Class: Inspec::Resources::LinuxAuditSystem

Inherits:

Object

• Object
• Inspec::Resources::LinuxAuditSystem

Defined in:

lib/inspec/resources/linux_audit_system.rb

Instance Attribute Summary

• #auditctl_utility ⇒ Object readonly

  Returns the value of attribute auditctl_utility.

Instance Method Summary

• #enabled? ⇒ Boolean

  The be_enabled matcher checks if the auditing is enabled.

• #initialize ⇒ LinuxAuditSystem constructor

  Resource initialization.

• #rules ⇒ Object

  The rules property returns the array of audit rules obtained on auditctl -l.

• #running? ⇒ Boolean

  The be_running matcher checks if the audit daemon is running.

• #to_s ⇒ Object

  Resource appearance in test reports.

Constructor Details

#initialize ⇒ LinuxAuditSystem

Resource initialization.

# File 'lib/inspec/resources/linux_audit_system.rb', line 26

def initialize
  skip_resource "The `linux_audit_system` resource is not yet available on your OS." unless inspec.os.linux?
  @auditctl_utility = find_auditctl_or_error
end

Instance Attribute Details

#auditctl_utility ⇒ Object (readonly)

Returns the value of attribute auditctl_utility.

# File 'lib/inspec/resources/linux_audit_system.rb', line 23

def auditctl_utility
  @auditctl_utility
end

Instance Method Details

#enabled? ⇒ Boolean

The be_enabled matcher checks if the auditing is enabled. The enabled flag 1 indicates that the auditing is enabled.

Returns:

• (Boolean)

Raises:

• (Inspec::Exceptions::ResourceFailed)

# File 'lib/inspec/resources/linux_audit_system.rb', line 38

def enabled?
  auditctl_cmd = inspec.command("#{auditctl_utility} -s | grep enabled")

  raise Inspec::Exceptions::ResourceFailed, "Executing #{auditctl_utility} -s | grep enabled failed: #{auditctl_cmd.stderr}" if auditctl_cmd.exit_status.to_i != 0

  # Sample stdout: enabled 1
  auditctl_enabled_status = auditctl_cmd.stdout.strip.split
  auditctl_enabled_status[1].to_i == 1
end

#rules ⇒ Object

The rules property returns the array of audit rules obtained on auditctl -l. The auditctl -l list all rules, 1 per line.

Raises:

• (Inspec::Exceptions::ResourceFailed)

# File 'lib/inspec/resources/linux_audit_system.rb', line 62

def rules
  auditctl_cmd = inspec.command("#{auditctl_utility} -l")

  raise Inspec::Exceptions::ResourceFailed, "Executing #{auditctl_utility} -l: #{auditctl_cmd.stderr}" if auditctl_cmd.exit_status.to_i != 0

  auditctl_cmd.stdout.strip.split("\n")
end

#running? ⇒ Boolean

The be_running matcher checks if the audit daemon is running. A pid of 0 indicates that the audit daemon is not running.

Returns:

• (Boolean)

Raises:

• (Inspec::Exceptions::ResourceFailed)

# File 'lib/inspec/resources/linux_audit_system.rb', line 50

def running?
  auditctl_cmd = inspec.command("#{auditctl_utility} -s | grep pid")

  raise Inspec::Exceptions::ResourceFailed, "Executing #{auditctl_utility} -s | grep enabled failed: #{auditctl_cmd.stderr}" if auditctl_cmd.exit_status.to_i != 0

  # Sample stdout: pid 682462
  auditctl_running_status = auditctl_cmd.stdout.strip.split
  !auditctl_running_status[1].nil? && auditctl_running_status[1].to_i != 0
end

#to_s ⇒ Object

Resource appearance in test reports.

# File 'lib/inspec/resources/linux_audit_system.rb', line 32

def to_s
  "linux_audit_system"
end