|
|
28bffe |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat.rule
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..91fcecd155
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat.rule
|
|
|
28bffe |
@@ -0,0 +1,55 @@
|
|
|
28bffe |
+documentation_complete: true
|
|
|
28bffe |
+
|
|
|
28bffe |
+prodtype: rhel7,fedora
|
|
|
28bffe |
+
|
|
|
28bffe |
+title: 'Record Unauthorized Creation Attempts to Files - open_by_handle_at O_CREAT'
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+description: |-
|
|
|
28bffe |
+ The audit system should collect unauthorized file accesses for
|
|
|
28bffe |
+ all users and root. The <tt>open_by_handle_at</tt> syscall can be used to create new files
|
|
|
28bffe |
+ when O_CREAT flag is specified.
|
|
|
28bffe |
+ The following auidt rules will asure that unsuccessful attempts to create a
|
|
|
28bffe |
+ file via <tt>open_by_handle_at</tt> syscall are collected.
|
|
|
28bffe |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt>
|
|
|
28bffe |
+ program to read audit rules during daemon startup (the default), add the
|
|
|
28bffe |
+ rules below to a file with suffix <tt>.rules</tt> in the directory
|
|
|
28bffe |
+ <tt>/etc/audit/rules.d</tt>.
|
|
|
28bffe |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
28bffe |
+ utility to read audit rules during daemon startup, add the rules below to
|
|
|
28bffe |
+ <tt>/etc/audit/audit.rules</tt> file.
|
|
|
28bffe |
+
|
|
|
28bffe |
+ -a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
|
|
|
28bffe |
+ -a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
|
|
|
28bffe |
+
|
|
|
28bffe |
+ If the system is 64 bit then also add the following lines:
|
|
|
28bffe |
+
|
|
|
28bffe |
+ -a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
|
|
|
28bffe |
+ -a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+rationale: |-
|
|
|
28bffe |
+ Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
|
|
|
28bffe |
+ these events could serve as evidence of potential system compromise.
|
|
|
28bffe |
+
|
|
|
28bffe |
+severity: medium
|
|
|
28bffe |
+
|
|
|
28bffe |
+references:
|
|
|
28bffe |
+ cis: 5.2.10
|
|
|
28bffe |
+ cui: 3.1.7
|
|
|
28bffe |
+ disa: 172,2884
|
|
|
28bffe |
+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
|
|
|
28bffe |
+ nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
|
|
|
28bffe |
+ ospp@rhel7: FAU_GEN.1.1.c
|
|
|
28bffe |
+ pcidss: Req-10.2.4,Req-10.2.1
|
|
|
28bffe |
+ srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172
|
|
|
28bffe |
+
|
|
|
28bffe |
+{{{ complete_ocil_entry_audit_syscall(syscall="open_by_handle_at") }}}
|
|
|
28bffe |
+
|
|
|
28bffe |
+warnings:
|
|
|
28bffe |
+ - general: |-
|
|
|
28bffe |
+ Note that these rules can be configured in a
|
|
|
28bffe |
+ number of ways while still achieving the desired effect. Here the system calls
|
|
|
28bffe |
+ have been placed independent of other system calls. Grouping system calls related
|
|
|
28bffe |
+ to the same event is more efficient. See the following example:
|
|
|
28bffe |
+ -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
|
|
|
28bffe |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write.rule
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..06e96678f2
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write.rule
|
|
|
28bffe |
@@ -0,0 +1,54 @@
|
|
|
28bffe |
+documentation_complete: true
|
|
|
28bffe |
+
|
|
|
28bffe |
+prodtype: rhel7,fedora
|
|
|
28bffe |
+
|
|
|
28bffe |
+title: 'Record Unauthorized Modification Attempts to Files - open_by_handle_at O_TRUNC'
|
|
|
28bffe |
+
|
|
|
28bffe |
+description: |-
|
|
|
28bffe |
+ The audit system should collect detailed unauthorized file accesses for
|
|
|
28bffe |
+ all users and root. The <tt>open_by_handle_at</tt> syscall can be used to modify files
|
|
|
28bffe |
+ if called for write operation of with O_TRUNC flag.
|
|
|
28bffe |
+ The following auidt rules will asure that unsuccessful attempts to modify a
|
|
|
28bffe |
+ file via <tt>open_by_handle_at</tt> syscall are collected.
|
|
|
28bffe |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt>
|
|
|
28bffe |
+ program to read audit rules during daemon startup (the default), add the
|
|
|
28bffe |
+ rules below to a file with suffix <tt>.rules</tt> in the directory
|
|
|
28bffe |
+ <tt>/etc/audit/rules.d</tt>.
|
|
|
28bffe |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
28bffe |
+ utility to read audit rules during daemon startup, add the rules below to
|
|
|
28bffe |
+ <tt>/etc/audit/audit.rules</tt> file.
|
|
|
28bffe |
+
|
|
|
28bffe |
+ -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
|
|
|
28bffe |
+ -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
|
|
|
28bffe |
+
|
|
|
28bffe |
+ If the system is 64 bit then also add the following lines:
|
|
|
28bffe |
+
|
|
|
28bffe |
+ -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
|
|
|
28bffe |
+ -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+rationale: |-
|
|
|
28bffe |
+ Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
|
|
|
28bffe |
+ these events could serve as evidence of potential system compromise.
|
|
|
28bffe |
+
|
|
|
28bffe |
+severity: medium
|
|
|
28bffe |
+
|
|
|
28bffe |
+references:
|
|
|
28bffe |
+ cis: 5.2.10
|
|
|
28bffe |
+ cui: 3.1.7
|
|
|
28bffe |
+ disa: 172,2884
|
|
|
28bffe |
+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
|
|
|
28bffe |
+ nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
|
|
|
28bffe |
+ ospp@rhel7: FAU_GEN.1.1.c
|
|
|
28bffe |
+ pcidss: Req-10.2.4,Req-10.2.1
|
|
|
28bffe |
+ srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172
|
|
|
28bffe |
+
|
|
|
28bffe |
+{{{ complete_ocil_entry_audit_syscall(syscall="open_by_handle_at") }}}
|
|
|
28bffe |
+
|
|
|
28bffe |
+warnings:
|
|
|
28bffe |
+ - general: |-
|
|
|
28bffe |
+ Note that these rules can be configured in a
|
|
|
28bffe |
+ number of ways while still achieving the desired effect. Here the system calls
|
|
|
28bffe |
+ have been placed independent of other system calls. Grouping system calls related
|
|
|
28bffe |
+ to the same event is more efficient. See the following example:
|
|
|
28bffe |
+ -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
|
|
|
28bffe |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order.rule
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..0ecd5fff2f
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order.rule
|
|
|
28bffe |
@@ -0,0 +1,58 @@
|
|
|
28bffe |
+documentation_complete: true
|
|
|
28bffe |
+
|
|
|
28bffe |
+prodtype: rhel7,fedora
|
|
|
28bffe |
+
|
|
|
28bffe |
+title: 'Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly'
|
|
|
28bffe |
+
|
|
|
28bffe |
+description: |-
|
|
|
28bffe |
+ The audit system should collect detailed unauthorized file
|
|
|
28bffe |
+ accesses for all users and root.
|
|
|
28bffe |
+ To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access
|
|
|
28bffe |
+ of files via <tt>open_by_handle_at</tt> syscall the audit rules collecting these events need to be in certain order.
|
|
|
28bffe |
+ The more specific rules need to come before the less specific rules. The reason for that is that more
|
|
|
28bffe |
+ specific rules cover a subset of events covered in the less specific rules, thus, they need to come
|
|
|
28bffe |
+ before to not be overshadowed by less specific rules, which match a bigger set of events.
|
|
|
28bffe |
+ Make sure that rules for unsuccessful calls of <tt>open_by_handle_at</tt> syscall are in the order shown below.
|
|
|
28bffe |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt>
|
|
|
28bffe |
+ program to read audit rules during daemon startup (the default), check the order of
|
|
|
28bffe |
+ rules below in a file with suffix <tt>.rules</tt> in the directory
|
|
|
28bffe |
+ <tt>/etc/audit/rules.d</tt>.
|
|
|
28bffe |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
28bffe |
+ utility to read audit rules during daemon startup, check the order of rules below in
|
|
|
28bffe |
+ <tt>/etc/audit/audit.rules</tt> file.
|
|
|
28bffe |
+
|
|
|
28bffe |
+ -a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
|
|
|
28bffe |
+ -a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
|
|
|
28bffe |
+ -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
|
|
|
28bffe |
+ -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
|
|
|
28bffe |
+ -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
|
|
|
28bffe |
+ -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
|
|
|
28bffe |
+
|
|
|
28bffe |
+ If the system is 64 bit then also add the following lines:
|
|
|
28bffe |
+
|
|
|
28bffe |
+ -a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
|
|
|
28bffe |
+ -a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
|
|
|
28bffe |
+ -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
|
|
|
28bffe |
+ -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
|
|
|
28bffe |
+ -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
|
|
|
28bffe |
+ -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+rationale: |-
|
|
|
28bffe |
+ The more specific rules cover a subset of events covered by the less specific rules.
|
|
|
28bffe |
+ By ordering them from more specific to less specific, it is assured that the less specific
|
|
|
28bffe |
+ rule will not catch events better recorded by the more specific rule.
|
|
|
28bffe |
+
|
|
|
28bffe |
+severity: medium
|
|
|
28bffe |
+
|
|
|
28bffe |
+references:
|
|
|
28bffe |
+ cis: 5.2.10
|
|
|
28bffe |
+ cui: 3.1.7
|
|
|
28bffe |
+ disa: 172,2884
|
|
|
28bffe |
+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
|
|
|
28bffe |
+ nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
|
|
|
28bffe |
+ ospp@rhel7: FAU_GEN.1.1.c
|
|
|
28bffe |
+ pcidss: Req-10.2.4,Req-10.2.1
|
|
|
28bffe |
+ srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172
|
|
|
28bffe |
+
|
|
|
28bffe |
+{{{ complete_ocil_entry_audit_syscall(syscall="open_by_handle_at") }}}
|
|
|
28bffe |
diff --git a/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_o_creat.xml
|
|
|
28bffe |
deleted file mode 100644
|
|
|
28bffe |
index 3eb97c1234..0000000000
|
|
|
28bffe |
--- a/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_o_creat.xml
|
|
|
28bffe |
+++ /dev/null
|
|
|
28bffe |
@@ -1,200 +0,0 @@
|
|
|
28bffe |
-<def-group>
|
|
|
28bffe |
- <definition class="compliance" id="audit_rules_unsuccessful_file_modification_open_o_creat" version="1">
|
|
|
28bffe |
- <metadata>
|
|
|
28bffe |
- <title>Ensure auditd Collects Information on Unsuccesful Creation Attempts to Files - open o_creat</title>
|
|
|
28bffe |
- <affected family="unix">
|
|
|
28bffe |
- <platform>Red Hat Enterprise Linux 7</platform>
|
|
|
28bffe |
- <platform>multi_platform_fedora</platform>
|
|
|
28bffe |
- </affected>
|
|
|
28bffe |
- <description>Audit rules about the information on the unsuccessful use of open O_CREAT is enabled.</description>
|
|
|
28bffe |
- </metadata>
|
|
|
28bffe |
-
|
|
|
28bffe |
- <criteria operator="OR">
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- <criteria operator="AND">
|
|
|
28bffe |
- <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
|
|
|
28bffe |
- <criterion comment="Verify audit rule open 32bit a2&0100 eacces augenrules exists" test_ref="test_arufm_open_o_creat_32bit_a20100_eacces_augenrules" />
|
|
|
28bffe |
- <criterion comment="Verify audit rule open 32bit a2&0100 eperm augenrules exists" test_ref="test_arufm_open_o_creat_32bit_a20100_eperm_augenrules" />
|
|
|
28bffe |
-
|
|
|
28bffe |
- <criteria operator="OR">
|
|
|
28bffe |
-
|
|
|
28bffe |
- <extend_definition comment="64-bit system" definition_ref="system_info_architecture_64bit" negate="true" />
|
|
|
28bffe |
-
|
|
|
28bffe |
- <criteria operator="AND">
|
|
|
28bffe |
- <criterion comment="Verify audit rule open 64bit a2&0100 eacces augenrules exists" test_ref="test_arufm_open_o_creat_64bit_a20100_eacces_augenrules" />
|
|
|
28bffe |
- <criterion comment="Verify audit rule open 64bit a2&0100 eperm augenrules exists" test_ref="test_arufm_open_o_creat_64bit_a20100_eperm_augenrules" />
|
|
|
28bffe |
- </criteria>
|
|
|
28bffe |
- </criteria>
|
|
|
28bffe |
- </criteria>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- <criteria operator="AND">
|
|
|
28bffe |
- <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
|
|
|
28bffe |
- <criterion comment="Verify audit rule open 32bit a2&0100 eacces auditctl exists" test_ref="test_arufm_open_o_creat_32bit_a20100_eacces_auditctl" />
|
|
|
28bffe |
- <criterion comment="Verify audit rule open 32bit a2&0100 eperm auditctl exists" test_ref="test_arufm_open_o_creat_32bit_a20100_eperm_auditctl" />
|
|
|
28bffe |
-
|
|
|
28bffe |
- <criteria operator="OR">
|
|
|
28bffe |
-
|
|
|
28bffe |
- <extend_definition comment="64-bit_system" definition_ref="system_info_architecture_64bit" negate="true" />
|
|
|
28bffe |
-
|
|
|
28bffe |
- <criteria operator="AND">
|
|
|
28bffe |
- <criterion comment="Verify audit rule open 64bit a2&0100 eacces auditctl exists" test_ref="test_arufm_open_o_creat_64bit_a20100_eacces_auditctl" />
|
|
|
28bffe |
- <criterion comment="Verify audit rule open 64bit a2&0100 eperm auditctl exists" test_ref="test_arufm_open_o_creat_64bit_a20100_eperm_auditctl" />
|
|
|
28bffe |
-
|
|
|
28bffe |
- </criteria>
|
|
|
28bffe |
- </criteria>
|
|
|
28bffe |
- </criteria>
|
|
|
28bffe |
-
|
|
|
28bffe |
- </criteria>
|
|
|
28bffe |
- </definition>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- <constant_variable id="var_audit_rule_open_o_creat_32bit_head" version="1" datatype="string" comment="audit rule arch and syscal">
|
|
|
28bffe |
- <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]*</value>
|
|
|
28bffe |
- </constant_variable>
|
|
|
28bffe |
- <constant_variable id="var_audit_rule_open_o_creat_64bit_head" version="1" datatype="string" comment="audit rule arch and syscal">
|
|
|
28bffe |
- <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]*</value>
|
|
|
28bffe |
- </constant_variable>
|
|
|
28bffe |
- <constant_variable id="var_audit_rule_open_o_creat_tail" version="1" datatype="string" comment="audit rule auid and key">
|
|
|
28bffe |
- <value>[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>
|
|
|
28bffe |
- </constant_variable>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- <constant_variable id="var_audit_rule_open_o_creat_separator_regex" version="1" datatype="string" comment="audit rule auid and key">
|
|
|
28bffe |
- <value>(?:[^.]|\.\s)*</value>
|
|
|
28bffe |
- </constant_variable>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- <local_variable id="var_audit_rule_open_o_creat_32bit_a20100_eacces_regex" version="1" datatype="string" comment="Expression to match 32bit open O_CREAT EACCES syscall">
|
|
|
28bffe |
- <concat>
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_o_creat_32bit_head" />
|
|
|
28bffe |
- <literal_component>(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_o_creat_tail" />
|
|
|
28bffe |
- </concat>
|
|
|
28bffe |
- </local_variable>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- <local_variable id="var_audit_rule_open_o_creat_32bit_a20100_eperm_regex" version="1" datatype="string" comment="Expression to match 32bit open O_CREAT EPERM syscall">
|
|
|
28bffe |
- <concat>
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_o_creat_32bit_head" />
|
|
|
28bffe |
- <literal_component>(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_o_creat_tail" />
|
|
|
28bffe |
- </concat>
|
|
|
28bffe |
- </local_variable>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- <local_variable id="var_audit_rule_open_o_creat_64bit_a20100_eacces_regex" version="1" datatype="string" comment="Expression to match 64bit open O_CREAT EACCES syscall">
|
|
|
28bffe |
- <concat>
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_o_creat_64bit_head" />
|
|
|
28bffe |
- <literal_component>(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_o_creat_tail" />
|
|
|
28bffe |
- </concat>
|
|
|
28bffe |
- </local_variable>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- <local_variable id="var_audit_rule_open_o_creat_64bit_a20100_eperm_regex" version="1" datatype="string" comment="Expression to match 32bit open O_CREAT EPERM syscall">
|
|
|
28bffe |
- <concat>
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_o_creat_64bit_head" />
|
|
|
28bffe |
- <literal_component>(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_o_creat_tail" />
|
|
|
28bffe |
- </concat>
|
|
|
28bffe |
- </local_variable>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- comment="defined audit rule must exist" id="test_arufm_open_o_creat_32bit_a20100_eacces_augenrules" version="1">
|
|
|
28bffe |
- <ind:object object_ref="object_arufm_open_o_creat_32bit_a20100_eacces_augenrules" />
|
|
|
28bffe |
- </ind:textfilecontent54_test>
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_o_creat_32bit_a20100_eacces_augenrules" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_creat_32bit_a20100_eacces_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- comment="defined audit rule must exist" id="test_arufm_open_o_creat_32bit_a20100_eperm_augenrules" version="1">
|
|
|
28bffe |
- <ind:object object_ref="object_arufm_open_o_creat_32bit_a20100_eperm_augenrules" />
|
|
|
28bffe |
- </ind:textfilecontent54_test>
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_o_creat_32bit_a20100_eperm_augenrules" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_creat_32bit_a20100_eperm_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- comment="defined audit rule must exist" id="test_arufm_open_o_creat_64bit_a20100_eacces_augenrules" version="1">
|
|
|
28bffe |
- <ind:object object_ref="object_arufm_open_o_creat_64bit_a20100_eacces_augenrules" />
|
|
|
28bffe |
- </ind:textfilecontent54_test>
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_o_creat_64bit_a20100_eacces_augenrules" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_creat_64bit_a20100_eacces_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- comment="defined audit rule must exist" id="test_arufm_open_o_creat_64bit_a20100_eperm_augenrules" version="1">
|
|
|
28bffe |
- <ind:object object_ref="object_arufm_open_o_creat_64bit_a20100_eperm_augenrules" />
|
|
|
28bffe |
- </ind:textfilecontent54_test>
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_o_creat_64bit_a20100_eperm_augenrules" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_creat_64bit_a20100_eperm_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- comment="defined audit rule must exist" id="test_arufm_open_o_creat_32bit_a20100_eacces_auditctl" version="1">
|
|
|
28bffe |
- <ind:object object_ref="object_arufm_open_o_creat_32bit_a20100_eacces_auditctl" />
|
|
|
28bffe |
- </ind:textfilecontent54_test>
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_o_creat_32bit_a20100_eacces_auditctl" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_creat_32bit_a20100_eacces_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- comment="defined audit rule must exist" id="test_arufm_open_o_creat_32bit_a20100_eperm_auditctl" version="1">
|
|
|
28bffe |
- <ind:object object_ref="object_arufm_open_o_creat_32bit_a20100_eperm_auditctl" />
|
|
|
28bffe |
- </ind:textfilecontent54_test>
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_o_creat_32bit_a20100_eperm_auditctl" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_creat_32bit_a20100_eperm_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- comment="defined audit rule must exist" id="test_arufm_open_o_creat_64bit_a20100_eacces_auditctl" version="1">
|
|
|
28bffe |
- <ind:object object_ref="object_arufm_open_o_creat_64bit_a20100_eacces_auditctl" />
|
|
|
28bffe |
- </ind:textfilecontent54_test>
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_o_creat_64bit_a20100_eacces_auditctl" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_creat_64bit_a20100_eacces_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- comment="defined audit rule must exist" id="test_arufm_open_o_creat_64bit_a20100_eperm_auditctl" version="1">
|
|
|
28bffe |
- <ind:object object_ref="object_arufm_open_o_creat_64bit_a20100_eperm_auditctl" />
|
|
|
28bffe |
- </ind:textfilecontent54_test>
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_o_creat_64bit_a20100_eperm_auditctl" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_creat_64bit_a20100_eperm_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
-</def-group>
|
|
|
28bffe |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat.rule
|
|
|
28bffe |
index c879183de2..a78f614c8f 100644
|
|
|
28bffe |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat.rule
|
|
|
28bffe |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat.rule
|
|
|
28bffe |
@@ -2,7 +2,7 @@ documentation_complete: true
|
|
|
28bffe |
|
|
|
28bffe |
prodtype: rhel7,fedora
|
|
|
28bffe |
|
|
|
28bffe |
-title: 'Record Unauthorized Creation Attempts to Files (unsuccessful) - open O_CREAT'
|
|
|
28bffe |
+title: 'Record Unauthorized Creation Attempts to Files - open O_CREAT'
|
|
|
28bffe |
|
|
|
28bffe |
|
|
|
28bffe |
description: |-
|
|
|
28bffe |
@@ -50,5 +50,6 @@ warnings:
|
|
|
28bffe |
- general: |-
|
|
|
28bffe |
Note that these rules can be configured in a
|
|
|
28bffe |
number of ways while still achieving the desired effect. Here the system calls
|
|
|
28bffe |
- have been placed independent of other system calls. Grouping these system
|
|
|
28bffe |
- calls with others as identifying earlier in this guide is more efficient.
|
|
|
28bffe |
+ have been placed independent of other system calls. Grouping system calls related
|
|
|
28bffe |
+ to the same event is more efficient. See the following example:
|
|
|
28bffe |
+ -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
|
|
|
28bffe |
diff --git a/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_o_trunc_write.xml
|
|
|
28bffe |
deleted file mode 100644
|
|
|
28bffe |
index 49540d8d4c..0000000000
|
|
|
28bffe |
--- a/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_o_trunc_write.xml
|
|
|
28bffe |
+++ /dev/null
|
|
|
28bffe |
@@ -1,200 +0,0 @@
|
|
|
28bffe |
-<def-group>
|
|
|
28bffe |
- <definition class="compliance" id="audit_rules_unsuccessful_file_modification_open_o_trunc_write" version="1">
|
|
|
28bffe |
- <metadata>
|
|
|
28bffe |
- <title>Ensure auditd Collects Information on Unsuccesful Creation Attempts to Files - open o_trunc</title>
|
|
|
28bffe |
- <affected family="unix">
|
|
|
28bffe |
- <platform>Red Hat Enterprise Linux 7</platform>
|
|
|
28bffe |
- <platform>multi_platform_fedora</platform>
|
|
|
28bffe |
- </affected>
|
|
|
28bffe |
- <description>Audit rules about the information on the unsuccessful use of open O_TRUNC is enabled.</description>
|
|
|
28bffe |
- </metadata>
|
|
|
28bffe |
-
|
|
|
28bffe |
- <criteria operator="OR">
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- <criteria operator="AND">
|
|
|
28bffe |
- <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
|
|
|
28bffe |
- <criterion comment="Verify audit rule open 32bit a2&01003 eacces augenrules exists" test_ref="test_arufm_open_o_trunc_32bit_a201003_eacces_augenrules" />
|
|
|
28bffe |
- <criterion comment="Verify audit rule open 32bit a2&01003 eperm augenrules exists" test_ref="test_arufm_open_o_trunc_32bit_a201003_eperm_augenrules" />
|
|
|
28bffe |
-
|
|
|
28bffe |
- <criteria operator="OR">
|
|
|
28bffe |
-
|
|
|
28bffe |
- <extend_definition comment="64-bit system" definition_ref="system_info_architecture_64bit" negate="true" />
|
|
|
28bffe |
-
|
|
|
28bffe |
- <criteria operator="AND">
|
|
|
28bffe |
- <criterion comment="Verify audit rule open 64bit a2&01003 eacces augenrules exists" test_ref="test_arufm_open_o_trunc_64bit_a201003_eacces_augenrules" />
|
|
|
28bffe |
- <criterion comment="Verify audit rule open 64bit a2&01003 eperm augenrules exists" test_ref="test_arufm_open_o_trunc_64bit_a201003_eperm_augenrules" />
|
|
|
28bffe |
- </criteria>
|
|
|
28bffe |
- </criteria>
|
|
|
28bffe |
- </criteria>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- <criteria operator="AND">
|
|
|
28bffe |
- <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
|
|
|
28bffe |
- <criterion comment="Verify audit rule open 32bit a2&01003 eacces auditctl exists" test_ref="test_arufm_open_o_trunc_32bit_a201003_eacces_auditctl" />
|
|
|
28bffe |
- <criterion comment="Verify audit rule open 32bit a2&01003 eperm auditctl exists" test_ref="test_arufm_open_o_trunc_32bit_a201003_eperm_auditctl" />
|
|
|
28bffe |
-
|
|
|
28bffe |
- <criteria operator="OR">
|
|
|
28bffe |
-
|
|
|
28bffe |
- <extend_definition comment="64-bit_system" definition_ref="system_info_architecture_64bit" negate="true" />
|
|
|
28bffe |
-
|
|
|
28bffe |
- <criteria operator="AND">
|
|
|
28bffe |
- <criterion comment="Verify audit rule open 64bit a2&01003 eacces auditctl exists" test_ref="test_arufm_open_o_trunc_64bit_a201003_eacces_auditctl" />
|
|
|
28bffe |
- <criterion comment="Verify audit rule open 64bit a2&01003 eperm auditctl exists" test_ref="test_arufm_open_o_trunc_64bit_a201003_eperm_auditctl" />
|
|
|
28bffe |
-
|
|
|
28bffe |
- </criteria>
|
|
|
28bffe |
- </criteria>
|
|
|
28bffe |
- </criteria>
|
|
|
28bffe |
-
|
|
|
28bffe |
- </criteria>
|
|
|
28bffe |
- </definition>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- <constant_variable id="var_audit_rule_open_o_trunc_32bit_head" version="1" datatype="string" comment="audit rule arch and syscal">
|
|
|
28bffe |
- <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]*</value>
|
|
|
28bffe |
- </constant_variable>
|
|
|
28bffe |
- <constant_variable id="var_audit_rule_open_o_trunc_64bit_head" version="1" datatype="string" comment="audit rule arch and syscal">
|
|
|
28bffe |
- <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]*</value>
|
|
|
28bffe |
- </constant_variable>
|
|
|
28bffe |
- <constant_variable id="var_audit_rule_open_o_trunc_tail" version="1" datatype="string" comment="audit rule auid and key">
|
|
|
28bffe |
- <value>[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>
|
|
|
28bffe |
- </constant_variable>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- <constant_variable id="var_audit_rule_open_o_trunc_separator_regex" version="1" datatype="string" comment="audit rule auid and key">
|
|
|
28bffe |
- <value>(?:[^.]|\.\s)*</value>
|
|
|
28bffe |
- </constant_variable>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- <local_variable id="var_audit_rule_open_o_trunc_32bit_a201003_eacces_regex" version="1" datatype="string" comment="Expression to match 32bit open O_TRUNC EACCES syscall">
|
|
|
28bffe |
- <concat>
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_o_trunc_32bit_head" />
|
|
|
28bffe |
- <literal_component>(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_o_trunc_tail" />
|
|
|
28bffe |
- </concat>
|
|
|
28bffe |
- </local_variable>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- <local_variable id="var_audit_rule_open_o_trunc_32bit_a201003_eperm_regex" version="1" datatype="string" comment="Expression to match 32bit open O_TRUNC EPERM EACCES syscall">
|
|
|
28bffe |
- <concat>
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_o_trunc_32bit_head" />
|
|
|
28bffe |
- <literal_component>(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_o_trunc_tail" />
|
|
|
28bffe |
- </concat>
|
|
|
28bffe |
- </local_variable>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- <local_variable id="var_audit_rule_open_o_trunc_64bit_a201003_eacces_regex" version="1" datatype="string" comment="Expression to match 64bit open O_TRUNC EACCES syscall">
|
|
|
28bffe |
- <concat>
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_o_trunc_64bit_head" />
|
|
|
28bffe |
- <literal_component>(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_o_trunc_tail" />
|
|
|
28bffe |
- </concat>
|
|
|
28bffe |
- </local_variable>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- <local_variable id="var_audit_rule_open_o_trunc_64bit_a201003_eperm_regex" version="1" datatype="string" comment="Expression to match 64bit open O_TRUNC EPERM syscall">
|
|
|
28bffe |
- <concat>
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_o_trunc_64bit_head" />
|
|
|
28bffe |
- <literal_component>(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_o_trunc_tail" />
|
|
|
28bffe |
- </concat>
|
|
|
28bffe |
- </local_variable>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- comment="defined audit rule must exist" id="test_arufm_open_o_trunc_32bit_a201003_eacces_augenrules" version="1">
|
|
|
28bffe |
- <ind:object object_ref="object_arufm_open_o_trunc_32bit_a201003_eacces_augenrules" />
|
|
|
28bffe |
- </ind:textfilecontent54_test>
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_o_trunc_32bit_a201003_eacces_augenrules" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_trunc_32bit_a201003_eacces_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- comment="defined audit rule must exist" id="test_arufm_open_o_trunc_32bit_a201003_eperm_augenrules" version="1">
|
|
|
28bffe |
- <ind:object object_ref="object_arufm_open_o_trunc_32bit_a201003_eperm_augenrules" />
|
|
|
28bffe |
- </ind:textfilecontent54_test>
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_o_trunc_32bit_a201003_eperm_augenrules" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_trunc_32bit_a201003_eperm_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- comment="defined audit rule must exist" id="test_arufm_open_o_trunc_64bit_a201003_eacces_augenrules" version="1">
|
|
|
28bffe |
- <ind:object object_ref="object_arufm_open_o_trunc_64bit_a201003_eacces_augenrules" />
|
|
|
28bffe |
- </ind:textfilecontent54_test>
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_o_trunc_64bit_a201003_eacces_augenrules" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_trunc_64bit_a201003_eacces_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- comment="defined audit rule must exist" id="test_arufm_open_o_trunc_64bit_a201003_eperm_augenrules" version="1">
|
|
|
28bffe |
- <ind:object object_ref="object_arufm_open_o_trunc_64bit_a201003_eperm_augenrules" />
|
|
|
28bffe |
- </ind:textfilecontent54_test>
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_o_trunc_64bit_a201003_eperm_augenrules" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_trunc_64bit_a201003_eperm_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- comment="defined audit rule must exist" id="test_arufm_open_o_trunc_32bit_a201003_eacces_auditctl" version="1">
|
|
|
28bffe |
- <ind:object object_ref="object_arufm_open_o_trunc_32bit_a201003_eacces_auditctl" />
|
|
|
28bffe |
- </ind:textfilecontent54_test>
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_o_trunc_32bit_a201003_eacces_auditctl" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_trunc_32bit_a201003_eacces_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- comment="defined audit rule must exist" id="test_arufm_open_o_trunc_32bit_a201003_eperm_auditctl" version="1">
|
|
|
28bffe |
- <ind:object object_ref="object_arufm_open_o_trunc_32bit_a201003_eperm_auditctl" />
|
|
|
28bffe |
- </ind:textfilecontent54_test>
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_o_trunc_32bit_a201003_eperm_auditctl" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_trunc_32bit_a201003_eperm_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- comment="defined audit rule must exist" id="test_arufm_open_o_trunc_64bit_a201003_eacces_auditctl" version="1">
|
|
|
28bffe |
- <ind:object object_ref="object_arufm_open_o_trunc_64bit_a201003_eacces_auditctl" />
|
|
|
28bffe |
- </ind:textfilecontent54_test>
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_o_trunc_64bit_a201003_eacces_auditctl" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_trunc_64bit_a201003_eacces_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- comment="defined audit rule must exist" id="test_arufm_open_o_trunc_64bit_a201003_eperm_auditctl" version="1">
|
|
|
28bffe |
- <ind:object object_ref="object_arufm_open_o_trunc_64bit_a201003_eperm_auditctl" />
|
|
|
28bffe |
- </ind:textfilecontent54_test>
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_o_trunc_64bit_a201003_eperm_auditctl" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_trunc_64bit_a201003_eperm_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
-</def-group>
|
|
|
28bffe |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write.rule
|
|
|
28bffe |
index 8525b31bb1..bf5bae97c5 100644
|
|
|
28bffe |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write.rule
|
|
|
28bffe |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write.rule
|
|
|
28bffe |
@@ -2,7 +2,7 @@ documentation_complete: true
|
|
|
28bffe |
|
|
|
28bffe |
prodtype: rhel7,fedora
|
|
|
28bffe |
|
|
|
28bffe |
-title: 'Record Unauthorized Modification Attempts to Files (unsuccessful) - open O_TRUNC'
|
|
|
28bffe |
+title: 'Record Unauthorized Modification Attempts to Files - open O_TRUNC'
|
|
|
28bffe |
|
|
|
28bffe |
description: |-
|
|
|
28bffe |
The audit system should collect detailed unauthorized file accesses for
|
|
|
28bffe |
@@ -49,5 +49,6 @@ warnings:
|
|
|
28bffe |
- general: |-
|
|
|
28bffe |
Note that these rules can be configured in a
|
|
|
28bffe |
number of ways while still achieving the desired effect. Here the system calls
|
|
|
28bffe |
- have been placed independent of other system calls. Grouping these system
|
|
|
28bffe |
- calls with others as identifying earlier in this guide is more efficient.
|
|
|
28bffe |
+ have been placed independent of other system calls. Grouping system calls related
|
|
|
28bffe |
+ to the same event is more efficient. See the following example:
|
|
|
28bffe |
+ -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
|
|
|
28bffe |
diff --git a/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_rule_order.xml
|
|
|
28bffe |
deleted file mode 100644
|
|
|
28bffe |
index 780fdf60d4..0000000000
|
|
|
28bffe |
--- a/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_rule_order.xml
|
|
|
28bffe |
+++ /dev/null
|
|
|
28bffe |
@@ -1,474 +0,0 @@
|
|
|
28bffe |
-<def-group>
|
|
|
28bffe |
- <definition class="compliance" id="audit_rules_unsuccessful_file_modification_open_rule_order" version="1">
|
|
|
28bffe |
- <metadata>
|
|
|
28bffe |
- <title>Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly</title>
|
|
|
28bffe |
- <affected family="unix">
|
|
|
28bffe |
- <platform>Red Hat Enterprise Linux 7</platform>
|
|
|
28bffe |
- <platform>multi_platform_fedora</platform>
|
|
|
28bffe |
- </affected>
|
|
|
28bffe |
- <description>Audit rules about the information on the unsuccessful use of open is configured in the proper rule order.</description>
|
|
|
28bffe |
-
|
|
|
28bffe |
- </metadata>
|
|
|
28bffe |
-
|
|
|
28bffe |
- <criteria operator="OR">
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- <criteria operator="AND">
|
|
|
28bffe |
- <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
|
|
|
28bffe |
- <criterion comment="audit augenrules 32-bit" test_ref="test_arufm_open_order_32bit_eacces_augenrules" />
|
|
|
28bffe |
- <criterion comment="audit augenrules 32-bit" test_ref="test_arufm_open_order_32bit_eperm_augenrules" />
|
|
|
28bffe |
-
|
|
|
28bffe |
- <criteria operator="OR">
|
|
|
28bffe |
-
|
|
|
28bffe |
- <extend_definition comment="64-bit system" definition_ref="system_info_architecture_64bit" negate="true" />
|
|
|
28bffe |
-
|
|
|
28bffe |
- <criteria operator="AND">
|
|
|
28bffe |
- <criterion comment="audit augenrules 64-bit" test_ref="test_arufm_open_order_64bit_eacces_augenrules" />
|
|
|
28bffe |
- <criterion comment="audit augenrules 64-bit" test_ref="test_arufm_open_order_64bit_eperm_augenrules" />
|
|
|
28bffe |
- </criteria>
|
|
|
28bffe |
- </criteria>
|
|
|
28bffe |
- </criteria>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- <criteria operator="AND">
|
|
|
28bffe |
- <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
|
|
|
28bffe |
- <criterion comment="audit augenrules 32-bit" test_ref="test_arufm_open_order_32bit_eacces_auditctl" />
|
|
|
28bffe |
- <criterion comment="audit augenrules 32-bit" test_ref="test_arufm_open_order_32bit_eperm_auditctl" />
|
|
|
28bffe |
-
|
|
|
28bffe |
- <criteria operator="OR">
|
|
|
28bffe |
-
|
|
|
28bffe |
- <extend_definition comment="64-bit_system" definition_ref="system_info_architecture_64bit" negate="true" />
|
|
|
28bffe |
-
|
|
|
28bffe |
- <criteria operator="AND">
|
|
|
28bffe |
- <criterion comment="audit augenrules 32-bit" test_ref="test_arufm_open_order_64bit_eacces_auditctl" />
|
|
|
28bffe |
- <criterion comment="audit augenrules 32-bit" test_ref="test_arufm_open_order_64bit_eperm_auditctl" />
|
|
|
28bffe |
-
|
|
|
28bffe |
- </criteria>
|
|
|
28bffe |
- </criteria>
|
|
|
28bffe |
- </criteria>
|
|
|
28bffe |
-
|
|
|
28bffe |
- </criteria>
|
|
|
28bffe |
- </definition>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- <constant_variable id="var_audit_rule_open_order_32bit_head" version="1" datatype="string" comment="audit rule arch and syscal">
|
|
|
28bffe |
- <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]*</value>
|
|
|
28bffe |
- </constant_variable>
|
|
|
28bffe |
- <constant_variable id="var_audit_rule_open_order_64bit_head" version="1" datatype="string" comment="audit rule arch and syscal">
|
|
|
28bffe |
- <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]*</value>
|
|
|
28bffe |
- </constant_variable>
|
|
|
28bffe |
- <constant_variable id="var_audit_rule_open_order_tail" version="1" datatype="string" comment="audit rule auid and key">
|
|
|
28bffe |
- <value>[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>
|
|
|
28bffe |
- </constant_variable>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- <constant_variable id="var_audit_rule_open_order_separator_regex" version="1" datatype="string" comment="audit rule auid and key">
|
|
|
28bffe |
- <value>(?:[^.]|\.\s)*</value>
|
|
|
28bffe |
- </constant_variable>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- <local_variable id="var_audit_rule_open_order_32bit_a20100_eacces_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
28bffe |
- <concat>
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_order_32bit_head" />
|
|
|
28bffe |
- <literal_component>(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_order_tail" />
|
|
|
28bffe |
- </concat>
|
|
|
28bffe |
- </local_variable>
|
|
|
28bffe |
- <local_variable id="var_audit_rule_open_order_32bit_a201003_eacces_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
28bffe |
- <concat>
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_order_32bit_head" />
|
|
|
28bffe |
- <literal_component>(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_order_tail" />
|
|
|
28bffe |
- </concat>
|
|
|
28bffe |
- </local_variable>
|
|
|
28bffe |
- <local_variable id="var_audit_rule_open_order_32bit_eacces_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
28bffe |
- <concat>
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_order_32bit_head" />
|
|
|
28bffe |
- <literal_component>(?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_order_tail" />
|
|
|
28bffe |
- </concat>
|
|
|
28bffe |
- </local_variable>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- <local_variable id="var_audit_rule_open_order_32bit_a20100_eperm_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
28bffe |
- <concat>
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_order_32bit_head" />
|
|
|
28bffe |
- <literal_component>(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_order_tail" />
|
|
|
28bffe |
- </concat>
|
|
|
28bffe |
- </local_variable>
|
|
|
28bffe |
- <local_variable id="var_audit_rule_open_order_32bit_a201003_eperm_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
28bffe |
- <concat>
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_order_32bit_head" />
|
|
|
28bffe |
- <literal_component>(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_order_tail" />
|
|
|
28bffe |
- </concat>
|
|
|
28bffe |
- </local_variable>
|
|
|
28bffe |
- <local_variable id="var_audit_rule_open_order_32bit_eperm_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
28bffe |
- <concat>
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_order_32bit_head" />
|
|
|
28bffe |
- <literal_component>(?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_order_tail" />
|
|
|
28bffe |
- </concat>
|
|
|
28bffe |
- </local_variable>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- <local_variable id="var_audit_rule_open_order_64bit_a20100_eacces_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
28bffe |
- <concat>
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_order_64bit_head" />
|
|
|
28bffe |
- <literal_component>(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_order_tail" />
|
|
|
28bffe |
- </concat>
|
|
|
28bffe |
- </local_variable>
|
|
|
28bffe |
- <local_variable id="var_audit_rule_open_order_64bit_a201003_eacces_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
28bffe |
- <concat>
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_order_64bit_head" />
|
|
|
28bffe |
- <literal_component>(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_order_tail" />
|
|
|
28bffe |
- </concat>
|
|
|
28bffe |
- </local_variable>
|
|
|
28bffe |
- <local_variable id="var_audit_rule_open_order_64bit_eacces_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
28bffe |
- <concat>
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_order_64bit_head" />
|
|
|
28bffe |
- <literal_component>(?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_order_tail" />
|
|
|
28bffe |
- </concat>
|
|
|
28bffe |
- </local_variable>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- <local_variable id="var_audit_rule_open_order_64bit_a20100_eperm_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
28bffe |
- <concat>
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_order_64bit_head" />
|
|
|
28bffe |
- <literal_component>(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_order_tail" />
|
|
|
28bffe |
- </concat>
|
|
|
28bffe |
- </local_variable>
|
|
|
28bffe |
- <local_variable id="var_audit_rule_open_order_64bit_a201003_eperm_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
28bffe |
- <concat>
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_order_64bit_head" />
|
|
|
28bffe |
- <literal_component>(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_order_tail" />
|
|
|
28bffe |
- </concat>
|
|
|
28bffe |
- </local_variable>
|
|
|
28bffe |
- <local_variable id="var_audit_rule_open_order_64bit_eperm_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
28bffe |
- <concat>
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_order_64bit_head" />
|
|
|
28bffe |
- <literal_component>(?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_order_tail" />
|
|
|
28bffe |
- </concat>
|
|
|
28bffe |
- </local_variable>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_order_32bit_a20100_eacces_augenrules" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_32bit_a20100_eacces_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_order_32bit_a201003_eacces_augenrules" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_32bit_a201003_eacces_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_order_nofilter_32bit_eacces_augenrules" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_32bit_eacces_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
- <local_variable id="var_arufm_open_order_32bit_eacces_augenrules_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
28bffe |
- <concat>
|
|
|
28bffe |
- <object_component item_field="text" object_ref="object_arufm_open_order_32bit_a20100_eacces_augenrules" />
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_order_separator_regex" />
|
|
|
28bffe |
- <object_component item_field="text" object_ref="object_arufm_open_order_32bit_a201003_eacces_augenrules" />
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_order_separator_regex" />
|
|
|
28bffe |
- <object_component item_field="text" object_ref="object_arufm_open_order_nofilter_32bit_eacces_augenrules" />
|
|
|
28bffe |
- </concat>
|
|
|
28bffe |
- </local_variable>
|
|
|
28bffe |
-
|
|
|
28bffe |
- comment="defined audit rule must exist" id="test_arufm_open_order_32bit_eacces_augenrules" version="1">
|
|
|
28bffe |
- <ind:object object_ref="object_arufm_open_order_32bit_eacces_augenrules" />
|
|
|
28bffe |
- </ind:textfilecontent54_test>
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_order_32bit_eacces_augenrules" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_arufm_open_order_32bit_eacces_augenrules_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_order_32bit_a20100_eperm_augenrules" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_32bit_a20100_eperm_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_order_32bit_a201003_eperm_augenrules" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_32bit_a201003_eperm_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_order_nofilter_32bit_eperm_augenrules" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_32bit_eperm_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
- <local_variable id="var_arufm_open_order_32bit_open_eperm_augenrules_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
28bffe |
- <concat>
|
|
|
28bffe |
- <object_component item_field="text" object_ref="object_arufm_open_order_32bit_a20100_eperm_augenrules" />
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_order_separator_regex" />
|
|
|
28bffe |
- <object_component item_field="text" object_ref="object_arufm_open_order_32bit_a201003_eperm_augenrules" />
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_order_separator_regex" />
|
|
|
28bffe |
- <object_component item_field="text" object_ref="object_arufm_open_order_nofilter_32bit_eperm_augenrules" />
|
|
|
28bffe |
- </concat>
|
|
|
28bffe |
- </local_variable>
|
|
|
28bffe |
-
|
|
|
28bffe |
- comment="defined audit rule must exist" id="test_arufm_open_order_32bit_eperm_augenrules" version="1">
|
|
|
28bffe |
- <ind:object object_ref="object_arufm_open_order_32bit_eperm_augenrules" />
|
|
|
28bffe |
- </ind:textfilecontent54_test>
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_order_32bit_eperm_augenrules" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_arufm_open_order_32bit_open_eperm_augenrules_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_order_64bit_a20100_eacces_augenrules" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_64bit_a20100_eacces_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_order_64bit_a201003_eacces_augenrules" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_64bit_a201003_eacces_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_order_nofilter_64bit_eacces_augenrules" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_64bit_eacces_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
- <local_variable id="var_arufm_open_order_64bit_eacces_augenrules_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
28bffe |
- <concat>
|
|
|
28bffe |
- <object_component item_field="text" object_ref="object_arufm_open_order_64bit_a20100_eacces_augenrules" />
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_order_separator_regex" />
|
|
|
28bffe |
- <object_component item_field="text" object_ref="object_arufm_open_order_64bit_a201003_eacces_augenrules" />
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_order_separator_regex" />
|
|
|
28bffe |
- <object_component item_field="text" object_ref="object_arufm_open_order_nofilter_64bit_eacces_augenrules" />
|
|
|
28bffe |
- </concat>
|
|
|
28bffe |
- </local_variable>
|
|
|
28bffe |
-
|
|
|
28bffe |
- comment="defined audit rule must exist" id="test_arufm_open_order_64bit_eacces_augenrules" version="1">
|
|
|
28bffe |
- <ind:object object_ref="object_arufm_open_order_64bit_eacces_augenrules" />
|
|
|
28bffe |
- </ind:textfilecontent54_test>
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_order_64bit_eacces_augenrules" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_arufm_open_order_64bit_eacces_augenrules_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_order_64bit_a20100_eperm_augenrules" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_64bit_a20100_eperm_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_order_64bit_a201003_eperm_augenrules" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_64bit_a201003_eperm_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_order_nofilter_64bit_eperm_augenrules" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_64bit_eperm_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
- <local_variable id="var_arufm_open_order_64bit_open_eperm_augenrules_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
28bffe |
- <concat>
|
|
|
28bffe |
- <object_component item_field="text" object_ref="object_arufm_open_order_64bit_a20100_eperm_augenrules" />
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_order_separator_regex" />
|
|
|
28bffe |
- <object_component item_field="text" object_ref="object_arufm_open_order_64bit_a201003_eperm_augenrules" />
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_order_separator_regex" />
|
|
|
28bffe |
- <object_component item_field="text" object_ref="object_arufm_open_order_nofilter_64bit_eperm_augenrules" />
|
|
|
28bffe |
- </concat>
|
|
|
28bffe |
- </local_variable>
|
|
|
28bffe |
-
|
|
|
28bffe |
- comment="defined audit rule must exist" id="test_arufm_open_order_64bit_eperm_augenrules" version="1">
|
|
|
28bffe |
- <ind:object object_ref="object_arufm_open_order_64bit_eperm_augenrules" />
|
|
|
28bffe |
- </ind:textfilecontent54_test>
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_order_64bit_eperm_augenrules" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_arufm_open_order_64bit_open_eperm_augenrules_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_order_32bit_a20100_eacces_auditctl" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_32bit_a20100_eacces_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_order_32bit_a201003_eacces_auditctl" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_32bit_a201003_eacces_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_order_nofilter_32bit_eacces_auditctl" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_32bit_eacces_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
- <local_variable id="var_arufm_open_order_32bit_auditctl_eacces_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
28bffe |
- <concat>
|
|
|
28bffe |
- <object_component item_field="text" object_ref="object_arufm_open_order_32bit_a20100_eacces_auditctl" />
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_order_separator_regex" />
|
|
|
28bffe |
- <object_component item_field="text" object_ref="object_arufm_open_order_32bit_a201003_eacces_auditctl" />
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_order_separator_regex" />
|
|
|
28bffe |
- <object_component item_field="text" object_ref="object_arufm_open_order_nofilter_32bit_eacces_auditctl" />
|
|
|
28bffe |
- </concat>
|
|
|
28bffe |
- </local_variable>
|
|
|
28bffe |
-
|
|
|
28bffe |
- comment="defined audit rule must exist" id="test_arufm_open_order_32bit_eacces_auditctl" version="1">
|
|
|
28bffe |
- <ind:object object_ref="object_arufm_open_order_32bit_eacces_auditctl" />
|
|
|
28bffe |
- </ind:textfilecontent54_test>
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_order_32bit_eacces_auditctl" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_arufm_open_order_32bit_auditctl_eacces_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_order_32bit_a20100_eperm_auditctl" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_32bit_a20100_eperm_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_order_32bit_a201003_eperm_auditctl" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_32bit_a201003_eperm_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_order_nofilter_32bit_eperm_auditctl" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_32bit_eperm_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- <local_variable id="var_arufm_open_order_32bit_open_auditctl_eperm_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
28bffe |
- <concat>
|
|
|
28bffe |
- <object_component item_field="text" object_ref="object_arufm_open_order_32bit_a20100_eperm_auditctl" />
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_order_separator_regex" />
|
|
|
28bffe |
- <object_component item_field="text" object_ref="object_arufm_open_order_32bit_a201003_eperm_auditctl" />
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_order_separator_regex" />
|
|
|
28bffe |
- <object_component item_field="text" object_ref="object_arufm_open_order_nofilter_32bit_eperm_auditctl" />
|
|
|
28bffe |
- </concat>
|
|
|
28bffe |
- </local_variable>
|
|
|
28bffe |
-
|
|
|
28bffe |
- comment="Test order of audit 32bit auditctl eperm rules order" id="test_arufm_open_order_32bit_eperm_auditctl" version="1">
|
|
|
28bffe |
- <ind:object object_ref="object_arufm_open_order_32bit_eperm_auditctl" />
|
|
|
28bffe |
- </ind:textfilecontent54_test>
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_order_32bit_eperm_auditctl" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_arufm_open_order_32bit_open_auditctl_eperm_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_order_64bit_a20100_eacces_auditctl" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_64bit_a20100_eacces_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_order_64bit_a201003_eacces_auditctl" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_64bit_a201003_eacces_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_order_nofilter_64bit_eacces_auditctl" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_64bit_eacces_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
- <local_variable id="var_arufm_open_order_64bit_auditctl_eacces_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
28bffe |
- <concat>
|
|
|
28bffe |
- <object_component item_field="text" object_ref="object_arufm_open_order_64bit_a20100_eacces_auditctl" />
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_order_separator_regex" />
|
|
|
28bffe |
- <object_component item_field="text" object_ref="object_arufm_open_order_64bit_a201003_eacces_auditctl" />
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_order_separator_regex" />
|
|
|
28bffe |
- <object_component item_field="text" object_ref="object_arufm_open_order_nofilter_64bit_eacces_auditctl" />
|
|
|
28bffe |
- </concat>
|
|
|
28bffe |
- </local_variable>
|
|
|
28bffe |
-
|
|
|
28bffe |
- comment="defined audit rule must exist" id="test_arufm_open_order_64bit_eacces_auditctl" version="1">
|
|
|
28bffe |
- <ind:object object_ref="object_arufm_open_order_64bit_eacces_auditctl" />
|
|
|
28bffe |
- </ind:textfilecontent54_test>
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_order_64bit_eacces_auditctl" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_arufm_open_order_64bit_auditctl_eacces_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_order_64bit_a20100_eperm_auditctl" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_64bit_a20100_eperm_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_order_64bit_a201003_eperm_auditctl" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_64bit_a201003_eperm_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_order_nofilter_64bit_eperm_auditctl" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_order_64bit_eperm_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
- <local_variable id="var_arufm_open_order_64bit_open_auditctl_eperm_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
28bffe |
- <concat>
|
|
|
28bffe |
- <object_component item_field="text" object_ref="object_arufm_open_order_64bit_a20100_eperm_auditctl" />
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_order_separator_regex" />
|
|
|
28bffe |
- <object_component item_field="text" object_ref="object_arufm_open_order_64bit_a201003_eperm_auditctl" />
|
|
|
28bffe |
- <variable_component var_ref="var_audit_rule_open_order_separator_regex" />
|
|
|
28bffe |
- <object_component item_field="text" object_ref="object_arufm_open_order_nofilter_64bit_eperm_auditctl" />
|
|
|
28bffe |
- </concat>
|
|
|
28bffe |
- </local_variable>
|
|
|
28bffe |
-
|
|
|
28bffe |
- comment="defined audit rule must exist" id="test_arufm_open_order_64bit_eperm_auditctl" version="1">
|
|
|
28bffe |
- <ind:object object_ref="object_arufm_open_order_64bit_eperm_auditctl" />
|
|
|
28bffe |
- </ind:textfilecontent54_test>
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_arufm_open_order_64bit_eperm_auditctl" version="1">
|
|
|
28bffe |
- <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match" var_ref="var_arufm_open_order_64bit_open_auditctl_eperm_regex" />
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
-</def-group>
|
|
|
28bffe |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order.rule
|
|
|
28bffe |
index 60a1b9de12..0c6949e27d 100644
|
|
|
28bffe |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order.rule
|
|
|
28bffe |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order.rule
|
|
|
28bffe |
@@ -39,8 +39,9 @@ description: |-
|
|
|
28bffe |
|
|
|
28bffe |
|
|
|
28bffe |
rationale: |-
|
|
|
28bffe |
- Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
|
|
|
28bffe |
- these events could serve as evidence of potential system compromise.
|
|
|
28bffe |
+ The more specific rules cover a subset of events covered by the less specific rules.
|
|
|
28bffe |
+ By ordering them from more specific to less specific, it is assured that the less specific
|
|
|
28bffe |
+ rule will not catch events better recorded by the more specific rule.
|
|
|
28bffe |
|
|
|
28bffe |
severity: medium
|
|
|
28bffe |
|
|
|
28bffe |
@@ -55,10 +56,3 @@ references:
|
|
|
28bffe |
srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172
|
|
|
28bffe |
|
|
|
28bffe |
{{{ complete_ocil_entry_audit_syscall(syscall="open") }}}
|
|
|
28bffe |
-
|
|
|
28bffe |
-warnings:
|
|
|
28bffe |
- - general: |-
|
|
|
28bffe |
- Note that these rules can be configured in a
|
|
|
28bffe |
- number of ways while still achieving the desired effect. Here the system calls
|
|
|
28bffe |
- have been placed independent of other system calls. Grouping these system
|
|
|
28bffe |
- calls with others as identifying earlier in this guide is more efficient.
|
|
|
28bffe |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_creat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_creat.rule
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..7470e2f80d
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_creat.rule
|
|
|
28bffe |
@@ -0,0 +1,55 @@
|
|
|
28bffe |
+documentation_complete: true
|
|
|
28bffe |
+
|
|
|
28bffe |
+prodtype: rhel7,fedora
|
|
|
28bffe |
+
|
|
|
28bffe |
+title: 'Record Unauthorized Creation Attempts to Files - openat O_CREAT'
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+description: |-
|
|
|
28bffe |
+ The audit system should collect unauthorized file accesses for
|
|
|
28bffe |
+ all users and root. The <tt>openat</tt> syscall can be used to create new files
|
|
|
28bffe |
+ when O_CREAT flag is specified.
|
|
|
28bffe |
+ The following auidt rules will asure that unsuccessful attempts to create a
|
|
|
28bffe |
+ file via <tt>openat</tt> syscall are collected.
|
|
|
28bffe |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt>
|
|
|
28bffe |
+ program to read audit rules during daemon startup (the default), add the
|
|
|
28bffe |
+ rules below to a file with suffix <tt>.rules</tt> in the directory
|
|
|
28bffe |
+ <tt>/etc/audit/rules.d</tt>.
|
|
|
28bffe |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
28bffe |
+ utility to read audit rules during daemon startup, add the rules below to
|
|
|
28bffe |
+ <tt>/etc/audit/audit.rules</tt> file.
|
|
|
28bffe |
+
|
|
|
28bffe |
+ -a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
|
|
|
28bffe |
+ -a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
|
|
|
28bffe |
+
|
|
|
28bffe |
+ If the system is 64 bit then also add the following lines:
|
|
|
28bffe |
+
|
|
|
28bffe |
+ -a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
|
|
|
28bffe |
+ -a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+rationale: |-
|
|
|
28bffe |
+ Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
|
|
|
28bffe |
+ these events could serve as evidence of potential system compromise.
|
|
|
28bffe |
+
|
|
|
28bffe |
+severity: medium
|
|
|
28bffe |
+
|
|
|
28bffe |
+references:
|
|
|
28bffe |
+ cis: 5.2.10
|
|
|
28bffe |
+ cui: 3.1.7
|
|
|
28bffe |
+ disa: 172,2884
|
|
|
28bffe |
+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
|
|
|
28bffe |
+ nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
|
|
|
28bffe |
+ ospp@rhel7: FAU_GEN.1.1.c
|
|
|
28bffe |
+ pcidss: Req-10.2.4,Req-10.2.1
|
|
|
28bffe |
+ srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172
|
|
|
28bffe |
+
|
|
|
28bffe |
+{{{ complete_ocil_entry_audit_syscall(syscall="openat") }}}
|
|
|
28bffe |
+
|
|
|
28bffe |
+warnings:
|
|
|
28bffe |
+ - general: |-
|
|
|
28bffe |
+ Note that these rules can be configured in a
|
|
|
28bffe |
+ number of ways while still achieving the desired effect. Here the system calls
|
|
|
28bffe |
+ have been placed independent of other system calls. Grouping system calls related
|
|
|
28bffe |
+ to the same event is more efficient. See the following example:
|
|
|
28bffe |
+ -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
|
|
|
28bffe |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_trunc_write.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_trunc_write.rule
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..8ee69927d8
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_trunc_write.rule
|
|
|
28bffe |
@@ -0,0 +1,54 @@
|
|
|
28bffe |
+documentation_complete: true
|
|
|
28bffe |
+
|
|
|
28bffe |
+prodtype: rhel7,fedora
|
|
|
28bffe |
+
|
|
|
28bffe |
+title: 'Record Unauthorized Modification Attempts to Files - openat O_TRUNC'
|
|
|
28bffe |
+
|
|
|
28bffe |
+description: |-
|
|
|
28bffe |
+ The audit system should collect detailed unauthorized file accesses for
|
|
|
28bffe |
+ all users and root. The <tt>openat</tt> syscall can be used to modify files
|
|
|
28bffe |
+ if called for write operation of with O_TRUNC flag.
|
|
|
28bffe |
+ The following auidt rules will asure that unsuccessful attempts to modify a
|
|
|
28bffe |
+ file via <tt>openat</tt> syscall are collected.
|
|
|
28bffe |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt>
|
|
|
28bffe |
+ program to read audit rules during daemon startup (the default), add the
|
|
|
28bffe |
+ rules below to a file with suffix <tt>.rules</tt> in the directory
|
|
|
28bffe |
+ <tt>/etc/audit/rules.d</tt>.
|
|
|
28bffe |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
28bffe |
+ utility to read audit rules during daemon startup, add the rules below to
|
|
|
28bffe |
+ <tt>/etc/audit/audit.rules</tt> file.
|
|
|
28bffe |
+
|
|
|
28bffe |
+ -a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
|
|
|
28bffe |
+ -a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
|
|
|
28bffe |
+
|
|
|
28bffe |
+ If the system is 64 bit then also add the following lines:
|
|
|
28bffe |
+
|
|
|
28bffe |
+ -a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
|
|
|
28bffe |
+ -a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+rationale: |-
|
|
|
28bffe |
+ Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
|
|
|
28bffe |
+ these events could serve as evidence of potential system compromise.
|
|
|
28bffe |
+
|
|
|
28bffe |
+severity: medium
|
|
|
28bffe |
+
|
|
|
28bffe |
+references:
|
|
|
28bffe |
+ cis: 5.2.10
|
|
|
28bffe |
+ cui: 3.1.7
|
|
|
28bffe |
+ disa: 172,2884
|
|
|
28bffe |
+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
|
|
|
28bffe |
+ nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
|
|
|
28bffe |
+ ospp@rhel7: FAU_GEN.1.1.c
|
|
|
28bffe |
+ pcidss: Req-10.2.4,Req-10.2.1
|
|
|
28bffe |
+ srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172
|
|
|
28bffe |
+
|
|
|
28bffe |
+{{{ complete_ocil_entry_audit_syscall(syscall="openat") }}}
|
|
|
28bffe |
+
|
|
|
28bffe |
+warnings:
|
|
|
28bffe |
+ - general: |-
|
|
|
28bffe |
+ Note that these rules can be configured in a
|
|
|
28bffe |
+ number of ways while still achieving the desired effect. Here the system calls
|
|
|
28bffe |
+ have been placed independent of other system calls. Grouping system calls related
|
|
|
28bffe |
+ to the same event is more efficient. See the following example:
|
|
|
28bffe |
+ -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
|
|
|
28bffe |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_rule_order.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_rule_order.rule
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..d5849a46bf
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_rule_order.rule
|
|
|
28bffe |
@@ -0,0 +1,58 @@
|
|
|
28bffe |
+documentation_complete: true
|
|
|
28bffe |
+
|
|
|
28bffe |
+prodtype: rhel7,fedora
|
|
|
28bffe |
+
|
|
|
28bffe |
+title: 'Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly'
|
|
|
28bffe |
+
|
|
|
28bffe |
+description: |-
|
|
|
28bffe |
+ The audit system should collect detailed unauthorized file
|
|
|
28bffe |
+ accesses for all users and root.
|
|
|
28bffe |
+ To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access
|
|
|
28bffe |
+ of files via <tt>openat</tt> syscall the audit rules collecting these events need to be in certain order.
|
|
|
28bffe |
+ The more specific rules need to come before the less specific rules. The reason for that is that more
|
|
|
28bffe |
+ specific rules cover a subset of events covered in the less specific rules, thus, they need to come
|
|
|
28bffe |
+ before to not be overshadowed by less specific rules, which match a bigger set of events.
|
|
|
28bffe |
+ Make sure that rules for unsuccessful calls of <tt>openat</tt> syscall are in the order shown below.
|
|
|
28bffe |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt>
|
|
|
28bffe |
+ program to read audit rules during daemon startup (the default), check the order of
|
|
|
28bffe |
+ rules below in a file with suffix <tt>.rules</tt> in the directory
|
|
|
28bffe |
+ <tt>/etc/audit/rules.d</tt>.
|
|
|
28bffe |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
28bffe |
+ utility to read audit rules during daemon startup, check the order of rules below in
|
|
|
28bffe |
+ <tt>/etc/audit/audit.rules</tt> file.
|
|
|
28bffe |
+
|
|
|
28bffe |
+ -a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
|
|
|
28bffe |
+ -a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
|
|
|
28bffe |
+ -a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
|
|
|
28bffe |
+ -a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
|
|
|
28bffe |
+ -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
|
|
|
28bffe |
+ -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
|
|
|
28bffe |
+
|
|
|
28bffe |
+ If the system is 64 bit then also add the following lines:
|
|
|
28bffe |
+
|
|
|
28bffe |
+ -a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
|
|
|
28bffe |
+ -a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
|
|
|
28bffe |
+ -a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
|
|
|
28bffe |
+ -a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
|
|
|
28bffe |
+ -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
|
|
|
28bffe |
+ -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+rationale: |-
|
|
|
28bffe |
+ The more specific rules cover a subset of events covered by the less specific rules.
|
|
|
28bffe |
+ By ordering them from more specific to less specific, it is assured that the less specific
|
|
|
28bffe |
+ rule will not catch events better recorded by the more specific rule.
|
|
|
28bffe |
+
|
|
|
28bffe |
+severity: medium
|
|
|
28bffe |
+
|
|
|
28bffe |
+references:
|
|
|
28bffe |
+ cis: 5.2.10
|
|
|
28bffe |
+ cui: 3.1.7
|
|
|
28bffe |
+ disa: 172,2884
|
|
|
28bffe |
+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
|
|
|
28bffe |
+ nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
|
|
|
28bffe |
+ ospp@rhel7: FAU_GEN.1.1.c
|
|
|
28bffe |
+ pcidss: Req-10.2.4,Req-10.2.1
|
|
|
28bffe |
+ srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172
|
|
|
28bffe |
+
|
|
|
28bffe |
+{{{ complete_ocil_entry_audit_syscall(syscall="openat") }}}
|
|
|
28bffe |
diff --git a/shared/templates/create_audit_rules_unsuccessful_file_modification_detailed.py b/shared/templates/create_audit_rules_unsuccessful_file_modification_detailed.py
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..c14c35a381
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/shared/templates/create_audit_rules_unsuccessful_file_modification_detailed.py
|
|
|
28bffe |
@@ -0,0 +1,45 @@
|
|
|
28bffe |
+#!/usr/bin/python2
|
|
|
28bffe |
+
|
|
|
28bffe |
+#
|
|
|
28bffe |
+# create_audit_rules_unsuccessful_file_modification_detailed.py
|
|
|
28bffe |
+# generate template-based checks for unsuccessful file modifications detailed
|
|
|
28bffe |
+# - audit_rules_unsuccessful_file_modification_syscall_o_creat
|
|
|
28bffe |
+# - audit_rules_unsuccessful_file_modification_syscall_o_trunc_write
|
|
|
28bffe |
+# - audit_rules_unsuccessful_file_modification_syscall_rule_order
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+from template_common import FilesGenerator, UnknownTargetError
|
|
|
28bffe |
+
|
|
|
28bffe |
+import re
|
|
|
28bffe |
+
|
|
|
28bffe |
+class ARUFMDetailedGenerator(FilesGenerator):
|
|
|
28bffe |
+ def generate(self, target, args):
|
|
|
28bffe |
+ syscall = re.sub('[-\./]', '_', args[0])
|
|
|
28bffe |
+ if target == "oval":
|
|
|
28bffe |
+ self.file_from_template(
|
|
|
28bffe |
+ "./template_OVAL_audit_rules_unsuccessful_file_modification_o_creat",
|
|
|
28bffe |
+ {
|
|
|
28bffe |
+ "SYSCALL": syscall
|
|
|
28bffe |
+ },
|
|
|
28bffe |
+ "./oval/audit_rules_unsuccessful_file_modification_{0}_o_creat.xml", syscall
|
|
|
28bffe |
+ )
|
|
|
28bffe |
+ self.file_from_template(
|
|
|
28bffe |
+ "./template_OVAL_audit_rules_unsuccessful_file_modification_o_trunc_write",
|
|
|
28bffe |
+ {
|
|
|
28bffe |
+ "SYSCALL": syscall
|
|
|
28bffe |
+ },
|
|
|
28bffe |
+ "./oval/audit_rules_unsuccessful_file_modification_{0}_o_trunc_write.xml", syscall
|
|
|
28bffe |
+ )
|
|
|
28bffe |
+ self.file_from_template(
|
|
|
28bffe |
+ "./template_OVAL_audit_rules_unsuccessful_file_modification_rule_order",
|
|
|
28bffe |
+ {
|
|
|
28bffe |
+ "SYSCALL": syscall
|
|
|
28bffe |
+ },
|
|
|
28bffe |
+ "./oval/audit_rules_unsuccessful_file_modification_{0}_rule_order.xml", syscall
|
|
|
28bffe |
+ )
|
|
|
28bffe |
+ else:
|
|
|
28bffe |
+ raise UnknownTargetError(target)
|
|
|
28bffe |
+
|
|
|
28bffe |
+ def csv_format(self):
|
|
|
28bffe |
+ return("CSV should contains lines of the format: " +
|
|
|
28bffe |
+ "SYSCALL")
|
|
|
28bffe |
diff --git a/shared/templates/csv/audit_rules_unsuccessful_file_modification_detailed.csv b/shared/templates/csv/audit_rules_unsuccessful_file_modification_detailed.csv
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..97d5c04e14
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/shared/templates/csv/audit_rules_unsuccessful_file_modification_detailed.csv
|
|
|
28bffe |
@@ -0,0 +1,7 @@
|
|
|
28bffe |
+# format:
|
|
|
28bffe |
+# <syscall>
|
|
|
28bffe |
+# - syscall is the syscall to generate detailed rules for
|
|
|
28bffe |
+
|
|
|
28bffe |
+open
|
|
|
28bffe |
+openat
|
|
|
28bffe |
+open_by_handle_at
|
|
|
28bffe |
diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_creat b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_creat
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..7f1bf6f68f
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_creat
|
|
|
28bffe |
@@ -0,0 +1,200 @@
|
|
|
28bffe |
+<def-group>
|
|
|
28bffe |
+ <definition class="compliance" id="audit_rules_unsuccessful_file_modification_{{{ SYSCALL }}}_o_creat" version="1">
|
|
|
28bffe |
+ <metadata>
|
|
|
28bffe |
+ <title>Ensure auditd Collects Information on Unsuccesful Creation Attempts to Files - {{{ SYSCALL }}} o_creat</title>
|
|
|
28bffe |
+ <affected family="unix">
|
|
|
28bffe |
+ <platform>Red Hat Enterprise Linux 7</platform>
|
|
|
28bffe |
+ <platform>multi_platform_fedora</platform>
|
|
|
28bffe |
+ </affected>
|
|
|
28bffe |
+ <description>Audit rules about the information on the unsuccessful use of {{{ SYSCALL }}} O_CREAT is enabled.</description>
|
|
|
28bffe |
+ </metadata>
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <criteria operator="OR">
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <criteria operator="AND">
|
|
|
28bffe |
+ <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
|
|
|
28bffe |
+ <criterion comment="Verify audit rule {{{ SYSCALL }}} 32bit a2&0100 eacces augenrules exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_creat_32bit_a20100_eacces_augenrules" />
|
|
|
28bffe |
+ <criterion comment="Verify audit rule {{{ SYSCALL }}} 32bit a2&0100 eperm augenrules exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_creat_32bit_a20100_eperm_augenrules" />
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <criteria operator="OR">
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <extend_definition comment="64-bit system" definition_ref="system_info_architecture_64bit" negate="true" />
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <criteria operator="AND">
|
|
|
28bffe |
+ <criterion comment="Verify audit rule {{{ SYSCALL }}} 64bit a2&0100 eacces augenrules exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_creat_64bit_a20100_eacces_augenrules" />
|
|
|
28bffe |
+ <criterion comment="Verify audit rule {{{ SYSCALL }}} 64bit a2&0100 eperm augenrules exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_creat_64bit_a20100_eperm_augenrules" />
|
|
|
28bffe |
+ </criteria>
|
|
|
28bffe |
+ </criteria>
|
|
|
28bffe |
+ </criteria>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <criteria operator="AND">
|
|
|
28bffe |
+ <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
|
|
|
28bffe |
+ <criterion comment="Verify audit rule {{{ SYSCALL }}} 32bit a2&0100 eacces auditctl exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_creat_32bit_a20100_eacces_auditctl" />
|
|
|
28bffe |
+ <criterion comment="Verify audit rule {{{ SYSCALL }}} 32bit a2&0100 eperm auditctl exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_creat_32bit_a20100_eperm_auditctl" />
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <criteria operator="OR">
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <extend_definition comment="64-bit_system" definition_ref="system_info_architecture_64bit" negate="true" />
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <criteria operator="AND">
|
|
|
28bffe |
+ <criterion comment="Verify audit rule {{{ SYSCALL }}} 64bit a2&0100 eacces auditctl exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_creat_64bit_a20100_eacces_auditctl" />
|
|
|
28bffe |
+ <criterion comment="Verify audit rule {{{ SYSCALL }}} 64bit a2&0100 eperm auditctl exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_creat_64bit_a20100_eperm_auditctl" />
|
|
|
28bffe |
+
|
|
|
28bffe |
+ </criteria>
|
|
|
28bffe |
+ </criteria>
|
|
|
28bffe |
+ </criteria>
|
|
|
28bffe |
+
|
|
|
28bffe |
+ </criteria>
|
|
|
28bffe |
+ </definition>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <constant_variable id="var_audit_rule_{{{ SYSCALL }}}_o_creat_32bit_head" version="1" datatype="string" comment="audit rule arch and syscal">
|
|
|
28bffe |
+ <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]*</value>
|
|
|
28bffe |
+ </constant_variable>
|
|
|
28bffe |
+ <constant_variable id="var_audit_rule_{{{ SYSCALL }}}_o_creat_64bit_head" version="1" datatype="string" comment="audit rule arch and syscal">
|
|
|
28bffe |
+ <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]*</value>
|
|
|
28bffe |
+ </constant_variable>
|
|
|
28bffe |
+ <constant_variable id="var_audit_rule_{{{ SYSCALL }}}_o_creat_tail" version="1" datatype="string" comment="audit rule auid and key">
|
|
|
28bffe |
+ <value>[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>
|
|
|
28bffe |
+ </constant_variable>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <constant_variable id="var_audit_rule_{{{ SYSCALL }}}_o_creat_separator_regex" version="1" datatype="string" comment="audit rule auid and key">
|
|
|
28bffe |
+ <value>(?:[^.]|\.\s)*</value>
|
|
|
28bffe |
+ </constant_variable>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <local_variable id="var_audit_rule_{{{ SYSCALL }}}_o_creat_32bit_a20100_eacces_regex" version="1" datatype="string" comment="Expression to match 32bit {{{ SYSCALL }}} O_CREAT EACCES syscall">
|
|
|
28bffe |
+ <concat>
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_o_creat_32bit_head" />
|
|
|
28bffe |
+ <literal_component>(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_o_creat_tail" />
|
|
|
28bffe |
+ </concat>
|
|
|
28bffe |
+ </local_variable>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <local_variable id="var_audit_rule_{{{ SYSCALL }}}_o_creat_32bit_a20100_eperm_regex" version="1" datatype="string" comment="Expression to match 32bit {{{ SYSCALL }}} O_CREAT EPERM syscall">
|
|
|
28bffe |
+ <concat>
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_o_creat_32bit_head" />
|
|
|
28bffe |
+ <literal_component>(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_o_creat_tail" />
|
|
|
28bffe |
+ </concat>
|
|
|
28bffe |
+ </local_variable>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <local_variable id="var_audit_rule_{{{ SYSCALL }}}_o_creat_64bit_a20100_eacces_regex" version="1" datatype="string" comment="Expression to match 64bit {{{ SYSCALL }}} O_CREAT EACCES syscall">
|
|
|
28bffe |
+ <concat>
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_o_creat_64bit_head" />
|
|
|
28bffe |
+ <literal_component>(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_o_creat_tail" />
|
|
|
28bffe |
+ </concat>
|
|
|
28bffe |
+ </local_variable>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <local_variable id="var_audit_rule_{{{ SYSCALL }}}_o_creat_64bit_a20100_eperm_regex" version="1" datatype="string" comment="Expression to match 32bit {{{ SYSCALL }}} O_CREAT EPERM syscall">
|
|
|
28bffe |
+ <concat>
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_o_creat_64bit_head" />
|
|
|
28bffe |
+ <literal_component>(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_o_creat_tail" />
|
|
|
28bffe |
+ </concat>
|
|
|
28bffe |
+ </local_variable>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ comment="defined audit rule must exist" id="test_arufm_{{{ SYSCALL }}}_o_creat_32bit_a20100_eacces_augenrules" version="1">
|
|
|
28bffe |
+ <ind:object object_ref="object_arufm_{{{ SYSCALL }}}_o_creat_32bit_a20100_eacces_augenrules" />
|
|
|
28bffe |
+ </ind:textfilecontent54_test>
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_o_creat_32bit_a20100_eacces_augenrules" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_o_creat_32bit_a20100_eacces_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ comment="defined audit rule must exist" id="test_arufm_{{{ SYSCALL }}}_o_creat_32bit_a20100_eperm_augenrules" version="1">
|
|
|
28bffe |
+ <ind:object object_ref="object_arufm_{{{ SYSCALL }}}_o_creat_32bit_a20100_eperm_augenrules" />
|
|
|
28bffe |
+ </ind:textfilecontent54_test>
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_o_creat_32bit_a20100_eperm_augenrules" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_o_creat_32bit_a20100_eperm_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ comment="defined audit rule must exist" id="test_arufm_{{{ SYSCALL }}}_o_creat_64bit_a20100_eacces_augenrules" version="1">
|
|
|
28bffe |
+ <ind:object object_ref="object_arufm_{{{ SYSCALL }}}_o_creat_64bit_a20100_eacces_augenrules" />
|
|
|
28bffe |
+ </ind:textfilecontent54_test>
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_o_creat_64bit_a20100_eacces_augenrules" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_o_creat_64bit_a20100_eacces_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ comment="defined audit rule must exist" id="test_arufm_{{{ SYSCALL }}}_o_creat_64bit_a20100_eperm_augenrules" version="1">
|
|
|
28bffe |
+ <ind:object object_ref="object_arufm_{{{ SYSCALL }}}_o_creat_64bit_a20100_eperm_augenrules" />
|
|
|
28bffe |
+ </ind:textfilecontent54_test>
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_o_creat_64bit_a20100_eperm_augenrules" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_o_creat_64bit_a20100_eperm_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ comment="defined audit rule must exist" id="test_arufm_{{{ SYSCALL }}}_o_creat_32bit_a20100_eacces_auditctl" version="1">
|
|
|
28bffe |
+ <ind:object object_ref="object_arufm_{{{ SYSCALL }}}_o_creat_32bit_a20100_eacces_auditctl" />
|
|
|
28bffe |
+ </ind:textfilecontent54_test>
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_o_creat_32bit_a20100_eacces_auditctl" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_o_creat_32bit_a20100_eacces_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ comment="defined audit rule must exist" id="test_arufm_{{{ SYSCALL }}}_o_creat_32bit_a20100_eperm_auditctl" version="1">
|
|
|
28bffe |
+ <ind:object object_ref="object_arufm_{{{ SYSCALL }}}_o_creat_32bit_a20100_eperm_auditctl" />
|
|
|
28bffe |
+ </ind:textfilecontent54_test>
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_o_creat_32bit_a20100_eperm_auditctl" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_o_creat_32bit_a20100_eperm_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ comment="defined audit rule must exist" id="test_arufm_{{{ SYSCALL }}}_o_creat_64bit_a20100_eacces_auditctl" version="1">
|
|
|
28bffe |
+ <ind:object object_ref="object_arufm_{{{ SYSCALL }}}_o_creat_64bit_a20100_eacces_auditctl" />
|
|
|
28bffe |
+ </ind:textfilecontent54_test>
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_o_creat_64bit_a20100_eacces_auditctl" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_o_creat_64bit_a20100_eacces_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ comment="defined audit rule must exist" id="test_arufm_{{{ SYSCALL }}}_o_creat_64bit_a20100_eperm_auditctl" version="1">
|
|
|
28bffe |
+ <ind:object object_ref="object_arufm_{{{ SYSCALL }}}_o_creat_64bit_a20100_eperm_auditctl" />
|
|
|
28bffe |
+ </ind:textfilecontent54_test>
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_o_creat_64bit_a20100_eperm_auditctl" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_o_creat_64bit_a20100_eperm_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+</def-group>
|
|
|
28bffe |
diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_trunc_write b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_trunc_write
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..ce7d3c44c7
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_trunc_write
|
|
|
28bffe |
@@ -0,0 +1,200 @@
|
|
|
28bffe |
+<def-group>
|
|
|
28bffe |
+ <definition class="compliance" id="audit_rules_unsuccessful_file_modification_{{{ SYSCALL }}}_o_trunc_write" version="1">
|
|
|
28bffe |
+ <metadata>
|
|
|
28bffe |
+ <title>Ensure auditd Collects Information on Unsuccesful Creation Attempts to Files - {{{ SYSCALL }}} o_trunc</title>
|
|
|
28bffe |
+ <affected family="unix">
|
|
|
28bffe |
+ <platform>Red Hat Enterprise Linux 7</platform>
|
|
|
28bffe |
+ <platform>multi_platform_fedora</platform>
|
|
|
28bffe |
+ </affected>
|
|
|
28bffe |
+ <description>Audit rules about the information on the unsuccessful use of {{{ SYSCALL }}} O_TRUNC is enabled.</description>
|
|
|
28bffe |
+ </metadata>
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <criteria operator="OR">
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <criteria operator="AND">
|
|
|
28bffe |
+ <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
|
|
|
28bffe |
+ <criterion comment="Verify audit rule {{{ SYSCALL }}} 32bit a2&01003 eacces augenrules exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_trunc_32bit_a201003_eacces_augenrules" />
|
|
|
28bffe |
+ <criterion comment="Verify audit rule {{{ SYSCALL }}} 32bit a2&01003 eperm augenrules exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_trunc_32bit_a201003_eperm_augenrules" />
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <criteria operator="OR">
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <extend_definition comment="64-bit system" definition_ref="system_info_architecture_64bit" negate="true" />
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <criteria operator="AND">
|
|
|
28bffe |
+ <criterion comment="Verify audit rule {{{ SYSCALL }}} 64bit a2&01003 eacces augenrules exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_trunc_64bit_a201003_eacces_augenrules" />
|
|
|
28bffe |
+ <criterion comment="Verify audit rule {{{ SYSCALL }}} 64bit a2&01003 eperm augenrules exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_trunc_64bit_a201003_eperm_augenrules" />
|
|
|
28bffe |
+ </criteria>
|
|
|
28bffe |
+ </criteria>
|
|
|
28bffe |
+ </criteria>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <criteria operator="AND">
|
|
|
28bffe |
+ <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
|
|
|
28bffe |
+ <criterion comment="Verify audit rule {{{ SYSCALL }}} 32bit a2&01003 eacces auditctl exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_trunc_32bit_a201003_eacces_auditctl" />
|
|
|
28bffe |
+ <criterion comment="Verify audit rule {{{ SYSCALL }}} 32bit a2&01003 eperm auditctl exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_trunc_32bit_a201003_eperm_auditctl" />
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <criteria operator="OR">
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <extend_definition comment="64-bit_system" definition_ref="system_info_architecture_64bit" negate="true" />
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <criteria operator="AND">
|
|
|
28bffe |
+ <criterion comment="Verify audit rule {{{ SYSCALL }}} 64bit a2&01003 eacces auditctl exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_trunc_64bit_a201003_eacces_auditctl" />
|
|
|
28bffe |
+ <criterion comment="Verify audit rule {{{ SYSCALL }}} 64bit a2&01003 eperm auditctl exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_trunc_64bit_a201003_eperm_auditctl" />
|
|
|
28bffe |
+
|
|
|
28bffe |
+ </criteria>
|
|
|
28bffe |
+ </criteria>
|
|
|
28bffe |
+ </criteria>
|
|
|
28bffe |
+
|
|
|
28bffe |
+ </criteria>
|
|
|
28bffe |
+ </definition>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <constant_variable id="var_audit_rule_{{{ SYSCALL }}}_o_trunc_32bit_head" version="1" datatype="string" comment="audit rule arch and syscal">
|
|
|
28bffe |
+ <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]*</value>
|
|
|
28bffe |
+ </constant_variable>
|
|
|
28bffe |
+ <constant_variable id="var_audit_rule_{{{ SYSCALL }}}_o_trunc_64bit_head" version="1" datatype="string" comment="audit rule arch and syscal">
|
|
|
28bffe |
+ <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]*</value>
|
|
|
28bffe |
+ </constant_variable>
|
|
|
28bffe |
+ <constant_variable id="var_audit_rule_{{{ SYSCALL }}}_o_trunc_tail" version="1" datatype="string" comment="audit rule auid and key">
|
|
|
28bffe |
+ <value>[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>
|
|
|
28bffe |
+ </constant_variable>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <constant_variable id="var_audit_rule_{{{ SYSCALL }}}_o_trunc_separator_regex" version="1" datatype="string" comment="audit rule auid and key">
|
|
|
28bffe |
+ <value>(?:[^.]|\.\s)*</value>
|
|
|
28bffe |
+ </constant_variable>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <local_variable id="var_audit_rule_{{{ SYSCALL }}}_o_trunc_32bit_a201003_eacces_regex" version="1" datatype="string" comment="Expression to match 32bit {{{ SYSCALL }}} O_TRUNC EACCES syscall">
|
|
|
28bffe |
+ <concat>
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_o_trunc_32bit_head" />
|
|
|
28bffe |
+ <literal_component>(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_o_trunc_tail" />
|
|
|
28bffe |
+ </concat>
|
|
|
28bffe |
+ </local_variable>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <local_variable id="var_audit_rule_{{{ SYSCALL }}}_o_trunc_32bit_a201003_eperm_regex" version="1" datatype="string" comment="Expression to match 32bit {{{ SYSCALL }}} O_TRUNC EPERM EACCES syscall">
|
|
|
28bffe |
+ <concat>
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_o_trunc_32bit_head" />
|
|
|
28bffe |
+ <literal_component>(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_o_trunc_tail" />
|
|
|
28bffe |
+ </concat>
|
|
|
28bffe |
+ </local_variable>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <local_variable id="var_audit_rule_{{{ SYSCALL }}}_o_trunc_64bit_a201003_eacces_regex" version="1" datatype="string" comment="Expression to match 64bit {{{ SYSCALL }}} O_TRUNC EACCES syscall">
|
|
|
28bffe |
+ <concat>
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_o_trunc_64bit_head" />
|
|
|
28bffe |
+ <literal_component>(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_o_trunc_tail" />
|
|
|
28bffe |
+ </concat>
|
|
|
28bffe |
+ </local_variable>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <local_variable id="var_audit_rule_{{{ SYSCALL }}}_o_trunc_64bit_a201003_eperm_regex" version="1" datatype="string" comment="Expression to match 64bit {{{ SYSCALL }}} O_TRUNC EPERM syscall">
|
|
|
28bffe |
+ <concat>
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_o_trunc_64bit_head" />
|
|
|
28bffe |
+ <literal_component>(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_o_trunc_tail" />
|
|
|
28bffe |
+ </concat>
|
|
|
28bffe |
+ </local_variable>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ comment="defined audit rule must exist" id="test_arufm_{{{ SYSCALL }}}_o_trunc_32bit_a201003_eacces_augenrules" version="1">
|
|
|
28bffe |
+ <ind:object object_ref="object_arufm_{{{ SYSCALL }}}_o_trunc_32bit_a201003_eacces_augenrules" />
|
|
|
28bffe |
+ </ind:textfilecontent54_test>
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_o_trunc_32bit_a201003_eacces_augenrules" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_o_trunc_32bit_a201003_eacces_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ comment="defined audit rule must exist" id="test_arufm_{{{ SYSCALL }}}_o_trunc_32bit_a201003_eperm_augenrules" version="1">
|
|
|
28bffe |
+ <ind:object object_ref="object_arufm_{{{ SYSCALL }}}_o_trunc_32bit_a201003_eperm_augenrules" />
|
|
|
28bffe |
+ </ind:textfilecontent54_test>
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_o_trunc_32bit_a201003_eperm_augenrules" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_o_trunc_32bit_a201003_eperm_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ comment="defined audit rule must exist" id="test_arufm_{{{ SYSCALL }}}_o_trunc_64bit_a201003_eacces_augenrules" version="1">
|
|
|
28bffe |
+ <ind:object object_ref="object_arufm_{{{ SYSCALL }}}_o_trunc_64bit_a201003_eacces_augenrules" />
|
|
|
28bffe |
+ </ind:textfilecontent54_test>
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_o_trunc_64bit_a201003_eacces_augenrules" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_o_trunc_64bit_a201003_eacces_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ comment="defined audit rule must exist" id="test_arufm_{{{ SYSCALL }}}_o_trunc_64bit_a201003_eperm_augenrules" version="1">
|
|
|
28bffe |
+ <ind:object object_ref="object_arufm_{{{ SYSCALL }}}_o_trunc_64bit_a201003_eperm_augenrules" />
|
|
|
28bffe |
+ </ind:textfilecontent54_test>
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_o_trunc_64bit_a201003_eperm_augenrules" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_o_trunc_64bit_a201003_eperm_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ comment="defined audit rule must exist" id="test_arufm_{{{ SYSCALL }}}_o_trunc_32bit_a201003_eacces_auditctl" version="1">
|
|
|
28bffe |
+ <ind:object object_ref="object_arufm_{{{ SYSCALL }}}_o_trunc_32bit_a201003_eacces_auditctl" />
|
|
|
28bffe |
+ </ind:textfilecontent54_test>
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_o_trunc_32bit_a201003_eacces_auditctl" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_o_trunc_32bit_a201003_eacces_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ comment="defined audit rule must exist" id="test_arufm_{{{ SYSCALL }}}_o_trunc_32bit_a201003_eperm_auditctl" version="1">
|
|
|
28bffe |
+ <ind:object object_ref="object_arufm_{{{ SYSCALL }}}_o_trunc_32bit_a201003_eperm_auditctl" />
|
|
|
28bffe |
+ </ind:textfilecontent54_test>
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_o_trunc_32bit_a201003_eperm_auditctl" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_o_trunc_32bit_a201003_eperm_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ comment="defined audit rule must exist" id="test_arufm_{{{ SYSCALL }}}_o_trunc_64bit_a201003_eacces_auditctl" version="1">
|
|
|
28bffe |
+ <ind:object object_ref="object_arufm_{{{ SYSCALL }}}_o_trunc_64bit_a201003_eacces_auditctl" />
|
|
|
28bffe |
+ </ind:textfilecontent54_test>
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_o_trunc_64bit_a201003_eacces_auditctl" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_o_trunc_64bit_a201003_eacces_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ comment="defined audit rule must exist" id="test_arufm_{{{ SYSCALL }}}_o_trunc_64bit_a201003_eperm_auditctl" version="1">
|
|
|
28bffe |
+ <ind:object object_ref="object_arufm_{{{ SYSCALL }}}_o_trunc_64bit_a201003_eperm_auditctl" />
|
|
|
28bffe |
+ </ind:textfilecontent54_test>
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_o_trunc_64bit_a201003_eperm_auditctl" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_o_trunc_64bit_a201003_eperm_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+</def-group>
|
|
|
28bffe |
diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..66a8ecf249
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order
|
|
|
28bffe |
@@ -0,0 +1,474 @@
|
|
|
28bffe |
+<def-group>
|
|
|
28bffe |
+ <definition class="compliance" id="audit_rules_unsuccessful_file_modification_{{{ SYSCALL }}}_rule_order" version="1">
|
|
|
28bffe |
+ <metadata>
|
|
|
28bffe |
+ <title>Ensure auditd Rules For Unauthorized Attempts To {{{ SYSCALL }}} Are Ordered Correctly</title>
|
|
|
28bffe |
+ <affected family="unix">
|
|
|
28bffe |
+ <platform>Red Hat Enterprise Linux 7</platform>
|
|
|
28bffe |
+ <platform>multi_platform_fedora</platform>
|
|
|
28bffe |
+ </affected>
|
|
|
28bffe |
+ <description>Audit rules about the information on the unsuccessful use of {{{ SYSCALL }}} is configured in the proper rule order.</description>
|
|
|
28bffe |
+
|
|
|
28bffe |
+ </metadata>
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <criteria operator="OR">
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <criteria operator="AND">
|
|
|
28bffe |
+ <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
|
|
|
28bffe |
+ <criterion comment="audit augenrules 32-bit" test_ref="test_arufm_{{{ SYSCALL }}}_order_32bit_eacces_augenrules" />
|
|
|
28bffe |
+ <criterion comment="audit augenrules 32-bit" test_ref="test_arufm_{{{ SYSCALL }}}_order_32bit_eperm_augenrules" />
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <criteria operator="OR">
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <extend_definition comment="64-bit system" definition_ref="system_info_architecture_64bit" negate="true" />
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <criteria operator="AND">
|
|
|
28bffe |
+ <criterion comment="audit augenrules 64-bit" test_ref="test_arufm_{{{ SYSCALL }}}_order_64bit_eacces_augenrules" />
|
|
|
28bffe |
+ <criterion comment="audit augenrules 64-bit" test_ref="test_arufm_{{{ SYSCALL }}}_order_64bit_eperm_augenrules" />
|
|
|
28bffe |
+ </criteria>
|
|
|
28bffe |
+ </criteria>
|
|
|
28bffe |
+ </criteria>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <criteria operator="AND">
|
|
|
28bffe |
+ <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
|
|
|
28bffe |
+ <criterion comment="audit augenrules 32-bit" test_ref="test_arufm_{{{ SYSCALL }}}_order_32bit_eacces_auditctl" />
|
|
|
28bffe |
+ <criterion comment="audit augenrules 32-bit" test_ref="test_arufm_{{{ SYSCALL }}}_order_32bit_eperm_auditctl" />
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <criteria operator="OR">
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <extend_definition comment="64-bit_system" definition_ref="system_info_architecture_64bit" negate="true" />
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <criteria operator="AND">
|
|
|
28bffe |
+ <criterion comment="audit augenrules 32-bit" test_ref="test_arufm_{{{ SYSCALL }}}_order_64bit_eacces_auditctl" />
|
|
|
28bffe |
+ <criterion comment="audit augenrules 32-bit" test_ref="test_arufm_{{{ SYSCALL }}}_order_64bit_eperm_auditctl" />
|
|
|
28bffe |
+
|
|
|
28bffe |
+ </criteria>
|
|
|
28bffe |
+ </criteria>
|
|
|
28bffe |
+ </criteria>
|
|
|
28bffe |
+
|
|
|
28bffe |
+ </criteria>
|
|
|
28bffe |
+ </definition>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <constant_variable id="var_audit_rule_{{{ SYSCALL }}}_order_32bit_head" version="1" datatype="string" comment="audit rule arch and syscal">
|
|
|
28bffe |
+ <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]*</value>
|
|
|
28bffe |
+ </constant_variable>
|
|
|
28bffe |
+ <constant_variable id="var_audit_rule_{{{ SYSCALL }}}_order_64bit_head" version="1" datatype="string" comment="audit rule arch and syscal">
|
|
|
28bffe |
+ <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]*</value>
|
|
|
28bffe |
+ </constant_variable>
|
|
|
28bffe |
+ <constant_variable id="var_audit_rule_{{{ SYSCALL }}}_order_tail" version="1" datatype="string" comment="audit rule auid and key">
|
|
|
28bffe |
+ <value>[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>
|
|
|
28bffe |
+ </constant_variable>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <constant_variable id="var_audit_rule_{{{ SYSCALL }}}_order_separator_regex" version="1" datatype="string" comment="audit rule auid and key">
|
|
|
28bffe |
+ <value>(?:[^.]|\.\s)*</value>
|
|
|
28bffe |
+ </constant_variable>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <local_variable id="var_audit_rule_{{{ SYSCALL }}}_order_32bit_a20100_eacces_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
28bffe |
+ <concat>
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_32bit_head" />
|
|
|
28bffe |
+ <literal_component>(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_tail" />
|
|
|
28bffe |
+ </concat>
|
|
|
28bffe |
+ </local_variable>
|
|
|
28bffe |
+ <local_variable id="var_audit_rule_{{{ SYSCALL }}}_order_32bit_a201003_eacces_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
28bffe |
+ <concat>
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_32bit_head" />
|
|
|
28bffe |
+ <literal_component>(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_tail" />
|
|
|
28bffe |
+ </concat>
|
|
|
28bffe |
+ </local_variable>
|
|
|
28bffe |
+ <local_variable id="var_audit_rule_{{{ SYSCALL }}}_order_32bit_eacces_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
28bffe |
+ <concat>
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_32bit_head" />
|
|
|
28bffe |
+ <literal_component>(?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_tail" />
|
|
|
28bffe |
+ </concat>
|
|
|
28bffe |
+ </local_variable>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <local_variable id="var_audit_rule_{{{ SYSCALL }}}_order_32bit_a20100_eperm_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
28bffe |
+ <concat>
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_32bit_head" />
|
|
|
28bffe |
+ <literal_component>(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_tail" />
|
|
|
28bffe |
+ </concat>
|
|
|
28bffe |
+ </local_variable>
|
|
|
28bffe |
+ <local_variable id="var_audit_rule_{{{ SYSCALL }}}_order_32bit_a201003_eperm_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
28bffe |
+ <concat>
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_32bit_head" />
|
|
|
28bffe |
+ <literal_component>(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_tail" />
|
|
|
28bffe |
+ </concat>
|
|
|
28bffe |
+ </local_variable>
|
|
|
28bffe |
+ <local_variable id="var_audit_rule_{{{ SYSCALL }}}_order_32bit_eperm_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
28bffe |
+ <concat>
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_32bit_head" />
|
|
|
28bffe |
+ <literal_component>(?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_tail" />
|
|
|
28bffe |
+ </concat>
|
|
|
28bffe |
+ </local_variable>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <local_variable id="var_audit_rule_{{{ SYSCALL }}}_order_64bit_a20100_eacces_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
28bffe |
+ <concat>
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_64bit_head" />
|
|
|
28bffe |
+ <literal_component>(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_tail" />
|
|
|
28bffe |
+ </concat>
|
|
|
28bffe |
+ </local_variable>
|
|
|
28bffe |
+ <local_variable id="var_audit_rule_{{{ SYSCALL }}}_order_64bit_a201003_eacces_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
28bffe |
+ <concat>
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_64bit_head" />
|
|
|
28bffe |
+ <literal_component>(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_tail" />
|
|
|
28bffe |
+ </concat>
|
|
|
28bffe |
+ </local_variable>
|
|
|
28bffe |
+ <local_variable id="var_audit_rule_{{{ SYSCALL }}}_order_64bit_eacces_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
28bffe |
+ <concat>
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_64bit_head" />
|
|
|
28bffe |
+ <literal_component>(?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_tail" />
|
|
|
28bffe |
+ </concat>
|
|
|
28bffe |
+ </local_variable>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <local_variable id="var_audit_rule_{{{ SYSCALL }}}_order_64bit_a20100_eperm_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
28bffe |
+ <concat>
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_64bit_head" />
|
|
|
28bffe |
+ <literal_component>(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_tail" />
|
|
|
28bffe |
+ </concat>
|
|
|
28bffe |
+ </local_variable>
|
|
|
28bffe |
+ <local_variable id="var_audit_rule_{{{ SYSCALL }}}_order_64bit_a201003_eperm_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
28bffe |
+ <concat>
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_64bit_head" />
|
|
|
28bffe |
+ <literal_component>(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_tail" />
|
|
|
28bffe |
+ </concat>
|
|
|
28bffe |
+ </local_variable>
|
|
|
28bffe |
+ <local_variable id="var_audit_rule_{{{ SYSCALL }}}_order_64bit_eperm_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
28bffe |
+ <concat>
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_64bit_head" />
|
|
|
28bffe |
+ <literal_component>(?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_tail" />
|
|
|
28bffe |
+ </concat>
|
|
|
28bffe |
+ </local_variable>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_order_32bit_a20100_eacces_augenrules" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_order_32bit_a20100_eacces_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_order_32bit_a201003_eacces_augenrules" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_order_32bit_a201003_eacces_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_order_nofilter_32bit_eacces_augenrules" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_order_32bit_eacces_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <local_variable id="var_arufm_rule_order_32bit_{{{ SYSCALL }}}_eacces_augenrules_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
28bffe |
+ <concat>
|
|
|
28bffe |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_32bit_a20100_eacces_augenrules" />
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_separator_regex" />
|
|
|
28bffe |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_32bit_a201003_eacces_augenrules" />
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_separator_regex" />
|
|
|
28bffe |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_nofilter_32bit_eacces_augenrules" />
|
|
|
28bffe |
+ </concat>
|
|
|
28bffe |
+ </local_variable>
|
|
|
28bffe |
+
|
|
|
28bffe |
+ comment="defined audit rule must exist" id="test_arufm_{{{ SYSCALL }}}_order_32bit_eacces_augenrules" version="1">
|
|
|
28bffe |
+ <ind:object object_ref="object_arufm_{{{ SYSCALL }}}_order_32bit_eacces_augenrules" />
|
|
|
28bffe |
+ </ind:textfilecontent54_test>
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_order_32bit_eacces_augenrules" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_arufm_rule_order_32bit_{{{ SYSCALL }}}_eacces_augenrules_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_order_32bit_a20100_eperm_augenrules" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_order_32bit_a20100_eperm_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_order_32bit_a201003_eperm_augenrules" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_order_32bit_a201003_eperm_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_order_nofilter_32bit_eperm_augenrules" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_order_32bit_eperm_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <local_variable id="var_arufm_rule_order_32bit_{{{ SYSCALL }}}_eperm_augenrules_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
28bffe |
+ <concat>
|
|
|
28bffe |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_32bit_a20100_eperm_augenrules" />
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_separator_regex" />
|
|
|
28bffe |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_32bit_a201003_eperm_augenrules" />
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_separator_regex" />
|
|
|
28bffe |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_nofilter_32bit_eperm_augenrules" />
|
|
|
28bffe |
+ </concat>
|
|
|
28bffe |
+ </local_variable>
|
|
|
28bffe |
+
|
|
|
28bffe |
+ comment="defined audit rule must exist" id="test_arufm_{{{ SYSCALL }}}_order_32bit_eperm_augenrules" version="1">
|
|
|
28bffe |
+ <ind:object object_ref="object_arufm_{{{ SYSCALL }}}_order_32bit_eperm_augenrules" />
|
|
|
28bffe |
+ </ind:textfilecontent54_test>
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_order_32bit_eperm_augenrules" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_arufm_rule_order_32bit_{{{ SYSCALL }}}_eperm_augenrules_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_order_64bit_a20100_eacces_augenrules" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_order_64bit_a20100_eacces_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_order_64bit_a201003_eacces_augenrules" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_order_64bit_a201003_eacces_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_order_nofilter_64bit_eacces_augenrules" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_order_64bit_eacces_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <local_variable id="var_arufm_rule_order_64bit_{{{ SYSCALL }}}_eacces_augenrules_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
28bffe |
+ <concat>
|
|
|
28bffe |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_64bit_a20100_eacces_augenrules" />
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_separator_regex" />
|
|
|
28bffe |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_64bit_a201003_eacces_augenrules" />
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_separator_regex" />
|
|
|
28bffe |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_nofilter_64bit_eacces_augenrules" />
|
|
|
28bffe |
+ </concat>
|
|
|
28bffe |
+ </local_variable>
|
|
|
28bffe |
+
|
|
|
28bffe |
+ comment="defined audit rule must exist" id="test_arufm_{{{ SYSCALL }}}_order_64bit_eacces_augenrules" version="1">
|
|
|
28bffe |
+ <ind:object object_ref="object_arufm_{{{ SYSCALL }}}_order_64bit_eacces_augenrules" />
|
|
|
28bffe |
+ </ind:textfilecontent54_test>
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_order_64bit_eacces_augenrules" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_arufm_rule_order_64bit_{{{ SYSCALL }}}_eacces_augenrules_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_order_64bit_a20100_eperm_augenrules" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_order_64bit_a20100_eperm_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_order_64bit_a201003_eperm_augenrules" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_order_64bit_a201003_eperm_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_order_nofilter_64bit_eperm_augenrules" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_order_64bit_eperm_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <local_variable id="var_arufm_rule_order_64bit_{{{ SYSCALL }}}_eperm_augenrules_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
28bffe |
+ <concat>
|
|
|
28bffe |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_64bit_a20100_eperm_augenrules" />
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_separator_regex" />
|
|
|
28bffe |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_64bit_a201003_eperm_augenrules" />
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_separator_regex" />
|
|
|
28bffe |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_nofilter_64bit_eperm_augenrules" />
|
|
|
28bffe |
+ </concat>
|
|
|
28bffe |
+ </local_variable>
|
|
|
28bffe |
+
|
|
|
28bffe |
+ comment="defined audit rule must exist" id="test_arufm_{{{ SYSCALL }}}_order_64bit_eperm_augenrules" version="1">
|
|
|
28bffe |
+ <ind:object object_ref="object_arufm_{{{ SYSCALL }}}_order_64bit_eperm_augenrules" />
|
|
|
28bffe |
+ </ind:textfilecontent54_test>
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_order_64bit_eperm_augenrules" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_arufm_rule_order_64bit_{{{ SYSCALL }}}_eperm_augenrules_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_order_32bit_a20100_eacces_auditctl" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_order_32bit_a20100_eacces_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_order_32bit_a201003_eacces_auditctl" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_order_32bit_a201003_eacces_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_order_nofilter_32bit_eacces_auditctl" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_order_32bit_eacces_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <local_variable id="var_arufm_rule_order_32bit_{{{ SYSCALL }}}_auditctl_eacces_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
28bffe |
+ <concat>
|
|
|
28bffe |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_32bit_a20100_eacces_auditctl" />
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_separator_regex" />
|
|
|
28bffe |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_32bit_a201003_eacces_auditctl" />
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_separator_regex" />
|
|
|
28bffe |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_nofilter_32bit_eacces_auditctl" />
|
|
|
28bffe |
+ </concat>
|
|
|
28bffe |
+ </local_variable>
|
|
|
28bffe |
+
|
|
|
28bffe |
+ comment="defined audit rule must exist" id="test_arufm_{{{ SYSCALL }}}_order_32bit_eacces_auditctl" version="1">
|
|
|
28bffe |
+ <ind:object object_ref="object_arufm_{{{ SYSCALL }}}_order_32bit_eacces_auditctl" />
|
|
|
28bffe |
+ </ind:textfilecontent54_test>
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_order_32bit_eacces_auditctl" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_arufm_rule_order_32bit_{{{ SYSCALL }}}_auditctl_eacces_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_order_32bit_a20100_eperm_auditctl" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_order_32bit_a20100_eperm_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_order_32bit_a201003_eperm_auditctl" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_order_32bit_a201003_eperm_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_order_nofilter_32bit_eperm_auditctl" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_order_32bit_eperm_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <local_variable id="var_arufm_rule_order_32bit_{{{ SYSCALL }}}_auditctl_eperm_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
28bffe |
+ <concat>
|
|
|
28bffe |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_32bit_a20100_eperm_auditctl" />
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_separator_regex" />
|
|
|
28bffe |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_32bit_a201003_eperm_auditctl" />
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_separator_regex" />
|
|
|
28bffe |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_nofilter_32bit_eperm_auditctl" />
|
|
|
28bffe |
+ </concat>
|
|
|
28bffe |
+ </local_variable>
|
|
|
28bffe |
+
|
|
|
28bffe |
+ comment="Test order of audit 32bit auditctl eperm rules order" id="test_arufm_{{{ SYSCALL }}}_order_32bit_eperm_auditctl" version="1">
|
|
|
28bffe |
+ <ind:object object_ref="object_arufm_{{{ SYSCALL }}}_order_32bit_eperm_auditctl" />
|
|
|
28bffe |
+ </ind:textfilecontent54_test>
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_order_32bit_eperm_auditctl" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_arufm_rule_order_32bit_{{{ SYSCALL }}}_auditctl_eperm_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_order_64bit_a20100_eacces_auditctl" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_order_64bit_a20100_eacces_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_order_64bit_a201003_eacces_auditctl" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_order_64bit_a201003_eacces_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_order_nofilter_64bit_eacces_auditctl" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_order_64bit_eacces_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <local_variable id="var_arufm_{{{ SYSCALL }}}_order_64bit_auditctl_eacces_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
28bffe |
+ <concat>
|
|
|
28bffe |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_64bit_a20100_eacces_auditctl" />
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_separator_regex" />
|
|
|
28bffe |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_64bit_a201003_eacces_auditctl" />
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_separator_regex" />
|
|
|
28bffe |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_nofilter_64bit_eacces_auditctl" />
|
|
|
28bffe |
+ </concat>
|
|
|
28bffe |
+ </local_variable>
|
|
|
28bffe |
+
|
|
|
28bffe |
+ comment="defined audit rule must exist" id="test_arufm_{{{ SYSCALL }}}_order_64bit_eacces_auditctl" version="1">
|
|
|
28bffe |
+ <ind:object object_ref="object_arufm_{{{ SYSCALL }}}_order_64bit_eacces_auditctl" />
|
|
|
28bffe |
+ </ind:textfilecontent54_test>
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_order_64bit_eacces_auditctl" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_arufm_{{{ SYSCALL }}}_order_64bit_auditctl_eacces_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_order_64bit_a20100_eperm_auditctl" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_order_64bit_a20100_eperm_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_order_64bit_a201003_eperm_auditctl" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_order_64bit_a201003_eperm_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_order_nofilter_64bit_eperm_auditctl" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_order_64bit_eperm_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <local_variable id="var_arufm_rule_order_64bit_{{{ SYSCALL }}}_auditctl_eperm_regex" version="1" datatype="string" comment="arches to audit">
|
|
|
28bffe |
+ <concat>
|
|
|
28bffe |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_64bit_a20100_eperm_auditctl" />
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_separator_regex" />
|
|
|
28bffe |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_64bit_a201003_eperm_auditctl" />
|
|
|
28bffe |
+ <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_separator_regex" />
|
|
|
28bffe |
+ <object_component item_field="text" object_ref="object_arufm_{{{ SYSCALL }}}_order_nofilter_64bit_eperm_auditctl" />
|
|
|
28bffe |
+ </concat>
|
|
|
28bffe |
+ </local_variable>
|
|
|
28bffe |
+
|
|
|
28bffe |
+ comment="defined audit rule must exist" id="test_arufm_{{{ SYSCALL }}}_order_64bit_eperm_auditctl" version="1">
|
|
|
28bffe |
+ <ind:object object_ref="object_arufm_{{{ SYSCALL }}}_order_64bit_eperm_auditctl" />
|
|
|
28bffe |
+ </ind:textfilecontent54_test>
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_order_64bit_eperm_auditctl" version="1">
|
|
|
28bffe |
+ <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match" var_ref="var_arufm_rule_order_64bit_{{{ SYSCALL }}}_auditctl_eperm_regex" />
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+</def-group>
|
|
|
28bffe |
diff --git a/ssg/build_templates.py b/ssg/build_templates.py
|
|
|
28bffe |
index 8c6a18843e..964f6802e3 100644
|
|
|
28bffe |
--- a/ssg/build_templates.py
|
|
|
28bffe |
+++ b/ssg/build_templates.py
|
|
|
28bffe |
@@ -21,6 +21,7 @@
|
|
|
28bffe |
from create_sysctl import SysctlGenerator
|
|
|
28bffe |
from create_audit_rules_dac_modification import AuditRulesDacModificationGenerator
|
|
|
28bffe |
from create_audit_rules_unsuccessful_file_modification import AuditRulesUnsuccessfulFileModificationGenerator
|
|
|
28bffe |
+from create_audit_rules_unsuccessful_file_modification_detailed import ARUFMDetailedGenerator
|
|
|
28bffe |
from create_audit_rules_file_deletion_events import AuditRulesFileDeletionEventsGenerator
|
|
|
28bffe |
from create_audit_rules_login_events import AuditRulesLoginEventsGenerator
|
|
|
28bffe |
from create_audit_rules_privileged_commands import AuditRulesPrivilegedCommandsGenerator
|
|
|
28bffe |
@@ -64,10 +65,12 @@ def __init__(self, env_yaml):
|
|
|
28bffe |
"selinux_booleans.csv": SEBoolGenerator(),
|
|
|
28bffe |
"audit_rules_dac_modification.csv": AuditRulesDacModificationGenerator(),
|
|
|
28bffe |
"audit_rules_unsuccessful_file_modification.csv": AuditRulesUnsuccessfulFileModificationGenerator(),
|
|
|
28bffe |
+ "audit_rules_unsuccessful_file_modification_detailed.csv": ARUFMDetailedGenerator(),
|
|
|
28bffe |
"audit_rules_file_deletion_events.csv": AuditRulesFileDeletionEventsGenerator(),
|
|
|
28bffe |
"audit_rules_login_events.csv": AuditRulesLoginEventsGenerator(),
|
|
|
28bffe |
"audit_rules_privileged_commands.csv": AuditRulesPrivilegedCommandsGenerator(),
|
|
|
28bffe |
"audit_rules_usergroup_modification.csv": AuditRulesUserGroupModificationGenerator(),
|
|
|
28bffe |
+ "audit_rules_usergroup_modification.csv": AuditRulesUserGroupModificationGenerator(),
|
|
|
28bffe |
"audit_rules_execution.csv": AuditRulesExecutionGenerator(),
|
|
|
28bffe |
}
|
|
|
28bffe |
self.langs = TEMPLATED_LANGUAGES
|