inspec/lib/resources/auditd_rules.rb

# encoding: utf-8
# copyright: 2015, Vulcano Security GmbH
# author: Christoph Hartmann
# author: Dominik Richter
# license: All rights reserved

class AuditDaemonRules < Inspec.resource(1)
  name 'auditd_rules'
  desc 'Use the auditd_rules InSpec audit resource to test the rules for logging that exist on the system. The audit.rules file is typically located under /etc/audit/ and contains the list of rules that define what is captured in log files.'
  example "
    describe auditd_rules do
      its('LIST_RULES') {should contain_match(/^exit,always arch=.* key=time-change syscall=adjtimex,settimeofday/) }
      its('LIST_RULES') {should contain_match(/^exit,always arch=.* key=time-change syscall=stime,settimeofday,adjtimex/) }
      its('LIST_RULES') {should contain_match(/^exit,always arch=.* key=time-change syscall=clock_settime/)}
      its('LIST_RULES') {should contain_match(/^exit,always watch=\/etc\/localtime perm=wa key=time-change/)}
    end
  "

  def initialize
    @content = inspec.command('/sbin/auditctl -l').stdout.chomp

    @opts = {
      assignment_re: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/,
      multiple_values: true,
    }
  end

  def params
    @params ||= SimpleConfig.new(@content, @opts).params
  end

  def method_missing(name)
    params[name.to_s]
  end

  def status(name)
    @status_opts = {
      assignment_re: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/,
      multiple_values: false,
    }
    @status_content ||= inspec.command('/sbin/auditctl -s').stdout.chomp
    @status_params = SimpleConfig.new(@status_content, @status_opts).params

    status = @status_params['AUDIT_STATUS']
    return nil if status.nil?

    items = Hash[status.scan(/([^=]+)=(\w*)\s*/)]
    items[name]
  end

  def to_s
    'Audit Daemon Rules'
  end
end
feature: resources for audit daemon 2015-07-26 20:44:01 +00:00			`# encoding: utf-8`
			`# copyright: 2015, Vulcano Security GmbH`
add author header 2015-10-06 16:55:44 +00:00			`# author: Christoph Hartmann`
			`# author: Dominik Richter`
feature: resources for audit daemon 2015-07-26 20:44:01 +00:00			`# license: All rights reserved`

rename vulcanosec -> inspec 2015-10-26 03:04:18 +00:00			`class AuditDaemonRules < Inspec.resource(1)`
simplify auditd name 2015-10-26 10:10:30 +00:00			`name 'auditd_rules'`
add inline documentation 2015-11-27 13:02:38 +00:00			`desc 'Use the auditd_rules InSpec audit resource to test the rules for logging that exist on the system. The audit.rules file is typically located under /etc/audit/ and contains the list of rules that define what is captured in log files.'`
			`example "`
			`describe auditd_rules do`
			`its('LIST_RULES') {should contain_match(/^exit,always arch=.* key=time-change syscall=adjtimex,settimeofday/) }`
			`its('LIST_RULES') {should contain_match(/^exit,always arch=.* key=time-change syscall=stime,settimeofday,adjtimex/) }`
			`its('LIST_RULES') {should contain_match(/^exit,always arch=.* key=time-change syscall=clock_settime/)}`
			`its('LIST_RULES') {should contain_match(/^exit,always watch=\/etc\/localtime perm=wa key=time-change/)}`
			`end`
			`"`
feature: resources for audit daemon 2015-07-26 20:44:01 +00:00
			`def initialize`
rename vulcanosec -> inspec 2015-10-26 03:04:18 +00:00			`@content = inspec.command('/sbin/auditctl -l').stdout.chomp`
feature: resources for audit daemon 2015-07-26 20:44:01 +00:00
			`@opts = {`
			`assignment_re: /^\s([^:]?)\s:\s(.?)\s$/,`
wrap up core resource linting Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-09-09 16:52:27 +00:00			`multiple_values: true,`
feature: resources for audit daemon 2015-07-26 20:44:01 +00:00			`}`
migrate all of audit Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-08-28 23:04:52 +00:00			`end`

			`def params`
			`@params \|\|= SimpleConfig.new(@content, @opts).params`
feature: resources for audit daemon 2015-07-26 20:44:01 +00:00			`end`

harmonize method definition style 2015-09-03 18:43:58 +00:00			`def method_missing(name)`
migrate all of audit Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-08-28 23:04:52 +00:00			`params[name.to_s]`
feature: resources for audit daemon 2015-07-26 20:44:01 +00:00			`end`

harmonize method definition style 2015-09-03 18:43:58 +00:00			`def status(name)`
feature: resources for audit daemon 2015-07-26 20:44:01 +00:00			`@status_opts = {`
			`assignment_re: /^\s([^:]?)\s:\s(.?)\s$/,`
wrap up core resource linting Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-09-09 16:52:27 +00:00			`multiple_values: false,`
feature: resources for audit daemon 2015-07-26 20:44:01 +00:00			`}`
rename vulcanosec -> inspec 2015-10-26 03:04:18 +00:00			`@status_content \|\|= inspec.command('/sbin/auditctl -s').stdout.chomp`
feature: resources for audit daemon 2015-07-26 20:44:01 +00:00			`@status_params = SimpleConfig.new(@status_content, @status_opts).params`
wrap up core resource linting Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-09-09 16:52:27 +00:00
use single quotes 2015-09-03 18:35:23 +00:00			`status = @status_params['AUDIT_STATUS']`
wrap up core resource linting Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-09-09 16:52:27 +00:00			`return nil if status.nil?`
feature: resources for audit daemon 2015-07-26 20:44:01 +00:00
			`items = Hash[status.scan(/([^=]+)=(\w)\s/)]`
remove redundant return 2015-09-03 18:45:37 +00:00			`items[name]`
feature: resources for audit daemon 2015-07-26 20:44:01 +00:00			`end`

			`def to_s`
migrate all of audit Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-08-28 23:04:52 +00:00			`'Audit Daemon Rules'`
feature: resources for audit daemon 2015-07-26 20:44:01 +00:00			`end`
			`end`