class Inspec::Resources::LinuxAuditSystem
def enabled?
The `be_enabled` matcher checks whether auditing is enabled (the `enabled` field reported by `auditctl -s`).
# Reports whether the kernel audit subsystem is enabled.
#
# Runs `auditctl -s` and keeps only the `enabled` line, which looks like
# `enabled 1`; the second token is the flag value.
#
# @return [Boolean] true when the reported `enabled` value is 1
# @raise [Inspec::Exceptions::ResourceFailed] when the command exits non-zero
def enabled?
  status_cmd = inspec.command("#{auditctl_utility} -s | grep enabled")
  unless status_cmd.exit_status.to_i.zero?
    raise Inspec::Exceptions::ResourceFailed, "Executing #{auditctl_utility} -s | grep enabled failed: #{status_cmd.stderr}"
  end
  # Sample stdout: enabled 1
  _label, flag = status_cmd.stdout.strip.split
  # A missing flag (`nil.to_i` == 0) reads as "not enabled".
  flag.to_i == 1
end
def find_auditctl_or_error
# Locates the `auditctl` binary, trying the well-known absolute paths first
# and falling back to a PATH lookup.
#
# @return [String] the first candidate that exists on the target
# @raise [Inspec::Exceptions::ResourceFailed] when no candidate exists
def find_auditctl_or_error
  candidates = %w{/usr/sbin/auditctl /sbin/auditctl auditctl}
  found = candidates.find { |candidate| inspec.command(candidate).exist? }
  found || raise(Inspec::Exceptions::ResourceFailed, "Could not find `auditctl`. This resource requires `auditctl` utility to be available on the system.")
end
def initialize
# Marks the resource as skipped on non-Linux targets and resolves the
# `auditctl` binary used by every other method.
#
# NOTE(review): `skip_resource` does not appear to abort construction here,
# so `find_auditctl_or_error` still runs on a skipped resource — confirm
# that is intended.
#
# @raise [Inspec::Exceptions::ResourceFailed] when `auditctl` cannot be found
def initialize
  unless inspec.os.linux?
    skip_resource "The `linux_audit_system` resource is not yet available on your OS."
  end
  @auditctl_utility = find_auditctl_or_error
end
def rules
The `rules` property returns the array of audit rules obtained from `auditctl -l`, one rule per element.
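# Returns the currently loaded audit rules, one per array element, as
# printed by `auditctl -l`.
#
# @return [Array<String>] the rule lines; empty when no rules are loaded
# @raise [Inspec::Exceptions::ResourceFailed] when the command exits non-zero
def rules
  auditctl_cmd = inspec.command("#{auditctl_utility} -l")
  # Message now reads "... failed: <stderr>" like the sibling matchers.
  raise Inspec::Exceptions::ResourceFailed, "Executing #{auditctl_utility} -l failed: #{auditctl_cmd.stderr}" if auditctl_cmd.exit_status.to_i != 0

  # strip first so empty output yields [] rather than [""]
  auditctl_cmd.stdout.strip.split("\n")
end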
def running?
The `be_running` matcher checks whether the audit daemon is running (a non-zero `pid` reported by `auditctl -s`).
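# Reports whether the audit daemon is running, based on the `pid` line of
# `auditctl -s` (e.g. `pid 682462`); a pid of 0 or a missing value means
# not running.
#
# @return [Boolean] true when the reported pid is present and non-zero
# @raise [Inspec::Exceptions::ResourceFailed] when the command exits non-zero
def running?
  auditctl_cmd = inspec.command("#{auditctl_utility} -s | grep pid")
  # The failure message names the command actually run (`grep pid`).
  raise Inspec::Exceptions::ResourceFailed, "Executing #{auditctl_utility} -s | grep pid failed: #{auditctl_cmd.stderr}" if auditctl_cmd.exit_status.to_i != 0

  # Sample stdout: pid 682462
  _label, pid = auditctl_cmd.stdout.strip.split
  !pid.nil? && pid.to_i != 0
end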
def to_s
# Name shown for this resource in test output.
#
# @return [String] the resource name
def to_s
  "linux_audit_system"
end