diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat.rule new file mode 100644 index 0000000000..91fcecd155 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat.rule @@ -0,0 +1,55 @@ +documentation_complete: true + +prodtype: rhel7,fedora + +title: 'Record Unauthorized Creation Attempts to Files - open_by_handle_at O_CREAT' + + +description: |- + The audit system should collect unauthorized file accesses for + all users and root. The open_by_handle_at syscall can be used to create new files + when O_CREAT flag is specified. + The following auidt rules will asure that unsuccessful attempts to create a + file via open_by_handle_at syscall are collected. + If the auditd daemon is configured to use the augenrules + program to read audit rules during daemon startup (the default), add the + rules below to a file with suffix .rules in the directory + /etc/audit/rules.d. + If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the rules below to + /etc/audit/audit.rules file. +
+    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+    
+ If the system is 64 bit then also add the following lines: +
+    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+    
+ +rationale: |- + Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing + these events could serve as evidence of potential system compromise. + +severity: medium + +references: + cis: 5.2.10 + cui: 3.1.7 + disa: 172,2884 + hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) + nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5 + ospp@rhel7: FAU_GEN.1.1.c + pcidss: Req-10.2.4,Req-10.2.1 + srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172 + +{{{ complete_ocil_entry_audit_syscall(syscall="open_by_handle_at") }}} + +warnings: + - general: |- + Note that these rules can be configured in a + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping system calls related + to the same event is more efficient. See the following example: +
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
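Review bot: The grouped example on the last line of this hunk, `-S open,openat,open_by_handle_at -F a2&0100`, applies one argument test to three syscalls whose flags argument is not in the same position: for openat(2) and open_by_handle_at(2) the flags are a2, but for open(2) they are a1 (a2 is the mode argument), so a single `a2&0100` rule would not record failed O_CREAT opens made through `open`, and the example is better split into `-S openat,open_by_handle_at -F a2&0100 …` plus `-S open -F a1&0100 …`. The same example is repeated in the O_CREAT hunks for open (the warning change at L39–L40) and openat (L48–L57), and with `a2&01003` in the O_TRUNC hunks at L11–L20, L42–L43 and L58–L67. The deleted OVAL at L38 also tests `a2&0100` for open, so the existing open rule itself likely shares this and deserves the same look. Separately, the description has two typos: `The following auidt rules will asure` should read `The following audit rules will assure`.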
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write.rule new file mode 100644 index 0000000000..06e96678f2 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write.rule @@ -0,0 +1,54 @@ +documentation_complete: true + +prodtype: rhel7,fedora + +title: 'Record Unauthorized Modification Attempts to Files - open_by_handle_at O_TRUNC' + +description: |- + The audit system should collect detailed unauthorized file accesses for + all users and root. The open_by_handle_at syscall can be used to modify files + if called for write operation of with O_TRUNC flag. + The following auidt rules will asure that unsuccessful attempts to modify a + file via open_by_handle_at syscall are collected. + If the auditd daemon is configured to use the augenrules + program to read audit rules during daemon startup (the default), add the + rules below to a file with suffix .rules in the directory + /etc/audit/rules.d. + If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the rules below to + /etc/audit/audit.rules file. +
+    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+    
+ If the system is 64 bit then also add the following lines: +
+    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+    
+ +rationale: |- + Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing + these events could serve as evidence of potential system compromise. + +severity: medium + +references: + cis: 5.2.10 + cui: 3.1.7 + disa: 172,2884 + hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) + nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5 + ospp@rhel7: FAU_GEN.1.1.c + pcidss: Req-10.2.4,Req-10.2.1 + srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172 + +{{{ complete_ocil_entry_audit_syscall(syscall="open_by_handle_at") }}} + +warnings: + - general: |- + Note that these rules can be configured in a + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping system calls related + to the same event is more efficient. See the following example: +
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
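Review bot: The description in this hunk says the syscall can modify files `if called for write operation of with O_TRUNC flag`; the `of` should be `or`, and the same sentence appears in the openat hunk at L58–L67. It would also help the reader to state what the mask tests, since `01003` is explained nowhere: a sentence such as `The mask 01003 covers O_WRONLY (01), O_RDWR (02) and O_TRUNC (01000), so a match means the file was opened for writing or truncation.` fits after the first paragraph. The `auidt`/`asure` typos from the O_CREAT rules are present here as well.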
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order.rule new file mode 100644 index 0000000000..0ecd5fff2f --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order.rule @@ -0,0 +1,58 @@ +documentation_complete: true + +prodtype: rhel7,fedora + +title: 'Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly' + +description: |- + The audit system should collect detailed unauthorized file + accesses for all users and root. + To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access + of files via open_by_handle_at syscall the audit rules collecting these events need to be in certain order. + The more specific rules need to come before the less specific rules. The reason for that is that more + specific rules cover a subset of events covered in the less specific rules, thus, they need to come + before to not be overshadowed by less specific rules, which match a bigger set of events. + Make sure that rules for unsuccessful calls of open_by_handle_at syscall are in the order shown below. + If the auditd daemon is configured to use the augenrules + program to read audit rules during daemon startup (the default), check the order of + rules below in a file with suffix .rules in the directory + /etc/audit/rules.d. + If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, check the order of rules below in + /etc/audit/audit.rules file. +
+    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+    -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
+    -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
+    
+ If the system is 64 bit then also add the following lines: +
+    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+    -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
+    -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
+    
+ +rationale: |- + The more specific rules cover a subset of events covered by the less specific rules. + By ordering them from more specific to less specific, it is assured that the less specific + rule will not catch events better recorded by the more specific rule. + +severity: medium + +references: + cis: 5.2.10 + cui: 3.1.7 + disa: 172,2884 + hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) + nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5 + ospp@rhel7: FAU_GEN.1.1.c + pcidss: Req-10.2.4,Req-10.2.1 + srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172 + +{{{ complete_ocil_entry_audit_syscall(syscall="open_by_handle_at") }}} diff --git a/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_o_creat.xml deleted file mode 100644 index 3eb97c1234..0000000000 --- a/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_o_creat.xml +++ /dev/null 
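Review bot: The ordering requirement in this hunk's description is stated per file (`check the order of rules below in a file with suffix .rules`), but augenrules concatenates the files in /etc/audit/rules.d in sorted filename order before loading, so rules split across several files can be loaded in a different order than they appear in any one of them; a sentence such as `If the rules are spread over several files in /etc/audit/rules.d, note that augenrules merges them in sorted filename order, so the more specific rules must also be placed in an earlier or the same file.` would close that gap. The same wording is used in the openat rule-order hunk at L68–L84, and the existing open rule-order file touched at L47 presumably has it too. The description also hard-codes `auid>=1000` while the OVAL template at L86 uses `{{{ auid }}}`; using the same macro in the text would keep the guidance and the check in step should the threshold differ on a product.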
@@ -1,200 +0,0 @@ - - - - Ensure auditd Collects Information on Unsuccesful Creation Attempts to Files - open o_creat - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - Audit rules about the information on the unsuccessful use of open O_CREAT is enabled. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]* - - - ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]* - - - [\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - - - - - (?:[^.]|\.\s)* - - - - - - - (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) - - - - - - - - - (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) - - - - - - - - - (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) - - - - - - - - - (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) - - - - - - - - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - - - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - - - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - - - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - - - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - - - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - - - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - - - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat.rule index c879183de2..a78f614c8f 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat.rule 
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat.rule @@ -2,7 +2,7 @@ documentation_complete: true prodtype: rhel7,fedora -title: 'Record Unauthorized Creation Attempts to Files (unsuccessful) - open O_CREAT' +title: 'Record Unauthorized Creation Attempts to Files - open O_CREAT' description: |- @@ -50,5 +50,6 @@ warnings: - general: |- Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. + have been placed independent of other system calls. Grouping system calls related + to the same event is more efficient. See the following example: +
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
diff --git a/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_o_trunc_write.xml deleted file mode 100644 index 49540d8d4c..0000000000 --- a/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_o_trunc_write.xml +++ /dev/null @@ -1,200 +0,0 @@ - - - - Ensure auditd Collects Information on Unsuccesful Creation Attempts to Files - open o_trunc - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - Audit rules about the information on the unsuccessful use of open O_TRUNC is enabled. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]* - - - ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]* - - - [\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - - - - - (?:[^.]|\.\s)* - - - - - - - (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) - - - - - - - - - (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) - - - - - - - - - (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) - - - - - - - - - (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) - - - - - - - - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - - - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - - - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - - - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - - - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - - - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - - - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - - - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write.rule index 8525b31bb1..bf5bae97c5 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write.rule +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write.rule @@ -2,7 +2,7 @@ documentation_complete: true prodtype: rhel7,fedora -title: 'Record Unauthorized Modification Attempts to Files (unsuccessful) - open O_TRUNC' +title: 'Record Unauthorized Modification Attempts to Files - open O_TRUNC' description: |- The audit system should collect detailed unauthorized file accesses for @@ -49,5 +49,6 @@ warnings: - general: |- Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. + have been placed independent of other system calls. Grouping system calls related + to the same event is more efficient. See the following example: +
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
diff --git a/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_rule_order.xml deleted file mode 100644 index 780fdf60d4..0000000000 --- a/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_rule_order.xml +++ /dev/null 
@@ -1,474 +0,0 @@ - - - - Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly - - Red Hat Enterprise Linux 7 - multi_platform_fedora - - Audit rules about the information on the unsuccessful use of open is configured in the proper rule order. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]* - - - ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]* - - - [\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - - - - - (?:[^.]|\.\s)* - - - - - - - (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) - - - - - - - (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) - - - - - - - (?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EACCES) - - - - - - - - - (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) - - - - - - - (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) - - - - - - - (?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EPERM) - - - - - - - - - (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) - - - - - - - (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) - - - - - - - (?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EACCES) - - - - - - - - - (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) - - - - - - - (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) - - - - - - - (?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EPERM) - - - - - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - - - - - - - - - - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - - - - - - - - - - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - - - - - - - 
- - - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - - - - - - - - - - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - - - - - - - - - - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - - - - - - - - - - - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - - - - - - - - - - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - - - - - - - - - - - - - - /etc/audit/rules\.d/.*\.rules - - 1 - - - diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order.rule index 60a1b9de12..0c6949e27d 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order.rule +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order.rule 
@@ -39,8 +39,9 @@ description: |- rationale: |- - Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing - these events could serve as evidence of potential system compromise. + The more specific rules cover a subset of events covered by the less specific rules. + By ordering them from more specific to less specific, it is assured that the less specific + rule will not catch events better recorded by the more specific rule. severity: medium @@ -55,10 +56,3 @@ references: srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172 {{{ complete_ocil_entry_audit_syscall(syscall="open") }}} - -warnings: - - general: |- - Note that these rules can be configured in a - number of ways while still achieving the desired effect. Here the system calls - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_creat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_creat.rule new file mode 100644 index 0000000000..7470e2f80d --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_creat.rule 
@@ -0,0 +1,55 @@ +documentation_complete: true + +prodtype: rhel7,fedora + +title: 'Record Unauthorized Creation Attempts to Files - openat O_CREAT' + + +description: |- + The audit system should collect unauthorized file accesses for + all users and root. The openat syscall can be used to create new files + when O_CREAT flag is specified. + The following auidt rules will asure that unsuccessful attempts to create a + file via openat syscall are collected. + If the auditd daemon is configured to use the augenrules + program to read audit rules during daemon startup (the default), add the + rules below to a file with suffix .rules in the directory + /etc/audit/rules.d. + If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the rules below to + /etc/audit/audit.rules file. +
+    -a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+    -a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+    
+ If the system is 64 bit then also add the following lines: +
+    -a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+    -a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+    
+ +rationale: |- + Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing + these events could serve as evidence of potential system compromise. + +severity: medium + +references: + cis: 5.2.10 + cui: 3.1.7 + disa: 172,2884 + hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) + nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5 + ospp@rhel7: FAU_GEN.1.1.c + pcidss: Req-10.2.4,Req-10.2.1 + srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172 + +{{{ complete_ocil_entry_audit_syscall(syscall="openat") }}} + +warnings: + - general: |- + Note that these rules can be configured in a + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping system calls related + to the same event is more efficient. See the following example: +
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_trunc_write.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_trunc_write.rule new file mode 100644 index 0000000000..8ee69927d8 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_trunc_write.rule @@ -0,0 +1,54 @@ +documentation_complete: true + +prodtype: rhel7,fedora + +title: 'Record Unauthorized Modification Attempts to Files - openat O_TRUNC' + +description: |- + The audit system should collect detailed unauthorized file accesses for + all users and root. The openat syscall can be used to modify files + if called for write operation of with O_TRUNC flag. + The following auidt rules will asure that unsuccessful attempts to modify a + file via openat syscall are collected. + If the auditd daemon is configured to use the augenrules + program to read audit rules during daemon startup (the default), add the + rules below to a file with suffix .rules in the directory + /etc/audit/rules.d. + If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the rules below to + /etc/audit/audit.rules file. +
+    -a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+    -a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+    
+ If the system is 64 bit then also add the following lines: +
+    -a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+    -a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+    
+ +rationale: |- + Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing + these events could serve as evidence of potential system compromise. + +severity: medium + +references: + cis: 5.2.10 + cui: 3.1.7 + disa: 172,2884 + hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) + nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5 + ospp@rhel7: FAU_GEN.1.1.c + pcidss: Req-10.2.4,Req-10.2.1 + srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172 + +{{{ complete_ocil_entry_audit_syscall(syscall="openat") }}} + +warnings: + - general: |- + Note that these rules can be configured in a + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping system calls related + to the same event is more efficient. See the following example: +
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_rule_order.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_rule_order.rule new file mode 100644 index 0000000000..d5849a46bf --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_rule_order.rule @@ -0,0 +1,58 @@ +documentation_complete: true + +prodtype: rhel7,fedora + +title: 'Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly' + +description: |- + The audit system should collect detailed unauthorized file + accesses for all users and root. + To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access + of files via openat syscall the audit rules collecting these events need to be in certain order. + The more specific rules need to come before the less specific rules. The reason for that is that more + specific rules cover a subset of events covered in the less specific rules, thus, they need to come + before to not be overshadowed by less specific rules, which match a bigger set of events. + Make sure that rules for unsuccessful calls of openat syscall are in the order shown below. + If the auditd daemon is configured to use the augenrules + program to read audit rules during daemon startup (the default), check the order of + rules below in a file with suffix .rules in the directory + /etc/audit/rules.d. + If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, check the order of rules below in + /etc/audit/audit.rules file. +
+    -a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+    -a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+    -a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+    -a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+    -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
+    -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
+    
+ If the system is 64 bit then also add the following lines: +
+    -a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+    -a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+    -a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+    -a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+    -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
+    -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
+    
+ +rationale: |- + The more specific rules cover a subset of events covered by the less specific rules. + By ordering them from more specific to less specific, it is assured that the less specific + rule will not catch events better recorded by the more specific rule. + +severity: medium + +references: + cis: 5.2.10 + cui: 3.1.7 + disa: 172,2884 + hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) + nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5 + ospp@rhel7: FAU_GEN.1.1.c + pcidss: Req-10.2.4,Req-10.2.1 + srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172 + +{{{ complete_ocil_entry_audit_syscall(syscall="openat") }}} diff --git a/shared/templates/create_audit_rules_unsuccessful_file_modification_detailed.py b/shared/templates/create_audit_rules_unsuccessful_file_modification_detailed.py new file mode 100644 index 0000000000..c14c35a381 --- /dev/null +++ b/shared/templates/create_audit_rules_unsuccessful_file_modification_detailed.py 
@@ -0,0 +1,45 @@
+#!/usr/bin/python2
+
+#
+# create_audit_rules_unsuccessful_file_modification_detailed.py
+# generate template-based checks for unsuccessful file modifications detailed
+# - audit_rules_unsuccessful_file_modification_syscall_o_creat
+# - audit_rules_unsuccessful_file_modification_syscall_o_trunc_write
+# - audit_rules_unsuccessful_file_modification_syscall_rule_order
+
+
+from template_common import FilesGenerator, UnknownTargetError
+
+import re
+
+class ARUFMDetailedGenerator(FilesGenerator):
+ def generate(self, target, args):
+ syscall = re.sub('[-\./]', '_', args[0])
+ if target == "oval":
+ self.file_from_template(
+ "./template_OVAL_audit_rules_unsuccessful_file_modification_o_creat",
+ {
+ "SYSCALL": syscall
+ },
+ "./oval/audit_rules_unsuccessful_file_modification_{0}_o_creat.xml", syscall
+ )
+ self.file_from_template(
+ "./template_OVAL_audit_rules_unsuccessful_file_modification_o_trunc_write",
+ {
+ "SYSCALL": syscall
+ },
+ "./oval/audit_rules_unsuccessful_file_modification_{0}_o_trunc_write.xml", syscall
+ )
+ self.file_from_template(
+ "./template_OVAL_audit_rules_unsuccessful_file_modification_rule_order",
+ {
+ "SYSCALL": syscall
+ },
+ "./oval/audit_rules_unsuccessful_file_modification_{0}_rule_order.xml", syscall
+ )
+ else:
+ raise UnknownTargetError(target)
+
+ def csv_format(self):
+ return("CSV should contains lines of the format: " +
+ "SYSCALL")
diff --git a/shared/templates/csv/audit_rules_unsuccessful_file_modification_detailed.csv b/shared/templates/csv/audit_rules_unsuccessful_file_modification_detailed.csv
new file mode 100644
index 0000000000..97d5c04e14
--- /dev/null
+++ b/shared/templates/csv/audit_rules_unsuccessful_file_modification_detailed.csv
@@ -0,0 +1,7 @@
+# format:
+#
+# - syscall is the syscall to generate detailed rules for
+
+open
+openat
+open_by_handle_at
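Review bot: The syscall sanitisation in generate() only rewrites `-`, `.` and `/` to `_`, yet the result is spliced into OVAL regular expressions and into output file names, so any other character present in a CSV row passes through untouched; a whitelist is the safer shape: `syscall = re.sub(r'[-./]', '_', args[0])` followed by `if not re.match(r'^[A-Za-z0-9_]+$', syscall): raise ValueError("invalid syscall name: %s" % args[0])`. The original pattern `'[-\./]'` is not a raw string, so the `\.` escape is reported as invalid under Python 3; the raw-string form above removes that as well. In csv_format the message should read `CSV should contain lines of the format:`.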
diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_creat b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_creat new file mode 100644 index 0000000000..7f1bf6f68f --- /dev/null +++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_creat @@ -0,0 +1,200 @@ + + + + Ensure auditd Collects Information on Unsuccesful Creation Attempts to Files - {{{ SYSCALL }}} o_creat + + Red Hat Enterprise Linux 7 + multi_platform_fedora + + Audit rules about the information on the unsuccessful use of {{{ SYSCALL }}} O_CREAT is enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]* + + + [\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + (?:[^.]|\.\s)* + + + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + 
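Review bot: This template references `{{{ auid }}}` while generate() in this commit passes only `SYSCALL` into file_from_template; if `auid` is not supplied by the template environment (presumably the product yaml), the `-F auid>=` clause renders empty and the state can never match — worth confirming, and the same applies to the o_trunc_write and rule_order templates. The title contains a typo: `Unsuccesful` should be `Unsuccessful`. The `auid!=(unset|4294967295)` group is capturing here whereas the rule_order template uses `(?:unset|4294967295)`; using the non-capturing form in all three templates keeps them consistent.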
diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_trunc_write b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_trunc_write new file mode 100644 index 0000000000..ce7d3c44c7 --- /dev/null +++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_trunc_write @@ -0,0 +1,200 @@ + + + + Ensure auditd Collects Information on Unsuccesful Creation Attempts to Files - {{{ SYSCALL }}} o_trunc + + Red Hat Enterprise Linux 7 + multi_platform_fedora + + Audit rules about the information on the unsuccessful use of {{{ SYSCALL }}} O_TRUNC is enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]* + + + [\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + (?:[^.]|\.\s)* + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + 
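Review bot: The title and description were carried over from the o_creat template: `Ensure auditd Collects Information on Unsuccesful Creation Attempts to Files - {{{ SYSCALL }}} o_trunc` speaks of creation, but the states in this template match `a2&01003`, i.e. O_WRONLY|O_RDWR|O_TRUNC, which are modification attempts. Suggest `Ensure auditd Collects Information on Unsuccessful Modification Attempts to Files - {{{ SYSCALL }}} o_trunc_write`, and a description that names the write and truncate flags rather than only O_TRUNC, since the mask covers all three.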
diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order new file mode 100644 index 0000000000..66a8ecf249 --- /dev/null +++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order 
@@ -0,0 +1,474 @@ + + + + Ensure auditd Rules For Unauthorized Attempts To {{{ SYSCALL }}} Are Ordered Correctly + + Red Hat Enterprise Linux 7 + multi_platform_fedora + + Audit rules about the information on the unsuccessful use of {{{ SYSCALL }}} is configured in the proper rule order. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]* + + + [\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + (?:[^.]|\.\s)* + + + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + (?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + (?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + /etc/audit/rules\.d/.*\.rules + + 
1 + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + + + + + + + + + + + + + + /etc/audit/rules\.d/.*\.rules + + 1 + + + diff --git a/ssg/build_templates.py b/ssg/build_templates.py index 8c6a18843e..964f6802e3 100644 --- a/ssg/build_templates.py +++ b/ssg/build_templates.py @@ -21,6 +21,7 @@ from create_sysctl import SysctlGenerator from create_audit_rules_dac_modification import AuditRulesDacModificationGenerator from create_audit_rules_unsuccessful_file_modification import AuditRulesUnsuccessfulFileModificationGenerator +from create_audit_rules_unsuccessful_file_modification_detailed import ARUFMDetailedGenerator from create_audit_rules_file_deletion_events import AuditRulesFileDeletionEventsGenerator from create_audit_rules_login_events import AuditRulesLoginEventsGenerator from create_audit_rules_privileged_commands import AuditRulesPrivilegedCommandsGenerator 
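Review bot: The description `Audit rules about the information on the unsuccessful use of {{{ SYSCALL }}} is configured in the proper rule order` should read `are configured`. The order this check enforces is only explained in the .rule rationale earlier in the commit; a one-line comment at the top of this template stating the expected sequence (the `a2&0100` O_CREAT rules, then the `a2&01003` write/truncate rules, then the unfiltered access rules, matching the rule text in this commit) would spare maintainers reverse-engineering a 474-line OVAL definition. The generic access rule is recognised with the negative lookahead `(?!.*-F\s+a2&)`, which only inspects text from the point where it is anchored; if that anchor sits after the arch/syscall prefix it assumes an `a2` filter never precedes `-S`, and that assumption deserves a comment if it is intentional.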
@@ -64,10 +65,12 @@ def __init__(self, env_yaml):
 "selinux_booleans.csv": SEBoolGenerator(),
 "audit_rules_dac_modification.csv": AuditRulesDacModificationGenerator(),
 "audit_rules_unsuccessful_file_modification.csv": AuditRulesUnsuccessfulFileModificationGenerator(),
+ "audit_rules_unsuccessful_file_modification_detailed.csv": ARUFMDetailedGenerator(),
 "audit_rules_file_deletion_events.csv": AuditRulesFileDeletionEventsGenerator(),
 "audit_rules_login_events.csv": AuditRulesLoginEventsGenerator(),
 "audit_rules_privileged_commands.csv": AuditRulesPrivilegedCommandsGenerator(),
 "audit_rules_usergroup_modification.csv": AuditRulesUserGroupModificationGenerator(),
+ "audit_rules_usergroup_modification.csv": AuditRulesUserGroupModificationGenerator(),
 "audit_rules_execution.csv": AuditRulesExecutionGenerator(),
 }
 self.langs = TEMPLATED_LANGUAGES
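Review bot: The second added line re-adds `"audit_rules_usergroup_modification.csv": AuditRulesUserGroupModificationGenerator(),`, which already appears as the context line directly above it; in a dict literal the duplicate key silently overwrites the first entry and constructs a second generator instance for nothing, so the line should be dropped. It looks like a rebase artefact — the first addition, the `_detailed` entry, is what the commit intends. The enclosing `__init__` continues outside the hunk.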