-
Notifications
You must be signed in to change notification settings - Fork 1.2k
/
Copy pathaudit_check.go
103 lines (87 loc) · 2.56 KB
/
audit_check.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
// Unless explicitly stated otherwise all files in this repository are licensed
// under the Apache License Version 2.0.
// This product includes software developed at Datadog (https://www.datadoghq.com/).
// Copyright 2016-present Datadog, Inc.
package checks
import (
"context"
"fmt"
"os"
"github.com/DataDog/datadog-agent/pkg/compliance"
"github.com/DataDog/datadog-agent/pkg/compliance/checks/env"
"github.com/DataDog/datadog-agent/pkg/compliance/eval"
"github.com/DataDog/datadog-agent/pkg/util/log"
"github.com/elastic/go-libaudit/rule"
)
var auditReportedFields = []string{
compliance.AuditFieldPath,
compliance.AuditFieldEnabled,
compliance.AuditFieldPermissions,
}
func resolveAudit(_ context.Context, e env.Env, ruleID string, res compliance.ResourceCommon, rego bool) (resolved, error) {
if res.Audit == nil {
return nil, fmt.Errorf("%s: expecting audit resource in audit check", ruleID)
}
audit := res.Audit
client := e.AuditClient()
if client == nil {
return nil, fmt.Errorf("audit client not configured")
}
path, err := resolvePath(e, audit.Path)
if err != nil {
return nil, err
}
normPath := e.NormalizeToHostRoot(path)
if _, err := os.Stat(normPath); err != nil && os.IsNotExist(err) {
return nil, fmt.Errorf("%s: audit resource path does not exist", ruleID)
}
paths := []string{path}
log.Debugf("%s: evaluating audit rules", ruleID)
auditRules, err := client.GetFileWatchRules()
if err != nil {
return nil, err
}
var instances []eval.Instance
for _, auditRule := range auditRules {
for _, path := range paths {
if auditRule.Path != path {
continue
}
log.Debugf("%s: audit check - match %s", ruleID, path)
auditPermissions := auditPermissionsString(auditRule)
instances = append(instances, newResolvedInstance(
eval.NewInstance(
eval.VarMap{
compliance.AuditFieldPath: path,
compliance.AuditFieldEnabled: true,
compliance.AuditFieldPermissions: auditPermissions,
},
nil,
eval.RegoInputMap{
"path": path,
"enabled": true,
"permissions": auditPermissions,
},
),
auditRule.Path, "audit"),
)
}
}
return newResolvedIterator(newInstanceIterator(instances)), nil
}
func auditPermissionsString(r *rule.FileWatchRule) string {
permissions := ""
for _, p := range r.Permissions {
switch p {
case rule.ReadAccessType:
permissions += "r"
case rule.WriteAccessType:
permissions += "w"
case rule.ExecuteAccessType:
permissions += "e"
case rule.AttributeChangeAccessType:
permissions += "a"
}
}
return permissions
}