Chef Ideas

We believe that the best way to build software is to do it in close collaboration with the people who use it. We invite you to submit your ideas using the form below. Please be sure to include the problem you are solving and the benefits of implementing the idea.

We do our best to implement as many Ideas as we can. Our Product team will evaluate all submitted ideas in a timely manner and will disposition each into one of the following categories: will integrate into the product roadmap, further research is needed, unlikely to implement.

Thanks for collaborating with us!

A way to set the values on child keys in the HKEY_USERS registry hive.

I am writing a cookbook that hardens a Windows 2019 server in accordance with CIS level 1 requirements. So far I have completed rule sections 1, 2, 9, 17 and 18 using:

windows_user_policy resource
windows_security_policy resource
windows_audit_policy resource
registry_key resource

All were pretty straightforward; however, rule section 19 requires setting key values for each user in the HKEY_USERS hive, and I can't seem to find a way to use the registry_get_value resource to extrapolate each user key into an array and then pass that array to the registry_key resource to set the required key value for each user in the hive. I can't find any reference to passing variables to the registry_key resource, or any examples. I see how Inspec uses the following line to check them:

registry_key({hive: 'HKEY_USERS'}).children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/).map { |x| x.to_s + "\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop" }.each do |entry|

But this syntax does not work in Chef server cookbooks. Below is the first Inspec control I am trying to satisfy:

control "xccdf_org.cisecurity.benchmarks_rule_19.1.3.1_L1_Ensure_Enable_screen_saver_is_set_to_Enabled" do
  title "(L1) Ensure 'Enable screen saver' is set to 'Enabled'"
  desc "
This policy setting enables/disables the use of desktop screen savers.

The recommended state for this setting is: Enabled .

Rationale: If a user forgets to lock their computer when they walk away, it is possible that a passerby will hijack it. Configuring a timed screen saver with password lock will help to protect against these hijacks."
  impact 1.0
  tag cce: "CCE-37970-1"
  # Every loaded hive under HKEY_USERS whose name is an account SID gets the same check.
  registry_key({hive: 'HKEY_USERS'}).children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/).map { |x| x.to_s + "\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop" }.each do |entry|
    describe registry_key(entry) do
      it { should have_property "ScreenSaveActive" }
      its("ScreenSaveActive") { should eq "1" }
    end
  end
end
  • Guest
  • Jun 8 2022
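The following is an added example, not code from the original post or from Chef, showing the data step the post is asking for: take the list of subkeys under HKEY_USERS, keep only the per-user profile hives, and turn each one into the key path and values array that a registry_key resource needs. It is plain Ruby so it runs without Chef; the list of HKEY_USERS children is a constructed sample, and the commented recipe at the end assumes Chef's registry_get_subkeys helper supplies the real list at converge time. Two caveats worth knowing when hardening this way: HKEY_USERS only contains hives that are currently loaded (logged-on users plus the service accounts), so profiles that are not loaded at converge time are not touched; and the hive list also holds .DEFAULT, the well-known SIDs S-1-5-18/19/20 and the "<SID>_Classes" hives, which must not receive per-user policy. The SID pattern from the InSpec control, anchored with \A and \z here so it can only match the whole key name, is what filters those out.

```ruby
# Added example (not from the original post or from Chef): filter the
# subkeys of HKEY_USERS down to per-user profile hives and build the
# registry paths and values a Chef registry_key resource would receive.

# Same pattern as the InSpec control, but anchored to the whole string
# (\A / \z) rather than to line boundaries (^ / $).
USER_SID_RE = /\AS-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}\z/

DESKTOP_POLICY_SUBKEY = 'Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop'

# Keep only subkey names that are account SIDs: drops .DEFAULT, the
# service-account SIDs (S-1-5-18/19/20) and "<SID>_Classes" hives.
def user_profile_sids(subkeys)
  subkeys.select { |name| name.match?(USER_SID_RE) }
end

# Full path of the Desktop policy key inside each user hive.
def desktop_policy_keys(subkeys)
  user_profile_sids(subkeys).map { |sid| "HKEY_USERS\\#{sid}\\#{DESKTOP_POLICY_SUBKEY}" }
end

# One registry_key resource described as plain data: the resource name
# (:key) and the values array in the shape registry_key's `values`
# property expects (name / type / data hashes).
def screen_saver_resource(key_path)
  {
    key: key_path,
    values: [
      { name: 'ScreenSaveActive', type: :string, data: '1' },
    ],
  }
end

def screen_saver_resources(subkeys)
  desktop_policy_keys(subkeys).map { |k| screen_saver_resource(k) }
end

# Constructed sample of what the children of HKEY_USERS look like on a
# machine with two loaded user profiles (the SIDs are made up).
SAMPLE_HKU_CHILDREN = %w[
  .DEFAULT
  S-1-5-18
  S-1-5-19
  S-1-5-20
  S-1-5-21-1234567890-987654321-1122334455-1001
  S-1-5-21-1234567890-987654321-1122334455-1001_Classes
  S-1-5-21-1234567890-987654321-1122334455-500
].freeze

# In a Chef recipe the same helpers drive the resource loop; this part is
# not executed here and assumes Chef's registry_get_subkeys helper:
#
#   screen_saver_resources(registry_get_subkeys('HKEY_USERS')).each do |r|
#     registry_key r[:key] do
#       values r[:values]
#       recursive true
#       action :create
#     end
#   end

if __FILE__ == $PROGRAM_NAME
  screen_saver_resources(SAMPLE_HKU_CHILDREN).each do |r|
    puts "#{r[:key]} => #{r[:values].inspect}"
  end
end
```

With the sample above, only the two account SIDs survive the filter, so two registry_key resources would be declared; the `_Classes` hive and the service-account hives are skipped. Because the helper methods are defined at the top of the recipe, Chef evaluates the `registry_get_subkeys` call during the compile phase, which is fine for reading the hive list, and each generated registry_key then converges normally.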