diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat.rule

new file mode 100644

index 0000000000..91fcecd155

--- /dev/null

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat.rule

@@ -0,0 +1,55 @@

+documentation_complete: true

+

+prodtype: rhel7,fedora

+

+title: 'Record Unauthorized Creation Attempts to Files - open_by_handle_at O_CREAT'

+

+

+description: |-

+    The audit system should collect unauthorized file accesses for

+    all users and root. The <tt>open_by_handle_at</tt> syscall can be used to create new files

+    when O_CREAT flag is specified.

+    The following auidt rules will asure that unsuccessful attempts to create a

+    file via <tt>open_by_handle_at</tt> syscall are collected.

+    If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt>

+    program to read audit rules during daemon startup (the default), add the

+    rules below to a file with suffix <tt>.rules</tt> in the directory

+    <tt>/etc/audit/rules.d</tt>.

+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>

+    utility to read audit rules during daemon startup, add the rules below to

+    <tt>/etc/audit/audit.rules</tt> file.

+    

+    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create

+    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create

+    

+    If the system is 64 bit then also add the following lines:

+    

+    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create

+    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create

+    

+

+rationale: |-

+    Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing

+    these events could serve as evidence of potential system compromise.

+

+severity: medium

+

+references:

+    cis: 5.2.10

+    cui: 3.1.7

+    disa: 172,2884

+    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)

+    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5

+    ospp@rhel7: FAU_GEN.1.1.c

+    pcidss: Req-10.2.4,Req-10.2.1

+    srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172

+

+{{{ complete_ocil_entry_audit_syscall(syscall="open_by_handle_at") }}}

+

+warnings:

+    - general: |-

+        Note that these rules can be configured in a

+        number of ways while still achieving the desired effect. Here the system calls

+        have been placed independent of other system calls. Grouping system calls related

+        to the same event is more efficient. See the following example:

+        
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write.rule

new file mode 100644

index 0000000000..06e96678f2

--- /dev/null

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write.rule

@@ -0,0 +1,54 @@

+documentation_complete: true

+

+prodtype: rhel7,fedora

+

+title: 'Record Unauthorized Modification Attempts to Files - open_by_handle_at O_TRUNC'

+

+description: |-

+    The audit system should collect detailed unauthorized file accesses for

+    all users and root. The <tt>open_by_handle_at</tt> syscall can be used to modify files

+    if called for write operation of with O_TRUNC flag.

+    The following auidt rules will asure that unsuccessful attempts to modify a

+    file via <tt>open_by_handle_at</tt> syscall are collected.

+    If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt>

+    program to read audit rules during daemon startup (the default), add the

+    rules below to a file with suffix <tt>.rules</tt> in the directory

+    <tt>/etc/audit/rules.d</tt>.

+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>

+    utility to read audit rules during daemon startup, add the rules below to

+    <tt>/etc/audit/audit.rules</tt> file.

+    

+    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

+    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

+    

+    If the system is 64 bit then also add the following lines:

+    

+    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

+    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

+    

+

+rationale: |-

+    Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing

+    these events could serve as evidence of potential system compromise.

+

+severity: medium

+

+references:

+    cis: 5.2.10

+    cui: 3.1.7

+    disa: 172,2884

+    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)

+    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5

+    ospp@rhel7: FAU_GEN.1.1.c

+    pcidss: Req-10.2.4,Req-10.2.1

+    srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172

+

+{{{ complete_ocil_entry_audit_syscall(syscall="open_by_handle_at") }}}

+

+warnings:

+    - general: |-

+        Note that these rules can be configured in a

+        number of ways while still achieving the desired effect. Here the system calls

+        have been placed independent of other system calls. Grouping system calls related

+        to the same event is more efficient. See the following example:

+        
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order.rule

new file mode 100644

index 0000000000..0ecd5fff2f

--- /dev/null

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order.rule

@@ -0,0 +1,58 @@

+documentation_complete: true

+

+prodtype: rhel7,fedora

+

+title: 'Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly'

+

+description: |-

+    The audit system should collect detailed unauthorized file

+    accesses for all users and root.

+    To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access

+    of files via <tt>open_by_handle_at</tt> syscall the audit rules collecting these events need to be in certain order.

+    The more specific rules need to come before the less specific rules. The reason for that is that more

+    specific rules cover a subset of events covered in the less specific rules, thus, they need to come

+    before to not be overshadowed by less specific rules, which match a bigger set of events.

+    Make sure that rules for unsuccessful calls of <tt>open_by_handle_at</tt> syscall are in the order shown below.

+    If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt>

+    program to read audit rules during daemon startup (the default), check the order of

+    rules below in a file with suffix <tt>.rules</tt> in the directory

+    <tt>/etc/audit/rules.d</tt>.

+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>

+    utility to read audit rules during daemon startup, check the order of rules below in

+    <tt>/etc/audit/audit.rules</tt> file.

+    

+    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create

+    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create

+    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

+    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

+    -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access

+    -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access

+    

+    If the system is 64 bit then also add the following lines:

+    

+    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create

+    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create

+    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

+    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

+    -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access

+    -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access

+    

+

+rationale: |-

+    The more specific rules cover a subset of events covered by the less specific rules.

+    By ordering them from more specific to less specific, it is assured that the less specific

+    rule will not catch events better recorded by the more specific rule.

+

+severity: medium

+

+references:

+    cis: 5.2.10

+    cui: 3.1.7

+    disa: 172,2884

+    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)

+    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5

+    ospp@rhel7: FAU_GEN.1.1.c

+    pcidss: Req-10.2.4,Req-10.2.1

+    srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172

+

+{{{ complete_ocil_entry_audit_syscall(syscall="open_by_handle_at") }}}

diff --git a/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_o_creat.xml

deleted file mode 100644

index 3eb97c1234..0000000000

--- a/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_o_creat.xml

+++ /dev/null

@@ -1,200 +0,0 @@

-<def-group>

-  <definition class="compliance" id="audit_rules_unsuccessful_file_modification_open_o_creat" version="1">

-    <metadata>

-      <title>Ensure auditd Collects Information on Unsuccesful Creation Attempts to Files - open o_creat</title>

-      <affected family="unix">

-        <platform>Red Hat Enterprise Linux 7</platform>

-        <platform>multi_platform_fedora</platform>

-      </affected>

-      <description>Audit rules about the information on the unsuccessful use of open O_CREAT is enabled.</description>

-    </metadata>

-

-    <criteria operator="OR">

-

-      

-      <criteria operator="AND">

-        <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />

-        <criterion comment="Verify audit rule open 32bit a2&0100 eacces augenrules exists" test_ref="test_arufm_open_o_creat_32bit_a20100_eacces_augenrules" />

-        <criterion comment="Verify audit rule open 32bit a2&0100 eperm augenrules exists" test_ref="test_arufm_open_o_creat_32bit_a20100_eperm_augenrules" />

-

-        <criteria operator="OR">

-          

-          <extend_definition comment="64-bit system" definition_ref="system_info_architecture_64bit" negate="true" />

-          

-          <criteria operator="AND">

-            <criterion comment="Verify audit rule open 64bit a2&0100 eacces augenrules exists" test_ref="test_arufm_open_o_creat_64bit_a20100_eacces_augenrules" />

-            <criterion comment="Verify audit rule open 64bit a2&0100 eperm augenrules exists" test_ref="test_arufm_open_o_creat_64bit_a20100_eperm_augenrules" />

-          </criteria>

-        </criteria>

-      </criteria>

-

-      

-      <criteria operator="AND">

-        <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />

-        <criterion comment="Verify audit rule open 32bit a2&0100 eacces auditctl exists" test_ref="test_arufm_open_o_creat_32bit_a20100_eacces_auditctl" />

-        <criterion comment="Verify audit rule open 32bit a2&0100 eperm auditctl exists" test_ref="test_arufm_open_o_creat_32bit_a20100_eperm_auditctl" />

-

-        <criteria operator="OR">

-          

-          <extend_definition comment="64-bit_system" definition_ref="system_info_architecture_64bit" negate="true" />

-          

-          <criteria operator="AND">

-            <criterion comment="Verify audit rule open 64bit a2&0100 eacces auditctl exists" test_ref="test_arufm_open_o_creat_64bit_a20100_eacces_auditctl" />

-            <criterion comment="Verify audit rule open 64bit a2&0100 eperm auditctl exists" test_ref="test_arufm_open_o_creat_64bit_a20100_eperm_auditctl" />

-

-          </criteria>

-        </criteria>

-      </criteria>

-

-    </criteria>

-  </definition>

-

-  

-  <constant_variable id="var_audit_rule_open_o_creat_32bit_head" version="1" datatype="string" comment="audit rule arch and syscal">

-      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]*</value>

-  </constant_variable>

-  <constant_variable id="var_audit_rule_open_o_creat_64bit_head" version="1" datatype="string" comment="audit rule arch and syscal">

-      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]*</value>

-  </constant_variable>

-  <constant_variable id="var_audit_rule_open_o_creat_tail" version="1" datatype="string" comment="audit rule auid and key">

-    <value>[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>

-  </constant_variable>

-

-  

-  <constant_variable id="var_audit_rule_open_o_creat_separator_regex" version="1" datatype="string" comment="audit rule auid and key">

-    <value>(?:[^.]|\.\s)*</value>

-  </constant_variable>

-

-  

-  <local_variable id="var_audit_rule_open_o_creat_32bit_a20100_eacces_regex" version="1" datatype="string" comment="Expression to match 32bit open O_CREAT EACCES syscall">

-    <concat>

-      <variable_component var_ref="var_audit_rule_open_o_creat_32bit_head" />

-      <literal_component>(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)</literal_component>

-      <variable_component var_ref="var_audit_rule_open_o_creat_tail" />

-    </concat>

-  </local_variable>

-

-  

-  <local_variable id="var_audit_rule_open_o_creat_32bit_a20100_eperm_regex" version="1" datatype="string" comment="Expression to match 32bit open O_CREAT EPERM syscall">

-    <concat>

-      <variable_component var_ref="var_audit_rule_open_o_creat_32bit_head" />

-      <literal_component>(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)</literal_component>

-      <variable_component var_ref="var_audit_rule_open_o_creat_tail" />

-    </concat>

-  </local_variable>

-

-  

-  <local_variable id="var_audit_rule_open_o_creat_64bit_a20100_eacces_regex" version="1" datatype="string" comment="Expression to match 64bit open O_CREAT EACCES syscall">

-    <concat>

-      <variable_component var_ref="var_audit_rule_open_o_creat_64bit_head" />

-      <literal_component>(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)</literal_component>

-      <variable_component var_ref="var_audit_rule_open_o_creat_tail" />

-    </concat>

-  </local_variable>

-

-  

-  <local_variable id="var_audit_rule_open_o_creat_64bit_a20100_eperm_regex" version="1" datatype="string" comment="Expression to match 32bit open O_CREAT EPERM syscall">

-    <concat>

-      <variable_component var_ref="var_audit_rule_open_o_creat_64bit_head" />

-      <literal_component>(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)</literal_component>

-      <variable_component var_ref="var_audit_rule_open_o_creat_tail" />

-    </concat>

-  </local_variable>

-

-

-  

-  

- comment="defined audit rule must exist" id="test_arufm_open_o_creat_32bit_a20100_eacces_augenrules" version="1">

-    <ind:object object_ref="object_arufm_open_o_creat_32bit_a20100_eacces_augenrules" />

-  </ind:textfilecontent54_test>

-  <ind:textfilecontent54_object id="object_arufm_open_o_creat_32bit_a20100_eacces_augenrules" version="1">

-    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>

-    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_creat_32bit_a20100_eacces_regex" />

-    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>

-  </ind:textfilecontent54_object>

-

-

-  

-  

- comment="defined audit rule must exist" id="test_arufm_open_o_creat_32bit_a20100_eperm_augenrules" version="1">

-    <ind:object object_ref="object_arufm_open_o_creat_32bit_a20100_eperm_augenrules" />

-  </ind:textfilecontent54_test>

-  <ind:textfilecontent54_object id="object_arufm_open_o_creat_32bit_a20100_eperm_augenrules" version="1">

-    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>

-    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_creat_32bit_a20100_eperm_regex" />

-    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>

-  </ind:textfilecontent54_object>

-

-

-  

-  

- comment="defined audit rule must exist" id="test_arufm_open_o_creat_64bit_a20100_eacces_augenrules" version="1">

-    <ind:object object_ref="object_arufm_open_o_creat_64bit_a20100_eacces_augenrules" />

-  </ind:textfilecontent54_test>

-  <ind:textfilecontent54_object id="object_arufm_open_o_creat_64bit_a20100_eacces_augenrules" version="1">

-    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>

-    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_creat_64bit_a20100_eacces_regex" />

-    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>

-  </ind:textfilecontent54_object>

-

-

-  

-  

- comment="defined audit rule must exist" id="test_arufm_open_o_creat_64bit_a20100_eperm_augenrules" version="1">

-    <ind:object object_ref="object_arufm_open_o_creat_64bit_a20100_eperm_augenrules" />

-  </ind:textfilecontent54_test>

-  <ind:textfilecontent54_object id="object_arufm_open_o_creat_64bit_a20100_eperm_augenrules" version="1">

-    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>

-    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_creat_64bit_a20100_eperm_regex" />

-    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>

-  </ind:textfilecontent54_object>

-

-

-  

-  

- comment="defined audit rule must exist" id="test_arufm_open_o_creat_32bit_a20100_eacces_auditctl" version="1">

-    <ind:object object_ref="object_arufm_open_o_creat_32bit_a20100_eacces_auditctl" />

-  </ind:textfilecontent54_test>

-  <ind:textfilecontent54_object id="object_arufm_open_o_creat_32bit_a20100_eacces_auditctl" version="1">

-    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>

-    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_creat_32bit_a20100_eacces_regex" />

-    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>

-  </ind:textfilecontent54_object>

-

-

-  

-  

- comment="defined audit rule must exist" id="test_arufm_open_o_creat_32bit_a20100_eperm_auditctl" version="1">

-    <ind:object object_ref="object_arufm_open_o_creat_32bit_a20100_eperm_auditctl" />

-  </ind:textfilecontent54_test>

-  <ind:textfilecontent54_object id="object_arufm_open_o_creat_32bit_a20100_eperm_auditctl" version="1">

-    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>

-    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_creat_32bit_a20100_eperm_regex" />

-    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>

-  </ind:textfilecontent54_object>

-

-

-  

-  

- comment="defined audit rule must exist" id="test_arufm_open_o_creat_64bit_a20100_eacces_auditctl" version="1">

-    <ind:object object_ref="object_arufm_open_o_creat_64bit_a20100_eacces_auditctl" />

-  </ind:textfilecontent54_test>

-  <ind:textfilecontent54_object id="object_arufm_open_o_creat_64bit_a20100_eacces_auditctl" version="1">

-    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>

-    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_creat_64bit_a20100_eacces_regex" />

-    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>

-  </ind:textfilecontent54_object>

-

-

-  

-  

- comment="defined audit rule must exist" id="test_arufm_open_o_creat_64bit_a20100_eperm_auditctl" version="1">

-    <ind:object object_ref="object_arufm_open_o_creat_64bit_a20100_eperm_auditctl" />

-  </ind:textfilecontent54_test>

-  <ind:textfilecontent54_object id="object_arufm_open_o_creat_64bit_a20100_eperm_auditctl" version="1">

-    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>

-    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_creat_64bit_a20100_eperm_regex" />

-    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>

-  </ind:textfilecontent54_object>

-

-</def-group>

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat.rule

index c879183de2..a78f614c8f 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat.rule

@@ -2,7 +2,7 @@ documentation_complete: true

 prodtype: rhel7,fedora

-title: 'Record Unauthorized Creation Attempts to Files (unsuccessful) - open O_CREAT'

+title: 'Record Unauthorized Creation Attempts to Files - open O_CREAT'

 description: |-

@@ -50,5 +50,6 @@ warnings:

     - general: |-

         Note that these rules can be configured in a

         number of ways while still achieving the desired effect. Here the system calls

-        have been placed independent of other system calls. Grouping these system

-        calls with others as identifying earlier in this guide is more efficient.

+        have been placed independent of other system calls. Grouping system calls related

+        to the same event is more efficient. See the following example:

+        
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create

diff --git a/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_o_trunc_write.xml

deleted file mode 100644

index 49540d8d4c..0000000000

--- a/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_o_trunc_write.xml

+++ /dev/null

@@ -1,200 +0,0 @@

-<def-group>

-  <definition class="compliance" id="audit_rules_unsuccessful_file_modification_open_o_trunc_write" version="1">

-    <metadata>

-      <title>Ensure auditd Collects Information on Unsuccesful Creation Attempts to Files - open o_trunc</title>

-      <affected family="unix">

-        <platform>Red Hat Enterprise Linux 7</platform>

-        <platform>multi_platform_fedora</platform>

-      </affected>

-      <description>Audit rules about the information on the unsuccessful use of open O_TRUNC is enabled.</description>

-    </metadata>

-

-    <criteria operator="OR">

-

-      

-      <criteria operator="AND">

-        <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />

-        <criterion comment="Verify audit rule open 32bit a2&01003 eacces augenrules exists" test_ref="test_arufm_open_o_trunc_32bit_a201003_eacces_augenrules" />

-        <criterion comment="Verify audit rule open 32bit a2&01003 eperm augenrules exists" test_ref="test_arufm_open_o_trunc_32bit_a201003_eperm_augenrules" />

-

-        <criteria operator="OR">

-          

-          <extend_definition comment="64-bit system" definition_ref="system_info_architecture_64bit" negate="true" />

-          

-          <criteria operator="AND">

-            <criterion comment="Verify audit rule open 64bit a2&01003 eacces augenrules exists" test_ref="test_arufm_open_o_trunc_64bit_a201003_eacces_augenrules" />

-            <criterion comment="Verify audit rule open 64bit a2&01003 eperm augenrules exists" test_ref="test_arufm_open_o_trunc_64bit_a201003_eperm_augenrules" />

-          </criteria>

-        </criteria>

-      </criteria>

-

-      

-      <criteria operator="AND">

-        <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />

-        <criterion comment="Verify audit rule open 32bit a2&01003 eacces auditctl exists" test_ref="test_arufm_open_o_trunc_32bit_a201003_eacces_auditctl" />

-        <criterion comment="Verify audit rule open 32bit a2&01003 eperm auditctl exists" test_ref="test_arufm_open_o_trunc_32bit_a201003_eperm_auditctl" />

-

-        <criteria operator="OR">

-          

-          <extend_definition comment="64-bit_system" definition_ref="system_info_architecture_64bit" negate="true" />

-          

-          <criteria operator="AND">

-            <criterion comment="Verify audit rule open 64bit a2&01003 eacces auditctl exists" test_ref="test_arufm_open_o_trunc_64bit_a201003_eacces_auditctl" />

-            <criterion comment="Verify audit rule open 64bit a2&01003 eperm auditctl exists" test_ref="test_arufm_open_o_trunc_64bit_a201003_eperm_auditctl" />

-

-          </criteria>

-        </criteria>

-      </criteria>

-

-    </criteria>

-  </definition>

-

-  

-  <constant_variable id="var_audit_rule_open_o_trunc_32bit_head" version="1" datatype="string" comment="audit rule arch and syscal">

-      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]*</value>

-  </constant_variable>

-  <constant_variable id="var_audit_rule_open_o_trunc_64bit_head" version="1" datatype="string" comment="audit rule arch and syscal">

-      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]*</value>

-  </constant_variable>

-  <constant_variable id="var_audit_rule_open_o_trunc_tail" version="1" datatype="string" comment="audit rule auid and key">

-    <value>[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>

-  </constant_variable>

-

-  

-  <constant_variable id="var_audit_rule_open_o_trunc_separator_regex" version="1" datatype="string" comment="audit rule auid and key">

-    <value>(?:[^.]|\.\s)*</value>

-  </constant_variable>

-

-  

-  <local_variable id="var_audit_rule_open_o_trunc_32bit_a201003_eacces_regex" version="1" datatype="string" comment="Expression to match 32bit open O_TRUNC EACCES syscall">

-    <concat>

-      <variable_component var_ref="var_audit_rule_open_o_trunc_32bit_head" />

-      <literal_component>(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)</literal_component>

-      <variable_component var_ref="var_audit_rule_open_o_trunc_tail" />

-    </concat>

-  </local_variable>

-

-  

-  <local_variable id="var_audit_rule_open_o_trunc_32bit_a201003_eperm_regex" version="1" datatype="string" comment="Expression to match 32bit open O_TRUNC EPERM EACCES syscall">

-    <concat>

-      <variable_component var_ref="var_audit_rule_open_o_trunc_32bit_head" />

-      <literal_component>(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)</literal_component>

-      <variable_component var_ref="var_audit_rule_open_o_trunc_tail" />

-    </concat>

-  </local_variable>

-

-  

-  <local_variable id="var_audit_rule_open_o_trunc_64bit_a201003_eacces_regex" version="1" datatype="string" comment="Expression to match 64bit open O_TRUNC EACCES syscall">

-    <concat>

-      <variable_component var_ref="var_audit_rule_open_o_trunc_64bit_head" />

-      <literal_component>(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)</literal_component>

-      <variable_component var_ref="var_audit_rule_open_o_trunc_tail" />

-    </concat>

-  </local_variable>

-

-  

-  <local_variable id="var_audit_rule_open_o_trunc_64bit_a201003_eperm_regex" version="1" datatype="string" comment="Expression to match 64bit open O_TRUNC EPERM syscall">

-    <concat>

-      <variable_component var_ref="var_audit_rule_open_o_trunc_64bit_head" />

-      <literal_component>(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)</literal_component>

-      <variable_component var_ref="var_audit_rule_open_o_trunc_tail" />

-    </concat>

-  </local_variable>

-

-

-  

-  

- comment="defined audit rule must exist" id="test_arufm_open_o_trunc_32bit_a201003_eacces_augenrules" version="1">

-    <ind:object object_ref="object_arufm_open_o_trunc_32bit_a201003_eacces_augenrules" />

-  </ind:textfilecontent54_test>

-  <ind:textfilecontent54_object id="object_arufm_open_o_trunc_32bit_a201003_eacces_augenrules" version="1">

-    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>

-    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_trunc_32bit_a201003_eacces_regex" />

-    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>

-  </ind:textfilecontent54_object>

-

-

-  

-  

- comment="defined audit rule must exist" id="test_arufm_open_o_trunc_32bit_a201003_eperm_augenrules" version="1">

-    <ind:object object_ref="object_arufm_open_o_trunc_32bit_a201003_eperm_augenrules" />

-  </ind:textfilecontent54_test>

-  <ind:textfilecontent54_object id="object_arufm_open_o_trunc_32bit_a201003_eperm_augenrules" version="1">

-    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>

-    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_trunc_32bit_a201003_eperm_regex" />

-    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>

-  </ind:textfilecontent54_object>

-

-

-  

-  

- comment="defined audit rule must exist" id="test_arufm_open_o_trunc_64bit_a201003_eacces_augenrules" version="1">

-    <ind:object object_ref="object_arufm_open_o_trunc_64bit_a201003_eacces_augenrules" />

-  </ind:textfilecontent54_test>

-  <ind:textfilecontent54_object id="object_arufm_open_o_trunc_64bit_a201003_eacces_augenrules" version="1">

-    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>

-    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_trunc_64bit_a201003_eacces_regex" />

-    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>

-  </ind:textfilecontent54_object>

-

-

-  

-  

- comment="defined audit rule must exist" id="test_arufm_open_o_trunc_64bit_a201003_eperm_augenrules" version="1">

-    <ind:object object_ref="object_arufm_open_o_trunc_64bit_a201003_eperm_augenrules" />

-  </ind:textfilecontent54_test>

-  <ind:textfilecontent54_object id="object_arufm_open_o_trunc_64bit_a201003_eperm_augenrules" version="1">

-    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>

-    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_trunc_64bit_a201003_eperm_regex" />

-    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>

-  </ind:textfilecontent54_object>

-

-

-  

-  

- comment="defined audit rule must exist" id="test_arufm_open_o_trunc_32bit_a201003_eacces_auditctl" version="1">

-    <ind:object object_ref="object_arufm_open_o_trunc_32bit_a201003_eacces_auditctl" />

-  </ind:textfilecontent54_test>

-  <ind:textfilecontent54_object id="object_arufm_open_o_trunc_32bit_a201003_eacces_auditctl" version="1">

-    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>

-    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_trunc_32bit_a201003_eacces_regex" />

-    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>

-  </ind:textfilecontent54_object>

-

-

-  

-  

- comment="defined audit rule must exist" id="test_arufm_open_o_trunc_32bit_a201003_eperm_auditctl" version="1">

-    <ind:object object_ref="object_arufm_open_o_trunc_32bit_a201003_eperm_auditctl" />

-  </ind:textfilecontent54_test>

-  <ind:textfilecontent54_object id="object_arufm_open_o_trunc_32bit_a201003_eperm_auditctl" version="1">

-    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>

-    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_trunc_32bit_a201003_eperm_regex" />

-    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>

-  </ind:textfilecontent54_object>

-

-

-  

-  

- comment="defined audit rule must exist" id="test_arufm_open_o_trunc_64bit_a201003_eacces_auditctl" version="1">

-    <ind:object object_ref="object_arufm_open_o_trunc_64bit_a201003_eacces_auditctl" />

-  </ind:textfilecontent54_test>

-  <ind:textfilecontent54_object id="object_arufm_open_o_trunc_64bit_a201003_eacces_auditctl" version="1">

-    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>

-    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_trunc_64bit_a201003_eacces_regex" />

-    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>

-  </ind:textfilecontent54_object>

-

-

-  

-  

- comment="defined audit rule must exist" id="test_arufm_open_o_trunc_64bit_a201003_eperm_auditctl" version="1">

-    <ind:object object_ref="object_arufm_open_o_trunc_64bit_a201003_eperm_auditctl" />

-  </ind:textfilecontent54_test>

-  <ind:textfilecontent54_object id="object_arufm_open_o_trunc_64bit_a201003_eperm_auditctl" version="1">

-    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>

-    <ind:pattern operation="pattern match" var_ref="var_audit_rule_open_o_trunc_64bit_a201003_eperm_regex" />

-    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>

-  </ind:textfilecontent54_object>

-

-</def-group>

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write.rule

index 8525b31bb1..bf5bae97c5 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write.rule

@@ -2,7 +2,7 @@ documentation_complete: true

 prodtype: rhel7,fedora

-title: 'Record Unauthorized Modification Attempts to Files (unsuccessful) - open O_TRUNC'

+title: 'Record Unauthorized Modification Attempts to Files - open O_TRUNC'

 description: |-

     The audit system should collect detailed unauthorized file accesses for

@@ -49,5 +49,6 @@ warnings:

     - general: |-

         Note that these rules can be configured in a

         number of ways while still achieving the desired effect. Here the system calls

-        have been placed independent of other system calls. Grouping these system

-        calls with others as identifying earlier in this guide is more efficient.

+        have been placed independent of other system calls. Grouping system calls related

+        to the same event is more efficient. See the following example:

+        
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

diff --git a/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_rule_order.xml

deleted file mode 100644

index 780fdf60d4..0000000000

--- a/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_rule_order.xml

+++ /dev/null

@@ -1,474 +0,0 @@

-<def-group>

-  <definition class="compliance" id="audit_rules_unsuccessful_file_modification_open_rule_order" version="1">

-    <metadata>

-      <title>Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly</title>

-      <affected family="unix">

-        <platform>Red Hat Enterprise Linux 7</platform>

-        <platform>multi_platform_fedora</platform>

-      </affected>

-      <description>Audit rules about the information on the unsuccessful use of open is configured in the proper rule order.</description>

-

-    </metadata>

-

-    <criteria operator="OR">

-

-      

-      <criteria operator="AND">

-        <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />

-        <criterion comment="audit augenrules 32-bit" test_ref="test_arufm_open_order_32bit_eacces_augenrules" />

-        <criterion comment="audit augenrules 32-bit" test_ref="test_arufm_open_order_32bit_eperm_augenrules" />

-

-        <criteria operator="OR">

-          

-          <extend_definition comment="64-bit system" definition_ref="system_info_architecture_64bit" negate="true" />

-          

-          <criteria operator="AND">

-            <criterion comment="audit augenrules 64-bit" test_ref="test_arufm_open_order_64bit_eacces_augenrules" />

-            <criterion comment="audit augenrules 64-bit" test_ref="test_arufm_open_order_64bit_eperm_augenrules" />

-          </criteria>

-        </criteria>

-      </criteria>

-

-      

-      <criteria operator="AND">

-        <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />

-        <criterion comment="audit augenrules 32-bit" test_ref="test_arufm_open_order_32bit_eacces_auditctl" />

-        <criterion comment="audit augenrules 32-bit" test_ref="test_arufm_open_order_32bit_eperm_auditctl" />

-

-        <criteria operator="OR">

-          

-          <extend_definition comment="64-bit_system" definition_ref="system_info_architecture_64bit" negate="true" />

-          

-          <criteria operator="AND">

-            <criterion comment="audit augenrules 32-bit" test_ref="test_arufm_open_order_64bit_eacces_auditctl" />

-            <criterion comment="audit augenrules 32-bit" test_ref="test_arufm_open_order_64bit_eperm_auditctl" />

-

-          </criteria>

-        </criteria>

-      </criteria>

-

-    </criteria>

-  </definition>

-

-  

-  <constant_variable id="var_audit_rule_open_order_32bit_head" version="1" datatype="string" comment="audit rule arch and syscal">

-      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]*</value>

-  </constant_variable>

-  <constant_variable id="var_audit_rule_open_order_64bit_head" version="1" datatype="string" comment="audit rule arch and syscal">

-      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]*</value>

-  </constant_variable>

-  <constant_variable id="var_audit_rule_open_order_tail" version="1" datatype="string" comment="audit rule auid and key">

-    <value>[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>

-  </constant_variable>

-

-  

-  <constant_variable id="var_audit_rule_open_order_separator_regex" version="1" datatype="string" comment="audit rule auid and key">

-    <value>(?:[^.]|\.\s)*</value>

-  </constant_variable>

-

-  

-  <local_variable id="var_audit_rule_open_order_32bit_a20100_eacces_regex" version="1" datatype="string" comment="arches to audit">

-    <concat>