dgi_audit_log_parser 1.0.1

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml ADDED
@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA256:
3
+ metadata.gz: cfe0f22dffe2af8402075e859e53a3b5d4aa7ba5069203074c984ba5f000890e
4
+ data.tar.gz: 310826d4fecd470aa4e65ebd9c3d558850ec9f98081ac1d987b51e11090212ed
5
+ SHA512:
6
+ metadata.gz: 45ec4bc87fb328a731e3188107de52c43dac50c7e3dcf2bc657f66b6c0db87be6be89f2b3cf04b4d31e83a462b48c1c9360904f8609cb5f0f7ba367bceb2405b
7
+ data.tar.gz: 1cb65f9cf7ecdb4d4e482a4f03b32360117c10f5f6b44fb0b121ba69673ea82644ae18717c561f25133df57cce3738fc4d48b4220536b2aa65a5ea2bb459d916
@@ -0,0 +1,28 @@
1
+ name: Ruby
2
+
3
+ on:
4
+ push:
5
+ branches: [ "main" ]
6
+ pull_request:
7
+ branches: [ "main" ]
8
+
9
+ permissions:
10
+ contents: read
11
+
12
+ jobs:
13
+ test:
14
+
15
+ runs-on: ubuntu-latest
16
+ strategy:
17
+ matrix:
18
+ ruby-version: ['2.6', '2.7', '3.0']
19
+
20
+ steps:
21
+ - uses: actions/checkout@v3
22
+ - name: Set up Ruby
23
+ uses: ruby/setup-ruby@v1
24
+ with:
25
+ ruby-version: ${{ matrix.ruby-version }}
26
+ bundler-cache: true # runs 'bundle install' and caches installed gems automatically
27
+ - name: Run tests
28
+ run: bundle exec rake
data/.gitignore ADDED
@@ -0,0 +1,13 @@
1
+ /.bundle/
2
+ /.yardoc
3
+ /_yardoc/
4
+ /coverage/
5
+ /doc/
6
+ /pkg/
7
+ /spec/reports/
8
+ /tmp/
9
+ Gemfile.lock
10
+ test.rb
11
+
12
+ # rspec failure tracking
13
+ .rspec_status
data/.rspec ADDED
@@ -0,0 +1,3 @@
1
+ --format documentation
2
+ --color
3
+ --require spec_helper
data/Gemfile ADDED
@@ -0,0 +1,6 @@
1
+ source "https://rubygems.org"
2
+
3
+ git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
4
+
5
+ # Specify your gem's dependencies in audit_log_parser.gemspec
6
+ gemspec
data/LICENSE.txt ADDED
@@ -0,0 +1,21 @@
1
+ The MIT License (MIT)
2
+
3
+ Copyright (c) 2018 winebarrel
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining a copy
6
+ of this software and associated documentation files (the "Software"), to deal
7
+ in the Software without restriction, including without limitation the rights
8
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
+ copies of the Software, and to permit persons to whom the Software is
10
+ furnished to do so, subject to the following conditions:
11
+
12
+ The above copyright notice and this permission notice shall be included in
13
+ all copies or substantial portions of the Software.
14
+
15
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
21
+ THE SOFTWARE.
data/README.md ADDED
@@ -0,0 +1,107 @@
1
+ # audit_log_parser
2
+
3
+ It is a library for parsing [linux's audit log](https://github.com/linux-audit/audit-documentation/wiki).
4
+
5
+ [![Gem Version](https://badge.fury.io/rb/dgi_audit_log_parser.svg)](https://badge.fury.io/rb/dgi_audit_log_parser)
6
+ [![](https://img.shields.io/badge/rubydoc-reference-blue.svg)](https://www.rubydoc.info/gems/dgi_audit_log_parser)
7
+
8
+ ## Installation
9
+
10
+ Add this line to your application's Gemfile:
11
+
12
+ ```ruby
13
+ gem 'dgi_audit_log_parser'
14
+ ```
15
+
16
+ And then execute:
17
+
18
+ $ bundle
19
+
20
+ Or install it yourself as:
21
+
22
+ $ gem install dgi_audit_log_parser
23
+
24
+ ## Usage
25
+
26
+ ```ruby
27
+ #!/usr/bin/env ruby
28
+ require 'audit_log_parser'
29
+ require 'pp'
30
+
31
+ audit_log1 = <<EOS
32
+ type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd19c5592 a1=0 a2=7fffd19c4b50 a3=a items=1 ppid=2686 pid=3538 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="cat" exe="/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="sshd_config"
33
+ EOS
34
+
35
+ pp AuditLogParser.parse_line(audit_log1)
36
+ #=> {"header"=>{"type"=>"SYSCALL", "msg"=>"audit(1364481363.243:24287)"},
37
+ # "body"=>
38
+ # {"arch"=>"c000003e",
39
+ # "syscall"=>"2",
40
+ # "success"=>"no",
41
+ # "exit"=>"-13",
42
+ # "a0"=>"7fffd19c5592",
43
+ # "a1"=>"0",
44
+ # "a2"=>"7fffd19c4b50",
45
+ # "a3"=>"a",
46
+ # "items"=>"1",
47
+ # "ppid"=>"2686",
48
+ # "pid"=>"3538",
49
+ # "auid"=>"500",
50
+ # "uid"=>"500",
51
+ # "gid"=>"500",
52
+ # "euid"=>"500",
53
+ # "suid"=>"500",
54
+ # "fsuid"=>"500",
55
+ # "egid"=>"500",
56
+ # "sgid"=>"500",
57
+ # "fsgid"=>"500",
58
+ # "tty"=>"pts0",
59
+ # "ses"=>"1",
60
+ # "comm"=>"\"cat\"",
61
+ # "exe"=>"\"/bin/cat\"",
62
+ # "subj"=>"unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
63
+ # "key"=>"\"sshd_config\""}}
64
+
65
+ audit_log2 = <<EOS
66
+ type=USER_AUTH msg=audit(1364475353.159:24270): user pid=3280 uid=500 auid=500 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="root" exe="/bin/su" hostname=? addr=? terminal=pts/0 res=failed'
67
+ EOS
68
+
69
+ pp AuditLogParser.parse_line(audit_log2)
70
+ #=> {"header"=>{"type"=>"USER_AUTH", "msg"=>"audit(1364475353.159:24270)"},
71
+ # "body"=>
72
+ # {"user pid"=>"3280",
73
+ # "uid"=>"500",
74
+ # "auid"=>"500",
75
+ # "ses"=>"1",
76
+ # "subj"=>"unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
77
+ # "msg"=>
78
+ # {"op"=>"PAM:authentication",
79
+ # "acct"=>"\"root\"",
80
+ # "exe"=>"\"/bin/su\"",
81
+ # "hostname"=>"?",
82
+ # "addr"=>"?",
83
+ # "terminal"=>"pts/0",
84
+ # "res"=>"failed"}}}
85
+
86
+ audit_log3 = <<EOS
87
+ type=PATH msg=audit(1364481363.243:24287): item=0 name="/etc/ssh/sshd_config" inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
88
+ EOS
89
+
90
+ pp AuditLogParser.parse_line(audit_log3, flatten: true)
91
+ #=> {"header_type"=>"PATH",
92
+ # "header_msg"=>"audit(1364481363.243:24287)",
93
+ # "body_item"=>"0",
94
+ # "body_name"=>"\"/etc/ssh/sshd_config\"",
95
+ # "body_inode"=>"409248",
96
+ # "body_dev"=>"fd:00",
97
+ # "body_mode"=>"0100600",
98
+ # "body_ouid"=>"0",
99
+ # "body_ogid"=>"0",
100
+ # "body_rdev"=>"00:00",
101
+ # "body_obj"=>"system_u:object_r:etc_t:s0"}
102
+ ```
103
+
104
+ ## Related Links
105
+
106
+ * [7.6. Understanding Audit Log Files - Red Hat Customer Portal](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-understanding_audit_log_files)
107
+ * [SPEC Writing Good Events · linux-audit/audit-documentation Wiki](https://github.com/linux-audit/audit-documentation/wiki/SPEC-Writing-Good-Events)
data/Rakefile ADDED
@@ -0,0 +1,6 @@
1
+ require 'bundler/gem_tasks'
2
+ require 'rspec/core/rake_task'
3
+
4
+ RSpec::Core::RakeTask.new(:spec)
5
+
6
+ task :default => :spec
@@ -0,0 +1,29 @@
1
+
2
+ lib = File.expand_path('../lib', __FILE__)
3
+ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
4
+ require 'audit_log_parser/version'
5
+
6
+ Gem::Specification.new do |spec|
7
+ spec.name = 'dgi_audit_log_parser'
8
+ spec.version = AuditLogParser::VERSION
9
+ spec.authors = ['winebarrel', 'aeber']
10
+ spec.email = ['']
11
+
12
+ spec.summary = %q{It is a library for parsing.}
13
+ spec.description = %q{It is a library for parsing.}
14
+ spec.homepage = 'https://github.com/dg-i/audit_log_parser'
15
+ spec.license = 'MIT'
16
+
17
+ # Specify which files should be added to the gem when it is released.
18
+ # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
19
+ spec.files = Dir.chdir(File.expand_path('..', __FILE__)) do
20
+ `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
21
+ end
22
+ spec.bindir = 'exe'
23
+ spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
24
+ spec.require_paths = ['lib']
25
+
26
+ spec.add_development_dependency 'bundler'
27
+ spec.add_development_dependency 'rake'
28
+ spec.add_development_dependency 'rspec', '~> 3.0'
29
+ end
data/bin/console ADDED
@@ -0,0 +1,14 @@
1
+ #!/usr/bin/env ruby
2
+
3
+ require "bundler/setup"
4
+ require "audit_log_parser"
5
+
6
+ # You can add fixtures and/or initialization code here to make experimenting
7
+ # with your gem easier. You can also use a different console, if you like.
8
+
9
+ # (If you use this, don't forget to add pry to your Gemfile!)
10
+ # require "pry"
11
+ # Pry.start
12
+
13
+ require "irb"
14
+ IRB.start(__FILE__)
data/bin/setup ADDED
@@ -0,0 +1,8 @@
1
+ #!/usr/bin/env bash
2
+ set -euo pipefail
3
+ IFS=$'\n\t'
4
+ set -vx
5
+
6
+ bundle install
7
+
8
+ # Do any other automated setup that you need to do here
@@ -0,0 +1,3 @@
1
+ class AuditLogParser
2
+ VERSION = '1.0.1'
3
+ end
@@ -0,0 +1,106 @@
1
+ require 'strscan'
2
+ require 'audit_log_parser/version'
3
+
4
+ class AuditLogParser
5
+ class Error < StandardError; end
6
+
7
+ def self.parse(src, flatten: false)
8
+ src.each_line.map do |line|
9
+ parse_line(line, flatten: flatten)
10
+ end
11
+ end
12
+
13
+ def self.parse_line(line, flatten: false)
14
+ line = line.strip
15
+
16
+ if line !~ /type=\w+ msg=audit\([\d.:]+\): */
17
+ raise Error, "Invalid audit log header: #{line.inspect}"
18
+ end
19
+
20
+ header, body = line.split(/\): */, 2)
21
+ header << ')'
22
+ header.sub!(/: *\z/, '')
23
+ header = parse_header(header)
24
+ unless body.empty?
25
+ body, enriched = body.split('\u001D', 2)
26
+ end
27
+ body = parse_body(body)
28
+ if enriched.nil?
29
+ result = {'header' => header, 'body' => body}
30
+ else
31
+ result = {'header' => header, 'body' => body, 'enriched'=>enriched.strip}
32
+ end
33
+ flatten ? flatten_hash(result) : result
34
+ end
35
+
36
+ def self.parse_header(header)
37
+ result = {}
38
+
39
+ header.split(' ').each do |kv|
40
+ key, value = kv.split('=', 2)
41
+ result[key] = value
42
+ end
43
+
44
+ result
45
+ end
46
+ private_class_method :parse_header
47
+
48
+ def self.parse_body(body)
49
+ if body.empty?
50
+ return {}
51
+ elsif !body.include?('=')
52
+ raise Error, "Invalid audit log body: #{body.inspect}"
53
+ end
54
+
55
+ result = {}
56
+ ss = StringScanner.new(body)
57
+
58
+ while key = ss.scan_until(/=/)
59
+ if key.include?(', ')
60
+ msg, key = key.split(', ', 2)
61
+ result['_message'] = msg.strip
62
+ end
63
+
64
+ key.chomp!('=').strip!
65
+ value = ss.getch
66
+
67
+ case value
68
+ when nil
69
+ break
70
+ when ' '
71
+ next
72
+ when '"'
73
+ value << ss.scan_until(/"/)
74
+ when "'"
75
+ nest = ss.scan_until(/'/)
76
+ nest.chomp!("'")
77
+ value = parse_body(nest)
78
+ else
79
+ value << ss.scan_until(/( |\z)/)
80
+ value.chomp!(' ')
81
+ end
82
+
83
+ result[key] = value
84
+ end
85
+
86
+ unless ss.rest.empty?
87
+ raise "must not happen: #{body}"
88
+ end
89
+
90
+ result
91
+ end
92
+ private_class_method :parse_body
93
+
94
+ def self.flatten_hash(h)
95
+ h.flat_map {|key, value|
96
+ if value.is_a?(Hash)
97
+ flatten_hash(value).map do |sub_key, sub_value|
98
+ ["#{key}_#{sub_key}", sub_value]
99
+ end
100
+ else
101
+ [[key, value]]
102
+ end
103
+ }.to_h
104
+ end
105
+ private_class_method :flatten_hash
106
+ end
metadata ADDED
@@ -0,0 +1,98 @@
1
+ --- !ruby/object:Gem::Specification
2
+ name: dgi_audit_log_parser
3
+ version: !ruby/object:Gem::Version
4
+ version: 1.0.1
5
+ platform: ruby
6
+ authors:
7
+ - winebarrel
8
+ - aeber
9
+ autorequire:
10
+ bindir: exe
11
+ cert_chain: []
12
+ date: 2023-10-17 00:00:00.000000000 Z
13
+ dependencies:
14
+ - !ruby/object:Gem::Dependency
15
+ name: bundler
16
+ requirement: !ruby/object:Gem::Requirement
17
+ requirements:
18
+ - - ">="
19
+ - !ruby/object:Gem::Version
20
+ version: '0'
21
+ type: :development
22
+ prerelease: false
23
+ version_requirements: !ruby/object:Gem::Requirement
24
+ requirements:
25
+ - - ">="
26
+ - !ruby/object:Gem::Version
27
+ version: '0'
28
+ - !ruby/object:Gem::Dependency
29
+ name: rake
30
+ requirement: !ruby/object:Gem::Requirement
31
+ requirements:
32
+ - - ">="
33
+ - !ruby/object:Gem::Version
34
+ version: '0'
35
+ type: :development
36
+ prerelease: false
37
+ version_requirements: !ruby/object:Gem::Requirement
38
+ requirements:
39
+ - - ">="
40
+ - !ruby/object:Gem::Version
41
+ version: '0'
42
+ - !ruby/object:Gem::Dependency
43
+ name: rspec
44
+ requirement: !ruby/object:Gem::Requirement
45
+ requirements:
46
+ - - "~>"
47
+ - !ruby/object:Gem::Version
48
+ version: '3.0'
49
+ type: :development
50
+ prerelease: false
51
+ version_requirements: !ruby/object:Gem::Requirement
52
+ requirements:
53
+ - - "~>"
54
+ - !ruby/object:Gem::Version
55
+ version: '3.0'
56
+ description: It is a library for parsing.
57
+ email:
58
+ - ''
59
+ executables: []
60
+ extensions: []
61
+ extra_rdoc_files: []
62
+ files:
63
+ - ".github/workflows/ruby.yml"
64
+ - ".gitignore"
65
+ - ".rspec"
66
+ - Gemfile
67
+ - LICENSE.txt
68
+ - README.md
69
+ - Rakefile
70
+ - audit_log_parser.gemspec
71
+ - bin/console
72
+ - bin/setup
73
+ - lib/audit_log_parser.rb
74
+ - lib/audit_log_parser/version.rb
75
+ homepage: https://github.com/dg-i/audit_log_parser
76
+ licenses:
77
+ - MIT
78
+ metadata: {}
79
+ post_install_message:
80
+ rdoc_options: []
81
+ require_paths:
82
+ - lib
83
+ required_ruby_version: !ruby/object:Gem::Requirement
84
+ requirements:
85
+ - - ">="
86
+ - !ruby/object:Gem::Version
87
+ version: '0'
88
+ required_rubygems_version: !ruby/object:Gem::Requirement
89
+ requirements:
90
+ - - ">="
91
+ - !ruby/object:Gem::Version
92
+ version: '0'
93
+ requirements: []
94
+ rubygems_version: 3.3.25
95
+ signing_key:
96
+ specification_version: 4
97
+ summary: It is a library for parsing.
98
+ test_files: []