audit_log_parser 0.1.1 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 44f1c148dffdd203d11a2d99dabf9f4a6c61a1d054a88d445a0da9f5e35cca65
4
- data.tar.gz: c2abf7e7037a5dab5fabbaaf2226c5e70ee57b3804a116cfc61a2a9186a8a9a4
3
+ metadata.gz: 77c3c23042dff6f9c55204353b0e9e2a3fc88811aa45d6c02c753353b403e23e
4
+ data.tar.gz: c3656fa52aee2a9b29810418481eac53c477ceb66b1c62dac3c980e6e478b536
5
5
  SHA512:
6
- metadata.gz: ce9037c3ac30c6853f173159bb062a9994bb88e056fc1605e0698ab87a2658cb7a8c1b8fda332715b102d24292dad4e4e422f8e8da6709d098c97d64d56d0594
7
- data.tar.gz: 83610302f7adb5450abf919fbf6363127739bd7128ea6c7ab4c5373557ca9a7ac9f2cfe9d714e869a7f0f7f194156a4e80c8c1198a8c5cab8b09ac5bcd3d86aa
6
+ metadata.gz: 7457ce7a75b15c6e6c0e8557d0991588a6c871c8b806cbe7e4d3a2d89a419035d33f5c7f3c80d7c381dab5c024fa1840608f9b9f4d75fd7647118b8da53b46ac
7
+ data.tar.gz: 92ac94104d6fbfd9d4cd136f7d373618db5dc9df3f7b819cf7e183e52ba191f25ff9c1fab659e468065792a835c6148a299b4f2b4791a016a24a2d12cef2f4fa
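--- a/data/README.md
+++ b/data/README.md
@@ -82,4 +82,26 @@ pp AuditLogParser.parse_line(audit_log2)
 # "addr"=>"?",
 # "terminal"=>"pts/0",
 # "res"=>"failed"}}}
+
+audit_log3 = <<EOS
+type=PATH msg=audit(1364481363.243:24287): item=0 name="/etc/ssh/sshd_config" inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
+EOS
+
+pp AuditLogParser.parse_line(audit_log3, flatten: true)
+#=> {"header_type"=>"PATH",
+# "header_msg"=>"audit(1364481363.243:24287)",
+# "body_item"=>"0",
+# "body_name"=>"\"/etc/ssh/sshd_config\"",
+# "body_inode"=>"409248",
+# "body_dev"=>"fd:00",
+# "body_mode"=>"0100600",
+# "body_ouid"=>"0",
+# "body_ogid"=>"0",
+# "body_rdev"=>"00:00",
+# "body_obj"=>"system_u:object_r:etc_t:s0"}
 ```
+
+## Related Links
+
+* [7.6. Understanding Audit Log Files - Red Hat Customer Portal](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-understanding_audit_log_files)
+* [SPEC Writing Good Events · linux-audit/audit-documentation Wiki](https://github.com/linux-audit/audit-documentation/wiki/SPEC-Writing-Good-Events)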
@@ -1,3 +1,3 @@
1
1
  class AuditLogParser
2
- VERSION = '0.1.1'
2
+ VERSION = '0.1.2'
3
3
  end
@@ -4,13 +4,13 @@ require 'audit_log_parser/version'
4
4
  class AuditLogParser
5
5
  class Error < StandardError; end
6
6
 
7
- def self.parse(src)
7
+ def self.parse(src, flatten: false)
8
8
  src.each_line.map do |line|
9
- parse_line(line)
9
+ parse_line(line, flatten: flatten)
10
10
  end
11
11
  end
12
12
 
13
- def self.parse_line(line)
13
+ def self.parse_line(line, flatten: false)
14
14
  line = line.strip
15
15
 
16
16
  if line !~ /type=\w+ msg=audit\([\d.:]+\): /
@@ -21,11 +21,8 @@ class AuditLogParser
21
21
  header.chomp!(': ')
22
22
  header = parse_header(header)
23
23
  body = parse_body(body)
24
-
25
- {
26
- 'header' => header,
27
- 'body' => body,
28
- }
24
+ result = {'header' => header, 'body' => body}
25
+ flatten ? flatten_hash(result) : result
29
26
  end
30
27
 
31
28
  def self.parse_header(header)
@@ -83,4 +80,17 @@ class AuditLogParser
83
80
  result
84
81
  end
85
82
  private_class_method :parse_body
83
+
84
+ def self.flatten_hash(h)
85
+ h.flat_map {|key, value|
86
+ if value.is_a?(Hash)
87
+ flatten_hash(value).map do |sub_key, sub_value|
88
+ ["#{key}_#{sub_key}", sub_value]
89
+ end
90
+ else
91
+ [[key, value]]
92
+ end
93
+ }.to_h
94
+ end
95
+ private_class_method :flatten_hash
86
96
  end
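Review bot: The `.to_h` that closes the new `flatten_hash` in the last hunk keeps only the last pair when two nested paths flatten to the same string, so a parsed field can be dropped silently instead of being reported; for example a body key `msg_op` and a nested `msg` hash containing `op` would both become `body_msg_op`. Whether `parse_body` can actually emit both shapes depends on its key handling, which is outside this hunk, but the README example in this same diff shows that body values are nested (`}}}`), so the flattened namespace is shared between levels and, for a parser fed log text, a lost field is harder to notice than an error. Since the class already defines its own `Error`, I would build the result with `each_with_object` and raise `Error` on a duplicate flattened key, or at minimum add `# NOTE: on a key collision the last pair wins` above the method. The rewrite below also lets `do ... end` replace the brace block, since the chained `.to_h` is gone; the added `prefix` parameter is optional, so the existing `flatten_hash(result)` call in `parse_line` is unchanged.
```ruby
def self.flatten_hash(h, prefix = nil)
  h.each_with_object({}) do |(key, value), flat|
    flat_key = prefix ? "#{prefix}_#{key}" : key
    pairs = value.is_a?(Hash) ? flatten_hash(value, flat_key) : { flat_key => value }
    pairs.each do |k, v|
      # A collision would otherwise overwrite an earlier field; fail loudly instead.
      raise Error, "duplicate key after flattening: #{k}" if flat.key?(k)
      flat[k] = v
    end
  end
end
private_class_method :flatten_hash
```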
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: audit_log_parser
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.1
4
+ version: 0.1.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - winebarrel
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2018-11-03 00:00:00.000000000 Z
11
+ date: 2018-11-08 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler