inspec/lib/resources/auditd.rb

# encoding: utf-8

require 'forwardable'
require 'utils/filter_array'
require 'utils/filter'
require 'utils/parser'

module Inspec::Resources
  class AuditDaemon < Inspec.resource(1)
    extend Forwardable
    attr_accessor :lines
    attr_reader :params

    name 'auditd'
    supports platform: 'unix'
    desc 'Use the auditd InSpec audit resource to test the rules for logging that exist on the system. The audit.rules file is typically located under /etc/audit/ and contains the list of rules that define what is captured in log files. These rules are output using the auditcl -l command.'
    example "
      describe auditd.syscall('chown').where {arch == 'b32'} do
        its('action') { should eq ['always'] }
        its('list') { should eq ['exit'] }
      end

      describe auditd.where {key == 'privileged'} do
        its('permissions') { should include ['x'] }
      end

      describe auditd do
        its('lines') { should include %r(-w /etc/ssh/sshd_config) }
      end
    "

    def initialize
      unless inspec.command('/sbin/auditctl').exist?
        raise Inspec::Exceptions::ResourceFailed,
              'Command `/sbin/auditctl` does not exist'
      end

      auditctl_cmd = '/sbin/auditctl -l'
      result = inspec.command(auditctl_cmd)

      if result.exit_status != 0
        raise Inspec::Exceptions::ResourceFailed,
              "Command `#{auditctl_cmd}` failed with error: #{result.stderr}"
      end

      @content = result.stdout
      @params = []

      if @content =~ /^LIST_RULES:/
        raise Inspec::Exceptions::RsourceFailed,
              'The version of audit is outdated.' \
              'The `auditd` resource supports versions of audit >= 2.3.'
      end
      parse_content
    end

    filter = FilterTable.create
    filter.register_column(:file,         field: 'file')
          .register_column(:list,         field: 'list')
          .register_column(:action,       field: 'action')
          .register_column(:fields,       field: 'fields')
          .register_column(:fields_nokey, field: 'fields_nokey')
          .register_column(:syscall,      field: 'syscall')
          .register_column(:key,          field: 'key')
          .register_column(:arch,         field: 'arch')
          .register_column(:path,         field: 'path')
          .register_column(:permissions,  field: 'permissions')
          .register_column(:exit,         field: 'exit')

    filter.install_filter_methods_on_resource(self, :params)

    def status(name = nil)
      @status_content ||= inspec.command('/sbin/auditctl -s').stdout.chomp

      # See: https://github.com/inspec/inspec/issues/3113
      if @status_content =~ /^AUDIT_STATUS/
        @status_content = @status_content.gsub('AUDIT_STATUS: ', '')
                                         .tr(' ', "\n")
                                         .tr('=', ' ')
      end

      @status_params ||= Hash[@status_content.scan(/^([^ ]+) (.*)$/)]

      return @status_params[name] if name
      @status_params
    end

    def parse_content
      @lines = @content.lines.map(&:chomp)

      lines.each do |line|
        if is_file_syscall_syntax?(line)
          file_syscall_syntax_rules_for(line)
        end

        if is_syscall?(line)
          syscall_rules_for(line)

        elsif is_file?(line)
          file_rules_for(line)
        end
      end
    end

    def file_syscall_syntax_rules_for(line)
      file = file_syscall_syntax_for(line)
      action, list = action_list_for(line)
      fields = rule_fields_for(line)
      key_field, fields_nokey = remove_key_from(fields)
      key = key_in(key_field.join(''))
      perms = perms_in(fields)

      @params.push(
        {
          'file' => file,
          'list' => list,
          'action' => action,
          'fields' => fields,
          'permissions' => perms,
          'key' => key,
          'fields_nokey' => fields_nokey,
        },
      )
    end

    def syscall_rules_for(line)
      syscalls = syscalls_for(line)
      action, list = action_list_for(line)
      fields = rule_fields_for(line)
      key_field, fields_nokey = remove_key_from(fields)
      key = key_in(key_field.join(''))
      arch = arch_in(fields)
      path = path_in(fields)
      perms = perms_in(fields)
      exit_field = exit_in(fields)

      syscalls.each do |s|
        @params.push(
          {
            'syscall' => s,
            'list' => list,
            'action' => action,
            'fields' => fields,
            'key' => key,
            'arch' => arch,
            'path' => path,
            'permissions' => perms,
            'exit' => exit_field,
            'fields_nokey' => fields_nokey,
          },
        )
      end
    end

    def file_rules_for(line)
      file = file_for(line)
      perms = permissions_for(line)
      key = key_for(line)

      @params.push(
        {
          'file' => file,
          'key' => key,
          'permissions' => perms,
        },
      )
    end

    def to_s
      'Auditd Rules'
    end

    private

    def is_syscall?(line)
      line.match(/-S /)
    end

    def is_file?(line)
      line.match(/-w /)
    end

    def is_file_syscall_syntax?(line)
      line.match(/-F path=/)
    end

    def syscalls_for(line)
      line.scan(/-S ([^ ]+)\s?/).flatten.first.split(',')
    end

    def action_list_for(line)
      line.scan(/-a ([^,]+),([^ ]+)\s?/).flatten
    end

    def key_for(line)
      line.match(/-k ([^ ]+)\s?/)[1] if line.include?('-k ')
    end

    def file_for(line)
      line.match(/-w ([^ ]+)\s?/)[1]
    end

    def file_syscall_syntax_for(line)
      line.match(/-F path=(\S+)\s?/)[1]
    end

    def permissions_for(line)
      line.match(/-p ([^ ]+)/)[1].scan(/\w/)
    end

    def rule_fields_for(line)
      line.gsub(/-[aS] [^ ]+ /, '').split('-F ').map { |l| l.split(' ') }.flatten
    end

    def arch_in(fields)
      fields.each do |field|
        return field.match(/arch=(\S+)\s?/)[1] if field.start_with?('arch=')
      end
      nil
    end

    def perms_in(fields)
      fields.each do |field|
        return field.match(/perm=(\S+)\s?/)[1].scan(/\w/) if field.start_with?('perm=')
      end
      nil
    end

    def path_in(fields)
      fields.each do |field|
        return field.match(/path=(\S+)\s?/)[1] if field.start_with?('path=')
      end
      nil
    end

    def exit_in(fields)
      fields.each do |field|
        return field.match(/exit=(\S+)\s?/)[1] if field.start_with?('exit=')
      end
      nil
    end

    def key_in(field)
      _, v = field.split('=')
      v
    end

    def remove_key_from(fields)
      fields.partition { |x| x.start_with? 'key' }
    end
  end
end
auditd resource: test active auditd configuration against the audit daemon (#2133) * Added auditd resource and documentation. Signed-off-by: Jennifer Burns <jburns@mitre.org> * Added unit tests for auditd resource and updated auditd_rules_test to match new entries in auditctl Signed-off-by: Jennifer Burns <jburns@mitre.org> * Removed all legacy code for audit < 2.3. Removed parens to create consistency. Signed-off-by: Jennifer Burns <jburns@mitre.org> * Updated method names and removed unnecessary content based on review Signed-off-by: Jennifer Burns <jburns@mitre.org> 2017-09-18 19:47:18 +00:00			`# encoding: utf-8`

			`require 'forwardable'`
			`require 'utils/filter_array'`
			`require 'utils/filter'`
			`require 'utils/parser'`

			`module Inspec::Resources`
			`class AuditDaemon < Inspec.resource(1)`
			`extend Forwardable`
			`attr_accessor :lines`
			`attr_reader :params`

			`name 'auditd'`
Add correct `supports platform` to resources. (#2674) * Add correct `supports platform` to resources. Signed-off-by: Miah Johnson <miah@chia-pet.org> * Remove 'os_family' and update platforms to specify what they did. Signed-off-by: Miah Johnson <miah@chia-pet.org> * Add esx and cisco to generic resources. Signed-off-by: Jared Quick <jquick@chef.io> 2018-02-19 14:26:49 +00:00			`supports platform: 'unix'`
auditd resource: test active auditd configuration against the audit daemon (#2133) * Added auditd resource and documentation. Signed-off-by: Jennifer Burns <jburns@mitre.org> * Added unit tests for auditd resource and updated auditd_rules_test to match new entries in auditctl Signed-off-by: Jennifer Burns <jburns@mitre.org> * Removed all legacy code for audit < 2.3. Removed parens to create consistency. Signed-off-by: Jennifer Burns <jburns@mitre.org> * Updated method names and removed unnecessary content based on review Signed-off-by: Jennifer Burns <jburns@mitre.org> 2017-09-18 19:47:18 +00:00			`desc 'Use the auditd InSpec audit resource to test the rules for logging that exist on the system. The audit.rules file is typically located under /etc/audit/ and contains the list of rules that define what is captured in log files. These rules are output using the auditcl -l command.'`
			`example "`
			`describe auditd.syscall('chown').where {arch == 'b32'} do`
			`its('action') { should eq ['always'] }`
			`its('list') { should eq ['exit'] }`
			`end`

			`describe auditd.where {key == 'privileged'} do`
			`its('permissions') { should include ['x'] }`
			`end`

			`describe auditd do`
			`its('lines') { should include %r(-w /etc/ssh/sshd_config) }`
			`end`
			`"`

			`def initialize`
auditd resource: Add handling for sudo/no command (#3151) Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> 2018-06-21 01:27:53 +00:00			`unless inspec.command('/sbin/auditctl').exist?`
			`raise Inspec::Exceptions::ResourceFailed,`
			'Command `/sbin/auditctl` does not exist'
			`end`

			`auditctl_cmd = '/sbin/auditctl -l'`
			`result = inspec.command(auditctl_cmd)`

			`if result.exit_status != 0`
			`raise Inspec::Exceptions::ResourceFailed,`
			"Command `#{auditctl_cmd}` failed with error: #{result.stderr}"
			`end`

			`@content = result.stdout`
auditd resource: test active auditd configuration against the audit daemon (#2133) * Added auditd resource and documentation. Signed-off-by: Jennifer Burns <jburns@mitre.org> * Added unit tests for auditd resource and updated auditd_rules_test to match new entries in auditctl Signed-off-by: Jennifer Burns <jburns@mitre.org> * Removed all legacy code for audit < 2.3. Removed parens to create consistency. Signed-off-by: Jennifer Burns <jburns@mitre.org> * Updated method names and removed unnecessary content based on review Signed-off-by: Jennifer Burns <jburns@mitre.org> 2017-09-18 19:47:18 +00:00			`@params = []`

			`if @content =~ /^LIST_RULES:/`
auditd resource: Add handling for sudo/no command (#3151) Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> 2018-06-21 01:27:53 +00:00			`raise Inspec::Exceptions::RsourceFailed,`
			`'The version of audit is outdated.' \`
			'The `auditd` resource supports versions of audit >= 2.3.'
auditd resource: test active auditd configuration against the audit daemon (#2133) * Added auditd resource and documentation. Signed-off-by: Jennifer Burns <jburns@mitre.org> * Added unit tests for auditd resource and updated auditd_rules_test to match new entries in auditctl Signed-off-by: Jennifer Burns <jburns@mitre.org> * Removed all legacy code for audit < 2.3. Removed parens to create consistency. Signed-off-by: Jennifer Burns <jburns@mitre.org> * Updated method names and removed unnecessary content based on review Signed-off-by: Jennifer Burns <jburns@mitre.org> 2017-09-18 19:47:18 +00:00			`end`
			`parse_content`
			`end`

			`filter = FilterTable.create`
Update core resources with filtertable API changes (#3117) * Search and replace filtertable methods to use new names, and rely on automatic methods * Remove spurious exists? matchers - see https://relishapp.com/rspec/rspec-expectations/docs/built-in-matchers/exist-matcher * Revert removing exists? - we'll do it on a separate PR * Gah, didn't save before resolving conflict * Add back name column on aws cloudtrail trails Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> 2018-06-26 19:14:21 +00:00			`filter.register_column(:file, field: 'file')`
			`.register_column(:list, field: 'list')`
			`.register_column(:action, field: 'action')`
			`.register_column(:fields, field: 'fields')`
			`.register_column(:fields_nokey, field: 'fields_nokey')`
			`.register_column(:syscall, field: 'syscall')`
			`.register_column(:key, field: 'key')`
			`.register_column(:arch, field: 'arch')`
			`.register_column(:path, field: 'path')`
			`.register_column(:permissions, field: 'permissions')`
			`.register_column(:exit, field: 'exit')`
auditd resource: test active auditd configuration against the audit daemon (#2133) * Added auditd resource and documentation. Signed-off-by: Jennifer Burns <jburns@mitre.org> * Added unit tests for auditd resource and updated auditd_rules_test to match new entries in auditctl Signed-off-by: Jennifer Burns <jburns@mitre.org> * Removed all legacy code for audit < 2.3. Removed parens to create consistency. Signed-off-by: Jennifer Burns <jburns@mitre.org> * Updated method names and removed unnecessary content based on review Signed-off-by: Jennifer Burns <jburns@mitre.org> 2017-09-18 19:47:18 +00:00
Update core resources with filtertable API changes (#3117) * Search and replace filtertable methods to use new names, and rely on automatic methods * Remove spurious exists? matchers - see https://relishapp.com/rspec/rspec-expectations/docs/built-in-matchers/exist-matcher * Revert removing exists? - we'll do it on a separate PR * Gah, didn't save before resolving conflict * Add back name column on aws cloudtrail trails Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> 2018-06-26 19:14:21 +00:00			`filter.install_filter_methods_on_resource(self, :params)`
auditd resource: test active auditd configuration against the audit daemon (#2133) * Added auditd resource and documentation. Signed-off-by: Jennifer Burns <jburns@mitre.org> * Added unit tests for auditd resource and updated auditd_rules_test to match new entries in auditctl Signed-off-by: Jennifer Burns <jburns@mitre.org> * Removed all legacy code for audit < 2.3. Removed parens to create consistency. Signed-off-by: Jennifer Burns <jburns@mitre.org> * Updated method names and removed unnecessary content based on review Signed-off-by: Jennifer Burns <jburns@mitre.org> 2017-09-18 19:47:18 +00:00
			`def status(name = nil)`
			`@status_content \|\|= inspec.command('/sbin/auditctl -s').stdout.chomp`
Translate `auditd -s` RHEL output to match CentOS (#3114) This translates the output of `auditctl -s` on RHEL to match CentOS. This is based on the details from issue #3113. I could not find a test box that would give me the output to match what was reported. Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> 2018-06-11 12:12:44 +00:00
			`# See: https://github.com/inspec/inspec/issues/3113`
			`if @status_content =~ /^AUDIT_STATUS/`
			`@status_content = @status_content.gsub('AUDIT_STATUS: ', '')`
			`.tr(' ', "\n")`
			`.tr('=', ' ')`
			`end`

auditd resource: test active auditd configuration against the audit daemon (#2133) * Added auditd resource and documentation. Signed-off-by: Jennifer Burns <jburns@mitre.org> * Added unit tests for auditd resource and updated auditd_rules_test to match new entries in auditctl Signed-off-by: Jennifer Burns <jburns@mitre.org> * Removed all legacy code for audit < 2.3. Removed parens to create consistency. Signed-off-by: Jennifer Burns <jburns@mitre.org> * Updated method names and removed unnecessary content based on review Signed-off-by: Jennifer Burns <jburns@mitre.org> 2017-09-18 19:47:18 +00:00			`@status_params \|\|= Hash[@status_content.scan(/^([^ ]+) (.*)$/)]`

			`return @status_params[name] if name`
			`@status_params`
			`end`

			`def parse_content`
			`@lines = @content.lines.map(&:chomp)`

			`lines.each do \|line\|`
			`if is_file_syscall_syntax?(line)`
			`file_syscall_syntax_rules_for(line)`
			`end`

			`if is_syscall?(line)`
			`syscall_rules_for(line)`

			`elsif is_file?(line)`
			`file_rules_for(line)`
			`end`
			`end`
			`end`

			`def file_syscall_syntax_rules_for(line)`
			`file = file_syscall_syntax_for(line)`
			`action, list = action_list_for(line)`
			`fields = rule_fields_for(line)`
			`key_field, fields_nokey = remove_key_from(fields)`
			`key = key_in(key_field.join(''))`
			`perms = perms_in(fields)`

			`@params.push(`
			`{`
			`'file' => file,`
			`'list' => list,`
			`'action' => action,`
			`'fields' => fields,`
			`'permissions' => perms,`
			`'key' => key,`
			`'fields_nokey' => fields_nokey,`
Bump Rubocop to 0.49.1 (#2323) * Bump Rubocop to 0.49.1 This change bumps Rubocop to 0.49.1. There have been a lot of changes since 0.39.0 and this PR is hopefully a nice compromise of turning off certain cops and updating our codebase to take advantage of new Ruby 2.3 methods and operators. Signed-off-by: Adam Leff <adam@leff.co> * Set end-of-line format to line-feed only, avoid Windows-related CRLF issues Signed-off-by: Adam Leff <adam@leff.co> 2017-11-21 07:49:41 +00:00			`},`
			`)`
auditd resource: test active auditd configuration against the audit daemon (#2133) * Added auditd resource and documentation. Signed-off-by: Jennifer Burns <jburns@mitre.org> * Added unit tests for auditd resource and updated auditd_rules_test to match new entries in auditctl Signed-off-by: Jennifer Burns <jburns@mitre.org> * Removed all legacy code for audit < 2.3. Removed parens to create consistency. Signed-off-by: Jennifer Burns <jburns@mitre.org> * Updated method names and removed unnecessary content based on review Signed-off-by: Jennifer Burns <jburns@mitre.org> 2017-09-18 19:47:18 +00:00			`end`

			`def syscall_rules_for(line)`
			`syscalls = syscalls_for(line)`
			`action, list = action_list_for(line)`
			`fields = rule_fields_for(line)`
			`key_field, fields_nokey = remove_key_from(fields)`
			`key = key_in(key_field.join(''))`
			`arch = arch_in(fields)`
			`path = path_in(fields)`
			`perms = perms_in(fields)`
			`exit_field = exit_in(fields)`

			`syscalls.each do \|s\|`
			`@params.push(`
			`{`
			`'syscall' => s,`
			`'list' => list,`
			`'action' => action,`
			`'fields' => fields,`
			`'key' => key,`
			`'arch' => arch,`
			`'path' => path,`
			`'permissions' => perms,`
			`'exit' => exit_field,`
			`'fields_nokey' => fields_nokey,`
Bump Rubocop to 0.49.1 (#2323) * Bump Rubocop to 0.49.1 This change bumps Rubocop to 0.49.1. There have been a lot of changes since 0.39.0 and this PR is hopefully a nice compromise of turning off certain cops and updating our codebase to take advantage of new Ruby 2.3 methods and operators. Signed-off-by: Adam Leff <adam@leff.co> * Set end-of-line format to line-feed only, avoid Windows-related CRLF issues Signed-off-by: Adam Leff <adam@leff.co> 2017-11-21 07:49:41 +00:00			`},`
			`)`
auditd resource: test active auditd configuration against the audit daemon (#2133) * Added auditd resource and documentation. Signed-off-by: Jennifer Burns <jburns@mitre.org> * Added unit tests for auditd resource and updated auditd_rules_test to match new entries in auditctl Signed-off-by: Jennifer Burns <jburns@mitre.org> * Removed all legacy code for audit < 2.3. Removed parens to create consistency. Signed-off-by: Jennifer Burns <jburns@mitre.org> * Updated method names and removed unnecessary content based on review Signed-off-by: Jennifer Burns <jburns@mitre.org> 2017-09-18 19:47:18 +00:00			`end`
			`end`

			`def file_rules_for(line)`
			`file = file_for(line)`
			`perms = permissions_for(line)`
			`key = key_for(line)`

			`@params.push(`
			`{`
			`'file' => file,`
			`'key' => key,`
			`'permissions' => perms,`
Bump Rubocop to 0.49.1 (#2323) * Bump Rubocop to 0.49.1 This change bumps Rubocop to 0.49.1. There have been a lot of changes since 0.39.0 and this PR is hopefully a nice compromise of turning off certain cops and updating our codebase to take advantage of new Ruby 2.3 methods and operators. Signed-off-by: Adam Leff <adam@leff.co> * Set end-of-line format to line-feed only, avoid Windows-related CRLF issues Signed-off-by: Adam Leff <adam@leff.co> 2017-11-21 07:49:41 +00:00			`},`
			`)`
auditd resource: test active auditd configuration against the audit daemon (#2133) * Added auditd resource and documentation. Signed-off-by: Jennifer Burns <jburns@mitre.org> * Added unit tests for auditd resource and updated auditd_rules_test to match new entries in auditctl Signed-off-by: Jennifer Burns <jburns@mitre.org> * Removed all legacy code for audit < 2.3. Removed parens to create consistency. Signed-off-by: Jennifer Burns <jburns@mitre.org> * Updated method names and removed unnecessary content based on review Signed-off-by: Jennifer Burns <jburns@mitre.org> 2017-09-18 19:47:18 +00:00			`end`

			`def to_s`
			`'Auditd Rules'`
			`end`

			`private`

			`def is_syscall?(line)`
			`line.match(/-S /)`
			`end`

			`def is_file?(line)`
			`line.match(/-w /)`
			`end`

			`def is_file_syscall_syntax?(line)`
			`line.match(/-F path=/)`
			`end`

			`def syscalls_for(line)`
			`line.scan(/-S ([^ ]+)\s?/).flatten.first.split(',')`
			`end`

			`def action_list_for(line)`
			`line.scan(/-a ([^,]+),([^ ]+)\s?/).flatten`
			`end`

			`def key_for(line)`
			`line.match(/-k ([^ ]+)\s?/)[1] if line.include?('-k ')`
			`end`

			`def file_for(line)`
			`line.match(/-w ([^ ]+)\s?/)[1]`
			`end`

			`def file_syscall_syntax_for(line)`
			`line.match(/-F path=(\S+)\s?/)[1]`
			`end`

			`def permissions_for(line)`
			`line.match(/-p ([^ ]+)/)[1].scan(/\w/)`
			`end`

			`def rule_fields_for(line)`
			`line.gsub(/-[aS] [^ ]+ /, '').split('-F ').map { \|l\| l.split(' ') }.flatten`
			`end`

			`def arch_in(fields)`
			`fields.each do \|field\|`
			`return field.match(/arch=(\S+)\s?/)[1] if field.start_with?('arch=')`
			`end`
			`nil`
			`end`

			`def perms_in(fields)`
			`fields.each do \|field\|`
			`return field.match(/perm=(\S+)\s?/)[1].scan(/\w/) if field.start_with?('perm=')`
			`end`
			`nil`
			`end`

			`def path_in(fields)`
			`fields.each do \|field\|`
			`return field.match(/path=(\S+)\s?/)[1] if field.start_with?('path=')`
			`end`
			`nil`
			`end`

			`def exit_in(fields)`
			`fields.each do \|field\|`
			`return field.match(/exit=(\S+)\s?/)[1] if field.start_with?('exit=')`
			`end`
			`nil`
			`end`

			`def key_in(field)`
			`_, v = field.split('=')`
			`v`
			`end`

			`def remove_key_from(fields)`
			`fields.partition { \|x\| x.start_with? 'key' }`
			`end`
			`end`
			`end`