class Terrafying::Components::Auditd

# Convenience entry point: build the auditd fluentd configuration on a
# throwaway instance.
#
# @param role [String] ARN of the IAM role fluentd assumes to write to S3
# @param tags [Array<String, Symbol>] extra EC2 tag names to add to each
#   record (none by default)
# @return [Hash] :files and :iam_policy_statements (see #fluentd_conf)
def self.fluentd_conf(role, tags = [])
  builder = new
  builder.fluentd_conf(role, tags)
end

# IAM statement allowing sts:AssumeRole on exactly one role (the one that
# owns the S3 log bucket) rather than on every role in the account.
#
# @param role [String] role ARN
# @return [Hash] IAM policy statement
def allow_assume(role)
  statement = { Effect: 'Allow' }
  statement[:Action] = ['sts:AssumeRole']
  statement[:Resource] = [role]
  statement
end
# IAM statement for the read-only EC2 Describe calls the ec2_metadata filter
# needs. These Describe actions do not accept resource-level restrictions, so
# Resource '*' is as narrow as the statement can be written.
#
# @return [Hash] IAM policy statement
def allow_describe_instances
  actions = ['ec2:DescribeInstances', 'ec2:DescribeTags', 'ec2:DescribeRouteTables']
  { Effect: 'Allow', Action: actions, Resource: ['*'] }
end
# Map each caller-supplied tag name to its ec2_metadata placeholder.
#
# @param tags [Array<String, Symbol>] tag names as given by the caller
# @return [Hash] tag name => wrapped placeholder (see #wrap_tag); empty for
#   an empty list
def custom_tags(tags)
  tags.each_with_object({}) { |tag, mapping| mapping[tag] = wrap_tag(tag) }
end
# Record fields added to every auditd event by the ec2_metadata filter:
# record key => plugin placeholder name. A fresh hash is returned on each
# call so callers may merge into it.
#
# @return [Hash{Symbol => String}]
def default_tags
  fields = {}
  fields[:name] = 'tagset_name'
  fields[:instance_id] = 'instance_id'
  fields[:instance_type] = 'instance_type'
  fields[:private_ip] = 'private_ip'
  fields[:az] = 'availability_zone'
  fields[:vpc_id] = 'vpc_id'
  fields[:ami_id] = 'image_id'
  fields[:account_id] = 'account_id'
  fields
end
      # fluentd filter that enriches every auditd record with EC2 metadata
      # (instance id, AZ, tags, ...) resolved by the ec2_metadata plugin.
      #
      # @param tags [Hash] record key => ec2_metadata placeholder
      #   (see #default_tags and #custom_tags)
      # @return [Hash] file spec from #file_of
      def ec2_filter(tags)
        # Keys and placeholders are interpolated verbatim into the config; they
        # originate from this component and the caller's tag list at build time,
        # not from runtime input.
        record_fields = map_tags(tags)
        filter = <<~EC2_FILTER
            <filter auditd>
              @type ec2_metadata
              metadata_refresh_seconds 300
              <record>
                #{record_fields}
              </record>
            </filter>
        EC2_FILTER
        file_of('20_auditd_filter_ec2', filter)
      end
# Describe one fluentd drop-in config file to be written on the host.
#
# @param name [String] base name; placed under /etc/fluentd/conf.d with a
#   .conf suffix
# @param content [String] file body
# @return [Hash] :path, :mode (0o644, world-readable) and :contents
def file_of(name, content)
  path = "/etc/fluentd/conf.d/#{name}.conf"
  { path: path, mode: 0o644, contents: content }
end
# Assemble the full auditd shipping configuration: three fluentd drop-in
# files (journal input, EC2 enrichment filter, S3 output) plus the IAM
# statements the instance role needs to run them.
#
# @param role [String] ARN of the role assumed when writing to S3
# @param tags [Array<String, Symbol>] extra EC2 tag names to add to records
# @return [Hash] :files (Array of #file_of specs) and :iam_policy_statements
def fluentd_conf(role, tags)
  # Caller tags are merged over the built-in fields; on a key clash the
  # caller's entry wins.
  record_tags = default_tags.merge(custom_tags(tags))

  conf_files = [systemd_input, ec2_filter(record_tags), s3_output(role)]
  policy = [allow_describe_instances, allow_assume(role)]

  { files: conf_files, iam_policy_statements: policy }
end
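# Render the <record> body of the ec2 filter: one "key ${placeholder}" line
# per tag, joined so that continuation lines align under the first one when
# interpolated into the heredoc in #ec2_filter.
#
# @param tags [Hash] record key => ec2_metadata placeholder
# @return [String] lines joined by "\n    "; empty string for an empty hash
#   (the former reduce-based version returned nil here, which interpolates
#   identically but is an inconsistent return type and mutated its
#   accumulator in place)
def map_tags(tags)
  tags.map { |key, placeholder| "#{key} ${#{placeholder}}" }.join("\n    ")
end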
      # fluentd output that ships auditd records to S3 as JSON, authenticating
      # by assuming audit_role. Bucket, region and ACL are fixed here; the
      # bucket-owner-full-control ACL and auto_create_bucket false keep objects
      # owned by the bucket account and prevent a misconfigured role from
      # creating a new bucket elsewhere.
      #
      # @param audit_role [String] role ARN interpolated into role_arn
      # @return [Hash] file spec from #file_of
      def s3_output(audit_role)
        # "\#{...}" and "\%{...}" are escaped so fluentd, not Ruby, expands them
        # at runtime (hostname in the session name and object key helps
        # attribute writes to an instance).
        output = <<~S3_OUTPUT
            <match auditd>
              @type s3
              <assume_role_credentials>
                role_arn #{audit_role}
                role_session_name "auditd-logging-\#{Socket.gethostname}"
              </assume_role_credentials>
              auto_create_bucket false
              s3_bucket uswitch-auditd-logs
              s3_region eu-west-1
              acl bucket-owner-full-control
              path auditd/%Y/%m/%d/
              s3_object_key_format "\%{path}\%{time_slice}_\#{Socket.gethostname}.\%{file_extension}"
              <buffer time>
                @type file
                path /fluent/var/s3
                timekey 300 # 5 minute partitions
                timekey_wait 0s
                timekey_use_utc true
              </buffer>
              <format>
                @type json
              </format>
            </match>
        S3_OUTPUT
        file_of('30_auditd_output_s3', output)
      end
      # fluentd source reading the systemd journal, keeping only kernel audit
      # entries (_TRANSPORT audit) and sshd output, and normalising the journal
      # field names into the record.
      #
      # NOTE(review): with `persistent false` and `read_from_head false` the
      # journal cursor does not look like it survives a fluentd restart, so
      # entries written while fluentd is down would be skipped — confirm
      # against the systemd plugin before relying on this for audit coverage.
      #
      # @return [Hash] file spec from #file_of
      def systemd_input
        # Single-quoted heredoc: no Ruby interpolation, content is literal.
        input = <<~'SYSTEMD_INPUT'
            <source>
              @type systemd
              tag auditd
              filters [{ "_TRANSPORT": "audit" }, { "_COMM": "sshd" }]
              path /fluentd/log/journal
              read_from_head false
              <storage>
                @type local
                persistent false
                path /fluentd/var/audit.pos
              </storage>
              <entry>
                field_map {
                  "MESSAGE": "log",
                  "_PID": ["process", "pid"],
                  "_CMDLINE": "process",
                  "_COMM": "cmd",
                  "_AUDIT_SESSION": "audit_session",
                  "_AUDIT_LOGINUID": "audit_loginuid"
                }
                fields_strip_underscores true
                fields_lowercase true
              </entry>
            </source>
        SYSTEMD_INPUT
        file_of('10_auditd_input_systemd', input)
      end
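# Normalise a caller-supplied EC2 tag name into the ec2_metadata placeholder
# form: lowercase, prefixed with "tagset_".
#
# The prefix test is applied to the lowercased name, so an already-prefixed
# but differently-cased input ("Tagset_Foo") yields "tagset_foo" rather than
# "tagset_tagset_foo" (the previous case-sensitive check double-prefixed it).
# The result is always a String, including for Symbol input.
#
# @param t [String, Symbol] tag name
# @return [String] "tagset_<lowercased name>"
def wrap_tag(t)
  name = t.to_s.downcase
  name.start_with?('tagset_') ? name : "tagset_#{name}"
end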