diff --git a/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_o_creat.xml b/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_o_creat.xml new file mode 100644 index 0000000000..3eb97c1234 --- /dev/null +++ b/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_o_creat.xml @@ -0,0 +1,200 @@ + + + + Ensure auditd Collects Information on Unsuccesful Creation Attempts to Files - open o_creat + + Red Hat Enterprise Linux 7 + multi_platform_fedora + + Audit rules about the information on the unsuccessful use of open O_CREAT is enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]* + + + [\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + (?:[^.]|\.\s)* + + + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + 
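Review bot: The O_CREAT bitmask is tested on the wrong argument for open(2): its flags are the second argument (a1) and a2 is the mode, so the state patterns `(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)` and the -EPERM twin in this check, and the rules they describe, test mode bits rather than open flags and will not reliably catch failed O_CREAT opens. `a2` is the flags argument only for openat(2), where dirfd shifts the positions. The pattern should read `(?:-F\s+a1&0100)` and the rule text `-F a1&0100`; the same a2 usage appears in the O_TRUNC check (`a2&01003`), the rule-order check, the template hunks' lookahead, and the rule text of all three .rule descriptions in this commit. Only the text nodes of this XML survived rendering, so I could not verify how the regex fragments are concatenated into the final pattern.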
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat.rule new file mode 100644 index 0000000000..c879183de2 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat.rule @@ -0,0 +1,54 @@ +documentation_complete: true + +prodtype: rhel7,fedora + +title: 'Record Unauthorized Creation Attempts to Files (unsuccessful) - open O_CREAT' + + +description: |- + The audit system should collect unauthorized file accesses for + all users and root. The open syscall can be used to create new files + when O_CREAT flag is specified. + The following auidt rules will asure that unsuccessful attempts to create a + file via open syscall are collected. + If the auditd daemon is configured to use the augenrules + program to read audit rules during daemon startup (the default), add the + rules below to a file with suffix .rules in the directory + /etc/audit/rules.d. + If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the rules below to + /etc/audit/audit.rules file. +
+    -a always,exit -F arch=b32 -S open -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+    -a always,exit -F arch=b32 -S open -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+    
+ If the system is 64 bit then also add the following lines: +
+    -a always,exit -F arch=b64 -S open -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+    -a always,exit -F arch=b64 -S open -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+    
+ +rationale: |- + Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing + these events could serve as evidence of potential system compromise. + +severity: medium + +references: + cis: 5.2.10 + cui: 3.1.7 + disa: 172,2884 + hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) + nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5 + ospp@rhel7: FAU_GEN.1.1.c + pcidss: Req-10.2.4,Req-10.2.1 + srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172 + +{{{ complete_ocil_entry_audit_syscall(syscall="open") }}} + +warnings: + - general: |- + Note that these rules can be configured in a + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. diff --git a/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_o_trunc_write.xml b/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_o_trunc_write.xml new file mode 100644 index 0000000000..49540d8d4c --- /dev/null +++ b/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_o_trunc_write.xml 
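Review bot: The audit key in the rule text, `-F key=unsuccesful-create`, is misspelled, and once shipped it becomes the string analysts search for with ausearch/aureport, so renaming later breaks existing searches; spell it `unsuccessful-create` now (the OVAL check accepts any key via `[\S]+`, so the check is unaffected). The description has the same slips (`auidt`, `asure`), and its statement that accesses are collected `for all users and root` does not match the `-F auid>=1000` filter, which excludes root and system accounts. One sentence of caveat is also worth adding: on newer glibc the open() wrapper is issued as the openat syscall, so a rule on `-S open` alone may see few events on Fedora, and a companion rule for openat (where the flags are a2) is needed for coverage; I cannot see from this diff whether such a rule exists elsewhere in the guide.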
@@ -0,0 +1,200 @@ + + + + Ensure auditd Collects Information on Unsuccesful Creation Attempts to Files - open o_trunc + + Red Hat Enterprise Linux 7 + multi_platform_fedora + + Audit rules about the information on the unsuccessful use of open O_TRUNC is enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]* + + + [\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + (?:[^.]|\.\s)* + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write.rule new file mode 100644 index 0000000000..8525b31bb1 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write.rule 
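Review bot: The title `Ensure auditd Collects Information on Unsuccesful Creation Attempts to Files - open o_trunc` appears copied from the O_CREAT check; this check tests `a2&01003` (O_WRONLY|O_RDWR|O_TRUNC), i.e. modification, and its .rule file is titled 'Record Unauthorized Modification Attempts to Files', so it should read `... Unsuccessful Modification Attempts to Files - open o_trunc`. Since `&` in audit field filters is an any-bit test, the mask matches every write-mode open and not only truncation; the description should say 'open for writing or with O_TRUNC' so readers do not expect O_TRUNC-only events. The argument-index issue (a2 vs a1 for open) noted on the O_CREAT check applies here as well.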
@@ -0,0 +1,53 @@ +documentation_complete: true + +prodtype: rhel7,fedora + +title: 'Record Unauthorized Modification Attempts to Files (unsuccessful) - open O_TRUNC' + +description: |- + The audit system should collect detailed unauthorized file accesses for + all users and root. The open syscall can be used to modify files + if called for write operation of with O_TRUNC flag. + The following auidt rules will asure that unsuccessful attempts to modify a + file via open syscall are collected. + If the auditd daemon is configured to use the augenrules + program to read audit rules during daemon startup (the default), add the + rules below to a file with suffix .rules in the directory + /etc/audit/rules.d. + If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the rules below to + /etc/audit/audit.rules file. +
+    -a always,exit -F arch=b32 -S open -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+    -a always,exit -F arch=b32 -S open -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+    
+ If the system is 64 bit then also add the following lines: +
+    -a always,exit -F arch=b64 -S open -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+    -a always,exit -F arch=b64 -S open -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+    
+ +rationale: |- + Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing + these events could serve as evidence of potential system compromise. + +severity: medium + +references: + cis: 5.2.10 + cui: 3.1.7 + disa: 172,2884 + hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) + nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5 + ospp@rhel7: FAU_GEN.1.1.c + pcidss: Req-10.2.4,Req-10.2.1 + srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172 + +{{{ complete_ocil_entry_audit_syscall(syscall="open") }}} + +warnings: + - general: |- + Note that these rules can be configured in a + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. diff --git a/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_rule_order.xml b/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_rule_order.xml new file mode 100644 index 0000000000..780fdf60d4 --- /dev/null +++ b/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_rule_order.xml 
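Review bot: `if called for write operation of with O_TRUNC flag` should read `or with O_TRUNC flag`; `auidt`, `asure` and the key `unsuccesful-modification` carry the same misspellings as the O_CREAT rule and the key should be corrected before first release for the same search-continuity reason. Because `a2&01003` is an any-bit test, the description could state plainly that any open for writing (O_WRONLY or O_RDWR), with or without O_TRUNC, is collected, which also matches the file name o_trunc_write.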
@@ -0,0 +1,474 @@ + + + + Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly + + Red Hat Enterprise Linux 7 + multi_platform_fedora + + Audit rules about the information on the unsuccessful use of open is configured in the proper rule order. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]* + + + [\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + (?:[^.]|\.\s)* + + + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + (?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + (?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + + 
+ + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order.rule new file mode 100644 index 0000000000..60a1b9de12 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order.rule 
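Review bot: The negative lookahead guarding the generic access patterns, `(?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EACCES)` and its -EPERM twin, is placed after the syscall fragment that ends in `[\S]*[\s]*`; if the fragments are concatenated (inferred, since the XML structure was lost in rendering), `[\S]*` can consume the `-F` of `-F a2&0100`, the lookahead then no longer sees `-F a2&`, and the create/modify rules match the generic pattern anyway. The template hunks at @@ -51 through @@ -114 show the full form `...([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]+(?:.*-F\s+exit=...` and are defeated exactly this way by a line such as `-S open -F a2&0100 -F exit=-EACCES ...` with single spaces. Anchor the lookahead where backtracking cannot move it, at the line start, `^(?!.*-F\s+a[0-3]&)[\s]*-a[\s]+always,exit...`, and drop the inserted `[\S]*[\s]*(?!.*-F\s+a2&)[\s]+`; the `a[0-3]` form also survives correcting the open rules to a1.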
@@ -0,0 +1,64 @@ +documentation_complete: true + +prodtype: rhel7,fedora + +title: 'Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly' + +description: |- + The audit system should collect detailed unauthorized file + accesses for all users and root. + To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access + of files via open syscall the audit rules collecting these events need to be in certain order. + The more specific rules need to come before the less specific rules. The reason for that is that more + specific rules cover a subset of events covered in the less specific rules, thus, they need to come + before to not be overshadowed by less specific rules, which match a bigger set of events. + Make sure that rules for unsuccessful calls of open syscall are in the order shown below. + If the auditd daemon is configured to use the augenrules + program to read audit rules during daemon startup (the default), check the order of + rules below in a file with suffix .rules in the directory + /etc/audit/rules.d. + If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, check the order of rules below in + /etc/audit/audit.rules file. +
+    -a always,exit -F arch=b32 -S open -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+    -a always,exit -F arch=b32 -S open -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+    -a always,exit -F arch=b32 -S open -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+    -a always,exit -F arch=b32 -S open -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+    -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
+    -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
+    
+ If the system is 64 bit then also add the following lines: +
+    -a always,exit -F arch=b64 -S open -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+    -a always,exit -F arch=b64 -S open -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+    -a always,exit -F arch=b64 -S open -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+    -a always,exit -F arch=b64 -S open -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+    -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
+    -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
+    
+ +rationale: |- + Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing + these events could serve as evidence of potential system compromise. + +severity: medium + +references: + cis: 5.2.10 + cui: 3.1.7 + disa: 172,2884 + hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) + nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5 + ospp@rhel7: FAU_GEN.1.1.c + pcidss: Req-10.2.4,Req-10.2.1 + srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172 + +{{{ complete_ocil_entry_audit_syscall(syscall="open") }}} + +warnings: + - general: |- + Note that these rules can be configured in a + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification index 555375c757..36e255c28a 100644 --- a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification +++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification @@ -51,7 +51,7 @@ /etc/audit/rules\.d/.*\.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]+(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 
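Review bot: The description explains that specific rules must precede generic ones but not what happens when an event satisfies two specific rules: a failed open with O_CREAT|O_WRONLY (the usual creat pattern) matches both `a2&0100` and `a2&01003`, and under the first-match evaluation the description's own overshadowing argument relies on, it is recorded only under the create key. A sentence such as 'An open that both creates and opens for writing is recorded once, under the create key' would set expectations for anyone searching by key. The keys `unsuccesful-create`, `unsuccesful-modification` and `unsuccesful-access` share the misspelling; correct them before first release so searches need not cover both spellings.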
@@ -60,7 +60,7 @@ /etc/audit/rules\.d/.*\.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]+(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 @@ -69,7 +69,7 @@ /etc/audit/rules\.d/.*\.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]+(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 @@ -78,7 +78,7 @@ /etc/audit/rules\.d/.*\.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]+(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 
@@ -87,7 +87,7 @@ /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]+(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 @@ -96,7 +96,7 @@ /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]+(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 @@ -105,7 +105,7 @@ /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]+(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 
@@ -114,7 +114,7 @@ /etc/audit/audit.rules - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]+(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1