utils.unix.audit_rule_parser module

class utils.unix.audit_rule_parser.AuditRuleParser(syscalls, arches, auids=None, actions=None)

Bases: object

add_rule(rule)

Add a rule to the parser and parse it.

Parameters: rule (str): The audit rule to add and parse.

check_missing_syscalls_and_auids()

Compare the parsed rules against the expected syscalls, auids, and actions (the values given to the constructor) and report which of them no parsed rule covers.

Returns: tuple: A dictionary of missing syscalls, a dictionary of missing auids, and a dictionary of missing actions, in that order.

get_value(key, rule_index=0)

Get the value of a specific component from a parsed rule.

Parameters: key (str): The component key to retrieve (e.g., ‘arch’, ‘syscalls’). rule_index (int): The index of the rule among those added with add_rule(); defaults to 0, the first rule.

Returns: str or list: The value of the requested component or None if not found.

normalize_auid_value(auid)

Normalize the auid value. Treat ‘unset’, ‘-1’, and ‘4294967295’ as equivalent: all three spell the kernel's "no login UID set" sentinel (4294967295 is 2**32 - 1, i.e. (uid_t)-1, which auditctl displays as ‘unset’). Normalizing before comparison keeps ‘-F auid!=-1’ and ‘-F auid!=unset’ from being treated as different filters.

Parameters: auid (str): The auid value to normalize.

Returns: str: The normalized auid value.

parse_rule(rule)

Parse a single audit rule string into its components (for example the arch and syscall list, retrievable afterwards with get_value()).

Parameters: rule (str): The audit rule to parse.

Returns: dict: A dictionary containing the parsed components of the rule.
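The following is an added, self-contained illustration of what parse_rule(), normalize_auid_value() and check_missing_syscalls_and_auids() do; it is not the code of utils.unix.audit_rule_parser. It parses rules in the auditctl/audit.rules syntax (e.g. -a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=unset -k exec), collapses the three spellings of the unset auid, and reports per-arch gaps against a required baseline. The class and function names (AuditRuleChecker, parse_audit_rule, normalize_auid), the returned dict layout and the shape of the "missing" dicts are assumptions made for this example, as is the sample rules file, which is constructed and not taken from any host.

```python
"""Added example (not the project's code): a minimal parser and gap-checker
for auditd syscall rules in the auditctl/audit.rules syntax. Names, dict
layout and the "missing" dict shapes are assumptions for this illustration.
"""
import re
import shlex

# The kernel's "no login UID set" sentinel: 4294967295 is 2**32 - 1, i.e.
# (uid_t)-1. auditctl prints it as "unset"; older rules write -1 or the number.
UNSET_AUID_SPELLINGS = {"unset", "-1", "4294967295"}

# Control commands and file watches are not syscall rules; they are skipped.
NON_SYSCALL_OPTS = {"-D", "-b", "-f", "-e", "-r", "-c", "-i", "-w", "--backlog_wait_time"}

# name, comparison operator, value of a -F field (e.g. auid>=1000, exit=-EACCES)
FIELD_RE = re.compile(r"^(\w+)(!=|>=|<=|&=|=|>|<|&)(.+)$")


def normalize_auid(auid):
    """Collapse the three spellings of the unset auid to the token 'unset'."""
    auid = auid.strip()
    return "unset" if auid in UNSET_AUID_SPELLINGS else auid


def parse_audit_rule(rule):
    """Parse one rule line; return None for blank, comment, control or watch lines."""
    tokens = shlex.split(rule, comments=True)
    if not tokens or tokens[0] in NON_SYSCALL_OPTS:
        return None
    parsed = {"action": None, "list": None, "arch": None,
              "syscalls": [], "auids": [], "fields": {}, "key": None}
    for i in range(0, len(tokens), 2):
        opt = tokens[i]
        if i + 1 >= len(tokens):
            raise ValueError(f"option {opt!r} lacks an argument: {rule!r}")
        arg = tokens[i + 1]
        if opt in ("-a", "-A"):
            first, _, second = arg.partition(",")
            # auditctl accepts both action,list and list,action
            if first in ("always", "never"):
                parsed["action"], parsed["list"] = first, second
            else:
                parsed["action"], parsed["list"] = second, first
        elif opt == "-S":
            parsed["syscalls"].extend(s for s in arg.split(",") if s)
        elif opt == "-F":
            m = FIELD_RE.match(arg)
            if not m:
                raise ValueError(f"malformed -F field {arg!r} in {rule!r}")
            name, op, value = m.groups()
            if name == "arch":
                parsed["arch"] = value
            elif name == "auid":
                parsed["auids"].append((op, normalize_auid(value)))
            elif name == "key":
                parsed["key"] = value
            else:
                parsed["fields"][name] = (op, value)
        elif opt == "-k":
            parsed["key"] = arg
        else:
            raise ValueError(f"unsupported option {opt!r} in {rule!r}")
    if parsed["action"] not in ("always", "never"):
        raise ValueError(f"rule has no valid -a action: {rule!r}")
    return parsed


class AuditRuleChecker:
    """Collect syscall rules and report per-arch gaps against a required baseline."""

    def __init__(self, syscalls, arches, auids=None, actions=None):
        self.syscalls = set(syscalls)
        self.arches = set(arches)
        self.auids = {normalize_auid(a) for a in (auids or [])}
        self.actions = set(actions or [])
        self.rules = []

    def add_rules(self, lines):
        self.rules.extend(p for p in map(parse_audit_rule, lines) if p is not None)

    def check_missing(self):
        """Return (missing_syscalls, missing_auids, missing_actions): each maps an
        arch to the sorted required items that no rule for that arch contains."""
        missing_syscalls, missing_auids, missing_actions = {}, {}, {}
        for arch in sorted(self.arches):
            rules = [r for r in self.rules if r["arch"] == arch]
            seen = (({s for r in rules for s in r["syscalls"]}, self.syscalls, missing_syscalls),
                    ({v for r in rules for _, v in r["auids"]}, self.auids, missing_auids),
                    ({r["action"] for r in rules}, self.actions, missing_actions))
            for have, required, gaps in seen:
                if required - have:
                    gaps[arch] = sorted(required - have)
        return missing_syscalls, missing_auids, missing_actions


# Constructed sample audit.rules content for the example (not from a real host).
SAMPLE_RULES = """
-D
-b 8192
-w /etc/sudoers -p wa -k scope
-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=unset -k exec
-a exit,always -F arch=b32 -S execve -F auid>=1000 -F auid!=4294967295 -k exec
-a always,exit -F arch=b64 -S open,openat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k access
""".strip().splitlines()


def demo():
    """Baseline: four syscalls on both arches, filters on unset and root auids."""
    checker = AuditRuleChecker(syscalls=["execve", "open", "openat", "unlink"],
                               arches=["b64", "b32"], auids=["unset", "0"],
                               actions=["always"])
    checker.add_rules(SAMPLE_RULES)
    return checker.check_missing()


if __name__ == "__main__":
    for name, gaps in zip(("syscalls", "auids", "actions"), demo()):
        print(f"missing {name}: {gaps}")
```

Because auid filters are normalized as they are parsed, the b64 and b32 execve rules above count as carrying the same ‘auid!=unset’ filter even though one writes -1, one 4294967295 and one ‘unset’; without that step a checker would report a spurious gap on two of the three rules. Note also that the gaps are reported per arch: a 64-bit host without a matching b32 rule leaves 32-bit binaries unaudited, which is exactly the kind of omission this check is meant to surface.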