audit_log_parser 0.1.0 → 0.1.1
- checksums.yaml +4 -4
- data/README.md +23 -2
- data/lib/audit_log_parser/version.rb +1 -1
- data/lib/audit_log_parser.rb +1 -1
- metadata +1 -1
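--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 44f1c148dffdd203d11a2d99dabf9f4a6c61a1d054a88d445a0da9f5e35cca65
+data.tar.gz: c2abf7e7037a5dab5fabbaaf2226c5e70ee57b3804a116cfc61a2a9186a8a9a4
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: ce9037c3ac30c6853f173159bb062a9994bb88e056fc1605e0698ab87a2658cb7a8c1b8fda332715b102d24292dad4e4e422f8e8da6709d098c97d64d56d0594
+data.tar.gz: 83610302f7adb5450abf919fbf6363127739bd7128ea6c7ab4c5373557ca9a7ac9f2cfe9d714e869a7f0f7f194156a4e80c8c1198a8c5cab8b09ac5bcd3d86aa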
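--- a/data/README.md
+++ b/data/README.md
@@ -28,11 +28,11 @@ Or install it yourself as:
 require 'audit_log_parser'
 require 'pp'
 
-
+audit_log1 = <<EOS
 type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd19c5592 a1=0 a2=7fffd19c4b50 a3=a items=1 ppid=2686 pid=3538 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="cat" exe="/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="sshd_config"
 EOS
 
-pp AuditLogParser.
+pp AuditLogParser.parse_line(audit_log1)
 #=> {"header"=>{"type"=>"SYSCALL", "msg"=>"audit(1364481363.243:24287)"},
 # "body"=>
 # {"arch"=>"c000003e",
@@ -61,4 +61,25 @@ pp AuditLogParser.parse(data)
 # "exe"=>"\"/bin/cat\"",
 # "subj"=>"unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
 # "key"=>"\"sshd_config\""}}
+
+audit_log2 = <<EOS
+type=USER_AUTH msg=audit(1364475353.159:24270): user pid=3280 uid=500 auid=500 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="root" exe="/bin/su" hostname=? addr=? terminal=pts/0 res=failed'
+EOS
+
+pp AuditLogParser.parse_line(audit_log2)
+#=> {"header"=>{"type"=>"USER_AUTH", "msg"=>"audit(1364475353.159:24270)"},
+# "body"=>
+# {"user pid"=>"3280",
+# "uid"=>"500",
+# "auid"=>"500",
+# "ses"=>"1",
+# "subj"=>"unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
+# "msg"=>
+# {"op"=>"PAM:authentication",
+# "acct"=>"\"root\"",
+# "exe"=>"\"/bin/su\"",
+# "hostname"=>"?",
+# "addr"=>"?",
+# "terminal"=>"pts/0",
+# "res"=>"failed"}}}
 ```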
data/lib/audit_log_parser.rb