AuditCtl - command auditctl xxx
This module contains the following parsers:
AuditRules - command auditctl -l
AuditStatus - command auditctl -s
class insights.parsers.auditctl.AuditRules(context, extra_bad_lines=None)
Bases: CommandParser, list
Class for parsing the auditctl -l command. All lines are stored in a list.
Typical output of the command is:
-w /etc/selinux -p wa -k MAC-policy
-a always,exit -F arch=b32 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=access
-a always,exit -F arch=b64 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=access
-a always,exit -F arch=b32 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access
-a always,exit -F arch=b64 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access
-a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=access
-a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=access
-a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access
-a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access
Examples
>>> type(audit_rules)
<class 'insights.parsers.auditctl.AuditRules'>
>>> len(audit_rules)
9
>>> '-w /etc/selinux -p wa -k MAC-policy' in audit_rules
True
Raises: SkipComponent -- when the command output contains no rules.
class insights.parsers.auditctl.AuditStatus(context, extra_bad_lines=None)
Bases: CommandParser, dict
Class for parsing the output of the auditctl -s command. Each reported field is stored as a dict key. Typical output on RHEL6 looks like:
AUDIT_STATUS: enabled=1 flag=1 pid=1483 rate_limit=0 backlog_limit=8192 lost=3 backlog=0
On RHEL7 and later, the output changes to one field per line:
enabled 1
failure 1
pid 947
rate_limit 0
backlog_limit 320
lost 0
backlog 0
loginuid_immutable 0 unlocked
Example
>>> type(auds)
<class 'insights.parsers.auditctl.AuditStatus'>
>>> "enabled" in auds
True
>>> auds['enabled']
1
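The two auditctl -s layouts above, and the rule list from auditctl -l, are easy to get wrong when a tool only expects one of them. The following is an added, stand-alone example (not code from insights-core) that parses both status formats into a dict, turns the rule listing into a list, and runs the checks a defender usually wants from this data: auditing enabled, no lost events, and the expected watch rules loaded. The sample outputs are constructed for the example; the "_state" key for the trailing word on the loginuid_immutable line is this example's own convention.

```python
# Constructed sample of RHEL6-style `auditctl -s` output (one AUDIT_STATUS line).
RHEL6_STATUS = ("AUDIT_STATUS: enabled=1 flag=1 pid=1483 rate_limit=0 "
                "backlog_limit=8192 lost=3 backlog=0")

# Constructed sample of RHEL7+-style `auditctl -s` output (one field per line).
RHEL7_STATUS = """enabled 1
failure 1
pid 947
rate_limit 0
backlog_limit 320
lost 0
backlog 0
loginuid_immutable 0 unlocked
"""

def parse_audit_status(output):
    """Return {field: value} from `auditctl -s` in either the RHEL6 or RHEL7+ layout."""
    lines = [l.strip() for l in output.splitlines() if l.strip()]
    if not lines:
        raise ValueError("no auditctl -s output")  # nothing to parse, like the SkipComponent case
    status = {}
    if lines[0].startswith("AUDIT_STATUS:"):
        # RHEL6: everything after the colon is a run of key=value tokens
        for tok in lines[0].split(":", 1)[1].split():
            key, val = tok.split("=", 1)
            status[key] = int(val)
        return status
    for line in lines:
        # RHEL7+: "key value", with an optional trailing state word ("0 unlocked")
        parts = line.split()
        status[parts[0]] = int(parts[1])
        if len(parts) > 2:
            status[parts[0] + "_state"] = " ".join(parts[2:])  # example's own convention
    return status

def parse_audit_rules(output):
    """Return the non-empty lines of `auditctl -l` as a list of rule strings."""
    return [l.strip() for l in output.splitlines() if l.strip()]

def audit_findings(status, rules, required_rules):
    """Checks over the parsed data: auditing on, no dropped events, required rules present."""
    findings = []
    if status.get("enabled") != 1:
        findings.append("auditing is not enabled")
    if int(status.get("lost", 0)) > 0:
        findings.append("%s events lost (backlog_limit=%s)" % (status["lost"], status.get("backlog_limit")))
    findings.extend("missing rule: " + r for r in required_rules if r not in rules)
    return findings
```

A non-zero lost counter means the kernel dropped audit records before auditd could write them, so the rule list alone does not prove coverage.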