RubyGems - inspec - Versions diffs - 1.51.6 → 1.51.15 - Mend

inspec 1.51.6 → 1.51.15

Files changed (404) hide show

checksums.yaml +4 -4
data/.rubocop.yml +101 -101
data/CHANGELOG.md +2915 -2902
data/Gemfile +53 -53
data/LICENSE +14 -14
data/MAINTAINERS.md +31 -31
data/MAINTAINERS.toml +47 -47
data/README.md +419 -419
data/Rakefile +167 -167
data/bin/inspec +12 -12
data/docs/.gitignore +2 -2
data/docs/README.md +40 -40
data/docs/dsl_inspec.md +258 -258
data/docs/dsl_resource.md +93 -93
data/docs/glossary.md +99 -99
data/docs/habitat.md +191 -191
data/docs/inspec_and_friends.md +107 -107
data/docs/matchers.md +165 -165
data/docs/migration.md +293 -293
data/docs/plugin_kitchen_inspec.md +49 -49
data/docs/profiles.md +370 -370
data/docs/resources/aide_conf.md.erb +78 -78
data/docs/resources/apache.md.erb +66 -66
data/docs/resources/apache_conf.md.erb +67 -67
data/docs/resources/apt.md.erb +70 -70
data/docs/resources/audit_policy.md.erb +46 -46
data/docs/resources/auditd.md.erb +78 -78
data/docs/resources/auditd_conf.md.erb +68 -68
data/docs/resources/auditd_rules.md.erb +116 -116
data/docs/resources/bash.md.erb +74 -74
data/docs/resources/bond.md.erb +89 -89
data/docs/resources/bridge.md.erb +54 -54
data/docs/resources/bsd_service.md.erb +65 -65
data/docs/resources/command.md.erb +137 -137
data/docs/resources/cpan.md.erb +77 -77
data/docs/resources/cran.md.erb +63 -63
data/docs/resources/crontab.md.erb +87 -87
data/docs/resources/csv.md.erb +53 -53
data/docs/resources/dh_params.md.erb +216 -216
data/docs/resources/directory.md.erb +28 -28
data/docs/resources/docker.md.erb +163 -163
data/docs/resources/docker_container.md.erb +99 -99
data/docs/resources/docker_image.md.erb +93 -93
data/docs/resources/docker_service.md.erb +113 -113
data/docs/resources/elasticsearch.md.erb +230 -230
data/docs/resources/etc_fstab.md.erb +124 -124
data/docs/resources/etc_group.md.erb +74 -74
data/docs/resources/etc_hosts.md.erb +75 -75
data/docs/resources/etc_hosts_allow.md.erb +73 -73
data/docs/resources/etc_hosts_deny.md.erb +73 -73
data/docs/resources/file.md.erb +512 -512
data/docs/resources/filesystem.md.erb +40 -40
data/docs/resources/firewalld.md.erb +105 -105
data/docs/resources/gem.md.erb +78 -78
data/docs/resources/group.md.erb +60 -60
data/docs/resources/grub_conf.md.erb +101 -100
data/docs/resources/host.md.erb +77 -77
data/docs/resources/http.md.erb +104 -98
data/docs/resources/iis_app.md.erb +120 -116
data/docs/resources/iis_site.md.erb +132 -128
data/docs/resources/inetd_conf.md.erb +95 -84
data/docs/resources/ini.md.erb +72 -69
data/docs/resources/interface.md.erb +55 -46
data/docs/resources/iptables.md.erb +63 -63
data/docs/resources/json.md.erb +61 -61
data/docs/resources/kernel_module.md.erb +106 -106
data/docs/resources/kernel_parameter.md.erb +58 -58
data/docs/resources/key_rsa.md.erb +73 -73
data/docs/resources/launchd_service.md.erb +56 -56
data/docs/resources/limits_conf.md.erb +66 -66
data/docs/resources/login_def.md.erb +62 -62
data/docs/resources/mount.md.erb +68 -68
data/docs/resources/mssql_session.md.erb +59 -59
data/docs/resources/mysql_conf.md.erb +98 -98
data/docs/resources/mysql_session.md.erb +73 -73
data/docs/resources/nginx.md.erb +78 -78
data/docs/resources/nginx_conf.md.erb +127 -127
data/docs/resources/npm.md.erb +59 -59
data/docs/resources/ntp_conf.md.erb +59 -59
data/docs/resources/oneget.md.erb +52 -52
data/docs/resources/oracledb_session.md.erb +51 -51
data/docs/resources/os.md.erb +140 -140
data/docs/resources/os_env.md.erb +77 -77
data/docs/resources/package.md.erb +119 -119
data/docs/resources/packages.md.erb +66 -66
data/docs/resources/parse_config.md.erb +102 -102
data/docs/resources/parse_config_file.md.erb +137 -137
data/docs/resources/passwd.md.erb +140 -140
data/docs/resources/pip.md.erb +66 -66
data/docs/resources/port.md.erb +136 -136
data/docs/resources/postgres_conf.md.erb +78 -78
data/docs/resources/postgres_hba_conf.md.erb +92 -92
data/docs/resources/postgres_ident_conf.md.erb +75 -75
data/docs/resources/postgres_session.md.erb +68 -68
data/docs/resources/powershell.md.erb +101 -101
data/docs/resources/processes.md.erb +107 -107
data/docs/resources/rabbitmq_config.md.erb +40 -40
data/docs/resources/registry_key.md.erb +157 -157
data/docs/resources/runit_service.md.erb +56 -56
data/docs/resources/security_policy.md.erb +46 -46
data/docs/resources/service.md.erb +120 -120
data/docs/resources/shadow.md.erb +143 -143
data/docs/resources/ssh_config.md.erb +79 -79
data/docs/resources/sshd_config.md.erb +82 -82
data/docs/resources/ssl.md.erb +118 -118
data/docs/resources/sys_info.md.erb +41 -41
data/docs/resources/systemd_service.md.erb +56 -56
data/docs/resources/sysv_service.md.erb +56 -56
data/docs/resources/upstart_service.md.erb +56 -56
data/docs/resources/user.md.erb +139 -139
data/docs/resources/users.md.erb +126 -126
data/docs/resources/vbscript.md.erb +54 -54
data/docs/resources/virtualization.md.erb +56 -56
data/docs/resources/windows_feature.md.erb +46 -46
data/docs/resources/windows_hotfix.md.erb +52 -52
data/docs/resources/windows_task.md.erb +89 -89
data/docs/resources/wmi.md.erb +80 -80
data/docs/resources/x509_certificate.md.erb +150 -150
data/docs/resources/xinetd_conf.md.erb +155 -155
data/docs/resources/xml.md.erb +84 -84
data/docs/resources/yaml.md.erb +68 -68
data/docs/resources/yum.md.erb +97 -97
data/docs/resources/zfs_dataset.md.erb +52 -52
data/docs/resources/zfs_pool.md.erb +46 -46
data/docs/ruby_usage.md +203 -203
data/docs/shared/matcher_be.md.erb +1 -1
data/docs/shared/matcher_cmp.md.erb +43 -43
data/docs/shared/matcher_eq.md.erb +3 -3
data/docs/shared/matcher_include.md.erb +1 -1
data/docs/shared/matcher_match.md.erb +1 -1
data/docs/shell.md +172 -172
data/examples/README.md +8 -8
data/examples/inheritance/README.md +65 -65
data/examples/inheritance/controls/example.rb +14 -14
data/examples/inheritance/inspec.yml +15 -15
data/examples/kitchen-ansible/.kitchen.yml +25 -25
data/examples/kitchen-ansible/Gemfile +19 -19
data/examples/kitchen-ansible/README.md +53 -53
data/examples/kitchen-ansible/files/nginx.repo +6 -6
data/examples/kitchen-ansible/tasks/main.yml +16 -16
data/examples/kitchen-ansible/test/integration/default/default.yml +5 -5
data/examples/kitchen-ansible/test/integration/default/web_spec.rb +28 -28
data/examples/kitchen-chef/.kitchen.yml +20 -20
data/examples/kitchen-chef/Berksfile +3 -3
data/examples/kitchen-chef/Gemfile +19 -19
data/examples/kitchen-chef/README.md +27 -27
data/examples/kitchen-chef/metadata.rb +7 -7
data/examples/kitchen-chef/recipes/default.rb +6 -6
data/examples/kitchen-chef/recipes/nginx.rb +30 -30
data/examples/kitchen-chef/test/integration/default/web_spec.rb +28 -28
data/examples/kitchen-puppet/.kitchen.yml +22 -22
data/examples/kitchen-puppet/Gemfile +20 -20
data/examples/kitchen-puppet/Puppetfile +25 -25
data/examples/kitchen-puppet/README.md +53 -53
data/examples/kitchen-puppet/manifests/site.pp +33 -33
data/examples/kitchen-puppet/metadata.json +11 -11
data/examples/kitchen-puppet/test/integration/default/web_spec.rb +28 -28
data/examples/meta-profile/README.md +37 -37
data/examples/meta-profile/controls/example.rb +13 -13
data/examples/meta-profile/inspec.yml +13 -13
data/examples/profile-attribute.yml +2 -2
data/examples/profile-attribute/README.md +14 -14
data/examples/profile-attribute/controls/example.rb +11 -11
data/examples/profile-attribute/inspec.yml +8 -8
data/examples/profile-sensitive/README.md +29 -29
data/examples/profile-sensitive/controls/sensitive-failures.rb +9 -9
data/examples/profile-sensitive/controls/sensitive.rb +9 -9
data/examples/profile-sensitive/inspec.yml +8 -8
data/examples/profile/README.md +48 -48
data/examples/profile/controls/example.rb +23 -23
data/examples/profile/controls/gordon.rb +36 -36
data/examples/profile/controls/meta.rb +34 -34
data/examples/profile/inspec.yml +10 -10
data/examples/profile/libraries/gordon_config.rb +53 -53
data/inspec.gemspec +47 -47
data/lib/bundles/README.md +3 -3
data/lib/bundles/inspec-artifact.rb +7 -7
data/lib/bundles/inspec-artifact/README.md +1 -1
data/lib/bundles/inspec-artifact/cli.rb +277 -277
data/lib/bundles/inspec-compliance.rb +16 -16
data/lib/bundles/inspec-compliance/.kitchen.yml +20 -20
data/lib/bundles/inspec-compliance/README.md +185 -185
data/lib/bundles/inspec-compliance/api.rb +316 -316
data/lib/bundles/inspec-compliance/api/login.rb +152 -152
data/lib/bundles/inspec-compliance/bootstrap.sh +41 -41
data/lib/bundles/inspec-compliance/cli.rb +277 -277
data/lib/bundles/inspec-compliance/configuration.rb +103 -103
data/lib/bundles/inspec-compliance/http.rb +86 -86
data/lib/bundles/inspec-compliance/support.rb +36 -36
data/lib/bundles/inspec-compliance/target.rb +98 -98
data/lib/bundles/inspec-compliance/test/integration/default/cli.rb +93 -93
data/lib/bundles/inspec-habitat.rb +12 -12
data/lib/bundles/inspec-habitat/cli.rb +36 -36
data/lib/bundles/inspec-habitat/log.rb +10 -10
data/lib/bundles/inspec-habitat/profile.rb +390 -390
data/lib/bundles/inspec-init.rb +8 -8
data/lib/bundles/inspec-init/README.md +31 -31
data/lib/bundles/inspec-init/cli.rb +97 -97
data/lib/bundles/inspec-init/templates/profile/README.md +3 -3
data/lib/bundles/inspec-init/templates/profile/controls/example.rb +19 -19
data/lib/bundles/inspec-init/templates/profile/inspec.yml +8 -8
data/lib/bundles/inspec-supermarket.rb +13 -13
data/lib/bundles/inspec-supermarket/README.md +45 -45
data/lib/bundles/inspec-supermarket/api.rb +84 -84
data/lib/bundles/inspec-supermarket/cli.rb +65 -65
data/lib/bundles/inspec-supermarket/target.rb +34 -34
data/lib/fetchers/git.rb +163 -163
data/lib/fetchers/local.rb +74 -74
data/lib/fetchers/mock.rb +35 -35
data/lib/fetchers/url.rb +204 -204
data/lib/inspec.rb +24 -24
data/lib/inspec/archive/tar.rb +29 -29
data/lib/inspec/archive/zip.rb +19 -19
data/lib/inspec/backend.rb +92 -92
data/lib/inspec/base_cli.rb +324 -322
data/lib/inspec/cached_fetcher.rb +66 -66
data/lib/inspec/cli.rb +298 -298
data/lib/inspec/completions/bash.sh.erb +45 -45
data/lib/inspec/completions/fish.sh.erb +34 -34
data/lib/inspec/completions/zsh.sh.erb +61 -61
data/lib/inspec/control_eval_context.rb +179 -179
data/lib/inspec/dependencies/cache.rb +72 -72
data/lib/inspec/dependencies/dependency_set.rb +92 -92
data/lib/inspec/dependencies/lockfile.rb +115 -115
data/lib/inspec/dependencies/requirement.rb +123 -123
data/lib/inspec/dependencies/resolver.rb +86 -86
data/lib/inspec/describe.rb +27 -27
data/lib/inspec/dsl.rb +66 -66
data/lib/inspec/dsl_shared.rb +33 -33
data/lib/inspec/env_printer.rb +157 -157
data/lib/inspec/errors.rb +13 -13
data/lib/inspec/exceptions.rb +12 -12
data/lib/inspec/expect.rb +45 -45
data/lib/inspec/fetcher.rb +45 -45
data/lib/inspec/file_provider.rb +275 -275
data/lib/inspec/formatters.rb +3 -3
data/lib/inspec/formatters/base.rb +208 -208
data/lib/inspec/formatters/json_rspec.rb +20 -20
data/lib/inspec/formatters/show_progress.rb +12 -12
data/lib/inspec/library_eval_context.rb +58 -58
data/lib/inspec/log.rb +11 -11
data/lib/inspec/metadata.rb +253 -253
data/lib/inspec/method_source.rb +24 -24
data/lib/inspec/objects.rb +14 -14
data/lib/inspec/objects/attribute.rb +65 -65
data/lib/inspec/objects/control.rb +61 -61
data/lib/inspec/objects/describe.rb +92 -92
data/lib/inspec/objects/each_loop.rb +36 -36
data/lib/inspec/objects/list.rb +15 -15
data/lib/inspec/objects/or_test.rb +40 -40
data/lib/inspec/objects/ruby_helper.rb +15 -15
data/lib/inspec/objects/tag.rb +27 -27
data/lib/inspec/objects/test.rb +87 -87
data/lib/inspec/objects/value.rb +27 -27
data/lib/inspec/plugins.rb +60 -60
data/lib/inspec/plugins/cli.rb +24 -24
data/lib/inspec/plugins/fetcher.rb +86 -86
data/lib/inspec/plugins/resource.rb +132 -132
data/lib/inspec/plugins/secret.rb +15 -15
data/lib/inspec/plugins/source_reader.rb +40 -40
data/lib/inspec/polyfill.rb +12 -12
data/lib/inspec/profile.rb +510 -510
data/lib/inspec/profile_context.rb +207 -207
data/lib/inspec/profile_vendor.rb +66 -66
data/lib/inspec/reporters.rb +50 -33
data/lib/inspec/reporters/base.rb +24 -23
data/lib/inspec/reporters/cli.rb +395 -395
data/lib/inspec/reporters/json.rb +134 -132
data/lib/inspec/reporters/json_min.rb +48 -44
data/lib/inspec/reporters/junit.rb +77 -77
data/lib/inspec/require_loader.rb +33 -33
data/lib/inspec/resource.rb +176 -176
data/lib/inspec/rule.rb +266 -266
data/lib/inspec/runner.rb +340 -337
data/lib/inspec/runner_mock.rb +41 -41
data/lib/inspec/runner_rspec.rb +163 -185
data/lib/inspec/runtime_profile.rb +26 -26
data/lib/inspec/schema.rb +186 -186
data/lib/inspec/secrets.rb +19 -19
data/lib/inspec/secrets/yaml.rb +30 -30
data/lib/inspec/shell.rb +223 -223
data/lib/inspec/shell_detector.rb +90 -90
data/lib/inspec/source_reader.rb +29 -29
data/lib/inspec/version.rb +8 -8
data/lib/matchers/matchers.rb +397 -397
data/lib/resources/aide_conf.rb +160 -160
data/lib/resources/apache.rb +49 -49
data/lib/resources/apache_conf.rb +158 -158
data/lib/resources/apt.rb +150 -150
data/lib/resources/audit_policy.rb +64 -64
data/lib/resources/auditd.rb +233 -233
data/lib/resources/auditd_conf.rb +56 -56
data/lib/resources/auditd_rules.rb +205 -205
data/lib/resources/bash.rb +36 -36
data/lib/resources/bond.rb +69 -69
data/lib/resources/bridge.rb +123 -123
data/lib/resources/command.rb +69 -69
data/lib/resources/cpan.rb +60 -60
data/lib/resources/cran.rb +66 -66
data/lib/resources/crontab.rb +169 -169
data/lib/resources/csv.rb +58 -58
data/lib/resources/dh_params.rb +83 -83
data/lib/resources/directory.rb +25 -25
data/lib/resources/docker.rb +239 -239
data/lib/resources/docker_container.rb +92 -92
data/lib/resources/docker_image.rb +86 -86
data/lib/resources/docker_object.rb +57 -57
data/lib/resources/docker_service.rb +94 -94
data/lib/resources/elasticsearch.rb +168 -168
data/lib/resources/etc_fstab.rb +102 -102
data/lib/resources/etc_group.rb +157 -157
data/lib/resources/etc_hosts.rb +81 -81
data/lib/resources/etc_hosts_allow_deny.rb +122 -122
data/lib/resources/file.rb +298 -298
data/lib/resources/filesystem.rb +31 -31
data/lib/resources/firewalld.rb +144 -144
data/lib/resources/gem.rb +71 -71
data/lib/resources/groups.rb +213 -213
data/lib/resources/grub_conf.rb +237 -237
data/lib/resources/host.rb +300 -300
data/lib/resources/http.rb +252 -252
data/lib/resources/iis_app.rb +103 -103
data/lib/resources/iis_site.rb +147 -147
data/lib/resources/inetd_conf.rb +63 -63
data/lib/resources/ini.rb +29 -29
data/lib/resources/interface.rb +130 -130
data/lib/resources/iptables.rb +70 -70
data/lib/resources/json.rb +115 -115
data/lib/resources/kernel_module.rb +110 -110
data/lib/resources/kernel_parameter.rb +58 -58
data/lib/resources/key_rsa.rb +67 -67
data/lib/resources/limits_conf.rb +56 -56
data/lib/resources/login_def.rb +67 -67
data/lib/resources/mount.rb +90 -90
data/lib/resources/mssql_session.rb +103 -103
data/lib/resources/mysql.rb +82 -82
data/lib/resources/mysql_conf.rb +133 -133
data/lib/resources/mysql_session.rb +72 -72
data/lib/resources/nginx.rb +97 -97
data/lib/resources/nginx_conf.rb +228 -228
data/lib/resources/npm.rb +48 -48
data/lib/resources/ntp_conf.rb +59 -59
data/lib/resources/oneget.rb +72 -72
data/lib/resources/oracledb_session.rb +140 -140
data/lib/resources/os.rb +46 -46
data/lib/resources/os_env.rb +76 -76
data/lib/resources/package.rb +357 -357
data/lib/resources/packages.rb +112 -112
data/lib/resources/parse_config.rb +116 -116
data/lib/resources/passwd.rb +96 -96
data/lib/resources/pip.rb +89 -89
data/lib/resources/platform.rb +112 -112
data/lib/resources/port.rb +771 -771
data/lib/resources/postgres.rb +132 -132
data/lib/resources/postgres_conf.rb +122 -122
data/lib/resources/postgres_hba_conf.rb +101 -101
data/lib/resources/postgres_ident_conf.rb +79 -79
data/lib/resources/postgres_session.rb +72 -72
data/lib/resources/powershell.rb +58 -58
data/lib/resources/processes.rb +204 -204
data/lib/resources/rabbitmq_conf.rb +53 -53
data/lib/resources/registry_key.rb +296 -296
data/lib/resources/security_policy.rb +181 -181
data/lib/resources/service.rb +784 -784
data/lib/resources/shadow.rb +141 -141
data/lib/resources/ssh_conf.rb +102 -102
data/lib/resources/ssl.rb +99 -99
data/lib/resources/sys_info.rb +26 -26
data/lib/resources/toml.rb +32 -32
data/lib/resources/users.rb +652 -652
data/lib/resources/vbscript.rb +70 -70
data/lib/resources/virtualization.rb +251 -251
data/lib/resources/windows_feature.rb +85 -85
data/lib/resources/windows_hotfix.rb +35 -35
data/lib/resources/windows_task.rb +106 -106
data/lib/resources/wmi.rb +114 -114
data/lib/resources/x509_certificate.rb +143 -143
data/lib/resources/xinetd.rb +112 -112
data/lib/resources/xml.rb +45 -45
data/lib/resources/yaml.rb +45 -45
data/lib/resources/yum.rb +181 -181
data/lib/resources/zfs_dataset.rb +60 -60
data/lib/resources/zfs_pool.rb +49 -49
data/lib/source_readers/flat.rb +39 -39
data/lib/source_readers/inspec.rb +75 -75
data/lib/utils/command_wrapper.rb +27 -27
data/lib/utils/convert.rb +12 -12
data/lib/utils/database_helpers.rb +77 -77
data/lib/utils/erlang_parser.rb +192 -192
data/lib/utils/filter.rb +272 -272
data/lib/utils/filter_array.rb +27 -27
data/lib/utils/find_files.rb +44 -44
data/lib/utils/hash.rb +41 -41
data/lib/utils/json_log.rb +18 -18
data/lib/utils/latest_version.rb +22 -22
data/lib/utils/modulator.rb +12 -12
data/lib/utils/nginx_parser.rb +85 -85
data/lib/utils/object_traversal.rb +49 -49
data/lib/utils/parser.rb +274 -274
data/lib/utils/plugin_registry.rb +93 -93
data/lib/utils/simpleconfig.rb +132 -132
data/lib/utils/spdx.rb +13 -13
data/lib/utils/spdx.txt +343 -343
metadata +2 -2

data/lib/resources/security_policy.rb CHANGED

@@ -1,181 +1,181 @@
-# encoding: utf-8
-# author: Christoph Hartmann
-# author: Dominik Richter
-#
-# Security Configuration and Analysis
-#
-# Export local security policy:
-# secedit /export /cfg secpol.cfg
-#
-# @link http://www.microsoft.com/en-us/download/details.aspx?id=25250
-#
-# In Windows, some security options are managed differently that the local GPO
-# All local GPO parameters can be examined via Registry, but not all security
-# parameters. Therefore we need a combination of Registry and secedit output
-require 'hashie'
-module Inspec::Resources
-  # known and supported MS privilege rights
-  # @see https://technet.microsoft.com/en-us/library/dd277311.aspx
-  # @see https://msdn.microsoft.com/en-us/library/windows/desktop/bb530716(v=vs.85).aspx
-  MS_PRIVILEGES_RIGHTS = [
-    'SeNetworkLogonRight',
-    'SeBackupPrivilege',
-    'SeChangeNotifyPrivilege',
-    'SeSystemtimePrivilege',
-    'SeCreatePagefilePrivilege',
-    'SeDebugPrivilege',
-    'SeRemoteShutdownPrivilege',
-    'SeAuditPrivilege',
-    'SeIncreaseQuotaPrivilege',
-    'SeIncreaseBasePriorityPrivilege',
-    'SeLoadDriverPrivilege',
-    'SeBatchLogonRight',
-    'SeServiceLogonRight',
-    'SeInteractiveLogonRight',
-    'SeSecurityPrivilege',
-    'SeSystemEnvironmentPrivilege',
-    'SeProfileSingleProcessPrivilege',
-    'SeSystemProfilePrivilege',
-    'SeAssignPrimaryTokenPrivilege',
-    'SeRestorePrivilege',
-    'SeShutdownPrivilege',
-    'SeTakeOwnershipPrivilege',
-    'SeUndockPrivilege',
-    'SeManageVolumePrivilege',
-    'SeRemoteInteractiveLogonRight',
-    'SeImpersonatePrivilege',
-    'SeCreateGlobalPrivilege',
-    'SeIncreaseWorking',
-    'SeTimeZonePrivilege',
-    'SeCreateSymbolicLinkPrivilege',
-    'SeDenyNetworkLogonRight', # Deny access to this computer from the network
-    'SeDenyInteractiveLogonRight', # Deny logon locally
-    'SeDenyBatchLogonRight', # Deny logon as a batch job
-    'SeDenyServiceLogonRight', # Deny logon as a service
-    'SeTcbPrivilege',
-    'SeMachineAccountPrivilege',
-    'SeCreateTokenPrivilege',
-    'SeCreatePermanentPrivilege',
-    'SeEnableDelegationPrivilege',
-    'SeLockMemoryPrivilege',
-    'SeSyncAgentPrivilege',
-    'SeUnsolicitedInputPrivilege',
-    'SeTrustedCredManAccessPrivilege',
-    'SeRelabelPrivilege', # the privilege to change a Windows integrity label (new to Windows Vista)
-    'SeDenyRemoteInteractiveLogonRight', # Deny logon through Terminal Services
-  ].freeze
-  class SecurityPolicy < Inspec.resource(1)
-    name 'security_policy'
-    desc 'Use the security_policy InSpec audit resource to test security policies on the Microsoft Windows platform.'
-    example "
-      describe security_policy do
-        its('SeNetworkLogonRight') { should include 'S-1-5-11' }
-      end
-      describe security_policy(translate_sid: true) do
-        its('SeNetworkLogonRight') { should include 'NT AUTHORITY\\Authenticated Users' }
-      end
-    "
-    def initialize(opts = {})
-      @translate_sid = opts[:translate_sid] || false
-    end
-    def content
-      read_content
-    end
-    def params(*opts)
-      opts.inject(read_params) do |res, nxt|
-        res.respond_to?(:key) ? res[nxt] : nil
-      end
-    end
-    def method_missing(name)
-      params = read_params
-      return nil if params.nil?
-      # deep search for hash key
-      params.extend Hashie::Extensions::DeepFind
-      res = params.deep_find(name.to_s)
-      # return an empty array if configuration does not include rights configuration
-      return [] if res.nil? && MS_PRIVILEGES_RIGHTS.include?(name.to_s)
-      res
-    end
-    def to_s
-      'Security Policy'
-    end
-    private
-    def read_content
-      return @content if defined?(@content)
-      # using process pid to prevent any race conditions with multiple runners
-      export_file = "win_secpol-#{Process.pid}.cfg"
-      # export the security policy
-      cmd = inspec.command("secedit /export /cfg #{export_file}")
-      return nil if cmd.exit_status.to_i != 0
-      # store file content
-      cmd = inspec.command("Get-Content #{export_file}")
-      return skip_resource "Can't read security policy" if cmd.exit_status.to_i != 0
-      @content = cmd.stdout
-    ensure
-      # delete temp file
-      inspec.command("Remove-Item #{export_file}").exit_status.to_i
-    end
-    def read_params
-      return @params if defined?(@params)
-      return @params = {} if read_content.nil?
-      conf = SimpleConfig.new(
-        @content,
-        assignment_regex: /^\s*(.*)=\s*(\S*)\s*$/,
-      )
-      @params = convert_hash(conf.params)
-    end
-    # extracts the values, this methods detects:
-    # numbers and SIDs and optimizes them for further usage
-    def extract_value(val)
-      if val =~ /^\d+$/
-        val.to_i
-      # special handling for SID array
-      elsif val =~ /[,]{0,1}\*\S/
-        if @translate_sid
-          val.split(',').map { |v|
-            object_name = inspec.command("(New-Object System.Security.Principal.SecurityIdentifier(\"#{v.sub('*S', 'S')}\")).Translate( [System.Security.Principal.NTAccount]).Value").stdout.to_s.strip
-            object_name.empty? || object_name.nil? ? v.sub('*S', 'S') : object_name
-          }
-        else
-          val.split(',').map { |v|
-            v.sub('*S', 'S')
-          }
-        end
-      # special handling for string values with "
-      elsif !(m = /^\"(.*)\"$/.match(val)).nil?
-        m[1]
-      else
-        val
-      end
-    end
-    def convert_hash(hash)
-      new_hash = {}
-      hash.each do |k, v|
-        v.is_a?(Hash) ? value = convert_hash(v) : value = extract_value(v)
-        new_hash[k.strip] = value
-      end
-      new_hash
-    end
-  end
-end
+# encoding: utf-8
+# author: Christoph Hartmann
+# author: Dominik Richter
+#
+# Security Configuration and Analysis
+#
+# Export local security policy:
+# secedit /export /cfg secpol.cfg
+#
+# @link http://www.microsoft.com/en-us/download/details.aspx?id=25250
+#
+# In Windows, some security options are managed differently that the local GPO
+# All local GPO parameters can be examined via Registry, but not all security
+# parameters. Therefore we need a combination of Registry and secedit output
+require 'hashie'
+module Inspec::Resources
+  # known and supported MS privilege rights
+  # @see https://technet.microsoft.com/en-us/library/dd277311.aspx
+  # @see https://msdn.microsoft.com/en-us/library/windows/desktop/bb530716(v=vs.85).aspx
+  MS_PRIVILEGES_RIGHTS = [
+    'SeNetworkLogonRight',
+    'SeBackupPrivilege',
+    'SeChangeNotifyPrivilege',
+    'SeSystemtimePrivilege',
+    'SeCreatePagefilePrivilege',
+    'SeDebugPrivilege',
+    'SeRemoteShutdownPrivilege',
+    'SeAuditPrivilege',
+    'SeIncreaseQuotaPrivilege',
+    'SeIncreaseBasePriorityPrivilege',
+    'SeLoadDriverPrivilege',
+    'SeBatchLogonRight',
+    'SeServiceLogonRight',
+    'SeInteractiveLogonRight',
+    'SeSecurityPrivilege',
+    'SeSystemEnvironmentPrivilege',
+    'SeProfileSingleProcessPrivilege',
+    'SeSystemProfilePrivilege',
+    'SeAssignPrimaryTokenPrivilege',
+    'SeRestorePrivilege',
+    'SeShutdownPrivilege',
+    'SeTakeOwnershipPrivilege',
+    'SeUndockPrivilege',
+    'SeManageVolumePrivilege',
+    'SeRemoteInteractiveLogonRight',
+    'SeImpersonatePrivilege',
+    'SeCreateGlobalPrivilege',
+    'SeIncreaseWorking',
+    'SeTimeZonePrivilege',
+    'SeCreateSymbolicLinkPrivilege',
+    'SeDenyNetworkLogonRight', # Deny access to this computer from the network
+    'SeDenyInteractiveLogonRight', # Deny logon locally
+    'SeDenyBatchLogonRight', # Deny logon as a batch job
+    'SeDenyServiceLogonRight', # Deny logon as a service
+    'SeTcbPrivilege',
+    'SeMachineAccountPrivilege',
+    'SeCreateTokenPrivilege',
+    'SeCreatePermanentPrivilege',
+    'SeEnableDelegationPrivilege',
+    'SeLockMemoryPrivilege',
+    'SeSyncAgentPrivilege',
+    'SeUnsolicitedInputPrivilege',
+    'SeTrustedCredManAccessPrivilege',
+    'SeRelabelPrivilege', # the privilege to change a Windows integrity label (new to Windows Vista)
+    'SeDenyRemoteInteractiveLogonRight', # Deny logon through Terminal Services
+  ].freeze
+  class SecurityPolicy < Inspec.resource(1)
+    name 'security_policy'
+    desc 'Use the security_policy InSpec audit resource to test security policies on the Microsoft Windows platform.'
+    example "
+      describe security_policy do
+        its('SeNetworkLogonRight') { should include 'S-1-5-11' }
+      end
+      describe security_policy(translate_sid: true) do
+        its('SeNetworkLogonRight') { should include 'NT AUTHORITY\\Authenticated Users' }
+      end
+    "
+    def initialize(opts = {})
+      @translate_sid = opts[:translate_sid] || false
+    end
+    def content
+      read_content
+    end
+    def params(*opts)
+      opts.inject(read_params) do |res, nxt|
+        res.respond_to?(:key) ? res[nxt] : nil
+      end
+    end
+    def method_missing(name)
+      params = read_params
+      return nil if params.nil?
+      # deep search for hash key
+      params.extend Hashie::Extensions::DeepFind
+      res = params.deep_find(name.to_s)
+      # return an empty array if configuration does not include rights configuration
+      return [] if res.nil? && MS_PRIVILEGES_RIGHTS.include?(name.to_s)
+      res
+    end
+    def to_s
+      'Security Policy'
+    end
+    private
+    def read_content
+      return @content if defined?(@content)
+      # using process pid to prevent any race conditions with multiple runners
+      export_file = "win_secpol-#{Process.pid}.cfg"
+      # export the security policy
+      cmd = inspec.command("secedit /export /cfg #{export_file}")
+      return nil if cmd.exit_status.to_i != 0
+      # store file content
+      cmd = inspec.command("Get-Content #{export_file}")
+      return skip_resource "Can't read security policy" if cmd.exit_status.to_i != 0
+      @content = cmd.stdout
+    ensure
+      # delete temp file
+      inspec.command("Remove-Item #{export_file}").exit_status.to_i
+    end
+    def read_params
+      return @params if defined?(@params)
+      return @params = {} if read_content.nil?
+      conf = SimpleConfig.new(
+        @content,
+        assignment_regex: /^\s*(.*)=\s*(\S*)\s*$/,
+      )
+      @params = convert_hash(conf.params)
+    end
+    # extracts the values, this methods detects:
+    # numbers and SIDs and optimizes them for further usage
+    def extract_value(val)
+      if val =~ /^\d+$/
+        val.to_i
+      # special handling for SID array
+      elsif val =~ /[,]{0,1}\*\S/
+        if @translate_sid
+          val.split(',').map { |v|
+            object_name = inspec.command("(New-Object System.Security.Principal.SecurityIdentifier(\"#{v.sub('*S', 'S')}\")).Translate( [System.Security.Principal.NTAccount]).Value").stdout.to_s.strip
+            object_name.empty? || object_name.nil? ? v.sub('*S', 'S') : object_name
+          }
+        else
+          val.split(',').map { |v|
+            v.sub('*S', 'S')
+          }
+        end
+      # special handling for string values with "
+      elsif !(m = /^\"(.*)\"$/.match(val)).nil?
+        m[1]
+      else
+        val
+      end
+    end
+    def convert_hash(hash)
+      new_hash = {}
+      hash.each do |k, v|
+        v.is_a?(Hash) ? value = convert_hash(v) : value = extract_value(v)
+        new_hash[k.strip] = value
+      end
+      new_hash
+    end
+  end
+end

data/lib/resources/service.rb CHANGED

@@ -1,784 +1,784 @@
-# encoding: utf-8
-# author: Christoph Hartmann
-# author: Dominik Richter
-# author: Stephan Renatus
-require 'hashie'
-module Inspec::Resources
-  class Runlevels < Hash
-    attr_accessor :owner
-    def self.from_hash(owner, hash = {}, filter = nil)
-      res = Runlevels.new(owner)
-      filter = filter.first if filter.is_a?(Array) && filter.length <= 1
-      ks = case filter
-           when nil
-             hash.keys
-           when Regexp
-             hash.keys.find_all { |x| x.to_s =~ filter }
-           when Array
-             f = filter.map(&:to_s)
-             hash.keys.find_all { |x| f.include?(x.to_s) }
-           when Numeric
-             hash.keys.include?(filter) ? [filter] : []
-           else
-             hash.keys.find_all { |x| x == filter }
-           end
-      ks.each { |k| res[k] = hash[k] }
-      res
-    end
-    def initialize(owner, default = false)
-      @owner = owner
-      super(default)
-    end
-    def filter(f)
-      Runlevels.from_hash(owner, self, f)
-    end
-    # Check if all runlevels are enabled
-    #
-    # @return [boolean] true if all runlevels are enabled
-    def enabled?
-      values.all?
-    end
-    # Check if all runlevels are disabled
-    #
-    # @return [boolean] true if all runlevels are disabled
-    def disabled?
-      values.none?
-    end
-    def to_s
-      "#{owner} runlevels #{keys.join(', ')}"
-    end
-  end
-  # We detect the init system for each operating system, based on the operating
-  # system.
-  #
-  # Fedora 15 : systemd
-  # RedHat 7 : systemd
-  # Ubuntu 15.04 : systemd
-  # Ubuntu < 15.04 : upstart
-  #
-  # TODO: extend the logic to detect the running init system, independently of OS
-  class Service < Inspec.resource(1)
-    name 'service'
-    desc 'Use the service InSpec audit resource to test if the named service is installed, running and/or enabled.'
-    example "
-      describe service('service_name') do
-        it { should be_installed }
-        it { should be_enabled }
-        it { should be_running }
-        its('type') { should be 'systemd' }
-        its ('startmode') { should be 'Auto'}
-      end
-      describe service('service_name').runlevels(3, 5) do
-        it { should be_enabled }
-      end
-      describe service('service_name').params do
-        its('UnitFileState') { should eq 'enabled' }
-      end
-    "
-    attr_reader :service_ctl
-    def initialize(service_name, service_ctl = nil)
-      @service_name = service_name
-      @service_mgmt = nil
-      @service_ctl ||= service_ctl
-      @cache = nil
-      @service_mgmt = select_service_mgmt
-      return skip_resource 'The `service` resource is not supported on your OS yet.' if @service_mgmt.nil?
-    end
-    def select_service_mgmt # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/MethodLength
-      os = inspec.os
-      platform = os[:name]
-      # Ubuntu
-      # @see: https://wiki.ubuntu.com/SystemdForUpstartUsers
-      # Ubuntu 15.04 : Systemd
-      #   Systemd runs with PID 1 as /sbin/init.
-      #   Upstart runs with PID 1 as /sbin/upstart.
-      # Ubuntu < 15.04 : Upstart
-      # Upstart runs with PID 1 as /sbin/init.
-      # Systemd runs with PID 1 as /lib/systemd/systemd.
-      if %w{ubuntu}.include?(platform)
-        version = os[:release].to_f
-        if version < 15.04
-          Upstart.new(inspec, service_ctl)
-        else
-          Systemd.new(inspec, service_ctl)
-        end
-      elsif %w{linuxmint}.include?(platform)
-        version = os[:release].to_f
-        if version < 18
-          Upstart.new(inspec, service_ctl)
-        else
-          Systemd.new(inspec, service_ctl)
-        end
-      elsif %w{debian}.include?(platform)
-        version = os[:release].to_i
-        if version > 7
-          Systemd.new(inspec, service_ctl)
-        else
-          SysV.new(inspec, service_ctl || '/usr/sbin/service')
-        end
-      elsif %w{redhat fedora centos oracle}.include?(platform)
-        version = os[:release].to_i
-        if (%w{redhat centos oracle}.include?(platform) && version >= 7) || (platform == 'fedora' && version >= 15)
-          Systemd.new(inspec, service_ctl)
-        else
-          SysV.new(inspec, service_ctl || '/sbin/service')
-        end
-      elsif %w{wrlinux}.include?(platform)
-        SysV.new(inspec, service_ctl)
-      elsif %w{mac_os_x}.include?(platform)
-        LaunchCtl.new(inspec, service_ctl)
-      elsif os.windows?
-        WindowsSrv.new(inspec)
-      elsif %w{freebsd}.include?(platform)
-        BSDInit.new(inspec, service_ctl)
-      elsif %w{arch}.include?(platform)
-        Systemd.new(inspec, service_ctl)
-      elsif %w{coreos}.include?(platform)
-        Systemd.new(inspec, service_ctl)
-      elsif %w{suse opensuse}.include?(platform)
-        if os[:release].to_i >= 12
-          Systemd.new(inspec, service_ctl)
-        else
-          SysV.new(inspec, service_ctl || '/sbin/service')
-        end
-      elsif %w{aix}.include?(platform)
-        SrcMstr.new(inspec)
-      elsif %w{amazon}.include?(platform)
-        Upstart.new(inspec, service_ctl)
-      elsif os.solaris?
-        Svcs.new(inspec)
-      end
-    end
-    def info
-      return nil if @service_mgmt.nil?
-      @cache ||= @service_mgmt.info(@service_name)
-    end
-    # verifies if the service is enabled
-    def enabled?(_level = nil)
-      return false if info.nil?
-      info[:enabled]
-    end
-    def params
-      return {} if info.nil?
-      Hashie::Mash.new(info[:params] || {})
-    end
-    # verifies the service is registered
-    def installed?(_name = nil, _version = nil)
-      return false if info.nil?
-      info[:installed]
-    end
-    # verifies the service is currently running
-    def running?(_under = nil)
-      return false if info.nil?
-      info[:running]
-    end
-    # get all runlevels that are available and their configuration
-    def runlevels(*args)
-      return Runlevels.new(self) if info.nil? or info[:runlevels].nil?
-      Runlevels.from_hash(self, info[:runlevels], args)
-    end
-    # returns the service type from info
-    def type
-      return nil if info.nil?
-      info[:type]
-    end
-    # returns the service name from info
-    def name
-      return @service_name if info.nil?
-      info[:name]
-    end
-    # returns the service description from info
-    def description
-      return nil if info.nil?
-      info[:description]
-    end
-    # returns the service start up mode from info
-    def startmode
-      return nil if info.nil?
-      info[:startmode]
-    end
-    def to_s
-      "Service #{@service_name}"
-    end
-    private :info
-  end
-  class ServiceManager
-    attr_reader :inspec, :service_ctl
-    def initialize(inspec, service_ctl = nil)
-      @inspec = inspec
-      @service_ctl ||= service_ctl
-    end
-  end
-  # @see: http://www.freedesktop.org/software/systemd/man/systemctl.html
-  # @see: http://www.freedesktop.org/software/systemd/man/systemd-system.conf.html
-  class Systemd < ServiceManager
-    def initialize(inspec, service_ctl = nil)
-      @service_ctl = service_ctl || 'systemctl'
-      super
-    end
-    def is_enabled?(service_name)
-      result = inspec.command("#{service_ctl} is-enabled #{service_name} --quiet")
-      return true if result.exit_status == 0
-      # Some systems may not have a `.service` file for a particular service
-      # which causes the `systemctl is-enabled` check to fail despite the
-      # service being enabled. In that event we fallback to `sysv_service`.
-      if result.stderr =~ /Failed to get.*No such file or directory/
-        return inspec.sysv_service(service_name).enabled?
-      end
-      false
-    end
-    def is_active?(service_name)
-      inspec.command("#{service_ctl} is-active #{service_name} --quiet").exit_status == 0
-    end
-    def info(service_name)
-      cmd = inspec.command("#{service_ctl} show --all #{service_name}")
-      return nil if cmd.exit_status.to_i != 0
-      # parse data
-      params = SimpleConfig.new(
-        cmd.stdout.chomp,
-        assignment_regex: /^\s*([^=]*?)\s*=\s*(.*?)\s*$/,
-        multiple_values: false,
-      ).params
-      # LoadState values eg. loaded, not-found
-      installed = params['LoadState'] == 'loaded'
-      {
-        name: params['Id'],
-        description: params['Description'],
-        installed: installed,
-        running: is_active?(service_name),
-        enabled: is_enabled?(service_name),
-        type: 'systemd',
-        params: params,
-      }
-    end
-  end
-  # AIX services
-  class SrcMstr < ServiceManager
-    attr_reader :name
-    def info(service_name)
-      @name = service_name
-      running = status?
-      return nil if running.nil?
-      {
-        name: service_name,
-        description: nil,
-        installed: true,
-        running: running,
-        enabled: enabled?,
-        type: 'srcmstr',
-      }
-    end
-    private
-    def status?
-      status_cmd = inspec.command("lssrc -s #{@name}")
-      return nil if status_cmd.exit_status.to_i != 0
-      status_cmd.stdout.split(/\n/).last.chomp =~ /active$/ ? true : false
-    end
-    def enabled?
-      enabled_rc_tcpip? || enabled_inittab?
-    end
-    def enabled_rc_tcpip?
-      inspec.command(
-        "grep -v ^# /etc/rc.tcpip | grep 'start ' | grep -Eq '(/{0,1}| )#{name} '",
-      ).exit_status == 0
-    end
-    def enabled_inittab?
-      inspec.command("lsitab #{name}").exit_status == 0
-    end
-  end
-  # @see: http://upstart.ubuntu.com
-  class Upstart < ServiceManager
-    def initialize(service_name, service_ctl = nil)
-      @service_ctl = service_ctl || 'initctl'
-      super
-    end
-    def info(service_name)
-      # get the status of upstart service
-      status = inspec.command("#{service_ctl} status #{service_name}")
-      # fallback for systemv services, those are not handled via `initctl`
-      return SysV.new(inspec).info(service_name) if status.exit_status.to_i != 0 || status.stdout == ''
-      # @see: http://upstart.ubuntu.com/cookbook/#job-states
-      # grep for running to indicate the service is there
-      running = !status.stdout[%r{start/running}].nil?
-      {
-        name: service_name,
-        description: nil,
-        installed: true,
-        running: running,
-        enabled: info_enabled(service_name),
-        type: 'upstart',
-      }
-    end
-    private
-    def info_enabled(service_name)
-      # check if a service is enabled
-      config = inspec.file("/etc/init/#{service_name}.conf").content
-      # disregard if the config does not exist
-      return nil if config.nil?
-      !config.match(/^\s*start on/).nil?
-    end
-    def version
-      @version ||= begin
-        out = inspec.command("#{service_ctl} --version").stdout
-        Gem::Version.new(out[/\(upstart ([^\)]+)\)/, 1])
-      end
-    end
-  end
-  class SysV < ServiceManager
-    RUNLEVELS = { 0=>false, 1=>false, 2=>false, 3=>false, 4=>false, 5=>false, 6=>false }.freeze
-    def initialize(service_name, service_ctl = nil)
-      @service_ctl = service_ctl || 'service'
-      super
-    end
-    def info(service_name)
-      # check if service is installed
-      # read all available services via ls /etc/init.d/
-      srvlist = inspec.command('ls -1 /etc/init.d/')
-      return nil if srvlist.exit_status != 0
-      # check if the service is in list
-      service = srvlist.stdout.split("\n").select { |srv| srv == service_name }
-      # abort if we could not find any service
-      return nil if service.empty?
-      # read all enabled services from runlevel
-      # on rhel via: 'chkconfig --list', is not installed by default
-      # bash: for i in `find /etc/rc*.d -name S*`; do basename $i | sed -r 's/^S[0-9]+//'; done | sort | uniq
-      enabled_services_cmd = inspec.command('find /etc/rc*.d /etc/init.d/rc*.d -name "S*"').stdout
-      service_line = %r{rc(?<runlevel>[0-6])\.d/S[^/]*?#{Regexp.escape service_name}$}
-      all_services = enabled_services_cmd.split("\n").map { |line|
-        service_line.match(line)
-      }.compact
-      enabled = !all_services.empty?
-      # Determine a list of runlevels which this service is activated for
-      runlevels = RUNLEVELS.dup
-      all_services.each { |x| runlevels[x[:runlevel].to_i] = true }
-      # check if service is really running
-      # service throws an exit code if the service is not installed or
-      # not enabled
-      cmd = inspec.command("#{service_ctl} #{service_name} status")
-      running = cmd.exit_status == 0
-      {
-        name: service_name,
-        description: nil,
-        installed: true,
-        running: running,
-        enabled: enabled,
-        runlevels: runlevels,
-        type: 'sysv',
-      }
-    end
-  end
-  # @see: https://www.freebsd.org/doc/en/articles/linux-users/startup.html
-  # @see: https://www.freebsd.org/cgi/man.cgi?query=rc.conf&sektion=5
-  class BSDInit < ServiceManager
-    def initialize(service_name, service_ctl = nil)
-      @service_ctl = service_ctl || 'service'
-      super
-    end
-    def info(service_name)
-      # check if service is enabled
-      # services are enabled in /etc/rc.conf and /etc/defaults/rc.conf
-      # via #{service_name}_enable="YES"
-      # service SERVICE status returns the following result if not activated:
-      #   Cannot 'status' sshd. Set sshd_enable to YES in /etc/rc.conf or use 'onestatus' instead of 'status'.
-      # gather all enabled services
-      cmd = inspec.command("#{service_ctl} -e")
-      return nil if cmd.exit_status != 0
-      # search for the service
-      srv = /(^.*#{service_name}$)/.match(cmd.stdout)
-      return nil if srv.nil? || srv[0].nil?
-      enabled = true
-      # check if the service is running
-      # if the service is not available or not running, we always get an error code
-      cmd = inspec.command("#{service_ctl} #{service_name} onestatus")
-      running = cmd.exit_status == 0
-      {
-        name: service_name,
-        description: nil,
-        installed: true,
-        running: running,
-        enabled: enabled,
-        type: 'bsd-init',
-      }
-    end
-  end
-  class Runit < ServiceManager
-    def initialize(service_name, service_ctl = nil)
-      @service_ctl = service_ctl || 'sv'
-      super
-    end
-    # rubocop:disable Style/DoubleNegation
-    def info(service_name)
-      # get the status of runit service
-      cmd = inspec.command("#{service_ctl} status #{service_name}")
-      # return nil unless cmd.exit_status == 0 # NOTE(sr) why do we do this?
-      installed = cmd.exit_status == 0
-      running = installed && !!(cmd.stdout =~ /^run:/)
-      enabled = installed && (running || !!(cmd.stdout =~ /normally up/) || !!(cmd.stdout =~ /want up/))
-      {
-        name: service_name,
-        description: nil,
-        installed: installed,
-        running: running,
-        enabled: enabled,
-        type: 'runit',
-      }
-    end
-  end
-  # MacOS / Darwin
-  # new launctl on macos 10.10
-  class LaunchCtl < ServiceManager
-    def initialize(service_name, service_ctl = nil)
-      @service_ctl = service_ctl || 'launchctl'
-      super
-    end
-    def info(service_name)
-      # get the status of upstart service
-      cmd = inspec.command("#{service_ctl} list")
-      return nil if cmd.exit_status != 0
-      # search for the service
-      srv = /(^.*#{service_name}.*)/.match(cmd.stdout)
-      return nil if srv.nil? || srv[0].nil?
-      # extract values from service
-      parsed_srv = /^(?<pid>[0-9-]+)\t(?<exit>[0-9]+)\t(?<name>\S*)$/.match(srv[0])
-      enabled = !parsed_srv['name'].nil? # it's in the list
-      # check if the service is running
-      pid = parsed_srv['pid']
-      running = pid != '-'
-      # extract service label
-      srv = parsed_srv['name'] || service_name
-      {
-        name: srv,
-        description: nil,
-        installed: true,
-        running: running,
-        enabled: enabled,
-        type: 'darwin',
-      }
-    end
-  end
-  # Determine the service state from Windows
-  # Uses Powershell to retrieve the information
-  class WindowsSrv < ServiceManager
-    # Determine service details
-    # PS: Get-Service -Name 'dhcp'| Select-Object -Property Name, DisplayName, Status | ConvertTo-Json
-    # {
-    #     "Name":  "dhcp",
-    #     "DisplayName":  "DHCP Client",
-    #     "Status":  4
-    # }
-    #
-    # Until StartMode is not added to Get-Service, we need to do a workaround
-    # @see: https://connect.microsoft.com/PowerShell/feedback/details/424948/i-would-like-to-see-the-property-starttype-added-to-get-services
-    # Also see: https://msdn.microsoft.com/en-us/library/aa384896(v=vs.85).aspx
-    # Use the following powershell to determine the start mode
-    # PS: Get-WmiObject -Class Win32_Service | Where-Object {$_.Name -eq $name -or $_.DisplayName -eq $name} | Select-Object -Prop
-    # erty Name, StartMode, State, Status | ConvertTo-Json
-    # {
-    #     "Name":  "Dhcp",
-    #     "StartMode":  "Auto",
-    #     "State":  "Running",
-    #     "Status":  "OK"
-    # }
-    #
-    # Windows Services have the following status code:
-    # @see: https://msdn.microsoft.com/en-us/library/windows/desktop/ms685996(v=vs.85).aspx
-    # - 1: Stopped
-    # - 2: Starting
-    # - 3: Stopping
-    # - 4: Running
-    # - 5: Continue Pending
-    # - 6: Pause Pending
-    # - 7: Paused
-    def info(service_name)
-      cmd = inspec.command("New-Object -Type PSObject | Add-Member -MemberType NoteProperty -Name Service -Value (Get-Service -Name '#{service_name}'| Select-Object -Property Name, DisplayName, Status) -PassThru | Add-Member -MemberType NoteProperty -Name WMI -Value (Get-WmiObject -Class Win32_Service | Where-Object {$_.Name -eq '#{service_name}' -or $_.DisplayName -eq '#{service_name}'} | Select-Object -Property StartMode) -PassThru | ConvertTo-Json")
-      # cannot rely on exit code for now, successful command returns exit code 1
-      # return nil if cmd.exit_status != 0
-      # try to parse json
-      begin
-        service = JSON.parse(cmd.stdout)
-      rescue JSON::ParserError => _e
-        return nil
-      end
-      # check that we got a response
-      return nil if service.nil? || service['Service'].nil?
-      {
-        name: service['Service']['Name'],
-        description: service['Service']['DisplayName'],
-        installed: true,
-        running: service_running?(service),
-        enabled: service_enabled?(service),
-        startmode: service['WMI']['StartMode'],
-        type: 'windows',
-      }
-    end
-    private
-    # detect if service is enabled
-    def service_enabled?(service)
-      !service['WMI'].nil? &&
-        !service['WMI']['StartMode'].nil? &&
-        (service['WMI']['StartMode'] == 'Auto' ||
-        service['WMI']['StartMode'] == 'Manual')
-    end
-    # detect if service is running
-    def service_running?(service)
-      !service['Service']['Status'].nil? && service['Service']['Status'] == 4
-    end
-  end
-  # Solaris services
-  class Svcs < ServiceManager
-    def initialize(service_name, service_ctl = nil)
-      @service_ctl = service_ctl || 'svcs'
-      super
-    end
-    def info(service_name)
-      # get the status of runit service
-      cmd = inspec.command("#{service_ctl} -l #{service_name}")
-      return nil if cmd.exit_status != 0
-      params = SimpleConfig.new(
-        cmd.stdout.chomp,
-        assignment_regex: /^(\w+)\s*(.*)$/,
-        multiple_values: false,
-      ).params
-      installed = cmd.exit_status == 0
-      running = installed && (params['state'] == 'online')
-      enabled = installed && (params['enabled'] == 'true')
-      {
-        name: service_name,
-        description: params['name'],
-        installed: installed,
-        running: running,
-        enabled: enabled,
-        type: 'svcs',
-      }
-    end
-  end
-  # specific resources for specific service managers
-  class SystemdService < Service
-    name 'systemd_service'
-    desc 'Use the systemd_service InSpec audit resource to test if the named service (controlled by systemd) is installed, running and/or enabled.'
-    example "
-      # to override service mgmt auto-detection
-      describe systemd_service('service_name') do
-        it { should be_installed }
-        it { should be_enabled }
-        it { should be_running }
-      end
-      # to set a non-standard systemctl path
-      describe systemd_service('service_name', '/path/to/systemctl') do
-        it { should be_running }
-      end
-    "
-    def select_service_mgmt
-      Systemd.new(inspec, service_ctl)
-    end
-  end
-  class UpstartService < Service
-    name 'upstart_service'
-    desc 'Use the upstart_service InSpec audit resource to test if the named service (controlled by upstart) is installed, running and/or enabled.'
-    example "
-      # to override service mgmt auto-detection
-      describe upstart_service('service_name') do
-        it { should be_installed }
-        it { should be_enabled }
-        it { should be_running }
-      end
-      # to set a non-standard initctl path
-      describe upstart_service('service_name', '/path/to/initctl') do
-        it { should be_running }
-      end
-    "
-    def select_service_mgmt
-      Upstart.new(inspec, service_ctl)
-    end
-  end
-  class SysVService < Service
-    name 'sysv_service'
-    desc 'Use the sysv_service InSpec audit resource to test if the named service (controlled by SysV) is installed, running and/or enabled.'
-    example "
-      # to override service mgmt auto-detection
-      describe sysv_service('service_name') do
-        it { should be_installed }
-        it { should be_enabled }
-        it { should be_running }
-      end
-      # to set a non-standard service path
-      describe sysv_service('service_name', '/path/to/service') do
-        it { should be_running }
-      end
-    "
-    def select_service_mgmt
-      SysV.new(inspec, service_ctl)
-    end
-  end
-  class BSDService < Service
-    name 'bsd_service'
-    desc 'Use the bsd_service InSpec audit resource to test if the named service (controlled by BSD init) is installed, running and/or enabled.'
-    example "
-      # to override service mgmt auto-detection
-      describe bsd_service('service_name') do
-        it { should be_installed }
-        it { should be_enabled }
-        it { should be_running }
-      end
-      # to set a non-standard service path
-      describe bsd_service('service_name', '/path/to/service') do
-        it { should be_running }
-      end
-    "
-    def select_service_mgmt
-      BSDInit.new(inspec, service_ctl)
-    end
-  end
-  class LaunchdService < Service
-    name 'launchd_service'
-    desc 'Use the launchd_service InSpec audit resource to test if the named service (controlled by launchd) is installed, running and/or enabled.'
-    example "
-      # to override service mgmt auto-detection
-      describe launchd_service('service_name') do
-        it { should be_installed }
-        it { should be_enabled }
-        it { should be_running }
-      end
-      # to set a non-standard launchctl path
-      describe launchd_service('service_name', '/path/to/launchctl') do
-        it { should be_running }
-      end
-    "
-    def select_service_mgmt
-      LaunchCtl.new(inspec, service_ctl)
-    end
-  end
-  class RunitService < Service
-    name 'runit_service'
-    desc 'Use the runit_service InSpec audit resource to test if the named service (controlled by runit) is installed, running and/or enabled.'
-    example "
-      # to override service mgmt auto-detection
-      describe runit_service('service_name') do
-        it { should be_installed }
-        it { should be_enabled }
-        it { should be_running }
-      end
-      # to set a non-standard sv path
-      describe runit_service('service_name', '/path/to/sv') do
-        it { should be_running }
-      end
-    "
-    def select_service_mgmt
-      Runit.new(inspec, service_ctl)
-    end
-  end
-end
+# encoding: utf-8
+# author: Christoph Hartmann
+# author: Dominik Richter
+# author: Stephan Renatus
+require 'hashie'
+module Inspec::Resources
+  class Runlevels < Hash
+    attr_accessor :owner
+    def self.from_hash(owner, hash = {}, filter = nil)
+      res = Runlevels.new(owner)
+      filter = filter.first if filter.is_a?(Array) && filter.length <= 1
+      ks = case filter
+           when nil
+             hash.keys
+           when Regexp
+             hash.keys.find_all { |x| x.to_s =~ filter }
+           when Array
+             f = filter.map(&:to_s)
+             hash.keys.find_all { |x| f.include?(x.to_s) }
+           when Numeric
+             hash.keys.include?(filter) ? [filter] : []
+           else
+             hash.keys.find_all { |x| x == filter }
+           end
+      ks.each { |k| res[k] = hash[k] }
+      res
+    end
+    def initialize(owner, default = false)
+      @owner = owner
+      super(default)
+    end
+    def filter(f)
+      Runlevels.from_hash(owner, self, f)
+    end
+    # Check if all runlevels are enabled
+    #
+    # @return [boolean] true if all runlevels are enabled
+    def enabled?
+      values.all?
+    end
+    # Check if all runlevels are disabled
+    #
+    # @return [boolean] true if all runlevels are disabled
+    def disabled?
+      values.none?
+    end
+    def to_s
+      "#{owner} runlevels #{keys.join(', ')}"
+    end
+  end
+  # We detect the init system for each operating system, based on the operating
+  # system.
+  #
+  # Fedora 15 : systemd
+  # RedHat 7 : systemd
+  # Ubuntu 15.04 : systemd
+  # Ubuntu < 15.04 : upstart
+  #
+  # TODO: extend the logic to detect the running init system, independently of OS
+  class Service < Inspec.resource(1)
+    name 'service'
+    desc 'Use the service InSpec audit resource to test if the named service is installed, running and/or enabled.'
+    example "
+      describe service('service_name') do
+        it { should be_installed }
+        it { should be_enabled }
+        it { should be_running }
+        its('type') { should be 'systemd' }
+        its ('startmode') { should be 'Auto'}
+      end
+      describe service('service_name').runlevels(3, 5) do
+        it { should be_enabled }
+      end
+      describe service('service_name').params do
+        its('UnitFileState') { should eq 'enabled' }
+      end
+    "
+    attr_reader :service_ctl
+    def initialize(service_name, service_ctl = nil)
+      @service_name = service_name
+      @service_mgmt = nil
+      @service_ctl ||= service_ctl
+      @cache = nil
+      @service_mgmt = select_service_mgmt
+      return skip_resource 'The `service` resource is not supported on your OS yet.' if @service_mgmt.nil?
+    end
+    def select_service_mgmt # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/MethodLength
+      os = inspec.os
+      platform = os[:name]
+      # Ubuntu
+      # @see: https://wiki.ubuntu.com/SystemdForUpstartUsers
+      # Ubuntu 15.04 : Systemd
+      #   Systemd runs with PID 1 as /sbin/init.
+      #   Upstart runs with PID 1 as /sbin/upstart.
+      # Ubuntu < 15.04 : Upstart
+      # Upstart runs with PID 1 as /sbin/init.
+      # Systemd runs with PID 1 as /lib/systemd/systemd.
+      if %w{ubuntu}.include?(platform)
+        version = os[:release].to_f
+        if version < 15.04
+          Upstart.new(inspec, service_ctl)
+        else
+          Systemd.new(inspec, service_ctl)
+        end
+      elsif %w{linuxmint}.include?(platform)
+        version = os[:release].to_f
+        if version < 18
+          Upstart.new(inspec, service_ctl)
+        else
+          Systemd.new(inspec, service_ctl)
+        end
+      elsif %w{debian}.include?(platform)
+        version = os[:release].to_i
+        if version > 7
+          Systemd.new(inspec, service_ctl)
+        else
+          SysV.new(inspec, service_ctl || '/usr/sbin/service')
+        end
+      elsif %w{redhat fedora centos oracle}.include?(platform)
+        version = os[:release].to_i
+        if (%w{redhat centos oracle}.include?(platform) && version >= 7) || (platform == 'fedora' && version >= 15)
+          Systemd.new(inspec, service_ctl)
+        else
+          SysV.new(inspec, service_ctl || '/sbin/service')
+        end
+      elsif %w{wrlinux}.include?(platform)
+        SysV.new(inspec, service_ctl)
+      elsif %w{mac_os_x}.include?(platform)
+        LaunchCtl.new(inspec, service_ctl)
+      elsif os.windows?
+        WindowsSrv.new(inspec)
+      elsif %w{freebsd}.include?(platform)
+        BSDInit.new(inspec, service_ctl)
+      elsif %w{arch}.include?(platform)
+        Systemd.new(inspec, service_ctl)
+      elsif %w{coreos}.include?(platform)
+        Systemd.new(inspec, service_ctl)
+      elsif %w{suse opensuse}.include?(platform)
+        if os[:release].to_i >= 12
+          Systemd.new(inspec, service_ctl)
+        else
+          SysV.new(inspec, service_ctl || '/sbin/service')
+        end
+      elsif %w{aix}.include?(platform)
+        SrcMstr.new(inspec)
+      elsif %w{amazon}.include?(platform)
+        Upstart.new(inspec, service_ctl)
+      elsif os.solaris?
+        Svcs.new(inspec)
+      end
+    end
+    def info
+      return nil if @service_mgmt.nil?
+      @cache ||= @service_mgmt.info(@service_name)
+    end
+    # verifies if the service is enabled
+    def enabled?(_level = nil)
+      return false if info.nil?
+      info[:enabled]
+    end
+    def params
+      return {} if info.nil?
+      Hashie::Mash.new(info[:params] || {})
+    end
+    # verifies the service is registered
+    def installed?(_name = nil, _version = nil)
+      return false if info.nil?
+      info[:installed]
+    end
+    # verifies the service is currently running
+    def running?(_under = nil)
+      return false if info.nil?
+      info[:running]
+    end
+    # get all runlevels that are available and their configuration
+    def runlevels(*args)
+      return Runlevels.new(self) if info.nil? or info[:runlevels].nil?
+      Runlevels.from_hash(self, info[:runlevels], args)
+    end
+    # returns the service type from info
+    def type
+      return nil if info.nil?
+      info[:type]
+    end
+    # returns the service name from info
+    def name
+      return @service_name if info.nil?
+      info[:name]
+    end
+    # returns the service description from info
+    def description
+      return nil if info.nil?
+      info[:description]
+    end
+    # returns the service start up mode from info
+    def startmode
+      return nil if info.nil?
+      info[:startmode]
+    end
+    def to_s
+      "Service #{@service_name}"
+    end
+    private :info
+  end
+  class ServiceManager
+    attr_reader :inspec, :service_ctl
+    def initialize(inspec, service_ctl = nil)
+      @inspec = inspec
+      @service_ctl ||= service_ctl
+    end
+  end
+  # @see: http://www.freedesktop.org/software/systemd/man/systemctl.html
+  # @see: http://www.freedesktop.org/software/systemd/man/systemd-system.conf.html
+  class Systemd < ServiceManager
+    def initialize(inspec, service_ctl = nil)
+      @service_ctl = service_ctl || 'systemctl'
+      super
+    end
+    def is_enabled?(service_name)
+      result = inspec.command("#{service_ctl} is-enabled #{service_name} --quiet")
+      return true if result.exit_status == 0
+      # Some systems may not have a `.service` file for a particular service
+      # which causes the `systemctl is-enabled` check to fail despite the
+      # service being enabled. In that event we fallback to `sysv_service`.
+      if result.stderr =~ /Failed to get.*No such file or directory/
+        return inspec.sysv_service(service_name).enabled?
+      end
+      false
+    end
+    def is_active?(service_name)
+      inspec.command("#{service_ctl} is-active #{service_name} --quiet").exit_status == 0
+    end
+    def info(service_name)
+      cmd = inspec.command("#{service_ctl} show --all #{service_name}")
+      return nil if cmd.exit_status.to_i != 0
+      # parse data
+      params = SimpleConfig.new(
+        cmd.stdout.chomp,
+        assignment_regex: /^\s*([^=]*?)\s*=\s*(.*?)\s*$/,
+        multiple_values: false,
+      ).params
+      # LoadState values eg. loaded, not-found
+      installed = params['LoadState'] == 'loaded'
+      {
+        name: params['Id'],
+        description: params['Description'],
+        installed: installed,
+        running: is_active?(service_name),
+        enabled: is_enabled?(service_name),
+        type: 'systemd',
+        params: params,
+      }
+    end
+  end
+  # AIX services
+  class SrcMstr < ServiceManager
+    attr_reader :name
+    def info(service_name)
+      @name = service_name
+      running = status?
+      return nil if running.nil?
+      {
+        name: service_name,
+        description: nil,
+        installed: true,
+        running: running,
+        enabled: enabled?,
+        type: 'srcmstr',
+      }
+    end
+    private
+    def status?
+      status_cmd = inspec.command("lssrc -s #{@name}")
+      return nil if status_cmd.exit_status.to_i != 0
+      status_cmd.stdout.split(/\n/).last.chomp =~ /active$/ ? true : false
+    end
+    def enabled?
+      enabled_rc_tcpip? || enabled_inittab?
+    end
+    def enabled_rc_tcpip?
+      inspec.command(
+        "grep -v ^# /etc/rc.tcpip | grep 'start ' | grep -Eq '(/{0,1}| )#{name} '",
+      ).exit_status == 0
+    end
+    def enabled_inittab?
+      inspec.command("lsitab #{name}").exit_status == 0
+    end
+  end
+  # @see: http://upstart.ubuntu.com
+  class Upstart < ServiceManager
+    def initialize(service_name, service_ctl = nil)
+      @service_ctl = service_ctl || 'initctl'
+      super
+    end
+    def info(service_name)
+      # get the status of upstart service
+      status = inspec.command("#{service_ctl} status #{service_name}")
+      # fallback for systemv services, those are not handled via `initctl`
+      return SysV.new(inspec).info(service_name) if status.exit_status.to_i != 0 || status.stdout == ''
+      # @see: http://upstart.ubuntu.com/cookbook/#job-states
+      # grep for running to indicate the service is there
+      running = !status.stdout[%r{start/running}].nil?
+      {
+        name: service_name,
+        description: nil,
+        installed: true,
+        running: running,
+        enabled: info_enabled(service_name),
+        type: 'upstart',
+      }
+    end
+    private
+    def info_enabled(service_name)
+      # check if a service is enabled
+      config = inspec.file("/etc/init/#{service_name}.conf").content
+      # disregard if the config does not exist
+      return nil if config.nil?
+      !config.match(/^\s*start on/).nil?
+    end
+    def version
+      @version ||= begin
+        out = inspec.command("#{service_ctl} --version").stdout
+        Gem::Version.new(out[/\(upstart ([^\)]+)\)/, 1])
+      end
+    end
+  end
+  class SysV < ServiceManager
+    RUNLEVELS = { 0=>false, 1=>false, 2=>false, 3=>false, 4=>false, 5=>false, 6=>false }.freeze
+    def initialize(service_name, service_ctl = nil)
+      @service_ctl = service_ctl || 'service'
+      super
+    end
+    def info(service_name)
+      # check if service is installed
+      # read all available services via ls /etc/init.d/
+      srvlist = inspec.command('ls -1 /etc/init.d/')
+      return nil if srvlist.exit_status != 0
+      # check if the service is in list
+      service = srvlist.stdout.split("\n").select { |srv| srv == service_name }
+      # abort if we could not find any service
+      return nil if service.empty?
+      # read all enabled services from runlevel
+      # on rhel via: 'chkconfig --list', is not installed by default
+      # bash: for i in `find /etc/rc*.d -name S*`; do basename $i | sed -r 's/^S[0-9]+//'; done | sort | uniq
+      enabled_services_cmd = inspec.command('find /etc/rc*.d /etc/init.d/rc*.d -name "S*"').stdout
+      service_line = %r{rc(?<runlevel>[0-6])\.d/S[^/]*?#{Regexp.escape service_name}$}
+      all_services = enabled_services_cmd.split("\n").map { |line|
+        service_line.match(line)
+      }.compact
+      enabled = !all_services.empty?
+      # Determine a list of runlevels which this service is activated for
+      runlevels = RUNLEVELS.dup
+      all_services.each { |x| runlevels[x[:runlevel].to_i] = true }
+      # check if service is really running
+      # service throws an exit code if the service is not installed or
+      # not enabled
+      cmd = inspec.command("#{service_ctl} #{service_name} status")
+      running = cmd.exit_status == 0
+      {
+        name: service_name,
+        description: nil,
+        installed: true,
+        running: running,
+        enabled: enabled,
+        runlevels: runlevels,
+        type: 'sysv',
+      }
+    end
+  end
+  # @see: https://www.freebsd.org/doc/en/articles/linux-users/startup.html
+  # @see: https://www.freebsd.org/cgi/man.cgi?query=rc.conf&sektion=5
+  class BSDInit < ServiceManager
+    def initialize(service_name, service_ctl = nil)
+      @service_ctl = service_ctl || 'service'
+      super
+    end
+    def info(service_name)
+      # check if service is enabled
+      # services are enabled in /etc/rc.conf and /etc/defaults/rc.conf
+      # via #{service_name}_enable="YES"
+      # service SERVICE status returns the following result if not activated:
+      #   Cannot 'status' sshd. Set sshd_enable to YES in /etc/rc.conf or use 'onestatus' instead of 'status'.
+      # gather all enabled services
+      cmd = inspec.command("#{service_ctl} -e")
+      return nil if cmd.exit_status != 0
+      # search for the service
+      srv = /(^.*#{service_name}$)/.match(cmd.stdout)
+      return nil if srv.nil? || srv[0].nil?
+      enabled = true
+      # check if the service is running
+      # if the service is not available or not running, we always get an error code
+      cmd = inspec.command("#{service_ctl} #{service_name} onestatus")
+      running = cmd.exit_status == 0
+      {
+        name: service_name,
+        description: nil,
+        installed: true,
+        running: running,
+        enabled: enabled,
+        type: 'bsd-init',
+      }
+    end
+  end
+  class Runit < ServiceManager
+    def initialize(service_name, service_ctl = nil)
+      @service_ctl = service_ctl || 'sv'
+      super
+    end
+    # rubocop:disable Style/DoubleNegation
+    def info(service_name)
+      # get the status of runit service
+      cmd = inspec.command("#{service_ctl} status #{service_name}")
+      # return nil unless cmd.exit_status == 0 # NOTE(sr) why do we do this?
+      installed = cmd.exit_status == 0
+      running = installed && !!(cmd.stdout =~ /^run:/)
+      enabled = installed && (running || !!(cmd.stdout =~ /normally up/) || !!(cmd.stdout =~ /want up/))
+      {
+        name: service_name,
+        description: nil,
+        installed: installed,
+        running: running,
+        enabled: enabled,
+        type: 'runit',
+      }
+    end
+  end
+  # MacOS / Darwin
+  # new launctl on macos 10.10
+  class LaunchCtl < ServiceManager
+    def initialize(service_name, service_ctl = nil)
+      @service_ctl = service_ctl || 'launchctl'
+      super
+    end
+    def info(service_name)
+      # get the status of upstart service
+      cmd = inspec.command("#{service_ctl} list")
+      return nil if cmd.exit_status != 0
+      # search for the service
+      srv = /(^.*#{service_name}.*)/.match(cmd.stdout)
+      return nil if srv.nil? || srv[0].nil?
+      # extract values from service
+      parsed_srv = /^(?<pid>[0-9-]+)\t(?<exit>[0-9]+)\t(?<name>\S*)$/.match(srv[0])
+      enabled = !parsed_srv['name'].nil? # it's in the list
+      # check if the service is running
+      pid = parsed_srv['pid']
+      running = pid != '-'
+      # extract service label
+      srv = parsed_srv['name'] || service_name
+      {
+        name: srv,
+        description: nil,
+        installed: true,
+        running: running,
+        enabled: enabled,
+        type: 'darwin',
+      }
+    end
+  end
+  # Determine the service state from Windows
+  # Uses Powershell to retrieve the information
+  class WindowsSrv < ServiceManager
+    # Determine service details
+    # PS: Get-Service -Name 'dhcp'| Select-Object -Property Name, DisplayName, Status | ConvertTo-Json
+    # {
+    #     "Name":  "dhcp",
+    #     "DisplayName":  "DHCP Client",
+    #     "Status":  4
+    # }
+    #
+    # Until StartMode is not added to Get-Service, we need to do a workaround
+    # @see: https://connect.microsoft.com/PowerShell/feedback/details/424948/i-would-like-to-see-the-property-starttype-added-to-get-services
+    # Also see: https://msdn.microsoft.com/en-us/library/aa384896(v=vs.85).aspx
+    # Use the following powershell to determine the start mode
+    # PS: Get-WmiObject -Class Win32_Service | Where-Object {$_.Name -eq $name -or $_.DisplayName -eq $name} | Select-Object -Prop
+    # erty Name, StartMode, State, Status | ConvertTo-Json
+    # {
+    #     "Name":  "Dhcp",
+    #     "StartMode":  "Auto",
+    #     "State":  "Running",
+    #     "Status":  "OK"
+    # }
+    #
+    # Windows Services have the following status code:
+    # @see: https://msdn.microsoft.com/en-us/library/windows/desktop/ms685996(v=vs.85).aspx
+    # - 1: Stopped
+    # - 2: Starting
+    # - 3: Stopping
+    # - 4: Running
+    # - 5: Continue Pending
+    # - 6: Pause Pending
+    # - 7: Paused
+    def info(service_name)
+      cmd = inspec.command("New-Object -Type PSObject | Add-Member -MemberType NoteProperty -Name Service -Value (Get-Service -Name '#{service_name}'| Select-Object -Property Name, DisplayName, Status) -PassThru | Add-Member -MemberType NoteProperty -Name WMI -Value (Get-WmiObject -Class Win32_Service | Where-Object {$_.Name -eq '#{service_name}' -or $_.DisplayName -eq '#{service_name}'} | Select-Object -Property StartMode) -PassThru | ConvertTo-Json")
+      # cannot rely on exit code for now, successful command returns exit code 1
+      # return nil if cmd.exit_status != 0
+      # try to parse json
+      begin
+        service = JSON.parse(cmd.stdout)
+      rescue JSON::ParserError => _e
+        return nil
+      end
+      # check that we got a response
+      return nil if service.nil? || service['Service'].nil?
+      {
+        name: service['Service']['Name'],
+        description: service['Service']['DisplayName'],
+        installed: true,
+        running: service_running?(service),
+        enabled: service_enabled?(service),
+        startmode: service['WMI']['StartMode'],
+        type: 'windows',
+      }
+    end
+    private
+    # detect if service is enabled
+    def service_enabled?(service)
+      !service['WMI'].nil? &&
+        !service['WMI']['StartMode'].nil? &&
+        (service['WMI']['StartMode'] == 'Auto' ||
+        service['WMI']['StartMode'] == 'Manual')
+    end
+    # detect if service is running
+    def service_running?(service)
+      !service['Service']['Status'].nil? && service['Service']['Status'] == 4
+    end
+  end
+  # Solaris services
+  class Svcs < ServiceManager
+    def initialize(service_name, service_ctl = nil)
+      @service_ctl = service_ctl || 'svcs'
+      super
+    end
+    def info(service_name)
+      # get the status of runit service
+      cmd = inspec.command("#{service_ctl} -l #{service_name}")
+      return nil if cmd.exit_status != 0
+      params = SimpleConfig.new(
+        cmd.stdout.chomp,
+        assignment_regex: /^(\w+)\s*(.*)$/,
+        multiple_values: false,
+      ).params
+      installed = cmd.exit_status == 0
+      running = installed && (params['state'] == 'online')
+      enabled = installed && (params['enabled'] == 'true')
+      {
+        name: service_name,
+        description: params['name'],
+        installed: installed,
+        running: running,
+        enabled: enabled,
+        type: 'svcs',
+      }
+    end
+  end
+  # specific resources for specific service managers
+  class SystemdService < Service
+    name 'systemd_service'
+    desc 'Use the systemd_service InSpec audit resource to test if the named service (controlled by systemd) is installed, running and/or enabled.'
+    example "
+      # to override service mgmt auto-detection
+      describe systemd_service('service_name') do
+        it { should be_installed }
+        it { should be_enabled }
+        it { should be_running }
+      end
+      # to set a non-standard systemctl path
+      describe systemd_service('service_name', '/path/to/systemctl') do
+        it { should be_running }
+      end
+    "
+    def select_service_mgmt
+      Systemd.new(inspec, service_ctl)
+    end
+  end
+  class UpstartService < Service
+    name 'upstart_service'
+    desc 'Use the upstart_service InSpec audit resource to test if the named service (controlled by upstart) is installed, running and/or enabled.'
+    example "
+      # to override service mgmt auto-detection
+      describe upstart_service('service_name') do
+        it { should be_installed }
+        it { should be_enabled }
+        it { should be_running }
+      end
+      # to set a non-standard initctl path
+      describe upstart_service('service_name', '/path/to/initctl') do
+        it { should be_running }
+      end
+    "
+    def select_service_mgmt
+      Upstart.new(inspec, service_ctl)
+    end
+  end
+  class SysVService < Service
+    name 'sysv_service'
+    desc 'Use the sysv_service InSpec audit resource to test if the named service (controlled by SysV) is installed, running and/or enabled.'
+    example "
+      # to override service mgmt auto-detection
+      describe sysv_service('service_name') do
+        it { should be_installed }
+        it { should be_enabled }
+        it { should be_running }
+      end
+      # to set a non-standard service path
+      describe sysv_service('service_name', '/path/to/service') do
+        it { should be_running }
+      end
+    "
+    def select_service_mgmt
+      SysV.new(inspec, service_ctl)
+    end
+  end
+  class BSDService < Service
+    name 'bsd_service'
+    desc 'Use the bsd_service InSpec audit resource to test if the named service (controlled by BSD init) is installed, running and/or enabled.'
+    example "
+      # to override service mgmt auto-detection
+      describe bsd_service('service_name') do
+        it { should be_installed }
+        it { should be_enabled }
+        it { should be_running }
+      end
+      # to set a non-standard service path
+      describe bsd_service('service_name', '/path/to/service') do
+        it { should be_running }
+      end
+    "
+    def select_service_mgmt
+      BSDInit.new(inspec, service_ctl)
+    end
+  end
+  class LaunchdService < Service
+    name 'launchd_service'
+    desc 'Use the launchd_service InSpec audit resource to test if the named service (controlled by launchd) is installed, running and/or enabled.'
+    example "
+      # to override service mgmt auto-detection
+      describe launchd_service('service_name') do
+        it { should be_installed }
+        it { should be_enabled }
+        it { should be_running }
+      end
+      # to set a non-standard launchctl path
+      describe launchd_service('service_name', '/path/to/launchctl') do
+        it { should be_running }
+      end
+    "
+    def select_service_mgmt
+      LaunchCtl.new(inspec, service_ctl)
+    end
+  end
+  class RunitService < Service
+    name 'runit_service'
+    desc 'Use the runit_service InSpec audit resource to test if the named service (controlled by runit) is installed, running and/or enabled.'
+    example "
+      # to override service mgmt auto-detection
+      describe runit_service('service_name') do
+        it { should be_installed }
+        it { should be_enabled }
+        it { should be_running }
+      end
+      # to set a non-standard sv path
+      describe runit_service('service_name', '/path/to/sv') do
+        it { should be_running }
+      end
+    "
+    def select_service_mgmt
+      Runit.new(inspec, service_ctl)
+    end
+  end
+end