---
title: About the auditd_rules Resource
---

# auditd_rules

Use the `auditd_rules` InSpec audit resource to test the rules for logging that exist on the system. The `audit.rules` file is typically located under `/etc/audit/` and contains the list of rules that define what is captured in log files. This resource uses `auditctl` to query the run-time `auditd` rules setup, which may be different from `audit.rules`.


## Syntax

An `auditd_rules` resource block declares one (or more) rules to be tested, and then what that rule should do. The syntax depends on the version of `audit`:

For `audit` >= 2.3:

    describe auditd_rules do
      its('lines') { should contain_match(rule) }
    end

For `audit` < 2.3:

    describe audit_daemon_rules do
      its("LIST_RULES") {
        rule
      }
    end

For example:

    describe auditd_rules do
      its('LIST_RULES') { should eq [
        'exit,always syscall=rmdir,unlink',
        'exit,always auid=1001 (0x3e9) syscall=open',
        'exit,always watch=/etc/group perm=wa',
        'exit,always watch=/etc/passwd perm=wa',
        'exit,always watch=/etc/shadow perm=wa',
        'exit,always watch=/etc/sudoers perm=wa',
        'exit,always watch=/etc/secret_directory perm=r',
      ] }
    end

or test that individual rules are defined:

    describe auditd_rules do
      its('LIST_RULES') {
        should contain_match(/^exit,always watch=\/etc\/group perm=wa key=identity/)
      }
      its('LIST_RULES') {
        should contain_match(/^exit,always watch=\/etc\/passwd perm=wa key=identity/)
      }
      its('LIST_RULES') {
        should contain_match(/^exit,always watch=\/etc\/gshadow perm=wa key=identity/)
      }
      its('LIST_RULES') {
        should contain_match(/^exit,always watch=\/etc\/shadow perm=wa key=identity/)
      }
      its('LIST_RULES') {
        should contain_match(/^exit,always watch=\/etc\/security\/opasswd perm=wa key=identity/)
      }
    end

where each test must declare one (or more) rules to be tested.


## Matchers

This InSpec audit resource has the following matchers:

### be

<%= partial "/shared/matcher_be" %>

### cmp

<%= partial "/shared/matcher_cmp" %>

### eq

<%= partial "/shared/matcher_eq" %>

### include

<%= partial "/shared/matcher_include" %>

### match

<%= partial "/shared/matcher_match" %>

## Examples

The following examples show how to use this InSpec audit resource.

### Test if a rule contains a matching element that is identified by a regular expression

For `audit` >= 2.3:

    describe auditd_rules do
      its('lines') { should contain_match(%r{-w /etc/ssh/sshd_config/}) }
    end

For `audit` < 2.3:

    describe audit_daemon_rules do
      its("LIST_RULES") {
        should contain_match(/^exit,always arch=.*\
        key=time-change\
        syscall=adjtimex,settimeofday/)
      }
    end


### Query the audit daemon status

    describe auditd_rules.status('backlog') do
      it { should cmp 0 }
    end

### Query properties of rules targeting specific syscalls or files

    describe auditd_rules.syscall('open').action do
      it { should eq(['always']) }
    end

    describe auditd_rules.key('sshd_config') do
      its('permissions') { should contain_match(/x/) }
    end

Filters may be chained. For example:

    describe auditd_rules.syscall('open').action('always').list do
      it { should eq(['exit']) }
    end