dev-sec/windows-baseline

The 'should include' does not check for unwanted accounts

mmoazam opened this issue · 1 comment

The 'should include' doesn't check that unwanted accounts are not present, so this control is invalid.

control 'cis-adjust-memory-quotas-2.2.5' do
  impact 0.7
  title '2.2.5 Set Adjust memory quotas for a process to Administrators, LOCAL SERVICE, NETWORK SERVICE'
  desc 'Set Adjust memory quotas for a process to Administrators, LOCAL SERVICE, NETWORK SERVICE'
  describe security_policy do
    its('SeIncreaseQuotaPrivilege') { should include 'S-1-5-19' }
    its('SeIncreaseQuotaPrivilege') { should include 'S-1-5-20' }
    its('SeIncreaseQuotaPrivilege') { should include 'S-1-5-32-544' }
  end
end

I suggest the following. This will work only if the returned array is always sorted, which I think is true.
Otherwise we need to check that no other account is added.

control 'cis-adjust-memory-quotas-2.2.5' do
  impact 0.7
  title '2.2.5 Set Adjust memory quotas for a process to Administrators, LOCAL SERVICE, NETWORK SERVICE'
  desc 'Set Adjust memory quotas for a process to Administrators, LOCAL SERVICE, NETWORK SERVICE'
  describe security_policy do
    its('SeIncreaseQuotaPrivilege') { should eq ['S-1-5-19','S-1-5-20','S-1-5-32-544'] }
  end
end

@mmoazam yes, this is correct. Can you introduce a new variable to check this?
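The thread's concern is that `should include` passes even when an extra account holds the right, and that `should eq` only works if the resource returns the SIDs in a fixed order. As an added example (not code from the windows-baseline project or from either participant), the plain Ruby below parses the `[Privilege Rights]` section of a secedit-style export, which is the format the InSpec `security_policy` resource reads, and then compares the granted SIDs with the expected ones as sets, reporting both missing and unexpected accounts regardless of order. The export text and the extra domain SID in it are constructed for the example.

```ruby
# Added example: evaluate a user-rights assignment as a set, so an unwanted
# SID fails the check no matter where secedit lists it. Not the project's code.

# Constructed sample in the secedit export format; the '*' prefix marks a SID.
# The S-1-5-21-... SID is a made-up domain account that should not hold the right.
SAMPLE_EXPORT = <<~INF
  [Unicode]
  Unicode=yes
  [Privilege Rights]
  SeIncreaseQuotaPrivilege = *S-1-5-32-544,*S-1-5-20,*S-1-5-19,*S-1-5-21-1111111111-2222222222-3333333333-1001
  SeDenyNetworkLogonRight = *S-1-5-32-546
INF

# Parse the [Privilege Rights] section into { privilege_name => [sid, ...] }.
# Lines outside that section (other INI sections) are ignored.
def parse_privilege_rights(text)
  rights = {}
  in_section = false
  text.each_line do |raw|
    line = raw.strip
    next if line.empty?
    if line.start_with?('[')
      in_section = (line == '[Privilege Rights]')
      next
    end
    next unless in_section
    name, value = line.split('=', 2).map(&:strip)
    next if name.nil? || value.nil?
    # Strip the leading '*' the export puts in front of each SID.
    rights[name] = value.split(',').map { |sid| sid.strip.sub(/\A\*/, '') }.reject(&:empty?)
  end
  rights
end

# Compare granted SIDs with the expected list using set difference, so order
# is irrelevant. Returns a hash with the missing and unexpected SIDs and an
# overall pass/fail flag; the check passes only when both lists are empty.
def check_privilege(rights, privilege, expected)
  actual = rights.fetch(privilege, [])
  missing = expected - actual
  unexpected = actual - expected
  { missing: missing.sort, unexpected: unexpected.sort, ok: missing.empty? && unexpected.empty? }
end

# CIS 2.2.5: LOCAL SERVICE, NETWORK SERVICE, Administrators.
EXPECTED_QUOTA = %w[S-1-5-19 S-1-5-20 S-1-5-32-544].freeze

if __FILE__ == $PROGRAM_NAME
  rights = parse_privilege_rights(SAMPLE_EXPORT)
  result = check_privilege(rights, 'SeIncreaseQuotaPrivilege', EXPECTED_QUOTA)
  puts "ok: #{result[:ok]}"
  puts "missing:    #{result[:missing].join(', ')}"
  puts "unexpected: #{result[:unexpected].join(', ')}"
end
```

Running it against the constructed export reports the extra S-1-5-21-... SID as unexpected and fails the check, which is exactly the case the `should include` control misses. Inside an InSpec control the same set semantics can be expressed with RSpec's `match_array` matcher in place of `should eq`, which removes the dependence on the resource returning a sorted array; that matcher choice is a suggestion here, not something the thread settled on.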