|
 |
575137 |
diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order
|
|
|
575137 |
index 8178c94e11..7329aa8b4e 100644
|
|
|
575137 |
--- a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order
|
|
|
575137 |
+++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order
|
|
|
575137 |
@@ -64,11 +64,6 @@
|
|
|
575137 |
<value>[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>
|
|
|
575137 |
</constant_variable>
|
|
|
575137 |
|
|
|
575137 |
-
|
|
|
575137 |
- <constant_variable id="var_audit_rule_{{{ SYSCALL }}}_order_separator_regex" version="1" datatype="string" comment="audit rule auid and key">
|
|
|
575137 |
- <value>(?:[^.]|\.\s)*</value>
|
|
|
575137 |
- </constant_variable>
|
|
|
575137 |
-
|
|
|
575137 |
|
|
|
575137 |
<local_variable id="var_audit_rule_{{{ SYSCALL }}}_order_32bit_a20100_eacces_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
575137 |
<concat>
|
|
|
575137 |
@@ -183,13 +178,25 @@
|
|
|
575137 |
|
|
|
575137 |
<local_variable id="var_arufm_rule_order_32bit_{{{ SYSCALL }}}_eacces_augenrules_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
575137 |
<concat>
|
|
|
575137 |
+
|
|
|
575137 |
+ <literal_component>^</literal_component>
|
|
|
575137 |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_32bit_a20100_eacces_augenrules" />
|
|
|
575137 |
+ <literal_component>$\n(^(?!</literal_component>
|
|
|
575137 |
<object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_32bit_a20100_eacces_augenrules" />
|
|
|
575137 |
- <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_separator_regex" />
|
|
|
575137 |
+ <literal_component>|</literal_component>
|
|
|
575137 |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_nofilter_32bit_eacces_augenrules" />
|
|
|
575137 |
+ <literal_component>).*$\n)*^</literal_component>
|
|
|
575137 |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_32bit_a201003_eacces_augenrules" />
|
|
|
575137 |
+ <literal_component>$\n(^(?!</literal_component>
|
|
|
575137 |
<object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_32bit_a201003_eacces_augenrules" />
|
|
|
575137 |
- <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_separator_regex" />
|
|
|
575137 |
+ <literal_component>|</literal_component>
|
|
|
575137 |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_32bit_a20100_eacces_augenrules" />
|
|
|
575137 |
+ <literal_component>).*$\n)*^</literal_component>
|
|
|
575137 |
<object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_nofilter_32bit_eacces_augenrules" />
|
|
|
575137 |
+ <literal_component>$</literal_component>
|
|
|
575137 |
</concat>
|
|
|
575137 |
</local_variable>
|
|
|
575137 |
+
|
|
|
575137 |
|
|
|
575137 |
comment="defined audit rule must exist" id="test_arufm_{{{ SYSCALL }}}_order_32bit_eacces_augenrules" version="1">
|
|
|
575137 |
<ind:object object_ref="object_arufm_{{{ SYSCALL }}}_order_32bit_eacces_augenrules" />
|
|
|
575137 |
@@ -222,13 +229,25 @@
|
|
|
575137 |
|
|
|
575137 |
<local_variable id="var_arufm_rule_order_32bit_{{{ SYSCALL }}}_eperm_augenrules_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
575137 |
<concat>
|
|
|
575137 |
+
|
|
|
575137 |
+ <literal_component>^</literal_component>
|
|
|
575137 |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_32bit_a20100_eperm_augenrules" />
|
|
|
575137 |
+ <literal_component>$\n(^(?!</literal_component>
|
|
|
575137 |
<object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_32bit_a20100_eperm_augenrules" />
|
|
|
575137 |
- <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_separator_regex" />
|
|
|
575137 |
+ <literal_component>|</literal_component>
|
|
|
575137 |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_nofilter_32bit_eperm_augenrules" />
|
|
|
575137 |
+ <literal_component>).*$\n)*^</literal_component>
|
|
|
575137 |
<object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_32bit_a201003_eperm_augenrules" />
|
|
|
575137 |
- <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_separator_regex" />
|
|
|
575137 |
+ <literal_component>$\n(^(?!</literal_component>
|
|
|
575137 |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_32bit_a201003_eperm_augenrules" />
|
|
|
575137 |
+ <literal_component>|</literal_component>
|
|
|
575137 |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_32bit_a20100_eperm_augenrules" />
|
|
|
575137 |
+ <literal_component>).*$\n)*^</literal_component>
|
|
|
575137 |
<object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_nofilter_32bit_eperm_augenrules" />
|
|
|
575137 |
+ <literal_component>$</literal_component>
|
|
|
575137 |
</concat>
|
|
|
575137 |
</local_variable>
|
|
|
575137 |
+
|
|
|
575137 |
|
|
|
575137 |
comment="defined audit rule must exist" id="test_arufm_{{{ SYSCALL }}}_order_32bit_eperm_augenrules" version="1">
|
|
|
575137 |
<ind:object object_ref="object_arufm_{{{ SYSCALL }}}_order_32bit_eperm_augenrules" />
|
|
|
575137 |
@@ -261,13 +280,25 @@
|
|
|
575137 |
|
|
|
575137 |
<local_variable id="var_arufm_rule_order_64bit_{{{ SYSCALL }}}_eacces_augenrules_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
575137 |
<concat>
|
|
|
575137 |
+
|
|
|
575137 |
+ <literal_component>^</literal_component>
|
|
|
575137 |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_64bit_a20100_eacces_augenrules" />
|
|
|
575137 |
+ <literal_component>$\n(^(?!</literal_component>
|
|
|
575137 |
<object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_64bit_a20100_eacces_augenrules" />
|
|
|
575137 |
- <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_separator_regex" />
|
|
|
575137 |
+ <literal_component>|</literal_component>
|
|
|
575137 |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_nofilter_64bit_eacces_augenrules" />
|
|
|
575137 |
+ <literal_component>).*$\n)*^</literal_component>
|
|
|
575137 |
<object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_64bit_a201003_eacces_augenrules" />
|
|
|
575137 |
- <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_separator_regex" />
|
|
|
575137 |
+ <literal_component>$\n(^(?!</literal_component>
|
|
|
575137 |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_64bit_a201003_eacces_augenrules" />
|
|
|
575137 |
+ <literal_component>|</literal_component>
|
|
|
575137 |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_64bit_a20100_eacces_augenrules" />
|
|
|
575137 |
+ <literal_component>).*$\n)*^</literal_component>
|
|
|
575137 |
<object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_nofilter_64bit_eacces_augenrules" />
|
|
|
575137 |
+ <literal_component>$</literal_component>
|
|
|
575137 |
</concat>
|
|
|
575137 |
</local_variable>
|
|
|
575137 |
+
|
|
|
575137 |
|
|
|
575137 |
comment="defined audit rule must exist" id="test_arufm_{{{ SYSCALL }}}_order_64bit_eacces_augenrules" version="1">
|
|
|
575137 |
<ind:object object_ref="object_arufm_{{{ SYSCALL }}}_order_64bit_eacces_augenrules" />
|
|
|
575137 |
@@ -300,13 +331,25 @@
|
|
|
575137 |
|
|
|
575137 |
<local_variable id="var_arufm_rule_order_64bit_{{{ SYSCALL }}}_eperm_augenrules_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
575137 |
<concat>
|
|
|
575137 |
+
|
|
|
575137 |
+ <literal_component>^</literal_component>
|
|
|
575137 |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_64bit_a20100_eperm_augenrules" />
|
|
|
575137 |
+ <literal_component>$\n(^(?!</literal_component>
|
|
|
575137 |
<object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_64bit_a20100_eperm_augenrules" />
|
|
|
575137 |
- <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_separator_regex" />
|
|
|
575137 |
+ <literal_component>|</literal_component>
|
|
|
575137 |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_nofilter_64bit_eperm_augenrules" />
|
|
|
575137 |
+ <literal_component>).*$\n)*^</literal_component>
|
|
|
575137 |
<object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_64bit_a201003_eperm_augenrules" />
|
|
|
575137 |
- <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_separator_regex" />
|
|
|
575137 |
+ <literal_component>$\n(^(?!</literal_component>
|
|
|
575137 |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_64bit_a201003_eperm_augenrules" />
|
|
|
575137 |
+ <literal_component>|</literal_component>
|
|
|
575137 |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_64bit_a20100_eperm_augenrules" />
|
|
|
575137 |
+ <literal_component>).*$\n)*^</literal_component>
|
|
|
575137 |
<object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_nofilter_64bit_eperm_augenrules" />
|
|
|
575137 |
+ <literal_component>$</literal_component>
|
|
|
575137 |
</concat>
|
|
|
575137 |
</local_variable>
|
|
|
575137 |
+
|
|
|
575137 |
|
|
|
575137 |
comment="defined audit rule must exist" id="test_arufm_{{{ SYSCALL }}}_order_64bit_eperm_augenrules" version="1">
|
|
|
575137 |
<ind:object object_ref="object_arufm_{{{ SYSCALL }}}_order_64bit_eperm_augenrules" />
|
|
|
575137 |
@@ -339,13 +382,25 @@
|
|
|
575137 |
|
|
|
575137 |
<local_variable id="var_arufm_rule_order_32bit_{{{ SYSCALL }}}_auditctl_eacces_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
575137 |
<concat>
|
|
|
575137 |
+
|
|
|
575137 |
+ <literal_component>^</literal_component>
|
|
|
575137 |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_32bit_a20100_eacces_auditctl" />
|
|
|
575137 |
+ <literal_component>$\n(^(?!</literal_component>
|
|
|
575137 |
<object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_32bit_a20100_eacces_auditctl" />
|
|
|
575137 |
- <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_separator_regex" />
|
|
|
575137 |
+ <literal_component>|</literal_component>
|
|
|
575137 |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_nofilter_32bit_eacces_auditctl" />
|
|
|
575137 |
+ <literal_component>).*$\n)*^</literal_component>
|
|
|
575137 |
<object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_32bit_a201003_eacces_auditctl" />
|
|
|
575137 |
- <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_separator_regex" />
|
|
|
575137 |
+ <literal_component>$\n(^(?!</literal_component>
|
|
|
575137 |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_32bit_a201003_eacces_auditctl" />
|
|
|
575137 |
+ <literal_component>|</literal_component>
|
|
|
575137 |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_32bit_a20100_eacces_auditctl" />
|
|
|
575137 |
+ <literal_component>).*$\n)*^</literal_component>
|
|
|
575137 |
<object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_nofilter_32bit_eacces_auditctl" />
|
|
|
575137 |
+ <literal_component>$</literal_component>
|
|
|
575137 |
</concat>
|
|
|
575137 |
</local_variable>
|
|
|
575137 |
+
|
|
|
575137 |
|
|
|
575137 |
comment="defined audit rule must exist" id="test_arufm_{{{ SYSCALL }}}_order_32bit_eacces_auditctl" version="1">
|
|
|
575137 |
<ind:object object_ref="object_arufm_{{{ SYSCALL }}}_order_32bit_eacces_auditctl" />
|
|
|
575137 |
@@ -379,13 +434,25 @@
|
|
|
575137 |
|
|
|
575137 |
<local_variable id="var_arufm_rule_order_32bit_{{{ SYSCALL }}}_auditctl_eperm_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
575137 |
<concat>
|
|
|
575137 |
+
|
|
|
575137 |
+ <literal_component>^</literal_component>
|
|
|
575137 |
<object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_32bit_a20100_eperm_auditctl" />
|
|
|
575137 |
- <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_separator_regex" />
|
|
|
575137 |
+ <literal_component>$\n(^(?!</literal_component>
|
|
|
575137 |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_32bit_a20100_eperm_auditctl" />
|
|
|
575137 |
+ <literal_component>|</literal_component>
|
|
|
575137 |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_nofilter_32bit_eperm_auditctl" />
|
|
|
575137 |
+ <literal_component>).*$\n)*^</literal_component>
|
|
|
575137 |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_32bit_a201003_eperm_auditctl" />
|
|
|
575137 |
+ <literal_component>$\n(^(?!</literal_component>
|
|
|
575137 |
<object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_32bit_a201003_eperm_auditctl" />
|
|
|
575137 |
- <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_separator_regex" />
|
|
|
575137 |
+ <literal_component>|</literal_component>
|
|
|
575137 |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_32bit_a20100_eperm_auditctl" />
|
|
|
575137 |
+ <literal_component>).*$\n)*^</literal_component>
|
|
|
575137 |
<object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_nofilter_32bit_eperm_auditctl" />
|
|
|
575137 |
+ <literal_component>$</literal_component>
|
|
|
575137 |
</concat>
|
|
|
575137 |
</local_variable>
|
|
|
575137 |
+
|
|
|
575137 |
|
|
|
575137 |
comment="Test order of audit 32bit auditctl eperm rules order" id="test_arufm_{{{ SYSCALL }}}_order_32bit_eperm_auditctl" version="1">
|
|
|
575137 |
<ind:object object_ref="object_arufm_{{{ SYSCALL }}}_order_32bit_eperm_auditctl" />
|
|
|
575137 |
@@ -418,13 +485,25 @@
|
|
|
575137 |
|
|
|
575137 |
<local_variable id="var_arufm_{{{ SYSCALL }}}_order_64bit_auditctl_eacces_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
575137 |
<concat>
|
|
|
575137 |
+
|
|
|
575137 |
+ <literal_component>^</literal_component>
|
|
|
575137 |
<object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_64bit_a20100_eacces_auditctl" />
|
|
|
575137 |
- <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_separator_regex" />
|
|
|
575137 |
+ <literal_component>$\n(^(?!</literal_component>
|
|
|
575137 |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_64bit_a20100_eacces_auditctl" />
|
|
|
575137 |
+ <literal_component>|</literal_component>
|
|
|
575137 |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_nofilter_64bit_eacces_auditctl" />
|
|
|
575137 |
+ <literal_component>).*$\n)*^</literal_component>
|
|
|
575137 |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_64bit_a201003_eacces_auditctl" />
|
|
|
575137 |
+ <literal_component>$\n(^(?!</literal_component>
|
|
|
575137 |
<object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_64bit_a201003_eacces_auditctl" />
|
|
|
575137 |
- <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_separator_regex" />
|
|
|
575137 |
+ <literal_component>|</literal_component>
|
|
|
575137 |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_64bit_a20100_eacces_auditctl" />
|
|
|
575137 |
+ <literal_component>).*$\n)*^</literal_component>
|
|
|
575137 |
<object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_nofilter_64bit_eacces_auditctl" />
|
|
|
575137 |
+ <literal_component>$</literal_component>
|
|
|
575137 |
</concat>
|
|
|
575137 |
</local_variable>
|
|
|
575137 |
+
|
|
|
575137 |
|
|
|
575137 |
comment="defined audit rule must exist" id="test_arufm_{{{ SYSCALL }}}_order_64bit_eacces_auditctl" version="1">
|
|
|
575137 |
<ind:object object_ref="object_arufm_{{{ SYSCALL }}}_order_64bit_eacces_auditctl" />
|
|
|
575137 |
@@ -457,13 +536,25 @@
|
|
|
575137 |
|
|
|
575137 |
<local_variable id="var_arufm_rule_order_64bit_{{{ SYSCALL }}}_auditctl_eperm_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
575137 |
<concat>
|
|
|
575137 |
+
|
|
|
575137 |
+ <literal_component>^</literal_component>
|
|
|
575137 |
<object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_64bit_a20100_eperm_auditctl" />
|
|
|
575137 |
- <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_separator_regex" />
|
|
|
575137 |
+ <literal_component>$\n(^(?!</literal_component>
|
|
|
575137 |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_64bit_a20100_eperm_auditctl" />
|
|
|
575137 |
+ <literal_component>|</literal_component>
|
|
|
575137 |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_nofilter_64bit_eperm_auditctl" />
|
|
|
575137 |
+ <literal_component>).*$\n)*^</literal_component>
|
|
|
575137 |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_64bit_a201003_eperm_auditctl" />
|
|
|
575137 |
+ <literal_component>$\n(^(?!</literal_component>
|
|
|
575137 |
<object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_64bit_a201003_eperm_auditctl" />
|
|
|
575137 |
- <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_separator_regex" />
|
|
|
575137 |
+ <literal_component>|</literal_component>
|
|
|
575137 |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_64bit_a20100_eperm_auditctl" />
|
|
|
575137 |
+ <literal_component>).*$\n)*^</literal_component>
|
|
|
575137 |
<object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_nofilter_64bit_eperm_auditctl" />
|
|
|
575137 |
+ <literal_component>$</literal_component>
|
|
|
575137 |
</concat>
|
|
|
575137 |
</local_variable>
|
|
|
575137 |
+
|
|
|
575137 |
|
|
|
575137 |
comment="defined audit rule must exist" id="test_arufm_{{{ SYSCALL }}}_order_64bit_eperm_auditctl" version="1">
|
|
|
575137 |
<ind:object object_ref="object_arufm_{{{ SYSCALL }}}_order_64bit_eperm_auditctl" />
|