|
|
28bffe |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_rename.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_rename.rule
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..3fdcb3e89d
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_rename.rule
|
|
|
28bffe |
@@ -0,0 +1,46 @@
|
|
|
28bffe |
+documentation_complete: true
|
|
|
28bffe |
+
|
|
|
28bffe |
+prodtype: rhel7,fedora
|
|
|
28bffe |
+
|
|
|
28bffe |
+title: 'Record Unsuccessul Delete Attempts to Files - rename'
|
|
|
28bffe |
+
|
|
|
28bffe |
+description: |-
|
|
|
28bffe |
+ The audit system should collect unsuccessful file deletion
|
|
|
28bffe |
+ attempts for all users and root. If the <tt>auditd</tt> daemon is configured
|
|
|
28bffe |
+ to use the <tt>augenrules</tt> program to read audit rules during daemon
|
|
|
28bffe |
+ startup (the default), add the following lines to a file with suffix
|
|
|
28bffe |
+ <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
|
|
|
28bffe |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
28bffe |
+ utility to read audit rules during daemon startup, add the following lines to
|
|
|
28bffe |
+ <tt>/etc/audit/audit.rules</tt> file.
|
|
|
28bffe |
+ -a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
|
|
|
28bffe |
+ -a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
|
|
|
28bffe |
+ If the system is 64 bit then also add the following lines:
|
|
|
28bffe |
+
|
|
|
28bffe |
+ -a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
|
|
|
28bffe |
+ -a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
|
|
|
28bffe |
+
|
|
|
28bffe |
+rationale: |-
|
|
|
28bffe |
+ Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing
|
|
|
28bffe |
+ these events could serve as evidence of potential system compromise.
|
|
|
28bffe |
+
|
|
|
28bffe |
+severity: medium
|
|
|
28bffe |
+
|
|
|
28bffe |
+references:
|
|
|
28bffe |
+ cis: 5.2.10
|
|
|
28bffe |
+ cui: 3.1.7
|
|
|
28bffe |
+ disa: 172,2884
|
|
|
28bffe |
+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
|
|
|
28bffe |
+ nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
|
|
|
28bffe |
+ ospp@rhel7: FAU_GEN.1.1.c
|
|
|
28bffe |
+ pcidss: Req-10.2.4,Req-10.2.1
|
|
|
28bffe |
+ srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172
|
|
|
28bffe |
+
|
|
|
28bffe |
+{{{ complete_ocil_entry_audit_syscall(syscall="rename") }}}
|
|
|
28bffe |
+
|
|
|
28bffe |
+warnings:
|
|
|
28bffe |
+ - general: |-
|
|
|
28bffe |
+ Note that these rules can be configured in a
|
|
|
28bffe |
+ number of ways while still achieving the desired effect. Here the system calls
|
|
|
28bffe |
+ have been placed independent of other system calls. Grouping these system
|
|
|
28bffe |
+ calls with others as identifying earlier in this guide is more efficient.
|
|
|
28bffe |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_renameat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_renameat.rule
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..848ea3256e
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_renameat.rule
|
|
|
28bffe |
@@ -0,0 +1,46 @@
|
|
|
28bffe |
+documentation_complete: true
|
|
|
28bffe |
+
|
|
|
28bffe |
+prodtype: rhel7,fedora
|
|
|
28bffe |
+
|
|
|
28bffe |
+title: 'Record Unsuccessul Delete Attempts to Files - renameat'
|
|
|
28bffe |
+
|
|
|
28bffe |
+description: |-
|
|
|
28bffe |
+ The audit system should collect unsuccessful file deletion
|
|
|
28bffe |
+ attempts for all users and root. If the <tt>auditd</tt> daemon is configured
|
|
|
28bffe |
+ to use the <tt>augenrules</tt> program to read audit rules during daemon
|
|
|
28bffe |
+ startup (the default), add the following lines to a file with suffix
|
|
|
28bffe |
+ <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
|
|
|
28bffe |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
28bffe |
+ utility to read audit rules during daemon startup, add the following lines to
|
|
|
28bffe |
+ <tt>/etc/audit/audit.rules</tt> file.
|
|
|
28bffe |
+ -a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
|
|
|
28bffe |
+ -a always,exit -F arch=b32 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
|
|
|
28bffe |
+ If the system is 64 bit then also add the following lines:
|
|
|
28bffe |
+
|
|
|
28bffe |
+ -a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
|
|
|
28bffe |
+ -a always,exit -F arch=b64 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
|
|
|
28bffe |
+
|
|
|
28bffe |
+rationale: |-
|
|
|
28bffe |
+ Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing
|
|
|
28bffe |
+ these events could serve as evidence of potential system compromise.
|
|
|
28bffe |
+
|
|
|
28bffe |
+severity: medium
|
|
|
28bffe |
+
|
|
|
28bffe |
+references:
|
|
|
28bffe |
+ cis: 5.2.10
|
|
|
28bffe |
+ cui: 3.1.7
|
|
|
28bffe |
+ disa: 172,2884
|
|
|
28bffe |
+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
|
|
|
28bffe |
+ nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
|
|
|
28bffe |
+ ospp@rhel7: FAU_GEN.1.1.c
|
|
|
28bffe |
+ pcidss: Req-10.2.4,Req-10.2.1
|
|
|
28bffe |
+ srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172
|
|
|
28bffe |
+
|
|
|
28bffe |
+{{{ complete_ocil_entry_audit_syscall(syscall="renameat") }}}
|
|
|
28bffe |
+
|
|
|
28bffe |
+warnings:
|
|
|
28bffe |
+ - general: |-
|
|
|
28bffe |
+ Note that these rules can be configured in a
|
|
|
28bffe |
+ number of ways while still achieving the desired effect. Here the system calls
|
|
|
28bffe |
+ have been placed independent of other system calls. Grouping these system
|
|
|
28bffe |
+ calls with others as identifying earlier in this guide is more efficient.
|
|
|
28bffe |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_unlink.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_unlink.rule
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..8a64a965ea
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_unlink.rule
|
|
|
28bffe |
@@ -0,0 +1,46 @@
|
|
|
28bffe |
+documentation_complete: true
|
|
|
28bffe |
+
|
|
|
28bffe |
+prodtype: rhel7,fedora
|
|
|
28bffe |
+
|
|
|
28bffe |
+title: 'Record Unsuccessul Delete Attempts to Files - unlink'
|
|
|
28bffe |
+
|
|
|
28bffe |
+description: |-
|
|
|
28bffe |
+ The audit system should collect unsuccessful file deletion
|
|
|
28bffe |
+ attempts for all users and root. If the <tt>auditd</tt> daemon is configured
|
|
|
28bffe |
+ to use the <tt>augenrules</tt> program to read audit rules during daemon
|
|
|
28bffe |
+ startup (the default), add the following lines to a file with suffix
|
|
|
28bffe |
+ <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
|
|
|
28bffe |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
28bffe |
+ utility to read audit rules during daemon startup, add the following lines to
|
|
|
28bffe |
+ <tt>/etc/audit/audit.rules</tt> file.
|
|
|
28bffe |
+ -a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
|
|
|
28bffe |
+ -a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
|
|
|
28bffe |
+ If the system is 64 bit then also add the following lines:
|
|
|
28bffe |
+
|
|
|
28bffe |
+ -a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
|
|
|
28bffe |
+ -a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
|
|
|
28bffe |
+
|
|
|
28bffe |
+rationale: |-
|
|
|
28bffe |
+ Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing
|
|
|
28bffe |
+ these events could serve as evidence of potential system compromise.
|
|
|
28bffe |
+
|
|
|
28bffe |
+severity: medium
|
|
|
28bffe |
+
|
|
|
28bffe |
+references:
|
|
|
28bffe |
+ cis: 5.2.10
|
|
|
28bffe |
+ cui: 3.1.7
|
|
|
28bffe |
+ disa: 172,2884
|
|
|
28bffe |
+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
|
|
|
28bffe |
+ nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
|
|
|
28bffe |
+ ospp@rhel7: FAU_GEN.1.1.c
|
|
|
28bffe |
+ pcidss: Req-10.2.4,Req-10.2.1
|
|
|
28bffe |
+ srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172
|
|
|
28bffe |
+
|
|
|
28bffe |
+{{{ complete_ocil_entry_audit_syscall(syscall="unlink") }}}
|
|
|
28bffe |
+
|
|
|
28bffe |
+warnings:
|
|
|
28bffe |
+ - general: |-
|
|
|
28bffe |
+ Note that these rules can be configured in a
|
|
|
28bffe |
+ number of ways while still achieving the desired effect. Here the system calls
|
|
|
28bffe |
+ have been placed independent of other system calls. Grouping these system
|
|
|
28bffe |
+ calls with others as identifying earlier in this guide is more efficient.
|
|
|
28bffe |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_unlinkat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_unlinkat.rule
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..c89d7d880b
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_unlinkat.rule
|
|
|
28bffe |
@@ -0,0 +1,46 @@
|
|
|
28bffe |
+documentation_complete: true
|
|
|
28bffe |
+
|
|
|
28bffe |
+prodtype: rhel7,fedora
|
|
|
28bffe |
+
|
|
|
28bffe |
+title: 'Record Unsuccessul Delete Attempts to Files - unlinkat'
|
|
|
28bffe |
+
|
|
|
28bffe |
+description: |-
|
|
|
28bffe |
+ The audit system should collect unsuccessful file deletion
|
|
|
28bffe |
+ attempts for all users and root. If the <tt>auditd</tt> daemon is configured
|
|
|
28bffe |
+ to use the <tt>augenrules</tt> program to read audit rules during daemon
|
|
|
28bffe |
+ startup (the default), add the following lines to a file with suffix
|
|
|
28bffe |
+ <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
|
|
|
28bffe |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
28bffe |
+ utility to read audit rules during daemon startup, add the following lines to
|
|
|
28bffe |
+ <tt>/etc/audit/audit.rules</tt> file.
|
|
|
28bffe |
+ -a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
|
|
|
28bffe |
+ -a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
|
|
|
28bffe |
+ If the system is 64 bit then also add the following lines:
|
|
|
28bffe |
+
|
|
|
28bffe |
+ -a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
|
|
|
28bffe |
+ -a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
|
|
|
28bffe |
+
|
|
|
28bffe |
+rationale: |-
|
|
|
28bffe |
+ Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing
|
|
|
28bffe |
+ these events could serve as evidence of potential system compromise.
|
|
|
28bffe |
+
|
|
|
28bffe |
+severity: medium
|
|
|
28bffe |
+
|
|
|
28bffe |
+references:
|
|
|
28bffe |
+ cis: 5.2.10
|
|
|
28bffe |
+ cui: 3.1.7
|
|
|
28bffe |
+ disa: 172,2884
|
|
|
28bffe |
+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
|
|
|
28bffe |
+ nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
|
|
|
28bffe |
+ ospp@rhel7: FAU_GEN.1.1.c
|
|
|
28bffe |
+ pcidss: Req-10.2.4,Req-10.2.1
|
|
|
28bffe |
+ srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172
|
|
|
28bffe |
+
|
|
|
28bffe |
+{{{ complete_ocil_entry_audit_syscall(syscall="unlinkat") }}}
|
|
|
28bffe |
+
|
|
|
28bffe |
+warnings:
|
|
|
28bffe |
+ - general: |-
|
|
|
28bffe |
+ Note that these rules can be configured in a
|
|
|
28bffe |
+ number of ways while still achieving the desired effect. Here the system calls
|
|
|
28bffe |
+ have been placed independent of other system calls. Grouping these system
|
|
|
28bffe |
+ calls with others as identifying earlier in this guide is more efficient.
|
|
|
28bffe |
diff --git a/rhel7/profiles/ospp42-draft.profile b/rhel7/profiles/ospp42-draft.profile
|
|
|
28bffe |
index 6ca2b4b58f..1f5e45a436 100644
|
|
|
28bffe |
--- a/rhel7/profiles/ospp42-draft.profile
|
|
|
28bffe |
+++ b/rhel7/profiles/ospp42-draft.profile
|
|
|
28bffe |
@@ -90,6 +90,10 @@ selections:
|
|
|
28bffe |
- audit_rules_unsuccessful_file_modification_open
|
|
|
28bffe |
- audit_rules_unsuccessful_file_modification_ftruncate
|
|
|
28bffe |
- audit_rules_unsuccessful_file_modification_truncate
|
|
|
28bffe |
+ - audit_rules_unsuccessful_file_modification_unlink
|
|
|
28bffe |
+ - audit_rules_unsuccessful_file_modification_unlinkat
|
|
|
28bffe |
+ - audit_rules_unsuccessful_file_modification_rename
|
|
|
28bffe |
+ - audit_rules_unsuccessful_file_modification_renameat
|
|
|
28bffe |
- audit_rules_file_deletion_events_renameat
|
|
|
28bffe |
- audit_rules_file_deletion_events_rename
|
|
|
28bffe |
- audit_rules_file_deletion_events_rmdir
|
|
|
28bffe |
diff --git a/shared/templates/csv/audit_rules_unsuccessful_file_modification.csv b/shared/templates/csv/audit_rules_unsuccessful_file_modification.csv
|
|
|
28bffe |
index 632bd19a68..3246204984 100644
|
|
|
28bffe |
--- a/shared/templates/csv/audit_rules_unsuccessful_file_modification.csv
|
|
|
28bffe |
+++ b/shared/templates/csv/audit_rules_unsuccessful_file_modification.csv
|
|
|
28bffe |
@@ -3,4 +3,8 @@ ftruncate
|
|
|
28bffe |
open
|
|
|
28bffe |
openat
|
|
|
28bffe |
open_by_handle_at
|
|
|
28bffe |
+rename
|
|
|
28bffe |
+renameat
|
|
|
28bffe |
truncate
|
|
|
28bffe |
+unlink
|
|
|
28bffe |
+unlinkat
|
|
|
28bffe |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_unlink/default.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_unlink/default.pass.sh
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..a6b47565ea
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_unlink/default.pass.sh
|
|
|
28bffe |
@@ -0,0 +1,8 @@
|
|
|
28bffe |
+#!/bin/bash
|
|
|
28bffe |
+
|
|
|
28bffe |
+# profiles = xccdf_org.ssgproject.content_profile_ospp
|
|
|
28bffe |
+
|
|
|
28bffe |
+echo "-a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete" >> /etc/audit/rules.d/unsuccessful-delete.rules
|
|
|
28bffe |
+echo "-a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete" >> /etc/audit/rules.d/unsuccessful-delete.rules
|
|
|
28bffe |
+echo "-a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete" >> /etc/audit/rules.d/unsuccessful-delete.rules
|
|
|
28bffe |
+echo "-a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete" >> /etc/audit/rules.d/unsuccessful-delete.rules
|
|
|
28bffe |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_unlink/empty.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_unlink/empty.fail.sh
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..d703da5cf8
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_unlink/empty.fail.sh
|
|
|
28bffe |
@@ -0,0 +1,7 @@
|
|
|
28bffe |
+#!/bin/bash
|
|
|
28bffe |
+
|
|
|
28bffe |
+# profiles = xccdf_org.ssgproject.content_profile_ospp
|
|
|
28bffe |
+
|
|
|
28bffe |
+rm -f /etc/audit/rules.d/*
|
|
|
28bffe |
+> /etc/audit/audit.rules
|
|
|
28bffe |
+true
|
|
|
28bffe |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_unlink/only_eacces.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_unlink/only_eacces.fail.sh
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..07d6e6b22b
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_unlink/only_eacces.fail.sh
|
|
|
28bffe |
@@ -0,0 +1,6 @@
|
|
|
28bffe |
+#!/bin/bash
|
|
|
28bffe |
+
|
|
|
28bffe |
+# profiles = xccdf_org.ssgproject.content_profile_ospp
|
|
|
28bffe |
+
|
|
|
28bffe |
+echo "-a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete" >> /etc/audit/rules.d/unsuccessful-delete.rules
|
|
|
28bffe |
+echo "-a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete" >> /etc/audit/rules.d/unsuccessful-delete.rules
|