diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml
index 5784e5ad8f..a80c7dab8c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml
@@ -10,11 +10,11 @@ description: |-
     to use the <tt>augenrules</tt> program to read audit rules during daemon
     startup (the default), add the following lines to a file with suffix
     <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-    <pre>-a always,exit -F arch=b32 -S open -F a1&amp;03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify</pre>
+    <pre>-a always,exit -F arch=b32 -S open -F a1&amp;03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify</pre>
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add the following lines to
     <tt>/etc/audit/audit.rules</tt> file:
-    <pre>-a always,exit -F arch=b64 -S open -F a1&amp;03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify</pre>
+    <pre>-a always,exit -F arch=b64 -S open -F a1&amp;03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify</pre>
 
 rationale: |-
     Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system.
@@ -36,4 +36,4 @@ warnings:
         number of ways while still achieving the desired effect. Here the system calls
         have been placed independent of other system calls. Grouping system calls related
         to the same event is more efficient. See the following example:
-        <pre>-a always,exit -F arch=b32 -S open -F a1&amp;03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify</pre>
+        <pre>-a always,exit -F arch=b32 -S open -F a1&amp;03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify</pre>
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml
index 81841900f0..6181ad50f1 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml
@@ -10,11 +10,11 @@ description: |-
     to use the <tt>augenrules</tt> program to read audit rules during daemon
     startup (the default), add the following lines to a file with suffix
     <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-    <pre>-a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify</pre>
+    <pre>-a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify</pre>
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add the following lines to
     <tt>/etc/audit/audit.rules</tt> file:
-    <pre>-a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify</pre>
+    <pre>-a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify</pre>
 
 rationale: |-
     Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system.
@@ -36,4 +36,4 @@ warnings:
         number of ways while still achieving the desired effect. Here the system calls
         have been placed independent of other system calls. Grouping system calls related
         to the same event is more efficient. See the following example:
-        <pre>-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify</pre>
+        <pre>-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify</pre>
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml
index 3515398d50..9a69643a34 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml
@@ -10,11 +10,11 @@ description: |-
     to use the <tt>augenrules</tt> program to read audit rules during daemon
     startup (the default), add the following lines to a file with suffix
     <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-    <pre>-a always,exit -F arch=b32 -S openat -F a2&amp;03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify</pre>
+    <pre>-a always,exit -F arch=b32 -S openat -F a2&amp;03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify</pre>
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add the following lines to
     <tt>/etc/audit/audit.rules</tt> file:
-    <pre>-a always,exit -F arch=b64 -S openat -F a2&amp;03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify</pre>
+    <pre>-a always,exit -F arch=b64 -S openat -F a2&amp;03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify</pre>
 
 rationale: |-
     Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system.
@@ -36,4 +36,4 @@ warnings:
         number of ways while still achieving the desired effect. Here the system calls
         have been placed independent of other system calls. Grouping system calls related
         to the same event is more efficient. See the following example:
-        <pre>-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify</pre>
+        <pre>-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify</pre>
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml
index deb20d24c5..630b03b1b4 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml
@@ -10,11 +10,11 @@ description: |-
     to use the <tt>augenrules</tt> program to read audit rules during daemon
     startup (the default), add the following lines to a file with suffix
     <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-    <pre>-a always,exit -F arch=b32 -S open -F a1&amp;03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify</pre>
+    <pre>-a always,exit -F arch=b32 -S open -F a1&amp;03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify</pre>
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add the following lines to
     <tt>/etc/audit/audit.rules</tt> file:
-    <pre>-a always,exit -F arch=b64 -S open -F a1&amp;03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify</pre>
+    <pre>-a always,exit -F arch=b64 -S open -F a1&amp;03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify</pre>
 
 rationale: |-
     Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system.
@@ -36,4 +36,4 @@ warnings:
         number of ways while still achieving the desired effect. Here the system calls
         have been placed independent of other system calls. Grouping system calls related
         to the same event is more efficient. See the following example:
-        <pre>-a always,exit -F arch=b32 -S open -F a1&amp;03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify</pre>
+        <pre>-a always,exit -F arch=b32 -S open -F a1&amp;03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify</pre>
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml
index d65c9171e4..f1b9fbcd17 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml
@@ -10,11 +10,11 @@ description: |-
     to use the <tt>augenrules</tt> program to read audit rules during daemon
     startup (the default), add the following lines to a file with suffix
     <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-    <pre>-a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify</pre>
+    <pre>-a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify</pre>
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add the following lines to
     <tt>/etc/audit/audit.rules</tt> file:
-    <pre>-a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify</pre>
+    <pre>-a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify</pre>
 
 rationale: |-
     Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system.
@@ -36,4 +36,4 @@ warnings:
         number of ways while still achieving the desired effect. Here the system calls
         have been placed independent of other system calls. Grouping system calls related
         to the same event is more efficient. See the following example:
-        <pre>-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify</pre>
+        <pre>-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify</pre>
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml
index da910036b2..5460009264 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml
@@ -10,11 +10,11 @@ description: |-
     to use the <tt>augenrules</tt> program to read audit rules during daemon
     startup (the default), add the following lines to a file with suffix
     <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-    <pre>-a always,exit -F arch=b32 -S openat -F a2&amp;03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify</pre>
+    <pre>-a always,exit -F arch=b32 -S openat -F a2&amp;03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify</pre>
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add the following lines to
     <tt>/etc/audit/audit.rules</tt> file:
-    <pre>-a always,exit -F arch=b64 -S openat -F a2&amp;03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify</pre>
+    <pre>-a always,exit -F arch=b64 -S openat -F a2&amp;03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify</pre>
 
 rationale: |-
     Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system.
@@ -36,4 +36,4 @@ warnings:
         number of ways while still achieving the desired effect. Here the system calls
         have been placed independent of other system calls. Grouping system calls related
         to the same event is more efficient. See the following example:
-        <pre>-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify</pre>
+        <pre>-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify</pre>
diff --git a/shared/templates/create_audit_rules_path_syscall.py b/shared/templates/create_audit_rules_path_syscall.py
index 9ab984491e..4164f7b44f 100644
--- a/shared/templates/create_audit_rules_path_syscall.py
+++ b/shared/templates/create_audit_rules_path_syscall.py
@@ -26,6 +26,29 @@ def generate(self, target, args):
                 },
                 "./oval/audit_rules_{0}_{1}.xml", pathid, syscall
             )
+
+        elif target == "bash":
+            self.file_from_template(
+                "./template_BASH_audit_rules_path_syscall",
+                {
+                    "PATH":     path,
+                    "SYSCALL":  syscall,
+                    "POS":      pos
+                },
+                "./bash/audit_rules_{0}_{1}.sh", pathid, syscall
+            )
+
+        elif target == "ansible":
+            self.file_from_template(
+                "./template_ANSIBLE_audit_rules_path_syscall",
+                {
+                    "PATH":     path,
+                    "SYSCALL":  syscall,
+                    "POS":      pos
+                },
+                "./ansible/audit_rules_{0}_{1}.yml", pathid, syscall
+            )
+
         else:
             raise UnknownTargetError(target)
 
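Review bot: The new `bash` and `ansible` branches hand `path`, `syscall` and `pos` to their templates verbatim, and both templates in this commit splice those values into regular expressions (`contains`/`regexp` in the Ansible one, `PATTERN` in the Bash one). The two paths visible in this commit, `/etc/group` and `/etc/passwd`, contain no metacharacters, but a later entry containing `.` or `+` would silently widen what counts as an existing rule. A comment above the new branches would record the constraint, for example `# PATH/SYSCALL/POS end up inside regexes in the bash and ansible templates; keep them free of regex metacharacters`. `generate` starts and ends outside this hunk, so how the values are parsed is not visible here.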
diff --git a/shared/templates/template_ANSIBLE_audit_rules_path_syscall b/shared/templates/template_ANSIBLE_audit_rules_path_syscall
new file mode 100644
index 0000000000..4a27e0f521
--- /dev/null
+++ b/shared/templates/template_ANSIBLE_audit_rules_path_syscall
@@ -0,0 +1,76 @@
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+#
+# What architecture are we on?
+#
+- name: Set architecture for audit {{{ SYSCALL }}} tasks
+  set_fact:
+    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
+
+#
+# Inserts/replaces the rule in /etc/audit/rules.d
+#
+- name: Search /etc/audit/rules.d for other DAC audit rules
+  find:
+    paths: "/etc/audit/rules.d"
+    recurse: no
+    contains: ".*{{{ SYSCALL }}}(,[\\S]+)?[\\s]+-F[\\s]+{{{ POS }}}&03[\\s]+-F[\\s]+path={{{ PATH }}}.*"
+    patterns: "*.rules"
+  register: find_{{{ SYSCALL }}}
+
+- name: If existing DAC ruleset not found, use /etc/audit/rules.d/modify.rules as the recipient for the rule
+  set_fact:
+    all_files:
+      - /etc/audit/rules.d/modify.rules
+  when: find_{{{ SYSCALL }}}.matched == 0
+
+- name: Use matched file as the recipient for the rule
+  set_fact:
+    all_files:
+      - "{{ find_{{{ SYSCALL }}}.files | map(attribute='path') | list | first }}"
+  when: find_{{{ SYSCALL }}}.matched > 0
+
+- name: Inserts/replaces the {{{ SYSCALL }}} rule in rules.d when on x86
+  lineinfile:
+    path: "{{ all_files[0] }}"
+    line: "{{ item }}"
+    create: yes
+    regexp: "-a always,exit -F arch=b32 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=[\\S]+"
+  with_items:
+    - "-a always,exit -F arch=b32 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=modify"
+
+- name: Inserts/replaces the {{{ SYSCALL }}} rule in rules.d when on x86_64
+  lineinfile:
+    path: "{{ all_files[0] }}"
+    line: "{{ item }}"
+    create: yes
+    regexp: "-a always,exit -F arch=b64 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=[\\S]+"
+  with_items:
+    - "-a always,exit -F arch=b64 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=modify"
+  when: audit_arch == 'b64'
+#   
+# Inserts/replaces the rule in /etc/audit/audit.rules
+#
+- name: Inserts/replaces the {{{ SYSCALL }}} rule in /etc/audit/audit.rules when on x86
+  lineinfile:
+    line: "{{ item }}"
+    state: present
+    dest: /etc/audit/audit.rules
+    regexp: "-a always,exit -F arch=b32 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=[\\S]+"
+  with_items:
+    - "-a always,exit -F arch=b32 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=modify"
+
+- name: Inserts/replaces the {{{ SYSCALL }}} rule in audit.rules when on x86_64
+  lineinfile:
+    line: "{{ item }}"
+    state: present
+    dest: /etc/audit/audit.rules
+    create: yes
+    regexp: "-a always,exit -F arch=b64 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=[\\S]+"
+  with_items:
+    - "-a always,exit -F arch=b64 -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=modify"
+  when: audit_arch == 'b64'
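Review bot: The `audit_arch` fact set in the first task only becomes `b64` when `ansible_architecture` ends in two digits. On `ppc64le` or `s390x` the pattern does not match, `regex_replace` returns the input unchanged, and both `when: audit_arch == 'b64'` tasks are skipped, leaving 64-bit syscalls on the watched file unaudited. Deriving the value from word size, as the Bash template does with `getconf LONG_BIT`, avoids this, for example `audit_arch: "b{{ ansible_userspace_bits }}"`. Separately, the b32 task for `/etc/audit/audit.rules` has no `create: yes` while its b64 twin does, so it fails on a host where that file is absent; adding `create: yes` there keeps the pair consistent.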
diff --git a/shared/templates/template_BASH_audit_rules_path_syscall b/shared/templates/template_BASH_audit_rules_path_syscall
new file mode 100644
index 0000000000..c3d31aade9
--- /dev/null
+++ b/shared/templates/template_BASH_audit_rules_path_syscall
@@ -0,0 +1,18 @@
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+
+# Include source function library.
+. /usr/share/scap-security-guide/remediation_functions
+
+# First perform the remediation of the syscall rule
+# Retrieve hardware architecture of the underlying system
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+for ARCH in "${RULE_ARCHS[@]}"
+do
+	PATTERN="-a always,exit -F arch=$ARCH -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}}.*"
+	GROUP="modify"
+	FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ SYSCALL }}} -F {{{ POS }}}&03 -F path={{{ PATH }}} -F auid>={{{ auid }}} -F auid!=unset -F key=modify"
+	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+done
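Review bot: `PATTERN` ends with `path={{{ PATH }}}.*`, with nothing separating the path from the wildcard, so it also matches an existing rule for a longer path that shares the prefix (for `/etc/passwd`, a rule on `/etc/passwd-`). How `fix_audit_syscall_rule` consumes the pattern is outside this diff, but if a match is taken to mean the rule is already present, the remediation could leave the intended file unwatched. Requiring a delimiter after the path closes that, e.g. `-F path={{{ PATH }}} .*`. The key is also spelled out twice; writing `-F key=$GROUP` in `FULL_RULE` keeps the rule text and the `GROUP` argument from drifting apart.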
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_correct_rule.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_correct_rule.pass.sh
index a9a4207877..8db9eab037 100644
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_correct_rule.pass.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_correct_rule.pass.sh
@@ -1,7 +1,6 @@
 #!/bin/bash
 
 # profiles = xccdf_org.ssgproject.content_profile_ospp
-# remediation = none
 
 # Use auditctl in RHEL7
 sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_wrong_dir.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_wrong_dir.fail.sh
index 0eabbe097c..532ecedb88 100644
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_wrong_dir.fail.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_wrong_dir.fail.sh
@@ -1,7 +1,6 @@
 #!/bin/bash
 
 # profiles = xccdf_org.ssgproject.content_profile_ospp
-# remediation = none
 
 # Use auditctl in RHEL7
 sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_correct_rule.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_correct_rule.pass.sh
index 6e17de9c20..72254d5c5c 100644
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_correct_rule.pass.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_correct_rule.pass.sh
@@ -1,7 +1,6 @@
 #!/bin/bash
 
 # profiles = xccdf_org.ssgproject.content_profile_ospp
-# remediation = none
 
 echo "-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules
 echo "-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_wrong_dir.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_wrong_dir.fail.sh
index 7b7b6bc76d..d4e169dcc6 100644
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_wrong_dir.fail.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_wrong_dir.fail.sh
@@ -1,7 +1,6 @@
 #!/bin/bash
 
 # profiles = xccdf_org.ssgproject.content_profile_ospp
-# remediation = none
 
 echo "-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/password -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules
 echo "-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_correct_rule.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_correct_rule.pass.sh
index 472b62ee57..409e96ad73 100644
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_correct_rule.pass.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_correct_rule.pass.sh
@@ -1,7 +1,6 @@
 #!/bin/bash
 
 # profiles = xccdf_org.ssgproject.content_profile_ospp
-# remediation = none
 
 # Use auditctl in RHEL7
 sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_multiple_syscalls.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_multiple_syscalls.pass.sh
index 595a97ab22..9aca34dd42 100644
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_multiple_syscalls.pass.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_multiple_syscalls.pass.sh
@@ -1,7 +1,6 @@
 #!/bin/bash
 
 # profiles = xccdf_org.ssgproject.content_profile_ospp
-# remediation = none
 
 # Use auditctl in RHEL7
 sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_wrong_dir.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_wrong_dir.fail.sh
index 6ef86ff816..b8c14e63f8 100644
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_wrong_dir.fail.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_wrong_dir.fail.sh
@@ -1,7 +1,6 @@
 #!/bin/bash
 
 # profiles = xccdf_org.ssgproject.content_profile_ospp
-# remediation = none
 
 # Use auditctl in RHEL7
 sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_correct_rule.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_correct_rule.pass.sh
index 8c4aaaac25..a6c4c8814f 100644
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_correct_rule.pass.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_correct_rule.pass.sh
@@ -1,7 +1,6 @@
 #!/bin/bash
 
 # profiles = xccdf_org.ssgproject.content_profile_ospp
-# remediation = none
 
 echo "-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules
 echo "-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_escaped_gt.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_escaped_gt.fail.sh
index 28ee5ffd9d..7b7f1fd5c9 100644
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_escaped_gt.fail.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_escaped_gt.fail.sh
@@ -1,7 +1,6 @@
 #!/bin/bash
 
 # profiles = xccdf_org.ssgproject.content_profile_ospp
-# remediation = none
 
 echo "-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid&gt;=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules
 echo "-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid&gt;=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_wrong_dir.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_wrong_dir.fail.sh
index 9c9ac0fad4..0747c40b70 100644
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_wrong_dir.fail.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_wrong_dir.fail.sh
@@ -1,7 +1,6 @@
 #!/bin/bash
 
 # profiles = xccdf_org.ssgproject.content_profile_ospp
-# remediation = none
 
 echo "-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/password -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules
 echo "-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules