class Inspec::Resources::AuditDaemon
Attributes
lines[RW]
params[R]
Public Class Methods
new()
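# File lib/inspec/resources/auditd.rb, line 30
# Builds the resource by running `/sbin/auditctl -l` and parsing its output
# into @params (see parse_content).
#
# @raise [Inspec::Exceptions::ResourceFailed] when `/sbin/auditctl` is missing,
#   when listing the rules exits non-zero, or when the output starts with
#   `LIST_RULES:` (the pre-2.3 audit format this resource does not parse)
def initialize
  unless inspec.command("/sbin/auditctl").exist?
    raise Inspec::Exceptions::ResourceFailed, "Command `/sbin/auditctl` does not exist"
  end

  auditctl_cmd = "/sbin/auditctl -l"
  result = inspec.command(auditctl_cmd)

  if result.exit_status != 0
    raise Inspec::Exceptions::ResourceFailed, "Command `#{auditctl_cmd}` failed with error: #{result.stderr}"
  end

  @content = result.stdout
  @params = []

  if @content =~ /^LIST_RULES:/
    # The two literals are joined by `\`; the trailing space on the first one
    # keeps the message from reading "outdated.The ...".
    raise Inspec::Exceptions::ResourceFailed, "The version of audit is outdated. " \
      "The `auditd` resource supports versions of audit >= 2.3."
  end

  parse_content
end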
Public Instance Methods
file_rules_for(line)
# File lib/inspec/resources/auditd.rb, line 154
# Records a watch rule (`-w` form) as one entry on @params.
# The entry carries the watched file, the `-k` key (nil when the line has
# no `-k `) and the `-p` permission characters.
#
# @param line [String] one line of `auditctl -l` output
# @return [Array] the updated @params
def file_rules_for(line)
  entry = {
    "file" => file_for(line),
    "key" => key_for(line),
    "permissions" => permissions_for(line),
  }
  @params.push(entry)
end
file_syscall_syntax_rules_for(line)
# File lib/inspec/resources/auditd.rb, line 104
# Records a `-F path=` style rule as one entry on @params.
# The `key=` field is split off the field list so the entry exposes both the
# full field list ("fields") and the list without the key ("fields_nokey").
#
# @param line [String] one line of `auditctl -l` output
# @return [Array] the updated @params
def file_syscall_syntax_rules_for(line)
  action, list = action_list_for(line)
  fields = rule_fields_for(line)
  key_field, fields_nokey = remove_key_from(fields)

  @params.push(
    {
      "file" => file_syscall_syntax_for(line),
      "list" => list,
      "action" => action,
      "fields" => fields,
      "permissions" => perms_in(fields),
      "key" => key_in(key_field.join("")),
      "fields_nokey" => fields_nokey,
    }
  )
end
parse_content()
# File lib/inspec/resources/auditd.rb, line 87
# Splits @content into @lines and classifies each line into @params entries.
# A `-F path=` line is always recorded in file-syscall form; independently of
# that, a line containing `-S ` is recorded as a syscall rule, otherwise a
# line containing `-w ` is recorded as a watch rule.
#
# @return [Array<String>] the lines that were processed
def parse_content
  @lines = @content.lines.map(&:chomp)

  lines.each do |line|
    # Not an elsif: the same line can also be recorded below.
    file_syscall_syntax_rules_for(line) if is_file_syscall_syntax?(line)

    if is_syscall?(line)
      syscall_rules_for(line)
    elsif is_file?(line)
      file_rules_for(line)
    end
  end
end
status(name = nil)
# File lib/inspec/resources/auditd.rb, line 70
# Returns the parsed output of `/sbin/auditctl -s`, either as a whole hash
# or as the single value for +name+. Both the raw output and the parsed hash
# are memoized, so auditctl runs at most once per resource instance.
#
# @param name [String, nil] a status key to look up, or nil for everything
# @return [Hash, String, nil] the full status hash, or the value for +name+
def status(name = nil)
  @status_content ||= inspec.command("/sbin/auditctl -s").stdout.chomp

  # See: https://github.com/inspec/inspec/issues/3113
  # Rewrite the single-line "AUDIT_STATUS: k=v k=v ..." layout into one
  # "k v" pair per line so the scan below handles both layouts.
  if @status_content.match?(/^AUDIT_STATUS/)
    @status_content = @status_content
      .gsub("AUDIT_STATUS: ", "")
      .tr(" ", "\n")
      .tr("=", " ")
  end

  @status_params ||= @status_content.scan(/^([^ ]+) (.*)$/).to_h

  name ? @status_params[name] : @status_params
end
syscall_rules_for(line)
# File lib/inspec/resources/auditd.rb, line 125
# Records a syscall rule (`-S` form) on @params, one entry per syscall named
# in the comma-separated `-S` list. All entries from one line share the
# same list/action/fields/key/arch/path/permissions/exit values.
#
# @param line [String] one line of `auditctl -l` output
# @return [Array<String>] the syscalls that were recorded
def syscall_rules_for(line)
  syscalls = syscalls_for(line)
  action, list = action_list_for(line)
  fields = rule_fields_for(line)
  key_field, fields_nokey = remove_key_from(fields)

  # Everything except "syscall" is identical for every entry of this line.
  common = {
    "list" => list,
    "action" => action,
    "fields" => fields,
    "key" => key_in(key_field.join("")),
    "arch" => arch_in(fields),
    "path" => path_in(fields),
    "permissions" => perms_in(fields),
    "exit" => exit_in(fields),
    "fields_nokey" => fields_nokey,
  }

  syscalls.each do |syscall|
    @params.push({ "syscall" => syscall }.merge(common))
  end
end
to_s()
# File lib/inspec/resources/auditd.rb, line 168
# Human-readable name of the resource, used in test output.
#
# @return [String]
def to_s = "Auditd Rules"
Private Instance Methods
action_list_for(line)
Processes the line and returns a pair of entries reflecting the 'action' and 'list' items.
@return [Array]
# File lib/inspec/resources/auditd.rb, line 194
# Extracts the `-a action,list` pair from a rule line.
# auditctl accepts the two parts in either order ("always,exit" or
# "exit,always"), so they are separated by value rather than by position.
#
# @param line [String] one line of `auditctl -l` output
# @return [Array] `[action, list]`; either may be nil when not present
def action_list_for(line)
  valid_actions = %w{never always}
  parts = line.scan(/-a ([^,]+),([^ ]+)\s?/).flatten

  actions, lists = parts.partition { |part| valid_actions.include?(part) }
  [actions.first, lists.first]
end
arch_in(fields)
# File lib/inspec/resources/auditd.rb, line 226
# Value of the first `arch=` field, or nil when there is none.
#
# @param fields [Array<String>] `key=value` fields from rule_fields_for
# @return [String, nil]
def arch_in(fields)
  arch_field = fields.find { |field| field.start_with?("arch=") }
  return nil unless arch_field

  arch_field.match(/arch=(\S+)\s?/)[1]
end
exit_in(fields)
# File lib/inspec/resources/auditd.rb, line 247
# Value of the first `exit=` field, or nil when there is none.
#
# @param fields [Array<String>] `key=value` fields from rule_fields_for
# @return [String, nil]
def exit_in(fields)
  exit_field = fields.find { |field| field.start_with?("exit=") }
  return nil unless exit_field

  exit_field.match(/exit=(\S+)\s?/)[1]
end
file_for(line)
# File lib/inspec/resources/auditd.rb, line 210
# Path following `-w ` on a watch rule line.
#
# @param line [String] a line that contains `-w `
# @return [String]
# @raise [NoMethodError] when the line has no `-w <path>` (nil match)
def file_for(line)
  line.match(/-w (?<path>[^ ]+)\s?/)[:path]
end
file_syscall_syntax_for(line)
# File lib/inspec/resources/auditd.rb, line 214
# Path following `-F path=` on a file-syscall style rule line.
#
# @param line [String] a line that contains `-F path=`
# @return [String]
# @raise [NoMethodError] when the line has no `-F path=<value>` (nil match)
def file_syscall_syntax_for(line)
  line.match(/-F path=(?<path>\S+)\s?/)[:path]
end
is_file?(line)
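# File lib/inspec/resources/auditd.rb, line 178
# Whether the line is a watch rule (`-w <path>` form).
# Uses `match?` so the predicate returns a plain boolean instead of
# allocating a MatchData that callers only test for truthiness.
#
# @param line [String] one line of `auditctl -l` output
# @return [Boolean]
def is_file?(line)
  line.match?(/-w /)
end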
is_file_syscall_syntax?(line)
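# File lib/inspec/resources/auditd.rb, line 182
# Whether the line uses the `-F path=` form of a file rule.
# Uses `match?` so the predicate returns a plain boolean instead of
# allocating a MatchData that callers only test for truthiness.
#
# @param line [String] one line of `auditctl -l` output
# @return [Boolean]
def is_file_syscall_syntax?(line)
  line.match?(/-F path=/)
end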
is_syscall?(line)
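# File lib/inspec/resources/auditd.rb, line 174
# Whether the line is a syscall rule (contains `-S `).
# Uses `match?` so the predicate returns a plain boolean instead of
# allocating a MatchData that callers only test for truthiness.
#
# @param line [String] one line of `auditctl -l` output
# @return [Boolean]
def is_syscall?(line)
  line.match?(/-S /)
end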
key_for(line)
# File lib/inspec/resources/auditd.rb, line 206
# Value following `-k ` on a rule line, or nil when the line has no `-k `.
#
# @param line [String] one line of `auditctl -l` output
# @return [String, nil]
def key_for(line)
  return unless line.include?("-k ")

  line.match(/-k (?<key>[^ ]+)\s?/)[:key]
end
key_in(field)
# File lib/inspec/resources/auditd.rb, line 254
# Value part of a `key=value` field; nil when there is no `=`.
# Only the first `=` is honoured: "key=a=b" yields "a".
#
# @param field [String]
# @return [String, nil]
def key_in(field)
  field.split("=")[1]
end
path_in(fields)
# File lib/inspec/resources/auditd.rb, line 240
# Value of the first `path=` field, or nil when there is none.
#
# @param fields [Array<String>] `key=value` fields from rule_fields_for
# @return [String, nil]
def path_in(fields)
  path_field = fields.find { |field| field.start_with?("path=") }
  return nil unless path_field

  path_field.match(/path=(\S+)\s?/)[1]
end
permissions_for(line)
# File lib/inspec/resources/auditd.rb, line 218
# Permission characters following `-p ` on a watch rule line, one per
# element (e.g. "wa" becomes ["w", "a"]).
#
# @param line [String] a line that contains `-p <perms>`
# @return [Array<String>]
# @raise [NoMethodError] when the line has no `-p <perms>` (nil match)
def permissions_for(line)
  # A regex literal on the left of =~ assigns the named capture to a local.
  /-p (?<perms>[^ ]+)/ =~ line
  perms.scan(/\w/)
end
perms_in(fields)
# File lib/inspec/resources/auditd.rb, line 233
# Permission characters of the first `perm=` field, one per element, or nil
# when there is no such field.
#
# @param fields [Array<String>] `key=value` fields from rule_fields_for
# @return [Array<String>, nil]
def perms_in(fields)
  perm_field = fields.find { |field| field.start_with?("perm=") }
  return nil unless perm_field

  perm_field.match(/perm=(\S+)\s?/)[1].scan(/\w/)
end
remove_key_from(fields)
# File lib/inspec/resources/auditd.rb, line 259
# Splits the fields into those that start with "key" and all the others,
# preserving order within each group.
#
# @param fields [Array<String>] `key=value` fields from rule_fields_for
# @return [Array(Array<String>, Array<String>)] `[key_fields, other_fields]`
def remove_key_from(fields)
  fields.each_with_object([[], []]) do |field, (keys, rest)|
    (field.start_with?("key") ? keys : rest) << field
  end
end
rule_fields_for(line)
# File lib/inspec/resources/auditd.rb, line 222
# Collects the `-F` fields of a rule line as a flat list of tokens.
# The `-a <x>` and `-S <x>` options are stripped first, then the remainder is
# cut at each `-F ` and split on whitespace.
#
# @param line [String] one line of `auditctl -l` output
# @return [Array<String>]
def rule_fields_for(line)
  without_opts = line.gsub(/-[aS] [^ ]+ /, "")
  without_opts.split("-F ").flat_map(&:split)
end
syscalls_for(line)
# File lib/inspec/resources/auditd.rb, line 186
# Syscall names from the first `-S ` option, split on commas.
#
# @param line [String] a line that contains `-S <syscalls>`
# @return [Array<String>]
# @raise [NoMethodError] when the line has no `-S <value>` (nil match)
def syscalls_for(line)
  line[/-S ([^ ]+)\s?/, 1].split(",")
end