AuditCtl - command auditctl xxx

This module contains the following parsers:

AuditRules - command auditctl -l

AuditStatus - command auditctl -s

class insights.parsers.auditctl.AuditRules(context, extra_bad_lines=None)[source]

Bases: CommandParser, list

Class for parsing the auditctl -l command. All lines are stored in a list.

Typical output of the command is:

-w /etc/selinux -p wa -k MAC-policy
-a always,exit -F arch=b32 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=access
-a always,exit -F arch=b64 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=access
-a always,exit -F arch=b32 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access
-a always,exit -F arch=b64 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access
-a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=access
-a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=access
-a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access
-a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access

Examples

>>> type(audit_rules)
<class 'insights.parsers.auditctl.AuditRules'>
>>> len(audit_rules)
9
>>> '-w /etc/selinux -p wa -k MAC-policy' in audit_rules
True
Raises:

SkipComponent -- When there are not rules.

parse_content(content)[source]

This method must be implemented by classes based on this class.

class insights.parsers.auditctl.AuditStatus(context, extra_bad_lines=None)[source]

Bases: CommandParser, dict

Module for parsing the output of the auditctl -s command.

Typical output on RHEL6 looks like:

AUDIT_STATUS: enabled=1 flag=1 pid=1483 rate_limit=0 backlog_limit=8192 lost=3 backlog=0

, while on RHEL7 and later, the output changes to:

enabled 1
failure 1
pid 947
rate_limit 0
backlog_limit 320
lost 0
backlog 0
loginuid_immutable 0 unlocked

Example

>>> type(auds)
<class 'insights.parsers.auditctl.AuditStatus'>
>>> "enabled" in auds
True
>>> auds['enabled']
1
parse_content(content)[source]

This method must be implemented by classes based on this class.