
From add7cd5c5a99e7b7d546aa0296885d7da1806d5f Mon Sep 17 00:00:00 2001
From: Marek Haicman <mhaicman@redhat.com>
Date: Thu, 22 Feb 2018 22:49:54 +0100
Subject: [PATCH 1/2] Fix kernel module loading and unloading rules
Fix rule descriptions to make more sense, and fix the remediation
of the general rule so that it audits both b32 and b64 syscalls on
64-bit systems.
---
 .../bash/audit_rules_kernel_module_loading.sh      |  10 +-
 .../audit_rules_kernel_module_loading_delete.sh    |   8 +-
 .../bash/audit_rules_kernel_module_loading_init.sh |   8 +-
 shared/xccdf/system/auditing.xml                   | 161 ++++++++++-----------
 4 files changed, 91 insertions(+), 96 deletions(-)
diff --git a/shared/fixes/bash/audit_rules_kernel_module_loading.sh b/shared/fixes/bash/audit_rules_kernel_module_loading.sh
71d622
index 12d6dd0181..268da407f7 100644
71d622
--- a/shared/fixes/bash/audit_rules_kernel_module_loading.sh
71d622
+++ b/shared/fixes/bash/audit_rules_kernel_module_loading.sh
71d622
@@ -5,11 +5,11 @@
71d622
 
71d622
 # First perform the remediation of the syscall rule
71d622
 # Retrieve hardware architecture of the underlying system
71d622
-# Note: 32-bit kernel modules can't be loaded / unloaded on 64-bit kernel =>
71d622
-#       it's not required on a 64-bit system to check also for the presence
71d622
-#       of 32-bit's equivalent of the corresponding rule. Therefore for
71d622
-#       each system it's enought to check presence of system's native rule form.
71d622
-[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b64")
71d622
+# Note: 32-bit and 64-bit kernel syscall numbers not always line up =>
71d622
+#       it's required on a 64-bit system to check also for the presence
71d622
+#       of 32-bit's equivalent of the corresponding rule.
71d622
+#       (See `man 7 audit.rules` for details )
71d622
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
71d622
 
71d622
 for ARCH in "${RULE_ARCHS[@]}"
71d622
 do
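Review bot: The new comment says the syscall numbers "not always line up", which names a symptom rather than the reason the b64-only rule was insufficient: a 64-bit kernel still serves the 32-bit syscall ABI, so an init_module or delete_module call made through it is matched only by an arch=b32 rule, which is the case `man 7 audit.rules` describes when it asks for both arch forms on 64-bit hosts. Suggest replacing the four comment lines with `# Note: a 64-bit kernel also serves the 32-bit syscall ABI, so a b64-only rule misses module loads made through it; on 64-bit systems rules for both b32 and b64 are required (see man 7 audit.rules).` The identical comment block is pasted into the _delete.sh and _init.sh hunks below, so the same wording applies there. The `[ … ] && … || …` form on the assignment line is safe only because an array assignment cannot fail; an explicit `if … then … else … fi` would make that intent visible. The `for ARCH` loop that consumes RULE_ARCHS continues past the end of the hunk.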
71d622
diff --git a/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh b/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh
71d622
index 59aadeeef8..131f1a2819 100644
71d622
--- a/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh
71d622
+++ b/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh
71d622
@@ -5,10 +5,10 @@
71d622
 
71d622
 # First perform the remediation of the syscall rule
71d622
 # Retrieve hardware architecture of the underlying system
71d622
-# If the system has a 32-bit processor, only the 32-bit rule is needed.
71d622
-# If the system has a 64-bit processor, both arch 32 and 64 need to be included in
71d622
-# the audit file because it is not possible to know if the computer will be booted
71d622
-# in 64 or 32 bit mode or for which architecture a binary is compiled.
71d622
+# Note: 32-bit and 64-bit kernel syscall numbers not always line up =>
71d622
+#       it's required on a 64-bit system to check also for the presence
71d622
+#       of 32-bit's equivalent of the corresponding rule.
71d622
+#       (See `man 7 audit.rules` for details )
71d622
 [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
71d622
 
71d622
 for ARCH in "${RULE_ARCHS[@]}"
71d622
diff --git a/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh b/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh
71d622
index 04b06f9dee..c46a854068 100644
71d622
--- a/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh
71d622
+++ b/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh
71d622
@@ -5,10 +5,10 @@
71d622
 
71d622
 # First perform the remediation of the syscall rule
71d622
 # Retrieve hardware architecture of the underlying system
71d622
-# If the system has a 32-bit processor, only the 32-bit rule is needed.
71d622
-# If the system has a 64-bit processor, both arch 32 and 64 need to be included in
71d622
-# the audit file because it is not possible to know if the computer will be booted
71d622
-# in 64 or 32 bit mode or for which architecture a binary is compiled.
71d622
+# Note: 32-bit and 64-bit kernel syscall numbers not always line up =>
71d622
+#       it's required on a 64-bit system to check also for the presence
71d622
+#       of 32-bit's equivalent of the corresponding rule.
71d622
+#       (See `man 7 audit.rules` for details )
71d622
 [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
71d622
 
71d622
 for ARCH in "${RULE_ARCHS[@]}"
71d622
diff --git a/shared/xccdf/system/auditing.xml b/shared/xccdf/system/auditing.xml
71d622
index 85487ee417..b68820fe9b 100644
71d622
--- a/shared/xccdf/system/auditing.xml
71d622
+++ b/shared/xccdf/system/auditing.xml
71d622
@@ -113,7 +113,7 @@ to establish, correlate, and investigate the events leading up to an outage or a
71d622
 Ensuring the <tt>auditd</tt> service is active ensures audit records
71d622
 generated by the kernel are appropriately recorded.
71d622
 

71d622
-Additionally, a properly configured audit subsystem ensures that actions of 
71d622
+Additionally, a properly configured audit subsystem ensures that actions of
71d622
 individual system users can be uniquely traced to those users so they
71d622
 can be held accountable for their actions.
71d622
 </rationale>
71d622
@@ -727,7 +727,7 @@ with limited audit storage capacity.
71d622
 </rationale>
71d622
 <platform idref="cpe:/a:machine" />
71d622
 <ident cce="80541-6"/>
71d622
-<oval id="auditd_audispd_configure_remote_server" value="var_audispd_remote_server" /> 
71d622
+<oval id="auditd_audispd_configure_remote_server" value="var_audispd_remote_server" />
71d622
 <ref disa="1851" nist="" srg="SRG-OS-000342-GPOS-00133" stigid="030300"/>
71d622
 </Rule>
71d622
 
71d622
@@ -3401,42 +3401,40 @@ of what was executed on the system, as well as, for accountability purposes.
71d622
 
71d622
 <Group id="audit_kernel_module_loading">
71d622
 <title>Record Information on Kernel Modules Loading and Unloading</title>
71d622
-<description>If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt> program
71d622
-to read audit rules during daemon startup (the default), add the following lines to a file
71d622
-with suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt> to capture kernel module
71d622
-loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
71d622
-
-w /usr/sbin/insmod -p x -k modules
71d622
--w /usr/sbin/rmmod -p x -k modules
71d622
--w /usr/sbin/modprobe -p x -k modules
71d622
--a always,exit -F arch=ARCH -S init_module,delete_module -F key=modules
71d622
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility to read audit
71d622
-rules during daemon startup, add the following lines to <tt>/etc/audit/audit.rules</tt> file
71d622
-in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
71d622
-b64 as appropriate for your system:
71d622
-
-w /usr/sbin/insmod -p x -k modules
71d622
+<description>To capture kernel module loading and unloading events, use following lines, setting ARCH to
71d622
+either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
71d622
+
71d622
+-w /usr/sbin/insmod -p x -k modules
71d622
 -w /usr/sbin/rmmod -p x -k modules
71d622
 -w /usr/sbin/modprobe -p x -k modules
71d622
--a always,exit -F arch=ARCH -S init_module,delete_module -F key=modules
71d622
+-a always,exit -F arch=ARCH -S init_module,delete_module -F key=modules
71d622
+
71d622
+
71d622
+Place to add the lines depends on a way <tt>auditd</tt> daemon is configured. If it is configured
71d622
+to use the <tt>augenrules</tt> program (the default), add the lines to a file with suffix
71d622
+<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
71d622
+
71d622
+If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility,
71d622
+add the lines to file <tt>/etc/audit/audit.rules</tt>.
71d622
 </description>
71d622
 
71d622
 <Rule id="audit_rules_kernel_module_loading" severity="medium" prodtype="rhel7">
71d622
 <title>Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading</title>
71d622
-<description>If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt> program
71d622
-to read audit rules during daemon startup (the default), add the following lines to a file
71d622
-with suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt> to capture kernel module
71d622
-loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
71d622
-
-w /usr/sbin/insmod -p x -k modules
71d622
--w /usr/sbin/rmmod -p x -k modules
71d622
--w /usr/sbin/modprobe -p x -k modules
71d622
--a always,exit -F arch=ARCH -S init_module -S delete_module -k modules
71d622
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility to read audit
71d622
-rules during daemon startup, add the following lines to <tt>/etc/audit/audit.rules</tt> file
71d622
-in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
71d622
-b64 as appropriate for your system:
71d622
-
-w /usr/sbin/insmod -p x -k modules
71d622
+<description>To capture kernel module loading and unloading events, use following lines, setting ARCH to
71d622
+either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
71d622
+
71d622
+-w /usr/sbin/insmod -p x -k modules
71d622
 -w /usr/sbin/rmmod -p x -k modules
71d622
 -w /usr/sbin/modprobe -p x -k modules
71d622
--a always,exit -F arch=ARCH -S init_module -S delete_module -k modules
71d622
+-a always,exit -F arch=ARCH -S init_module,delete_module -F key=modules
71d622
+
71d622
+
71d622
+Place to add the lines depends on a way <tt>auditd</tt> daemon is configured. If it is configured
71d622
+to use the <tt>augenrules</tt> program (the default), add the lines to a file with suffix
71d622
+<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
71d622
+
71d622
+If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility,
71d622
+add the lines to file <tt>/etc/audit/audit.rules</tt>.
71d622
 </description>
71d622
 <ocil>
71d622
 <audit-syscall-check-macro syscall="init_module" />
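Review bot: The new description text in this hunk is ambiguous about which line is duplicated on a 64-bit system: "having two lines for both b32 and b64" reads as if every listed line is doubled, whereas only the `-a always,exit -F arch=ARCH …` rule carries an arch and needs a b32 and a b64 copy; the three `-w` watches are arch-independent. Suggest `setting ARCH to b32 on a 32-bit system; on a 64-bit system add the -a line twice, once with arch=b32 and once with arch=b64`. The same sentence, and the phrase "Place to add the lines depends on a way <tt>auditd</tt> daemon is configured" (clearer as "Where to add the lines depends on how the <tt>auditd</tt> daemon is configured"), recur in the init_module, delete_module, insmod, rmmod and modprobe hunks that follow. "use following lines" also wants the article: "use the following lines".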
71d622
@@ -3452,22 +3450,22 @@ to have an audit trail of modules that have been introduced into the kernel.
71d622
 </Rule>
71d622
 
71d622
 <Rule id="audit_rules_kernel_module_loading_init" severity="medium" prodtype="rhel7">
71d622
-<title>Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading - init_module</title>
71d622
-<description>If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt> program
71d622
-to read audit rules during daemon startup (the default), add the following lines to a file
71d622
-with suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt> to capture kernel module
71d622
-loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
71d622
-
-a always,exit -F arch=ARCH -S init_module -F key=modules
71d622
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility to read audit
71d622
-rules during daemon startup, add the following lines to <tt>/etc/audit/audit.rules</tt> file
71d622
-in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
71d622
-b64 as appropriate for your system:
71d622
+<title>Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading - init_module</title>
71d622
+<description>To capture kernel module loading events, use following line, setting ARCH to
71d622
+either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
71d622
 
-a always,exit -F arch=ARCH -S init_module -F key=modules
71d622
+
71d622
+Place to add the line depends on a way <tt>auditd</tt> daemon is configured. If it is configured
71d622
+to use the <tt>augenrules</tt> program (the default), add the line to a file with suffix
71d622
+<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
71d622
+
71d622
+If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility,
71d622
+add the line to file <tt>/etc/audit/audit.rules</tt>.
71d622
 </description>
71d622
 <ocil>
71d622
 <audit-syscall-check-macro syscall="init_module" />
71d622
 </ocil>
71d622
-<rationale>The addition/removal of kernel modules can be used to alter the behavior of
71d622
+<rationale>The addition of kernel modules can be used to alter the behavior of
71d622
 the kernel and potentially introduce malicious code into kernel space. It is important
71d622
 to have an audit trail of modules that have been introduced into the kernel.</rationale>
71d622
 <platform idref="cpe:/a:machine" />
71d622
@@ -3478,22 +3476,22 @@ to have an audit trail of modules that have been introduced into the kernel.
71d622
 </Rule>
71d622
 
71d622
 <Rule id="audit_rules_kernel_module_loading_delete" severity="medium" prodtype="rhel7">
71d622
-<title>Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading - delete_module</title>
71d622
-<description>If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt> program
71d622
-to read audit rules during daemon startup (the default), add the following lines to a file
71d622
-with suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt> to capture kernel module
71d622
-loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
71d622
-
-a always,exit -F arch=ARCH -S delete_module -F key=modules
71d622
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility to read audit
71d622
-rules during daemon startup, add the following lines to <tt>/etc/audit/audit.rules</tt> file
71d622
-in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
71d622
-b64 as appropriate for your system:
71d622
+<title>Ensure <tt>auditd</tt> Collects Information on Kernel Module Unloading - delete_module</title>
71d622
+<description>To capture kernel module unloading events, use following line, setting ARCH to
71d622
+either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
71d622
 
-a always,exit -F arch=ARCH -S delete_module -F key=modules
71d622
+
71d622
+Place to add the line depends on a way <tt>auditd</tt> daemon is configured. If it is configured
71d622
+to use the <tt>augenrules</tt> program (the default), add the line to a file with suffix
71d622
+<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
71d622
+
71d622
+If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility,
71d622
+add the line to file <tt>/etc/audit/audit.rules</tt>.
71d622
 </description>
71d622
 <ocil>
71d622
 <audit-syscall-check-macro syscall="delete_module" />
71d622
 </ocil>
71d622
-<rationale>The addition/removal of kernel modules can be used to alter the behavior of
71d622
+<rationale>The removal of kernel modules can be used to alter the behavior of
71d622
 the kernel and potentially introduce malicious code into kernel space. It is important
71d622
 to have an audit trail of modules that have been introduced into the kernel.</rationale>
71d622
 <platform idref="cpe:/a:machine" />
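Review bot: The rationale rewritten at the end of this hunk now opens with "The removal of kernel modules" but still closes with "an audit trail of modules that have been introduced into the kernel", so the two sentences contradict each other for a rule that only records delete_module. Suggest `to have an audit trail of modules that have been removed from the kernel.` The rmmod hunk below has the same mismatch after its rationale was changed to "The removal of kernel modules".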
71d622
@@ -3504,23 +3502,22 @@ to have an audit trail of modules that have been introduced into the kernel.
71d622
 </Rule>
71d622
 
71d622
 <Rule id="audit_rules_kernel_module_loading_insmod" severity="medium" prodtype="rhel7">
71d622
-<title>Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading - insmod</title>
71d622
-<description>If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt> program
71d622
-to read audit rules during daemon startup (the default), add the following lines to a file
71d622
-with suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt> to capture kernel module
71d622
-loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
71d622
-
-w /usr/sbin/insmod -p x -k modules
71d622
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility to read audit
71d622
-rules during daemon startup, add the following lines to <tt>/etc/audit/audit.rules</tt> file
71d622
-in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
71d622
-b64 as appropriate for your system:
71d622
+<title>Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading - insmod</title>
71d622
+<description>To capture invocation of insmod, utility used to insert modules into kernel,
71d622
+use the following line:
71d622
 
-w /usr/sbin/insmod -p x -k modules
71d622
+Place to add the line depends on a way <tt>auditd</tt> daemon is configured. If it is configured
71d622
+to use the <tt>augenrules</tt> program (the default), add the line to a file with suffix
71d622
+<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
71d622
+
71d622
+If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility,
71d622
+add the line to file <tt>/etc/audit/audit.rules</tt>.
71d622
 </description>
71d622
 <ocil clause="there is not output">
71d622
 To verify that auditing is configured for system administrator actions, run the following command:
71d622
 
$ sudo auditctl -l | grep "watch=/usr/sbin/insmod"
71d622
 </ocil>
71d622
-<rationale>The addition/removal of kernel modules can be used to alter the behavior of
71d622
+<rationale>The addition of kernel modules can be used to alter the behavior of
71d622
 the kernel and potentially introduce malicious code into kernel space. It is important
71d622
 to have an audit trail of modules that have been introduced into the kernel.</rationale>
71d622
 <platform idref="cpe:/a:machine" />
71d622
@@ -3531,23 +3528,22 @@ to have an audit trail of modules that have been introduced into the kernel.
71d622
 </Rule>
71d622
 
71d622
 <Rule id="audit_rules_kernel_module_loading_rmmod" severity="medium" prodtype="rhel7">
71d622
-<title>Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading - rmmod</title>
71d622
-<description>If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt> program
71d622
-to read audit rules during daemon startup (the default), add the following lines to a file
71d622
-with suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt> to capture kernel module
71d622
-loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
71d622
-
-w /usr/sbin/rmmod -p x -k modules
71d622
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility to read audit
71d622
-rules during daemon startup, add the following lines to <tt>/etc/audit/audit.rules</tt> file
71d622
-in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
71d622
-b64 as appropriate for your system:
71d622
+<title>Ensure <tt>auditd</tt> Collects Information on Kernel Module Unloading - rmmod</title>
71d622
+<description>To capture invocation of rmmod, utility used to remove modules from kernel,
71d622
+add the following line:
71d622
 
-w /usr/sbin/rmmod -p x -k modules
71d622
+Place to add the line depends on a way <tt>auditd</tt> daemon is configured. If it is configured
71d622
+to use the <tt>augenrules</tt> program (the default), add the line to a file with suffix
71d622
+<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
71d622
+
71d622
+If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility,
71d622
+add the line to file <tt>/etc/audit/audit.rules</tt>.
71d622
 </description>
71d622
 <ocil clause="there is not output">
71d622
 To verify that auditing is configured for system administrator actions, run the following command:
71d622
 
$ sudo auditctl -l | grep "watch=/usr/sbin/rmmod"
71d622
 </ocil>
71d622
-<rationale>The addition/removal of kernel modules can be used to alter the behavior of
71d622
+<rationale>The removal of kernel modules can be used to alter the behavior of
71d622
 the kernel and potentially introduce malicious code into kernel space. It is important
71d622
 to have an audit trail of modules that have been introduced into the kernel.</rationale>
71d622
 <platform idref="cpe:/a:machine" />
71d622
@@ -3559,16 +3555,15 @@ to have an audit trail of modules that have been introduced into the kernel.
71d622
 
71d622
 <Rule id="audit_rules_kernel_module_loading_modprobe" severity="medium" prodtype="rhel7">
71d622
 <title>Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading - modprobe</title>
71d622
-<description>If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt> program
71d622
-to read audit rules during daemon startup (the default), add the following lines to a file
71d622
-with suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt> to capture kernel module
71d622
-loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
71d622
-
-w /usr/sbin/modprobe -p x -k modules
71d622
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility to read audit
71d622
-rules during daemon startup, add the following lines to <tt>/etc/audit/audit.rules</tt> file
71d622
-in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
71d622
-b64 as appropriate for your system:
71d622
+<description>To capture invocation of modprobe, utility used to insert / remove modules from kernel,
71d622
+add the following line:
71d622
 
-w /usr/sbin/modprobe -p x -k modules
71d622
+Place to add the line depends on a way <tt>auditd</tt> daemon is configured. If it is configured
71d622
+to use the <tt>augenrules</tt> program (the default), add the line to a file with suffix
71d622
+<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
71d622
+
71d622
+If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility,
71d622
+add the line to file <tt>/etc/audit/audit.rules</tt>.
71d622
 </description>
71d622
 <ocil clause="there is not output">
71d622
 To verify that auditing is configured for system administrator actions, run the following command:
From 2a9d3771707c7db41861dbf3ca03c8a455481ba8 Mon Sep 17 00:00:00 2001
From: Marek Haicman <mhaicman@redhat.com>
Date: Thu, 22 Feb 2018 23:13:29 +0100
Subject: [PATCH 2/2] Add basic tests for kernel module loading and unloading
 rules
---
 .../rule_audit_rules_kernel_module_loading/default.fail.sh         | 7 +++++++
 .../rule_audit_rules_kernel_module_loading_delete/default.fail.sh  | 7 +++++++
 .../rule_audit_rules_kernel_module_loading_init/default.fail.sh    | 7 +++++++
 .../rule_audit_rules_kernel_module_loading_insmod/default.fail.sh  | 7 +++++++
 .../default.fail.sh                                                | 7 +++++++
 .../rule_audit_rules_kernel_module_loading_rmmod/default.fail.sh   | 7 +++++++
 6 files changed, 42 insertions(+)
 create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading/default.fail.sh
 create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_delete/default.fail.sh
 create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_init/default.fail.sh
 create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_insmod/default.fail.sh
 create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_modprobe/default.fail.sh
 create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_rmmod/default.fail.sh
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading/default.fail.sh
71d622
new file mode 100644
71d622
index 0000000000..48457258e5
71d622
--- /dev/null
71d622
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading/default.fail.sh
71d622
@@ -0,0 +1,7 @@
71d622
+#!/bin/bash
71d622
+# profiles = xccdf_org.ssgproject.content_profile_C2S
71d622
+# remediation = bash
71d622
+
71d622
+rm -f /etc/audit/rules.d/*
71d622
+> /etc/audit/audit.rules
71d622
+true
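Review bot: This fail scenario only clears the rule set, so it does not exercise the case the first patch fixes, a 64-bit host that carries just the arch=b64 form of the rule; a regression back to a b64-only remediation would still pass these tests. Suggest adding a second scenario per rule (for example a file named b64_only.fail.sh, name chosen here) that, after the same cleanup, writes a single `-a always,exit -F arch=b64 -S init_module,delete_module -F key=modules` line into a file under /etc/audit/rules.d/ and is expected to fail on a 64-bit system. The five sibling default.fail.sh hunks below are byte-identical to this one apart from the profile comment, so the same gap applies to each.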
71d622
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_delete/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_delete/default.fail.sh
71d622
new file mode 100644
71d622
index 0000000000..12fe012776
71d622
--- /dev/null
71d622
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_delete/default.fail.sh
71d622
@@ -0,0 +1,7 @@
71d622
+#!/bin/bash
71d622
+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
71d622
+# remediation = bash
71d622
+
71d622
+rm -f /etc/audit/rules.d/*
71d622
+> /etc/audit/audit.rules
71d622
+true
71d622
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_init/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_init/default.fail.sh
71d622
new file mode 100644
71d622
index 0000000000..12fe012776
71d622
--- /dev/null
71d622
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_init/default.fail.sh
71d622
@@ -0,0 +1,7 @@
71d622
+#!/bin/bash
71d622
+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
71d622
+# remediation = bash
71d622
+
71d622
+rm -f /etc/audit/rules.d/*
71d622
+> /etc/audit/audit.rules
71d622
+true
71d622
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_insmod/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_insmod/default.fail.sh
71d622
new file mode 100644
71d622
index 0000000000..12fe012776
71d622
--- /dev/null
71d622
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_insmod/default.fail.sh
71d622
@@ -0,0 +1,7 @@
71d622
+#!/bin/bash
71d622
+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
71d622
+# remediation = bash
71d622
+
71d622
+rm -f /etc/audit/rules.d/*
71d622
+> /etc/audit/audit.rules
71d622
+true
71d622
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_modprobe/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_modprobe/default.fail.sh
71d622
new file mode 100644
71d622
index 0000000000..12fe012776
71d622
--- /dev/null
71d622
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_modprobe/default.fail.sh
71d622
@@ -0,0 +1,7 @@
71d622
+#!/bin/bash
71d622
+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
71d622
+# remediation = bash
71d622
+
71d622
+rm -f /etc/audit/rules.d/*
71d622
+> /etc/audit/audit.rules
71d622
+true
71d622
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_rmmod/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_rmmod/default.fail.sh
71d622
new file mode 100644
71d622
index 0000000000..12fe012776
71d622
--- /dev/null
71d622
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_rmmod/default.fail.sh
71d622
@@ -0,0 +1,7 @@
71d622
+#!/bin/bash
71d622
+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
71d622
+# remediation = bash
71d622
+
71d622
+rm -f /etc/audit/rules.d/*
71d622
+> /etc/audit/audit.rules
71d622
+true