Class: Inspec::Resources::AuditDaemon

Inherits:
Object
  • Object
show all
Extended by:
Forwardable
Defined in:
lib/resources/auditd.rb

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initializeAuditDaemon

Returns a new instance of AuditDaemon.



32
33
34
35
36
37
38
39
40
 
# File 'lib/resources/auditd.rb', line 32

def initialize
  @content = inspec.command('/sbin/auditctl -l').stdout.chomp
  @params = []

  if @content =~ /^LIST_RULES:/
    return skip_resource 'The version of audit is outdated. The `auditd` resource supports versions of audit >= 2.3.'
  end
  parse_content
end

Instance Attribute Details

#linesObject

Returns the value of attribute lines.



11
12
13
 
# File 'lib/resources/auditd.rb', line 11

def lines
  @lines
end

#paramsObject (readonly)

Returns the value of attribute params.



12
13
14
 
# File 'lib/resources/auditd.rb', line 12

def params
  @params
end

Instance Method Details

#file_rules_for(line) ⇒ Object 



142
143
144
145
146
147
148
149
150
151
152
153
154
 
# File 'lib/resources/auditd.rb', line 142

def file_rules_for(line)
  file = file_for(line)
  perms = permissions_for(line)
  key = key_for(line)

  @params.push(
    {
      'file' => file,
      'key' => key,
      'permissions' => perms,
    },
  )
end

#file_syscall_syntax_rules_for(line) ⇒ Object 



92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
 
# File 'lib/resources/auditd.rb', line 92

def file_syscall_syntax_rules_for(line)
  file = file_syscall_syntax_for(line)
  action, list = action_list_for(line)
  fields = rule_fields_for(line)
  key_field, fields_nokey = remove_key_from(fields)
  key = key_in(key_field.join(''))
  perms = perms_in(fields)

  @params.push(
    {
      'file' => file,
      'list' => list,
      'action' => action,
      'fields' => fields,
      'permissions' => perms,
      'key' => key,
      'fields_nokey' => fields_nokey,
    },
  )
end

#parse_contentObject 



75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
 
# File 'lib/resources/auditd.rb', line 75

def parse_content
  @lines = @content.lines.map(&:chomp)

  lines.each do |line|
    if is_file_syscall_syntax?(line)
      file_syscall_syntax_rules_for(line)
    end

    if is_syscall?(line)
      syscall_rules_for(line)

    elsif is_file?(line)
      file_rules_for(line)
    end
  end
end

#status(name = nil) ⇒ Object 



59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
 
# File 'lib/resources/auditd.rb', line 59

def status(name = nil)
  @status_content ||= inspec.command('/sbin/auditctl -s').stdout.chomp

  # See: https://github.com/inspec/inspec/issues/3113
  if @status_content =~ /^AUDIT_STATUS/
    @status_content = @status_content.gsub('AUDIT_STATUS: ', '')
                                     .tr(' ', "\n")
                                     .tr('=', ' ')
  end

  @status_params ||= Hash[@status_content.scan(/^([^ ]+) (.*)$/)]

  return @status_params[name] if name
  @status_params
end

#syscall_rules_for(line) ⇒ Object 



113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
 
# File 'lib/resources/auditd.rb', line 113

def syscall_rules_for(line)
  syscalls = syscalls_for(line)
  action, list = action_list_for(line)
  fields = rule_fields_for(line)
  key_field, fields_nokey = remove_key_from(fields)
  key = key_in(key_field.join(''))
  arch = arch_in(fields)
  path = path_in(fields)
  perms = perms_in(fields)
  exit_field = exit_in(fields)

  syscalls.each do |s|
    @params.push(
      {
        'syscall' => s,
        'list' => list,
        'action' => action,
        'fields' => fields,
        'key' => key,
        'arch' => arch,
        'path' => path,
        'permissions' => perms,
        'exit' => exit_field,
        'fields_nokey' => fields_nokey,
      },
    )
  end
end

#to_sObject 



156
157
158
 
# File 'lib/resources/auditd.rb', line 156

def to_s
  'Auditd Rules'
end