Created a rules class to contain the rule generation logic.

May need to create a second class for the elastalert rules which contains the elastalert/templates/config.yaml.erb boilerplate

lib/helpers/rules.rb

@@ -0,0 +1,52 @@
+require_relative './print.rb'
+class Rules
+
+  # Generate audit and alerting rules
+
+  # @type current valid values are ['elastalert', 'auditbeat']
+  def self.generate_rules(type, mod)
+    rules = []
+    if type == 'elastalert'
+      mod.goals.keys.each do |key|
+        case key
+        when 'read_file'
+        when 'write_file'
+        when 'access_account'
+        else
+        end
+      end
+    elsif type == 'auditbeat'
+      mod.goals.keys.each do |key|
+        case key
+        when 'read_file'
+          # Generate auditbeat read_file rules based on paths
+          read_files = mod.goals[key]
+          read_files.each do |path|
+            rules << greedy_auditbeat_rule(path, 'r')
+          end
+        when 'write_file'
+          # TODO: do something
+          read_files = mod.goals[key]
+          read_files.each do |path|
+            rules << greedy_auditbeat_rule(path, 'w')
+          end
+        when 'access_account'
+        else
+          Print.err('Unknown goal type')
+          raise
+        end
+      end
+    else
+      Print.err("Error, no valid rule type specified")
+      raise
+    end
+    rules.join("\n")
+  end
+
+  # Generates a greedy read or write rule for auditbeat (e.g. /home/user/file_name resolves to /home)
+  def self.greedy_auditbeat_rule(path, r_w)
+    base_path = path.split('/')[0..1].join('/') + '/'
+    key = base_path.gsub(/[^A-Za-z0-9\-\_]/, '')
+    "-w #{base_path} -p -#{r_w} -k #{key}"
+  end
+end

lib/output/project_files_creator.rb

@@ -1,5 +1,6 @@
 require 'erb'
 require_relative '../helpers/constants.rb'
+require_relative '../helpers/rules.rb'
 require_relative 'xml_scenario_generator.rb'
 require_relative 'xml_marker_generator.rb'
 require_relative 'ctfd_generator.rb'
@@ -109,11 +110,18 @@ class ProjectFilesCreator
         end
       end
 
-      # Create auto-grading rules file from goals for each VM
-      rules_file = "#{path}/modules/auditbeat/files/secgen_rules_file.yaml"
-      Print.std "Creating Autograding rules file: #{rules_file}"
-      template_based_file_write(GRADING_RULES_TEMPLATE_FILE , rules_file)
-      # TODO: Need to create elastalert audit rules.yaml also
+      # Create auto-grading config files
+
+      # auditbeat_rules_file = "#{path}/modules/auditbeat/files/secgen_rules_file.yaml"   -- TODO: Add me back in once the rules look correct
+      @rule_type = 'auditbeat'
+      auditbeat_rules_file = "#{path}/auditbeat_rules_file.yaml"
+      Print.std "Creating client side auditing rules: #{auditbeat_rules_file}"
+      template_based_file_write(GRADING_RULES_TEMPLATE_FILE, auditbeat_rules_file)
+
+      @rule_type = 'elastalert'
+      elastalert_rules_file = "#{path}/elastalert_rules_file.yaml"
+      Print.std "Creating server side alerting rules: #{auditbeat_rules_file}"
+      template_based_file_write(GRADING_RULES_TEMPLATE_FILE, elastalert_rules_file)
 
     end
 

lib/templates/goal_rules.erb

@@ -1,14 +1,6 @@
+<% require './lib/helpers/rules'-%>
 <% @currently_processing_system.module_selections.each do |module_selection| -%>
-<%   if module_selection.goals != [] -%>
-<%     if module_selection.goals['read_file'] -%>
-<%        module_selection.goals['read_file'].each do |rf_path| -%>
-<%=         "-w #{rf_path} -p -r -k #{module_selection.get_unique_rule_id(@options[:prefix], @currently_processing_system.name, 'rf', rf_path)}" %>
-<%        end -%>
-<%     end -%>
-<%#     if module_selection.goals['access_account'] -%>
-<%#        module_selection.goals['access_account'].each do |aa_value| -%>
-<%#=         ""-%>
-<%#        end -%>
-<%#     end -%>
+<%   if module_selection.goals != {} -%>
+<%=     Rules.generate_rules(@rule_type, module_selection) %>
 <%   end -%>
 <% end -%>

modules/utilities/unix/logging/elastalert/templates/config.yaml.erb

@@ -5,7 +5,7 @@ rules_folder: /opt/elastalert/rules/
 # How often ElastAlert will query Elasticsearch
 # The unit can be anything from weeks to seconds
 run_every:
-  seconds: 2
+  seconds: 1
 
 # ElastAlert will buffer results from the most recent
 # period of time, in case some log sources are not in real time