diff --git a/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_o_creat.xml b/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_o_creat.xml
new file mode 100644
index 0000000000..3eb97c1234
--- /dev/null
+++ b/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_o_creat.xml
@@ -0,0 +1,200 @@
+<def-group>
+  <definition class="compliance" id="audit_rules_unsuccessful_file_modification_open_o_creat" version="1">
+    <metadata>
+      <title>Ensure auditd Collects Information on Unsuccesful Creation Attempts to Files - open o_creat</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 7</platform>
+        <platform>multi_platform_fedora</platform>
+      </affected>
+      <description>Audit rules about the information on the unsuccessful use of open O_CREAT is enabled.</description>
+    </metadata>
+
+    <criteria operator="OR">
+
+      <!-- Test the augenrules case -->
+      <criteria operator="AND">
+        <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
+        <criterion comment="Verify audit rule open 32bit a2&amp;0100 eacces augenrules exists" test_ref="test_arufm_open_o_creat_32bit_a20100_eacces_augenrules" />
+        <criterion comment="Verify audit rule open 32bit a2&amp;0100 eperm augenrules exists" test_ref="test_arufm_open_o_creat_32bit_a20100_eperm_augenrules" />
+
+        <criteria operator="OR">
+          <!-- System either isn't 64-bit => we just check presence of the 32-bit version of the EACCES / EPERM rules-->
+          <extend_definition comment="64-bit system" definition_ref="system_info_architecture_64bit" negate="true" />
+          <!-- Or system is 64-bit => in that case we also need to verify the presence of 64-bit versions of the rules -->
+          <criteria operator="AND">
+            <criterion comment="Verify audit rule open 64bit a2&amp;0100 eacces augenrules exists" test_ref="test_arufm_open_o_creat_64bit_a20100_eacces_augenrules" />
+            <criterion comment="Verify audit rule open 64bit a2&amp;0100 eperm augenrules exists" test_ref="test_arufm_open_o_creat_64bit_a20100_eperm_augenrules" />
+          </criteria>
+        </criteria>
+      </criteria>
+
+      <!-- OR test the auditctl case -->
+      <criteria operator="AND">
+        <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
+        <criterion comment="Verify audit rule open 32bit a2&amp;0100 eacces auditctl exists" test_ref="test_arufm_open_o_creat_32bit_a20100_eacces_auditctl" />
+        <criterion comment="Verify audit rule open 32bit a2&amp;0100 eperm auditctl exists" test_ref="test_arufm_open_o_creat_32bit_a20100_eperm_auditctl" />
+
+        <criteria operator="OR">
+          <!-- System either isn't 64-bit => we just check presence of the 32-bit version of the EACCES / EPERM rules -->
+          <extend_definition comment="64-bit_system" definition_ref="system_info_architecture_64bit" negate="true" />
+          <!-- Or system is 64-bit => in that case we also need to verify the presence of 64-bit versions of the rules -->
+          <criteria operator="AND">
+            <criterion comment="Verify audit rule open 64bit a2&amp;0100 eacces auditctl exists" test_ref="test_arufm_open_o_creat_64bit_a20100_eacces_auditctl" />
+            <criterion comment="Verify audit rule open 64bit a2&amp;0100 eperm auditctl exists" test_ref="test_arufm_open_o_creat_64bit_a20100_eperm_auditctl" />
+
+          </criteria>
+        </criteria>
+      </criteria>
+
+    </criteria>
+  </definition>
+
+  <!-- General rule boiler plate -->
+  <constant_variable id="var_audit_rule_open_o_creat_32bit_head" version="1" datatype="string" comment="audit rule arch and syscal">
+      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]*</value>
+  </constant_variable>
+  <constant_variable id="var_audit_rule_open_o_creat_64bit_head" version="1" datatype="string" comment="audit rule arch and syscal">
+      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]*</value>
+  </constant_variable>
+  <constant_variable id="var_audit_rule_open_o_creat_tail" version="1" datatype="string" comment="audit rule auid and key">
+    <value>[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>
+  </constant_variable>
+
+  <!-- Regex to match anything between targeted rules -->
+  <constant_variable id="var_audit_rule_open_o_creat_separator_regex" version="1" datatype="string" comment="audit rule auid and key">
+    <value>(?:[^.]|\.\s)*</value>
+  </constant_variable>
+
+  <!-- 32bit EACCES rules -->
+  <local_variable id="var_audit_rule_open_o_creat_32bit_a20100_eacces_regex" version="1" datatype="string" comment="Expression to match 32bit open O_CREAT EACCES syscall">
+    <concat>
+      <variable_component var_ref="var_audit_rule_open_o_creat_32bit_head" />
+      <literal_component>(?:-F\s+a2&amp;0100)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
+      <variable_component var_ref="var_audit_rule_open_o_creat_tail" />
+    </concat>
+  </local_variable>
+
+  <!-- 32bit EPERM rules -->
+  <local_variable id="var_audit_rule_open_o_creat_32bit_a20100_eperm_regex" version="1" datatype="string" comment="Expression to match 32bit open O_CREAT EPERM syscall">
+    <concat>
+      <variable_component var_ref="var_audit_rule_open_o_creat_32bit_head" />
+      <literal_component>(?:-F\s+a2&amp;0100)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
+      <variable_component var_ref="var_audit_rule_open_o_creat_tail" />
+    </concat>
+  </local_variable>
+
+  <!-- 64bit EACCES rules -->
+  <local_variable id="var_audit_rule_open_o_creat_64bit_a20100_eacces_regex" version="1" datatype="string" comment="Expression to match 64bit open O_CREAT EACCES syscall">
+    <concat>
+      <variable_component var_ref="var_audit_rule_open_o_creat_64bit_head" />
+      <literal_component>(?:-F\s+a2&amp;0100)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
+      <variable_component var_ref="var_audit_rule_open_o_creat_tail" />
+    </concat>
+  </local_variable>
+
+  <!-- 64bit EPERM rules -->
+  <local_variable id="var_audit_rule_open_o_creat_64bit_a20100_eperm_regex" version="1" datatype="string" comment="Expression to match 32bit open O_CREAT EPERM syscall">
+    <concat>
+      <variable_component var_ref="var_audit_rule_open_o_creat_64bit_head" />
+      <literal_component>(?:-F\s+a2&amp;0100)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
+      <variable_component var_ref="var_audit_rule_open_o_creat_tail" />
+    </concat>
+  </local_variable>
+
+
+  <!-- 32bit EACCES augenrules objects -->
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
+ comment="defined audit rule must exist" id="test_arufm_open_o_creat_32bit_a20100_eacces_augenrules" version="1">
+    <ind:object object_ref="object_arufm_open_o_creat_32bit_a20100_eacces_augenrules" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_arufm_open_o_creat_32bit_a20100_eacces_augenrules" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_creat_32bit_a20100_eacces_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+
+  <!-- 32bit EPERM augenrules objects -->
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
+ comment="defined audit rule must exist" id="test_arufm_open_o_creat_32bit_a20100_eperm_augenrules" version="1">
+    <ind:object object_ref="object_arufm_open_o_creat_32bit_a20100_eperm_augenrules" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_arufm_open_o_creat_32bit_a20100_eperm_augenrules" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_creat_32bit_a20100_eperm_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+
+  <!-- 64bit EACCES augenrules objects -->
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
+ comment="defined audit rule must exist" id="test_arufm_open_o_creat_64bit_a20100_eacces_augenrules" version="1">
+    <ind:object object_ref="object_arufm_open_o_creat_64bit_a20100_eacces_augenrules" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_arufm_open_o_creat_64bit_a20100_eacces_augenrules" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_creat_64bit_a20100_eacces_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+
+  <!-- 64bit EPERM augenrules objects -->
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
+ comment="defined audit rule must exist" id="test_arufm_open_o_creat_64bit_a20100_eperm_augenrules" version="1">
+    <ind:object object_ref="object_arufm_open_o_creat_64bit_a20100_eperm_augenrules" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_arufm_open_o_creat_64bit_a20100_eperm_augenrules" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_creat_64bit_a20100_eperm_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+
+  <!-- 32bit EACCES auditctl objects -->
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
+ comment="defined audit rule must exist" id="test_arufm_open_o_creat_32bit_a20100_eacces_auditctl" version="1">
+    <ind:object object_ref="object_arufm_open_o_creat_32bit_a20100_eacces_auditctl" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_arufm_open_o_creat_32bit_a20100_eacces_auditctl" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_creat_32bit_a20100_eacces_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+
+  <!-- 32bit EPERM auditctl objects -->
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
+ comment="defined audit rule must exist" id="test_arufm_open_o_creat_32bit_a20100_eperm_auditctl" version="1">
+    <ind:object object_ref="object_arufm_open_o_creat_32bit_a20100_eperm_auditctl" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_arufm_open_o_creat_32bit_a20100_eperm_auditctl" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_creat_32bit_a20100_eperm_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+
+  <!-- 64bit EACCES auditctl objects -->
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
+ comment="defined audit rule must exist" id="test_arufm_open_o_creat_64bit_a20100_eacces_auditctl" version="1">
+    <ind:object object_ref="object_arufm_open_o_creat_64bit_a20100_eacces_auditctl" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_arufm_open_o_creat_64bit_a20100_eacces_auditctl" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_creat_64bit_a20100_eacces_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+
+  <!-- 64bit EPERM auditctl objects -->
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
+ comment="defined audit rule must exist" id="test_arufm_open_o_creat_64bit_a20100_eperm_auditctl" version="1">
+    <ind:object object_ref="object_arufm_open_o_creat_64bit_a20100_eperm_auditctl" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_arufm_open_o_creat_64bit_a20100_eperm_auditctl" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_creat_64bit_a20100_eperm_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>
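Review bot: The `a2&amp;0100` literal in the four `*_a20100_*_regex` local variables (`(?:-F\s+a2&amp;0100)[\s]+(?:-F\s+exit=-EACCES)` and the EPERM twin) requires a rule that filters the third argument of open(2), which is the permission mode, whereas the O_CREAT flag is carried in the second argument; for `-S open` the expected filter should be `-F a1&amp;0100` (a2 is the flags argument only for openat), so the check as written accepts rules that audit mode bits rather than creation attempts. The same a1/a2 mismatch is in the paired open_o_creat .rule description and in both open_o_trunc_write files. Separately, the four `object_arufm_open_o_creat_*_auditctl` objects use the same `<ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>` as the augenrules objects, so the auditctl branch of the definition never inspects `/etc/audit/audit.rules`, the file the rule text tells the administrator to edit; those four should use `<ind:filepath>/etc/audit/audit.rules</ind:filepath>`. `var_audit_rule_open_o_creat_separator_regex` is declared but referenced nowhere in this file, and the `comment` on `var_audit_rule_open_o_creat_64bit_a20100_eperm_regex` still says `32bit`.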
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat.rule
new file mode 100644
index 0000000000..c879183de2
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat.rule
@@ -0,0 +1,54 @@
+documentation_complete: true
+
+prodtype: rhel7,fedora
+
+title: 'Record Unauthorized Creation Attempts to Files (unsuccessful) - open O_CREAT'
+
+
+description: |-
+    The audit system should collect unauthorized file accesses for
+    all users and root. The <tt>open</tt> syscall can be used to create new files
+    when O_CREAT flag is specified.
+    The following auidt rules will asure that unsuccessful attempts to create a
+    file via <tt>open</tt> syscall are collected.
+    If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt>
+    program to read audit rules during daemon startup (the default), add the
+    rules below to a file with suffix <tt>.rules</tt> in the directory
+    <tt>/etc/audit/rules.d</tt>.
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
+    utility to read audit rules during daemon startup, add the rules below to
+    <tt>/etc/audit/audit.rules</tt> file.
+    <pre>
+    -a always,exit -F arch=b32 -S open -F a2&amp;0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+    -a always,exit -F arch=b32 -S open -F a2&amp;0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+    </pre>
+    If the system is 64 bit then also add the following lines:
+    <pre>
+    -a always,exit -F arch=b64 -S open -F a2&amp;0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+    -a always,exit -F arch=b64 -S open -F a2&amp;0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+    </pre>
+
+rationale: |-
+    Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
+    these events could serve as evidence of potential system compromise.
+
+severity: medium
+
+references:
+    cis: 5.2.10
+    cui: 3.1.7
+    disa: 172,2884
+    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
+    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
+    ospp@rhel7: FAU_GEN.1.1.c
+    pcidss: Req-10.2.4,Req-10.2.1
+    srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172
+
+{{{ complete_ocil_entry_audit_syscall(syscall="open") }}}
+
+warnings:
+    - general: |-
+        Note that these rules can be configured in a
+        number of ways while still achieving the desired effect. Here the system calls
+        have been placed independent of other system calls. Grouping these system
+        calls with others as identifying earlier in this guide is more efficient.
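Review bot: The description's user-visible text carries typos that will be rendered into the guide: `The following auidt rules will asure that` should read `The following audit rules will assure that`, and the warning's `as identifying earlier in this guide` should be `as identified earlier in this guide`; the same `auidt`/`asure` pair and the same warning text recur in the open_o_trunc_write .rule file. The key name `unsuccesful-create` in the example rules is also misspelt; the OVAL tail regex accepts any `-k`/`-F key=` value, so this is cosmetic, but the example is what administrators will copy. The a2-versus-a1 argument issue in the example rules is raised on the open_o_creat OVAL file above.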
diff --git a/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_o_trunc_write.xml b/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_o_trunc_write.xml
new file mode 100644
index 0000000000..49540d8d4c
--- /dev/null
+++ b/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_o_trunc_write.xml
@@ -0,0 +1,200 @@
+<def-group>
+  <definition class="compliance" id="audit_rules_unsuccessful_file_modification_open_o_trunc_write" version="1">
+    <metadata>
+      <title>Ensure auditd Collects Information on Unsuccesful Creation Attempts to Files - open o_trunc</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 7</platform>
+        <platform>multi_platform_fedora</platform>
+      </affected>
+      <description>Audit rules about the information on the unsuccessful use of open O_TRUNC is enabled.</description>
+    </metadata>
+
+    <criteria operator="OR">
+
+      <!-- Test the augenrules case -->
+      <criteria operator="AND">
+        <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
+        <criterion comment="Verify audit rule open 32bit a2&amp;01003 eacces augenrules exists" test_ref="test_arufm_open_o_trunc_32bit_a201003_eacces_augenrules" />
+        <criterion comment="Verify audit rule open 32bit a2&amp;01003 eperm augenrules exists" test_ref="test_arufm_open_o_trunc_32bit_a201003_eperm_augenrules" />
+
+        <criteria operator="OR">
+          <!-- System either isn't 64-bit => we just check presence of the 32-bit version of the EACCES / EPERM rules-->
+          <extend_definition comment="64-bit system" definition_ref="system_info_architecture_64bit" negate="true" />
+          <!-- Or system is 64-bit => in that case we also need to verify the presence of 64-bit versions of the rules -->
+          <criteria operator="AND">
+            <criterion comment="Verify audit rule open 64bit a2&amp;01003 eacces augenrules exists" test_ref="test_arufm_open_o_trunc_64bit_a201003_eacces_augenrules" />
+            <criterion comment="Verify audit rule open 64bit a2&amp;01003 eperm augenrules exists" test_ref="test_arufm_open_o_trunc_64bit_a201003_eperm_augenrules" />
+          </criteria>
+        </criteria>
+      </criteria>
+
+      <!-- OR test the auditctl case -->
+      <criteria operator="AND">
+        <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
+        <criterion comment="Verify audit rule open 32bit a2&amp;01003 eacces auditctl exists" test_ref="test_arufm_open_o_trunc_32bit_a201003_eacces_auditctl" />
+        <criterion comment="Verify audit rule open 32bit a2&amp;01003 eperm auditctl exists" test_ref="test_arufm_open_o_trunc_32bit_a201003_eperm_auditctl" />
+
+        <criteria operator="OR">
+          <!-- System either isn't 64-bit => we just check presence of the 32-bit version of the EACCES / EPERM rules -->
+          <extend_definition comment="64-bit_system" definition_ref="system_info_architecture_64bit" negate="true" />
+          <!-- Or system is 64-bit => in that case we also need to verify the presence of 64-bit versions of the rules -->
+          <criteria operator="AND">
+            <criterion comment="Verify audit rule open 64bit a2&amp;01003 eacces auditctl exists" test_ref="test_arufm_open_o_trunc_64bit_a201003_eacces_auditctl" />
+            <criterion comment="Verify audit rule open 64bit a2&amp;01003 eperm auditctl exists" test_ref="test_arufm_open_o_trunc_64bit_a201003_eperm_auditctl" />
+
+          </criteria>
+        </criteria>
+      </criteria>
+
+    </criteria>
+  </definition>
+
+  <!-- General rule boiler plate -->
+  <constant_variable id="var_audit_rule_open_o_trunc_32bit_head" version="1" datatype="string" comment="audit rule arch and syscal">
+      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]*</value>
+  </constant_variable>
+  <constant_variable id="var_audit_rule_open_o_trunc_64bit_head" version="1" datatype="string" comment="audit rule arch and syscal">
+      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]*</value>
+  </constant_variable>
+  <constant_variable id="var_audit_rule_open_o_trunc_tail" version="1" datatype="string" comment="audit rule auid and key">
+    <value>[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>
+  </constant_variable>
+
+  <!-- Regex to match anything between targeted rules -->
+  <constant_variable id="var_audit_rule_open_o_trunc_separator_regex" version="1" datatype="string" comment="audit rule auid and key">
+    <value>(?:[^.]|\.\s)*</value>
+  </constant_variable>
+
+  <!-- 32bit EACCES rules -->
+  <local_variable id="var_audit_rule_open_o_trunc_32bit_a201003_eacces_regex" version="1" datatype="string" comment="Expression to match 32bit open O_TRUNC EACCES syscall">
+    <concat>
+      <variable_component var_ref="var_audit_rule_open_o_trunc_32bit_head" />
+      <literal_component>(?:-F\s+a2&amp;01003)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
+      <variable_component var_ref="var_audit_rule_open_o_trunc_tail" />
+    </concat>
+  </local_variable>
+
+  <!-- 32bit EPERM rules -->
+  <local_variable id="var_audit_rule_open_o_trunc_32bit_a201003_eperm_regex" version="1" datatype="string" comment="Expression to match 32bit open O_TRUNC EPERM EACCES syscall">
+    <concat>
+      <variable_component var_ref="var_audit_rule_open_o_trunc_32bit_head" />
+      <literal_component>(?:-F\s+a2&amp;01003)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
+      <variable_component var_ref="var_audit_rule_open_o_trunc_tail" />
+    </concat>
+  </local_variable>
+
+  <!-- 64bit EACCES rules -->
+  <local_variable id="var_audit_rule_open_o_trunc_64bit_a201003_eacces_regex" version="1" datatype="string" comment="Expression to match 64bit open O_TRUNC EACCES syscall">
+    <concat>
+      <variable_component var_ref="var_audit_rule_open_o_trunc_64bit_head" />
+      <literal_component>(?:-F\s+a2&amp;01003)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
+      <variable_component var_ref="var_audit_rule_open_o_trunc_tail" />
+    </concat>
+  </local_variable>
+
+  <!-- 64bit EPERM rules -->
+  <local_variable id="var_audit_rule_open_o_trunc_64bit_a201003_eperm_regex" version="1" datatype="string" comment="Expression to match 64bit open O_TRUNC EPERM syscall">
+    <concat>
+      <variable_component var_ref="var_audit_rule_open_o_trunc_64bit_head" />
+      <literal_component>(?:-F\s+a2&amp;01003)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
+      <variable_component var_ref="var_audit_rule_open_o_trunc_tail" />
+    </concat>
+  </local_variable>
+
+
+  <!-- 32bit EACCES augenrules objects -->
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
+ comment="defined audit rule must exist" id="test_arufm_open_o_trunc_32bit_a201003_eacces_augenrules" version="1">
+    <ind:object object_ref="object_arufm_open_o_trunc_32bit_a201003_eacces_augenrules" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_arufm_open_o_trunc_32bit_a201003_eacces_augenrules" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_trunc_32bit_a201003_eacces_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+
+  <!-- 32bit EPERM augenrules objects -->
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
+ comment="defined audit rule must exist" id="test_arufm_open_o_trunc_32bit_a201003_eperm_augenrules" version="1">
+    <ind:object object_ref="object_arufm_open_o_trunc_32bit_a201003_eperm_augenrules" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_arufm_open_o_trunc_32bit_a201003_eperm_augenrules" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_trunc_32bit_a201003_eperm_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+
+  <!-- 64bit EACCES augenrules objects -->
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
+ comment="defined audit rule must exist" id="test_arufm_open_o_trunc_64bit_a201003_eacces_augenrules" version="1">
+    <ind:object object_ref="object_arufm_open_o_trunc_64bit_a201003_eacces_augenrules" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_arufm_open_o_trunc_64bit_a201003_eacces_augenrules" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_trunc_64bit_a201003_eacces_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+
+  <!-- 64bit EPERM augenrules objects -->
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
+ comment="defined audit rule must exist" id="test_arufm_open_o_trunc_64bit_a201003_eperm_augenrules" version="1">
+    <ind:object object_ref="object_arufm_open_o_trunc_64bit_a201003_eperm_augenrules" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_arufm_open_o_trunc_64bit_a201003_eperm_augenrules" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_trunc_64bit_a201003_eperm_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+
+  <!-- 32bit EACCES auditctl objects -->
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
+ comment="defined audit rule must exist" id="test_arufm_open_o_trunc_32bit_a201003_eacces_auditctl" version="1">
+    <ind:object object_ref="object_arufm_open_o_trunc_32bit_a201003_eacces_auditctl" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_arufm_open_o_trunc_32bit_a201003_eacces_auditctl" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_trunc_32bit_a201003_eacces_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+
+  <!-- 32bit EPERM auditctl objects -->
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
+ comment="defined audit rule must exist" id="test_arufm_open_o_trunc_32bit_a201003_eperm_auditctl" version="1">
+    <ind:object object_ref="object_arufm_open_o_trunc_32bit_a201003_eperm_auditctl" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_arufm_open_o_trunc_32bit_a201003_eperm_auditctl" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_trunc_32bit_a201003_eperm_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+
+  <!-- 64bit EACCES auditctl objects -->
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
+ comment="defined audit rule must exist" id="test_arufm_open_o_trunc_64bit_a201003_eacces_auditctl" version="1">
+    <ind:object object_ref="object_arufm_open_o_trunc_64bit_a201003_eacces_auditctl" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_arufm_open_o_trunc_64bit_a201003_eacces_auditctl" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_trunc_64bit_a201003_eacces_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+
+  <!-- 64bit EPERM auditctl objects -->
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
+ comment="defined audit rule must exist" id="test_arufm_open_o_trunc_64bit_a201003_eperm_auditctl" version="1">
+    <ind:object object_ref="object_arufm_open_o_trunc_64bit_a201003_eperm_auditctl" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_arufm_open_o_trunc_64bit_a201003_eperm_auditctl" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_trunc_64bit_a201003_eperm_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>
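Review bot: The definition's `<title>` reads `Ensure auditd Collects Information on Unsuccesful Creation Attempts to Files - open o_trunc`, copied from the O_CREAT check, while the `<description>` and the paired .rule file describe unsuccessful modification attempts; suggest `Ensure auditd Collects Information on Unsuccessful Modification Attempts to Files - open o_trunc`. The `comment` attribute on `var_audit_rule_open_o_trunc_32bit_a201003_eperm_regex` reads `EPERM EACCES syscall` and should drop `EACCES`. The a1/a2 argument and auditctl filepath issues raised on the open_o_creat OVAL file apply to this file unchanged.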
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write.rule
new file mode 100644
index 0000000000..8525b31bb1
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write.rule
@@ -0,0 +1,53 @@
+documentation_complete: true
+
+prodtype: rhel7,fedora
+
+title: 'Record Unauthorized Modification Attempts to Files (unsuccessful) - open O_TRUNC'
+
+description: |-
+    The audit system should collect detailed unauthorized file accesses for
+    all users and root. The <tt>open</tt> syscall can be used to modify files
+    if called for write operation of with O_TRUNC flag.
+    The following auidt rules will asure that unsuccessful attempts to modify a
+    file via <tt>open</tt> syscall are collected.
+    If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt>
+    program to read audit rules during daemon startup (the default), add the
+    rules below to a file with suffix <tt>.rules</tt> in the directory
+    <tt>/etc/audit/rules.d</tt>.
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
+    utility to read audit rules during daemon startup, add the rules below to
+    <tt>/etc/audit/audit.rules</tt> file.
+    <pre>
+    -a always,exit -F arch=b32 -S open -F a2&amp;01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+    -a always,exit -F arch=b32 -S open -F a2&amp;01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+    </pre>
+    If the system is 64 bit then also add the following lines:
+    <pre>
+    -a always,exit -F arch=b64 -S open -F a2&amp;01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+    -a always,exit -F arch=b64 -S open -F a2&amp;01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+    </pre>
+
+rationale: |-
+    Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
+    these events could serve as evidence of potential system compromise.
+
+severity: medium
+
+references:
+    cis: 5.2.10
+    cui: 3.1.7
+    disa: 172,2884
+    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
+    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
+    ospp@rhel7: FAU_GEN.1.1.c
+    pcidss: Req-10.2.4,Req-10.2.1
+    srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172
+
+{{{ complete_ocil_entry_audit_syscall(syscall="open") }}}
+
+warnings:
+    - general: |-
+        Note that these rules can be configured in a
+        number of ways while still achieving the desired effect. Here the system calls
+        have been placed independent of other system calls. Grouping these system
+        calls with others as identifying earlier in this guide is more efficient.
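Review bot: The description never explains what the mask `01003` in `-F a2&amp;01003` selects, so a reader cannot tell why it differs from the `0100` used by the O_CREAT rule; suggest adding after the O_TRUNC sentence: `On Linux the mask 01003 matches any open with the O_TRUNC, O_WRONLY or O_RDWR flag set.` The sentence `if called for write operation of with O_TRUNC flag` should read `if called for a write operation or with the O_TRUNC flag`. The typos and the a2-versus-a1 argument issue are raised on the open_o_creat files above and apply here as well.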
diff --git a/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_rule_order.xml b/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_rule_order.xml
new file mode 100644
index 0000000000..780fdf60d4
--- /dev/null
+++ b/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_rule_order.xml
@@ -0,0 +1,474 @@
+<def-group>
+  <definition class="compliance" id="audit_rules_unsuccessful_file_modification_open_rule_order" version="1">
+    <metadata>
+      <title>Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 7</platform>
+        <platform>multi_platform_fedora</platform>
+      </affected>
+      <description>Audit rules about the information on the unsuccessful use of open is configured in the proper rule order.</description>
+
+    </metadata>
+
+    <criteria operator="OR">
+
+      <!-- Test the augenrules case -->
+      <criteria operator="AND">
+        <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
+        <criterion comment="audit augenrules 32-bit" test_ref="test_arufm_open_order_32bit_eacces_augenrules" />
+        <criterion comment="audit augenrules 32-bit" test_ref="test_arufm_open_order_32bit_eperm_augenrules" />
+
+        <criteria operator="OR">
+          <!-- System either isn't 64-bit => we just check presence of the 32-bit version of the EACCES / EPERM rules-->
+          <extend_definition comment="64-bit system" definition_ref="system_info_architecture_64bit" negate="true" />
+          <!-- Or system is 64-bit => in that case we also need to verify the presence of 64-bit versions of the rules -->
+          <criteria operator="AND">
+            <criterion comment="audit augenrules 64-bit" test_ref="test_arufm_open_order_64bit_eacces_augenrules" />
+            <criterion comment="audit augenrules 64-bit" test_ref="test_arufm_open_order_64bit_eperm_augenrules" />
+          </criteria>
+        </criteria>
+      </criteria>
+
+      <!-- OR test the auditctl case -->
+      <criteria operator="AND">
+        <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
+        <criterion comment="audit augenrules 32-bit" test_ref="test_arufm_open_order_32bit_eacces_auditctl" />
+        <criterion comment="audit augenrules 32-bit" test_ref="test_arufm_open_order_32bit_eperm_auditctl" />
+
+        <criteria operator="OR">
+          <!-- System either isn't 64-bit => we just check presence of the 32-bit version of the EACCES / EPERM rules -->
+          <extend_definition comment="64-bit_system" definition_ref="system_info_architecture_64bit" negate="true" />
+          <!-- Or system is 64-bit => in that case we also need to verify the presence of 64-bit versions of the rules -->
+          <criteria operator="AND">
+            <criterion comment="audit augenrules 32-bit" test_ref="test_arufm_open_order_64bit_eacces_auditctl" />
+            <criterion comment="audit augenrules 32-bit" test_ref="test_arufm_open_order_64bit_eperm_auditctl" />
+
+          </criteria>
+        </criteria>
+      </criteria>
+
+    </criteria>
+  </definition>
+
+  <!-- General rule boiler plate -->
+  <constant_variable id="var_audit_rule_open_order_32bit_head" version="1" datatype="string" comment="audit rule arch and syscal">
+      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]*</value>
+  </constant_variable>
+  <constant_variable id="var_audit_rule_open_order_64bit_head" version="1" datatype="string" comment="audit rule arch and syscal">
+      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]*</value>
+  </constant_variable>
+  <constant_variable id="var_audit_rule_open_order_tail" version="1" datatype="string" comment="audit rule auid and key">
+    <value>[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>
+  </constant_variable>
+
+  <!-- Regex to match anything between targeted rules -->
+  <constant_variable id="var_audit_rule_open_order_separator_regex" version="1" datatype="string" comment="audit rule auid and key">
+    <value>(?:[^.]|\.\s)*</value>
+  </constant_variable>
+
+  <!-- 32bit EACCES rules -->
+  <local_variable id="var_audit_rule_open_order_32bit_a20100_eacces_regex" version="1" datatype="string" comment="arches to audit">
+    <concat>
+      <variable_component var_ref="var_audit_rule_open_order_32bit_head" />
+      <literal_component>(?:-F\s+a2&amp;0100)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
+      <variable_component var_ref="var_audit_rule_open_order_tail" />
+    </concat>
+  </local_variable>
+  <local_variable id="var_audit_rule_open_order_32bit_a201003_eacces_regex" version="1" datatype="string" comment="arches to audit">
+    <concat>
+      <variable_component var_ref="var_audit_rule_open_order_32bit_head" />
+      <literal_component>(?:-F\s+a2&amp;01003)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
+      <variable_component var_ref="var_audit_rule_open_order_tail" />
+    </concat>
+  </local_variable>
+  <local_variable id="var_audit_rule_open_order_32bit_eacces_regex" version="1" datatype="string" comment="arches to audit">
+    <concat>
+      <variable_component var_ref="var_audit_rule_open_order_32bit_head" />
+      <literal_component>(?!.*-F\s+a2&amp;)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
+      <variable_component var_ref="var_audit_rule_open_order_tail" />
+    </concat>
+  </local_variable>
+
+  <!-- 32bit EPERM rules -->
+  <local_variable id="var_audit_rule_open_order_32bit_a20100_eperm_regex" version="1" datatype="string" comment="arches to audit">
+    <concat>
+      <variable_component var_ref="var_audit_rule_open_order_32bit_head" />
+      <literal_component>(?:-F\s+a2&amp;0100)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
+      <variable_component var_ref="var_audit_rule_open_order_tail" />
+    </concat>
+  </local_variable>
+  <local_variable id="var_audit_rule_open_order_32bit_a201003_eperm_regex" version="1" datatype="string" comment="arches to audit">
+    <concat>
+      <variable_component var_ref="var_audit_rule_open_order_32bit_head" />
+      <literal_component>(?:-F\s+a2&amp;01003)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
+      <variable_component var_ref="var_audit_rule_open_order_tail" />
+    </concat>
+  </local_variable>
+  <local_variable id="var_audit_rule_open_order_32bit_eperm_regex" version="1" datatype="string" comment="arches to audit">
+    <concat>
+      <variable_component var_ref="var_audit_rule_open_order_32bit_head" />
+      <literal_component>(?!.*-F\s+a2&amp;)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
+      <variable_component var_ref="var_audit_rule_open_order_tail" />
+    </concat>
+  </local_variable>
+
+  <!-- 64bit EACCES rules -->
+  <local_variable id="var_audit_rule_open_order_64bit_a20100_eacces_regex" version="1" datatype="string" comment="arches to audit">
+    <concat>
+      <variable_component var_ref="var_audit_rule_open_order_64bit_head" />
+      <literal_component>(?:-F\s+a2&amp;0100)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
+      <variable_component var_ref="var_audit_rule_open_order_tail" />
+    </concat>
+  </local_variable>
+  <local_variable id="var_audit_rule_open_order_64bit_a201003_eacces_regex" version="1" datatype="string" comment="arches to audit">
+    <concat>
+      <variable_component var_ref="var_audit_rule_open_order_64bit_head" />
+      <literal_component>(?:-F\s+a2&amp;01003)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
+      <variable_component var_ref="var_audit_rule_open_order_tail" />
+    </concat>
+  </local_variable>
+  <local_variable id="var_audit_rule_open_order_64bit_eacces_regex" version="1" datatype="string" comment="arches to audit">
+    <concat>
+      <variable_component var_ref="var_audit_rule_open_order_64bit_head" />
+      <literal_component>(?!.*-F\s+a2&amp;)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
+      <variable_component var_ref="var_audit_rule_open_order_tail" />
+    </concat>
+  </local_variable>
+
+  <!-- 64bit EPERM rules -->
+  <local_variable id="var_audit_rule_open_order_64bit_a20100_eperm_regex" version="1" datatype="string" comment="arches to audit">
+    <concat>
+      <variable_component var_ref="var_audit_rule_open_order_64bit_head" />
+      <literal_component>(?:-F\s+a2&amp;0100)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
+      <variable_component var_ref="var_audit_rule_open_order_tail" />
+    </concat>
+  </local_variable>
+  <local_variable id="var_audit_rule_open_order_64bit_a201003_eperm_regex" version="1" datatype="string" comment="arches to audit">
+    <concat>
+      <variable_component var_ref="var_audit_rule_open_order_64bit_head" />
+      <literal_component>(?:-F\s+a2&amp;01003)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
+      <variable_component var_ref="var_audit_rule_open_order_tail" />
+    </concat>
+  </local_variable>
+  <local_variable id="var_audit_rule_open_order_64bit_eperm_regex" version="1" datatype="string" comment="arches to audit">
+    <concat>
+      <variable_component var_ref="var_audit_rule_open_order_64bit_head" />
+      <literal_component>(?!.*-F\s+a2&amp;)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
+      <variable_component var_ref="var_audit_rule_open_order_tail" />
+    </concat>
+  </local_variable>
+
+
+  <!-- 32bit EACCES augenrules objects -->
+  <ind:textfilecontent54_object id="object_arufm_open_order_32bit_a20100_eacces_augenrules" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_32bit_a20100_eacces_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="object_arufm_open_order_32bit_a201003_eacces_augenrules" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_32bit_a201003_eacces_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="object_arufm_open_order_nofilter_32bit_eacces_augenrules" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_32bit_eacces_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <local_variable id="var_arufm_open_order_32bit_eacces_augenrules_regex" version="1" datatype="string" comment="arches to audit">
+    <concat>
+      <object_component item_field="text" object_ref="object_arufm_open_order_32bit_a20100_eacces_augenrules" />
+      <variable_component var_ref="var_audit_rule_open_order_separator_regex" />
+      <object_component item_field="text" object_ref="object_arufm_open_order_32bit_a201003_eacces_augenrules" />
+      <variable_component var_ref="var_audit_rule_open_order_separator_regex" />
+      <object_component item_field="text" object_ref="object_arufm_open_order_nofilter_32bit_eacces_augenrules" />
+    </concat>
+  </local_variable>
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
+ comment="defined audit rule must exist" id="test_arufm_open_order_32bit_eacces_augenrules" version="1">
+    <ind:object object_ref="object_arufm_open_order_32bit_eacces_augenrules" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_arufm_open_order_32bit_eacces_augenrules" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_arufm_open_order_32bit_eacces_augenrules_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+
+  <!-- 32bit EPERM augenrules objects -->
+  <ind:textfilecontent54_object id="object_arufm_open_order_32bit_a20100_eperm_augenrules" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_32bit_a20100_eperm_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="object_arufm_open_order_32bit_a201003_eperm_augenrules" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_32bit_a201003_eperm_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="object_arufm_open_order_nofilter_32bit_eperm_augenrules" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_32bit_eperm_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <local_variable id="var_arufm_open_order_32bit_open_eperm_augenrules_regex" version="1" datatype="string" comment="arches to audit">
+    <concat>
+      <object_component item_field="text" object_ref="object_arufm_open_order_32bit_a20100_eperm_augenrules" />
+      <variable_component var_ref="var_audit_rule_open_order_separator_regex" />
+      <object_component item_field="text" object_ref="object_arufm_open_order_32bit_a201003_eperm_augenrules" />
+      <variable_component var_ref="var_audit_rule_open_order_separator_regex" />
+      <object_component item_field="text" object_ref="object_arufm_open_order_nofilter_32bit_eperm_augenrules" />
+    </concat>
+  </local_variable>
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
+ comment="defined audit rule must exist" id="test_arufm_open_order_32bit_eperm_augenrules" version="1">
+    <ind:object object_ref="object_arufm_open_order_32bit_eperm_augenrules" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_arufm_open_order_32bit_eperm_augenrules" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_arufm_open_order_32bit_open_eperm_augenrules_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+
+  <!-- 64bit EACCES augenrules objects -->
+  <ind:textfilecontent54_object id="object_arufm_open_order_64bit_a20100_eacces_augenrules" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_64bit_a20100_eacces_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="object_arufm_open_order_64bit_a201003_eacces_augenrules" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_64bit_a201003_eacces_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="object_arufm_open_order_nofilter_64bit_eacces_augenrules" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_64bit_eacces_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <local_variable id="var_arufm_open_order_64bit_eacces_augenrules_regex" version="1" datatype="string" comment="arches to audit">
+    <concat>
+      <object_component item_field="text" object_ref="object_arufm_open_order_64bit_a20100_eacces_augenrules" />
+      <variable_component var_ref="var_audit_rule_open_order_separator_regex" />
+      <object_component item_field="text" object_ref="object_arufm_open_order_64bit_a201003_eacces_augenrules" />
+      <variable_component var_ref="var_audit_rule_open_order_separator_regex" />
+      <object_component item_field="text" object_ref="object_arufm_open_order_nofilter_64bit_eacces_augenrules" />
+    </concat>
+  </local_variable>
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
+ comment="defined audit rule must exist" id="test_arufm_open_order_64bit_eacces_augenrules" version="1">
+    <ind:object object_ref="object_arufm_open_order_64bit_eacces_augenrules" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_arufm_open_order_64bit_eacces_augenrules" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_arufm_open_order_64bit_eacces_augenrules_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+
+  <!-- 64bit EPERM augenrules objects -->
+  <ind:textfilecontent54_object id="object_arufm_open_order_64bit_a20100_eperm_augenrules" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_64bit_a20100_eperm_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="object_arufm_open_order_64bit_a201003_eperm_augenrules" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_64bit_a201003_eperm_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="object_arufm_open_order_nofilter_64bit_eperm_augenrules" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_64bit_eperm_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <local_variable id="var_arufm_open_order_64bit_open_eperm_augenrules_regex" version="1" datatype="string" comment="arches to audit">
+    <concat>
+      <object_component item_field="text" object_ref="object_arufm_open_order_64bit_a20100_eperm_augenrules" />
+      <variable_component var_ref="var_audit_rule_open_order_separator_regex" />
+      <object_component item_field="text" object_ref="object_arufm_open_order_64bit_a201003_eperm_augenrules" />
+      <variable_component var_ref="var_audit_rule_open_order_separator_regex" />
+      <object_component item_field="text" object_ref="object_arufm_open_order_nofilter_64bit_eperm_augenrules" />
+    </concat>
+  </local_variable>
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
+ comment="defined audit rule must exist" id="test_arufm_open_order_64bit_eperm_augenrules" version="1">
+    <ind:object object_ref="object_arufm_open_order_64bit_eperm_augenrules" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_arufm_open_order_64bit_eperm_augenrules" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_arufm_open_order_64bit_open_eperm_augenrules_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+
+  <!-- 32bit EACCES auditctl objects -->
+  <ind:textfilecontent54_object id="object_arufm_open_order_32bit_a20100_eacces_auditctl" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_32bit_a20100_eacces_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="object_arufm_open_order_32bit_a201003_eacces_auditctl" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_32bit_a201003_eacces_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="object_arufm_open_order_nofilter_32bit_eacces_auditctl" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_32bit_eacces_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <local_variable id="var_arufm_open_order_32bit_auditctl_eacces_regex" version="1" datatype="string" comment="arches to audit">
+    <concat>
+      <object_component item_field="text" object_ref="object_arufm_open_order_32bit_a20100_eacces_auditctl" />
+      <variable_component var_ref="var_audit_rule_open_order_separator_regex" />
+      <object_component item_field="text" object_ref="object_arufm_open_order_32bit_a201003_eacces_auditctl" />
+      <variable_component var_ref="var_audit_rule_open_order_separator_regex" />
+      <object_component item_field="text" object_ref="object_arufm_open_order_nofilter_32bit_eacces_auditctl" />
+    </concat>
+  </local_variable>
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
+ comment="defined audit rule must exist" id="test_arufm_open_order_32bit_eacces_auditctl" version="1">
+    <ind:object object_ref="object_arufm_open_order_32bit_eacces_auditctl" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_arufm_open_order_32bit_eacces_auditctl" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_arufm_open_order_32bit_auditctl_eacces_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+
+  <!-- 32bit EPERM auditctl objects -->
+  <ind:textfilecontent54_object id="object_arufm_open_order_32bit_a20100_eperm_auditctl" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_32bit_a20100_eperm_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="object_arufm_open_order_32bit_a201003_eperm_auditctl" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_32bit_a201003_eperm_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="object_arufm_open_order_nofilter_32bit_eperm_auditctl" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_32bit_eperm_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <!-- compose 32bit EPERM rule order -->
+  <local_variable id="var_arufm_open_order_32bit_open_auditctl_eperm_regex" version="1" datatype="string" comment="arches to audit">
+    <concat>
+      <object_component item_field="text" object_ref="object_arufm_open_order_32bit_a20100_eperm_auditctl" />
+      <variable_component var_ref="var_audit_rule_open_order_separator_regex" />
+      <object_component item_field="text" object_ref="object_arufm_open_order_32bit_a201003_eperm_auditctl" />
+      <variable_component var_ref="var_audit_rule_open_order_separator_regex" />
+      <object_component item_field="text" object_ref="object_arufm_open_order_nofilter_32bit_eperm_auditctl" />
+    </concat>
+  </local_variable>
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
+ comment="Test order of audit 32bit auditctl eperm rules order" id="test_arufm_open_order_32bit_eperm_auditctl" version="1">
+    <ind:object object_ref="object_arufm_open_order_32bit_eperm_auditctl" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_arufm_open_order_32bit_eperm_auditctl" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_arufm_open_order_32bit_open_auditctl_eperm_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+
+  <!-- 64bit EACCES auditctl objects -->
+  <ind:textfilecontent54_object id="object_arufm_open_order_64bit_a20100_eacces_auditctl" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_64bit_a20100_eacces_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="object_arufm_open_order_64bit_a201003_eacces_auditctl" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_64bit_a201003_eacces_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="object_arufm_open_order_nofilter_64bit_eacces_auditctl" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_64bit_eacces_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <local_variable id="var_arufm_open_order_64bit_auditctl_eacces_regex" version="1" datatype="string" comment="arches to audit">
+    <concat>
+      <object_component item_field="text" object_ref="object_arufm_open_order_64bit_a20100_eacces_auditctl" />
+      <variable_component var_ref="var_audit_rule_open_order_separator_regex" />
+      <object_component item_field="text" object_ref="object_arufm_open_order_64bit_a201003_eacces_auditctl" />
+      <variable_component var_ref="var_audit_rule_open_order_separator_regex" />
+      <object_component item_field="text" object_ref="object_arufm_open_order_nofilter_64bit_eacces_auditctl" />
+    </concat>
+  </local_variable>
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
+ comment="defined audit rule must exist" id="test_arufm_open_order_64bit_eacces_auditctl" version="1">
+    <ind:object object_ref="object_arufm_open_order_64bit_eacces_auditctl" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_arufm_open_order_64bit_eacces_auditctl" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_arufm_open_order_64bit_auditctl_eacces_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+
+  <!-- 64bit EPERM auditctl objects -->
+  <ind:textfilecontent54_object id="object_arufm_open_order_64bit_a20100_eperm_auditctl" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_64bit_a20100_eperm_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="object_arufm_open_order_64bit_a201003_eperm_auditctl" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_64bit_a201003_eperm_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="object_arufm_open_order_nofilter_64bit_eperm_auditctl" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_64bit_eperm_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <local_variable id="var_arufm_open_order_64bit_open_auditctl_eperm_regex" version="1" datatype="string" comment="arches to audit">
+    <concat>
+      <object_component item_field="text" object_ref="object_arufm_open_order_64bit_a20100_eperm_auditctl" />
+      <variable_component var_ref="var_audit_rule_open_order_separator_regex" />
+      <object_component item_field="text" object_ref="object_arufm_open_order_64bit_a201003_eperm_auditctl" />
+      <variable_component var_ref="var_audit_rule_open_order_separator_regex" />
+      <object_component item_field="text" object_ref="object_arufm_open_order_nofilter_64bit_eperm_auditctl" />
+    </concat>
+  </local_variable>
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
+ comment="defined audit rule must exist" id="test_arufm_open_order_64bit_eperm_auditctl" version="1">
+    <ind:object object_ref="object_arufm_open_order_64bit_eperm_auditctl" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_arufm_open_order_64bit_eperm_auditctl" version="1">
+    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_arufm_open_order_64bit_open_auditctl_eperm_regex" />
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>
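Review bot: The auditctl branch of the definition checks the wrong file: every `*_auditctl` object (from `object_arufm_open_order_32bit_a20100_eacces_auditctl` through `object_arufm_open_order_64bit_eperm_auditctl`) uses the same `<ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>` as the augenrules objects, although that branch is selected by `audit_rules_auditctl` and the accompanying rule text directs the reader to `/etc/audit/audit.rules` for that case, so on an auditctl-configured system the ordering in audit.rules is never examined and the result reflects whatever happens to be in rules.d. Each of the twelve auditctl objects should instead read `<ind:filepath>/etc/audit/audit.rules</ind:filepath>`. The criterion comments in the auditctl block are copy-pasted as `audit augenrules 32-bit` (including the two 64-bit criteria), and `comment="64-bit_system"` differs from the `64-bit system` used in the augenrules block; label them `comment="audit auditctl 32-bit"` / `comment="audit auditctl 64-bit"` and align the wording. The composed ordering regexes (e.g. `var_arufm_open_order_32bit_eacces_augenrules_regex`) splice the matched rule text in unescaped, so a rule line containing a regex metacharacter (a `.` in a key name, say) would presumably be reinterpreted rather than matched literally — worth a comment on `var_audit_rule_open_order_separator_regex`, whose `comment="audit rule auid and key"` is itself a leftover from the tail variable and should say something like `comment="matches text between two ordered rules"`.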
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order.rule
new file mode 100644
index 0000000000..60a1b9de12
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order.rule
@@ -0,0 +1,64 @@
+documentation_complete: true
+
+prodtype: rhel7,fedora
+
+title: 'Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly'
+
+description: |-
+    The audit system should collect detailed unauthorized file
+    accesses for all users and root.
+    To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access
+    of files via <tt>open</tt> syscall the audit rules collecting these events need to be in certain order.
+    The more specific rules need to come before the less specific rules. The reason for that is that more
+    specific rules cover a subset of events covered in the less specific rules, thus, they need to come
+    before to not be overshadowed by less specific rules, which match a bigger set of events.
+    Make sure that rules for unsuccessful calls of <tt>open</tt> syscall are in the order shown below.
+    If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt>
+    program to read audit rules during daemon startup (the default), check the order of
+    rules below in a file with suffix <tt>.rules</tt> in the directory
+    <tt>/etc/audit/rules.d</tt>.
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
+    utility to read audit rules during daemon startup, check the order of rules below in
+    <tt>/etc/audit/audit.rules</tt> file.
+    <pre>
+    -a always,exit -F arch=b32 -S open -F a2&amp;0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+    -a always,exit -F arch=b32 -S open -F a2&amp;0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+    -a always,exit -F arch=b32 -S open -F a2&amp;01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+    -a always,exit -F arch=b32 -S open -F a2&amp;01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+    -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
+    -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
+    </pre>
+    If the system is 64 bit then also add the following lines:
+    <pre>
+    -a always,exit -F arch=b64 -S open -F a2&amp;0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+    -a always,exit -F arch=b64 -S open -F a2&amp;0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+    -a always,exit -F arch=b64 -S open -F a2&amp;01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+    -a always,exit -F arch=b64 -S open -F a2&amp;01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+    -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
+    -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
+    </pre>
+
+rationale: |-
+    Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
+    these events could serve as evidence of potential system compromise.
+
+severity: medium
+
+references:
+    cis: 5.2.10
+    cui: 3.1.7
+    disa: 172,2884
+    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
+    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
+    ospp@rhel7: FAU_GEN.1.1.c
+    pcidss: Req-10.2.4,Req-10.2.1
+    srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172
+
+{{{ complete_ocil_entry_audit_syscall(syscall="open") }}}
+
+warnings:
+    - general: |-
+        Note that these rules can be configured in a
+        number of ways while still achieving the desired effect. Here the system calls
+        have been placed independent of other system calls. Grouping these system
+        calls with others as identifying earlier in this guide is more efficient.
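Review bot: The documented rule lines at lines 1042-1056 hard-code `-F auid>=1000`, while the OVAL template touched by this same commit renders the threshold from `{{{ auid }}}` (line 1092); if that value renders to something other than 1000 on a given product, an administrator who copies the documented lines presumably ends up with rules the check does not recognise, so the description should render the threshold from the same variable instead of a literal. The warning block at lines 1078-1082 says the rules "can be configured in a number of ways while still achieving the desired effect", which reads against this rule's own premise that the relative order of the `open` rules is what matters; consider adding a sentence such as `Whatever grouping is chosen, the rules filtering on a2 must stay ahead of the unfiltered open rules.` Also, "as identifying earlier in this guide" should read "as identified earlier in this guide".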
diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification
index 555375c757..36e255c28a 100644
--- a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification
+++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification
@@ -51,7 +51,7 @@
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="object_32bit_arufm_eacces_{{{ NAME }}}_augenrules" version="1">
     <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
-    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&amp;)[\s]+(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
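Review bot: The negative lookahead inserted on line 1092 does not exclude the `-F a2&amp;` rules it is meant to filter out, because the `[\S]*` placed immediately before it can consume the `-F` token: for a line like `-a always,exit -F arch=b32 -S open -F a2&0100 -F exit=-EACCES ...`, `[\S]*` takes `-F`, the lookahead then runs from ` a2&0100 -F exit=...` where `-F\s+a2&` no longer occurs, `[\s]+` takes the following space and the remainder of the pattern matches, so the generic object still matches the O_CREAT-specific rule. The assertion is also positional, so an `-F a2&...` field written before `-S` is never seen at all. Anchoring the assertion at the line start fixes both: `^(?!.*-F\s+a2&amp;)[\s]*-a[\s]+always,exit...` and drop the inserted `[\S]*[\s]*(?!.*-F\s+a2&amp;)[\s]+` fragment. The same change applies to the patterns on lines 1101, 1110, 1119, 1128, 1137, 1146 and 1155.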
 
@@ -60,7 +60,7 @@
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="object_32bit_arufm_eperm_{{{ NAME }}}_augenrules" version="1">
     <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
-    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&amp;)[\s]+(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
@@ -69,7 +69,7 @@
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="object_64bit_arufm_eacces_{{{ NAME }}}_augenrules" version="1">
     <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
-    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&amp;)[\s]+(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
@@ -78,7 +78,7 @@
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="object_64bit_arufm_eperm_{{{ NAME }}}_augenrules" version="1">
     <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
-    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&amp;)[\s]+(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
@@ -87,7 +87,7 @@
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="object_32bit_arufm_eacces_{{{ NAME }}}_auditctl" version="1">
     <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&amp;)[\s]+(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
@@ -96,7 +96,7 @@
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="object_32bit_arufm_eperm_{{{ NAME }}}_auditctl" version="1">
     <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&amp;)[\s]+(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
@@ -105,7 +105,7 @@
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="object_64bit_arufm_eacces_{{{ NAME }}}_auditctl" version="1">
     <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&amp;)[\s]+(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
@@ -114,7 +114,7 @@
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="object_64bit_arufm_eperm_{{{ NAME }}}_auditctl" version="1">
     <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&amp;)[\s]+(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>