
diff --git a/shared/templates/template_OVAL_audit_rules_path_syscall b/shared/templates/template_OVAL_audit_rules_path_syscall
28bffe
index dcc1d7b0a2..2544099b8d 100644
28bffe
--- a/shared/templates/template_OVAL_audit_rules_path_syscall
28bffe
+++ b/shared/templates/template_OVAL_audit_rules_path_syscall
28bffe
@@ -40,13 +40,14 @@
28bffe
     </criteria>
28bffe
   </definition>
28bffe
 
28bffe
+
28bffe
   
28bffe
   <constant_variable id="var_audit_rule_32bit_{{{ SYSCALL }}}_write_{{{ PATHID }}}_regex" version="1" datatype="string" comment="audit rule arch and syscal">
28bffe
-      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]*(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path={{{ PATH }}})[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>
28bffe
+      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)({{{ SYSCALL }}})(?:|(?:,[\S]+)+))[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path={{{ PATH }}})[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>
28bffe
   </constant_variable>
28bffe
 
28bffe
   <constant_variable id="var_audit_rule_64bit_{{{ SYSCALL }}}_write_{{{ PATHID }}}_regex" version="1" datatype="string" comment="audit rule arch and syscal">
28bffe
-      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]*(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path={{{ PATH }}})[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>
28bffe
+      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)({{{ SYSCALL }}})(?:|(?:,[\S]+)+))[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path={{{ PATH }}})[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>
28bffe
   </constant_variable>
28bffe
 
28bffe
   
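Review bot: The rewritten syscall-list group on both `+` value lines, `(?:|(?:[\S]+,)+)` and `(?:|(?:,[\S]+)+)`, nests a `+` inside a `+` over a class that itself matches the comma, so a long comma-separated `-S` list that does not contain the wanted syscall can be split into exponentially many `[\S]+,` partitions before the match fails, and a backtracking engine will try every one of them. Excluding the separator from the token class makes the partition unambiguous and also lets `*` replace the empty alternative: `(?:-S[\s]+(?:[^\s,]+,)*({{{ SYSCALL }}})(?:,[^\s,]+)*)[\s]+`. Whether this is reachable in practice depends on how long a `-S` list an operator writes, so I would treat it as hardening of the scanner rather than a functional regression. The identical group appears in the new `_head` values of the other templates in this patch (the unsuccessful_file_modification, o_creat, o_trunc_write and rule_order hunks) and should change there too.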
28bffe
diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification
28bffe
index 804c0d50b8..cbed460f00 100644
28bffe
--- a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification
28bffe
+++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification
28bffe
@@ -46,12 +46,60 @@
28bffe
     </criteria>
28bffe
   </definition>
28bffe
 
28bffe
+  
28bffe
+  <constant_variable id="var_32bit_arufm_{{{ NAME }}}_head" version="1" datatype="string" comment="audit rule arch and syscal">
28bffe
+      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)({{{ NAME }}})(?:|(?:,[\S]+)+))[\s]+</value>
28bffe
+  </constant_variable>
28bffe
+  <constant_variable id="var_64bit_arufm_{{{ NAME }}}_head" version="1" datatype="string" comment="audit rule arch and syscal">
28bffe
+      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)({{{ NAME }}})(?:|(?:,[\S]+)+))[\s]+</value>
28bffe
+  </constant_variable>
28bffe
+  <constant_variable id="var_arufm_{{{ NAME }}}_tail" version="1" datatype="string" comment="audit rule auid and key">
28bffe
+    <value>[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>
28bffe
+  </constant_variable>
28bffe
+
28bffe
+  
28bffe
+  <local_variable id="var_32bit_arufm_eacces_{{{ NAME }}}_regex" version="1" datatype="string" comment="Expression to match 32bit {{{ NAME }}} EACCES syscall">
28bffe
+    <concat>
28bffe
+      <variable_component var_ref="var_32bit_arufm_{{{ NAME }}}_head" />
28bffe
+      <literal_component>(?:-F\s+exit=-EACCES)</literal_component>
28bffe
+      <variable_component var_ref="var_arufm_{{{ NAME }}}_tail" />
28bffe
+    </concat>
28bffe
+  </local_variable>
28bffe
+
28bffe
+  
28bffe
+  <local_variable id="var_32bit_arufm_eperm_{{{ NAME }}}_regex" version="1" datatype="string" comment="Expression to match 32bit {{{ NAME }}} EPERM EACCES syscall">
28bffe
+    <concat>
28bffe
+      <variable_component var_ref="var_32bit_arufm_{{{ NAME }}}_head" />
28bffe
+      <literal_component>(?:-F\s+exit=-EPERM)</literal_component>
28bffe
+      <variable_component var_ref="var_arufm_{{{ NAME }}}_tail" />
28bffe
+    </concat>
28bffe
+  </local_variable>
28bffe
+
28bffe
+  
28bffe
+  <local_variable id="var_64bit_arufm_eacces_{{{ NAME }}}_regex" version="1" datatype="string" comment="Expression to match 64bit {{{ NAME }}} EACCES syscall">
28bffe
+    <concat>
28bffe
+      <variable_component var_ref="var_64bit_arufm_{{{ NAME }}}_head" />
28bffe
+      <literal_component>(?:-F\s+exit=-EACCES)</literal_component>
28bffe
+      <variable_component var_ref="var_arufm_{{{ NAME }}}_tail" />
28bffe
+    </concat>
28bffe
+  </local_variable>
28bffe
+
28bffe
+  
28bffe
+  <local_variable id="var_64bit_arufm_eperm_{{{ NAME }}}_regex" version="1" datatype="string" comment="Expression to match 64bit {{{ NAME }}} EPERM syscall">
28bffe
+    <concat>
28bffe
+      <variable_component var_ref="var_64bit_arufm_{{{ NAME }}}_head" />
28bffe
+      <literal_component>(?:-F\s+exit=-EPERM)</literal_component>
28bffe
+      <variable_component var_ref="var_arufm_{{{ NAME }}}_tail" />
28bffe
+    </concat>
28bffe
+  </local_variable>
28bffe
+
28bffe
+
28bffe
   <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eacces" id="test_32bit_arufm_eacces_{{{ NAME }}}_augenrules" version="1">
28bffe
     <ind:object object_ref="object_32bit_arufm_eacces_{{{ NAME }}}_augenrules" />
28bffe
   </ind:textfilecontent54_test>
28bffe
   <ind:textfilecontent54_object id="object_32bit_arufm_eacces_{{{ NAME }}}_augenrules" version="1">
28bffe
     <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
28bffe
-    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?!.*-F\s+a2&)(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
28bffe
+    <ind:pattern operation="pattern match" var_ref="var_32bit_arufm_eacces_{{{ NAME }}}_regex" />
28bffe
     <ind:instance datatype="int">1</ind:instance>
28bffe
   </ind:textfilecontent54_object>
28bffe
 
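Review bot: The `comment` attribute of the new `var_32bit_arufm_eperm_{{{ NAME }}}_regex` local_variable reads `Expression to match 32bit {{{ NAME }}} EPERM EACCES syscall`, which looks like a copy-paste leftover from the EACCES variable above it; its 64-bit counterpart says `EPERM syscall`, so this one should read `comment="Expression to match 32bit {{{ NAME }}} EPERM syscall"`. The four removed `ind:pattern` lines also carried `(?!.*-F\s+a2&)` to keep rules with an `a2&` filter from satisfying this check; the new `_head` values end in `[\s]+` and are followed directly by `(?:-F\s+exit=...)`, which appears to make that guard unnecessary, but nothing in the new variables says so. A one-line XML comment above the `_head` constants, such as `<!-- no a2& exclusion needed: nothing may appear between the -S list and -F exit= -->`, would stop a later edit from loosening the head with a `.*` and silently reopening that gap.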
28bffe
@@ -60,7 +108,7 @@
28bffe
   </ind:textfilecontent54_test>
28bffe
   <ind:textfilecontent54_object id="object_32bit_arufm_eperm_{{{ NAME }}}_augenrules" version="1">
28bffe
     <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
28bffe
-    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?!.*-F\s+a2&)(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
28bffe
+    <ind:pattern operation="pattern match" var_ref="var_32bit_arufm_eperm_{{{ NAME }}}_regex" />
28bffe
     <ind:instance datatype="int">1</ind:instance>
28bffe
   </ind:textfilecontent54_object>
28bffe
 
28bffe
@@ -69,7 +117,7 @@
28bffe
   </ind:textfilecontent54_test>
28bffe
   <ind:textfilecontent54_object id="object_64bit_arufm_eacces_{{{ NAME }}}_augenrules" version="1">
28bffe
     <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
28bffe
-    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?!.*-F\s+a2&)(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
28bffe
+    <ind:pattern operation="pattern match" var_ref="var_64bit_arufm_eacces_{{{ NAME }}}_regex" />
28bffe
     <ind:instance datatype="int">1</ind:instance>
28bffe
   </ind:textfilecontent54_object>
28bffe
 
28bffe
@@ -78,7 +126,7 @@
28bffe
   </ind:textfilecontent54_test>
28bffe
   <ind:textfilecontent54_object id="object_64bit_arufm_eperm_{{{ NAME }}}_augenrules" version="1">
28bffe
     <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
28bffe
-    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?!.*-F\s+a2&)(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
28bffe
+    <ind:pattern operation="pattern match" var_ref="var_64bit_arufm_eperm_{{{ NAME }}}_regex" />
28bffe
     <ind:instance datatype="int">1</ind:instance>
28bffe
   </ind:textfilecontent54_object>
28bffe
 
28bffe
@@ -87,7 +135,7 @@
28bffe
   </ind:textfilecontent54_test>
28bffe
   <ind:textfilecontent54_object id="object_32bit_arufm_eacces_{{{ NAME }}}_auditctl" version="1">
28bffe
     <ind:filepath>/etc/audit/audit.rules</ind:filepath>
28bffe
-    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?!.*-F\s+a2&)(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
28bffe
+    <ind:pattern operation="pattern match" var_ref="var_32bit_arufm_eacces_{{{ NAME }}}_regex" />
28bffe
     <ind:instance datatype="int">1</ind:instance>
28bffe
   </ind:textfilecontent54_object>
28bffe
 
28bffe
@@ -96,7 +144,7 @@
28bffe
   </ind:textfilecontent54_test>
28bffe
   <ind:textfilecontent54_object id="object_32bit_arufm_eperm_{{{ NAME }}}_auditctl" version="1">
28bffe
     <ind:filepath>/etc/audit/audit.rules</ind:filepath>
28bffe
-    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?!.*-F\s+a2&)(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
28bffe
+    <ind:pattern operation="pattern match" var_ref="var_32bit_arufm_eperm_{{{ NAME }}}_regex" />
28bffe
     <ind:instance datatype="int">1</ind:instance>
28bffe
   </ind:textfilecontent54_object>
28bffe
 
28bffe
@@ -105,7 +153,7 @@
28bffe
   </ind:textfilecontent54_test>
28bffe
   <ind:textfilecontent54_object id="object_64bit_arufm_eacces_{{{ NAME }}}_auditctl" version="1">
28bffe
     <ind:filepath>/etc/audit/audit.rules</ind:filepath>
28bffe
-    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?!.*-F\s+a2&)(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
28bffe
+    <ind:pattern operation="pattern match" var_ref="var_64bit_arufm_eacces_{{{ NAME }}}_regex" />
28bffe
     <ind:instance datatype="int">1</ind:instance>
28bffe
   </ind:textfilecontent54_object>
28bffe
 
28bffe
@@ -114,7 +162,7 @@
28bffe
   </ind:textfilecontent54_test>
28bffe
   <ind:textfilecontent54_object id="object_64bit_arufm_eperm_{{{ NAME }}}_auditctl" version="1">
28bffe
     <ind:filepath>/etc/audit/audit.rules</ind:filepath>
28bffe
-    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?!.*-F\s+a2&)(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
28bffe
+    <ind:pattern operation="pattern match" var_ref="var_64bit_arufm_eperm_{{{ NAME }}}_regex" />
28bffe
     <ind:instance datatype="int">1</ind:instance>
28bffe
   </ind:textfilecontent54_object>
28bffe
 
28bffe
diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_creat b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_creat
28bffe
index 7f1bf6f68f..01e155f016 100644
28bffe
--- a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_creat
28bffe
+++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_creat
28bffe
@@ -51,10 +51,10 @@
28bffe
 
28bffe
   
28bffe
   <constant_variable id="var_audit_rule_{{{ SYSCALL }}}_o_creat_32bit_head" version="1" datatype="string" comment="audit rule arch and syscal">
28bffe
-      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]*</value>
28bffe
+      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)({{{ SYSCALL }}})(?:|(?:,[\S]+)+))[\s]+</value>
28bffe
   </constant_variable>
28bffe
   <constant_variable id="var_audit_rule_{{{ SYSCALL }}}_o_creat_64bit_head" version="1" datatype="string" comment="audit rule arch and syscal">
28bffe
-      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]*</value>
28bffe
+      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)({{{ SYSCALL }}})(?:|(?:,[\S]+)+))[\s]+</value>
28bffe
   </constant_variable>
28bffe
   <constant_variable id="var_audit_rule_{{{ SYSCALL }}}_o_creat_tail" version="1" datatype="string" comment="audit rule auid and key">
28bffe
     <value>[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>
28bffe
diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_trunc_write b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_trunc_write
28bffe
index ce7d3c44c7..64f7277a60 100644
28bffe
--- a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_trunc_write
28bffe
+++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_trunc_write
28bffe
@@ -51,10 +51,10 @@
28bffe
 
28bffe
   
28bffe
   <constant_variable id="var_audit_rule_{{{ SYSCALL }}}_o_trunc_32bit_head" version="1" datatype="string" comment="audit rule arch and syscal">
28bffe
-      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]*</value>
28bffe
+      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)({{{ SYSCALL }}})(?:|(?:,[\S]+)+))[\s]+</value>
28bffe
   </constant_variable>
28bffe
   <constant_variable id="var_audit_rule_{{{ SYSCALL }}}_o_trunc_64bit_head" version="1" datatype="string" comment="audit rule arch and syscal">
28bffe
-      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]*</value>
28bffe
+      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)({{{ SYSCALL }}})(?:|(?:,[\S]+)+))[\s]+</value>
28bffe
   </constant_variable>
28bffe
   <constant_variable id="var_audit_rule_{{{ SYSCALL }}}_o_trunc_tail" version="1" datatype="string" comment="audit rule auid and key">
28bffe
     <value>[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>
28bffe
diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order
28bffe
index 66a8ecf249..12da792d51 100644
28bffe
--- a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order
28bffe
+++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order
28bffe
@@ -52,10 +52,10 @@
28bffe
 
28bffe
   
28bffe
   <constant_variable id="var_audit_rule_{{{ SYSCALL }}}_order_32bit_head" version="1" datatype="string" comment="audit rule arch and syscal">
28bffe
-      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]*</value>
28bffe
+      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)({{{ SYSCALL }}})(?:|(?:,[\S]+)+))[\s]+</value>
28bffe
   </constant_variable>
28bffe
   <constant_variable id="var_audit_rule_{{{ SYSCALL }}}_order_64bit_head" version="1" datatype="string" comment="audit rule arch and syscal">
28bffe
-      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]*</value>
28bffe
+      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)({{{ SYSCALL }}})(?:|(?:,[\S]+)+))[\s]+</value>
28bffe
   </constant_variable>
28bffe
   <constant_variable id="var_audit_rule_{{{ SYSCALL }}}_order_tail" version="1" datatype="string" comment="audit rule auid and key">
28bffe
     <value>[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>
28bffe
@@ -84,7 +84,7 @@
28bffe
   <local_variable id="var_audit_rule_{{{ SYSCALL }}}_order_32bit_eacces_regex" version="1" datatype="string" comment="arches to audit">
28bffe
     <concat>
28bffe
       <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_32bit_head" />
28bffe
-      <literal_component>(?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
28bffe
+      <literal_component>(?:-F\s+exit=-EACCES)</literal_component>
28bffe
       <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_tail" />
28bffe
     </concat>
28bffe
   </local_variable>
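Review bot: Dropping `(?!.*-F\s+a2&)[\s]+` from the literal_component is correct only because the `_head` value changed earlier in this file now ends in `[\s]+` and admits no field between the `-S` list and `-F exit=`; that dependency is not visible from this concat, and a reader who later relaxes the head would reintroduce matches on the `a2&`-filtered rules this template is meant to distinguish. Suggest recording it next to the concat: `<!-- the a2& exclusion lives in the head regex: it ends in [\s]+ and allows no other field before -F exit= -->`. The same applies to the `_order_32bit_eperm_regex`, `_order_64bit_eacces_regex` and `_order_64bit_eperm_regex` hunks that follow.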
28bffe
@@ -107,7 +107,7 @@
28bffe
   <local_variable id="var_audit_rule_{{{ SYSCALL }}}_order_32bit_eperm_regex" version="1" datatype="string" comment="arches to audit">
28bffe
     <concat>
28bffe
       <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_32bit_head" />
28bffe
-      <literal_component>(?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
28bffe
+      <literal_component>(?:-F\s+exit=-EPERM)</literal_component>
28bffe
       <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_tail" />
28bffe
     </concat>
28bffe
   </local_variable>
28bffe
@@ -130,7 +130,7 @@
28bffe
   <local_variable id="var_audit_rule_{{{ SYSCALL }}}_order_64bit_eacces_regex" version="1" datatype="string" comment="arches to audit">
28bffe
     <concat>
28bffe
       <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_64bit_head" />
28bffe
-      <literal_component>(?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
28bffe
+      <literal_component>(?:-F\s+exit=-EACCES)</literal_component>
28bffe
       <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_tail" />
28bffe
     </concat>
28bffe
   </local_variable>
28bffe
@@ -153,7 +153,7 @@
28bffe
   <local_variable id="var_audit_rule_{{{ SYSCALL }}}_order_64bit_eperm_regex" version="1" datatype="string" comment="arches to audit">
28bffe
     <concat>
28bffe
       <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_64bit_head" />
28bffe
-      <literal_component>(?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
28bffe
+      <literal_component>(?:-F\s+exit=-EPERM)</literal_component>
28bffe
       <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_order_tail" />
28bffe
     </concat>
28bffe
   </local_variable>
28bffe
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open/open_before_last.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open/open_before_last.pass.sh
28bffe
new file mode 100644
28bffe
index 0000000000..1f30447324
28bffe
--- /dev/null
28bffe
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open/open_before_last.pass.sh
28bffe
@@ -0,0 +1,7 @@
28bffe
+#!/bin/bash
28bffe
+
28bffe
+# profiles = xccdf_org.ssgproject.content_profile_ospp
28bffe
+# remediation = none
28bffe
+
28bffe
+sed 's/openat,open_by_handle_at/open,open_by_handle_at/' ../audit_open.rules > /etc/audit/rules.d/open_o_creat.rules
28bffe
+sed -i 's/ open,/ openat,/' /etc/audit/rules.d/open_o_creat.rules
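Review bot: Both sed lines write the `open` scenario's rules to `/etc/audit/rules.d/open_o_creat.rules`, the file name the o_creat scenarios in this patch use, so anyone inspecting the rules directory after a run attributes the file to the wrong rule; `> /etc/audit/rules.d/open.rules` and `sed -i 's/ open,/ openat,/' /etc/audit/rules.d/open.rules` would keep the name honest. open_last.pass.sh has the same naming. The two substitutions only produce the intended "open before last" ordering if `../audit_open.rules` lists `openat,open_by_handle_at` adjacently and `open` first, which reads as the intent but cannot be confirmed from this patch.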
28bffe
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open/open_last.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open/open_last.pass.sh
28bffe
new file mode 100644
28bffe
index 0000000000..d3fdcf71a5
28bffe
--- /dev/null
28bffe
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open/open_last.pass.sh
28bffe
@@ -0,0 +1,7 @@
28bffe
+#!/bin/bash
28bffe
+
28bffe
+# profiles = xccdf_org.ssgproject.content_profile_ospp
28bffe
+# remediation = none
28bffe
+
28bffe
+sed 's/_by_handle_at//' ../audit_open.rules > /etc/audit/rules.d/open_o_creat.rules
28bffe
+sed -i 's/open,/open_by_handle_at,/' /etc/audit/rules.d/open_o_creat.rules
28bffe
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open_o_creat/o_creat_before_last.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open_o_creat/o_creat_before_last.pass.sh
28bffe
new file mode 100644
28bffe
index 0000000000..acdec877ef
28bffe
--- /dev/null
28bffe
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open_o_creat/o_creat_before_last.pass.sh
28bffe
@@ -0,0 +1,7 @@
28bffe
+#!/bin/bash
28bffe
+
28bffe
+# profiles = xccdf_org.ssgproject.content_profile_ospp
28bffe
+# remediation = none
28bffe
+
28bffe
+sed 's/openat,open_by_handle_at/open,open_by_handle_at/' ../audit_open_o_creat.rules > /etc/audit/rules.d/open_o_creat.rules
28bffe
+sed -i 's/ open,/ openat,/' /etc/audit/rules.d/open_o_creat.rules
28bffe
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open_o_creat/o_creat_last.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open_o_creat/o_creat_last.pass.sh
28bffe
new file mode 100644
28bffe
index 0000000000..33a3ad88bf
28bffe
--- /dev/null
28bffe
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open_o_creat/o_creat_last.pass.sh
28bffe
@@ -0,0 +1,7 @@
28bffe
+#!/bin/bash
28bffe
+
28bffe
+# profiles = xccdf_org.ssgproject.content_profile_ospp
28bffe
+# remediation = none
28bffe
+
28bffe
+sed 's/_by_handle_at//' ../audit_open_o_creat.rules > /etc/audit/rules.d/open_o_creat.rules
28bffe
+sed -i 's/open,/open_by_handle_at,/' /etc/audit/rules.d/open_o_creat.rules