefile 0.04% Go 0.01% Mustache 0.02% Standard ML 0.01%

audit inspec security compliance devsec devops tdd-utilities tdd spec testing

inspec's People

Stargazers

Watchers

Forkers

srenatus justinstoller juliandunn tjsoftworks zmalone lmeyemezu lazycrazyowl higanworks stevegerick vainikkaj jeremymv2 foobarbam thomascate rbhitchcock intfrr rosskusler linearregression arothian ldesiqueira sunnyc7 mhedgpeth geofruck coderanger kaushik512 sebbrandt87 joshbrand cityhawk gitter-badger cullenmcdermott macciato2 muddasani nathenharvey jmccann spuranam paulmakl timurb tpcwang slietz blakme mychapati rogwfu anniehedgpeth agiza halltony nickrycar brentm5 pkleanthous-zz arlimus tanahlayang rojomisin kashifrashid martinheg davidcpell stratoag unixorn dispader jcii td-4242 davidwrede cvent artem-forks jonathanmorley stevenoneill dadbob johnsonjr swalberg rdepping grimm26 jerearista hj70ft tomeon robbkidd joventuraz username-is-already-taken2 jkerry kkirsche jcastillocano wing924 jvrplmlmn gstankovski yportnoy makotots jaxxstorm hanumanthvendra gscho greenantdotcom nicovs techraf enzor avii-wix scboucher trumant jbenden rx007 spiffytech chrisevett tescalada enterstudio lijoyoung nvtkaszpir

inspec's Issues

make all transport configurable and optional

Use-case:

only pull in dependencies that are required; enable minimal core library
make sure transport layer is fully modular

OS resource requires requires a Symbol not a String (wrong in docs)

Platform: Windows 10/ChefDK 0.9/InSpec 0.9 + Test Kitchen/AzureRM driver/Windows 2012 R2 Datacenter instance.

As per https://docs.chef.io/release/compliance_1-0/inspec_os.html

Input:

describe os['family'] do
  it { should eq 'windows' }
end

Outcome:

  1)  should eq "windows"
     Failure/Error: it { should eq 'windows' }

       expected: "windows"
            got: nil

       (compared using ==)

Correct usage appears to be:

describe os[:family] do
  it { should eq 'windows' }
end

Submitting a doc PR for this shortly.

run docker backend in one exec loop

support legacy backend configuration calls (rspec/serverspec)

set :backend, :ssh
RSpec.configure do |conf|
  conf.host = ...
  conf.ssh_options = ...
end

os_env not working

I used os_env but i don't get a result from it. I tested it in inspec shell

command('echo $PATH').stdout => "/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/lib/jvm/default/bin:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl\n"

os_env('PATH').content => nil

Multiple computed calls to describe aren't registered

As reported by @schisamo :

%w(
  candle.exe
  heat.exe
  light.exe
).each do |utility|
  describe file("C:/wix/#{utility}") do
    it { should be_file }
  end

This will only register one describe call, not all 3.

Can the maintainers please update the CHANGELOG.md to a good format? It also appears that the CHANGELOG.md is currently out of date -- the most current version on Rubygems is 0.9.1, and the changelog only covers to 0.8.0.

Here is a good way to do a changelog:

Release 0.1.0 YYYY/MM/DD

Initial release of example_inspec

We added a feature, here's a short description.
We added another feature.
Also we fixed this bug, rejoice!

[#25] A github style reference to github issue 25.
[#431] Another github style reference.

Readme: What is being installed?

Explain what is going on in the install instruction, what is being installed, and what the user can expect at the end.

ensure all resources do OS check

ensure all resources have a proper to_s method

directory: add globbing

the resource should cover cases like:

Dir.glob('c:/inetpub/wwwroot/**/*.htm') { |web_file|
  ..
}

update license

docker resources

    describe docker.container('busybox') do
      it { should exist }
      it { should be_running }
    end

    describe docker.image('busybox:latest') do
      it { should exist }
    end

Custom resource not available, undefined local variable or method `gordon_config`

I've followed the setup instructions... gem install, simple file with example GordonConfig. Through debugging I see that the resource is listed in the registry. However, I am seeing:

app_server_spec.rb:19:in `load': undefined local variable or method `gordon_config' for #<#<Class:0x007fb204862a78>:0x007fb204862528> (NameError)
    from /Users/aiwilliams/.rbenv/versions/2.1.6/lib/ruby/gems/2.1.0/gems/inspec-0.9.2/lib/inspec/profile_context.rb:31:in `instance_eval'
    from /Users/aiwilliams/.rbenv/versions/2.1.6/lib/ruby/gems/2.1.0/gems/inspec-0.9.2/lib/inspec/profile_context.rb:31:in `load'
    from /Users/aiwilliams/.rbenv/versions/2.1.6/lib/ruby/gems/2.1.0/gems/inspec-0.9.2/lib/inspec/runner.rb:76:in `add_content'
    from /Users/aiwilliams/.rbenv/versions/2.1.6/lib/ruby/gems/2.1.0/gems/inspec-0.9.2/lib/inspec/runner.rb:57:in `block in add_tests'
    from /Users/aiwilliams/.rbenv/versions/2.1.6/lib/ruby/gems/2.1.0/gems/inspec-0.9.2/lib/inspec/runner.rb:56:in `each'
    from /Users/aiwilliams/.rbenv/versions/2.1.6/lib/ruby/gems/2.1.0/gems/inspec-0.9.2/lib/inspec/runner.rb:56:in `add_tests'
    from /Users/aiwilliams/.rbenv/versions/2.1.6/lib/ruby/gems/2.1.0/gems/inspec-0.9.2/bin/inspec:77:in `exec'
    from /Users/aiwilliams/.rbenv/versions/2.1.6/lib/ruby/gems/2.1.0/gems/thor-0.19.1/lib/thor/command.rb:27:in `run'
    from /Users/aiwilliams/.rbenv/versions/2.1.6/lib/ruby/gems/2.1.0/gems/thor-0.19.1/lib/thor/invocation.rb:126:in `invoke_command'
    from /Users/aiwilliams/.rbenv/versions/2.1.6/lib/ruby/gems/2.1.0/gems/thor-0.19.1/lib/thor.rb:359:in `dispatch'
    from /Users/aiwilliams/.rbenv/versions/2.1.6/lib/ruby/gems/2.1.0/gems/thor-0.19.1/lib/thor/base.rb:440:in `start'
    from /Users/aiwilliams/.rbenv/versions/2.1.6/lib/ruby/gems/2.1.0/gems/inspec-0.9.2/bin/inspec:109:in `<top (required)>'
    from /Users/aiwilliams/.rbenv/versions/2.1.6/bin/inspec:23:in `load'
    from /Users/aiwilliams/.rbenv/versions/2.1.6/bin/inspec:23:in `<main>'

inspec does not extract section name from test file header

add cla bot

file resource mode matcher does not display file permissions correctly on failure

When a file does not match the intended mode value, the failure return does not list what the mode is in the typical fashion, i.e., 0644, 0777, etc. Instead, as in the following example, it returns that it should equal 416 but instead equals 420. I would expect it to return the file permissions.

root@997d17a0fd01:~# cat spec.rb
describe file('/root/file') do
    its('mode') { should eq 0640 }
end
root@997d17a0fd01:~# ls -l file
-rw-r--r-- 1 root root 0 Nov 10 18:17 file
root@997d17a0fd01:~# inspec exec spec.rb
F

Failures:

  1) File /root/file mode should eq 416
     Failure/Error: its('mode') { should eq 0640 }

       expected: 416
            got: 420

       (compared using ==)
     # spec.rb:2:in `block (2 levels) in load'
     # /var/lib/gems/1.9.1/gems/inspec-0.9.2/lib/inspec/runner.rb:89:in `run_with'
     # /var/lib/gems/1.9.1/gems/inspec-0.9.2/lib/inspec/runner.rb:85:in `run'
     # /var/lib/gems/1.9.1/gems/thor-0.19.1/lib/thor/command.rb:27:in `run'
     # /var/lib/gems/1.9.1/gems/thor-0.19.1/lib/thor/invocation.rb:126:in `invoke_command'
     # /var/lib/gems/1.9.1/gems/thor-0.19.1/lib/thor.rb:359:in `dispatch'
     # /var/lib/gems/1.9.1/gems/thor-0.19.1/lib/thor/base.rb:440:in `start'

Finished in 0.04819 seconds (files took 0.21259 seconds to load)
1 example, 1 failure

Failed examples:

rspec  # File /root/file mode should eq 416

Support the control keyword, synonymous to rule

expose all necessary methods in OS resource

resource integration tests

extend current test suits to run resources tests against real machines

`inspec check` on examples generates errors

The command line description of inspec check says that it will verify the test structure. Used on the example in this repo, however, returns warnings and errors:

[test-kitchen]$ ll                                                                                                                                                            
total 48
drwxr-xr-x  11 tball  staff   374B Nov  3 19:51 .
drwxr-xr-x   3 tball  staff   102B Nov  3 10:49 ..
drwxr-xr-x   4 tball  staff   136B Nov  3 13:40 .kitchen
-rw-r--r--   1 tball  staff   246B Nov  3 10:49 .kitchen.yml
-rw-r--r--   1 tball  staff    47B Nov  3 10:49 Berksfile
-rw-------   1 tball  staff   145B Nov  3 13:39 Berksfile.lock
-rw-r--r--   1 tball  staff   498B Nov  3 19:51 Gemfile
-rw-r--r--   1 tball  staff   896B Nov  3 10:49 README.md
-rw-r--r--   1 tball  staff   191B Nov  3 10:49 metadata.rb
drwxr-xr-x   4 tball  staff   136B Nov  3 10:49 recipes
drwxr-xr-x   3 tball  staff   102B Nov  3 10:49 test
[test-kitchen]$ chef exec inspec check .
W, [2015-11-04T14:38:32.092497 #27616]  WARN -- : metadata.rb doesn't support: depends ["apt"]
W, [2015-11-04T14:38:32.092578 #27616]  WARN -- : metadata.rb doesn't support: depends ["yum"]
I, [2015-11-04T14:38:32.153793 #27616]  INFO -- : Checking profile in .
E, [2015-11-04T14:38:32.154004 #27616] ERROR -- : Profile name must be defined as: OWNER/ID
D, [2015-11-04T14:38:32.154080 #27616] DEBUG -- : Found 7 rules.
D, [2015-11-04T14:38:32.154114 #27616] DEBUG -- : Verify all rules in  ./test/integration/default/web_spec.rb
W, [2015-11-04T14:38:32.154173 #27616]  WARN -- : Rule web_spec.rb:6 has no title
W, [2015-11-04T14:38:32.154226 #27616]  WARN -- : Rule web_spec.rb:6 has no description
W, [2015-11-04T14:38:32.154279 #27616]  WARN -- : Rule web_spec.rb:26 has no title
W, [2015-11-04T14:38:32.154320 #27616]  WARN -- : Rule web_spec.rb:26 has no description

We should clean up the built in examples so they pass inspec check

script resource

Currently we have no built-in support to run long powershell scripts.

port resource does not work on CentOS

When using port on CentOS, the following is logged

The `port` resource is not supported on your OS yet.

See https://github.com/chef/inspec/blob/master/lib/resources/port.rb#L26-L38

I think 'centos' should be in the family list for Linux

document output and/or expected results

All of the inspec exec examples provide no hints as to what the expected outcome should be. For those who don't come from a Ruby universe, this is particularly confusing. Is it just a pass/fail as a return value? Is it JSON? Is it unformatted text? Is it rspec? Is it TAP?

It seems extremely realistic that someone would want to hook this up to, say, Jenkins. But with the lack of documentation on the consumer output, many will just take a pass and move on to something else.

Escape commands before we execute them

Use http://ruby-doc.org/stdlib-2.0.0/libdoc/shellwords/rdoc/Shellwords.html for command escape

Support the -i switch for key files as per ssh

Reported by @alexmanly

Some inconsistencies with naming across the resources

Configuration File Resources

Some of the resources have a name that includes _config (spelled out), whereas others are shortened to just _conf.

Ones that have _config:

inetd_config << suggest inetd_conf
parse_config
parse_config_file
ssh_config
sshd_config

_conf:
apache_conf
audit_daemon_conf << suggest auditd_conf
limits_conf
mysql_conf
ntp_conf
postgres_conf

Only two of them are truly inconsistent, with inetd_config and audit_daemon_conf not having a name directly similar to the actual filename, like ntp_conf and the other _conf resources. Naming suggestions listed above.

parse_config options

suggest renaming assignment_re => assign_regex << no more guessing as to what _re might mean
suggest renaming key_vals => key_values (to be consistent with multiple_values and to preserve the highest level of human readability)

Miscellaneous (these are not as important)

The name of the login_def (file name) resource is login_defs (resource name) << can both be the same (plural)? This suggestion changes the resource filename to login_defs.rb
The name of the processes resource << can it be shortened to just process? It also seems that one can test just a single "process"
There is an /etc/group => etc_group resource, there is an /etc/passwd => passwd resource ... could the passwd resource be named etc_passwd? (Note that I see why it's etc_group, specifically, so as to not conflict with the group resource.)

User resource doesn't handle group names with spaces

On a Linux server that is joined to a Windows domain, users generaly are member of groups that contain spaces in their names. Eg "domain users". However, this currenly fails.

Test:

describe user('jfolmer') do
  its('groups') { should eq ['domain users', 'domain admins', 'denied rodc password replication group'] }
end

Output:

Failures:

  1) User jfolmer groups should eq ["domain users", "domain admins", "denied rodc password replication group"]
     Failure/Error: DEFAULT_FAILURE_NOTIFIER = lambda { |failure, _opts| raise failure }

       expected: ["domain users", "domain admins", "denied rodc password replication group"]
            got: ["domain"]

Add WinRM transport layer

service resource misbehaves on upstart hosts

Some services, like ntp, don't show up in initctl on Ubuntu 14.04 and other pre-systemd platforms. They are visible in /etc/init.d and via the service command, but are not in initctl.

Currently, inspec checks initctl for all service resources on pre-15.04 hosts, so it will fail to detect running ntp processes, even though they are present and enabled.

I'm not sure what the proper fix here is, possibly checking /etc/init.d/, service, and initctl for a service, and or-ing the results together?

OS resource with string and symbol support

Currently, the os resource only supports symbols. It should support strings as well. See #224

Port resource returns arrays

process, pid and protocol for port all get compared to an array instead of string/number causing weirdness like this

Port  22 pid should eq "957"
    Failure/Error: DEFAULT_FAILURE_NOTIFIER = lambda { |failure, _opts| raise failure }

      expected: "957"
           got: [957]

Thanks for reporting Thomas Cate

Readme: differentiate from Serverspec

Kudos for giving a nod to Serverspec.

It would be really helpful to explain why this is different from serverspec and why someone might choose to use inspec instead of serverspec.

Support writing full tests in inspec shell

At the moment it is not possible to start an inspec shell and paste either a control or a describe block and have it execute and report results.

I.e:

inspec shell

And then enter:

describe file('/not/here') do
   it { should_not exist }
end

which will only result in:

=> [["describe", [File /not/here], #<Proc:0x000000013f3850@(pry):1>]]

The desired output should be:

A print of the execution using the default cli formatter, without the additonal profile context and version. i.e.:
```
  ✔  ssh-1: Allow only SSH Protocol 2
```
The test should return a result object, which has a result value embedded.

specify process supervision type in service resource

The Inspec service resource determines the process supervision type based on os release version and uses a single process supervision type to check if a process is running, enabled etc.

Given many chef cookbooks use many different process supervison tools (init, upstart, runit, etc etc) It would be better if you could override the service_mgmt instance variable to specify the specific one for your service.

Is this a design decision, or could this be changed?

Readme: Point to sources of documentation

Users cannot currently easily find their way to documentation when starting here on github.

add xml resource

Support reading XML files via a resource

Suse Support

improve package resource on windows

The current package resource is reported to be very slow Windows:

describe package('Orca') do
  it { should be_installed }      
end

This code should be improved: https://github.com/chef/inspec/blob/master/lib/resources/package.rb#L187-L209 and we should not require wmi

verifiy input parameter of `user` resources

describe user(nil) do
...
end

should throw an error and fail the test

add project docs

Make text replacements in documentation work correctly

Not sure if this means merely making sure inspec-specific things like |inspec resource| exist in https://github.com/chef/chef-web-docs/blob/master/swaps/swap_names.txt or whether there should be a replacements file here.

Better wording for check

Documentation for inspec command check:

Use inspec check to run all tests at the specified path.

Documentation for inspec command exec:

Use inspec exec to run all tests at the specified path.

What is the difference?

Reported by @alexmanly

convert logindef values to integer if possible

describe login_defs do
   its('PASS_MAX_DAYS') { should eq '180' }
end

Cannot run against remote WinRM SSL systems

When I attempt to run a simple inspec file (just contains the port 80 should not not be open example from the readme), I get the following error:

troyready@myworkstation:~/myscripts$ ~/.chefdk/gem/ruby/2.1.0/bin/inspec exec inspec_recent_patching.rb -b winrm --user Administrator --host mywinhost.myorg.com --password "mypa33w#rd" --ssl --self-signed
/opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/winrm-1.3.4/lib/winrm/http/response_handler.rb:57:in `raise_if_auth_error': WinRM::WinRMAuthorizationError (WinRM::WinRMAuthorizationError)
    from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/winrm-1.3.4/lib/winrm/http/response_handler.rb:50:in `raise_if_error'
    from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/winrm-1.3.4/lib/winrm/http/response_handler.rb:35:in `parse_to_xml'
    from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/winrm-1.3.4/lib/winrm/http/transport.rb:50:in `send_request'
    from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/winrm-1.3.4/lib/winrm/winrm_service.rb:430:in `send_message'
    from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/winrm-1.3.4/lib/winrm/winrm_service.rb:126:in `open_shell'
    from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/winrm-transport-1.0.2/lib/winrm/transport/command_executor.rb:78:in `open'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/r-train-0.9.1/lib/train/transports/winrm_connection.rb:158:in `block in establish_shell'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/r-train-0.9.1/lib/train/transports/winrm_connection.rb:212:in `retryable'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/r-train-0.9.1/lib/train/transports/winrm_connection.rb:156:in `establish_shell'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/r-train-0.9.1/lib/train/transports/winrm_connection.rb:238:in `session'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/r-train-0.9.1/lib/train/transports/winrm_connection.rb:66:in `run_command'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/r-train-0.9.1/lib/train/extras/os_detect_windows.rb:60:in `detect_windows'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/r-train-0.9.1/lib/train/extras/os_common.rb:105:in `detect_family_type'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/r-train-0.9.1/lib/train/extras/os_common.rb:78:in `detect_family'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/r-train-0.9.1/lib/train/extras/os_common.rb:26:in `initialize'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/r-train-0.9.1/lib/train/transports/winrm_connection.rb:254:in `initialize'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/r-train-0.9.1/lib/train/transports/winrm_connection.rb:54:in `new'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/r-train-0.9.1/lib/train/transports/winrm_connection.rb:54:in `os'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/inspec-0.9.1/lib/resources/os.rb:16:in `[]'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/inspec-0.9.1/lib/resources/port.rb:26:in `initialize'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/inspec-0.9.1/lib/inspec/plugins/resource.rb:23:in `initialize'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/inspec-0.9.1/lib/inspec/profile_context.rb:74:in `new'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/inspec-0.9.1/lib/inspec/profile_context.rb:74:in `block (3 levels) in create_inner_dsl'
    from inspec_recent_patching.rb:1:in `load'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/inspec-0.9.1/lib/inspec/profile_context.rb:31:in `instance_eval'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/inspec-0.9.1/lib/inspec/profile_context.rb:31:in `load'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/inspec-0.9.1/lib/inspec/runner.rb:76:in `add_content'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/inspec-0.9.1/lib/inspec/runner.rb:57:in `block in add_tests'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/inspec-0.9.1/lib/inspec/runner.rb:56:in `each'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/inspec-0.9.1/lib/inspec/runner.rb:56:in `add_tests'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/inspec-0.9.1/bin/inspec:77:in `exec'
    from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/thor-0.19.1/lib/thor/command.rb:27:in `run'
    from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/thor-0.19.1/lib/thor/invocation.rb:126:in `invoke_command'
    from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/thor-0.19.1/lib/thor.rb:359:in `dispatch'
    from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/thor-0.19.1/lib/thor/base.rb:440:in `start'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/inspec-0.9.1/bin/inspec:109:in `<top (required)>'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/bin/inspec:23:in `load'
    from /home/troyready/.chefdk/gem/ruby/2.1.0/bin/inspec:23:in `<main>'

I tried connecting directly with train though and I don't experience any errors:

require 'train'
train = Train.create(
  'winrm',
  host: 'mywinhost.myorg.com',
  user: 'Administrator',
  password: 'mypa33w#rd',
  ssl: true,
  self_signed: true
)
conn = train.connection
puts conn.run_command('ipconfig /all').stdout
conn.close

(^ outputs my ip info as expected)

I've tried debugging this for a bit and didn't come up with anything conclusive. Would greatly appreciate any advice/direction on troubleshooting it / improving the project.

OS detection on debian does not detect versions

The new OS detector does not play nice with Debian yet. detect.rb returns the following data:

{"os_name":null,"os_family":"debian","os_release":null,"os_arch":"x86_64"}

The version is missing.

registry_key needs to be case insensitive

Repro steps:

Take a Windows 2012r2 instance and run the following Powershell command:

PS C:\> Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0 -name NTLMMinServerSec

NtlmMinServerSec : 536870912

Use this chef-client resource to set NTLMMinServerSec to the desired value:

registry_key 'HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0' do
  values [{ name: 'NTLMMinServerSec', type: :dword, data: 537_395_200 }]
  recursive true
  action :create
end

Run the following Powershell command to retrieve the value of the registry key:

PS C:\> Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0 -name NTLMMinServerSec

NtlmMinServerSec : 537395200

^ This shows that the chef-client registry_key resource found the entry and set the desired value. Observe the case insensitive nature of the NTLM in the Powershell and chef-client context.

Run an inspec test using this rule, currently used in compliance-profiles/base/windows/test/base_spec.rb:

rule 'windows-base-203' do
  impact 1.0
  title 'Enable Strong Encryption for Windows Network Sessions on Servers'
  describe registry_key('HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0') do
    it { should exist }
    its('NTLMMinServerSec') { should eq 537395200 }
  end
end

Run an inspec test using this rule:

rule 'windows-base-203' do
  impact 1.0
  title 'Enable Strong Encryption for Windows Network Sessions on Servers'
  describe registry_key('HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0') do
    it { should exist }
    its('NtlmMinServerSec') { should eq 537395200 }
  end
end

Expected results:

Test 4 succeeds
Test 5 succeeds

Actual results:

Test 4 fails with this output:

    3) Registry Key HKLM\System\CurrentControlSet\Control\Lsa\MSV10 NTLMMinServerSec
       Failure/Error: its('NTLMMinServerSec') { should eq 537395200 }
       NoMethodError:
         undefined method `[]' for nil:NilClass
       # /Users/apop/.chefdk/gem/ruby/2.1.0/gems/inspec-0.9.3/lib/resources/registry_key.rb:56:in `method_missing'
       # demo/windows/test/random.rb:48:in `block (3 levels) in load'

Test 5 succeeds

Test 4 fails because the registry_key inspec resource is case sensitive.