audit_log_parser 0.1.1 → 0.1.2
- checksums.yaml +4 -4
- data/README.md +22 -0
- data/lib/audit_log_parser/version.rb +1 -1
- data/lib/audit_log_parser.rb +18 -8
- metadata +2 -2
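--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 77c3c23042dff6f9c55204353b0e9e2a3fc88811aa45d6c02c753353b403e23e
+data.tar.gz: c3656fa52aee2a9b29810418481eac53c477ceb66b1c62dac3c980e6e478b536
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 7457ce7a75b15c6e6c0e8557d0991588a6c871c8b806cbe7e4d3a2d89a419035d33f5c7f3c80d7c381dab5c024fa1840608f9b9f4d75fd7647118b8da53b46ac
+data.tar.gz: 92ac94104d6fbfd9d4cd136f7d373618db5dc9df3f7b819cf7e183e52ba191f25ff9c1fab659e468065792a835c6148a299b4f2b4791a016a24a2d12cef2f4fa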
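--- a/data/README.md
+++ b/data/README.md
@@ -82,4 +82,26 @@ pp AuditLogParser.parse_line(audit_log2)
 # "addr"=>"?",
 # "terminal"=>"pts/0",
 # "res"=>"failed"}}}
+
+audit_log3 = <<EOS
+type=PATH msg=audit(1364481363.243:24287): item=0 name="/etc/ssh/sshd_config" inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
+EOS
+
+pp AuditLogParser.parse_line(audit_log3, flatten: true)
+#=> {"header_type"=>"PATH",
+# "header_msg"=>"audit(1364481363.243:24287)",
+# "body_item"=>"0",
+# "body_name"=>"\"/etc/ssh/sshd_config\"",
+# "body_inode"=>"409248",
+# "body_dev"=>"fd:00",
+# "body_mode"=>"0100600",
+# "body_ouid"=>"0",
+# "body_ogid"=>"0",
+# "body_rdev"=>"00:00",
+# "body_obj"=>"system_u:object_r:etc_t:s0"}
 ```
+
+## Related Links
+
+* [7.6. Understanding Audit Log Files - Red Hat Customer Portal](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-understanding_audit_log_files)
+* [SPEC Writing Good Events · linux-audit/audit-documentation Wiki](https://github.com/linux-audit/audit-documentation/wiki/SPEC-Writing-Good-Events)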
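--- a/data/lib/audit_log_parser.rb
+++ b/data/lib/audit_log_parser.rb
@@ -4,13 +4,13 @@ require 'audit_log_parser/version'
 class AuditLogParser
 class Error < StandardError; end
 
-def self.parse(src)
+def self.parse(src, flatten: false)
 src.each_line.map do |line|
-parse_line(line)
+parse_line(line, flatten: flatten)
 end
 end
 
-def self.parse_line(line)
+def self.parse_line(line, flatten: false)
 line = line.strip
 
 if line !~ /type=\w+ msg=audit\([\d.:]+\): /
@@ -21,11 +21,8 @@ class AuditLogParser
 header.chomp!(': ')
 header = parse_header(header)
 body = parse_body(body)
-
-
-'header' => header,
-'body' => body,
-}
+result = {'header' => header, 'body' => body}
+flatten ? flatten_hash(result) : result
 end
 
 def self.parse_header(header)
@@ -83,4 +80,17 @@ class AuditLogParser
 result
 end
 private_class_method :parse_body
+
+def self.flatten_hash(h)
+h.flat_map {|key, value|
+if value.is_a?(Hash)
+flatten_hash(value).map do |sub_key, sub_value|
+["#{key}_#{sub_key}", sub_value]
+end
+else
+[[key, value]]
+end
+}.to_h
+end
+private_class_method :flatten_hash
 end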
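Review bot: `flatten_hash` in the third hunk can silently drop a field: the `.to_h` on the `flat_map` result keeps only the last pair for a duplicate key, so a nested value whose joined name (`"#{key}_#{sub_key}"`) equals an existing sibling key (say a body holding both an `a_b` field and an `a` hash with a `b` entry) overwrites it with no error, which for an audit-log parser means a record can lose data without any signal. Since the class already defines `Error`, a rewrite with `each_with_object` that raises on a collision makes the ambiguity visible instead of losing the field; the version below is the change I would make. The new `flatten:` keyword on the public `parse` and `parse_line` (first hunk) also has no documentation; a comment above `parse_line` such as `# flatten: true merges the nested 'header'/'body' hashes into one hash whose keys are joined with '_' (e.g. "body_name")` would cover both. Minor style point: the multi-line `flat_map {|key, value| ... }` brace block differs from the `do ... end` form the file uses for its other multi-line blocks.
```ruby
def self.flatten_hash(h)
  h.each_with_object({}) do |(key, value), acc|
    pairs = value.is_a?(Hash) ? flatten_hash(value).map { |k, v| ["#{key}_#{k}", v] } : [[key, value]]
    pairs.each do |k, v|
      # Two fields mapping to the same flat name would otherwise overwrite each other.
      raise Error, "duplicate key after flatten: #{k}" if acc.key?(k)
      acc[k] = v
    end
  end
end
```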
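--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: audit_log_parser
 version: !ruby/object:Gem::Version
-version: 0.1.
+version: 0.1.2
 platform: ruby
 authors:
 - winebarrel
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2018-11-
+date: 2018-11-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bundler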