class Inspec::Resources::AuditDaemon

Attributes

lines[RW]
params[R]

Public Class Methods

# File lib/inspec/resources/auditd.rb, line 30
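# Builds the resource by running `/sbin/auditctl -l` through the inspec
# command runner and parsing the listed rules into `@params`.
#
# The binary is addressed by absolute path, so no PATH lookup is involved.
#
# @raise [Inspec::Exceptions::ResourceFailed] when `/sbin/auditctl` is not
#   present, when listing the rules exits non-zero (auditctl's stderr is
#   included in the message), or when the listing uses the legacy
#   `LIST_RULES:` format, which the field-based parser does not understand.
def initialize
  unless inspec.command("/sbin/auditctl").exist?
    raise Inspec::Exceptions::ResourceFailed,
          "Command `/sbin/auditctl` does not exist"
  end

  auditctl_cmd = "/sbin/auditctl -l"
  result = inspec.command(auditctl_cmd)

  # Surface auditctl's own stderr so the reason for the failure is visible
  # in the test output.
  if result.exit_status != 0
    raise Inspec::Exceptions::ResourceFailed,
          "Command `#{auditctl_cmd}` failed with error: #{result.stderr}"
  end

  @content = result.stdout
  @params = []

  # Older audit prints rules as `LIST_RULES: ...`; bail out with a clear
  # message instead of parsing that into nonsense. The two fragments are
  # joined with a space so the message reads as two sentences.
  if @content =~ /^LIST_RULES:/
    raise Inspec::Exceptions::ResourceFailed,
          "The version of audit is outdated. " \
          "The `auditd` resource supports versions of audit >= 2.3."
  end
  parse_content
end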

Public Instance Methods

# File lib/inspec/resources/auditd.rb, line 154
# Records one watch (`-w`) rule line as a params entry holding the watched
# file, the `-p` permission letters and the `-k` key (nil when absent).
#
# @param line [String] one chomped line of `auditctl -l` output
# @return [Array<Hash>] the updated `@params`
def file_rules_for(line)
  watched = file_for(line)
  perm_flags = permissions_for(line)
  rule_key = key_for(line)

  @params << { "file" => watched, "key" => rule_key, "permissions" => perm_flags }
end
# File lib/inspec/resources/auditd.rb, line 104
# Records one `-F path=` style file rule as a params entry. The rule's `-F`
# fields are kept both in full ("fields") and with the key field(s) removed
# ("fields_nokey"); the key value is taken from the key field(s) joined
# together.
#
# @param line [String] one chomped line of `auditctl -l` output
# @return [Array<Hash>] the updated `@params`
def file_syscall_syntax_rules_for(line)
  watched = file_syscall_syntax_for(line)
  action, list = action_list_for(line)
  fields = rule_fields_for(line)
  key_fields, other_fields = remove_key_from(fields)
  rule_key = key_in(key_fields.join(""))
  perm_flags = perms_in(fields)

  @params << {
    "file" => watched,
    "list" => list,
    "action" => action,
    "fields" => fields,
    "permissions" => perm_flags,
    "key" => rule_key,
    "fields_nokey" => other_fields,
  }
end
# File lib/inspec/resources/auditd.rb, line 87
# Splits the captured `auditctl -l` output into chomped lines (exposed via
# the `lines` reader) and dispatches each line to the matching rule parser.
#
# A `-F path=` line is always handed to the file-syscall parser; if it also
# contains `-S ` it is additionally recorded as a syscall rule, so such a line
# yields more than one params entry.
#
# @return [Array<String>] the parsed lines (result of the `each`)
def parse_content
  @lines = @content.lines.map(&:chomp)

  lines.each do |rule|
    file_syscall_syntax_rules_for(rule) if is_file_syscall_syntax?(rule)

    if is_syscall?(rule)
      syscall_rules_for(rule)
    elsif is_file?(rule)
      file_rules_for(rule)
    end
  end
end
# File lib/inspec/resources/auditd.rb, line 70
# Returns the daemon status reported by `/sbin/auditctl -s`, either as the
# whole key/value hash or as the value of a single key.
#
# The command output and the parsed hash are memoised, so auditctl runs at
# most once per resource instance.
#
# @param name [String, nil] a status key such as "enabled" or "pid"
# @return [Hash{String => String}, String, nil] the full hash when no name is
#   given, otherwise that key's value (nil when the key is absent)
def status(name = nil)
  @status_content ||= inspec.command("/sbin/auditctl -s").stdout.chomp

  # Newer auditctl prints one `AUDIT_STATUS: k=v k=v ...` line; rewrite it
  # into the older one `key value` per line layout that the scan expects.
  # See: https://github.com/inspec/inspec/issues/3113
  if @status_content =~ /^AUDIT_STATUS/
    @status_content = @status_content
      .gsub("AUDIT_STATUS: ", "")
      .tr(" ", "\n")
      .tr("=", " ")
  end

  @status_params ||= @status_content.scan(/^([^ ]+) (.*)$/).to_h

  name ? @status_params[name] : @status_params
end
# File lib/inspec/resources/auditd.rb, line 125
# Records one syscall (`-S`) rule line in `@params`, one entry per syscall
# named in the rule. Every entry carries the same rule-level attributes
# (action, list, fields, key, arch, path, permissions, exit).
#
# @param line [String] one chomped line of `auditctl -l` output
# @return [Array<String>] the syscall names iterated over
def syscall_rules_for(line)
  names = syscalls_for(line)
  action, list = action_list_for(line)
  fields = rule_fields_for(line)
  key_fields, other_fields = remove_key_from(fields)
  rule_key = key_in(key_fields.join(""))
  arch = arch_in(fields)
  path = path_in(fields)
  perm_flags = perms_in(fields)
  exit_code = exit_in(fields)

  names.each do |name|
    @params << {
      "syscall" => name,
      "list" => list,
      "action" => action,
      "fields" => fields,
      "key" => rule_key,
      "arch" => arch,
      "path" => path,
      "permissions" => perm_flags,
      "exit" => exit_code,
      "fields_nokey" => other_fields,
    }
  end
end
# File lib/inspec/resources/auditd.rb, line 168
def to_s
  "Auditd Rules"
end

Private Instance Methods


Processes the line and returns a pair of entries reflecting the 'action' and 'list' items.

@return [Array]

# File lib/inspec/resources/auditd.rb, line 194
# Extracts the `-a` action and list from a rule line.
#
# auditctl accepts both `-a action,list` and `-a list,action`, so the two
# captured tokens are classified by whether they are a known action rather
# than by position.
#
# @param line [String] one chomped line of `auditctl -l` output
# @return [Array] `[action, list]`, each nil when the line has no `-a`
def action_list_for(line)
  tokens = line.scan(/-a ([^,]+),([^ ]+)\s?/).flatten
  known_actions = %w{never always}

  actions, lists = tokens.partition { |token| known_actions.include?(token) }
  [actions.first, lists.first]
end
# File lib/inspec/resources/auditd.rb, line 226
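# Value of the first `arch=` field, or nil when the rule has none.
#
# @param fields [Array<String>] rule fields as produced by rule_fields_for
# @return [String, nil] e.g. "b64"
def arch_in(fields)
  field = fields.find { |f| f.start_with?("arch=") }
  return nil unless field

  # A bare "arch=" has nothing to capture; report nil instead of raising
  # NoMethodError on a missing MatchData.
  matched = field.match(/arch=(\S+)\s?/)
  matched && matched[1]
end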
# File lib/inspec/resources/auditd.rb, line 247
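# Value of the first `exit=` field, or nil when the rule has none.
#
# @param fields [Array<String>] rule fields as produced by rule_fields_for
# @return [String, nil] e.g. "-EACCES"
def exit_in(fields)
  field = fields.find { |f| f.start_with?("exit=") }
  return nil unless field

  # A bare "exit=" has nothing to capture; report nil instead of raising
  # NoMethodError on a missing MatchData.
  matched = field.match(/exit=(\S+)\s?/)
  matched && matched[1]
end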
# File lib/inspec/resources/auditd.rb, line 210
# Path watched by a `-w` rule line.
#
# @param line [String] a line known to contain `-w ` (see is_file?)
# @return [String] the watched path
# @raise [NoMethodError] when the line has no `-w <path>` token
def file_for(line)
  watch = line.match(/-w ([^ ]+)\s?/)
  watch[1]
end
# File lib/inspec/resources/auditd.rb, line 214
# Path named by the `-F path=` field of a rule line.
#
# @param line [String] a line known to contain `-F path=` (see is_file_syscall_syntax?)
# @return [String] the path value
# @raise [NoMethodError] when `-F path=` has no value
def file_syscall_syntax_for(line)
  path_field = line.match(/-F path=(\S+)\s?/)
  path_field[1]
end
# File lib/inspec/resources/auditd.rb, line 178
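# Whether the line is a watch (`-w`) rule.
#
# Uses `match?` so the predicate returns a plain boolean instead of a
# MatchData and does not allocate one.
#
# @param line [String] one chomped line of `auditctl -l` output
# @return [Boolean]
def is_file?(line)
  line.match?(/-w /)
end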
# File lib/inspec/resources/auditd.rb, line 182
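# Whether the line is a file rule written in syscall syntax (`-F path=`).
#
# Uses `match?` so the predicate returns a plain boolean instead of a
# MatchData and does not allocate one.
#
# @param line [String] one chomped line of `auditctl -l` output
# @return [Boolean]
def is_file_syscall_syntax?(line)
  line.match?(/-F path=/)
end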
# File lib/inspec/resources/auditd.rb, line 174
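# Whether the line is a syscall (`-S`) rule.
#
# Uses `match?` so the predicate returns a plain boolean instead of a
# MatchData and does not allocate one.
#
# @param line [String] one chomped line of `auditctl -l` output
# @return [Boolean]
def is_syscall?(line)
  line.match?(/-S /)
end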
# File lib/inspec/resources/auditd.rb, line 206
# Key given with `-k` on a watch rule line, or nil when the line has no `-k `.
#
# @param line [String] one chomped line of `auditctl -l` output
# @return [String, nil]
def key_for(line)
  return unless line.include?("-k ")

  line.match(/-k ([^ ]+)\s?/)[1]
end
# File lib/inspec/resources/auditd.rb, line 254
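# Value part of a `key=value` field.
#
# Splits on the first `=` only, so a key value that itself contains `=` is
# returned whole instead of being truncated at the second `=`.
#
# @param field [String] e.g. "key=passwd"; may be "" when the rule has no key
# @return [String, nil] the value, or nil when the field has no (or an empty) value
def key_in(field)
  _, value = field.split("=", 2)
  # With a limit, split keeps a trailing empty string; keep returning nil for
  # "key=" as the unlimited split did.
  value unless value.nil? || value.empty?
end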
# File lib/inspec/resources/auditd.rb, line 240
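# Value of the first `path=` field, or nil when the rule has none.
#
# @param fields [Array<String>] rule fields as produced by rule_fields_for
# @return [String, nil] e.g. "/etc/passwd"
def path_in(fields)
  field = fields.find { |f| f.start_with?("path=") }
  return nil unless field

  # A bare "path=" has nothing to capture; report nil instead of raising
  # NoMethodError on a missing MatchData.
  matched = field.match(/path=(\S+)\s?/)
  matched && matched[1]
end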
# File lib/inspec/resources/auditd.rb, line 218
# Permission letters of a watch rule's `-p` flag, one per array element.
#
# @param line [String] a watch rule line containing `-p <perms>`
# @return [Array<String>] e.g. ["w", "a"] for `-p wa`
# @raise [NoMethodError] when the line has no `-p <perms>` token
def permissions_for(line)
  perm_spec = line.match(/-p ([^ ]+)/)[1]
  perm_spec.scan(/\w/)
end
# File lib/inspec/resources/auditd.rb, line 233
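# Permission letters of the first `perm=` field, one per array element, or
# nil when the rule has no `perm=` field.
#
# @param fields [Array<String>] rule fields as produced by rule_fields_for
# @return [Array<String>, nil] e.g. ["w", "a"] for "perm=wa"
def perms_in(fields)
  field = fields.find { |f| f.start_with?("perm=") }
  return nil unless field

  # A bare "perm=" has nothing to capture; report nil instead of raising
  # NoMethodError on a missing MatchData.
  matched = field.match(/perm=(\S+)\s?/)
  matched && matched[1].scan(/\w/)
end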
# File lib/inspec/resources/auditd.rb, line 259
# Separates the key field(s) from the other rule fields.
#
# Any field whose text starts with "key" counts as a key field.
#
# @param fields [Array<String>] rule fields as produced by rule_fields_for
# @return [Array(Array<String>, Array<String>)] `[key_fields, remaining_fields]`,
#   both in their original order
def remove_key_from(fields)
  key_field = ->(field) { field.start_with?("key") }
  [fields.select(&key_field), fields.reject(&key_field)]
end
# File lib/inspec/resources/auditd.rb, line 222
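# Splits a syscall-style rule line into its `-F` field tokens.
#
# The `-a action,list` and `-S syscalls` tokens are removed first; the rest is
# split on `-F ` and then on whitespace, so each element is one field such as
# "arch=b64" or "key=x".
#
# @param line [String] one chomped line of `auditctl -l` output
# @return [Array<String>] the field tokens, empty for an empty line
def rule_fields_for(line)
  # The space after the token is optional so that a `-S` group ending the
  # line is removed too, instead of leaking "-S" and the syscall names into
  # the returned fields.
  stripped = line.gsub(/-[aS] [^ ]+ ?/, "")
  stripped.split("-F ").flat_map { |chunk| chunk.split(" ") }
end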
# File lib/inspec/resources/auditd.rb, line 186
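# Syscall names listed by the `-S` flag(s) of a rule line.
#
# Every `-S` group on the line is included and each group is split on ",",
# so both `-S open,close` and `-S open -S close` yield ["open", "close"].
#
# @param line [String] one chomped line of `auditctl -l` output
# @return [Array<String>] syscall names, empty when the line has no `-S <names>`
def syscalls_for(line)
  line.scan(/-S ([^ ]+)\s?/).flat_map { |(group)| group.split(",") }
end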