Blame SOURCES/scap-security-guide-0.1.41-template_watch_path.patch

28bffe
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open.rule
28bffe
new file mode 100644
28bffe
index 0000000000..c69567f1c7
28bffe
--- /dev/null
28bffe
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open.rule
28bffe
@@ -0,0 +1,36 @@
28bffe
+documentation_complete: true
28bffe
+
28bffe
+prodtype: rhel7,fedora
28bffe
+
28bffe
+title: 'Record Events that Modify User/Group Information via open syscall - /etc/group'
28bffe
+
28bffe
+description: |-
28bffe
+    The audit system should collect write events to /etc/group file for all users and root.
28bffe
+    If the <tt>auditd</tt> daemon is configured
28bffe
+    to use the <tt>augenrules</tt> program to read audit rules during daemon
28bffe
+    startup (the default), add the following lines to a file with suffix
28bffe
+    <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
28bffe
+    
-a always,exit -F arch=b32 -S open -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
28bffe
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
28bffe
+    utility to read audit rules during daemon startup, add the following lines to
28bffe
+    <tt>/etc/audit/audit.rules</tt> file:
28bffe
+    
-a always,exit -F arch=b64 -S open -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
28bffe
+
28bffe
+rationale: |-
28bffe
+    Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system.
28bffe
+    Auditing these events could serve as evidence of potential system compromise.
28bffe
+
28bffe
+severity: medium
28bffe
+
28bffe
+references:
28bffe
+    ospp@rhel7: FAU_GEN.1.1.c
28bffe
+
28bffe
+{{{ complete_ocil_entry_audit_syscall(syscall="open") }}}
28bffe
+
28bffe
+warnings:
28bffe
+    - general: |-
28bffe
+        Note that these rules can be configured in a
28bffe
+        number of ways while still achieving the desired effect. Here the system calls
28bffe
+        have been placed independent of other system calls. Grouping system calls related
28bffe
+        to the same event is more efficient. See the following example:
28bffe
+        
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
28bffe
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at.rule
28bffe
new file mode 100644
28bffe
index 0000000000..c33354b287
28bffe
--- /dev/null
28bffe
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at.rule
28bffe
@@ -0,0 +1,36 @@
28bffe
+documentation_complete: true
28bffe
+
28bffe
+prodtype: rhel7,fedora
28bffe
+
28bffe
+title: 'Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group'
28bffe
+
28bffe
+description: |-
28bffe
+    The audit system should collect write events to /etc/group file for all group and root.
28bffe
+    If the <tt>auditd</tt> daemon is configured
28bffe
+    to use the <tt>augenrules</tt> program to read audit rules during daemon
28bffe
+    startup (the default), add the following lines to a file with suffix
28bffe
+    <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
28bffe
+    
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
28bffe
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
28bffe
+    utility to read audit rules during daemon startup, add the following lines to
28bffe
+    <tt>/etc/audit/audit.rules</tt> file:
28bffe
+    
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
28bffe
+
28bffe
+rationale: |-
28bffe
+    Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system.
28bffe
+    Auditing these events could serve as evidence of potential system compromise.
28bffe
+
28bffe
+severity: medium
28bffe
+
28bffe
+references:
28bffe
+    ospp@rhel7: FAU_GEN.1.1.c
28bffe
+
28bffe
+{{{ complete_ocil_entry_audit_syscall(syscall="open_by_handle_at") }}}
28bffe
+
28bffe
+warnings:
28bffe
+    - general: |-
28bffe
+        Note that these rules can be configured in a
28bffe
+        number of ways while still achieving the desired effect. Here the system calls
28bffe
+        have been placed independent of other system calls. Grouping system calls related
28bffe
+        to the same event is more efficient. See the following example:
28bffe
+        
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
28bffe
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat.rule
28bffe
new file mode 100644
28bffe
index 0000000000..61bde4d6e9
28bffe
--- /dev/null
28bffe
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat.rule
28bffe
@@ -0,0 +1,36 @@
28bffe
+documentation_complete: true
28bffe
+
28bffe
+prodtype: rhel7,fedora
28bffe
+
28bffe
+title: 'Record Events that Modify User/Group Information via openat syscall - /etc/group'
28bffe
+
28bffe
+description: |-
28bffe
+    The audit system should collect write events to /etc/group file for all users and root.
28bffe
+    If the <tt>auditd</tt> daemon is configured
28bffe
+    to use the <tt>augenrules</tt> program to read audit rules during daemon
28bffe
+    startup (the default), add the following lines to a file with suffix
28bffe
+    <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
28bffe
+    
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
28bffe
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
28bffe
+    utility to read audit rules during daemon startup, add the following lines to
28bffe
+    <tt>/etc/audit/audit.rules</tt> file:
28bffe
+    
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
28bffe
+
28bffe
+rationale: |-
28bffe
+    Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system.
28bffe
+    Auditing these events could serve as evidence of potential system compromise.
28bffe
+
28bffe
+severity: medium
28bffe
+
28bffe
+references:
28bffe
+    ospp@rhel7: FAU_GEN.1.1.c
28bffe
+
28bffe
+{{{ complete_ocil_entry_audit_syscall(syscall="openat") }}}
28bffe
+
28bffe
+warnings:
28bffe
+    - general: |-
28bffe
+        Note that these rules can be configured in a
28bffe
+        number of ways while still achieving the desired effect. Here the system calls
28bffe
+        have been placed independent of other system calls. Grouping system calls related
28bffe
+        to the same event is more efficient. See the following example:
28bffe
+        
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
28bffe
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at.rule
28bffe
new file mode 100644
28bffe
index 0000000000..0f91bb7d58
28bffe
--- /dev/null
28bffe
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at.rule
28bffe
@@ -0,0 +1,36 @@
28bffe
+documentation_complete: true
28bffe
+
28bffe
+prodtype: rhel7,fedora
28bffe
+
28bffe
+title: 'Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/passwd'
28bffe
+
28bffe
+description: |-
28bffe
+    The audit system should collect write events to /etc/passwd file for all users and root.
28bffe
+    If the <tt>auditd</tt> daemon is configured
28bffe
+    to use the <tt>augenrules</tt> program to read audit rules during daemon
28bffe
+    startup (the default), add the following lines to a file with suffix
28bffe
+    <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
28bffe
+    
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
28bffe
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
28bffe
+    utility to read audit rules during daemon startup, add the following lines to
28bffe
+    <tt>/etc/audit/audit.rules</tt> file:
28bffe
+    
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
28bffe
+
28bffe
+rationale: |-
28bffe
+    Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system.
28bffe
+    Auditing these events could serve as evidence of potential system compromise.
28bffe
+
28bffe
+severity: medium
28bffe
+
28bffe
+references:
28bffe
+    ospp@rhel7: FAU_GEN.1.1.c
28bffe
+
28bffe
+{{{ complete_ocil_entry_audit_syscall(syscall="open_by_handle_at") }}}
28bffe
+
28bffe
+warnings:
28bffe
+    - general: |-
28bffe
+        Note that these rules can be configured in a
28bffe
+        number of ways while still achieving the desired effect. Here the system calls
28bffe
+        have been placed independent of other system calls. Grouping system calls related
28bffe
+        to the same event is more efficient. See the following example:
28bffe
+        
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
28bffe
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat.rule
28bffe
new file mode 100644
28bffe
index 0000000000..f1fab2b945
28bffe
--- /dev/null
28bffe
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat.rule
28bffe
@@ -0,0 +1,36 @@
28bffe
+documentation_complete: true
28bffe
+
28bffe
+prodtype: rhel7,fedora
28bffe
+
28bffe
+title: 'Record Events that Modify User/Group Information via openat syscall - /etc/passwd'
28bffe
+
28bffe
+description: |-
28bffe
+    The audit system should collect write events to /etc/passwd file for all users and root.
28bffe
+    If the <tt>auditd</tt> daemon is configured
28bffe
+    to use the <tt>augenrules</tt> program to read audit rules during daemon
28bffe
+    startup (the default), add the following lines to a file with suffix
28bffe
+    <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
28bffe
+    
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
28bffe
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
28bffe
+    utility to read audit rules during daemon startup, add the following lines to
28bffe
+    <tt>/etc/audit/audit.rules</tt> file:
28bffe
+    
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
28bffe
+
28bffe
+rationale: |-
28bffe
+    Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system.
28bffe
+    Auditing these events could serve as evidence of potential system compromise.
28bffe
+
28bffe
+severity: medium
28bffe
+
28bffe
+references:
28bffe
+    ospp@rhel7: FAU_GEN.1.1.c
28bffe
+
28bffe
+{{{ complete_ocil_entry_audit_syscall(syscall="openat") }}}
28bffe
+
28bffe
+warnings:
28bffe
+    - general: |-
28bffe
+        Note that these rules can be configured in a
28bffe
+        number of ways while still achieving the desired effect. Here the system calls
28bffe
+        have been placed independent of other system calls. Grouping system calls related
28bffe
+        to the same event is more efficient. See the following example:
28bffe
+        
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
28bffe
diff --git a/rhel7/profiles/ospp42.profile b/rhel7/profiles/ospp42.profile
28bffe
index 343ac9eb3c..68f4e38bc8 100644
28bffe
--- a/rhel7/profiles/ospp42.profile
28bffe
+++ b/rhel7/profiles/ospp42.profile
28bffe
@@ -171,3 +171,8 @@ selections:
28bffe
     - audit_rules_kernel_module_loading_rmmod
28bffe
     - security_patches_up_to_date
28bffe
     - audit_rules_etc_passwd_open
28bffe
+    - audit_rules_etc_passwd_openat
28bffe
+    - audit_rules_etc_passwd_open_by_handle_at
28bffe
+    - audit_rules_etc_group_open
28bffe
+    - audit_rules_etc_group_openat
28bffe
+    - audit_rules_etc_group_open_by_handle_at
28bffe
diff --git a/shared/templates/create_audit_rules_path_syscall.py b/shared/templates/create_audit_rules_path_syscall.py
28bffe
new file mode 100644
28bffe
index 0000000000..0283bf439c
28bffe
--- /dev/null
28bffe
+++ b/shared/templates/create_audit_rules_path_syscall.py
28bffe
@@ -0,0 +1,33 @@
28bffe
+#!/usr/bin/python2
28bffe
+
28bffe
+#
28bffe
+# create_audit_rules_path_syscall_detailed.py
28bffe
+#        generate template-based checks for changes to a path via syscalls 
28bffe
+
28bffe
+
28bffe
+from template_common import FilesGenerator, UnknownTargetError
28bffe
+
28bffe
+import re
28bffe
+
28bffe
+class AuditRulesPathSyscallGenerator(FilesGenerator):
28bffe
+    def generate(self, target, args):
28bffe
+        path,syscall = args[0:2]
28bffe
+        pathid = re.sub('[-\./]', '_', path)
28bffe
+        # remove root slash made into '_'
28bffe
+        pathid = pathid[1:]
28bffe
+        if target == "oval":
28bffe
+            self.file_from_template(
28bffe
+                "./template_OVAL_audit_rules_path_syscall",
28bffe
+                {
28bffe
+                    "PATH":	path,
28bffe
+                    "PATHID":	pathid,
28bffe
+                    "SYSCALL":	syscall
28bffe
+                },
28bffe
+                "./oval/audit_rules_{0}_{1}.xml", pathid, syscall
28bffe
+            )
28bffe
+        else:
28bffe
+            raise UnknownTargetError(target)
28bffe
+
28bffe
+    def csv_format(self):
28bffe
+        return("CSV should contains lines of the format: " +
28bffe
+               "PATH,SYSCALL")
28bffe
diff --git a/shared/templates/csv/audit_rules_path_syscall.csv b/shared/templates/csv/audit_rules_path_syscall.csv
28bffe
new file mode 100644
28bffe
index 0000000000..015f02f58d
28bffe
--- /dev/null
28bffe
+++ b/shared/templates/csv/audit_rules_path_syscall.csv
28bffe
@@ -0,0 +1,11 @@
28bffe
+# format:
28bffe
+# <path>,<syscall>
28bffe
+# - path is the absolute path to watch
28bffe
+# - syscall is the syscall to wath the path for
28bffe
+
28bffe
+/etc/passwd,open
28bffe
+/etc/passwd,openat
28bffe
+/etc/passwd,open_by_handle_at
28bffe
+/etc/group,open
28bffe
+/etc/group,openat
28bffe
+/etc/group,open_by_handle_at
28bffe
diff --git a/shared/checks/oval/audit_rules_etc_passwd_open.xml b/shared/templates/template_OVAL_audit_rules_path_syscall
28bffe
similarity index 52%
28bffe
rename from shared/checks/oval/audit_rules_etc_passwd_open.xml
28bffe
rename to shared/templates/template_OVAL_audit_rules_path_syscall
28bffe
index fd5c3efb28..dcc1d7b0a2 100644
28bffe
--- a/shared/checks/oval/audit_rules_etc_passwd_open.xml
28bffe
+++ b/shared/templates/template_OVAL_audit_rules_path_syscall
28bffe
@@ -1,12 +1,12 @@
28bffe
 <def-group>
28bffe
-  <definition class="compliance" id="audit_rules_etc_passwd_open" version="1">
28bffe
+  <definition class="compliance" id="audit_rules_{{{ PATHID }}}_{{{ SYSCALL }}}" version="1">
28bffe
     <metadata>
28bffe
-      <title>Ensure auditd Collects Write Events to /etc/passwd</title>
28bffe
+      <title>Ensure auditd Collects Write Events to {{{ PATH }}}</title>
28bffe
       <affected family="unix">
28bffe
         <platform>Red Hat Enterprise Linux 7</platform>
28bffe
         <platform>multi_platform_fedora</platform>
28bffe
       </affected>
28bffe
-      <description>Audit rules about the write events to /etc/passwd</description>
28bffe
+      <description>Audit rules about the write events to {{{ PATH }}}</description>
28bffe
     </metadata>
28bffe
 
28bffe
     <criteria operator="OR">
28bffe
@@ -14,26 +14,26 @@
28bffe
       
28bffe
       <criteria operator="AND">
28bffe
         <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
28bffe
-        <criterion comment="audit rule to record write events to /etc/passwd" test_ref="test_audit_rules_etc_passwd_open_32bit_augenrules" />
28bffe
+        <criterion comment="audit rule to record write events to {{{ PATH }}}" test_ref="test_audit_rules_{{{ PATHID }}}_{{{ SYSCALL }}}_32bit_augenrules" />
28bffe
 
28bffe
         <criteria operator="OR">
28bffe
           
28bffe
           <extend_definition comment="64-bit system" definition_ref="system_info_architecture_64bit" negate="true" />
28bffe
           
28bffe
-          <criterion comment="audit rule to record write events to /etc/passwd" test_ref="test_audit_rules_etc_passwd_open_64bit_augenrules" />
28bffe
+          <criterion comment="audit rule to record write events to {{{ PATH }}}" test_ref="test_audit_rules_{{{ PATHID }}}_{{{ SYSCALL }}}_64bit_augenrules" />
28bffe
         </criteria>
28bffe
       </criteria>
28bffe
 
28bffe
       
28bffe
       <criteria operator="AND">
28bffe
         <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
28bffe
-        <criterion comment="audit rule to record write events to /etc/passwd" test_ref="test_audit_rules_etc_passwd_open_32bit_auditctl" />
28bffe
+        <criterion comment="audit rule to record write events to {{{ PATH }}}" test_ref="test_audit_rules_{{{ PATHID }}}_{{{ SYSCALL }}}_32bit_auditctl" />
28bffe
 
28bffe
         <criteria operator="OR">
28bffe
           
28bffe
           <extend_definition comment="64-bit_system" definition_ref="system_info_architecture_64bit" negate="true" />
28bffe
           
28bffe
-          <criterion comment="audit rule to record write events to /etc/passwd" test_ref="test_audit_rules_etc_passwd_open_64bit_auditctl" />
28bffe
+          <criterion comment="audit rule to record write events to {{{ PATH }}}" test_ref="test_audit_rules_{{{ PATHID }}}_{{{ SYSCALL }}}_64bit_auditctl" />
28bffe
         </criteria>
28bffe
       </criteria>
28bffe
 
28bffe
@@ -41,55 +41,55 @@
28bffe
   </definition>
28bffe
 
28bffe
   
28bffe
-  <constant_variable id="var_audit_rule_32bit_open_write_etc_passwd_regex" version="1" datatype="string" comment="audit rule arch and syscal">
28bffe
-      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]*(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>
28bffe
+  <constant_variable id="var_audit_rule_32bit_{{{ SYSCALL }}}_write_{{{ PATHID }}}_regex" version="1" datatype="string" comment="audit rule arch and syscal">
28bffe
+      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]*(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path={{{ PATH }}})[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>
28bffe
   </constant_variable>
28bffe
 
28bffe
-  <constant_variable id="var_audit_rule_64bit_open_write_etc_passwd_regex" version="1" datatype="string" comment="audit rule arch and syscal">
28bffe
-      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]*(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>
28bffe
+  <constant_variable id="var_audit_rule_64bit_{{{ SYSCALL }}}_write_{{{ PATHID }}}_regex" version="1" datatype="string" comment="audit rule arch and syscal">
28bffe
+      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]*(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path={{{ PATH }}})[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>
28bffe
   </constant_variable>
28bffe
 
28bffe
-  
28bffe
+  
28bffe
   
28bffe
- comment="defined audit rule must exist" id="test_audit_rules_etc_passwd_open_32bit_augenrules" version="1">
28bffe
-    <ind:object object_ref="object_audit_rules_etc_passwd_open_32bit_augenrules" />
28bffe
+ comment="defined audit rule must exist" id="test_audit_rules_{{{ PATHID }}}_{{{ SYSCALL }}}_32bit_augenrules" version="1">
28bffe
+    <ind:object object_ref="object_audit_rules_{{{ PATHID }}}_{{{ SYSCALL }}}_32bit_augenrules" />
28bffe
   </ind:textfilecontent54_test>
28bffe
-  <ind:textfilecontent54_object id="object_audit_rules_etc_passwd_open_32bit_augenrules" version="1">
28bffe
+  <ind:textfilecontent54_object id="object_audit_rules_{{{ PATHID }}}_{{{ SYSCALL }}}_32bit_augenrules" version="1">
28bffe
     <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
28bffe
-    <ind:pattern operation="pattern match" var_ref="var_audit_rule_32bit_open_write_etc_passwd_regex" />
28bffe
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_32bit_{{{ SYSCALL }}}_write_{{{ PATHID }}}_regex" />
28bffe
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
28bffe
   </ind:textfilecontent54_object>
28bffe
 
28bffe
   
28bffe
- comment="defined audit rule must exist" id="test_audit_rules_etc_passwd_open_64bit_augenrules" version="1">
28bffe
-    <ind:object object_ref="object_audit_rules_etc_passwd_open_64bit_augenrules" />
28bffe
+ comment="defined audit rule must exist" id="test_audit_rules_{{{ PATHID }}}_{{{ SYSCALL }}}_64bit_augenrules" version="1">
28bffe
+    <ind:object object_ref="object_audit_rules_{{{ PATHID }}}_{{{ SYSCALL }}}_64bit_augenrules" />
28bffe
   </ind:textfilecontent54_test>
28bffe
-  <ind:textfilecontent54_object id="object_audit_rules_etc_passwd_open_64bit_augenrules" version="1">
28bffe
+  <ind:textfilecontent54_object id="object_audit_rules_{{{ PATHID }}}_{{{ SYSCALL }}}_64bit_augenrules" version="1">
28bffe
     <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
28bffe
-    <ind:pattern operation="pattern match" var_ref="var_audit_rule_64bit_open_write_etc_passwd_regex" />
28bffe
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_64bit_{{{ SYSCALL }}}_write_{{{ PATHID }}}_regex" />
28bffe
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
28bffe
   </ind:textfilecontent54_object>
28bffe
 
28bffe
 
28bffe
 
28bffe
-  
28bffe
+  
28bffe
   
28bffe
- comment="defined audit rule must exist" id="test_audit_rules_etc_passwd_open_32bit_auditctl" version="1">
28bffe
-    <ind:object object_ref="object_audit_rules_etc_passwd_open_32bit_auditctl" />
28bffe
+ comment="defined audit rule must exist" id="test_audit_rules_{{{ PATHID }}}_{{{ SYSCALL }}}_32bit_auditctl" version="1">
28bffe
+    <ind:object object_ref="object_audit_rules_{{{ PATHID }}}_{{{ SYSCALL }}}_32bit_auditctl" />
28bffe
   </ind:textfilecontent54_test>
28bffe
-  <ind:textfilecontent54_object id="object_audit_rules_etc_passwd_open_32bit_auditctl" version="1">
28bffe
+  <ind:textfilecontent54_object id="object_audit_rules_{{{ PATHID }}}_{{{ SYSCALL }}}_32bit_auditctl" version="1">
28bffe
     <ind:filepath>/etc/audit/audit.rules</ind:filepath>
28bffe
-    <ind:pattern operation="pattern match" var_ref="var_audit_rule_32bit_open_write_etc_passwd_regex" />
28bffe
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_32bit_{{{ SYSCALL }}}_write_{{{ PATHID }}}_regex" />
28bffe
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
28bffe
   </ind:textfilecontent54_object>
28bffe
 
28bffe
   
28bffe
- comment="defined audit rule must exist" id="test_audit_rules_etc_passwd_open_64bit_auditctl" version="1">
28bffe
-    <ind:object object_ref="object_audit_rules_etc_passwd_open_64bit_auditctl" />
28bffe
+ comment="defined audit rule must exist" id="test_audit_rules_{{{ PATHID }}}_{{{ SYSCALL }}}_64bit_auditctl" version="1">
28bffe
+    <ind:object object_ref="object_audit_rules_{{{ PATHID }}}_{{{ SYSCALL }}}_64bit_auditctl" />
28bffe
   </ind:textfilecontent54_test>
28bffe
-  <ind:textfilecontent54_object id="object_audit_rules_etc_passwd_open_64bit_auditctl" version="1">
28bffe
+  <ind:textfilecontent54_object id="object_audit_rules_{{{ PATHID }}}_{{{ SYSCALL }}}_64bit_auditctl" version="1">
28bffe
     <ind:filepath>/etc/audit/audit.rules</ind:filepath>
28bffe
-    <ind:pattern operation="pattern match" var_ref="var_audit_rule_64bit_open_write_etc_passwd_regex" />
28bffe
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_64bit_{{{ SYSCALL }}}_write_{{{ PATHID }}}_regex" />
28bffe
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
28bffe
   </ind:textfilecontent54_object>
28bffe
 
28bffe
diff --git a/shared/templates/template_common.py b/shared/templates/template_common.py
28bffe
index b0fdf5fcc9..c8930ee05c 100644
28bffe
--- a/shared/templates/template_common.py
28bffe
+++ b/shared/templates/template_common.py
28bffe
@@ -78,14 +78,15 @@ def get_template_filename(self, filename):
28bffe
         raise TemplateNotFoundError(filename, paths)
28bffe
 
28bffe
     def file_from_template(self, template_filename, constants,
28bffe
-                           filename_format, filename_value):
28bffe
+                           filename_format, filename_value, *extra_filename_args):
28bffe
         """
28bffe
         Load template, fill constant and create new file
28bffe
         """
28bffe
 
28bffe
         template_filepath = self.get_template_filename(template_filename)
28bffe
+        format_args = (filename_value,) + extra_filename_args
28bffe
         output_filepath = os.path.join(
28bffe
-            self.output_dir, filename_format.format(filename_value)
28bffe
+            self.output_dir, filename_format.format(*format_args)
28bffe
         )
28bffe
 
28bffe
         if self.action == ActionType.INPUT: