inspec/docs/resources/auditd.md.erb

---
title: About the auditd Resource
platform: linux
---

# auditd

Use the `auditd` Chef InSpec audit resource to test the rules for logging that exist on the system. The audit.rules file is typically located under /etc/audit/ and contains the list of rules that define what is captured in log files. These rules are output using the auditctl -l command. This resource supports versions of `audit` >= 2.3.

<br>

## Availability

### Installation

This resource is distributed along with Chef InSpec itself. You can use it automatically.

### Version

This resource first became available in v1.38.8 of InSpec.

## Syntax

An `auditd` resource block declares one (or more) rules to be tested, and then what that rule should do:

    describe auditd do
      its('lines') { should include %r(-w /etc/ssh/sshd_config) }
    end

or test that multiple individual rules are defined:

    describe auditd do
      its('lines') { should include %r(-a always,exit -F arch=.* -S init_module,delete_module -F key=modules) }
      its('lines') { should include %r(-a always,exit -F arch=.* -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=.+) }
    end

where each test must declare one (or more) rules to be tested.

<br>

## Examples

The following examples show how to use this Chef InSpec audit resource.

### Test if a rule contains a matching element that is identified by a regular expression

For `audit` >= 2.3:

    describe auditd do
      its('lines') { should include %r(-a always,exit -F arch=.* -S chown.* -F auid>=1000 -F auid!=-1 -F key=perm_mod) }
    end

### Query the audit daemon status

    describe auditd.status('backlog') do
      it { should cmp 0 }
    end

### Query properties of rules targeting specific syscalls or files - uniq is used to handle multiple rules for the same syscall with redundant field values

    describe auditd.syscall('open') do
      its('action.uniq') { should eq ['always'] }
      its('list.uniq') { should eq ['exit'] }
    end

    describe auditd.file('/etc/sudoers') do
      its('permissions') { should include ['x'] }
    end

The where accessor can be used to filter on fields. For example:

    describe auditd.syscall('chown').where { arch == "b32" } do
      its('action') { should eq ['always'] }
      its('list') { should eq ['exit'] }
      its('exit') { should include ['-EACCES'] }
      its('exit') { should include ['-EPERM'] }
    end

The key filter may be useful in evaluating rules with particular key values:

    describe auditd.where { key == "privileged" } do
      its('permissions') { should include ['x'] }
    end

<br>

## Matchers

For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
auditd resource: test active auditd configuration against the audit daemon (#2133) * Added auditd resource and documentation. Signed-off-by: Jennifer Burns <jburns@mitre.org> * Added unit tests for auditd resource and updated auditd_rules_test to match new entries in auditctl Signed-off-by: Jennifer Burns <jburns@mitre.org> * Removed all legacy code for audit < 2.3. Removed parens to create consistency. Signed-off-by: Jennifer Burns <jburns@mitre.org> * Updated method names and removed unnecessary content based on review Signed-off-by: Jennifer Burns <jburns@mitre.org> 2017-09-18 19:47:18 +00:00			`---`
			`title: About the auditd Resource`
Add `platform` tags and remove trailing whitespace (#2654) Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> 2018-02-16 00:28:15 +00:00			`platform: linux`
auditd resource: test active auditd configuration against the audit daemon (#2133) * Added auditd resource and documentation. Signed-off-by: Jennifer Burns <jburns@mitre.org> * Added unit tests for auditd resource and updated auditd_rules_test to match new entries in auditctl Signed-off-by: Jennifer Burns <jburns@mitre.org> * Removed all legacy code for audit < 2.3. Removed parens to create consistency. Signed-off-by: Jennifer Burns <jburns@mitre.org> * Updated method names and removed unnecessary content based on review Signed-off-by: Jennifer Burns <jburns@mitre.org> 2017-09-18 19:47:18 +00:00			`---`

			`# auditd`

Update software name from InSpec to Chef Inspec Signed-off-by: IanMadd <maddaus@protonmail.com> 2019-04-26 18:24:29 +00:00			Use the `auditd` Chef InSpec audit resource to test the rules for logging that exist on the system. The audit.rules file is typically located under /etc/audit/ and contains the list of rules that define what is captured in log files. These rules are output using the auditctl -l command. This resource supports versions of `audit` >= 2.3.
auditd resource: test active auditd configuration against the audit daemon (#2133) * Added auditd resource and documentation. Signed-off-by: Jennifer Burns <jburns@mitre.org> * Added unit tests for auditd resource and updated auditd_rules_test to match new entries in auditctl Signed-off-by: Jennifer Burns <jburns@mitre.org> * Removed all legacy code for audit < 2.3. Removed parens to create consistency. Signed-off-by: Jennifer Burns <jburns@mitre.org> * Updated method names and removed unnecessary content based on review Signed-off-by: Jennifer Burns <jburns@mitre.org> 2017-09-18 19:47:18 +00:00
Resource documentation update (#2207) Light formatting changes, change order of example and matchers, slight color changes Signed-off-by: hannah-radish <hmaddy@chef.io> 2017-10-03 21:35:10 +00:00			`<br>`

Clean injection of Availability section (#3206) Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> 2018-08-09 12:34:49 +00:00			`## Availability`

			`### Installation`

Update software name from InSpec to Chef Inspec Signed-off-by: IanMadd <maddaus@protonmail.com> 2019-04-26 18:24:29 +00:00			`This resource is distributed along with Chef InSpec itself. You can use it automatically.`
Clean injection of Availability section (#3206) Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> 2018-08-09 12:34:49 +00:00
			`### Version`

			`This resource first became available in v1.38.8 of InSpec.`

auditd resource: test active auditd configuration against the audit daemon (#2133) * Added auditd resource and documentation. Signed-off-by: Jennifer Burns <jburns@mitre.org> * Added unit tests for auditd resource and updated auditd_rules_test to match new entries in auditctl Signed-off-by: Jennifer Burns <jburns@mitre.org> * Removed all legacy code for audit < 2.3. Removed parens to create consistency. Signed-off-by: Jennifer Burns <jburns@mitre.org> * Updated method names and removed unnecessary content based on review Signed-off-by: Jennifer Burns <jburns@mitre.org> 2017-09-18 19:47:18 +00:00			`## Syntax`

			An `auditd` resource block declares one (or more) rules to be tested, and then what that rule should do:

			`describe auditd do`
			`its('lines') { should include %r(-w /etc/ssh/sshd_config) }`
			`end`

			`or test that multiple individual rules are defined:`

			`describe auditd do`
			`its('lines') { should include %r(-a always,exit -F arch=.* -S init_module,delete_module -F key=modules) }`
			`its('lines') { should include %r(-a always,exit -F arch=.* -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=.+) }`
			`end`

			`where each test must declare one (or more) rules to be tested.`

Resource documentation update (#2207) Light formatting changes, change order of example and matchers, slight color changes Signed-off-by: hannah-radish <hmaddy@chef.io> 2017-10-03 21:35:10 +00:00			`<br>`
auditd resource: test active auditd configuration against the audit daemon (#2133) * Added auditd resource and documentation. Signed-off-by: Jennifer Burns <jburns@mitre.org> * Added unit tests for auditd resource and updated auditd_rules_test to match new entries in auditctl Signed-off-by: Jennifer Burns <jburns@mitre.org> * Removed all legacy code for audit < 2.3. Removed parens to create consistency. Signed-off-by: Jennifer Burns <jburns@mitre.org> * Updated method names and removed unnecessary content based on review Signed-off-by: Jennifer Burns <jburns@mitre.org> 2017-09-18 19:47:18 +00:00
			`## Examples`

Update software name from InSpec to Chef Inspec Signed-off-by: IanMadd <maddaus@protonmail.com> 2019-04-26 18:24:29 +00:00			`The following examples show how to use this Chef InSpec audit resource.`
auditd resource: test active auditd configuration against the audit daemon (#2133) * Added auditd resource and documentation. Signed-off-by: Jennifer Burns <jburns@mitre.org> * Added unit tests for auditd resource and updated auditd_rules_test to match new entries in auditctl Signed-off-by: Jennifer Burns <jburns@mitre.org> * Removed all legacy code for audit < 2.3. Removed parens to create consistency. Signed-off-by: Jennifer Burns <jburns@mitre.org> * Updated method names and removed unnecessary content based on review Signed-off-by: Jennifer Burns <jburns@mitre.org> 2017-09-18 19:47:18 +00:00
			`### Test if a rule contains a matching element that is identified by a regular expression`

			For `audit` >= 2.3:

			`describe auditd do`
			`its('lines') { should include %r(-a always,exit -F arch=.* -S chown.* -F auid>=1000 -F auid!=-1 -F key=perm_mod) }`
			`end`

			`### Query the audit daemon status`

			`describe auditd.status('backlog') do`
			`it { should cmp 0 }`
			`end`

			`### Query properties of rules targeting specific syscalls or files - uniq is used to handle multiple rules for the same syscall with redundant field values`

			`describe auditd.syscall('open') do`
			`its('action.uniq') { should eq ['always'] }`
			`its('list.uniq') { should eq ['exit'] }`
			`end`

			`describe auditd.file('/etc/sudoers') do`
			`its('permissions') { should include ['x'] }`
			`end`

			`The where accessor can be used to filter on fields. For example:`

			`describe auditd.syscall('chown').where { arch == "b32" } do`
			`its('action') { should eq ['always'] }`
			`its('list') { should eq ['exit'] }`
			`its('exit') { should include ['-EACCES'] }`
			`its('exit') { should include ['-EPERM'] }`
			`end`

			`The key filter may be useful in evaluating rules with particular key values:`

Fixes partially indented blocks and unescaped underscores (#2731) Moved 2 space examples 2 more spaces in. Don't be shy, show the world your code the way it was meant to be seen. Underscores in markdown must be escaped otherwise the world goes crooked. Signed-off-by: Franklin Webber <franklin@chef.io> 2018-02-26 16:11:06 +00:00			`describe auditd.where { key == "privileged" } do`
			`its('permissions') { should include ['x'] }`
			`end`
Resource documentation update (#2207) Light formatting changes, change order of example and matchers, slight color changes Signed-off-by: hannah-radish <hmaddy@chef.io> 2017-10-03 21:35:10 +00:00
			`<br>`

			`## Matchers`

Add one comma in all docs & deletes two repeated sentences. (#2658) Signed-off-by: kagarmoe <kgarmoe@chef.io> 2018-02-16 03:07:18 +00:00			`For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).`