Windows Audit Mode Chef or ChefDK Issues

Sean Horn -

There are two issues right now when running audit cookbooks like the following under Windows with recent Chef and ChefDK (0.5.1+) releases:

  • The Windows-specific SpecInfra method convert_regexp was eating forward slashes found in URLs and anywhere else in the patterns
  • Backslashes must be escaped for them to make it into the attempted PowerShell match

  1. Change the substitution section of SpecInfra's convert_regexp method to look like this in the embedded Ruby under c:/opscode/chefdk or c:/opscode/chef. I'm using ChefDK 0.5.1 and found the file at C:\opscode\chefdk\embedded\lib\ruby\gems\2.1.0\gems\specinfra-2.30.2\lib\specinfra\backend\powershell\command.rb. I believe you are using v2.36.9 of SpecInfra, and it still looks the same: https://github.com/mizzy/specinfra/blob/v2.36.9/lib/specinfra/backend/powershell/command.rb#L20-L27

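     def convert_regexp(target)
       case target
       when Regexp
         target.source
       else
         # Original line, which removed every forward slash:
         # target.to_s.gsub '/', ''
         # Strip only a leading or trailing slash. The pattern has to be a
         # Regexp literal; gsub matches a String pattern literally.
         target.to_s.gsub(/(^\/|\/$)/, '')
       end
     end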
    
  2. Whenever there are literal backslashes in a token, like E:\Inetpub\GLS\docdrop\", you must send that string to chef-audit with three backslashes in place of each one, to escape the backslash, which is a special character: E:\\\Inetpub\\\SSS\\\docdrop\\\".

 

The following examples work with the above patch, and not without it.

I had to add the two extra backslashes that would not otherwise be found in the patterns, and the patch above allows URLs and other patterns with forward slashes to be passed unmodified.

    # web_config_file is assumed to be defined elsewhere in the recipe
    control_group "Verify deployment" do
      control 'tokens' do
        it 'should handle dots and forward slashes and angle brackets' do
          expect(file(web_config_file)).to contain '<endpoint address="net.msmq://something.example.local/private/COMET.Enterprise.Trace.Messaging.Service/thingstoseenow.svc" binding="netMsmqBinding" bindingConfiguration="NetMsmqBinding" contract="COMET.Enterprise.Trace.Contracts.Service.ASomethingService" name="Watching"/>'
        end

        it 'should handle lots of backslashes' do
          expect(file(web_config_file)).to contain '<add key="filebin" value="E:\\\Inetpub\\\SSS\\\docdrop\\\"/>'
        end

        it 'should handle URLS and tags' do
          expect(file(web_config_file)).to contain '<value>http://something.example.net/Service.asmx</value>'
        end
      end
    end
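
The sketch below is an added illustration, not code from this article or from SpecInfra. It compares the original and patched convert_regexp behaviour (the patched variant written with a Regexp literal) and shows what three backslashes in a single-quoted Ruby string turn into. The method names, the constructed sample lines, and the use of Ruby's Regexp as a stand-in for the PowerShell match are assumptions.

```ruby
# Added illustration, not SpecInfra's own code. Method names are hypothetical.
# Assumption: Ruby's Regexp stands in for the PowerShell regex match; both
# read "\\" in a pattern as one literal backslash.

# Behaviour described as the problem: every forward slash is removed.
def convert_regexp_original(target)
  target.is_a?(Regexp) ? target.source : target.to_s.gsub('/', '')
end

# Patched behaviour: only a leading or trailing slash is removed.
def convert_regexp_patched(target)
  target.is_a?(Regexp) ? target.source : target.to_s.gsub(/(^\/|\/$)/, '')
end

# True when `pattern`, compiled as a regex, matches `content`.
def audit_match?(pattern, content)
  !Regexp.new(pattern).match(content).nil?
rescue RegexpError
  false # a pattern that does not compile cannot match
end

# Constructed file lines, modelled on the web.config values in the article.
URL_LINE  = '<value>http://something.example.net/Service.asmx</value>'
PATH_LINE = '<add key="filebin" value="E:\Inetpub\SSS\docdrop\"/>'

# Tokens as they would be typed in the audit recipe (single-quoted Ruby).
URL_TOKEN   = '<value>http://something.example.net/Service.asmx</value>'
PATH_SINGLE = '<add key="filebin" value="E:\Inetpub\SSS\docdrop\"/>'
PATH_TRIPLE = '<add key="filebin" value="E:\\\Inetpub\\\SSS\\\docdrop\\\"/>'

def report
  {
    'url, original method' => audit_match?(convert_regexp_original(URL_TOKEN), URL_LINE),
    'url, patched method' => audit_match?(convert_regexp_patched(URL_TOKEN), URL_LINE),
    'path, single backslashes' => audit_match?(convert_regexp_patched(PATH_SINGLE), PATH_LINE),
    'path, tripled backslashes' => audit_match?(convert_regexp_patched(PATH_TRIPLE), PATH_LINE)
  }
end

# In single quotes '\\\I' is "\\" (one backslash) plus "\I" (kept as typed),
# so the pattern that reaches the matcher has two backslashes per separator.
puts PATH_TRIPLE
report.each { |label, matched| puts "#{label}: #{matched ? 'match' : 'no match'}" }
```

With single backslashes the matcher reads sequences such as \S and \d as regex escapes, so the path token never matches the file line it was copied from.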

The ChefDK ticket for the convert_regexp method issue can be found at https://github.com/chef/chef-dk/issues/526
