Class: Inspec::Resources::AuditDaemon

Inherits:
Object
Extended by:
Forwardable
Defined in:
lib/inspec/resources/auditd.rb


Constructor Details

#initialize ⇒ AuditDaemon

Returns a new instance of AuditDaemon.



# File 'lib/inspec/resources/auditd.rb', line 30

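# Locates `auditctl`, runs `auditctl -l` and parses the active rule set
# into #params.
#
# The binary lives under /usr/sbin on Alpine and under /sbin elsewhere.
#
# @raise [Inspec::Exceptions::ResourceFailed] when auditctl is missing,
#   when `auditctl -l` exits non-zero, or when the output is in the legacy
#   `LIST_RULES:` format (audit < 2.3), which this resource rejects
def initialize
  @auditctl_cmd_str = inspec.os.name.eql?("alpine") ? "/usr/sbin/auditctl" : "/sbin/auditctl"
  unless inspec.command(@auditctl_cmd_str).exist?
    raise Inspec::Exceptions::ResourceFailed,
          "Command `#{@auditctl_cmd_str}` does not exist"
  end

  auditctl_cmd = "#{@auditctl_cmd_str} -l"
  result = inspec.command(auditctl_cmd)

  if result.exit_status != 0
    raise Inspec::Exceptions::ResourceFailed,
          "Command `#{auditctl_cmd}` failed with error: #{result.stderr}"
  end

  @content = result.stdout
  @params = []

  # Legacy auditctl output starts rule lines with "LIST_RULES:"; bail out
  # before parsing. The two message fragments need the separating space,
  # otherwise they render as "outdated.The".
  if @content.match?(/^LIST_RULES:/)
    raise Inspec::Exceptions::ResourceFailed,
          "The version of audit is outdated. " \
          "The `auditd` resource supports versions of audit >= 2.3."
  end
  parse_content
end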

Instance Attribute Details

#lines ⇒ Object

Returns the value of attribute lines.



# File 'lib/inspec/resources/auditd.rb', line 9

# The chomped lines of `auditctl -l` output; set by #parse_content,
# nil before that runs.
def lines
  @lines
end

#params ⇒ Object (readonly)

Returns the value of attribute params.



# File 'lib/inspec/resources/auditd.rb', line 10

# Parsed rules: one string-keyed Hash per rule, appended by the
# `*_rules_for` helpers while the resource is constructed. Read-only.
def params
  @params
end

Instance Method Details

#file_rules_for(line) ⇒ Object



# File 'lib/inspec/resources/auditd.rb', line 155

# Appends one params entry for a file rule, using the file, permissions
# and key helpers to pick the values out of +line+.
#
# @param line [String] a single line of `auditctl -l` output
# @return [Array<Hash>] the updated @params array
def file_rules_for(line)
  file = file_for(line)
  perms = permissions_for(line)
  key = key_for(line)

  entry = { "file" => file, "key" => key, "permissions" => perms }
  @params << entry
end

#file_syscall_syntax_rules_for(line) ⇒ Object



# File 'lib/inspec/resources/auditd.rb', line 105

# Appends one params entry for a file rule written in syscall syntax.
#
# The key is split off the field list so callers get both the full
# fields and a key-less copy; permissions are derived from the full list.
#
# @param line [String] a single line of `auditctl -l` output
# @return [Array<Hash>] the updated @params array
def file_syscall_syntax_rules_for(line)
  file = file_syscall_syntax_for(line)
  action, list = action_list_for(line)
  fields = rule_fields_for(line)
  key_field, fields_nokey = remove_key_from(fields)
  key = key_in(key_field.join(""))
  perms = perms_in(fields)

  entry = {
    "file" => file,
    "list" => list,
    "action" => action,
    "fields" => fields,
    "permissions" => perms,
    "key" => key,
    "fields_nokey" => fields_nokey,
  }
  @params << entry
end

#parse_content ⇒ Object



# File 'lib/inspec/resources/auditd.rb', line 88

# Splits the captured `auditctl -l` output into @lines and dispatches each
# line to the matching `*_rules_for` helper.
#
# The two checks are independent: a line that satisfies both the
# file-syscall-syntax predicate and the syscall (or file) predicate is
# recorded twice.
#
# @return [Array<String>] the parsed lines
def parse_content
  @lines = @content.each_line.map(&:chomp)

  @lines.each do |line|
    file_syscall_syntax_rules_for(line) if is_file_syscall_syntax?(line)

    if is_syscall?(line)
      syscall_rules_for(line)
    elsif is_file?(line)
      file_rules_for(line)
    end
  end
end

#status(name = nil) ⇒ Object



# File 'lib/inspec/resources/auditd.rb', line 71

# Returns the audit subsystem status as reported by `auditctl -s`.
#
# Both the raw command output and the parsed key/value table are
# memoised, so the command runs at most once per resource instance.
#
# @param name [String, nil] a single status key to look up
# @return [Hash{String => String}] all status pairs when +name+ is nil
# @return [String, nil] the value for +name+, or nil if that key is absent
def status(name = nil)
  @status_content ||= inspec.command("#{@auditctl_cmd_str} -s").stdout.chomp

  # See: https://github.com/inspec/inspec/issues/3113
  # A single "AUDIT_STATUS: k=v k=v ..." line is rewritten into one "k v"
  # pair per line so the scan below handles either layout.
  if @status_content.match?(/^AUDIT_STATUS/)
    @status_content = @status_content
      .gsub("AUDIT_STATUS: ", "")
      .tr(" ", "\n")
      .tr("=", " ")
  end

  @status_params ||= @status_content.scan(/^([^ ]+) (.*)$/).to_h

  name ? @status_params[name] : @status_params
end

#syscall_rules_for(line) ⇒ Object



# File 'lib/inspec/resources/auditd.rb', line 126

# Appends one params entry per syscall named on +line+.
#
# Every entry for the line shares the same list/action/fields/key/arch/
# path/permissions/exit values; only "syscall" differs.
#
# @param line [String] a single line of `auditctl -l` output
# @return [Array<String>] the syscalls found on the line
def syscall_rules_for(line)
  syscalls = syscalls_for(line)
  action, list = action_list_for(line)
  fields = rule_fields_for(line)
  key_field, fields_nokey = remove_key_from(fields)
  key = key_in(key_field.join(""))
  arch = arch_in(fields)
  path = path_in(fields)
  perms = perms_in(fields)
  exit_field = exit_in(fields)

  shared = {
    "list" => list,
    "action" => action,
    "fields" => fields,
    "key" => key,
    "arch" => arch,
    "path" => path,
    "permissions" => perms,
    "exit" => exit_field,
    "fields_nokey" => fields_nokey,
  }

  syscalls.each do |name|
    @params << { "syscall" => name }.merge(shared)
  end
end

#to_s ⇒ Object



# File 'lib/inspec/resources/auditd.rb', line 169

def to_s
  "Auditd Rules"
end