class Terrafying::Components::Auditd
Public Class Methods
fluentd_conf(role, tags = [])
# File lib/terrafying/components/auditd.rb, line 6
# Convenience entry point: builds a throwaway instance and delegates to
# the instance-level +fluentd_conf+.
#
# @param role [String] IAM role ARN the S3 output assumes (see +s3_output+)
# @param tags [Array] extra tags, forwarded unchanged
# @return [Hash] the +files+ / +iam_policy_statements+ hash of the instance method
def self.fluentd_conf(role, tags = [])
  builder = new
  builder.fluentd_conf(role, tags)
end
Public Instance Methods
allow_assume(role)
# File lib/terrafying/components/auditd.rb, line 58
# IAM policy statement allowing the caller to assume +role+; the fluentd
# S3 output relies on this via its +assume_role_credentials+ block, so no
# static AWS keys need to be placed in the config files.
#
# @param role [String] role ARN
# @return [Hash] statement with :Effect, :Action and :Resource keys
def allow_assume(role)
  actions = %w[sts:AssumeRole]
  # scoped to the single audit role, not a wildcard
  resources = [role]
  { Effect: 'Allow', Action: actions, Resource: resources }
end
allow_describe_instances()
# File lib/terrafying/components/auditd.rb, line 50
# Read-only EC2 describe permissions, presumably what the +ec2_metadata+
# filter in +ec2_filter+ needs to look up instance tags.
#
# +Resource: ['*']+ is used because the ec2:Describe* actions are not
# resource-scoped in IAM; the statement stays limited to these three
# read-only actions.
#
# @return [Hash] statement with :Effect, :Action and :Resource keys
def allow_describe_instances
  describe_actions = %w[
    ec2:DescribeInstances
    ec2:DescribeTags
    ec2:DescribeRouteTables
  ]
  { Effect: 'Allow', Action: describe_actions, Resource: ['*'] }
end
ec2_filter(tags)
# File lib/terrafying/components/auditd.rb, line 106
# Fluentd filter that enriches +auditd+ records with EC2 metadata and the
# given tags (rendered by +map_tags+, defined elsewhere in this file).
#
# @param tags [Hash] merged default/custom tags to add to each record
# @return [Hash] a +file_of+ entry for 20_auditd_filter_ec2.conf
def ec2_filter(tags)
  conf_name = '20_auditd_filter_ec2'
  filter_conf = <<~EC2_FILTER
    <filter auditd>
      @type ec2_metadata
      metadata_refresh_seconds 300
      <record>
        #{map_tags(tags)}
      </record>
    </filter>
  EC2_FILTER
  file_of(conf_name, filter_conf)
end
file_of(name, content)
# File lib/terrafying/components/auditd.rb, line 66
# Describe one fluentd config fragment to drop into /etc/fluentd/conf.d.
#
# Mode 0644 makes the file world-readable; the fragments generated here
# carry a role ARN, bucket and path names but no static credentials (the
# S3 output uses assume_role_credentials), so that is acceptable.
#
# @param name [String] file basename, without the .conf suffix
# @param content [String] file body
# @return [Hash] :path, :mode and :contents keys
def file_of(name, content)
  conf_path = "/etc/fluentd/conf.d/#{name}.conf"
  {
    path: conf_path,
    mode: 0o644,
    contents: content
  }
end
fluentd_conf(role, tags)
# File lib/terrafying/components/auditd.rb, line 10
# Assemble the fluentd config fragments and the IAM statements an instance
# needs to ship auditd journal events to S3.
#
# @param role [String] role ARN assumed by the S3 output
# @param tags [Array] custom tags, merged over +default_tags+ via
#   +custom_tags+ (both defined elsewhere in this file)
# @return [Hash] :files (three +file_of+ entries) and :iam_policy_statements
def fluentd_conf(role, tags)
  merged_tags = default_tags.merge(custom_tags(tags))
  conf_files = [systemd_input, ec2_filter(merged_tags), s3_output(role)]
  statements = [allow_describe_instances, allow_assume(role)]
  { files: conf_files, iam_policy_statements: statements }
end
s3_output(audit_role)
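# File lib/terrafying/components/auditd.rb, line 126
# Fluentd S3 output for +auditd+ records. Credentials come from assuming
# +audit_role+ (no static keys in the file). The destination bucket and
# region default to the values this component has always used and can be
# overridden by direct callers.
#
# Escapes: +\#{...}+ and +\%{...}+ are kept out of Ruby interpolation so
# fluentd sees them; fluentd expands +#{}+ in double-quoted values at load
# time and +%{}+ placeholders in +s3_object_key_format+.
#
# @param audit_role [String] role ARN for assume_role_credentials
# @param bucket [String] destination bucket; +auto_create_bucket false+
#   means it must already exist
# @param region [String] bucket region
# @return [Hash] a +file_of+ entry for 30_auditd_output_s3.conf
def s3_output(audit_role, bucket: 'uswitch-auditd-logs', region: 'eu-west-1')
  file_of(
    '30_auditd_output_s3',
    <<~S3_OUTPUT
      <match auditd>
        @type s3
        <assume_role_credentials>
          role_arn #{audit_role}
          role_session_name "auditd-logging-\#{Socket.gethostname}"
        </assume_role_credentials>
        auto_create_bucket false
        s3_bucket #{bucket}
        s3_region #{region}
        acl bucket-owner-full-control
        path auditd/%Y/%m/%d/
        s3_object_key_format "\%{path}\%{time_slice}_\#{Socket.gethostname}.\%{file_extension}"
        <buffer time>
          @type file
          path /fluent/var/s3
          timekey 300 # 5 minute partitions
          timekey_wait 0s
          timekey_use_utc true
        </buffer>
        <format>
          @type json
        </format>
      </match>
    S3_OUTPUT
  )
end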
systemd_input()
# File lib/terrafying/components/auditd.rb, line 74
# Fluentd source reading audit and sshd entries from the systemd journal
# and tagging them +auditd+. Single-quoted heredoc: nothing is
# interpolated by Ruby.
#
# NOTE(review): the position storage has +persistent false+ and the
# source has +read_from_head false+; if the cursor is only flushed at a
# clean shutdown, an unclean restart may skip journal entries written in
# between — confirm against the fluent-plugin-systemd version in use.
#
# @return [Hash] a +file_of+ entry for 10_auditd_input_systemd.conf
def systemd_input
  journal_conf = <<~'SYSTEMD_INPUT'
    <source>
      @type systemd
      tag auditd
      filters [{ "_TRANSPORT": "audit" }, { "_COMM": "sshd" }]
      path /fluentd/log/journal
      read_from_head false
      <storage>
        @type local
        persistent false
        path /fluentd/var/audit.pos
      </storage>
      <entry>
        field_map { "MESSAGE": "log", "_PID": ["process", "pid"], "_CMDLINE": "process", "_COMM": "cmd", "_AUDIT_SESSION": "audit_session", "_AUDIT_LOGINUID": "audit_loginuid" }
        fields_strip_underscores true
        fields_lowercase true
      </entry>
    </source>
  SYSTEMD_INPUT
  file_of('10_auditd_input_systemd', journal_conf)
end
wrap_tag(t)
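# File lib/terrafying/components/auditd.rb, line 32
# Normalise a tag key to the lower-case +tagset_+ form.
#
# Always returns a String, so a Symbol input cannot produce a Symbol key
# that a hash +merge+ would treat as distinct from its String twin. The
# prefix check is case-insensitive, so "TAGSET_x" is not prefixed twice
# before the final downcase.
#
# @param t [String, Symbol, #to_s] raw tag key
# @return [String] e.g. "tagset_foo"
def wrap_tag(t)
  name = t.to_s
  name = "tagset_#{name}" unless name.downcase.start_with?('tagset_')
  name.downcase
end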