From add7cd5c5a99e7b7d546aa0296885d7da1806d5f Mon Sep 17 00:00:00 2001
From: Marek Haicman <mhaicman@redhat.com>
Date: Thu, 22 Feb 2018 22:49:54 +0100
Subject: [PATCH 1/2] Fix kernel module loading and unloading rules

Fixed rule descriptions to make more sense, and fixed the remediation
of the general rule so that it sets auditing of both b32 and b64 syscalls on
64-bit systems.
---
 .../bash/audit_rules_kernel_module_loading.sh      |  10 +-
 .../audit_rules_kernel_module_loading_delete.sh    |   8 +-
 .../bash/audit_rules_kernel_module_loading_init.sh |   8 +-
 shared/xccdf/system/auditing.xml                   | 161 ++++++++++-----------
 4 files changed, 91 insertions(+), 96 deletions(-)

diff --git a/shared/fixes/bash/audit_rules_kernel_module_loading.sh b/shared/fixes/bash/audit_rules_kernel_module_loading.sh
index 12d6dd0181..268da407f7 100644
--- a/shared/fixes/bash/audit_rules_kernel_module_loading.sh
+++ b/shared/fixes/bash/audit_rules_kernel_module_loading.sh
@@ -5,11 +5,11 @@
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system
-# Note: 32-bit kernel modules can't be loaded / unloaded on 64-bit kernel =>
-#       it's not required on a 64-bit system to check also for the presence
-#       of 32-bit's equivalent of the corresponding rule. Therefore for
-#       each system it's enought to check presence of system's native rule form.
-[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b64")
+# Note: 32-bit and 64-bit kernel syscall numbers not always line up =>
+#       it's required on a 64-bit system to check also for the presence
+#       of 32-bit's equivalent of the corresponding rule.
+#       (See `man 7 audit.rules` for details )
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
 
 for ARCH in "${RULE_ARCHS[@]}"
 do
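Review bot: The rewritten comment above the RULE_ARCHS line does not say what the added b32 entry protects against, and its wording is off ("not always line up", a stray space before the closing parenthesis); the same text is added in the audit_rules_kernel_module_loading_delete.sh and audit_rules_kernel_module_loading_init.sh hunks. I would write it as `# Note: on a 64-bit kernel the 32-bit and 64-bit syscall ABIs use different syscall numbers, so a b64 rule alone does not record init_module/delete_module calls made through the 32-bit ABI; both rule forms are needed there (see audit.rules(7)).` The `for` loop that starts on the hunk's last line continues outside the hunk.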
diff --git a/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh b/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh
index 59aadeeef8..131f1a2819 100644
--- a/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh
+++ b/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh
@@ -5,10 +5,10 @@
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system
-# If the system has a 32-bit processor, only the 32-bit rule is needed.
-# If the system has a 64-bit processor, both arch 32 and 64 need to be included in
-# the audit file because it is not possible to know if the computer will be booted
-# in 64 or 32 bit mode or for which architecture a binary is compiled.
+# Note: 32-bit and 64-bit kernel syscall numbers not always line up =>
+#       it's required on a 64-bit system to check also for the presence
+#       of 32-bit's equivalent of the corresponding rule.
+#       (See `man 7 audit.rules` for details )
 [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
 
 for ARCH in "${RULE_ARCHS[@]}"
diff --git a/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh b/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh
index 04b06f9dee..c46a854068 100644
--- a/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh
+++ b/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh
@@ -5,10 +5,10 @@
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system
-# If the system has a 32-bit processor, only the 32-bit rule is needed.
-# If the system has a 64-bit processor, both arch 32 and 64 need to be included in
-# the audit file because it is not possible to know if the computer will be booted
-# in 64 or 32 bit mode or for which architecture a binary is compiled.
+# Note: 32-bit and 64-bit kernel syscall numbers not always line up =>
+#       it's required on a 64-bit system to check also for the presence
+#       of 32-bit's equivalent of the corresponding rule.
+#       (See `man 7 audit.rules` for details )
 [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
 
 for ARCH in "${RULE_ARCHS[@]}"
diff --git a/shared/xccdf/system/auditing.xml b/shared/xccdf/system/auditing.xml
index 85487ee417..b68820fe9b 100644
--- a/shared/xccdf/system/auditing.xml
+++ b/shared/xccdf/system/auditing.xml
@@ -113,7 +113,7 @@ to establish, correlate, and investigate the events leading up to an outage or a
 Ensuring the <tt>auditd</tt> service is active ensures audit records
 generated by the kernel are appropriately recorded.
 <br /><br />
-Additionally, a properly configured audit subsystem ensures that actions of 
+Additionally, a properly configured audit subsystem ensures that actions of
 individual system users can be uniquely traced to those users so they
 can be held accountable for their actions.
 </rationale>
@@ -727,7 +727,7 @@ with limited audit storage capacity.
 </rationale>
 <platform idref="cpe:/a:machine" />
 <ident cce="80541-6"/>
-<oval id="auditd_audispd_configure_remote_server" value="var_audispd_remote_server" /> 
+<oval id="auditd_audispd_configure_remote_server" value="var_audispd_remote_server" />
 <ref disa="1851" nist="" srg="SRG-OS-000342-GPOS-00133" stigid="030300"/>
 </Rule>
 
@@ -3401,42 +3401,40 @@ of what was executed on the system, as well as, for accountability purposes.</ra
 
 <Group id="audit_kernel_module_loading">
 <title>Record Information on Kernel Modules Loading and Unloading</title>
-<description>If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt> program
-to read audit rules during daemon startup (the default), add the following lines to a file
-with suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt> to capture kernel module
-loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-<pre>-w /usr/sbin/insmod -p x -k modules
--w /usr/sbin/rmmod -p x -k modules
--w /usr/sbin/modprobe -p x -k modules
--a always,exit -F arch=<i>ARCH</i> -S init_module,delete_module -F key=modules</pre>
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility to read audit
-rules during daemon startup, add the following lines to <tt>/etc/audit/audit.rules</tt> file
-in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
-b64 as appropriate for your system:
-<pre>-w /usr/sbin/insmod -p x -k modules
+<description>To capture kernel module loading and unloading events, use following lines, setting ARCH to
+either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
+<pre>
+-w /usr/sbin/insmod -p x -k modules
 -w /usr/sbin/rmmod -p x -k modules
 -w /usr/sbin/modprobe -p x -k modules
--a always,exit -F arch=<i>ARCH</i> -S init_module,delete_module -F key=modules</pre>
+-a always,exit -F arch=<i>ARCH</i> -S init_module,delete_module -F key=modules
+</pre>
+
+Place to add the lines depends on a way <tt>auditd</tt> daemon is configured. If it is configured
+to use the <tt>augenrules</tt> program (the default), add the lines to a file with suffix
+<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
+
+If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility,
+add the lines to file <tt>/etc/audit/audit.rules</tt>.
 </description>
 
 <Rule id="audit_rules_kernel_module_loading" severity="medium" prodtype="rhel7">
 <title>Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading</title>
-<description>If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt> program
-to read audit rules during daemon startup (the default), add the following lines to a file
-with suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt> to capture kernel module
-loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-<pre>-w /usr/sbin/insmod -p x -k modules
--w /usr/sbin/rmmod -p x -k modules
--w /usr/sbin/modprobe -p x -k modules
--a always,exit -F arch=<i>ARCH</i> -S init_module -S delete_module -k modules</pre>
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility to read audit
-rules during daemon startup, add the following lines to <tt>/etc/audit/audit.rules</tt> file
-in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
-b64 as appropriate for your system:
-<pre>-w /usr/sbin/insmod -p x -k modules
+<description>To capture kernel module loading and unloading events, use following lines, setting ARCH to
+either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
+<pre>
+-w /usr/sbin/insmod -p x -k modules
 -w /usr/sbin/rmmod -p x -k modules
 -w /usr/sbin/modprobe -p x -k modules
--a always,exit -F arch=<i>ARCH</i> -S init_module -S delete_module -k modules</pre>
+-a always,exit -F arch=<i>ARCH</i> -S init_module,delete_module -F key=modules
+</pre>
+
+Place to add the lines depends on a way <tt>auditd</tt> daemon is configured. If it is configured
+to use the <tt>augenrules</tt> program (the default), add the lines to a file with suffix
+<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
+
+If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility,
+add the lines to file <tt>/etc/audit/audit.rules</tt>.
 </description>
 <ocil>
 <audit-syscall-check-macro syscall="init_module" />
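Review bot: The syscall rule in the new Group and Rule descriptions (`-S init_module,delete_module`) covers only those two syscalls; presumably a load performed through finit_module, which newer module-loading tools may use, would not be recorded by the syscall rule and would only be seen if the watch on the loader binary fires — confirm whether the target kernels expose it and, if so, extend the rule, the OCIL macro and the OVAL together. The phrasing `use following lines, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit` is hard to follow; consider `use the following lines; on a 32-bit system set ARCH to b32, on a 64-bit system add the -a line twice, once with arch=b32 and once with arch=b64`. The same wording is used in the init_module and delete_module hunks below. The multi-line `<pre>` now opens with a line break right after the tag, which renders as an empty first line, while the single-line descriptions keep the old `<pre>-a …` form.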
@@ -3452,22 +3450,22 @@ to have an audit trail of modules that have been introduced into the kernel.</ra
 </Rule>
 
 <Rule id="audit_rules_kernel_module_loading_init" severity="medium" prodtype="rhel7">
-<title>Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading - init_module</title>
-<description>If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt> program
-to read audit rules during daemon startup (the default), add the following lines to a file
-with suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt> to capture kernel module
-loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-<pre>-a always,exit -F arch=<i>ARCH</i> -S init_module -F key=modules</pre>
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility to read audit
-rules during daemon startup, add the following lines to <tt>/etc/audit/audit.rules</tt> file
-in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
-b64 as appropriate for your system:
+<title>Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading - init_module</title>
+<description>To capture kernel module loading events, use following line, setting ARCH to
+either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
 <pre>-a always,exit -F arch=<i>ARCH</i> -S init_module -F key=modules</pre>
+
+Place to add the line depends on a way <tt>auditd</tt> daemon is configured. If it is configured
+to use the <tt>augenrules</tt> program (the default), add the line to a file with suffix
+<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
+
+If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility,
+add the line to file <tt>/etc/audit/audit.rules</tt>.
 </description>
 <ocil>
 <audit-syscall-check-macro syscall="init_module" />
 </ocil>
-<rationale>The addition/removal of kernel modules can be used to alter the behavior of
+<rationale>The addition of kernel modules can be used to alter the behavior of
 the kernel and potentially introduce malicious code into kernel space. It is important
 to have an audit trail of modules that have been introduced into the kernel.</rationale>
 <platform idref="cpe:/a:machine" />
@@ -3478,22 +3476,22 @@ to have an audit trail of modules that have been introduced into the kernel.</ra
 </Rule>
 
 <Rule id="audit_rules_kernel_module_loading_delete" severity="medium" prodtype="rhel7">
-<title>Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading - delete_module</title>
-<description>If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt> program
-to read audit rules during daemon startup (the default), add the following lines to a file
-with suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt> to capture kernel module
-loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-<pre>-a always,exit -F arch=<i>ARCH</i> -S delete_module -F key=modules</pre>
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility to read audit
-rules during daemon startup, add the following lines to <tt>/etc/audit/audit.rules</tt> file
-in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
-b64 as appropriate for your system:
+<title>Ensure <tt>auditd</tt> Collects Information on Kernel Module Unloading - delete_module</title>
+<description>To capture kernel module unloading events, use following line, setting ARCH to
+either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
 <pre>-a always,exit -F arch=<i>ARCH</i> -S delete_module -F key=modules</pre>
+
+Place to add the line depends on a way <tt>auditd</tt> daemon is configured. If it is configured
+to use the <tt>augenrules</tt> program (the default), add the line to a file with suffix
+<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
+
+If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility,
+add the line to file <tt>/etc/audit/audit.rules</tt>.
 </description>
 <ocil>
 <audit-syscall-check-macro syscall="delete_module" />
 </ocil>
-<rationale>The addition/removal of kernel modules can be used to alter the behavior of
+<rationale>The removal of kernel modules can be used to alter the behavior of
 the kernel and potentially introduce malicious code into kernel space. It is important
 to have an audit trail of modules that have been introduced into the kernel.</rationale>
 <platform idref="cpe:/a:machine" />
@@ -3504,23 +3502,22 @@ to have an audit trail of modules that have been introduced into the kernel.</ra
 </Rule>
 
 <Rule id="audit_rules_kernel_module_loading_insmod" severity="medium" prodtype="rhel7">
-<title>Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading - insmod</title>
-<description>If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt> program
-to read audit rules during daemon startup (the default), add the following lines to a file
-with suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt> to capture kernel module
-loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-<pre>-w /usr/sbin/insmod -p x -k modules</pre>
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility to read audit
-rules during daemon startup, add the following lines to <tt>/etc/audit/audit.rules</tt> file
-in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
-b64 as appropriate for your system:
+<title>Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading - insmod</title>
+<description>To capture invocation of insmod, utility used to insert modules into kernel,
+use the following line:
 <pre>-w /usr/sbin/insmod -p x -k modules</pre>
+Place to add the line depends on a way <tt>auditd</tt> daemon is configured. If it is configured
+to use the <tt>augenrules</tt> program (the default), add the line to a file with suffix
+<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
+
+If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility,
+add the line to file <tt>/etc/audit/audit.rules</tt>.
 </description>
 <ocil clause="there is not output">
 To verify that auditing is configured for system administrator actions, run the following command:
 <pre>$ sudo auditctl -l | grep "watch=/usr/sbin/insmod"</pre>
 </ocil>
-<rationale>The addition/removal of kernel modules can be used to alter the behavior of
+<rationale>The addition of kernel modules can be used to alter the behavior of
 the kernel and potentially introduce malicious code into kernel space. It is important
 to have an audit trail of modules that have been introduced into the kernel.</rationale>
 <platform idref="cpe:/a:machine" />
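Review bot: The insmod description runs `</pre>` straight into `Place to add the line…` without the blank line the other rewritten descriptions keep before that paragraph; the rmmod and modprobe hunks below have the same layout, and the three should match the rest. The opening sentence also alternates between `use the following line` (insmod) and `add the following line` (rmmod, modprobe) and drops articles; consider `To capture invocations of insmod, the utility used to insert modules into the kernel, add the following line:` for all three. The OCIL text left in context still describes the check as being for "system administrator actions", which does not fit these watch rules, but that is outside this change.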
@@ -3531,23 +3528,22 @@ to have an audit trail of modules that have been introduced into the kernel.</ra
 </Rule>
 
 <Rule id="audit_rules_kernel_module_loading_rmmod" severity="medium" prodtype="rhel7">
-<title>Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading - rmmod</title>
-<description>If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt> program
-to read audit rules during daemon startup (the default), add the following lines to a file
-with suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt> to capture kernel module
-loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-<pre>-w /usr/sbin/rmmod -p x -k modules</pre>
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility to read audit
-rules during daemon startup, add the following lines to <tt>/etc/audit/audit.rules</tt> file
-in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
-b64 as appropriate for your system:
+<title>Ensure <tt>auditd</tt> Collects Information on Kernel Module Unloading - rmmod</title>
+<description>To capture invocation of rmmod, utility used to remove modules from kernel,
+add the following line:
 <pre>-w /usr/sbin/rmmod -p x -k modules</pre>
+Place to add the line depends on a way <tt>auditd</tt> daemon is configured. If it is configured
+to use the <tt>augenrules</tt> program (the default), add the line to a file with suffix
+<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
+
+If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility,
+add the line to file <tt>/etc/audit/audit.rules</tt>.
 </description>
 <ocil clause="there is not output">
 To verify that auditing is configured for system administrator actions, run the following command:
 <pre>$ sudo auditctl -l | grep "watch=/usr/sbin/rmmod"</pre>
 </ocil>
-<rationale>The addition/removal of kernel modules can be used to alter the behavior of
+<rationale>The removal of kernel modules can be used to alter the behavior of
 the kernel and potentially introduce malicious code into kernel space. It is important
 to have an audit trail of modules that have been introduced into the kernel.</rationale>
 <platform idref="cpe:/a:machine" />
@@ -3559,16 +3555,15 @@ to have an audit trail of modules that have been introduced into the kernel.</ra
 
 <Rule id="audit_rules_kernel_module_loading_modprobe" severity="medium" prodtype="rhel7">
 <title>Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading - modprobe</title>
-<description>If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt> program
-to read audit rules during daemon startup (the default), add the following lines to a file
-with suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt> to capture kernel module
-loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-<pre>-w /usr/sbin/modprobe -p x -k modules</pre>
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility to read audit
-rules during daemon startup, add the following lines to <tt>/etc/audit/audit.rules</tt> file
-in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
-b64 as appropriate for your system:
+<description>To capture invocation of modprobe, utility used to insert / remove modules from kernel,
+add the following line:
 <pre>-w /usr/sbin/modprobe -p x -k modules</pre>
+Place to add the line depends on a way <tt>auditd</tt> daemon is configured. If it is configured
+to use the <tt>augenrules</tt> program (the default), add the line to a file with suffix
+<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
+
+If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility,
+add the line to file <tt>/etc/audit/audit.rules</tt>.
 </description>
 <ocil clause="there is not output">
 To verify that auditing is configured for system administrator actions, run the following command:

From 2a9d3771707c7db41861dbf3ca03c8a455481ba8 Mon Sep 17 00:00:00 2001
From: Marek Haicman <mhaicman@redhat.com>
Date: Thu, 22 Feb 2018 23:13:29 +0100
Subject: [PATCH 2/2] Add basic tests for kernel module loading and unloading
 rules

---
 .../rule_audit_rules_kernel_module_loading/default.fail.sh         | 7 +++++++
 .../rule_audit_rules_kernel_module_loading_delete/default.fail.sh  | 7 +++++++
 .../rule_audit_rules_kernel_module_loading_init/default.fail.sh    | 7 +++++++
 .../rule_audit_rules_kernel_module_loading_insmod/default.fail.sh  | 7 +++++++
 .../default.fail.sh                                                | 7 +++++++
 .../rule_audit_rules_kernel_module_loading_rmmod/default.fail.sh   | 7 +++++++
 6 files changed, 42 insertions(+)
 create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading/default.fail.sh
 create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_delete/default.fail.sh
 create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_init/default.fail.sh
 create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_insmod/default.fail.sh
 create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_modprobe/default.fail.sh
 create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_rmmod/default.fail.sh

diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading/default.fail.sh
new file mode 100644
index 0000000000..48457258e5
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading/default.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_C2S
+# remediation = bash
+
+rm -f /etc/audit/rules.d/*
+> /etc/audit/audit.rules
+true
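Review bot: The scenario only covers an empty rule set, so it does not exercise the case the first patch fixes, namely a 64-bit system that already carries the b64 rule but lacks the b32 one; a second file (constructed name, e.g. `b64_only.fail.sh`) that writes just `-a always,exit -F arch=b64 -S init_module,delete_module -F key=modules` into `/etc/audit/audit.rules` would catch a regression there, and the same applies to the delete and init variants added below. This file selects profile `C2S` while the other five select `ospp-rhel7`; if that is intentional because the rule is not in the same profile, a one-line comment saying so would save the next reader a lookup. The trailing `true` is presumably there to force a zero exit status, but the preceding redirection already exits 0 on success, so a short comment on why it is kept would help.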
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_delete/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_delete/default.fail.sh
new file mode 100644
index 0000000000..12fe012776
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_delete/default.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
+# remediation = bash
+
+rm -f /etc/audit/rules.d/*
+> /etc/audit/audit.rules
+true
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_init/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_init/default.fail.sh
new file mode 100644
index 0000000000..12fe012776
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_init/default.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
+# remediation = bash
+
+rm -f /etc/audit/rules.d/*
+> /etc/audit/audit.rules
+true
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_insmod/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_insmod/default.fail.sh
new file mode 100644
index 0000000000..12fe012776
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_insmod/default.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
+# remediation = bash
+
+rm -f /etc/audit/rules.d/*
+> /etc/audit/audit.rules
+true
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_modprobe/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_modprobe/default.fail.sh
new file mode 100644
index 0000000000..12fe012776
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_modprobe/default.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
+# remediation = bash
+
+rm -f /etc/audit/rules.d/*
+> /etc/audit/audit.rules
+true
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_rmmod/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_rmmod/default.fail.sh
new file mode 100644
index 0000000000..12fe012776
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_rmmod/default.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
+# remediation = bash
+
+rm -f /etc/audit/rules.d/*
+> /etc/audit/audit.rules
+true