audit_log_parser 0.1.1 → 0.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 44f1c148dffdd203d11a2d99dabf9f4a6c61a1d054a88d445a0da9f5e35cca65
-  data.tar.gz: c2abf7e7037a5dab5fabbaaf2226c5e70ee57b3804a116cfc61a2a9186a8a9a4
+  metadata.gz: 77c3c23042dff6f9c55204353b0e9e2a3fc88811aa45d6c02c753353b403e23e
+  data.tar.gz: c3656fa52aee2a9b29810418481eac53c477ceb66b1c62dac3c980e6e478b536
 SHA512:
-  metadata.gz: ce9037c3ac30c6853f173159bb062a9994bb88e056fc1605e0698ab87a2658cb7a8c1b8fda332715b102d24292dad4e4e422f8e8da6709d098c97d64d56d0594
-  data.tar.gz: 83610302f7adb5450abf919fbf6363127739bd7128ea6c7ab4c5373557ca9a7ac9f2cfe9d714e869a7f0f7f194156a4e80c8c1198a8c5cab8b09ac5bcd3d86aa
+  metadata.gz: 7457ce7a75b15c6e6c0e8557d0991588a6c871c8b806cbe7e4d3a2d89a419035d33f5c7f3c80d7c381dab5c024fa1840608f9b9f4d75fd7647118b8da53b46ac
+  data.tar.gz: 92ac94104d6fbfd9d4cd136f7d373618db5dc9df3f7b819cf7e183e52ba191f25ff9c1fab659e468065792a835c6148a299b4f2b4791a016a24a2d12cef2f4fa

data/README.md

@@ -82,4 +82,26 @@ pp AuditLogParser.parse_line(audit_log2)
 #        "addr"=>"?",
 #        "terminal"=>"pts/0",
 #        "res"=>"failed"}}}
+
+audit_log3 = <<EOS
+type=PATH msg=audit(1364481363.243:24287): item=0 name="/etc/ssh/sshd_config" inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
+EOS
+
+pp AuditLogParser.parse_line(audit_log3, flatten: true)
+#=> {"header_type"=>"PATH",
+#    "header_msg"=>"audit(1364481363.243:24287)",
+#    "body_item"=>"0",
+#    "body_name"=>"\"/etc/ssh/sshd_config\"",
+#    "body_inode"=>"409248",
+#    "body_dev"=>"fd:00",
+#    "body_mode"=>"0100600",
+#    "body_ouid"=>"0",
+#    "body_ogid"=>"0",
+#    "body_rdev"=>"00:00",
+#    "body_obj"=>"system_u:object_r:etc_t:s0"}
 ```
+
+## Related Links
+
+* [7.6. Understanding Audit Log Files - Red Hat Customer Portal](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-understanding_audit_log_files)
+* [SPEC Writing Good Events · linux-audit/audit-documentation Wiki](https://github.com/linux-audit/audit-documentation/wiki/SPEC-Writing-Good-Events)

data/lib/audit_log_parser/version.rb

@@ -1,3 +1,3 @@
 class AuditLogParser
-  VERSION = '0.1.1'
+  VERSION = '0.1.2'
 end

data/lib/audit_log_parser.rb

@@ -4,13 +4,13 @@ require 'audit_log_parser/version'
 class AuditLogParser
   class Error < StandardError; end
 
-  def self.parse(src)
+  def self.parse(src, flatten: false)
     src.each_line.map do |line|
-      parse_line(line)
+      parse_line(line, flatten: flatten)
     end
   end
 
-  def self.parse_line(line)
+  def self.parse_line(line, flatten: false)
     line = line.strip
 
     if line !~ /type=\w+ msg=audit\([\d.:]+\): /
@@ -21,11 +21,8 @@ class AuditLogParser
     header.chomp!(': ')
     header = parse_header(header)
     body = parse_body(body)
-
-    {
-      'header' => header,
-      'body' => body,
-    }
+    result = {'header' => header, 'body' => body}
+    flatten ? flatten_hash(result) : result
   end
 
   def self.parse_header(header)
@@ -83,4 +80,17 @@ class AuditLogParser
     result
   end
   private_class_method :parse_body
+
+  def self.flatten_hash(h)
+    h.flat_map {|key, value|
+      if value.is_a?(Hash)
+        flatten_hash(value).map do |sub_key, sub_value|
+          ["#{key}_#{sub_key}", sub_value]
+        end
+      else
+        [[key, value]]
+      end
+    }.to_h
+  end
+  private_class_method :flatten_hash
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: audit_log_parser
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.1.2
 platform: ruby
 authors:
 - winebarrel
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2018-11-03 00:00:00.000000000 Z
+date: 2018-11-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler