diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml
index 910b8a335d..5784e5ad8f 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml
@@ -10,11 +10,11 @@ description: |-
to use the <tt>augenrules</tt> program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
- -a always,exit -F arch=b32 -S open -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify
+ -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add the following lines to
<tt>/etc/audit/audit.rules</tt> file:
- -a always,exit -F arch=b64 -S open -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify
+ -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify
|
rationale: |-
Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system.
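Review bot: The description pairs the `-F arch=b32` rule with the augenrules path and the `-F arch=b64` rule with the auditctl path, so a reader following either path installs a rule for only one architecture, while the OVAL template for this rule (`template_OVAL_audit_rules_path_syscall`) checks both a 32bit and a 64bit regex. If the rendered rule text really is one arch per section (the hunk shows only these lines), both arch lines should be listed under each path, the way the `audit_rules_unsuccessful_file_modification_open_o_creat` description does with its "If the system is 64 bit then also add the following lines" sentence. The matching description hunk in `audit_rules_etc_passwd_open/rule.yml` has the same layout.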
@@ -36,4 +36,4 @@ warnings:
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
- -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify
+ -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify
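Review bot: The warning text still says "Grouping system calls related to the same event is more efficient. See the following example:" but the new example lists a single syscall, `-S open`, so it no longer demonstrates grouping and is identical to the rule the description already gives. Because `open` carries its flags in `a1` while `openat` and `open_by_handle_at` carry them in `a2`, `open` cannot share a flag-filtered rule with the other two, and the warning should say so instead, e.g. `Note that open cannot be grouped with openat or open_by_handle_at in a single rule, because its flags argument is a1 rather than a2.` The same degenerate example appears in the warnings hunks of `audit_rules_etc_passwd_open`, `audit_rules_unsuccessful_file_modification_open_o_creat` and `audit_rules_unsuccessful_file_modification_open_o_trunc_write`.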
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml
index fbf0bd1665..81841900f0 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml
@@ -36,4 +36,4 @@ warnings:
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
- -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify
+ -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml
index 4ae6609bbc..3515398d50 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml
@@ -36,4 +36,4 @@ warnings:
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
- -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify
+ -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=group-modify
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml
index fb0f465ed4..deb20d24c5 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml
@@ -10,11 +10,11 @@ description: |-
to use the <tt>augenrules</tt> program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
- -a always,exit -F arch=b32 -S open -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
+ -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add the following lines to
<tt>/etc/audit/audit.rules</tt> file:
- -a always,exit -F arch=b64 -S open -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
+ -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
|
rationale: |-
Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system.
@@ -36,4 +36,4 @@ warnings:
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
- -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
+ -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml
index 4c489f2679..d65c9171e4 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml
@@ -36,4 +36,4 @@ warnings:
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
- -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
+ -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml
index e5decedd03..da910036b2 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml
@@ -36,4 +36,4 @@ warnings:
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
- -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
+ -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat/rule.yml
index 4e36f77912..c509cf49c3 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat/rule.yml
@@ -58,4 +58,4 @@ warnings:
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
- -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
+ -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write/rule.yml
index c5ef0ad70a..fb72b3d4f7 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write/rule.yml
@@ -57,4 +57,4 @@ warnings:
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
- -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
+ -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat/rule.yml
index 414956e43d..86e43df256 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat/rule.yml
@@ -19,13 +19,13 @@ description: |-
utility to read audit rules during daemon startup, add the rules below to
<tt>/etc/audit/audit.rules</tt> file.
|
- -a always,exit -F arch=b32 -S open -F a2&0100 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
- -a always,exit -F arch=b32 -S open -F a2&0100 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
+ -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
+ -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
|
If the system is 64 bit then also add the following lines:
|
- -a always,exit -F arch=b64 -S open -F a2&0100 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
- -a always,exit -F arch=b64 -S open -F a2&0100 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
+ -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
+ -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
|
|
rationale: |-
@@ -58,4 +58,4 @@ warnings:
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
- -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
+ -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write/rule.yml
index 0108be7bb6..a05b8127b2 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write/rule.yml
@@ -18,13 +18,13 @@ description: |-
utility to read audit rules during daemon startup, add the rules below to
<tt>/etc/audit/audit.rules</tt> file.
|
- -a always,exit -F arch=b32 -S open -F a2&01003 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
- -a always,exit -F arch=b32 -S open -F a2&01003 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
+ -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
+ -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
|
If the system is 64 bit then also add the following lines:
|
- -a always,exit -F arch=b64 -S open -F a2&01003 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
- -a always,exit -F arch=b64 -S open -F a2&01003 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
+ -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
+ -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
|
|
rationale: |-
@@ -57,4 +57,4 @@ warnings:
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
- -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
+ -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order/rule.yml
index 64e7389981..6f792a5d73 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order/rule.yml
@@ -21,19 +21,19 @@ description: |-
utility to read audit rules during daemon startup, check the order of rules below in
<tt>/etc/audit/audit.rules</tt> file.
|
- -a always,exit -F arch=b32 -S open -F a2&0100 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
- -a always,exit -F arch=b32 -S open -F a2&0100 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
- -a always,exit -F arch=b32 -S open -F a2&01003 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
- -a always,exit -F arch=b32 -S open -F a2&01003 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
+ -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
+ -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
+ -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
+ -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-access
|
If the system is 64 bit then also add the following lines:
|
- -a always,exit -F arch=b64 -S open -F a2&0100 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
- -a always,exit -F arch=b64 -S open -F a2&0100 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
- -a always,exit -F arch=b64 -S open -F a2&01003 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
- -a always,exit -F arch=b64 -S open -F a2&01003 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
+ -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
+ -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
+ -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
+ -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-access
|
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_creat/rule.yml
index 593cb7eeb6..94eed06377 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_creat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_creat/rule.yml
@@ -58,4 +58,4 @@ warnings:
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
- -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
+ -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-create
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_trunc_write/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_trunc_write/rule.yml
index 7d2343544d..9875ae1215 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_trunc_write/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_trunc_write/rule.yml
@@ -57,4 +57,4 @@ warnings:
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
- -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
+ -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>={{{ auid }}} -F auid!=unset -F key=unsuccesful-modification
diff --git a/shared/templates/create_audit_rules_path_syscall.py b/shared/templates/create_audit_rules_path_syscall.py
index 0283bf439c..9ab984491e 100644
--- a/shared/templates/create_audit_rules_path_syscall.py
+++ b/shared/templates/create_audit_rules_path_syscall.py
@@ -11,7 +11,7 @@
|
class AuditRulesPathSyscallGenerator(FilesGenerator):
def generate(self, target, args):
- path,syscall = args[0:2]
+ path,syscall,pos = args[0:3]
pathid = re.sub('[-\./]', '_', path)
# remove root slash made into '_'
pathid = pathid[1:]
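Review bot: `path,syscall,pos = args[0:3]` raises a bare ValueError with no row information when a CSV line has fewer than three fields, and `pos` is then substituted verbatim into the OVAL regex in `template_OVAL_audit_rules_path_syscall` (`(?:-F[\s]+{{{ POS }}}&03)`), so a typo such as `a 1` or `a4` produces a pattern that is malformed or can never match, with no error at generation time. Validate the field right after the unpack: `if not re.match(r'^a[0-3]$', pos):` / `    raise ValueError("invalid pos %r for %s,%s" % (pos, path, syscall))`; `re` is already used on the next line. The `generate` body continues outside the hunk.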
@@ -21,7 +21,8 @@ def generate(self, target, args):
{
"PATH": path,
"PATHID": pathid,
- "SYSCALL": syscall
+ "SYSCALL": syscall,
+ "POS": pos
},
"./oval/audit_rules_{0}_{1}.xml", pathid, syscall
)
@@ -30,4 +31,4 @@ def generate(self, target, args):
|
def csv_format(self):
return("CSV should contains lines of the format: " +
- "PATH,SYSCALL")
+ "PATH,SYSCALL,POS")
diff --git a/shared/templates/create_audit_rules_unsuccessful_file_modification_detailed.py b/shared/templates/create_audit_rules_unsuccessful_file_modification_detailed.py
index c14c35a381..5afed5993d 100644
--- a/shared/templates/create_audit_rules_unsuccessful_file_modification_detailed.py
+++ b/shared/templates/create_audit_rules_unsuccessful_file_modification_detailed.py
@@ -14,26 +14,29 @@
|
class ARUFMDetailedGenerator(FilesGenerator):
def generate(self, target, args):
- syscall = re.sub('[-\./]', '_', args[0])
+ syscall,pos = args[0:2]
if target == "oval":
self.file_from_template(
"./template_OVAL_audit_rules_unsuccessful_file_modification_o_creat",
{
- "SYSCALL": syscall
+ "SYSCALL": syscall,
+ "POS": pos
},
"./oval/audit_rules_unsuccessful_file_modification_{0}_o_creat.xml", syscall
)
self.file_from_template(
"./template_OVAL_audit_rules_unsuccessful_file_modification_o_trunc_write",
{
- "SYSCALL": syscall
+ "SYSCALL": syscall,
+ "POS": pos
},
"./oval/audit_rules_unsuccessful_file_modification_{0}_o_trunc_write.xml", syscall
)
self.file_from_template(
"./template_OVAL_audit_rules_unsuccessful_file_modification_rule_order",
{
- "SYSCALL": syscall
+ "SYSCALL": syscall,
+ "POS": pos
},
"./oval/audit_rules_unsuccessful_file_modification_{0}_rule_order.xml", syscall
)
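Review bot: The new `syscall,pos = args[0:2]` silently drops the `re.sub('[-\./]', '_', ...)` sanitisation the old line applied to the syscall name, which is still used verbatim in the generated file names (`./oval/audit_rules_unsuccessful_file_modification_{0}_o_creat.xml` and the two below it) and presumably in the OVAL ids inside those templates. The current CSV values contain no such characters, so this is harmless today, but if the drop is intentional it deserves a one-line comment, and if not, keep it: `syscall, pos = args[0:2]` / `syscall = re.sub('[-\./]', '_', syscall)`; otherwise `re` may now be an unused import in this file. `pos` is likewise passed through unvalidated, so the `^a[0-3]$` check suggested for `create_audit_rules_path_syscall.py` belongs here too. The `generate` body continues outside the hunk.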
diff --git a/shared/templates/csv/audit_rules_path_syscall.csv b/shared/templates/csv/audit_rules_path_syscall.csv
index 015f02f58d..3738369e7e 100644
--- a/shared/templates/csv/audit_rules_path_syscall.csv
+++ b/shared/templates/csv/audit_rules_path_syscall.csv
@@ -2,10 +2,11 @@
# <path>,<syscall>
# - path is the absolute path to watch
# - syscall is the syscall to wath the path for
+# - pos is the position of syscall parameter with flags (in audit format)
|
-/etc/passwd,open
-/etc/passwd,openat
-/etc/passwd,open_by_handle_at
-/etc/group,open
-/etc/group,openat
-/etc/group,open_by_handle_at
+/etc/passwd,open,a1
+/etc/passwd,openat,a2
+/etc/passwd,open_by_handle_at,a2
+/etc/group,open,a1
+/etc/group,openat,a2
+/etc/group,open_by_handle_at,a2
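Review bot: The format line at the top of the hunk, `# <path>,<syscall>`, was not updated when the `pos` field was added, so the header now describes a field it does not list; change it to `# <path>,<syscall>,<pos>`. The new description would also be more useful if it named the accepted values, e.g. `# - pos is the audit argument field (a0..a3) of the syscall argument that carries the open flags, e.g. a1 for open, a2 for openat`. The same mismatch exists in `audit_rules_unsuccessful_file_modification_detailed.csv`, whose format line still reads `# <syscall>`.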
diff --git a/shared/templates/csv/audit_rules_unsuccessful_file_modification_detailed.csv b/shared/templates/csv/audit_rules_unsuccessful_file_modification_detailed.csv
index 97d5c04e14..99d007048f 100644
--- a/shared/templates/csv/audit_rules_unsuccessful_file_modification_detailed.csv
+++ b/shared/templates/csv/audit_rules_unsuccessful_file_modification_detailed.csv
@@ -1,7 +1,8 @@
# format:
# <syscall>
# - syscall is the syscall to generate detailed rules for
+# - pos is the position of syscall parameter with flags (in audit format)
|
-open
-openat
-open_by_handle_at
+open,a1
+openat,a2
+open_by_handle_at,a2
diff --git a/shared/templates/template_OVAL_audit_rules_path_syscall b/shared/templates/template_OVAL_audit_rules_path_syscall
index b720091f5b..3e5db49b54 100644
--- a/shared/templates/template_OVAL_audit_rules_path_syscall
+++ b/shared/templates/template_OVAL_audit_rules_path_syscall
@@ -46,11 +46,11 @@
|
|
<constant_variable id="var_audit_rule_32bit_{{{ SYSCALL }}}_write_{{{ PATHID }}}_regex" version="1" datatype="string" comment="audit rule arch and syscal">
- <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)({{{ SYSCALL }}})(?:|(?:,[\S]+)+))[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path={{{ PATH }}})[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>
+ <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)({{{ SYSCALL }}})(?:|(?:,[\S]+)+))[\s]+(?:-F[\s]+{{{ POS }}}&03)[\s]+(?:-F[\s]+path={{{ PATH }}})[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>
</constant_variable>
|
<constant_variable id="var_audit_rule_64bit_{{{ SYSCALL }}}_write_{{{ PATHID }}}_regex" version="1" datatype="string" comment="audit rule arch and syscal">
- <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)({{{ SYSCALL }}})(?:|(?:,[\S]+)+))[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path={{{ PATH }}})[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>
+ <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)({{{ SYSCALL }}})(?:|(?:,[\S]+)+))[\s]+(?:-F[\s]+{{{ POS }}}&03)[\s]+(?:-F[\s]+path={{{ PATH }}})[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>
</constant_variable>
|
|
diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_creat b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_creat
index 8b3e9970e2..9d31e8a14b 100644
--- a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_creat
+++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_creat
@@ -17,16 +17,16 @@
|
|
|
575137 |
|
|
|
575137 |
<criteria operator="AND">
|
|
|
575137 |
<extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
|
|
|
575137 |
- <criterion comment="Verify audit rule {{{ SYSCALL }}} 32bit a2&0100 eacces augenrules exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_creat_32bit_a20100_eacces_augenrules" />
|
|
|
575137 |
- <criterion comment="Verify audit rule {{{ SYSCALL }}} 32bit a2&0100 eperm augenrules exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_creat_32bit_a20100_eperm_augenrules" />
|
|
|
575137 |
+ <criterion comment="Verify audit rule {{{ SYSCALL }}} 32bit {{{ POS }}}&0100 eacces augenrules exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_creat_32bit_a20100_eacces_augenrules" />
|
|
|
575137 |
+ <criterion comment="Verify audit rule {{{ SYSCALL }}} 32bit {{{ POS }}}&0100 eperm augenrules exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_creat_32bit_a20100_eperm_augenrules" />
|
|
|
575137 |
|
|
|
575137 |
<criteria operator="OR">
|
|
|
575137 |
|
|
|
575137 |
<extend_definition comment="64-bit system" definition_ref="system_info_architecture_64bit" negate="true" />
|
|
|
575137 |
|
|
|
575137 |
<criteria operator="AND">
|
|
|
575137 |
- <criterion comment="Verify audit rule {{{ SYSCALL }}} 64bit a2&0100 eacces augenrules exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_creat_64bit_a20100_eacces_augenrules" />
|
|
|
575137 |
- <criterion comment="Verify audit rule {{{ SYSCALL }}} 64bit a2&0100 eperm augenrules exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_creat_64bit_a20100_eperm_augenrules" />
|
|
|
575137 |
+ <criterion comment="Verify audit rule {{{ SYSCALL }}} 64bit {{{ POS }}}&0100 eacces augenrules exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_creat_64bit_a20100_eacces_augenrules" />
|
|
|
575137 |
+ <criterion comment="Verify audit rule {{{ SYSCALL }}} 64bit {{{ POS }}}&0100 eperm augenrules exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_creat_64bit_a20100_eperm_augenrules" />
|
|
|
575137 |
</criteria>
|
|
|
575137 |
</criteria>
|
|
|
575137 |
</criteria>
|
|
|
575137 |
@@ -34,16 +34,16 @@
|
|
|
575137 |
|
|
|
575137 |
<criteria operator="AND">
|
|
|
575137 |
<extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
|
|
|
575137 |
- <criterion comment="Verify audit rule {{{ SYSCALL }}} 32bit a2&0100 eacces auditctl exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_creat_32bit_a20100_eacces_auditctl" />
|
|
|
575137 |
- <criterion comment="Verify audit rule {{{ SYSCALL }}} 32bit a2&0100 eperm auditctl exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_creat_32bit_a20100_eperm_auditctl" />
|
|
|
575137 |
+ <criterion comment="Verify audit rule {{{ SYSCALL }}} 32bit {{{ POS }}}&0100 eacces auditctl exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_creat_32bit_a20100_eacces_auditctl" />
|
|
|
575137 |
+ <criterion comment="Verify audit rule {{{ SYSCALL }}} 32bit {{{ POS }}}&0100 eperm auditctl exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_creat_32bit_a20100_eperm_auditctl" />
|
|
|
575137 |
|
|
|
575137 |
<criteria operator="OR">
|
|
|
575137 |
|
|
|
575137 |
<extend_definition comment="64-bit_system" definition_ref="system_info_architecture_64bit" negate="true" />
|
|
|
575137 |
|
|
|
575137 |
<criteria operator="AND">
|
|
|
575137 |
- <criterion comment="Verify audit rule {{{ SYSCALL }}} 64bit a2&0100 eacces auditctl exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_creat_64bit_a20100_eacces_auditctl" />
|
|
|
575137 |
- <criterion comment="Verify audit rule {{{ SYSCALL }}} 64bit a2&0100 eperm auditctl exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_creat_64bit_a20100_eperm_auditctl" />
|
|
|
575137 |
+ <criterion comment="Verify audit rule {{{ SYSCALL }}} 64bit {{{ POS }}}&0100 eacces auditctl exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_creat_64bit_a20100_eacces_auditctl" />
|
|
|
575137 |
+ <criterion comment="Verify audit rule {{{ SYSCALL }}} 64bit {{{ POS }}}&0100 eperm auditctl exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_creat_64bit_a20100_eperm_auditctl" />
|
|
|
575137 |
|
|
|
575137 |
</criteria>
|
|
|
575137 |
</criteria>
|
|
|
575137 |
@@ -72,7 +72,7 @@
|
|
|
575137 |
<local_variable id="var_audit_rule_{{{ SYSCALL }}}_o_creat_32bit_a20100_eacces_regex" version="1" datatype="string" comment="Expression to match 32bit {{{ SYSCALL }}} O_CREAT EACCES syscall">
|
|
|
575137 |
<concat>
|
|
|
575137 |
<variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_o_creat_32bit_head" />
|
|
|
575137 |
- <literal_component>(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
|
|
|
575137 |
+ <literal_component>(?:-F\s+{{{ POS }}}&0100)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
|
|
|
575137 |
<variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_o_creat_tail" />
|
|
|
575137 |
</concat>
|
|
|
575137 |
</local_variable>
|
|
|
575137 |
@@ -81,7 +81,7 @@
|
|
|
575137 |
<local_variable id="var_audit_rule_{{{ SYSCALL }}}_o_creat_32bit_a20100_eperm_regex" version="1" datatype="string" comment="Expression to match 32bit {{{ SYSCALL }}} O_CREAT EPERM syscall">
|
|
|
575137 |
<concat>
|
|
|
575137 |
<variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_o_creat_32bit_head" />
|
|
|
575137 |
- <literal_component>(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
|
|
|
575137 |
+ <literal_component>(?:-F\s+{{{ POS }}}&0100)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
|
|
|
575137 |
<variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_o_creat_tail" />
|
|
|
575137 |
</concat>
|
|
|
575137 |
</local_variable>
|
|
|
575137 |
@@ -90,7 +90,7 @@
|
|
|
575137 |
<local_variable id="var_audit_rule_{{{ SYSCALL }}}_o_creat_64bit_a20100_eacces_regex" version="1" datatype="string" comment="Expression to match 64bit {{{ SYSCALL }}} O_CREAT EACCES syscall">
|
|
|
575137 |
<concat>
|
|
|
575137 |
<variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_o_creat_64bit_head" />
|
|
|
575137 |
- <literal_component>(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
|
|
|
575137 |
+ <literal_component>(?:-F\s+{{{ POS }}}&0100)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
|
|
|
575137 |
<variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_o_creat_tail" />
|
|
|
575137 |
</concat>
|
|
|
575137 |
</local_variable>
|
|
|
575137 |
@@ -99,7 +99,7 @@
|
|
|
575137 |
<local_variable id="var_audit_rule_{{{ SYSCALL }}}_o_creat_64bit_a20100_eperm_regex" version="1" datatype="string" comment="Expression to match 32bit {{{ SYSCALL }}} O_CREAT EPERM syscall">
|
|
|
575137 |
<concat>
|
|
|
575137 |
<variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_o_creat_64bit_head" />
|
|
|
575137 |
- <literal_component>(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
|
|
|
575137 |
+ <literal_component>(?:-F\s+{{{ POS }}}&0100)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
|
|
|
575137 |
<variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_o_creat_tail" />
|
|
|
575137 |
</concat>
|
|
|
575137 |
</local_variable>
|
|
|
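Review bot: The criterion test_ref ids and the local_variable ids in this file still hardcode the argument position (`test_arufm_{{{ SYSCALL }}}_o_creat_32bit_a20100_eacces_augenrules`, `var_audit_rule_{{{ SYSCALL }}}_o_creat_32bit_a20100_eacces_regex`) while the comments and regexes on the same lines now take it from `{{{ POS }}}`, so a syscall rendered with POS=a1 gets ids that read as a2 checks. The ids stay unique per SYSCALL so nothing breaks, but rendering the segment as `{{{ POS }}}0100` (in the test definitions outside this hunk as well) would keep id and content in step; the same applies to the o_trunc_write and rule_order templates in this commit. The `_o_creat_64bit_a20100_eperm_regex` variable's comment still says "32bit" and should read "64bit". I could not see where POS is declared; if an invocation omitted it the regex would render as `-F\s+&0100` and never match, so confirm the template marks POS as required or gives it a default.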
575137 |
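--- a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_trunc_write
+++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_trunc_write
@@ -17,16 +17,16 @@
 
 <criteria operator="AND">
 <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
- <criterion comment="Verify audit rule {{{ SYSCALL }}} 32bit a2&01003 eacces augenrules exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_trunc_32bit_a201003_eacces_augenrules" />
- <criterion comment="Verify audit rule {{{ SYSCALL }}} 32bit a2&01003 eperm augenrules exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_trunc_32bit_a201003_eperm_augenrules" />
+ <criterion comment="Verify audit rule {{{ SYSCALL }}} 32bit {{{ POS }}}&01003 eacces augenrules exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_trunc_32bit_a201003_eacces_augenrules" />
+ <criterion comment="Verify audit rule {{{ SYSCALL }}} 32bit {{{ POS }}}&01003 eperm augenrules exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_trunc_32bit_a201003_eperm_augenrules" />
 
 <criteria operator="OR">
 
 <extend_definition comment="64-bit system" definition_ref="system_info_architecture_64bit" negate="true" />
 
 <criteria operator="AND">
- <criterion comment="Verify audit rule {{{ SYSCALL }}} 64bit a2&01003 eacces augenrules exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_trunc_64bit_a201003_eacces_augenrules" />
- <criterion comment="Verify audit rule {{{ SYSCALL }}} 64bit a2&01003 eperm augenrules exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_trunc_64bit_a201003_eperm_augenrules" />
+ <criterion comment="Verify audit rule {{{ SYSCALL }}} 64bit {{{ POS }}}&01003 eacces augenrules exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_trunc_64bit_a201003_eacces_augenrules" />
+ <criterion comment="Verify audit rule {{{ SYSCALL }}} 64bit {{{ POS }}}&01003 eperm augenrules exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_trunc_64bit_a201003_eperm_augenrules" />
 </criteria>
 </criteria>
 </criteria>
@@ -34,16 +34,16 @@
 
 <criteria operator="AND">
 <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
- <criterion comment="Verify audit rule {{{ SYSCALL }}} 32bit a2&01003 eacces auditctl exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_trunc_32bit_a201003_eacces_auditctl" />
- <criterion comment="Verify audit rule {{{ SYSCALL }}} 32bit a2&01003 eperm auditctl exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_trunc_32bit_a201003_eperm_auditctl" />
+ <criterion comment="Verify audit rule {{{ SYSCALL }}} 32bit {{{ POS }}}&01003 eacces auditctl exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_trunc_32bit_a201003_eacces_auditctl" />
+ <criterion comment="Verify audit rule {{{ SYSCALL }}} 32bit {{{ POS }}}&01003 eperm auditctl exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_trunc_32bit_a201003_eperm_auditctl" />
 
 <criteria operator="OR">
 
 <extend_definition comment="64-bit_system" definition_ref="system_info_architecture_64bit" negate="true" />
 
 <criteria operator="AND">
- <criterion comment="Verify audit rule {{{ SYSCALL }}} 64bit a2&01003 eacces auditctl exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_trunc_64bit_a201003_eacces_auditctl" />
- <criterion comment="Verify audit rule {{{ SYSCALL }}} 64bit a2&01003 eperm auditctl exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_trunc_64bit_a201003_eperm_auditctl" />
+ <criterion comment="Verify audit rule {{{ SYSCALL }}} 64bit {{{ POS }}}&01003 eacces auditctl exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_trunc_64bit_a201003_eacces_auditctl" />
+ <criterion comment="Verify audit rule {{{ SYSCALL }}} 64bit {{{ POS }}}&01003 eperm auditctl exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_trunc_64bit_a201003_eperm_auditctl" />
 
 </criteria>
 </criteria>
@@ -72,7 +72,7 @@
 <local_variable id="var_audit_rule_{{{ SYSCALL }}}_o_trunc_32bit_a201003_eacces_regex" version="1" datatype="string" comment="Expression to match 32bit {{{ SYSCALL }}} O_TRUNC EACCES syscall">
 <concat>
 <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_o_trunc_32bit_head" />
- <literal_component>(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
+ <literal_component>(?:-F\s+{{{ POS }}}&01003)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
 <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_o_trunc_tail" />
 </concat>
 </local_variable>
@@ -81,7 +81,7 @@
 <local_variable id="var_audit_rule_{{{ SYSCALL }}}_o_trunc_32bit_a201003_eperm_regex" version="1" datatype="string" comment="Expression to match 32bit {{{ SYSCALL }}} O_TRUNC EPERM EACCES syscall">
 <concat>
 <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_o_trunc_32bit_head" />
- <literal_component>(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
+ <literal_component>(?:-F\s+{{{ POS }}}&01003)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
 <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_o_trunc_tail" />
 </concat>
 </local_variable>
@@ -90,7 +90,7 @@
 <local_variable id="var_audit_rule_{{{ SYSCALL }}}_o_trunc_64bit_a201003_eacces_regex" version="1" datatype="string" comment="Expression to match 64bit {{{ SYSCALL }}} O_TRUNC EACCES syscall">
 <concat>
 <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_o_trunc_64bit_head" />
- <literal_component>(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
+ <literal_component>(?:-F\s+{{{ POS }}}&01003)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
 <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_o_trunc_tail" />
 </concat>
 </local_variable>
@@ -99,7 +99,7 @@
 <local_variable id="var_audit_rule_{{{ SYSCALL }}}_o_trunc_64bit_a201003_eperm_regex" version="1" datatype="string" comment="Expression to match 64bit {{{ SYSCALL }}} O_TRUNC EPERM syscall">
 <concat>
 <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_o_trunc_64bit_head" />
- <literal_component>(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
+ <literal_component>(?:-F\s+{{{ POS }}}&01003)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
 <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_o_trunc_tail" />
 </concat>
 </local_variable>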
575137 |
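--- a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order
+++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order
@@ -73,14 +73,14 @@
 <local_variable id="var_audit_rule_{{{ SYSCALL }}}_order_32bit_a20100_eacces_regex" version="1" datatype="string" comment="arches to audit">
 <concat>
 <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_32bit_head" />
- <literal_component>(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
+ <literal_component>(?:-F\s+{{{ POS }}}&0100)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
 <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_tail" />
 </concat>
 </local_variable>
 <local_variable id="var_audit_rule_{{{ SYSCALL }}}_order_32bit_a201003_eacces_regex" version="1" datatype="string" comment="arches to audit">
 <concat>
 <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_32bit_head" />
- <literal_component>(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
+ <literal_component>(?:-F\s+{{{ POS }}}&01003)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
 <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_tail" />
 </concat>
 </local_variable>
@@ -96,14 +96,14 @@
 <local_variable id="var_audit_rule_{{{ SYSCALL }}}_order_32bit_a20100_eperm_regex" version="1" datatype="string" comment="arches to audit">
 <concat>
 <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_32bit_head" />
- <literal_component>(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
+ <literal_component>(?:-F\s+{{{ POS }}}&0100)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
 <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_tail" />
 </concat>
 </local_variable>
 <local_variable id="var_audit_rule_{{{ SYSCALL }}}_order_32bit_a201003_eperm_regex" version="1" datatype="string" comment="arches to audit">
 <concat>
 <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_32bit_head" />
- <literal_component>(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
+ <literal_component>(?:-F\s+{{{ POS }}}&01003)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
 <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_tail" />
 </concat>
 </local_variable>
@@ -119,14 +119,14 @@
 <local_variable id="var_audit_rule_{{{ SYSCALL }}}_order_64bit_a20100_eacces_regex" version="1" datatype="string" comment="arches to audit">
 <concat>
 <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_64bit_head" />
- <literal_component>(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
+ <literal_component>(?:-F\s+{{{ POS }}}&0100)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
 <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_tail" />
 </concat>
 </local_variable>
 <local_variable id="var_audit_rule_{{{ SYSCALL }}}_order_64bit_a201003_eacces_regex" version="1" datatype="string" comment="arches to audit">
 <concat>
 <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_64bit_head" />
- <literal_component>(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
+ <literal_component>(?:-F\s+{{{ POS }}}&01003)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
 <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_tail" />
 </concat>
 </local_variable>
@@ -142,14 +142,14 @@
 <local_variable id="var_audit_rule_{{{ SYSCALL }}}_order_64bit_a20100_eperm_regex" version="1" datatype="string" comment="arches to audit">
 <concat>
 <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_64bit_head" />
- <literal_component>(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
+ <literal_component>(?:-F\s+{{{ POS }}}&0100)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
 <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_tail" />
 </concat>
 </local_variable>
 <local_variable id="var_audit_rule_{{{ SYSCALL }}}_order_64bit_a201003_eperm_regex" version="1" datatype="string" comment="arches to audit">
 <concat>
 <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_64bit_head" />
- <literal_component>(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
+ <literal_component>(?:-F\s+{{{ POS }}}&01003)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
 <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_tail" />
 </concat>
 </local_variable>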
575137 |
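--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_correct_rule.pass.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_correct_rule.pass.sh
@@ -6,5 +6,5 @@
 # Use auditctl in RHEL7
 sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
 
-echo "-a always,exit -F arch=b32 -S open -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/audit.rules
-echo "-a always,exit -F arch=b64 -S open -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/audit.rules
+echo "-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/audit.rules
+echo "-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/audit.rules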
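--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_multiple_syscalls.pass.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-
-# profiles = xccdf_org.ssgproject.content_profile_ospp
-# remediation = none
-
-# Use auditctl in RHEL7
-sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
-
-echo "-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/audit.rules
-echo "-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/audit.rules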
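--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_wrong_dir.fail.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/auditctl_wrong_dir.fail.sh
@@ -6,5 +6,5 @@
 # Use auditctl in RHEL7
 sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
 
-echo "-a always,exit -F arch=b32 -S open -F a2&03 -F path=/etc/password -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/audit.rules
-echo "-a always,exit -F arch=b64 -S open -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/audit.rules
+echo "-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/password -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/audit.rules
+echo "-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/audit.rules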
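--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_correct_rule.pass.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_correct_rule.pass.sh
@@ -3,5 +3,5 @@
 # profiles = xccdf_org.ssgproject.content_profile_ospp
 # remediation = none
 
-echo "-a always,exit -F arch=b32 -S open -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules
-echo "-a always,exit -F arch=b64 -S open -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules
+echo "-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules
+echo "-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules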
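--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_wrong_dir.fail.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_open/augenrules_wrong_dir.fail.sh
@@ -3,5 +3,5 @@
 # profiles = xccdf_org.ssgproject.content_profile_ospp
 # remediation = none
 
-echo "-a always,exit -F arch=b32 -S open -F a2&03 -F path=/etc/password -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules
-echo "-a always,exit -F arch=b64 -S open -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules
+echo "-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/password -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules
+echo "-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules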
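--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_correct_rule.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+# remediation = none
+
+# Use auditctl in RHEL7
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+
+echo "-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/audit.rules
+echo "-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/audit.rules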
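--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_multiple_syscalls.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+# remediation = none
+
+# Use auditctl in RHEL7
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+
+echo "-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/audit.rules
+echo "-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/audit.rules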
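--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/auditctl_wrong_dir.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+# remediation = none
+
+# Use auditctl in RHEL7
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+
+echo "-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/password -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/audit.rules
+echo "-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/audit.rules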
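--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_correct_rule.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+# remediation = none
+
+echo "-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules
+echo "-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules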
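diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_escaped_gt.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_escaped_gt.fail.sh
new file mode 100644
index 0000000000..28ee5ffd9d
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_escaped_gt.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+# remediation = none
+
+echo "-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules
+echo "-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules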
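diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_wrong_dir.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_wrong_dir.fail.sh
new file mode 100644
index 0000000000..9c9ac0fad4
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/audit_path_syscall/rule_audit_rules_etc_passwd_openat/augenrules_wrong_dir.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+# remediation = none
+
+echo "-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/password -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules
+echo "-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify" >> /etc/audit/rules.d/var_log_audit.rules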
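diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/audit_open_o_creat.rules b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/audit_open_o_creat.rules
index 0a07041e63..1b4fca8722 100644
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/audit_open_o_creat.rules
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/audit_open_o_creat.rules
@@ -1,5 +1,5 @@
 ## Unsuccessful file creation (open with O_CREAT)
--a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create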
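diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/audit_open_o_trunc_write.rules b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/audit_open_o_trunc_write.rules
index 0ce682f401..7313ee8afd 100644
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/audit_open_o_trunc_write.rules
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/audit_open_o_trunc_write.rules
@@ -1,5 +1,5 @@
 ## Unsuccessful file modifications (open for write or truncate)
--a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification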
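diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/audit_openat_o_creat.rules b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/audit_openat_o_creat.rules
new file mode 100644
index 0000000000..b8b4020a58
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/audit_openat_o_creat.rules
@@ -0,0 +1,5 @@
+## Unsuccessful file creation (open with O_CREAT)
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create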
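diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/audit_openat_o_trunc_write.rules b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/audit_openat_o_trunc_write.rules
new file mode 100644
index 0000000000..21083847d8
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/audit_openat_o_trunc_write.rules
@@ -0,0 +1,5 @@
+## Unsuccessful file modifications (open for write or truncate)
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification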
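diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open_o_creat/o_creat_before_last.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open_o_creat/o_creat_before_last.pass.sh
deleted file mode 100644
index acdec877ef..0000000000
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open_o_creat/o_creat_before_last.pass.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/bash
-
-# profiles = xccdf_org.ssgproject.content_profile_ospp
-# remediation = none
-
-sed 's/openat,open_by_handle_at/open,open_by_handle_at/' ../audit_open_o_creat.rules > /etc/audit/rules.d/open_o_creat.rules
-sed -i 's/ open,/ openat,/' /etc/audit/rules.d/open_o_creat.rules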
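diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open_o_creat/o_creat_last.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open_o_creat/o_creat_last.pass.sh
deleted file mode 100644
index 33a3ad88bf..0000000000
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open_o_creat/o_creat_last.pass.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/bash
-
-# profiles = xccdf_org.ssgproject.content_profile_ospp
-# remediation = none
-
-sed 's/_by_handle_at//' ../audit_open_o_creat.rules > /etc/audit/rules.d/open_o_creat.rules
-sed -i 's/open,/open_by_handle_at,/' /etc/audit/rules.d/open_o_creat.rules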
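diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_creat/empty.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_creat/empty.fail.sh
new file mode 100644
index 0000000000..8ad6e6db48
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_creat/empty.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+# remediation = none
+
+rm -f /etc/audit/rules.d/*
+> /etc/audit/audit.rules
+true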
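diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_creat/o_creat_last.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_creat/o_creat_last.pass.sh
new file mode 100644
index 0000000000..920799a16a
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_creat/o_creat_last.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+# remediation = none
+
+sed 's/_by_handle_at/at/' ../audit_openat_o_creat.rules > /etc/audit/rules.d/openat_o_creat.rules
+sed -i 's/openat,/open_by_handle_at,/' /etc/audit/rules.d/openat_o_creat.rules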
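diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_creat/o_creat_rules.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_creat/o_creat_rules.pass.sh
new file mode 100644
index 0000000000..177e34e936
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_creat/o_creat_rules.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+# remediation = none
+
+cp ../audit_openat_o_creat.rules /etc/audit/rules.d/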
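diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_creat/o_trunc_write.fails.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_creat/o_trunc_write.fails.sh
new file mode 100644
index 0000000000..c5c656184f
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_creat/o_trunc_write.fails.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+# remediation = none
+
+cp ../audit_openat_o_trunc_write.rules /etc/audit/rules.d/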
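diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_creat/open_rules.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_creat/open_rules.fail.sh
new file mode 100644
index 0000000000..4da58d43ca
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_creat/open_rules.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+# remediation = none
+
+cp ../audit_open.rules /etc/audit/rules.d/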
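diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_creat/rules-amis.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_creat/rules-amis.fail.sh
new file mode 100644
index 0000000000..6d274c2c8a
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_creat/rules-amis.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+# remediation = none
+
+sed '3,4d' ../audit_openat_o_creat.rules > /etc/audit/rules.d/openat-o_creat.rules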
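diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write/empty.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write/empty.fail.sh
new file mode 100644
index 0000000000..8ad6e6db48
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write/empty.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+# remediation = none
+
+rm -f /etc/audit/rules.d/*
+> /etc/audit/audit.rules
+true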
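diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write/o_creat.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write/o_creat.fail.sh
new file mode 100644
index 0000000000..18c2133ff2
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write/o_creat.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+# remediation = none
+
+cp ../audit_open_o_creat.rules /etc/audit/rules.d/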
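diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write/o_trunc.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write/o_trunc.pass.sh
new file mode 100644
index 0000000000..9156a1c53f
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write/o_trunc.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+# remediation = none
+
+cp ../audit_open_o_trunc_write.rules /etc/audit/rules.d/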
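diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write/open_rules.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write/open_rules.fail.sh
new file mode 100644
index 0000000000..4da58d43ca
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write/open_rules.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+# remediation = none
+
+cp ../audit_open.rules /etc/audit/rules.d/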
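diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write/rules-amis.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write/rules-amis.fail.sh
new file mode 100644
index 0000000000..7f677fd2c6
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write/rules-amis.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+# remediation = none
+
+sed '3,4d' ../audit_open_o_trunc_write.rules > /etc/audit/rules.d/open-o_trunc_write.rules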
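diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_rule_order/ordered_arch.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_rule_order/ordered_arch.pass.sh
new file mode 100644
index 0000000000..72673b69a5
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_rule_order/ordered_arch.pass.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+# remediation = none
+
+grep -h 'arch=b32.*EACCES' ../audit_openat_o_creat.rules ../audit_openat_o_trunc_write.rules ../audit_open.rules > /etc/audit/rules.d/ordered_by_arch_error.rules
+grep -h 'arch=b32.*EPERM' ../audit_openat_o_creat.rules ../audit_openat_o_trunc_write.rules ../audit_open.rules >> /etc/audit/rules.d/ordered_by_arch_error.rules
+grep -h 'arch=b64.*EACCES' ../audit_openat_o_creat.rules ../audit_openat_o_trunc_write.rules ../audit_open.rules >> /etc/audit/rules.d/ordered_by_arch_error.rules
+grep -h 'arch=b64.*EPERM' ../audit_openat_o_creat.rules ../audit_openat_o_trunc_write.rules ../audit_open.rules >> /etc/audit/rules.d/ordered_by_arch_error.rules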
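diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_rule_order/ordered_filter.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_rule_order/ordered_filter.pass.sh
new file mode 100644
index 0000000000..993c399c26
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_rule_order/ordered_filter.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+# remediation = none
+
+cat ../audit_openat_o_creat.rules ../audit_openat_o_trunc_write.rules ../audit_open.rules > /etc/audit/rules.d/ordered_by_filter.rules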
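diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_rule_order/rule_missing.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_rule_order/rule_missing.fail.sh
new file mode 100644
index 0000000000..885548c7c5
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_rule_order/rule_missing.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+# remediation = none
+
+cat ../audit_openat_o_creat.rules ../audit_openat_o_trunc_write.rules ../audit_open.rules > /etc/audit/rules.d/ordered_by_filter.rules
+sed -i '2d' /etc/audit/rules.d/ordered_by_filter.rules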
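diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_rule_order/sorted_rules.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_rule_order/sorted_rules.fail.sh
new file mode 100644
index 0000000000..bee7042570
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_rule_order/sorted_rules.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+# remediation = none
+
+cat ../audit_openat_o_creat.rules ../audit_openat_o_trunc_write.rules ../audit_open.rules > ./ordered_by_filter.rules
+sort ./ordered_by_filter.rules > /etc/audit/rules.d/unsuccessful_open.rules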
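diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_rule_order/unordered.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_rule_order/unordered.fail.sh
new file mode 100644
index 0000000000..6e71b5456e
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_openat_rule_order/unordered.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+# remediation = none
+
+# The rule without filter is less specific, and thus, catches more events than the more specific rules (with O_CREAT and O_TRUNC filters)
+# If they rule withou filter is first, it will catch everything and rules below it will never trigger
+grep -h 'arch=b32.*EACCES' ../audit_open.rules ../audit_openat_o_creat.rules ../audit_openat_o_trunc_write.rules > /etc/audit/rules.d/unordered.rules
+grep -h 'arch=b32.*EPERM' ../audit_open.rules ../audit_openat_o_creat.rules ../audit_openat_o_trunc_write.rules >> /etc/audit/rules.d/unordered.rules
+grep -h 'arch=b64.*EACCES' ../audit_open.rules ../audit_openat_o_creat.rules ../audit_openat_o_trunc_write.rules >> /etc/audit/rules.d/unordered.rules
+grep -h 'arch=b64.*EPERM' ../audit_open.rules ../audit_openat_o_creat.rules ../audit_openat_o_trunc_write.rules >> /etc/audit/rules.d/unordered.rules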
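Review bot: The second explanatory comment has typos that get in the way of its point: `they rule withou filter`. Suggest `# If the rule without a filter comes first, it catches everything and the rules below it never trigger`. This comment is the only place among the new `rule_order` scenarios that records why ordering matters, so it is worth keeping accurate; the same two lines would also be useful at the top of `ordered_arch.pass.sh` and `ordered_filter.pass.sh`.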