Use the users Chef InSpec audit resource to look up all local users available on the system, and then test specific properties of those users. This resource does not return information about users that may be located on other systems, such as LDAP or Active Directory.
This resource is distributed along with Chef InSpec itself. You can use it automatically.
This resource first became available in v1.0.0 of InSpec.
A users resource block declares a user name, and then one (or more) matchers:
describe users.where(uid: 0).entries do
it { should eq ['root'] }
its('uids') { should eq [1234] }
its('gids') { should eq [1234] }
end
where
gid, group, groups, home, maxdays, mindays, shell, uid, warndays, passwordage, maxbadpasswords and badpasswordattempts are valid matchers for this resourcewhere(uid: 0).entries represents a filter that runs the test only against matching usersFor example:
describe users.where { username =~ /.*/ } do
it { should exist }
end
or:
describe users.where { uid =~ /^S-1-5-[0-9-]+-501$/ } do
it { should exist }
end
The gid property tests the group identifier:
its('gid') { should eq 1234 } }
where 1234 represents the user identifier.
The group property tests the group to which the user belongs:
its('group') { should eq 'root' }
where root represents the group.
The groups property tests two (or more) groups to which the user belongs:
its('groups') { should eq ['root', 'other']}
The home property tests the home directory path for the user:
its('home') { should eq '/root' }
The maxdays property tests the maximum number of days between password changes:
its('maxdays') { should eq 99 }
where 99 represents the maximum number of days.
The mindays property tests the minimum number of days between password changes:
its('mindays') { should eq 0 }
where 0 represents the maximum number of days.
The shell property tests the path to the default shell for the user:
its('shells') { should eq ['/bin/bash'] }
The uid property tests the user identifier:
its('uid') { should eq 1234 } }
where 1234 represents the user identifier.
The warndays property tests the number of days a user is warned before a password must be changed:
its('warndays') { should eq 5 }
where 5 represents the number of days a user is warned.
The passwordage property tests the number of days a user changed its password:
its('passwordage') { should_be <= 365 }
where 365 represents the number of days since the last password change.
The maxbadpasswords property tests the count of max badpassword settings for a specific user.
its('maxbadpasswords') { should eq 7 }
where 7 is the count of maximum bad password attempts.
The badpasswordattempts property tests the count of bad password attempts for a user.
its('badpasswordattempts') { should eq 0 }
where 0 is the count of bad passwords for a user. On Linux based operating systems it relies on lastb and for Windows it uses information stored for the user object. These settings will be resetted to 0 depending on your operating system configuration.
The following examples show how to use this Chef InSpec audit resource.
describe users.where { uid =~ /S\-1\-5\-21\-\d+\-\d+\-\d+\-500/ } do
it { should exist }
end
allowed_users = %w(user1 user2 user3)
users.where { uid > 1000 && uid < 65534 }.usernames.sort.each do |u|
describe user(u) do
if allowed_users.include?(u)
it { should exist }
else
it { should_not exist }
end
end
end
For a full list of available matchers, please visit our matchers page.
The exist matcher tests if the named user exists:
it { should exist }
© Chef Software, Inc.
Licensed under the Creative Commons Attribution 3.0 Unported License.
The Chef™ Mark and Chef Logo are either registered trademarks/service marks or trademarks/servicemarks of Chef, in the United States and other countries and are used with Chef Inc's permission.
We are not affiliated with, endorsed or sponsored by Chef Inc.
https://docs.chef.io/inspec/resources/users/