* Added auditd resource and documentation. Signed-off-by: Jennifer Burns <jburns@mitre.org> * Added unit tests for auditd resource and updated auditd_rules_test to match new entries in auditctl Signed-off-by: Jennifer Burns <jburns@mitre.org> * Removed all legacy code for audit < 2.3. Removed parens to create consistency. Signed-off-by: Jennifer Burns <jburns@mitre.org> * Updated method names and removed unnecessary content based on review Signed-off-by: Jennifer Burns <jburns@mitre.org>
# encoding: utf-8
# author: Christoph Hartmann
# author: Dominik Richter
require 'helper'
require 'inspec/resource'
describe 'Inspec::Resources::AuditDaemonRules' do
  # Every example runs against the centos7 mock loader; `let` memoizes one
  # freshly loaded resource per example so no state leaks between them.
  let(:resource) { MockLoader.new(:centos7).load_resource('auditd_rules') }

  # Parsed form of the two `-S open` rules present in the mock output. The
  # syscall-query examples below expect exactly this set, in the order the
  # resource reports them.
  let(:open_rules) do
    [
      { syscall: 'open', list: 'exit', action: 'always',
        fields: ['arch=b64', 'exit=-EACCES', 'key=access'],
        arch: 'b64', exit: '-EACCES', key: 'access' },
      { syscall: 'open', list: 'exit', action: 'always',
        fields: ['arch=b32', 'exit=-EPERM', 'key=access'],
        arch: 'b32', exit: '-EPERM', key: 'access' },
    ]
  end

  # Parsed watch rule on the sshd configuration; reachable both by path and
  # by its `-k` key, so two examples share it.
  let(:sshd_config_rule) do
    { file: '/etc/ssh/sshd_config', key: 'CFG_sshd_config', permissions: 'rwxa' }
  end

  it 'auditd_rules interface' do
    # Raw rule lines exactly as the resource reads them from the mock command
    # output, before any parsing into syscall/file/key structures.
    expected_lines = [
      '-a always,exit -F arch=b64 -S open,openat -F exit=-EACCES -F key=access',
      '-a always,exit -F arch=b32 -S open,openat -F exit=-EPERM -F key=access',
      '-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=500 f24!=0 -F key=perm_mod',
      '-a always,exit -S all -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged',
      '-a always,exit -S all -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged',
      '-w /etc/ssh/sshd_config -p rwxa -k CFG_sshd_config',
      '-w /etc/sudoers -p wa',
      '-w /etc/private-keys -p x',
    ]
    _(resource.send(:lines)).must_equal expected_lines
  end

  it 'auditd_rules syscall interface' do
    _(resource.send(:syscall, 'open').send(:rules)).must_equal open_rules
  end

  it 'auditd_rules syscall query chaining' do
    # Narrowing by a field both rules already carry keeps both of them.
    query = resource.send(:syscall, 'open').field('key', 'access')
    _(query.send(:rules)).must_equal open_rules
  end

  it 'auditd_rules syscall query chaining with short syntax' do
    # The short-form filters (`key`, `list`) must select the same rules as
    # the explicit `field(...)` form used in the example above.
    query = resource.send(:syscall, 'open').key('access').list('exit')
    _(query.send(:rules)).must_equal open_rules
  end

  it 'check auditd_rules syscall query chaining empty results' do
    # Filtering on a field no rule defines yields an empty set, not an error.
    query = resource.send(:syscall, 'open').field('key', 'access').field('foo', 'bar')
    _(query.send(:rules)).must_equal []
  end

  it 'check auditd_rules file interface' do
    _(resource.send(:file, '/etc/ssh/sshd_config').send(:rules)).must_equal [sshd_config_rule]
  end

  it 'check auditd_rules key interface' do
    _(resource.send(:key, 'CFG_sshd_config').send(:rules)).must_equal [sshd_config_rule]
  end

  it 'check auditd_rules file interface with no keys' do
    # A watch rule written without `-k` is still reported, with a nil key,
    # rather than being silently dropped from the parsed rule set.
    _(resource.send(:file, '/etc/private-keys').send(:rules)).must_equal [
      { file: '/etc/private-keys', key: nil, permissions: 'x' },
    ]
  end

  it 'check auditd_rules status interface' do
    # Status values are kept as the literal strings from the status output;
    # the resource does not coerce them to integers.
    expected_status = {
      'enabled' => '1',
      'flag' => '2',
      'pid' => '547',
      'rate_limit' => '0',
      'backlog_limit' => '8192',
      'lost' => '0',
      'backlog' => '0',
      'loginuid_immutable' => '0 unlocked',
    }
    _(resource.send(:status)).must_equal(expected_status)
  end

  it 'check auditd_rules status interface querying a key' do
    _(resource.send(:status, 'enabled')).must_equal('1')
  end

  # TODO(sr) figure out how to feed resource the legacy auditctl mock cmd output
  # it 'check legacy audit policy parsing' do
  #   resource = MockLoader.new(:undefined).load_resource('auditd_rules')
  #   _(resource.send('LIST_RULES')).must_equal [
  #     'exit,always syscall=rmdir,unlink',
  #     'exit,always auid=1001 (0x3e9) syscall=open',
  #     'exit,always watch=/etc/group perm=wa',
  #     'exit,always watch=/etc/passwd perm=wa',
  #     'exit,always watch=/etc/shadow perm=wa',
  #     'exit,always watch=/etc/sudoers perm=wa',
  #     'exit,always watch=/etc/secret_directory perm=r',
  #   ]
  # end
end