|
|
28bffe |
diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification
|
|
|
28bffe |
index bc88220dac..804c0d50b8 100644
|
|
|
28bffe |
--- a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification
|
|
|
28bffe |
+++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification
|
|
|
28bffe |
@@ -51,7 +51,7 @@
|
|
|
28bffe |
</ind:textfilecontent54_test>
|
|
|
28bffe |
<ind:textfilecontent54_object id="object_32bit_arufm_eacces_{{{ NAME }}}_augenrules" version="1">
|
|
|
28bffe |
<ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]*(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?!.*-F\s+a2&)(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
|
|
|
28bffe |
<ind:instance datatype="int">1</ind:instance>
|
|
|
28bffe |
</ind:textfilecontent54_object>
|
|
|
28bffe |
|
|
|
28bffe |
@@ -60,7 +60,7 @@
|
|
|
28bffe |
</ind:textfilecontent54_test>
|
|
|
28bffe |
<ind:textfilecontent54_object id="object_32bit_arufm_eperm_{{{ NAME }}}_augenrules" version="1">
|
|
|
28bffe |
<ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]*(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?!.*-F\s+a2&)(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
|
|
|
28bffe |
<ind:instance datatype="int">1</ind:instance>
|
|
|
28bffe |
</ind:textfilecontent54_object>
|
|
|
28bffe |
|
|
|
28bffe |
@@ -69,7 +69,7 @@
|
|
|
28bffe |
</ind:textfilecontent54_test>
|
|
|
28bffe |
<ind:textfilecontent54_object id="object_64bit_arufm_eacces_{{{ NAME }}}_augenrules" version="1">
|
|
|
28bffe |
<ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]*(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?!.*-F\s+a2&)(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
|
|
|
28bffe |
<ind:instance datatype="int">1</ind:instance>
|
|
|
28bffe |
</ind:textfilecontent54_object>
|
|
|
28bffe |
|
|
|
28bffe |
@@ -78,7 +78,7 @@
|
|
|
28bffe |
</ind:textfilecontent54_test>
|
|
|
28bffe |
<ind:textfilecontent54_object id="object_64bit_arufm_eperm_{{{ NAME }}}_augenrules" version="1">
|
|
|
28bffe |
<ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]*(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?!.*-F\s+a2&)(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
|
|
|
28bffe |
<ind:instance datatype="int">1</ind:instance>
|
|
|
28bffe |
</ind:textfilecontent54_object>
|
|
|
28bffe |
|
|
|
28bffe |
@@ -87,7 +87,7 @@
|
|
|
28bffe |
</ind:textfilecontent54_test>
|
|
|
28bffe |
<ind:textfilecontent54_object id="object_32bit_arufm_eacces_{{{ NAME }}}_auditctl" version="1">
|
|
|
28bffe |
<ind:filepath>/etc/audit/audit.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]*(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?!.*-F\s+a2&)(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
|
|
|
28bffe |
<ind:instance datatype="int">1</ind:instance>
|
|
|
28bffe |
</ind:textfilecontent54_object>
|
|
|
28bffe |
|
|
|
28bffe |
@@ -96,7 +96,7 @@
|
|
|
28bffe |
</ind:textfilecontent54_test>
|
|
|
28bffe |
<ind:textfilecontent54_object id="object_32bit_arufm_eperm_{{{ NAME }}}_auditctl" version="1">
|
|
|
28bffe |
<ind:filepath>/etc/audit/audit.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]*(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?!.*-F\s+a2&)(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
|
|
|
28bffe |
<ind:instance datatype="int">1</ind:instance>
|
|
|
28bffe |
</ind:textfilecontent54_object>
|
|
|
28bffe |
|
|
|
28bffe |
@@ -105,7 +105,7 @@
|
|
|
28bffe |
</ind:textfilecontent54_test>
|
|
|
28bffe |
<ind:textfilecontent54_object id="object_64bit_arufm_eacces_{{{ NAME }}}_auditctl" version="1">
|
|
|
28bffe |
<ind:filepath>/etc/audit/audit.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]*(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?!.*-F\s+a2&)(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
|
|
|
28bffe |
<ind:instance datatype="int">1</ind:instance>
|
|
|
28bffe |
</ind:textfilecontent54_object>
|
|
|
28bffe |
|
|
|
28bffe |
@@ -114,7 +114,7 @@
|
|
|
28bffe |
</ind:textfilecontent54_test>
|
|
|
28bffe |
<ind:textfilecontent54_object id="object_64bit_arufm_eperm_{{{ NAME }}}_auditctl" version="1">
|
|
|
28bffe |
<ind:filepath>/etc/audit/audit.rules</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]*(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?!.*-F\s+a2&)(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
|
|
|
28bffe |
<ind:instance datatype="int">1</ind:instance>
|
|
|
28bffe |
</ind:textfilecontent54_object>
|
|
|
28bffe |
|
|
|
28bffe |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_unlink/one_sys_with_filter.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_unlink/one_sys_with_filter.fail.sh
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..a76abb7901
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_unlink/one_sys_with_filter.fail.sh
|
|
|
28bffe |
@@ -0,0 +1,8 @@
|
|
|
28bffe |
+#!/bin/bash
|
|
|
28bffe |
+
|
|
|
28bffe |
+# profiles = xccdf_org.ssgproject.content_profile_ospp
|
|
|
28bffe |
+
|
|
|
28bffe |
+echo "-a always,exit -F arch=b32 -S unlink -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete" >> /etc/audit/rules.d/unsuccessful-delete.rules
|
|
|
28bffe |
+echo "-a always,exit -F arch=b64 -S unlink -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete" >> /etc/audit/rules.d/unsuccessful-delete.rules
|
|
|
28bffe |
+echo "-a always,exit -F arch=b32 -S unlink -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete" >> /etc/audit/rules.d/unsuccessful-delete.rules
|
|
|
28bffe |
+echo "-a always,exit -F arch=b64 -S unlink -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete" >> /etc/audit/rules.d/unsuccessful-delete.rules
|
|
|
28bffe |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_unlink/two_sys_with_filter.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_unlink/two_sys_with_filter.fail.sh
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..85270468b5
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_unlink/two_sys_with_filter.fail.sh
|
|
|
28bffe |
@@ -0,0 +1,8 @@
|
|
|
28bffe |
+#!/bin/bash
|
|
|
28bffe |
+
|
|
|
28bffe |
+# profiles = xccdf_org.ssgproject.content_profile_ospp
|
|
|
28bffe |
+
|
|
|
28bffe |
+echo "-a always,exit -F arch=b32 -S unlink,unlinkat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete" >> /etc/audit/rules.d/unsuccessful-delete.rules
|
|
|
28bffe |
+echo "-a always,exit -F arch=b64 -S unlink,unlinkat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete" >> /etc/audit/rules.d/unsuccessful-delete.rules
|
|
|
28bffe |
+echo "-a always,exit -F arch=b32 -S unlink,unlinkat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete" >> /etc/audit/rules.d/unsuccessful-delete.rules
|
|
|
28bffe |
+echo "-a always,exit -F arch=b64 -S unlink,unlinkat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete" >> /etc/audit/rules.d/unsuccessful-delete.rules
|