From 8ecd84502c677f29e250fae6518a1a0a421e264a Mon Sep 17 00:00:00 2001
From: Johnny Hughes <johnny@centos.org>
Date: Mon, 14 May 2018 14:40:52 +0000
Subject: [PATCH] Manual CentOS Debranding

---
 SOURCES/scap-security-guide-0.1.38-audit-kernel-module-loading.patch |  426 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 426 insertions(+), 0 deletions(-)

diff --git a/SOURCES/scap-security-guide-0.1.38-audit-kernel-module-loading.patch b/SOURCES/scap-security-guide-0.1.38-audit-kernel-module-loading.patch
new file mode 100644
index 0000000..5101aa7
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.38-audit-kernel-module-loading.patch
@@ -0,0 +1,426 @@
+From add7cd5c5a99e7b7d546aa0296885d7da1806d5f Mon Sep 17 00:00:00 2001
+From: Marek Haicman <mhaicman@redhat.com>
+Date: Thu, 22 Feb 2018 22:49:54 +0100
+Subject: [PATCH 1/2] Fix kernel module loading and unloading rules
+
+Fixed rule descriptions to make more sense, and fixing remediation
+of general rule to set auditing of both b32 and b64 syscalls on
+64-bit systems.
+---
+ .../bash/audit_rules_kernel_module_loading.sh      |  10 +-
+ .../audit_rules_kernel_module_loading_delete.sh    |   8 +-
+ .../bash/audit_rules_kernel_module_loading_init.sh |   8 +-
+ shared/xccdf/system/auditing.xml                   | 161 ++++++++++-----------
+ 4 files changed, 91 insertions(+), 96 deletions(-)
+
+diff --git a/shared/fixes/bash/audit_rules_kernel_module_loading.sh b/shared/fixes/bash/audit_rules_kernel_module_loading.sh
+index 12d6dd0181..268da407f7 100644
+--- a/shared/fixes/bash/audit_rules_kernel_module_loading.sh
++++ b/shared/fixes/bash/audit_rules_kernel_module_loading.sh
+@@ -5,11 +5,11 @@
+ 
+ # First perform the remediation of the syscall rule
+ # Retrieve hardware architecture of the underlying system
+-# Note: 32-bit kernel modules can't be loaded / unloaded on 64-bit kernel =>
+-#       it's not required on a 64-bit system to check also for the presence
+-#       of 32-bit's equivalent of the corresponding rule. Therefore for
+-#       each system it's enought to check presence of system's native rule form.
+-[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b64")
++# Note: 32-bit and 64-bit kernel syscall numbers not always line up =>
++#       it's required on a 64-bit system to check also for the presence
++#       of 32-bit's equivalent of the corresponding rule.
++#       (See `man 7 audit.rules` for details )
++[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+ 
+ for ARCH in "${RULE_ARCHS[@]}"
+ do
+diff --git a/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh b/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh
+index 59aadeeef8..131f1a2819 100644
+--- a/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh
++++ b/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh
+@@ -5,10 +5,10 @@
+ 
+ # First perform the remediation of the syscall rule
+ # Retrieve hardware architecture of the underlying system
+-# If the system has a 32-bit processor, only the 32-bit rule is needed.
+-# If the system has a 64-bit processor, both arch 32 and 64 need to be included in
+-# the audit file because it is not possible to know if the computer will be booted
+-# in 64 or 32 bit mode or for which architecture a binary is compiled.
++# Note: 32-bit and 64-bit kernel syscall numbers not always line up =>
++#       it's required on a 64-bit system to check also for the presence
++#       of 32-bit's equivalent of the corresponding rule.
++#       (See `man 7 audit.rules` for details )
+ [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+ 
+ for ARCH in "${RULE_ARCHS[@]}"
+diff --git a/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh b/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh
+index 04b06f9dee..c46a854068 100644
+--- a/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh
++++ b/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh
+@@ -5,10 +5,10 @@
+ 
+ # First perform the remediation of the syscall rule
+ # Retrieve hardware architecture of the underlying system
+-# If the system has a 32-bit processor, only the 32-bit rule is needed.
+-# If the system has a 64-bit processor, both arch 32 and 64 need to be included in
+-# the audit file because it is not possible to know if the computer will be booted
+-# in 64 or 32 bit mode or for which architecture a binary is compiled.
++# Note: 32-bit and 64-bit kernel syscall numbers not always line up =>
++#       it's required on a 64-bit system to check also for the presence
++#       of 32-bit's equivalent of the corresponding rule.
++#       (See `man 7 audit.rules` for details )
+ [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+ 
+ for ARCH in "${RULE_ARCHS[@]}"
+diff --git a/shared/xccdf/system/auditing.xml b/shared/xccdf/system/auditing.xml
+index 85487ee417..b68820fe9b 100644
+--- a/shared/xccdf/system/auditing.xml
++++ b/shared/xccdf/system/auditing.xml
+@@ -113,7 +113,7 @@ to establish, correlate, and investigate the events leading up to an outage or a
+ Ensuring the <tt>auditd</tt> service is active ensures audit records
+ generated by the kernel are appropriately recorded.
+ <br /><br />
+-Additionally, a properly configured audit subsystem ensures that actions of 
++Additionally, a properly configured audit subsystem ensures that actions of
+ individual system users can be uniquely traced to those users so they
+ can be held accountable for their actions.
+ </rationale>
+@@ -727,7 +727,7 @@ with limited audit storage capacity.
+ </rationale>
+ <platform idref="cpe:/a:machine" />
+ <ident cce="80541-6"/>
+-<oval id="auditd_audispd_configure_remote_server" value="var_audispd_remote_server" /> 
++<oval id="auditd_audispd_configure_remote_server" value="var_audispd_remote_server" />
+ <ref disa="1851" nist="" srg="SRG-OS-000342-GPOS-00133" stigid="030300"/>
+ </Rule>
+ 
+@@ -3401,42 +3401,40 @@ of what was executed on the system, as well as, for accountability purposes.</ra
+ 
+ <Group id="audit_kernel_module_loading">
+ <title>Record Information on Kernel Modules Loading and Unloading</title>
+-<description>If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt> program
+-to read audit rules during daemon startup (the default), add the following lines to a file
+-with suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt> to capture kernel module
+-loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
+-<pre>-w /usr/sbin/insmod -p x -k modules
+--w /usr/sbin/rmmod -p x -k modules
+--w /usr/sbin/modprobe -p x -k modules
+--a always,exit -F arch=<i>ARCH</i> -S init_module,delete_module -F key=modules</pre>
+-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility to read audit
+-rules during daemon startup, add the following lines to <tt>/etc/audit/audit.rules</tt> file
+-in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
+-b64 as appropriate for your system:
+-<pre>-w /usr/sbin/insmod -p x -k modules
++<description>To capture kernel module loading and unloading events, use following lines, setting ARCH to
++either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
++<pre>
++-w /usr/sbin/insmod -p x -k modules
+ -w /usr/sbin/rmmod -p x -k modules
+ -w /usr/sbin/modprobe -p x -k modules
+--a always,exit -F arch=<i>ARCH</i> -S init_module,delete_module -F key=modules</pre>
++-a always,exit -F arch=<i>ARCH</i> -S init_module,delete_module -F key=modules
++</pre>
++
++Place to add the lines depends on a way <tt>auditd</tt> daemon is configured. If it is configured
++to use the <tt>augenrules</tt> program (the default), add the lines to a file with suffix
++<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
++
++If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility,
++add the lines to file <tt>/etc/audit/audit.rules</tt>.
+ </description>
+ 
+ <Rule id="audit_rules_kernel_module_loading" severity="medium" prodtype="rhel7">
+ <title>Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading</title>
+-<description>If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt> program
+-to read audit rules during daemon startup (the default), add the following lines to a file
+-with suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt> to capture kernel module
+-loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
+-<pre>-w /usr/sbin/insmod -p x -k modules
+--w /usr/sbin/rmmod -p x -k modules
+--w /usr/sbin/modprobe -p x -k modules
+--a always,exit -F arch=<i>ARCH</i> -S init_module -S delete_module -k modules</pre>
+-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility to read audit
+-rules during daemon startup, add the following lines to <tt>/etc/audit/audit.rules</tt> file
+-in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
+-b64 as appropriate for your system:
+-<pre>-w /usr/sbin/insmod -p x -k modules
++<description>To capture kernel module loading and unloading events, use following lines, setting ARCH to
++either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
++<pre>
++-w /usr/sbin/insmod -p x -k modules
+ -w /usr/sbin/rmmod -p x -k modules
+ -w /usr/sbin/modprobe -p x -k modules
+--a always,exit -F arch=<i>ARCH</i> -S init_module -S delete_module -k modules</pre>
++-a always,exit -F arch=<i>ARCH</i> -S init_module,delete_module -F key=modules
++</pre>
++
++Place to add the lines depends on a way <tt>auditd</tt> daemon is configured. If it is configured
++to use the <tt>augenrules</tt> program (the default), add the lines to a file with suffix
++<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
++
++If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility,
++add the lines to file <tt>/etc/audit/audit.rules</tt>.
+ </description>
+ <ocil>
+ <audit-syscall-check-macro syscall="init_module" />
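Review bot: The syscall line in the rewritten Group and Rule descriptions audits only `init_module` and `delete_module`, so a module loaded through `finit_module` leaves no syscall record; kmod-based `insmod` and `modprobe` normally use that call where the kernel offers it. Consider `-a always,exit -F arch=<i>ARCH</i> -S init_module,finit_module,delete_module -F key=modules` in both descriptions, with an OCIL check for `finit_module` next to the existing `init_module` one. The three remediation scripts patched earlier in this series would need the same syscall, but their loop bodies lie outside the hunks, so what they actually write cannot be confirmed from here. The Rule element continues past the end of this hunk.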
+@@ -3452,22 +3450,22 @@ to have an audit trail of modules that have been introduced into the kernel.</ra
+ </Rule>
+ 
+ <Rule id="audit_rules_kernel_module_loading_init" severity="medium" prodtype="rhel7">
+-<title>Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading - init_module</title>
+-<description>If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt> program
+-to read audit rules during daemon startup (the default), add the following lines to a file
+-with suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt> to capture kernel module
+-loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
+-<pre>-a always,exit -F arch=<i>ARCH</i> -S init_module -F key=modules</pre>
+-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility to read audit
+-rules during daemon startup, add the following lines to <tt>/etc/audit/audit.rules</tt> file
+-in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
+-b64 as appropriate for your system:
++<title>Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading - init_module</title>
++<description>To capture kernel module loading events, use following line, setting ARCH to
++either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
+ <pre>-a always,exit -F arch=<i>ARCH</i> -S init_module -F key=modules</pre>
++
++Place to add the line depends on a way <tt>auditd</tt> daemon is configured. If it is configured
++to use the <tt>augenrules</tt> program (the default), add the line to a file with suffix
++<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
++
++If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility,
++add the line to file <tt>/etc/audit/audit.rules</tt>.
+ </description>
+ <ocil>
+ <audit-syscall-check-macro syscall="init_module" />
+ </ocil>
+-<rationale>The addition/removal of kernel modules can be used to alter the behavior of
++<rationale>The addition of kernel modules can be used to alter the behavior of
+ the kernel and potentially introduce malicious code into kernel space. It is important
+ to have an audit trail of modules that have been introduced into the kernel.</rationale>
+ <platform idref="cpe:/a:machine" />
+@@ -3478,22 +3476,22 @@ to have an audit trail of modules that have been introduced into the kernel.</ra
+ </Rule>
+ 
+ <Rule id="audit_rules_kernel_module_loading_delete" severity="medium" prodtype="rhel7">
+-<title>Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading - delete_module</title>
+-<description>If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt> program
+-to read audit rules during daemon startup (the default), add the following lines to a file
+-with suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt> to capture kernel module
+-loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
+-<pre>-a always,exit -F arch=<i>ARCH</i> -S delete_module -F key=modules</pre>
+-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility to read audit
+-rules during daemon startup, add the following lines to <tt>/etc/audit/audit.rules</tt> file
+-in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
+-b64 as appropriate for your system:
++<title>Ensure <tt>auditd</tt> Collects Information on Kernel Module Unloading - delete_module</title>
++<description>To capture kernel module unloading events, use following line, setting ARCH to
++either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
+ <pre>-a always,exit -F arch=<i>ARCH</i> -S delete_module -F key=modules</pre>
++
++Place to add the line depends on a way <tt>auditd</tt> daemon is configured. If it is configured
++to use the <tt>augenrules</tt> program (the default), add the line to a file with suffix
++<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
++
++If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility,
++add the line to file <tt>/etc/audit/audit.rules</tt>.
+ </description>
+ <ocil>
+ <audit-syscall-check-macro syscall="delete_module" />
+ </ocil>
+-<rationale>The addition/removal of kernel modules can be used to alter the behavior of
++<rationale>The removal of kernel modules can be used to alter the behavior of
+ the kernel and potentially introduce malicious code into kernel space. It is important
+ to have an audit trail of modules that have been introduced into the kernel.</rationale>
+ <platform idref="cpe:/a:machine" />
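Review bot: The rationale for the `delete_module` rule now opens with removal but still argues from loading: "potentially introduce malicious code into kernel space" and "modules that have been introduced into the kernel" do not describe an unload event. State the unloading risk directly, for example `The removal of kernel modules can be used to alter the behavior of the kernel, such as by unloading a module that enforces or monitors security policy. It is important to have an audit trail of modules that have been removed from the kernel.` The rmmod rule's rationale in a later hunk of this file carries the same wording and should get the same change.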
+@@ -3504,23 +3502,22 @@ to have an audit trail of modules that have been introduced into the kernel.</ra
+ </Rule>
+ 
+ <Rule id="audit_rules_kernel_module_loading_insmod" severity="medium" prodtype="rhel7">
+-<title>Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading - insmod</title>
+-<description>If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt> program
+-to read audit rules during daemon startup (the default), add the following lines to a file
+-with suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt> to capture kernel module
+-loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
+-<pre>-w /usr/sbin/insmod -p x -k modules</pre>
+-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility to read audit
+-rules during daemon startup, add the following lines to <tt>/etc/audit/audit.rules</tt> file
+-in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
+-b64 as appropriate for your system:
++<title>Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading - insmod</title>
++<description>To capture invocation of insmod, utility used to insert modules into kernel,
++use the following line:
+ <pre>-w /usr/sbin/insmod -p x -k modules</pre>
++Place to add the line depends on a way <tt>auditd</tt> daemon is configured. If it is configured
++to use the <tt>augenrules</tt> program (the default), add the line to a file with suffix
++<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
++
++If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility,
++add the line to file <tt>/etc/audit/audit.rules</tt>.
+ </description>
+ <ocil clause="there is not output">
+ To verify that auditing is configured for system administrator actions, run the following command:
+ <pre>$ sudo auditctl -l | grep "watch=/usr/sbin/insmod"</pre>
+ </ocil>
+-<rationale>The addition/removal of kernel modules can be used to alter the behavior of
++<rationale>The addition of kernel modules can be used to alter the behavior of
+ the kernel and potentially introduce malicious code into kernel space. It is important
+ to have an audit trail of modules that have been introduced into the kernel.</rationale>
+ <platform idref="cpe:/a:machine" />
+@@ -3531,23 +3528,22 @@ to have an audit trail of modules that have been introduced into the kernel.</ra
+ </Rule>
+ 
+ <Rule id="audit_rules_kernel_module_loading_rmmod" severity="medium" prodtype="rhel7">
+-<title>Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading - rmmod</title>
+-<description>If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt> program
+-to read audit rules during daemon startup (the default), add the following lines to a file
+-with suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt> to capture kernel module
+-loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
+-<pre>-w /usr/sbin/rmmod -p x -k modules</pre>
+-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility to read audit
+-rules during daemon startup, add the following lines to <tt>/etc/audit/audit.rules</tt> file
+-in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
+-b64 as appropriate for your system:
++<title>Ensure <tt>auditd</tt> Collects Information on Kernel Module Unloading - rmmod</title>
++<description>To capture invocation of rmmod, utility used to remove modules from kernel,
++add the following line:
+ <pre>-w /usr/sbin/rmmod -p x -k modules</pre>
++Place to add the line depends on a way <tt>auditd</tt> daemon is configured. If it is configured
++to use the <tt>augenrules</tt> program (the default), add the line to a file with suffix
++<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
++
++If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility,
++add the line to file <tt>/etc/audit/audit.rules</tt>.
+ </description>
+ <ocil clause="there is not output">
+ To verify that auditing is configured for system administrator actions, run the following command:
+ <pre>$ sudo auditctl -l | grep "watch=/usr/sbin/rmmod"</pre>
+ </ocil>
+-<rationale>The addition/removal of kernel modules can be used to alter the behavior of
++<rationale>The removal of kernel modules can be used to alter the behavior of
+ the kernel and potentially introduce malicious code into kernel space. It is important
+ to have an audit trail of modules that have been introduced into the kernel.</rationale>
+ <platform idref="cpe:/a:machine" />
+@@ -3559,16 +3555,15 @@ to have an audit trail of modules that have been introduced into the kernel.</ra
+ 
+ <Rule id="audit_rules_kernel_module_loading_modprobe" severity="medium" prodtype="rhel7">
+ <title>Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading - modprobe</title>
+-<description>If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt> program
+-to read audit rules during daemon startup (the default), add the following lines to a file
+-with suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt> to capture kernel module
+-loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
+-<pre>-w /usr/sbin/modprobe -p x -k modules</pre>
+-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility to read audit
+-rules during daemon startup, add the following lines to <tt>/etc/audit/audit.rules</tt> file
+-in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
+-b64 as appropriate for your system:
++<description>To capture invocation of modprobe, utility used to insert / remove modules from kernel,
++add the following line:
+ <pre>-w /usr/sbin/modprobe -p x -k modules</pre>
++Place to add the line depends on a way <tt>auditd</tt> daemon is configured. If it is configured
++to use the <tt>augenrules</tt> program (the default), add the line to a file with suffix
++<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
++
++If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility,
++add the line to file <tt>/etc/audit/audit.rules</tt>.
+ </description>
+ <ocil clause="there is not output">
+ To verify that auditing is configured for system administrator actions, run the following command:
+
+From 2a9d3771707c7db41861dbf3ca03c8a455481ba8 Mon Sep 17 00:00:00 2001
+From: Marek Haicman <mhaicman@redhat.com>
+Date: Thu, 22 Feb 2018 23:13:29 +0100
+Subject: [PATCH 2/2] Add basic tests for kernel module loading and unloading
+ rules
+
+---
+ .../rule_audit_rules_kernel_module_loading/default.fail.sh         | 7 +++++++
+ .../rule_audit_rules_kernel_module_loading_delete/default.fail.sh  | 7 +++++++
+ .../rule_audit_rules_kernel_module_loading_init/default.fail.sh    | 7 +++++++
+ .../rule_audit_rules_kernel_module_loading_insmod/default.fail.sh  | 7 +++++++
+ .../default.fail.sh                                                | 7 +++++++
+ .../rule_audit_rules_kernel_module_loading_rmmod/default.fail.sh   | 7 +++++++
+ 6 files changed, 42 insertions(+)
+ create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading/default.fail.sh
+ create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_delete/default.fail.sh
+ create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_init/default.fail.sh
+ create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_insmod/default.fail.sh
+ create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_modprobe/default.fail.sh
+ create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_rmmod/default.fail.sh
+
+diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading/default.fail.sh
+new file mode 100644
+index 0000000000..48457258e5
+--- /dev/null
++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading/default.fail.sh
+@@ -0,0 +1,7 @@
++#!/bin/bash
++# profiles = xccdf_org.ssgproject.content_profile_C2S
++# remediation = bash
++
++rm -f /etc/audit/rules.d/*
++> /etc/audit/audit.rules
++true
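Review bot: Only a scenario that wipes every audit rule is added, so the case this series fixes, a 64-bit host that has the `b64` rule but lacks the `b32` one, is never exercised. A second fail scenario that writes just `-a always,exit -F arch=b64 -S init_module,delete_module -F key=modules` into a file under `/etc/audit/rules.d`, plus a pass scenario with both arch lines and the three watches, would pin the intended behaviour. Whether the OVAL check already requires both architectures is not visible in this patch. The same gap applies to the five other `default.fail.sh` files added below, and a comment such as `# start from an empty rule set so the rule must evaluate to fail` above the `rm -f` would make the intent of each script explicit.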
+diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_delete/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_delete/default.fail.sh
+new file mode 100644
+index 0000000000..12fe012776
+--- /dev/null
++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_delete/default.fail.sh
+@@ -0,0 +1,7 @@
++#!/bin/bash
++# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
++# remediation = bash
++
++rm -f /etc/audit/rules.d/*
++> /etc/audit/audit.rules
++true
+diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_init/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_init/default.fail.sh
+new file mode 100644
+index 0000000000..12fe012776
+--- /dev/null
++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_init/default.fail.sh
+@@ -0,0 +1,7 @@
++#!/bin/bash
++# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
++# remediation = bash
++
++rm -f /etc/audit/rules.d/*
++> /etc/audit/audit.rules
++true
+diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_insmod/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_insmod/default.fail.sh
+new file mode 100644
+index 0000000000..12fe012776
+--- /dev/null
++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_insmod/default.fail.sh
+@@ -0,0 +1,7 @@
++#!/bin/bash
++# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
++# remediation = bash
++
++rm -f /etc/audit/rules.d/*
++> /etc/audit/audit.rules
++true
+diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_modprobe/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_modprobe/default.fail.sh
+new file mode 100644
+index 0000000000..12fe012776
+--- /dev/null
++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_modprobe/default.fail.sh
+@@ -0,0 +1,7 @@
++#!/bin/bash
++# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
++# remediation = bash
++
++rm -f /etc/audit/rules.d/*
++> /etc/audit/audit.rules
++true
+diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_rmmod/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_rmmod/default.fail.sh
+new file mode 100644
+index 0000000000..12fe012776
+--- /dev/null
++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_rmmod/default.fail.sh
+@@ -0,0 +1,7 @@
++#!/bin/bash
++# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
++# remediation = bash
++
++rm -f /etc/audit/rules.d/*
++> /etc/audit/audit.rules
++true

--
Gitblit v1.8.0