Fix auditd resource processing of action and list (#4665)

Fix auditd resource processing of action and list
2024-09-21 06:51:56 +00:00 · 2020-02-13 15:12:47 -05:00 · 2020-02-13 15:12:47 -05:00 · 03d394a51b
commit 03d394a51b
parent a4a7c4ed25 21edc712bd
3 changed files with 31 additions and 3 deletions
--- a/lib/inspec/resources/auditd.rb
+++ b/lib/inspec/resources/auditd.rb
@ -187,8 +187,20 @@ module Inspec::Resources
      line.scan(/-S ([^ ]+)\s?/).flatten.first.split(",")
    end

+    # Processes the line and returns a pair of entries reflecting the 'action'
+    # and 'list' items.
+    #
+    # @return [Array[String,String]]
    def action_list_for(line)
-      line.scan(/-a ([^,]+),([^ ]+)\s?/).flatten
+      action_list = line.scan(/-a ([^,]+),([^ ]+)\s?/).flatten
+
+      # Actions and lists can be in either order
+      valid_actions = %w{never always}
+
+      [
+        (action_list & valid_actions).first,
+        (action_list - valid_actions).first,
+      ]
    end

    def key_for(line)
--- a/test/fixtures/cmd/auditctl
+++ b/test/fixtures/cmd/auditctl
@ -2,7 +2,7 @@
 -a always,exit -F arch=b32 -S open,openat -F exit=-EPERM -F key=access
 -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=500 f24!=0 -F key=perm_mod
 -a always,exit -S all -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
-a always,exit -S all -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
+-a exit,always -S all -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
 -w /etc/ssh/sshd_config -p rwxa -k CFG_sshd_config
 -w /etc/sudoers -p wa
 -w /etc/private-keys -p x
--- a/test/unit/resources/auditd_test.rb
+++ b/test/unit/resources/auditd_test.rb
@ -10,13 +10,29 @@ describe "Inspec::Resources::AuditDaemon" do
      "-a always,exit -F arch=b32 -S open,openat -F exit=-EPERM -F key=access",
      "-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=500 f24!=0 -F key=perm_mod",
      "-a always,exit -S all -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged",
-      "-a always,exit -S all -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged",
+      # Reversed for action_list validation
+      "-a exit,always -S all -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged",
      "-w /etc/ssh/sshd_config -p rwxa -k CFG_sshd_config",
      "-w /etc/sudoers -p wa",
      "-w /etc/private-keys -p x",
    ]
  end

+  it "auditd action_list processing" do
+    resource = MockLoader.new(:centos7).load_resource("auditd")
+
+    list_items = []
+    action_items = []
+
+    resource.params.each do |param|
+      list_items << param["list"] if param["list"]
+      action_items << param["action"] if param["action"]
+    end
+
+    list_items.uniq.must_equal ["exit"]
+    action_items.uniq.must_equal ["always"]
+  end
+
  it "auditd syscall interface" do
    resource = MockLoader.new(:centos7).load_resource("auditd")
    _(resource.send("syscall", "open").send("params")).must_equal [