Blame SOURCES/scap-security-guide-0.1.41-fix_syscall_in_last_position.patch

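diff --git a/shared/templates/template_OVAL_audit_rules_path_syscall b/shared/templates/template_OVAL_audit_rules_path_syscall
index dcc1d7b0a2..2544099b8d 100644
--- a/shared/templates/template_OVAL_audit_rules_path_syscall
+++ b/shared/templates/template_OVAL_audit_rules_path_syscall
@@ -40,13 +40,14 @@
     </criteria>
   </definition>
 
+
   
   <constant_variable id="var_audit_rule_32bit_{{{ SYSCALL }}}_write_{{{ PATHID }}}_regex" version="1" datatype="string" comment="audit rule arch and syscal">
-      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]*(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path={{{ PATH }}})[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>
+      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)({{{ SYSCALL }}})(?:|(?:,[\S]+)+))[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path={{{ PATH }}})[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>
   </constant_variable>
 
   <constant_variable id="var_audit_rule_64bit_{{{ SYSCALL }}}_write_{{{ PATHID }}}_regex" version="1" datatype="string" comment="audit rule arch and syscal">
-      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]*(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path={{{ PATH }}})[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>
+      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)({{{ SYSCALL }}})(?:|(?:,[\S]+)+))[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path={{{ PATH }}})[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>
   </constant_variable>
 
   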
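Review bot: The list sub-pattern `(?:[\S]+,)+` in both new `<value>` lines nests one unbounded quantifier inside another while `[\S]` itself matches a comma, so on a `-S` list that does not contain the syscall the engine can try every way of splitting the list, and the work grows exponentially with the number of entries. On a long list this may reach the regex engine's match limit and turn the check into an error instead of a plain fail. Excluding the separator from the entry class removes the ambiguity while still matching the same well-formed lists: `(?:-S[\s]+(?:[^\s,]+,)*({{{ SYSCALL }}})(?:,[^\s,]+)*)[\s]+`. The same head pattern is added in the unsuccessful_file_modification, _o_creat, _o_trunc_write and _rule_order templates further down. The pattern also accepts only one comma-separated `-S` option, so a rule written with repeated `-S` options would presumably be reported as non-compliant; if that is intended, say so in the variable's `comment` attribute.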
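diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification
index 804c0d50b8..cbed460f00 100644
--- a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification
+++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification
@@ -46,12 +46,60 @@
     </criteria>
   </definition>
 
+  
+  <constant_variable id="var_32bit_arufm_{{{ NAME }}}_head" version="1" datatype="string" comment="audit rule arch and syscal">
+      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)({{{ NAME }}})(?:|(?:,[\S]+)+))[\s]+</value>
+  </constant_variable>
+  <constant_variable id="var_64bit_arufm_{{{ NAME }}}_head" version="1" datatype="string" comment="audit rule arch and syscal">
+      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)({{{ NAME }}})(?:|(?:,[\S]+)+))[\s]+</value>
+  </constant_variable>
+  <constant_variable id="var_arufm_{{{ NAME }}}_tail" version="1" datatype="string" comment="audit rule auid and key">
+    <value>[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>
+  </constant_variable>
+
+  
+  <local_variable id="var_32bit_arufm_eacces_{{{ NAME }}}_regex" version="1" datatype="string" comment="Expression to match 32bit {{{ NAME }}} EACCES syscall">
+    <concat>
+      <variable_component var_ref="var_32bit_arufm_{{{ NAME }}}_head" />
+      <literal_component>(?:-F\s+exit=-EACCES)</literal_component>
+      <variable_component var_ref="var_arufm_{{{ NAME }}}_tail" />
+    </concat>
+  </local_variable>
+
+  
+  <local_variable id="var_32bit_arufm_eperm_{{{ NAME }}}_regex" version="1" datatype="string" comment="Expression to match 32bit {{{ NAME }}} EPERM EACCES syscall">
+    <concat>
+      <variable_component var_ref="var_32bit_arufm_{{{ NAME }}}_head" />
+      <literal_component>(?:-F\s+exit=-EPERM)</literal_component>
+      <variable_component var_ref="var_arufm_{{{ NAME }}}_tail" />
+    </concat>
+  </local_variable>
+
+  
+  <local_variable id="var_64bit_arufm_eacces_{{{ NAME }}}_regex" version="1" datatype="string" comment="Expression to match 64bit {{{ NAME }}} EACCES syscall">
+    <concat>
+      <variable_component var_ref="var_64bit_arufm_{{{ NAME }}}_head" />
+      <literal_component>(?:-F\s+exit=-EACCES)</literal_component>
+      <variable_component var_ref="var_arufm_{{{ NAME }}}_tail" />
+    </concat>
+  </local_variable>
+
+  
+  <local_variable id="var_64bit_arufm_eperm_{{{ NAME }}}_regex" version="1" datatype="string" comment="Expression to match 64bit {{{ NAME }}} EPERM syscall">
+    <concat>
+      <variable_component var_ref="var_64bit_arufm_{{{ NAME }}}_head" />
+      <literal_component>(?:-F\s+exit=-EPERM)</literal_component>
+      <variable_component var_ref="var_arufm_{{{ NAME }}}_tail" />
+    </concat>
+  </local_variable>
+
+
   <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eacces" id="test_32bit_arufm_eacces_{{{ NAME }}}_augenrules" version="1">
     <ind:object object_ref="object_32bit_arufm_eacces_{{{ NAME }}}_augenrules" />
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="object_32bit_arufm_eacces_{{{ NAME }}}_augenrules" version="1">
     <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
-    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?!.*-F\s+a2&)(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern match" var_ref="var_32bit_arufm_eacces_{{{ NAME }}}_regex" />
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
@@ -60,7 +108,7 @@
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="object_32bit_arufm_eperm_{{{ NAME }}}_augenrules" version="1">
     <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
-    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?!.*-F\s+a2&)(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern match" var_ref="var_32bit_arufm_eperm_{{{ NAME }}}_regex" />
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
@@ -69,7 +117,7 @@
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="object_64bit_arufm_eacces_{{{ NAME }}}_augenrules" version="1">
     <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
-    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?!.*-F\s+a2&)(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern match" var_ref="var_64bit_arufm_eacces_{{{ NAME }}}_regex" />
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
@@ -78,7 +126,7 @@
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="object_64bit_arufm_eperm_{{{ NAME }}}_augenrules" version="1">
     <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
-    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?!.*-F\s+a2&)(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern match" var_ref="var_64bit_arufm_eperm_{{{ NAME }}}_regex" />
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
@@ -87,7 +135,7 @@
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="object_32bit_arufm_eacces_{{{ NAME }}}_auditctl" version="1">
     <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?!.*-F\s+a2&)(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern match" var_ref="var_32bit_arufm_eacces_{{{ NAME }}}_regex" />
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
@@ -96,7 +144,7 @@
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="object_32bit_arufm_eperm_{{{ NAME }}}_auditctl" version="1">
     <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?!.*-F\s+a2&)(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern match" var_ref="var_32bit_arufm_eperm_{{{ NAME }}}_regex" />
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
@@ -105,7 +153,7 @@
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="object_64bit_arufm_eacces_{{{ NAME }}}_auditctl" version="1">
     <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?!.*-F\s+a2&)(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern match" var_ref="var_64bit_arufm_eacces_{{{ NAME }}}_regex" />
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
@@ -114,7 +162,7 @@
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="object_64bit_arufm_eperm_{{{ NAME }}}_auditctl" version="1">
     <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?!.*-F\s+a2&)(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern match" var_ref="var_64bit_arufm_eperm_{{{ NAME }}}_regex" />
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 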
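Review bot: The concatenated head/exit/tail variables accept exactly one field layout (arch, a single `-S` list, exit, auid>=, auid!=, key) with nothing between the fields, whereas the removed inline patterns had `.*` between them, so a rule carrying an extra `-F` field or a different field order no longer matches in any of the eight objects changed below. If that tightening is intended, a short XML comment above the three `constant_variable` elements naming the one accepted layout would tell content authors why an otherwise valid audit rule fails the check. Separately, the `comment` attribute on `var_32bit_arufm_eperm_{{{ NAME }}}_regex` reads "EPERM EACCES syscall" although the variable concatenates only `exit=-EPERM`; it should read `Expression to match 32bit {{{ NAME }}} EPERM syscall`, as the 64-bit one does. The new head comments also spell "syscal".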
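diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_creat b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_creat
index 7f1bf6f68f..01e155f016 100644
--- a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_creat
+++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_creat
@@ -51,10 +51,10 @@
 
   
   <constant_variable id="var_audit_rule_{{{ SYSCALL }}}_o_creat_32bit_head" version="1" datatype="string" comment="audit rule arch and syscal">
-      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]*</value>
+      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)({{{ SYSCALL }}})(?:|(?:,[\S]+)+))[\s]+</value>
   </constant_variable>
   <constant_variable id="var_audit_rule_{{{ SYSCALL }}}_o_creat_64bit_head" version="1" datatype="string" comment="audit rule arch and syscal">
-      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]*</value>
+      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)({{{ SYSCALL }}})(?:|(?:,[\S]+)+))[\s]+</value>
   </constant_variable>
   <constant_variable id="var_audit_rule_{{{ SYSCALL }}}_o_creat_tail" version="1" datatype="string" comment="audit rule auid and key">
     <value>[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>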
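diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_trunc_write b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_trunc_write
index ce7d3c44c7..64f7277a60 100644
--- a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_trunc_write
+++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_trunc_write
@@ -51,10 +51,10 @@
 
   
   <constant_variable id="var_audit_rule_{{{ SYSCALL }}}_o_trunc_32bit_head" version="1" datatype="string" comment="audit rule arch and syscal">
-      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]*</value>
+      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)({{{ SYSCALL }}})(?:|(?:,[\S]+)+))[\s]+</value>
   </constant_variable>
   <constant_variable id="var_audit_rule_{{{ SYSCALL }}}_o_trunc_64bit_head" version="1" datatype="string" comment="audit rule arch and syscal">
-      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]*</value>
+      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)({{{ SYSCALL }}})(?:|(?:,[\S]+)+))[\s]+</value>
   </constant_variable>
   <constant_variable id="var_audit_rule_{{{ SYSCALL }}}_o_trunc_tail" version="1" datatype="string" comment="audit rule auid and key">
     <value>[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>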
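diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order
index 66a8ecf249..12da792d51 100644
--- a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order
+++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order
@@ -52,10 +52,10 @@
 
   
   <constant_variable id="var_audit_rule_{{{ SYSCALL }}}_order_32bit_head" version="1" datatype="string" comment="audit rule arch and syscal">
-      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]*</value>
+      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)({{{ SYSCALL }}})(?:|(?:,[\S]+)+))[\s]+</value>
   </constant_variable>
   <constant_variable id="var_audit_rule_{{{ SYSCALL }}}_order_64bit_head" version="1" datatype="string" comment="audit rule arch and syscal">
-      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]*</value>
+      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)({{{ SYSCALL }}})(?:|(?:,[\S]+)+))[\s]+</value>
   </constant_variable>
   <constant_variable id="var_audit_rule_{{{ SYSCALL }}}_order_tail" version="1" datatype="string" comment="audit rule auid and key">
     <value>[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>
@@ -84,7 +84,7 @@
   <local_variable id="var_audit_rule_{{{ SYSCALL }}}_order_32bit_eacces_regex" version="1" datatype="string" comment="arches to audit">
     <concat>
       <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_32bit_head" />
-      <literal_component>(?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
+      <literal_component>(?:-F\s+exit=-EACCES)</literal_component>
       <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_tail" />
     </concat>
   </local_variable>
@@ -107,7 +107,7 @@
   <local_variable id="var_audit_rule_{{{ SYSCALL }}}_order_32bit_eperm_regex" version="1" datatype="string" comment="arches to audit">
     <concat>
       <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_32bit_head" />
-      <literal_component>(?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
+      <literal_component>(?:-F\s+exit=-EPERM)</literal_component>
       <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_tail" />
     </concat>
   </local_variable>
@@ -130,7 +130,7 @@
   <local_variable id="var_audit_rule_{{{ SYSCALL }}}_order_64bit_eacces_regex" version="1" datatype="string" comment="arches to audit">
     <concat>
       <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_64bit_head" />
-      <literal_component>(?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
+      <literal_component>(?:-F\s+exit=-EACCES)</literal_component>
       <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_tail" />
     </concat>
   </local_variable>
@@ -153,7 +153,7 @@
   <local_variable id="var_audit_rule_{{{ SYSCALL }}}_order_64bit_eperm_regex" version="1" datatype="string" comment="arches to audit">
     <concat>
       <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_64bit_head" />
-      <literal_component>(?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
+      <literal_component>(?:-F\s+exit=-EPERM)</literal_component>
       <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_tail" />
     </concat>
   </local_variable>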
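diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open/open_before_last.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open/open_before_last.pass.sh
new file mode 100644
index 0000000000..1f30447324
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open/open_before_last.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+# remediation = none
+
+sed 's/openat,open_by_handle_at/open,open_by_handle_at/' ../audit_open.rules > /etc/audit/rules.d/open_o_creat.rules
+sed -i 's/ open,/ openat,/' /etc/audit/rules.d/open_o_creat.rules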
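Review bot: Both `sed` substitutions depend on the exact syscall order inside `../audit_open.rules`, which is not part of this diff; if either one matches nothing, the rules file is installed unchanged and this `.pass` scenario still passes without placing `open` where the file name says it is. A check after the second `sed` would make a silent no-op visible, for example `grep -q -- ',open,' /etc/audit/rules.d/open_o_creat.rules || exit 1` here and an equivalent end-of-list check in the `*_last` scripts; how the test harness treats a non-zero exit from a scenario script is not visible from this page and should be confirmed. The same applies to `open_last.pass.sh`, `o_creat_before_last.pass.sh` and `o_creat_last.pass.sh`. A one-line comment in each script giving the `-S` list it is meant to produce would also help, since the two-step rewrite is hard to follow without the input file.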
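diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open/open_last.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open/open_last.pass.sh
new file mode 100644
index 0000000000..d3fdcf71a5
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open/open_last.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+# remediation = none
+
+sed 's/_by_handle_at//' ../audit_open.rules > /etc/audit/rules.d/open_o_creat.rules
+sed -i 's/open,/open_by_handle_at,/' /etc/audit/rules.d/open_o_creat.rules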
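diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open_o_creat/o_creat_before_last.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open_o_creat/o_creat_before_last.pass.sh
new file mode 100644
index 0000000000..acdec877ef
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open_o_creat/o_creat_before_last.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+# remediation = none
+
+sed 's/openat,open_by_handle_at/open,open_by_handle_at/' ../audit_open_o_creat.rules > /etc/audit/rules.d/open_o_creat.rules
+sed -i 's/ open,/ openat,/' /etc/audit/rules.d/open_o_creat.rules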
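diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open_o_creat/o_creat_last.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open_o_creat/o_creat_last.pass.sh
new file mode 100644
index 0000000000..33a3ad88bf
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open_o_creat/o_creat_last.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+# remediation = none
+
+sed 's/_by_handle_at//' ../audit_open_o_creat.rules > /etc/audit/rules.d/open_o_creat.rules
+sed -i 's/open,/open_by_handle_at,/' /etc/audit/rules.d/open_o_creat.rules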