Class: Inspec::Resources::AuditDaemonRules

Inherits:

Object

• Object
• Inspec::Resources::AuditDaemonRules

Extended by:

Forwardable

Defined in:

lib/resources/auditd_rules.rb

Overview

rubocop:disable Metrics/ClassLength

Instance Attribute Summary

• #lines ⇒ Object

  Returns the value of attribute lines.

• #rules ⇒ Object

  Returns the value of attribute rules.

Instance Method Summary

• #file(name) ⇒ Object
• #initialize ⇒ AuditDaemonRules constructor

  A new instance of AuditDaemonRules.

• #key(name) ⇒ Object

  both files and syscalls have ‘key` identifiers.

• #LIST_RULES ⇒ Object

  non-legacy instances are not asked for ‘its(’LIST_RULES’)‘ rubocop:disable Style/MethodName.

• #parse_content ⇒ Object
• #status(name = nil) ⇒ Object
• #syscall(name) ⇒ Object
• #to_s ⇒ Object

Constructor Details

#initialize ⇒ AuditDaemonRules

Returns a new instance of AuditDaemonRules.

# File 'lib/resources/auditd_rules.rb', line 78

def initialize
  @content = inspec.command('/sbin/auditctl -l').stdout.chomp

  if @content =~ /^LIST_RULES:/
    # do not warn on centos 5
    unless inspec.os[:name] == 'centos' && inspec.os[:release].to_i == 5
      warn '[WARN] this version of auditd is outdated. Updating it allows for using more precise matchers.'
    end
    @legacy = AuditdRulesLegacy.new(@content)
  else
    parse_content
  end
end

Instance Attribute Details

#lines ⇒ Object

Returns the value of attribute lines.

# File 'lib/resources/auditd_rules.rb', line 51

def lines
  @lines
end

#rules ⇒ Object

Returns the value of attribute rules.

# File 'lib/resources/auditd_rules.rb', line 51

def rules
  @rules
end

Instance Method Details

#file(name) ⇒ Object

# File 'lib/resources/auditd_rules.rb', line 140

def file(name)
  select_name(:file, name)
end

#key(name) ⇒ Object

both files and syscalls have ‘key` identifiers

# File 'lib/resources/auditd_rules.rb', line 145

def key(name)
  res = rules.values.flatten.find_all { |rule| rule[:key] == name }
  FilterArray.new(res)
end

#LIST_RULES ⇒ Object

non-legacy instances are not asked for ‘its(’LIST_RULES’)‘ rubocop:disable Style/MethodName

# File 'lib/resources/auditd_rules.rb', line 94

def LIST_RULES
  return @legacy.LIST_RULES if @legacy
  raise 'Using legacy auditd_rules LIST_RULES interface with non-legacy audit package. Please use the new syntax.'
end

#parse_content ⇒ Object

# File 'lib/resources/auditd_rules.rb', line 109

def parse_content
  @rules = {
    syscalls: [],
    files: [],
  }
  @lines = @content.lines.map(&:chomp)

  lines.each do |line|
    if is_syscall?(line)
      syscalls = get_syscalls line
      action, list = get_action_list line
      fields, opts = get_fields line

      # create a 'flatter' structure because sanity
      syscalls.each do |s|
        @rules[:syscalls] << { syscall: s, list: list, action: action, fields: fields }.merge(opts)
      end
    elsif is_file?(line)
      file = get_file line
      perms = get_permissions line
      key = get_key line

      @rules[:files] << { file: file, key: key, permissions: perms }
    end
  end
end

#status(name = nil) ⇒ Object

# File 'lib/resources/auditd_rules.rb', line 99

def status(name = nil)
  return @legacy.status(name) if @legacy

  @status_content ||= inspec.command('/sbin/auditctl -s').stdout.chomp
  @status_params ||= Hash[@status_content.scan(/^([^ ]+) (.*)$/)]

  return @status_params[name] if name
  @status_params
end

#syscall(name) ⇒ Object

# File 'lib/resources/auditd_rules.rb', line 136

def syscall(name)
  select_name(:syscall, name)
end

#to_s ⇒ Object

# File 'lib/resources/auditd_rules.rb', line 150

def to_s
  'Audit Daemon Rules'
end