a359399fa0
Moved 2 space examples 2 more spaces in. Don't be shy, show the world your code the way it was meant to be seen. Underscores in markdown must be escaped otherwise the world goes crooked. Signed-off-by: Franklin Webber <franklin@chef.io>
79 lines
2.5 KiB
Text
---
title: About the auditd Resource
platform: linux
---

# auditd

Use the `auditd` InSpec audit resource to test the audit rules that are loaded on the system. The rules are normally defined in `audit.rules` under `/etc/audit/` (on newer systems assembled from `/etc/audit/rules.d/*.rules`) and determine which events the kernel audit subsystem records. This resource does not read those files: it inspects the rules actually loaded in the kernel, as listed by `auditctl -l`, so a rule that is present in the file but failed to load will not be found. This resource supports versions of `audit` >= 2.3.

<br>

## Syntax

An `auditd` resource block declares one (or more) rules to be tested, and then what each rule should look like:

    describe auditd do
      its('lines') { should include %r(-w /etc/ssh/sshd_config) }
    end

or tests that multiple individual rules are defined:

    describe auditd do
      its('lines') { should include %r(-a always,exit -F arch=.* -S init_module,delete_module -F key=modules) }
      its('lines') { should include %r(-a always,exit -F arch=.* -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=.+) }
    end

where each test must declare one (or more) rules to be tested. `lines` returns every loaded rule exactly as `auditctl -l` prints it, and `include` with a regular expression passes when at least one line matches.

<br>

## Examples

The following examples show how to use this InSpec audit resource.

### Test if a rule contains a matching element that is identified by a regular expression

For `audit` >= 2.3:

    describe auditd do
      its('lines') { should include %r(-a always,exit -F arch=.* -S chown.* -F auid>=1000 -F auid!=-1 -F key=perm_mod) }
    end

Match against the normalized form that `auditctl -l` prints, not the text of `audit.rules`: for example, a `-k perm_mod` in the rules file is listed as `-F key=perm_mod`, and the "unset" login UID may appear as `auid!=-1`, `auid!=4294967295` or `auid!=unset` depending on the audit version. Check the output of `auditctl -l` on the target platform before writing the expression.

### Query the audit daemon status

`auditd.status` reads the `name = value` output of `auditctl -s` and returns the value for the given name; with no argument it returns all fields. Values are returned as strings, which is why `cmp` rather than `eq` is used below.

    describe auditd.status('backlog') do
      it { should cmp 0 }
    end

### Query properties of rules targeting specific syscalls or files

`auditd.syscall` and `auditd.file` return only the rules that name the given syscall or watched path. Because several rules may exist for the same syscall with identical field values (for example one per architecture), `uniq` is used to collapse the repeated values:

    describe auditd.syscall('open') do
      its('action.uniq') { should eq ['always'] }
      its('list.uniq') { should eq ['exit'] }
    end

    describe auditd.file('/etc/sudoers') do
      its('permissions') { should include ['x'] }
    end

The `where` accessor can be used to filter on fields. For example, to check only the 32-bit rules for `chown`:

    describe auditd.syscall('chown').where { arch == "b32" } do
      its('action') { should eq ['always'] }
      its('list') { should eq ['exit'] }
      its('exit') { should include ['-EACCES'] }
      its('exit') { should include ['-EPERM'] }
    end

The `key` filter may be useful in evaluating rules with particular key values (the `-k` / `-F key=` tag that groups related rules in the audit log):

    describe auditd.where { key == "privileged" } do
      its('permissions') { should include ['x'] }
    end
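
The checks on this page (regex matches on `lines` in the Syntax section, and the `syscall`, `file`, `key` and `where` filters above) can be tried without a target host using the stand-alone Ruby below. This is an added example, not InSpec's code and not the `auditd` resource's implementation: the `auditctl -l` output is constructed, the helper names (`parse_auditctl`, `rule_present?`, `missing_rules`, `REQUIRED_RULES`) are this example's own, and the normalization of the "unset" login UID assumes the three spellings named in the caveat above. One constructed line deliberately uses the older `auid!=-1` form so that the normalization is exercised.

```ruby
# Added example, not part of InSpec or the auditd resource: a stand-alone
# parser for `auditctl -l` output that mirrors the resource's `lines`,
# `syscall`, `file`, `key` and `where`-style filtering and its regex checks.
# The output below is constructed; line 4 uses the older `auid!=-1`
# spelling, the others the newer `auid!=unset`.

SAMPLE_AUDITCTL_L = <<~RULES
  -w /etc/ssh/sshd_config -p wa -k sshd
  -w /etc/sudoers -p wa -k scope
  -a always,exit -F arch=b64 -S init_module,delete_module -F key=modules
  -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod
  -a always,exit -F arch=b32 -S chown,fchown,lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
  -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
  -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
  -e 2
RULES

# One parsed rule; fields that a rule does not carry stay nil.
AuditRule = Struct.new(:file, :permissions, :action, :list, :arch,
                       :syscalls, :exit, :key, :line, keyword_init: true)

# Audit versions print the "unset" login UID as -1, 4294967295 or unset
# (assumption: these three spellings). Rewrite to one canonical form so a
# single regex works across versions.
def normalize_line(line)
  line.strip.gsub(/auid!=(-1|4294967295)\b/, 'auid!=unset').squeeze(' ')
end

# Parse a single `auditctl -l` line. Returns nil for non-rule lines such as
# `-e 2` (the enabled flag) or `No rules`.
def parse_rule(raw)
  line = normalize_line(raw)
  if line.start_with?('-w ')
    # Watch rule: -w <path> -p <perms> -k <key>
    AuditRule.new(file: line[/-w\s+(\S+)/, 1],
                  permissions: line[/-p\s+(\S+)/, 1].to_s.chars,
                  key: line[/-k\s+(\S+)/, 1],
                  line: line)
  elsif line.start_with?('-a ')
    # Syscall rule: -a <action>,<list> -F <field><op><value> ... -S <syscalls>
    action, list = line[/-a\s+(\S+)/, 1].split(',', 2)
    fields = line.scan(/-F\s+(\S+)/).flatten
    # Only "name=value" fields are extracted; "auid>=1000" is left alone.
    field = ->(name) { fields.map { |f| f[/\A#{name}=(.+)\z/, 1] }.compact.first }
    AuditRule.new(action: action, list: list,
                  arch: field.call('arch'),
                  syscalls: line[/-S\s+(\S+)/, 1].to_s.split(','),
                  exit: field.call('exit'),
                  key: field.call('key') || line[/-k\s+(\S+)/, 1],
                  permissions: [],
                  line: line)
  end
end

def parse_auditctl(output)
  output.each_line.map { |l| parse_rule(l) }.compact
end

# Equivalents of the resource accessors used on this page.
def rules_for_syscall(rules, name)
  rules.select { |r| r.syscalls.to_a.include?(name) }
end

def rules_for_file(rules, path)
  rules.select { |r| r.file == path }
end

def rules_with_key(rules, key)
  rules.select { |r| r.key == key }
end

# Equivalent of `its('lines') { should include %r(...) }`: true when any
# normalized rule line matches the pattern.
def rule_present?(rules, pattern)
  rules.any? { |r| pattern.match?(r.line) }
end

# A small baseline of required rules; returns the names of entries that the
# loaded rules do not satisfy. Patterns are written against the normalized form.
REQUIRED_RULES = {
  'sshd_config watched'   => %r{-w /etc/ssh/sshd_config -p \S*w},
  'module loading logged' => %r{-S init_module,delete_module .*-F key=modules},
  'chmod family logged'   => %r{-S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod},
  'shadow watched'        => %r{-w /etc/shadow},
}.freeze

def missing_rules(rules, required = REQUIRED_RULES)
  required.reject { |_name, pattern| rule_present?(rules, pattern) }.keys
end

if $PROGRAM_NAME == __FILE__
  rules = parse_auditctl(SAMPLE_AUDITCTL_L)
  puts "loaded rules: #{rules.size}"
  puts "open rules, actions: #{rules_for_syscall(rules, 'open').map(&:action).uniq.inspect}"
  puts "32-bit chown exit codes: #{rules_for_syscall(rules, 'chown').select { |r| r.arch == 'b32' }.map(&:exit).inspect}"
  puts "missing from baseline: #{missing_rules(rules).inspect}"
end
```

Against the constructed output the baseline reports only `shadow watched` as missing: the `chmod` rule is found even though the raw line says `auid!=-1`, because matching happens on the normalized line. In a real profile the same idea applies: write the expression for the form your target's `auditctl -l` prints, and prefer `-F key=` over `-k`.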
<br>

## Matchers

For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).