commit 724676573314ec7537015db800ea9edc08bdeafe

Author: Gabriel Becker <ggasparb@redhat.com>

Date:   Fri Apr 5 14:49:41 2019 +0200

    Mark rules that are not applicable in containers. Backport of 8a858d0c and 313b634c.

diff --git a/linux_os/guide/services/base/service_irqbalance_enabled.rule b/linux_os/guide/services/base/service_irqbalance_enabled.rule

index a94a60d..d74e543 100644

--- a/linux_os/guide/services/base/service_irqbalance_enabled.rule

+++ b/linux_os/guide/services/base/service_irqbalance_enabled.rule

@@ -24,3 +24,5 @@ references:

     nist: CM-7

 ocil: '{{{ ocil_service_disabled(service="irqbalance") }}}'

+

+platform: machine

diff --git a/linux_os/guide/services/cron_and_at/group.yml b/linux_os/guide/services/cron_and_at/group.yml

index 30f07e0..745ed46 100644

--- a/linux_os/guide/services/cron_and_at/group.yml

+++ b/linux_os/guide/services/cron_and_at/group.yml

@@ -8,3 +8,5 @@ description: |-

     all systems to perform necessary maintenance tasks, while at may or

     may not be required on a given system. Both daemons should be

     configured defensively.

+

+platform: machine

diff --git a/linux_os/guide/services/docker/docker_storage_configured.rule b/linux_os/guide/services/docker/docker_storage_configured.rule

index c675292..a1c90e6 100644

--- a/linux_os/guide/services/docker/docker_storage_configured.rule

+++ b/linux_os/guide/services/docker/docker_storage_configured.rule

@@ -20,3 +20,5 @@ severity: low

 identifiers:

     cce@rhel7: 80441-9

+

+platform: machine

diff --git a/linux_os/guide/services/docker/service_docker_enabled.rule b/linux_os/guide/services/docker/service_docker_enabled.rule

index 6cd9df4..309771b 100644

--- a/linux_os/guide/services/docker/service_docker_enabled.rule

+++ b/linux_os/guide/services/docker/service_docker_enabled.rule

@@ -20,3 +20,5 @@ identifiers:

     cce@rhel7: 80440-1

 ocil: '{{{ ocil_service_enabled(service="docker") }}}'

+

+platform: machine

diff --git a/linux_os/guide/services/mail/group.yml b/linux_os/guide/services/mail/group.yml

index 97ddf50..13f9730 100644

--- a/linux_os/guide/services/mail/group.yml

+++ b/linux_os/guide/services/mail/group.yml

@@ -23,3 +23,5 @@ description: |-

     Postfix was coded with security in mind and can also be more effectively contained by

     SELinux as its modular design has resulted in separate processes performing specific actions.

     More information is available on its website, {{{ weblink(link="http://www.postfix.org") }}}.

+

+platform: machine

diff --git a/linux_os/guide/services/ntp/group.yml b/linux_os/guide/services/ntp/group.yml

index c85ac8c..737b7f4 100644

--- a/linux_os/guide/services/ntp/group.yml

+++ b/linux_os/guide/services/ntp/group.yml

@@ -55,3 +55,5 @@ description: |-

     The upstream manual pages at {{{ weblink(link="http://chrony.tuxfamily.org/manual.html") }}} for

     <tt>chronyd</tt> and {{{ weblink(link="http://www.ntp.org") }}} for <tt>ntpd</tt> provide additional

     information on the capabilities and configuration of each of the NTP daemons.

+

+platform: machine

diff --git a/linux_os/guide/services/ssh/group.yml b/linux_os/guide/services/ssh/group.yml

index 8919c8c..feb65ee 100644

--- a/linux_os/guide/services/ssh/group.yml

+++ b/linux_os/guide/services/ssh/group.yml

@@ -12,3 +12,5 @@ description: |-

     {{{ weblink(link="http://www.openssh.org") }}}. Its server program

     is called <tt>sshd</tt> and provided by the RPM package

     <tt>openssh-server</tt>.

+

+platform: machine

diff --git a/linux_os/guide/services/sssd/group.yml b/linux_os/guide/services/sssd/group.yml

index 49bfab9..ce74b3a 100644

--- a/linux_os/guide/services/sssd/group.yml

+++ b/linux_os/guide/services/sssd/group.yml

@@ -17,3 +17,5 @@ description: |-

     {{%- elif product == "rhel6" -%}}

         {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Introduction.html") }}}

     {{%- endif %}}

+

+platform: machine

diff --git a/linux_os/guide/services/sssd/sssd-ldap/group.yml b/linux_os/guide/services/sssd/sssd-ldap/group.yml

index a7c4c7d..0428dd1 100644

--- a/linux_os/guide/services/sssd/sssd-ldap/group.yml

+++ b/linux_os/guide/services/sssd/sssd-ldap/group.yml

@@ -13,3 +13,5 @@ description: |-

     SSSD can support many backends including LDAP. The <tt>sssd-ldap</tt> backend

     allows SSSD to fetch identity information from an LDAP server.

+

+platform: machine

diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot.rule b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot.rule

index beb9a4d..52e6a26 100644

--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot.rule

+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot.rule

@@ -82,3 +82,5 @@ warnings:

         key sequence if running in <tt>runlevel 6</tt> (e.g. in GNOME, KDE, etc.)! The

         <tt>Ctrl-Alt-Del</tt> key sequence will only be disabled if running in

         the non-graphical <tt>runlevel 3</tt>.

+

+platform: machine

diff --git a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot.rule b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot.rule

index 165bf92..d8d9116 100644

--- a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot.rule

+++ b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot.rule

@@ -36,3 +36,5 @@ ocil: |-

     <tt>systemd.confirm_spawn=(1|yes|true|on)</tt> in the kernel boot arguments.

     Presence of a <tt>systemd.confirm_spawn=(1|yes|true|on)</tt> indicates

     that interactive boot is enabled at boot time.

+

+platform: machine

diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth.rule b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth.rule

index 3d752e2..12d547d 100644

--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth.rule

+++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth.rule

@@ -66,3 +66,5 @@ ocil: |-

     ExecStart and /sbin/sulogin:

     
ExecStart=-/sbin/sulogin

 {{% endif %}}

+

+platform: machine

diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_screen_installed.rule b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_screen_installed.rule

index 56c2464..d721694 100644

--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_screen_installed.rule

+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_screen_installed.rule

@@ -41,3 +41,5 @@ references:

 ocil_clause: 'the package is not installed'

 ocil: '{{{ ocil_package(package="screen") }}}'

+

+platform: machine

diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages.rule b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages.rule

index 815097b..5c58455 100644

--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages.rule

+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages.rule

@@ -37,3 +37,5 @@ ocil: |-

     To verify the operating system has the packages required for multifactor

     authentication installed, run the following command:

     
$ sudo yum list installed esc pam_pkcs11 authconfig-gtk

+

+platform: machine

diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth.rule b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth.rule

index 5b01b62..e4c0870 100644

--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth.rule

+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth.rule

@@ -41,3 +41,5 @@ references:

 ocil_clause: 'non-exempt accounts are not using CAC authentication'

 ocil: "Interview the SA to determine if all accounts not exempted by policy are\nusing CAC authentication.\nFor DoD systems, the following systems and accounts are exempt from using\nsmart card (CAC) authentication:\n
\n
SIPRNET systems
 \n
Standalone systems
\n
Application accounts
\n
Temporary employee accounts, such as students or interns, who cannot easily receive a CAC or PIV
\n
Operational tactical locations that are not collocated with RAPIDS workstations to issue CAC or ALT
\n
Test systems, such as those with an Interim Approval to Test (IATT) and use a separate VPN, firewall, or security measure preventing access to network and system components from outside the protection boundary documented in the IATT.
\n
"

+

+platform: machine

diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking.rule b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking.rule

index 9af1126..c68db6d 100644

--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking.rule

+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking.rule

@@ -42,3 +42,5 @@ ocil: |-

     
cert_policy = ca, ocsp_on, signature;

     cert_policy = ca, ocsp_on, signature;

     cert_policy = ca, ocsp_on, signature;

+

+platform: machine

diff --git a/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled.rule b/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled.rule

index a2be942..184571c 100644

--- a/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled.rule

+++ b/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled.rule

@@ -31,3 +31,5 @@ references:

     ospp@rhel7: FIA_AFL.1

 ocil: '{{{ ocil_service_disabled(service="debug-shell") }}}'

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod.rule

index f1cd259..98fb3f8 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod.rule

@@ -57,3 +57,5 @@ warnings:

         number of ways while still achieving the desired effect.  Here the system calls

         have been placed independent of other system calls.  Grouping these system

         calls with others as identifying earlier in this guide is more efficient.

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown.rule

index bc765d3..77be3c4 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown.rule

@@ -55,3 +55,5 @@ warnings:

         number of ways while still achieving the desired effect.  Here the system calls

         have been placed independent of other system calls.  Grouping these system

         calls with others as identifying earlier in this guide is more efficient.

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod.rule

index 62f9d31..e530ea9 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod.rule

@@ -55,3 +55,5 @@ warnings:

         number of ways while still achieving the desired effect. Here the system calls

         have been placed independent of other system calls. Grouping these system

         calls with others as identifying earlier in this guide is more efficient.

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat.rule

index 6a3db98..2410fc9 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat.rule

@@ -55,3 +55,5 @@ warnings:

         number of ways while still achieving the desired effect. Here the system calls

         have been placed independent of other system calls. Grouping these system

         calls with others as identifying earlier in this guide is more efficient.

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown.rule

index b4ffe52..4f0c7e7 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown.rule

@@ -55,3 +55,5 @@ warnings:

         number of ways while still achieving the desired effect. Here the system calls

         have been placed independent of other system calls. Grouping these system

         calls with others as identifying earlier in this guide is more efficient.

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat.rule

index 5a3435d..12d51f8 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat.rule

@@ -55,3 +55,5 @@ warnings:

         number of ways while still achieving the desired effect. Here the system calls

         have been placed independent of other system calls. Grouping these system

         calls with others as identifying earlier in this guide is more efficient.

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr.rule

index ad029f1..b0ff227 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr.rule

@@ -61,3 +61,5 @@ warnings:

         number of ways while still achieving the desired effect. Here the system calls

         have been placed independent of other system calls. Grouping these system

         calls with others as identifying earlier in this guide is more efficient.

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr.rule

index e9cd1f9..4e19015 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr.rule

@@ -55,3 +55,5 @@ warnings:

         number of ways while still achieving the desired effect. Here the system calls

         have been placed independent of other system calls. Grouping these system

         calls with others as identifying earlier in this guide is more efficient.

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown.rule

index 5cfd606..39fb8bd 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown.rule

@@ -55,3 +55,5 @@ warnings:

         number of ways while still achieving the desired effect. Here the system calls

         have been placed independent of other system calls. Grouping these system

         calls with others as identifying earlier in this guide is more efficient.

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr.rule

index 72311d8..52d0c85 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr.rule

@@ -61,3 +61,5 @@ warnings:

         number of ways while still achieving the desired effect. Here the system calls

         have been placed independent of other system calls. Grouping these system

         calls with others as identifying earlier in this guide is more efficient.

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr.rule

index f84b153..f7ffae4 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr.rule

@@ -55,3 +55,5 @@ warnings:

         number of ways while still achieving the desired effect. Here the system calls

         have been placed independent of other system calls. Grouping these system

         calls with others as identifying earlier in this guide is more efficient.

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr.rule

index 6bd3dfc..3ff38cf 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr.rule

@@ -60,3 +60,5 @@ warnings:

         number of ways while still achieving the desired effect. Here the system calls

         have been placed independent of other system calls. Grouping these system

         calls with others as identifying earlier in this guide is more efficient.

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr.rule

index eaec4c5..da633bd 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr.rule

@@ -55,3 +55,5 @@ warnings:

         number of ways while still achieving the desired effect. Here the system calls

         have been placed independent of other system calls. Grouping these system

         calls with others as identifying earlier in this guide is more efficient.

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/group.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/group.yml

index 0de3ac0..0be694d 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/group.yml

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/group.yml

@@ -19,3 +19,5 @@ description: |-

     
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

         -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

         -a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon.rule

index 8e40014..f2c7891 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon.rule

@@ -47,3 +47,5 @@ ocil: |-

     
$ sudo grep "path=/usr/bin/chcon" /etc/audit/audit.rules /etc/audit/rules.d/*

     The output should return something similar to:

     
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon.rule

index 2a97b84..ea42555 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon.rule

@@ -46,3 +46,5 @@ ocil: |-

     
$ sudo grep "path=/usr/sbin/restorecon" /etc/audit/audit.rules /etc/audit/rules.d/*

     The output should return something similar to:

     
-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage.rule

index c2aedce..dd62afa 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage.rule

@@ -47,3 +47,5 @@ ocil: |-

     
$ sudo grep "path=/usr/sbin/semanage" /etc/audit/audit.rules /etc/audit/rules.d/*

     The output should return something similar to:

     
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool.rule

index 247453e..2804b8d 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool.rule

@@ -47,3 +47,5 @@ ocil: |-

     
$ sudo grep "path=/usr/sbin/setsebool" /etc/audit/audit.rules /etc/audit/rules.d/*

     The output should return something similar to:

     
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events.rule

index 346cd5a..d110f8a 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events.rule

@@ -65,3 +65,5 @@ warnings:

         
<tt>audit_rules_file_deletion_events_unlink</tt>

         
<tt>audit_rules_file_deletion_events_unlinkat</tt>

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename.rule

index e9948eb..51b1d54 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename.rule

@@ -40,3 +40,5 @@ references:

     stigid@rhel7: "030880"

 {{{ complete_ocil_entry_audit_syscall(syscall="rename") }}}

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat.rule

index 82c93a2..96133fc 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat.rule

@@ -40,3 +40,5 @@ references:

     stigid@rhel7: "030890"

 {{{ complete_ocil_entry_audit_syscall(syscall="renameat") }}}

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir.rule

index 419cb05..21abd3a 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir.rule

@@ -40,3 +40,5 @@ references:

     stigid@rhel7: "030900"

 {{{ complete_ocil_entry_audit_syscall(syscall="rmdir") }}}

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink.rule

index cfd3553..25c2ec2 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink.rule

@@ -40,3 +40,5 @@ references:

     stigid@rhel7: "030910"

 {{{ complete_ocil_entry_audit_syscall(syscall="unlink") }}}

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat.rule

index 217a3cb..390a4e5 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat.rule

@@ -40,3 +40,5 @@ references:

     stigid@rhel7: "030920"

 {{{ complete_ocil_entry_audit_syscall(syscall="unlinkat") }}}

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete.rule

index f6a5e3e..370fbab 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete.rule

@@ -38,3 +38,5 @@ references:

     stigid@rhel7: "030830"

 {{{ complete_ocil_entry_audit_syscall(syscall="delete_module") }}}

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit.rule

index 4ce4f24..d86680d 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit.rule

@@ -36,3 +36,5 @@ references:

     stigid@rhel7: "030821"

 {{{ complete_ocil_entry_audit_syscall(syscall="finit_module") }}}

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init.rule

index 8b73da7..01de6c8 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init.rule

@@ -37,3 +37,5 @@ references:

     stigid@rhel7: "030820"

 {{{ complete_ocil_entry_audit_syscall(syscall="init_module") }}}

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_insmod.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_insmod.rule

index 3c4e05f..9610d30 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_insmod.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_insmod.rule

@@ -41,3 +41,5 @@ ocil_clause: 'there is not output'

 ocil: |-

     To verify that auditing is configured for system administrator actions, run the following command:

     
$ sudo auditctl -l | grep "watch=/usr/sbin/insmod"

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_modprobe.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_modprobe.rule

index 8ce37aa..bd266b8 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_modprobe.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_modprobe.rule

@@ -41,3 +41,5 @@ ocil_clause: 'there is not output'

 ocil: |-

     To verify that auditing is configured for system administrator actions, run the following command:

     
$ sudo auditctl -l | grep "watch=/usr/sbin/modprobe"

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_rmmod.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_rmmod.rule

index 7ab7824..b913129 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_rmmod.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_rmmod.rule

@@ -41,3 +41,5 @@ ocil_clause: 'there is not output'

 ocil: |-

     To verify that auditing is configured for system administrator actions, run the following command:

     
$ sudo auditctl -l | grep "watch=/usr/sbin/rmmod"

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events.rule

index a2bd65f..11d187d 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events.rule

@@ -53,3 +53,5 @@ warnings:

         
<tt>audit_rules_login_events_faillock</tt>

         
<tt>audit_rules_login_events_lastlog</tt>

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock.rule

index 78f9d91..b730fdd 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock.rule

@@ -43,3 +43,5 @@ ocil_clause: 'there is not output'

 ocil: |-

     To verify that auditing is configured for system administrator actions, run the following command:

     
$ sudo auditctl -l | grep "watch=/var/log/faillock"

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog.rule

index 6c1919d..83c5cb7 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog.rule

@@ -43,3 +43,5 @@ ocil_clause: 'there is not output'

 ocil: |-

     To verify that auditing is configured for system administrator actions, run the following command:

     
$ sudo auditctl -l | grep "watch=/var/log/lastlog"

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog.rule

index b0eed40..9a9770a 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog.rule

@@ -43,3 +43,5 @@ ocil_clause: 'there is not output'

 ocil: |-

     To verify that auditing is configured for system administrator actions, run the following command:

     
$ sudo auditctl -l | grep "watch=/var/log/tallylog"

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands.rule

index a1408e9..3815429 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands.rule

@@ -81,3 +81,5 @@ warnings:

         
<tt>audit_rules_privileged_commands_umount</tt>

         
<tt>audit_rules_privileged_commands_passwd</tt>

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage.rule

index c2d56b1..9d6c828 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage.rule

@@ -48,3 +48,5 @@ ocil: |-

     following command:

     
$ sudo grep chage /etc/audit/audit.rules /etc/audit/rules.d/*

     It should return a relevant line in the audit rules.

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh.rule

index 4c81432..ac5c38a 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh.rule

@@ -48,3 +48,5 @@ ocil: |-

     following command:

     
$ sudo grep chsh /etc/audit/audit.rules /etc/audit/rules.d/*

     It should return a relevant line in the audit rules.

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab.rule

index 5baa248..03bcb6c 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab.rule

@@ -48,3 +48,5 @@ ocil: |-

     following command:

     
$ sudo grep crontab /etc/audit/audit.rules /etc/audit/rules.d/*

     It should return a relevant line in the audit rules.

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd.rule

index cb856fa..5c8c407 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd.rule

@@ -49,3 +49,5 @@ ocil: |-

     following command:

     
$ sudo grep gpasswd /etc/audit/audit.rules /etc/audit/rules.d/*

     It should return a relevant line in the audit rules.

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp.rule

index 32f0182..b8f8e5c 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp.rule

@@ -49,3 +49,5 @@ ocil: |-

     following command:

     
$ sudo grep newgrp /etc/audit/audit.rules /etc/audit/rules.d/*

     It should return a relevant line in the audit rules.

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check.rule

index 7219c00..fda2e0c 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check.rule

@@ -48,3 +48,5 @@ ocil: |-

     following command:

     
$ sudo grep pam_timestamp_check /etc/audit/audit.rules /etc/audit/rules.d/*

     It should return a relevant line in the audit rules.

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd.rule

index 8466855..cb41772 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd.rule

@@ -49,3 +49,5 @@ ocil: |-

     following command:

     
$ sudo grep passwd /etc/audit/audit.rules /etc/audit/rules.d/*

     It should return a relevant line in the audit rules.

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop.rule

index b648c05..6f3f787 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop.rule

@@ -48,3 +48,5 @@ ocil: |-

     following command:

     
$ sudo grep postdrop /etc/audit/audit.rules /etc/audit/rules.d/*

     It should return a relevant line in the audit rules.

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue.rule

index eadb5f9..d6f4eeb 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue.rule

@@ -48,3 +48,5 @@ ocil: |-

     following command:

     
$ sudo grep postqueue /etc/audit/audit.rules /etc/audit/rules.d/*

     It should return a relevant line in the audit rules.

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown.rule

index 600608b..21e0a11 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown.rule

@@ -46,3 +46,5 @@ ocil: |-

     following command:

     
$ sudo grep pt_chown /etc/audit/audit.rules /etc/audit/rules.d/*

     It should return a relevant line in the audit rules.

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign.rule

index 07b6ecc..fa7ff2b 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign.rule

@@ -49,3 +49,5 @@ ocil: |-

     following command:

     
$ sudo grep ssh-keysign /etc/audit/audit.rules /etc/audit/rules.d/*

     It should return a relevant line in the audit rules.

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su.rule

index 5e7c3fc..d791805 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su.rule

@@ -49,3 +49,5 @@ ocil: |-

     following command:

     
$ sudo grep su /etc/audit/audit.rules /etc/audit/rules.d/*

     It should return a relevant line in the audit rules.

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo.rule

index b9c1c7a..e8b3585 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo.rule

@@ -49,3 +49,5 @@ ocil: |-

     following command:

     
$ sudo grep sudo /etc/audit/audit.rules /etc/audit/rules.d/*

     It should return a relevant line in the audit rules.

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit.rule

index 176de59..8984a84 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit.rule

@@ -49,3 +49,5 @@ ocil: |-

     following command:

     
$ sudo grep sudoedit /etc/audit/audit.rules /etc/audit/rules.d/*

     It should return a relevant line in the audit rules.

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount.rule

index d0fe096..5b636ea 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount.rule

@@ -48,3 +48,5 @@ ocil: |-

     following command:

     
$ sudo grep umount /etc/audit/audit.rules /etc/audit/rules.d/*

     It should return a relevant line in the audit rules.

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd.rule

index 61e6cc6..205bf97 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd.rule

@@ -49,3 +49,5 @@ ocil: |-

     following command:

     
$ sudo grep unix_chkpwd /etc/audit/audit.rules /etc/audit/rules.d/*

     It should return a relevant line in the audit rules.

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper.rule

index 83bec28..91f31f3 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper.rule

@@ -49,3 +49,5 @@ ocil: |-

     following command:

     
$ sudo grep userhelper /etc/audit/audit.rules /etc/audit/rules.d/*

     It should return a relevant line in the audit rules.

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable.rule

index 991abcf..2c42c74 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable.rule

@@ -37,3 +37,5 @@ references:

     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.310(a)(2)(iv),164.312(d),164.310(d)(2)(iii),164.312(b),164.312(e)

     nist: AC-6,AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5

     pcidss: Req-10.5.2

+

+platform: machine

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification.rule

index 7c4018b..5952dbb 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification.rule

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification.rule

@@ -47,3 +47,5 @@ ocil: |-

     If the system is configured to watch for changes to its SELinux

     configuration, a line should be returned (including

     <tt>perm=wa</tt> indicating permissions that are watched).

+