Class: Inspec::Resources::AuditDaemon

Inherits:
Object
Extended by:
Forwardable
Defined in:
lib/resources/auditd.rb



Constructor Details

#initialize ⇒ AuditDaemon

Returns a new instance of AuditDaemon.



# File 'lib/resources/auditd.rb', line 32

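# Builds the resource by running `auditctl -l` once and parsing the rule listing.
#
# `auditctl` is addressed by absolute path (`/sbin/auditctl`) so the lookup does
# not depend on the target's PATH. The raw listing is kept in @content; parsed
# rules are accumulated in @params by #parse_content.
#
# @raise [Inspec::Exceptions::ResourceFailed] when `/sbin/auditctl` is missing,
#   when `auditctl -l` exits non-zero, or when the output uses the legacy
#   `LIST_RULES:` format that this parser does not understand (audit < 2.3).
def initialize
  unless inspec.command('/sbin/auditctl').exist?
    raise Inspec::Exceptions::ResourceFailed,
          'Command `/sbin/auditctl` does not exist'
  end

  auditctl_cmd = '/sbin/auditctl -l'
  result = inspec.command(auditctl_cmd)

  if result.exit_status != 0
    raise Inspec::Exceptions::ResourceFailed,
          "Command `#{auditctl_cmd}` failed with error: #{result.stderr}"
  end

  @content = result.stdout
  @params = []

  # Old audit versions print rules in a `LIST_RULES:` format the parser below
  # cannot handle. The constant here was previously misspelled (`RsourceFailed`),
  # which would have surfaced as a NameError instead of the intended
  # ResourceFailed; it now matches the exception class used above. The two
  # message fragments are also joined with a space so the text reads correctly.
  if @content =~ /^LIST_RULES:/
    raise Inspec::Exceptions::ResourceFailed,
          'The version of audit is outdated. ' \
          'The `auditd` resource supports versions of audit >= 2.3.'
  end
  parse_content
end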

Instance Attribute Details

#lines ⇒ Object

Returns the value of attribute lines.



# File 'lib/resources/auditd.rb', line 11

# Reader for the chomped lines of the `auditctl -l` output.
#
# @return [Array<String>, nil] the lines set by #parse_content, or nil before parsing
def lines
  instance_variable_get(:@lines)
end

#params ⇒ Object (readonly)

Returns the value of attribute params.



# File 'lib/resources/auditd.rb', line 12

# Read-only accessor for the parsed rules.
#
# @return [Array<Hash>, nil] one hash per parsed rule (per syscall for syscall rules), nil before #initialize sets it
def params
  instance_variable_get(:@params)
end

Instance Method Details

#file_rules_for(line) ⇒ Object



# File 'lib/resources/auditd.rb', line 155

# Parses a plain file-watch rule line and appends it to @params.
#
# The three helper calls are kept in their original order (file, permissions,
# key) in case any of them has side effects.
#
# @param line [String] one line of `auditctl -l` output already classified as a file rule
# @return [Array<Hash>] @params after the new rule has been appended
def file_rules_for(line)
  watched_file = file_for(line)
  perms = permissions_for(line)
  rule_key = key_for(line)

  rule = {
    'file' => watched_file,
    'key' => rule_key,
    'permissions' => perms,
  }
  @params << rule
end

#file_syscall_syntax_rules_for(line) ⇒ Object



# File 'lib/resources/auditd.rb', line 105

# Parses a file rule expressed in syscall syntax and appends it to @params.
#
# Helper calls run in the original order; `fields` is stored as-is while
# `fields_nokey` is the same list with the key field removed, so the key is
# available both as a separate value and as part of the full field list.
#
# @param line [String] one line of `auditctl -l` output in file/syscall syntax
# @return [Array<Hash>] @params after the new rule has been appended
def file_syscall_syntax_rules_for(line)
  watched_file = file_syscall_syntax_for(line)
  action, list = action_list_for(line)
  fields = rule_fields_for(line)
  key_field, fields_nokey = remove_key_from(fields)
  rule_key = key_in(key_field.join(''))
  perms = perms_in(fields)

  rule = {
    'file' => watched_file,
    'list' => list,
    'action' => action,
    'fields' => fields,
    'permissions' => perms,
    'key' => rule_key,
    'fields_nokey' => fields_nokey,
  }
  @params << rule
end

#parse_content ⇒ Object



# File 'lib/resources/auditd.rb', line 88

# Splits @content into lines and dispatches each to the matching rule parser.
#
# A line that matches the file/syscall syntax is handed to
# #file_syscall_syntax_rules_for and is then still checked against the
# syscall/file predicates, so such a line may be recorded twice in @params.
# Syscall rules take precedence over plain file rules.
#
# @return [Array<String>] the parsed lines (the result of the `each` call)
def parse_content
  @lines = @content.lines.map(&:chomp)

  lines.each do |rule_line|
    file_syscall_syntax_rules_for(rule_line) if is_file_syscall_syntax?(rule_line)

    if is_syscall?(rule_line)
      syscall_rules_for(rule_line)
    elsif is_file?(rule_line)
      file_rules_for(rule_line)
    end
  end
end

#status(name = nil) ⇒ Object



# File 'lib/resources/auditd.rb', line 72

# Reads the daemon's runtime status from `auditctl -s` and caches it.
#
# Both the raw output and the parsed key/value hash are memoised in instance
# variables, so the command runs at most once per resource instance.
#
# @param name [String, nil] a status field to look up; nil returns every field
# @return [Hash{String => String}, String, nil] all fields, the one requested
#   field's value, or nil when the field is not present
def status(name = nil)
  @status_content ||= inspec.command('/sbin/auditctl -s').stdout.chomp

  # Some auditctl versions print the status as a single `AUDIT_STATUS: ` line
  # of `key=value` pairs; rewrite that into one `key value` pair per line so
  # the scan below handles both layouts.
  # See: https://github.com/inspec/inspec/issues/3113
  if @status_content =~ /^AUDIT_STATUS/
    single_line = @status_content.gsub('AUDIT_STATUS: ', '')
    @status_content = single_line.tr(' ', "\n").tr('=', ' ')
  end

  @status_params ||= @status_content.scan(/^([^ ]+) (.*)$/).to_h

  name ? @status_params[name] : @status_params
end

#syscall_rules_for(line) ⇒ Object



# File 'lib/resources/auditd.rb', line 126

# Parses a syscall rule line and appends one entry per syscall to @params.
#
# A rule naming several syscalls is expanded into one hash per syscall; all
# of those hashes share the same `fields`/`fields_nokey` array objects and
# the other parsed values, only 'syscall' differs. Helper calls keep their
# original order.
#
# @param line [String] one line of `auditctl -l` output classified as a syscall rule
# @return [Array] the list of syscalls that was iterated
def syscall_rules_for(line)
  syscalls = syscalls_for(line)
  action, list = action_list_for(line)
  fields = rule_fields_for(line)
  key_field, fields_nokey = remove_key_from(fields)
  rule_key = key_in(key_field.join(''))
  arch = arch_in(fields)
  path = path_in(fields)
  perms = perms_in(fields)
  exit_field = exit_in(fields)

  shared = {
    'list' => list,
    'action' => action,
    'fields' => fields,
    'key' => rule_key,
    'arch' => arch,
    'path' => path,
    'permissions' => perms,
    'exit' => exit_field,
    'fields_nokey' => fields_nokey,
  }

  syscalls.each do |syscall_name|
    @params << { 'syscall' => syscall_name }.merge(shared)
  end
end

#to_s ⇒ Object



# File 'lib/resources/auditd.rb', line 169

def to_s
  'Auditd Rules'
end