
54c0d5
From dd25ef669719bffe40f3024dbc949e421779f106 Mon Sep 17 00:00:00 2001
54c0d5
From: Vojtech Polasek <vpolasek@redhat.com>
54c0d5
Date: Mon, 9 Dec 2019 16:25:50 +0100
54c0d5
Subject: [PATCH] Split audit rules for OSPP
54c0d5
54c0d5
---
54c0d5
 docs/manual/developer_guide.adoc              |   7 +
54c0d5
 .../policy_rules/audit_access_failed/rule.yml |  53 +++++++
54c0d5
 .../tests/correct_rules.pass.sh               |   1 +
54c0d5
 .../audit_access_success/rule.yml             |  58 ++++++++
54c0d5
 .../tests/correct_rules.pass.sh               |   1 +
54c0d5
 .../audit_basic_configuration/rule.yml        |  66 +++++++++
54c0d5
 .../tests/correct_rules.pass.sh               |   3 +
54c0d5
 .../tests/file_missing.fail.sh                |   3 +
54c0d5
 .../tests/file_not_identical.fail.sh          |   4 +
54c0d5
 .../policy_rules/audit_create_failed/rule.yml |  66 +++++++++
54c0d5
 .../tests/correct_rules.pass.sh               |   1 +
54c0d5
 .../audit_create_success/rule.yml             |  59 ++++++++
54c0d5
 .../tests/correct_rules.pass.sh               |   1 +
54c0d5
 .../policy_rules/audit_delete_failed/rule.yml |  58 ++++++++
54c0d5
 .../tests/correct_rules.pass.sh               |   1 +
54c0d5
 .../audit_delete_success/rule.yml             |  57 ++++++++
54c0d5
 .../tests/correct_rules.pass.sh               |   1 +
54c0d5
 .../tests/failed_delete_rules.fail.sh         |   1 +
54c0d5
 .../tests/no_rule.fail.sh                     |   1 +
54c0d5
 .../audit_immutable_login_uids/rule.yml       |  54 +++++++
54c0d5
 .../tests/correct_rules.pass.sh               |   1 +
54c0d5
 .../policy_rules/audit_modify_failed/rule.yml |  66 +++++++++
54c0d5
 .../tests/correct_rules.pass.sh               |   1 +
54c0d5
 .../audit_modify_success/rule.yml             |  61 ++++++++
54c0d5
 .../tests/correct_rules.pass.sh               |   1 +
54c0d5
 .../policy_rules/audit_module_load/rule.yml   |  58 ++++++++
54c0d5
 .../tests/correct_rules.pass.sh               |   1 +
54c0d5
 .../policy_rules/audit_ospp_general/rule.yml  | 138 ++++++++++++++++++
54c0d5
 .../tests/correct_rules.pass.sh               |   1 +
54c0d5
 .../audit_owner_change_failed/rule.yml        |  59 ++++++++
54c0d5
 .../tests/correct_rules.pass.sh               |   1 +
54c0d5
 .../audit_owner_change_success/rule.yml       |  60 ++++++++
54c0d5
 .../tests/correct_rules.pass.sh               |   1 +
54c0d5
 .../audit_perm_change_failed/rule.yml         |  58 ++++++++
54c0d5
 .../tests/correct_rules.pass.sh               |   1 +
54c0d5
 .../audit_perm_change_success/rule.yml        |  57 ++++++++
54c0d5
 .../tests/correct_rules.pass.sh               |   1 +
54c0d5
 .../audit_rules_for_ospp/oval/shared.xml      |   8 +-
54c0d5
 rhel8/profiles/ospp.profile                   |  17 ++-
54c0d5
 shared/macros-ansible.jinja                   |  15 ++
54c0d5
 shared/macros-bash.jinja                      |  11 ++
54c0d5
 shared/macros-oval.jinja                      |  41 ++++++
54c0d5
 shared/references/cce-redhat-avail.txt        |  11 --
54c0d5
 .../template_ANSIBLE_audit_file_contents      |  11 ++
54c0d5
 .../template_BASH_audit_file_contents         |  14 ++
54c0d5
 .../template_OVAL_audit_file_contents         |   7 +
54c0d5
 ssg/templates.py                              |  20 +++
54c0d5
 tests/shared/audit/10-base-config.rules       |  13 ++
54c0d5
 tests/shared/audit/11-loginuid.rules          |   3 +
54c0d5
 .../audit/30-ospp-v42-1-create-failed.rules   |  13 ++
54c0d5
 .../audit/30-ospp-v42-1-create-success.rules  |   7 +
54c0d5
 .../audit/30-ospp-v42-2-modify-failed.rules   |  13 ++
54c0d5
 .../audit/30-ospp-v42-2-modify-success.rules  |   7 +
54c0d5
 .../audit/30-ospp-v42-3-access-failed.rules   |   5 +
54c0d5
 .../audit/30-ospp-v42-3-access-success.rules  |   4 +
54c0d5
 .../audit/30-ospp-v42-4-delete-failed.rules   |   5 +
54c0d5
 .../audit/30-ospp-v42-4-delete-success.rules  |   3 +
54c0d5
 .../30-ospp-v42-5-perm-change-failed.rules    |   5 +
54c0d5
 .../30-ospp-v42-5-perm-change-success.rules   |   3 +
54c0d5
 .../30-ospp-v42-6-owner-change-failed.rules   |   5 +
54c0d5
 .../30-ospp-v42-6-owner-change-success.rules  |   3 +
54c0d5
 tests/shared/audit/30-ospp-v42.rules          |  80 ++++++++++
54c0d5
 tests/shared/audit/43-module-load.rules       |   6 +
54c0d5
 63 files changed, 1376 insertions(+), 16 deletions(-)
54c0d5
 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
54c0d5
 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_access_failed/tests/correct_rules.pass.sh
54c0d5
 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
54c0d5
 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_access_success/tests/correct_rules.pass.sh
54c0d5
 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml
54c0d5
 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/correct_rules.pass.sh
54c0d5
 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/file_missing.fail.sh
54c0d5
 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/file_not_identical.fail.sh
54c0d5
 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml
54c0d5
 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_create_failed/tests/correct_rules.pass.sh
54c0d5
 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml
54c0d5
 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_create_success/tests/correct_rules.pass.sh
54c0d5
 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml
54c0d5
 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_failed/tests/correct_rules.pass.sh
54c0d5
 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml
54c0d5
 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/correct_rules.pass.sh
54c0d5
 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/failed_delete_rules.fail.sh
54c0d5
 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/no_rule.fail.sh
54c0d5
 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
54c0d5
 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/tests/correct_rules.pass.sh
54c0d5
 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml
54c0d5
 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_modify_failed/tests/correct_rules.pass.sh
54c0d5
 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml
54c0d5
 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_modify_success/tests/correct_rules.pass.sh
54c0d5
 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml
54c0d5
 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_module_load/tests/correct_rules.pass.sh
54c0d5
 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
54c0d5
 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_ospp_general/tests/correct_rules.pass.sh
54c0d5
 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml
54c0d5
 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/tests/correct_rules.pass.sh
54c0d5
 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml
54c0d5
 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/tests/correct_rules.pass.sh
54c0d5
 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml
54c0d5
 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/tests/correct_rules.pass.sh
54c0d5
 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml
54c0d5
 create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/tests/correct_rules.pass.sh
54c0d5
 create mode 100644 shared/templates/template_ANSIBLE_audit_file_contents
54c0d5
 create mode 100644 shared/templates/template_BASH_audit_file_contents
54c0d5
 create mode 100644 shared/templates/template_OVAL_audit_file_contents
54c0d5
 create mode 100644 tests/shared/audit/10-base-config.rules
54c0d5
 create mode 100644 tests/shared/audit/11-loginuid.rules
54c0d5
 create mode 100644 tests/shared/audit/30-ospp-v42-1-create-failed.rules
54c0d5
 create mode 100644 tests/shared/audit/30-ospp-v42-1-create-success.rules
54c0d5
 create mode 100644 tests/shared/audit/30-ospp-v42-2-modify-failed.rules
54c0d5
 create mode 100644 tests/shared/audit/30-ospp-v42-2-modify-success.rules
54c0d5
 create mode 100644 tests/shared/audit/30-ospp-v42-3-access-failed.rules
54c0d5
 create mode 100644 tests/shared/audit/30-ospp-v42-3-access-success.rules
54c0d5
 create mode 100644 tests/shared/audit/30-ospp-v42-4-delete-failed.rules
54c0d5
 create mode 100644 tests/shared/audit/30-ospp-v42-4-delete-success.rules
54c0d5
 create mode 100644 tests/shared/audit/30-ospp-v42-5-perm-change-failed.rules
54c0d5
 create mode 100644 tests/shared/audit/30-ospp-v42-5-perm-change-success.rules
54c0d5
 create mode 100644 tests/shared/audit/30-ospp-v42-6-owner-change-failed.rules
54c0d5
 create mode 100644 tests/shared/audit/30-ospp-v42-6-owner-change-success.rules
54c0d5
 create mode 100644 tests/shared/audit/30-ospp-v42.rules
54c0d5
 create mode 100644 tests/shared/audit/43-module-load.rules
54c0d5
54c0d5
diff --git a/docs/manual/developer_guide.adoc b/docs/manual/developer_guide.adoc
54c0d5
index 4cccea23d..76c1c1021 100644
54c0d5
--- a/docs/manual/developer_guide.adoc
54c0d5
+++ b/docs/manual/developer_guide.adoc
54c0d5
@@ -1449,6 +1449,13 @@ audit_rules_privileged_commands::
54c0d5
 ** *path* - the path of the privileged command - eg. `/usr/bin/mount`
54c0d5
 * Languages: Ansible, Bash, OVAL
54c0d5
 
54c0d5
+audit_file_contents::
54c0d5
+* Ensure that audit `.rules` file specified by parameter `filepath` contains the contents specified in parameter `contents`.
54c0d5
+* Parameters:
54c0d5
+** *filepath* - path to audit rules file, e.g.: `/etc/audit/rules.d/10-base-config.rules`
54c0d5
+** *contents* - expected contents of the file
54c0d5
+* Languages: Ansible, Bash, OVAL
54c0d5
+
54c0d5
 audit_rules_unsuccessful_file_modification::
54c0d5
 * Ensure there is an Audit rule to record unsuccessful attempts to access files
54c0d5
 * Parameters:
54c0d5
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
54c0d5
new file mode 100644
54c0d5
index 000000000..6172751f1
54c0d5
--- /dev/null
54c0d5
+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
54c0d5
@@ -0,0 +1,53 @@
54c0d5
+documentation_complete: true
54c0d5
+
54c0d5
+prodtype: rhel8
54c0d5
+
54c0d5
+title: 'Configure auditing of unsuccessful file accesses'
54c0d5
+
54c0d5
+{{% set file_contents_audit_access_failed =
54c0d5
+"## Unsuccessful file access (any other opens) This has to go last.
54c0d5
+-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
54c0d5
+-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
54c0d5
+-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
54c0d5
+-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
54c0d5
+" %}}
54c0d5
+
54c0d5
+description: |-
54c0d5
+    Ensure that unsuccessful attempts to access a file are audited.
54c0d5
+
54c0d5
+    The following rules configure audit as described above:
54c0d5
+    
{{{ file_contents_audit_access_failed|indent }}}    
54c0d5
+    
54c0d5
+    Load new Audit rules into kernel by running:
54c0d5
+    
augenrules --load
54c0d5
+    
54c0d5
+    Note: This rule utilizes a file provided by <tt>Audit</tt> package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
54c0d5
+
54c0d5
+
54c0d5
+rationale: |-
54c0d5
+    Unsuccessful attempts to access a file might be signs of malicious activity happening within the system. Auditing of such activities helps in their monitoring and investigation.
54c0d5
+
54c0d5
+severity: medium
54c0d5
+
54c0d5
+identifiers:
54c0d5
+    cce@rhel8: 82833-5
54c0d5
+
54c0d5
+references:
54c0d5
+    ospp: FAU_GEN.1.1.c
54c0d5
+    nist: AU-2(a)
54c0d5
+    srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205
54c0d5
+
54c0d5
+ocil_clause: 'the file does not exist or the content differs'
54c0d5
+
54c0d5
+ocil: |-
54c0d5
+    To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
54c0d5
+    
cat /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
54c0d5
+    The output has to be exactly as follows:
54c0d5
+    
{{{ file_contents_audit_access_failed|indent }}}    
54c0d5
+
54c0d5
+template:
54c0d5
+    name: audit_file_contents
54c0d5
+    vars:
54c0d5
+        filepath: /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
54c0d5
+        contents: |+
54c0d5
+            {{{ file_contents_audit_access_failed|indent(12) }}}
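Review bot: The description of this rule never tells the reader where the rule file comes from: the closing note says the rule "utilizes a file provided by Audit package", yet unlike audit_access_success and audit_basic_configuration in the same patch there is no `/usr/share/audit/sample-rules/30-ospp-v42-3-access-failed.rules` reference and no `cp ... /etc/audit/rules.d/` step, so that paragraph should be added here for consistency. The embedded `This has to go last.` comment is an ordering constraint that a content-only check cannot enforce; since augenrules(8) merges `/etc/audit/rules.d/*.rules` in natural sort order, I would add to the description that the file must keep a name that sorts after the create (and, presumably, modify) rules, which match the same `open`/`openat`/`open_by_handle_at` syscalls with the narrower `a1&0100`/`a2&0100` filters and which the sample file's author evidently wants evaluated first. Also `alligned` → `aligned` in the note.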
54c0d5
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/tests/correct_rules.pass.sh
54c0d5
new file mode 100644
54c0d5
index 000000000..ce7c7a0dd
54c0d5
--- /dev/null
54c0d5
+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/tests/correct_rules.pass.sh
54c0d5
@@ -0,0 +1 @@
54c0d5
+cp $SHARED/audit/30-ospp-v42-3-access-failed.rules /etc/audit/rules.d/
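Review bot: This scenario lacks the `# profiles = xccdf_org.ssgproject.content_profile_ospp` header that the audit_basic_configuration scenarios in the same patch carry, so the two sets of tests are inconsistent about the profile they run under; if that header selects the evaluated profile, as it appears to, this OSPP-targeted rule would otherwise be exercised under the suite's default profile. Add the header and quote the variable: `cp "$SHARED/audit/30-ospp-v42-3-access-failed.rules" /etc/audit/rules.d/`.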
54c0d5
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
54c0d5
new file mode 100644
54c0d5
index 000000000..8d0625a1d
54c0d5
--- /dev/null
54c0d5
+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
54c0d5
@@ -0,0 +1,58 @@
54c0d5
+documentation_complete: true
54c0d5
+
54c0d5
+prodtype: rhel8
54c0d5
+
54c0d5
+title: 'Configure auditing of successful file accesses'
54c0d5
+
54c0d5
+{{% set file_contents_audit_access_success =
54c0d5
+"## Successful file access (any other opens) This has to go last.
54c0d5
+## These next two are likely to result in a whole lot of events
54c0d5
+-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
54c0d5
+-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
54c0d5
+" %}}
54c0d5
+
54c0d5
+description: |-
54c0d5
+    Ensure that successful attempts to access a file are audited.
54c0d5
+
54c0d5
+    The following rules configure audit as described above:
54c0d5
+    
{{{ file_contents_audit_access_success|indent }}}    
54c0d5
+
54c0d5
+    The <tt>Audit</tt> package provides pre-configured  rules in <tt>/usr/share/audit/sample-rules</tt>. The above content can be found in <tt>/usr/share/audit/sample-rules/30-ospp-v42-3-access-success.rules</tt>.
54c0d5
+    To deploy this configuration, it is recommended to copy it over to the <tt>/etc/audit/rules.d/</tt> directory:
54c0d5
+    
54c0d5
+    cp /usr/share/audit/sample-rules/30-ospp-v42-3-access-success.rules /etc/audit/rules.d/
54c0d5
+    
54c0d5
+    
54c0d5
+    Load new Audit rules into kernel by running:
54c0d5
+    
augenrules --load
54c0d5
+    
54c0d5
+    Note: This rule utilizes a file provided by <tt>Audit</tt> package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
54c0d5
+    
54c0d5
+
54c0d5
+rationale: |-
54c0d5
+    Auditing of successful attempts to access a file helps in investigation of activities performed on the system. 
54c0d5
+
54c0d5
+severity: medium
54c0d5
+
54c0d5
+identifiers:
54c0d5
+    cce@rhel8: 82834-3
54c0d5
+
54c0d5
+references:
54c0d5
+    ospp: FAU_GEN.1.1.c
54c0d5
+    nist: AU-2(a)
54c0d5
+    srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205
54c0d5
+
54c0d5
+ocil_clause: 'the file does not exist or the content differs'
54c0d5
+
54c0d5
+ocil: |-
54c0d5
+    To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
54c0d5
+    
cat /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
54c0d5
+    The output has to be exactly as follows:
54c0d5
+    
{{{ file_contents_audit_access_success|indent }}}    
54c0d5
+
54c0d5
+template:
54c0d5
+    name: audit_file_contents
54c0d5
+    vars:
54c0d5
+        filepath: /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
54c0d5
+        contents: |+
54c0d5
+            {{{ file_contents_audit_access_success|indent(12) }}}
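Review bot: The embedded comment `## These next two are likely to result in a whole lot of events` is the most operationally important fact about this rule, but neither the description nor the rationale mentions it: every successful `open`/`openat`/`open_by_handle_at` by a user with `auid>=1000` is recorded, so audit log storage, rotation and the kernel backlog configured by audit_basic_configuration must be sized for that volume. I would add to the description: `This rule records every successful open by an interactive user and generates a very high volume of events; make sure the audit log size, rotation and backlog settings can absorb it before enabling it.` The whitespace-only line after the closing note is also a leftover.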
54c0d5
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_access_success/tests/correct_rules.pass.sh
54c0d5
new file mode 100644
54c0d5
index 000000000..7092f2c47
54c0d5
--- /dev/null
54c0d5
+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success/tests/correct_rules.pass.sh
54c0d5
@@ -0,0 +1 @@
54c0d5
+cp $SHARED/audit/30-ospp-v42-3-access-success.rules /etc/audit/rules.d/
54c0d5
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml
54c0d5
new file mode 100644
54c0d5
index 000000000..24cac20a2
54c0d5
--- /dev/null
54c0d5
+++ b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml
54c0d5
@@ -0,0 +1,66 @@
54c0d5
+documentation_complete: true
54c0d5
+
54c0d5
+prodtype: rhel8
54c0d5
+
54c0d5
+title: 'Configure basic parameters of Audit system'
54c0d5
+
54c0d5
+{{% set file_contents_audit_base_config =
54c0d5
+"## First rule - delete all
54c0d5
+-D
54c0d5
+
54c0d5
+## Increase the buffers to survive stress events.
54c0d5
+## Make this bigger for busy systems
54c0d5
+-b 8192
54c0d5
+
54c0d5
+## This determine how long to wait in burst of events
54c0d5
+--backlog_wait_time 60000
54c0d5
+
54c0d5
+## Set failure mode to syslog
54c0d5
+-f 1
54c0d5
+
54c0d5
+" %}}
54c0d5
+
54c0d5
+description: |-
54c0d5
+    Perform basic configuration of Audit system.
54c0d5
+    Make sure that any previously defined rules are cleared, the auditing system is configured to handle sudden bursts of events, and in cases of failure, messages are configured to be directed to system log.
54c0d5
+
54c0d5
+    The following rules configure audit as described above:
54c0d5
+    
{{{ file_contents_audit_base_config|indent }}}    
54c0d5
+
54c0d5
+    The <tt>Audit</tt> package provides pre-configured  rules in <tt>/usr/share/audit/sample-rules</tt>. The above content can be found in <tt>/usr/share/audit/sample-rules/10-base-config.rules</tt>.
54c0d5
+    To deploy this configuration, it is recommended to copy it over to the <tt>/etc/audit/rules.d/</tt> directory:
54c0d5
+    
54c0d5
+    cp /usr/share/audit/sample-rules/10-base-config.rules /etc/audit/rules.d/
54c0d5
+    
54c0d5
+    
54c0d5
+    Load new Audit rules into kernel by running:
54c0d5
+    
augenrules --load
54c0d5
+    
54c0d5
+
54c0d5
+rationale: |-
54c0d5
+    Without basic configurations, audit may not perform as expected. It may not be able to correctly handle events under stressful conditions, or log events in case of failure.
54c0d5
+
54c0d5
+severity: medium
54c0d5
+
54c0d5
+identifiers:
54c0d5
+    cce@rhel8: 82827-7
54c0d5
+
54c0d5
+references:
54c0d5
+    ospp: FAU_GEN.1.1.c
54c0d5
+    nist: AU-2(a)
54c0d5
+    srg: SRG-OS-000365-GPOS-00152,SRG-OS-000475-GPOS-00220
54c0d5
+
54c0d5
+ocil_clause: 'the file does not exist or the content differs'
54c0d5
+
54c0d5
+ocil: |-
54c0d5
+    To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
54c0d5
+    
cat /etc/audit/rules.d/10-base-config.rules
54c0d5
+    The output has to be exactly as follows:
54c0d5
+    
{{{ file_contents_audit_base_config|indent }}}    
54c0d5
+
54c0d5
+template:
54c0d5
+    name: audit_file_contents
54c0d5
+    vars:
54c0d5
+        filepath: /etc/audit/rules.d/10-base-config.rules
54c0d5
+        contents: |+
54c0d5
+            {{{ file_contents_audit_base_config|indent(12) }}}
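Review bot: The description should say that the leading `-D` relies on `10-base-config.rules` sorting first: augenrules(8) merges `/etc/audit/rules.d/*.rules` in natural sort order, so any rules file whose name sorts before `10-` is silently discarded by this one, and the content check implemented here cannot detect that. I would add to the description: `This file must remain the first file merged from /etc/audit/rules.d/; the -D it contains discards any rule loaded before it.` `-f 1` selects the printk/syslog failure mode; since some deployments require audit failure to halt the system (`-f 2`), the description could also note that this value is the sample file's choice and that the rule's exact-match check will report a hardened `-f 2` as non-compliant.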
54c0d5
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/correct_rules.pass.sh
54c0d5
new file mode 100644
54c0d5
index 000000000..2335ce458
54c0d5
--- /dev/null
54c0d5
+++ b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/correct_rules.pass.sh
54c0d5
@@ -0,0 +1,3 @@
54c0d5
+# profiles = xccdf_org.ssgproject.content_profile_ospp
54c0d5
+
54c0d5
+cp $SHARED/audit/10-base-config.rules /etc/audit/rules.d/
54c0d5
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/file_missing.fail.sh b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/file_missing.fail.sh
54c0d5
new file mode 100644
54c0d5
index 000000000..aa506a736
54c0d5
--- /dev/null
54c0d5
+++ b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/file_missing.fail.sh
54c0d5
@@ -0,0 +1,3 @@
54c0d5
+# profiles = xccdf_org.ssgproject.content_profile_ospp
54c0d5
+
54c0d5
+rm -f /etc/audit/rules.d/10-base-config.rules
54c0d5
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/file_not_identical.fail.sh b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/file_not_identical.fail.sh
54c0d5
new file mode 100644
54c0d5
index 000000000..4e7ce04c5
54c0d5
--- /dev/null
54c0d5
+++ b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/file_not_identical.fail.sh
54c0d5
@@ -0,0 +1,4 @@
54c0d5
+# profiles = xccdf_org.ssgproject.content_profile_ospp
54c0d5
+
54c0d5
+cp /usr/share/audit/sample-rules/10-base-config.rules /etc/audit/rules.d/
54c0d5
+echo "some additional text" >> /etc/audit/rules.d/10-base-config.rules
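Review bot: This fail scenario seeds the file from `/usr/share/audit/sample-rules/10-base-config.rules` while the matching pass scenario uses `$SHARED/audit/10-base-config.rules`; if the installed audit package ships a sample that already differs from the content embedded in rule.yml, the scenario fails before the appended line matters and the "content differs only by an extra line" case is never really exercised. Use the same fixture as the pass test, `cp $SHARED/audit/10-base-config.rules /etc/audit/rules.d/`, followed by the existing `echo`.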
54c0d5
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml
54c0d5
new file mode 100644
54c0d5
index 000000000..7cd677661
54c0d5
--- /dev/null
54c0d5
+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml
54c0d5
@@ -0,0 +1,66 @@
54c0d5
+documentation_complete: true
54c0d5
+
54c0d5
+prodtype: rhel8
54c0d5
+
54c0d5
+title: 'Configure auditing of unsuccessful file creations'
54c0d5
+
54c0d5
+{{% set file_contents_audit_create_failed =
54c0d5
+"## Unsuccessful file creation (open with O_CREAT)
54c0d5
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
54c0d5
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
54c0d5
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
54c0d5
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
54c0d5
+-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
54c0d5
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
54c0d5
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
54c0d5
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
54c0d5
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
54c0d5
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
54c0d5
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
54c0d5
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
54c0d5
+" %}}
54c0d5
+
54c0d5
+description: |-
54c0d5
+    Ensure that unsuccessful attempts to create a file are audited.
54c0d5
+
54c0d5
+    The following rules configure audit as described above:
54c0d5
+    
{{{ file_contents_audit_create_failed|indent }}}    
54c0d5
+
54c0d5
+    The <tt>Audit</tt> package provides pre-configured  rules in <tt>/usr/share/audit/sample-rules</tt>. The above content can be found in <tt>/usr/share/audit/sample-rules/30-ospp-v42-1-create-failed.rules</tt>.
54c0d5
+    To deploy this configuration, it is recommended to copy it over to the <tt>/etc/audit/rules.d/</tt> directory:
54c0d5
+    
54c0d5
+    cp /usr/share/audit/sample-rules/30-ospp-v42-1-create-failed.rules /etc/audit/rules.d/
54c0d5
+    
54c0d5
+    
54c0d5
+    Load new Audit rules into kernel by running:
54c0d5
+    
augenrules --load
54c0d5
+    
54c0d5
+    Note: This rule utilizes a file provided by <tt>Audit</tt> package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
54c0d5
+
54c0d5
+rationale: |-
54c0d5
+    Unsuccessful file creations might be a sign of a malicious action being performed on the system. Keeping log of such events helps in monitoring and investigation of such actions.
54c0d5
+
54c0d5
+severity: medium
54c0d5
+
54c0d5
+identifiers:
54c0d5
+    cce@rhel8: 82374-0
54c0d5
+
54c0d5
+references:
54c0d5
+    ospp: FAU_GEN.1.1.c
54c0d5
+    nist: AU-2(a)
54c0d5
+    srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205
54c0d5
+
54c0d5
+ocil_clause: 'the file does not exist or the content differs'
54c0d5
+
54c0d5
+ocil: |-
54c0d5
+    To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
54c0d5
+    
cat /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
54c0d5
+    The output has to be exactly as follows:
54c0d5
+    
{{{ file_contents_audit_create_failed|indent }}}    
54c0d5
+
54c0d5
+template:
54c0d5
+    name: audit_file_contents
54c0d5
+    vars:
54c0d5
+        filepath: /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
54c0d5
+        contents: |+
54c0d5
+            {{{ file_contents_audit_create_failed|indent(12) }}}
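Review bot: The description says unsuccessful attempts to create a file are audited, but the rules only match `exit=-EACCES` and `exit=-EPERM`, so creations refused for other reasons (read-only filesystem, quota, missing parent directory) are not recorded, and the description should state that scope so readers do not assume full coverage. The `-F a2&0100` / `-F a1&0100` filters are also unexplained; I would add: `Only creations refused with EACCES or EPERM are captured. The a1&0100 (open) and a2&0100 (openat, open_by_handle_at) filters match calls with O_CREAT set in the flags argument; creat() is matched without a flags filter.`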
54c0d5
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/tests/correct_rules.pass.sh
54c0d5
new file mode 100644
54c0d5
index 000000000..9a7fe431a
54c0d5
--- /dev/null
54c0d5
+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/tests/correct_rules.pass.sh
54c0d5
@@ -0,0 +1 @@
54c0d5
+cp $SHARED/audit/30-ospp-v42-1-create-failed.rules /etc/audit/rules.d/
54c0d5
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml
54c0d5
new file mode 100644
54c0d5
index 000000000..4c933ec50
54c0d5
--- /dev/null
54c0d5
+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml
54c0d5
@@ -0,0 +1,59 @@
54c0d5
+documentation_complete: true
54c0d5
+
54c0d5
+prodtype: rhel8
54c0d5
+
54c0d5
+title: 'Configure auditing of successful file creations'
54c0d5
+
54c0d5
+{{% set file_contents_audit_create_success =
54c0d5
+"## Successful file creation (open with O_CREAT)
54c0d5
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
54c0d5
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
54c0d5
+-a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
54c0d5
+-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
54c0d5
+-a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
54c0d5
+-a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
54c0d5
+" %}}
54c0d5
+
54c0d5
+description: |-
54c0d5
+    Ensure that successful attempts to create a file are audited.
54c0d5
+
54c0d5
+    The following rules configure audit as described above:
54c0d5
+    
{{{ file_contents_audit_create_success |indent }}}    
54c0d5
+
54c0d5
+    The <tt>Audit</tt> package provides pre-configured  rules in <tt>/usr/share/audit/sample-rules</tt>. The above content can be found in <tt>/usr/share/audit/sample-rules/30-ospp-v42-1-create-success.rules</tt>.
54c0d5
+    To deploy this configuration, it is recommended to copy it over to the <tt>/etc/audit/rules.d/</tt> directory:
54c0d5
+    
54c0d5
+    cp /usr/share/audit/sample-rules/30-ospp-v42-1-create-success.rules /etc/audit/rules.d/
54c0d5
+    
54c0d5
+    
54c0d5
+    Load new Audit rules into kernel by running:
54c0d5
+    
augenrules --load
54c0d5
+    
54c0d5
+
54c0d5
+rationale: |-
54c0d5
+    Auditing of successful attempts to create a file helps in investigation of actions which happened on the system.
54c0d5
+
54c0d5
+severity: medium
54c0d5
+
54c0d5
+identifiers:
54c0d5
+    cce@rhel8: 82829-3
54c0d5
+
54c0d5
+references:
54c0d5
+    ospp: FAU_GEN.1.1.c
54c0d5
+    nist: AU-2(a)
54c0d5
+    srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205
54c0d5
+
54c0d5
+ocil_clause: 'the file does not exist or the content differs'
54c0d5
+
54c0d5
+ocil: |-
54c0d5
+    To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
54c0d5
+    
cat /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
54c0d5
+    The output has to be exactly as follows:
54c0d5
+    
{{{ file_contents_audit_create_success|indent }}}    
54c0d5
+
54c0d5
+template:
54c0d5
+    name: audit_file_contents
54c0d5
+    vars:
54c0d5
+        filepath: /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
54c0d5
+        contents: |+
54c0d5
+            {{{ file_contents_audit_create_success|indent(12) }}}
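Review bot: Unlike audit_access_failed, audit_access_success and audit_create_failed in this patch, the description of this rule lacks the closing `Note: This rule utilizes a file provided by <tt>Audit</tt> package to comply with OSPP 4.2.1 ...` paragraph, so it should get the same note for consistency. It would also help to say that the `a1&0100`/`a2&0100` filters restrict the open-family rules to calls with O_CREAT set, which is what makes this a creation rule rather than a duplicate of audit_access_success. The stray space in `file_contents_audit_create_success |indent` on the description line is harmless to Jinja but inconsistent with the other rules.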
54c0d5
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_success/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_create_success/tests/correct_rules.pass.sh
54c0d5
new file mode 100644
54c0d5
index 000000000..dcc4afe73
54c0d5
--- /dev/null
54c0d5
+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_success/tests/correct_rules.pass.sh
54c0d5
@@ -0,0 +1 @@
54c0d5
+cp $SHARED/audit/30-ospp-v42-1-create-success.rules /etc/audit/rules.d/
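Review bot: The pass test seeds /etc/audit/rules.d/ from `$SHARED/audit/30-ospp-v42-1-create-success.rules`, a third copy of the rule content alongside the literal embedded in rule.yml and the packaged sample file the description points to, so the test only proves that two in-repo copies agree and would not catch drift between rule.yml and `/usr/share/audit/sample-rules/`. If the test image ships the audit package, a variant that copies from `/usr/share/audit/sample-rules/` (the path the description instructs administrators to use) would exercise the documented remediation; the `$SHARED` copies are presumably added elsewhere in this patch, outside this chunk. The same applies to the other correct_rules.pass.sh hunks in this chunk (audit_delete_failed, audit_delete_success, audit_immutable_login_uids, audit_modify_failed, audit_modify_success, audit_module_load, audit_ospp_general).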
54c0d5
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml
54c0d5
new file mode 100644
54c0d5
index 000000000..b9084f217
54c0d5
--- /dev/null
54c0d5
+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml
54c0d5
@@ -0,0 +1,58 @@
54c0d5
+documentation_complete: true
54c0d5
+
54c0d5
+prodtype: rhel8
54c0d5
+
54c0d5
+title: 'Configure auditing of unsuccessful file deletions'
54c0d5
+
54c0d5
+{{% set file_contents_audit_delete_failed =
54c0d5
+"## Unsuccessful file delete
54c0d5
+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
54c0d5
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
54c0d5
+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
54c0d5
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
54c0d5
+" %}}
54c0d5
+
54c0d5
+description: |-
54c0d5
+    Ensure that unsuccessful attempts to delete a file are audited.
54c0d5
+
54c0d5
+    The following rules configure audit as described above:
54c0d5
+    
{{{ file_contents_audit_delete_failed|indent }}}    
54c0d5
+
54c0d5
+    The <tt>Audit</tt> package provides pre-configured  rules in <tt>/usr/share/audit/sample-rules</tt>. The above content can be found in <tt>/usr/share/audit/sample-rules/30-ospp-v42-4-delete-failed.rules</tt>.
54c0d5
+    To deploy this configuration, it is recommended to copy it over to the <tt>/etc/audit/rules.d/</tt> directory:
54c0d5
+    
54c0d5
+    cp /usr/share/audit/sample-rules/30-ospp-v42-4-delete-failed.rules /etc/audit/rules.d/
54c0d5
+    
54c0d5
+    
54c0d5
+    Load new Audit rules into kernel by running:
54c0d5
+    
augenrules --load
54c0d5
+    
54c0d5
+    Note: This rule utilizes a file provided by <tt>Audit</tt> package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
54c0d5
+
54c0d5
+rationale: |-
54c0d5
+    Unsuccessful attempts to delete a file might be signs of malicious activities. Auditing of such events help in monitoring and investigating of such activities. 
54c0d5
+
54c0d5
+severity: medium
54c0d5
+
54c0d5
+identifiers:
54c0d5
+    cce@rhel8: 82835-0
54c0d5
+
54c0d5
+references:
54c0d5
+    ospp: FAU_GEN.1.1.c
54c0d5
+    nist: AU-2(a)
54c0d5
+    srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212,SRG-OS-000467-GPOS-00211
54c0d5
+
54c0d5
+ocil_clause: 'the file does not exist or the content differs'
54c0d5
+
54c0d5
+ocil: |-
54c0d5
+    To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
54c0d5
+    
cat /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
54c0d5
+    The output has to be exactly as follows:
54c0d5
+    
{{{ file_contents_audit_delete_failed|indent }}}    
54c0d5
+
54c0d5
+template:
54c0d5
+    name: audit_file_contents
54c0d5
+    vars:
54c0d5
+        filepath: /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
54c0d5
+        contents: |+
54c0d5
+            {{{ file_contents_audit_delete_failed|indent(12) }}}
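Review bot: `alligned` in the description's closing note (`... make sure that they are alligned with your needs.`) should read `aligned`, and `provides pre-configured  rules` carries a double space. The rationale's `Auditing of such events help in monitoring and investigating of such activities.` reads better as `Auditing of such events helps in monitoring and investigating such activities.` and has trailing whitespace. The same note text with the same misspelling recurs in the audit_delete_success, audit_modify_failed, audit_modify_success and audit_ospp_general rule.yml hunks below, and the double space also appears in audit_immutable_login_uids and audit_module_load.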
54c0d5
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/tests/correct_rules.pass.sh
54c0d5
new file mode 100644
54c0d5
index 000000000..9ae890203
54c0d5
--- /dev/null
54c0d5
+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/tests/correct_rules.pass.sh
54c0d5
@@ -0,0 +1 @@
54c0d5
+cp $SHARED/audit/30-ospp-v42-4-delete-failed.rules /etc/audit/rules.d/
54c0d5
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml
54c0d5
new file mode 100644
54c0d5
index 000000000..7d445d751
54c0d5
--- /dev/null
54c0d5
+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml
54c0d5
@@ -0,0 +1,57 @@
54c0d5
+documentation_complete: true
54c0d5
+
54c0d5
+prodtype: rhel8
54c0d5
+
54c0d5
+title: 'Configure auditing of successful file deletions'
54c0d5
+
54c0d5
+{{% set file_contents_audit_delete_success =
54c0d5
+"## Successful file delete
54c0d5
+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
54c0d5
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
54c0d5
+" %}}
54c0d5
+
54c0d5
+description: |-
54c0d5
+    Ensure that successful attempts to delete a file are audited.
54c0d5
+
54c0d5
+    The following rules configure audit as described above:
54c0d5
+    
{{{ file_contents_audit_delete_success|indent }}}    
54c0d5
+
54c0d5
+    The <tt>Audit</tt> package provides pre-configured  rules in <tt>/usr/share/audit/sample-rules</tt>. The above content can be found in <tt>/usr/share/audit/sample-rules/30-ospp-v42-4-delete-success.rules</tt>.
54c0d5
+    To deploy this configuration, it is recommended to copy it over to the <tt>/etc/audit/rules.d/</tt> directory:
54c0d5
+    
54c0d5
+    cp /usr/share/audit/sample-rules/30-ospp-v42-4-delete-success.rules /etc/audit/rules.d/
54c0d5
+    
54c0d5
+    
54c0d5
+    Load new Audit rules into kernel by running:
54c0d5
+    
augenrules --load
54c0d5
+    
54c0d5
+    Note: This rule utilizes a file provided by <tt>Audit</tt> package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
54c0d5
+    
54c0d5
+
54c0d5
+rationale: |-
54c0d5
+    Auditing of successful attempts to delete a file may help in monitoring and investigation of activities performed on the system.
54c0d5
+
54c0d5
+severity: medium
54c0d5
+
54c0d5
+identifiers:
54c0d5
+    cce@rhel8: 82836-8
54c0d5
+
54c0d5
+references:
54c0d5
+    ospp: FAU_GEN.1.1.c
54c0d5
+    nist: AU-2(a)
54c0d5
+    srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212,SRG-OS-000467-GPOS-00211
54c0d5
+
54c0d5
+ocil_clause: 'the file does not exist or the content differs'
54c0d5
+
54c0d5
+ocil: |-
54c0d5
+    To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
54c0d5
+    
cat /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
54c0d5
+    The output has to be exactly as follows:
54c0d5
+    
{{{ file_contents_audit_delete_success|indent }}}    
54c0d5
+
54c0d5
+template:
54c0d5
+    name: audit_file_contents
54c0d5
+    vars:
54c0d5
+        filepath: /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
54c0d5
+        contents: |+
54c0d5
+            {{{ file_contents_audit_delete_success|indent(12) }}}
54c0d5
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/correct_rules.pass.sh
54c0d5
new file mode 100644
54c0d5
index 000000000..0a348baf6
54c0d5
--- /dev/null
54c0d5
+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/correct_rules.pass.sh
54c0d5
@@ -0,0 +1 @@
54c0d5
+cp $SHARED/audit/30-ospp-v42-4-delete-success.rules /etc/audit/rules.d/
54c0d5
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/failed_delete_rules.fail.sh b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/failed_delete_rules.fail.sh
54c0d5
new file mode 100644
54c0d5
index 000000000..9ae890203
54c0d5
--- /dev/null
54c0d5
+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/failed_delete_rules.fail.sh
54c0d5
@@ -0,0 +1 @@
54c0d5
+cp $SHARED/audit/30-ospp-v42-4-delete-failed.rules /etc/audit/rules.d/
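Review bot: This fail scenario copies `30-ospp-v42-4-delete-failed.rules` into /etc/audit/rules.d/ but leaves the path the template checks, `/etc/audit/rules.d/30-ospp-v42-4-delete-success.rules`, absent, so it fails for the same reason as no_rule.fail.sh (file missing) and never exercises the "content differs" half of the ocil_clause. To cover the wrong-content case, write the failed-delete rules to the success file's path: `cp $SHARED/audit/30-ospp-v42-4-delete-failed.rules /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules`. This is inferred from the template vars in the rule.yml hunk above; the audit_file_contents template itself is not in this chunk.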
54c0d5
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/no_rule.fail.sh b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/no_rule.fail.sh
54c0d5
new file mode 100644
54c0d5
index 000000000..3acb94ab6
54c0d5
--- /dev/null
54c0d5
+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/no_rule.fail.sh
54c0d5
@@ -0,0 +1 @@
54c0d5
+rm -f /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules.
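Review bot: The path ends in a stray dot, `30-ospp-v42-4-delete-success.rules.`, so `rm -f` removes a non-existent file and any real rules file is left in place; the scenario only fails today because nothing created the file in a fresh test environment, which hides the mistake. Drop the trailing character: `rm -f /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules`.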
54c0d5
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
54c0d5
new file mode 100644
54c0d5
index 000000000..eb87848e8
54c0d5
--- /dev/null
54c0d5
+++ b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
54c0d5
@@ -0,0 +1,54 @@
54c0d5
+documentation_complete: true
54c0d5
+
54c0d5
+prodtype: rhel8
54c0d5
+
54c0d5
+title: 'Configure immutable Audit login UIDs'
54c0d5
+
54c0d5
+{{% set file_contents_audit_immutable_login =
54c0d5
+"## Make the loginuid immutable. This prevents tampering with the auid.
54c0d5
+--loginuid-immutable
54c0d5
+
54c0d5
+" %}}
54c0d5
+
54c0d5
+description: |-
54c0d5
+    Configure kernel to prevent modification of login UIDs once they are set. Changing login UUIDs while this configuration is enforced requires special capabilities which are not available to unprivileged users.   
54c0d5
+
54c0d5
+    The following rules configure audit as described above:
54c0d5
+    
{{{ file_contents_audit_immutable_login|indent }}}    
54c0d5
+
54c0d5
+    The <tt>Audit</tt> provides pre-configured  rules in <tt>/usr/share/audit/sample-rules</tt>. The above content can be found in <tt>/usr/share/audit/sample-rules/11-loginuid.rules</tt>.
54c0d5
+    To deploy this configuration, it is recommended to copy it over to the <tt>/etc/audit/rules.d/</tt> directory:
54c0d5
+    
54c0d5
+    cp /usr/share/audit/sample-rules/11-loginuid.rules /etc/audit/rules.d/
54c0d5
+    
54c0d5
+    
54c0d5
+    Load new Audit rules into kernel by running:
54c0d5
+    
augenrules --load
54c0d5
+
54c0d5
+rationale: |-
54c0d5
+    If modification of login UIDs is not prevented, they can be changed by unprivileged users and make auditing complicated or impossible. 
54c0d5
+
54c0d5
+severity: medium
54c0d5
+
54c0d5
+identifiers:
54c0d5
+    cce@rhel8: 82828-5
54c0d5
+
54c0d5
+references:
54c0d5
+    ospp: FAU_GEN.1.1.c
54c0d5
+    nist: AU-2(a)
54c0d5
+    srg: SRG-OS-000462-GPOS-00206,SRG-OS-000475-GPOS-00220
54c0d5
+
54c0d5
+ocil_clause: 'the file does not exist or the content differs'
54c0d5
+
54c0d5
+ocil: |-
54c0d5
+    To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
54c0d5
+    
cat /etc/audit/rules.d/11-loginuid.rules
54c0d5
+    The output has to be exactly as follows:
54c0d5
+    
{{{ file_contents_audit_immutable_login|indent }}}    
54c0d5
+
54c0d5
+template:
54c0d5
+    name: audit_file_contents
54c0d5
+    vars:
54c0d5
+        filepath: /etc/audit/rules.d/11-loginuid.rules
54c0d5
+        contents: |+
54c0d5
+            {{{ file_contents_audit_immutable_login|indent(12) }}}
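Review bot: The description says `Changing login UUIDs` where it means `login UIDs`. The sentence after it and the rationale also misstate what the flag protects against: as I read the kernel's audit feature semantics, without `--loginuid-immutable` changing the auid already requires CAP_AUDIT_CONTROL rather than being available to unprivileged users, and with the flag set the auid cannot be changed once set even by a privileged process, so please confirm and reword the rationale along the lines of `Without this setting a privileged process (CAP_AUDIT_CONTROL) can rewrite its login UID and thereby disassociate later actions from the session that performed them.` The line `The <tt>Audit</tt> provides pre-configured  rules` is also missing `package` and has a double space, unlike the other rule.yml files in this patch.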
54c0d5
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/tests/correct_rules.pass.sh
54c0d5
new file mode 100644
54c0d5
index 000000000..42178a67d
54c0d5
--- /dev/null
54c0d5
+++ b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/tests/correct_rules.pass.sh
54c0d5
@@ -0,0 +1 @@
54c0d5
+cp $SHARED/audit/11-loginuid.rules /etc/audit/rules.d/
54c0d5
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml
54c0d5
new file mode 100644
54c0d5
index 000000000..e9a24d9f5
54c0d5
--- /dev/null
54c0d5
+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml
54c0d5
@@ -0,0 +1,66 @@
54c0d5
+documentation_complete: true
54c0d5
+
54c0d5
+prodtype: rhel8
54c0d5
+
54c0d5
+title: 'Configure auditing of unsuccessful file modifications'
54c0d5
+
54c0d5
+{{% set file_contents_audit_modify_failed =
54c0d5
+"## Unsuccessful file modifications (open for write or truncate)
54c0d5
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
54c0d5
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
54c0d5
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
54c0d5
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
54c0d5
+-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
54c0d5
+-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
54c0d5
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
54c0d5
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
54c0d5
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
54c0d5
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
54c0d5
+-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
54c0d5
+-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
54c0d5
+" %}}
54c0d5
+
54c0d5
+description: |-
54c0d5
+    Ensure that unsuccessful attempts to modify a file are audited.
54c0d5
+
54c0d5
+    The following rules configure audit as described above:
54c0d5
+    
{{{ file_contents_audit_modify_failed|indent }}}    
54c0d5
+
54c0d5
+    The <tt>Audit</tt> package provides pre-configured  rules in <tt>/usr/share/audit/sample-rules</tt>. The above content can be found in <tt>/usr/share/audit/sample-rules/30-ospp-v42-2-modify-failed.rules</tt>.
54c0d5
+    To deploy this configuration, it is recommended to copy it over to the <tt>/etc/audit/rules.d/</tt> directory:
54c0d5
+    
54c0d5
+    cp /usr/share/audit/sample-rules/30-ospp-v42-2-modify-failed.rules /etc/audit/rules.d/
54c0d5
+    
54c0d5
+    
54c0d5
+    Load new Audit rules into kernel by running:
54c0d5
+    
augenrules --load
54c0d5
+    
54c0d5
+    Note: This rule utilizes a file provided by <tt>Audit</tt> package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
54c0d5
+
54c0d5
+rationale: |-
54c0d5
+    Unsuccessful file modifications might be a sign of a malicious action being performed on the system. Auditing of such events helps in detection and investigation of such actions.
54c0d5
+
54c0d5
+severity: medium
54c0d5
+
54c0d5
+identifiers:
54c0d5
+    cce@rhel8: 82830-1
54c0d5
+
54c0d5
+references:
54c0d5
+    ospp: FAU_GEN.1.1.c
54c0d5
+    nist: AU-2(a)
54c0d5
+    srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205
54c0d5
+
54c0d5
+ocil_clause: 'the file does not exist or the content differs'
54c0d5
+
54c0d5
+ocil: |-
54c0d5
+    To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
54c0d5
+    
cat /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
54c0d5
+    The output has to be exactly as follows:
54c0d5
+    
{{{ file_contents_audit_modify_failed|indent }}}    
54c0d5
+
54c0d5
+template:
54c0d5
+    name: audit_file_contents
54c0d5
+    vars:
54c0d5
+        filepath: /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
54c0d5
+        contents: |+
54c0d5
+            {{{ file_contents_audit_modify_failed|indent(12) }}}
54c0d5
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/tests/correct_rules.pass.sh
54c0d5
new file mode 100644
54c0d5
index 000000000..58a11a63c
54c0d5
--- /dev/null
54c0d5
+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/tests/correct_rules.pass.sh
54c0d5
@@ -0,0 +1 @@
54c0d5
+cp $SHARED/audit/30-ospp-v42-2-modify-failed.rules /etc/audit/rules.d/
54c0d5
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml
54c0d5
new file mode 100644
54c0d5
index 000000000..71c313ece
54c0d5
--- /dev/null
54c0d5
+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml
54c0d5
@@ -0,0 +1,61 @@
54c0d5
+documentation_complete: true
54c0d5
+
54c0d5
+prodtype: rhel8
54c0d5
+
54c0d5
+title: 'Configure auditing of successful file modifications'
54c0d5
+
54c0d5
+{{% set file_contents_audit_modify_success =
54c0d5
+"## Successful file modifications (open for write or truncate)
54c0d5
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
54c0d5
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
54c0d5
+-a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
54c0d5
+-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
54c0d5
+-a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
54c0d5
+-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
54c0d5
+" %}}
54c0d5
+
54c0d5
+description: |-
54c0d5
+    Ensure that successful attempts to modify a file are audited.
54c0d5
+
54c0d5
+    The following rules configure audit as described above:
54c0d5
+    
{{{ file_contents_audit_modify_success|indent }}}    
54c0d5
+
54c0d5
+    The <tt>Audit</tt> package provides pre-configured  rules in <tt>/usr/share/audit/sample-rules</tt>. The above content can be found in <tt>/usr/share/audit/sample-rules/30-ospp-v42-2-modify-success.rules</tt>.
54c0d5
+    To deploy this configuration, it is recommended to copy it over to the <tt>/etc/audit/rules.d/</tt> directory:
54c0d5
+    
54c0d5
+    cp /usr/share/audit/sample-rules/30-ospp-v42-2-modify-success.rules /etc/audit/rules.d/
54c0d5
+    
54c0d5
+    
54c0d5
+    Load new Audit rules into kernel by running:
54c0d5
+    
augenrules --load
54c0d5
+    
54c0d5
+    Note: This rule utilizes a file provided by <tt>Audit</tt> package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
54c0d5
+
54c0d5
+
54c0d5
+rationale: |-
54c0d5
+    Auditing of successful attempts to modify a file helps in investigation of actions which happened on the system.
54c0d5
+
54c0d5
+severity: medium
54c0d5
+
54c0d5
+identifiers:
54c0d5
+    cce@rhel8: 82832-7
54c0d5
+
54c0d5
+references:
54c0d5
+    ospp: FAU_GEN.1.1.c
54c0d5
+    nist: AU-2(a)
54c0d5
+    srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205
54c0d5
+
54c0d5
+ocil_clause: 'the file does not exist or the content differs'
54c0d5
+
54c0d5
+ocil: |-
54c0d5
+    To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
54c0d5
+    
cat /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
54c0d5
+    The output has to be exactly as follows:
54c0d5
+    
{{{ file_contents_audit_modify_success|indent }}}    
54c0d5
+
54c0d5
+template:
54c0d5
+    name: audit_file_contents
54c0d5
+    vars:
54c0d5
+        filepath: /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
54c0d5
+        contents: |+
54c0d5
+            {{{ file_contents_audit_modify_success|indent(12) }}}
54c0d5
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_success/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/tests/correct_rules.pass.sh
54c0d5
new file mode 100644
54c0d5
index 000000000..163ffa5db
54c0d5
--- /dev/null
54c0d5
+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/tests/correct_rules.pass.sh
54c0d5
@@ -0,0 +1 @@
54c0d5
+cp $SHARED/audit/30-ospp-v42-2-modify-success.rules /etc/audit/rules.d/
54c0d5
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml
54c0d5
new file mode 100644
54c0d5
index 000000000..30be01ce0
54c0d5
--- /dev/null
54c0d5
+++ b/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml
54c0d5
@@ -0,0 +1,58 @@
54c0d5
+documentation_complete: true
54c0d5
+
54c0d5
+prodtype: rhel8
54c0d5
+
54c0d5
+title: 'Configure auditing of loading and unloading of kernel modules'
54c0d5
+
54c0d5
+{{% set file_contents_audit_module_load =
54c0d5
+"## These rules watch for kernel module insertion. By monitoring
54c0d5
+## the syscall, we do not need any watches on programs.
54c0d5
+-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
54c0d5
+-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
54c0d5
+-a always,exit -F arch=b32 -S delete_module -F key=module-unload
54c0d5
+-a always,exit -F arch=b64 -S delete_module -F key=module-unload
54c0d5
+" %}}
54c0d5
+
54c0d5
+description: |-
54c0d5
+    Ensure that loading and unloading of kernel modules is audited.
54c0d5
+
54c0d5
+    The following rules configure audit as described above:
54c0d5
+    
{{{ file_contents_audit_module_load|indent }}}    
54c0d5
+
54c0d5
+    The <tt>Audit</tt> package provides pre-configured  rules in <tt>/usr/share/audit/sample-rules</tt>. The above content can be found in <tt>/usr/share/audit/sample-rules/43-module-load.rules</tt>.
54c0d5
+    To deploy this configuration, it is recommended to copy it over to the <tt>/etc/audit/rules.d/</tt> directory:
54c0d5
+    
54c0d5
+    cp /usr/share/audit/sample-rules/43-module-load.rules /etc/audit/rules.d/
54c0d5
+    
54c0d5
+    
54c0d5
+    Load new Audit rules into kernel by running:
54c0d5
+    
augenrules --load
54c0d5
+
54c0d5
+
54c0d5
+rationale: |-
54c0d5
+    Loading of a malicious kernel module introduces a risk to the system, as the module has access to sensitive data and perform actions at the operating system kernel level. Having such events audited helps in monitoring and investigating of malicious activities.
54c0d5
+
54c0d5
+severity: medium
54c0d5
+
54c0d5
+identifiers:
54c0d5
+    cce@rhel8: 82838-4
54c0d5
+
54c0d5
+references:
54c0d5
+    ospp: FAU_GEN.1.1.c
54c0d5
+    nist: AU-2(a)
54c0d5
+    srg: SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222,SRG-OS-000475-GPOS-00220
54c0d5
+
54c0d5
+ocil_clause: 'the file does not exist or the content differs'
54c0d5
+
54c0d5
+ocil: |-
54c0d5
+    To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
54c0d5
+    
cat /etc/audit/rules.d/43-module-load.rules
54c0d5
+    The output has to be exactly as follows:
54c0d5
+    
{{{ file_contents_audit_module_load|indent }}}    
54c0d5
+
54c0d5
+template:
54c0d5
+    name: audit_file_contents
54c0d5
+    vars:
54c0d5
+        filepath: /etc/audit/rules.d/43-module-load.rules
54c0d5
+        contents: |+
54c0d5
+            {{{ file_contents_audit_module_load|indent(12) }}}
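Review bot: The rationale's `the module has access to sensitive data and perform actions at the operating system kernel level` does not parse; suggest `a module has access to sensitive data and can perform actions at the operating system kernel level`. There are also two blank lines between the description's `augenrules --load` line and `rationale:`, where the other rule.yml files in this patch use one.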
54c0d5
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_module_load/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_module_load/tests/correct_rules.pass.sh
54c0d5
new file mode 100644
54c0d5
index 000000000..c2d651e4c
54c0d5
--- /dev/null
54c0d5
+++ b/linux_os/guide/system/auditing/policy_rules/audit_module_load/tests/correct_rules.pass.sh
54c0d5
@@ -0,0 +1 @@
54c0d5
+cp $SHARED/audit/43-module-load.rules /etc/audit/rules.d/
54c0d5
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
54c0d5
new file mode 100644
54c0d5
index 000000000..0649e0682
54c0d5
--- /dev/null
54c0d5
+++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
54c0d5
@@ -0,0 +1,138 @@
54c0d5
+documentation_complete: true
54c0d5
+
54c0d5
+prodtype: rhel8
54c0d5
+
54c0d5
+title: 'Perform general configuration of Audit for OSPP'
54c0d5
+
54c0d5
+{{% set file_contents_audit_ospp_general =
54c0d5
+"## The purpose of these rules is to meet the requirements for Operating
54c0d5
+## System Protection Profile (OSPP)v4.2. These rules depends on having
54c0d5
+## the following rule files copied to /etc/audit/rules.d:
54c0d5
+##
54c0d5
+## 10-base-config.rules, 11-loginuid.rules,
54c0d5
+## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules,
54c0d5
+## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules,
54c0d5
+## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules,
54c0d5
+## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules,
54c0d5
+## 30-ospp-v42-5-perm-change-failed.rules,
54c0d5
+## 30-ospp-v42-5-perm-change-success.rules,
54c0d5
+## 30-ospp-v42-6-owner-change-failed.rules,
54c0d5
+## 30-ospp-v42-6-owner-change-success.rules
54c0d5
+##
54c0d5
+## original copies may be found in /usr/share/audit/sample-rules/
54c0d5
+
54c0d5
+
54c0d5
+## User add delete modify. This is covered by pam. However, someone could
54c0d5
+## open a file and directly create or modify a user, so we'll watch passwd and
54c0d5
+## shadow for writes
54c0d5
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
54c0d5
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
54c0d5
+-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
54c0d5
+-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
54c0d5
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
54c0d5
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
54c0d5
+-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
54c0d5
+-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
54c0d5
+
54c0d5
+## User enable and disable. This is entirely handled by pam.
54c0d5
+
54c0d5
+## Group add delete modify. This is covered by pam. However, someone could
54c0d5
+## open a file and directly create or modify a user, so we'll watch group and
54c0d5
+## gshadow for writes
54c0d5
+-a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
54c0d5
+-a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
54c0d5
+-a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
54c0d5
+-a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
54c0d5
+
54c0d5
+
54c0d5
+## Use of special rights for config changes. This would be use of setuid
54c0d5
+## programs that relate to user accts. This is not all setuid apps because
54c0d5
+## requirements are only for ones that affect system configuration.
54c0d5
+-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
54c0d5
+-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
54c0d5
+-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
54c0d5
+-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
54c0d5
+-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
54c0d5
+-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
54c0d5
+-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
54c0d5
+-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
54c0d5
+-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
54c0d5
+-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
54c0d5
+-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
54c0d5
+-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
54c0d5
+-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
54c0d5
+
54c0d5
+## Privilege escalation via su or sudo. This is entirely handled by pam.
54c0d5
+
54c0d5
+## Audit log access
54c0d5
+-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
54c0d5
+## Attempts to Alter Process and Session Initiation Information
54c0d5
+-a always,exit -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
54c0d5
+-a always,exit -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
54c0d5
+-a always,exit -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
54c0d5
+
54c0d5
+## Attempts to modify MAC controls
54c0d5
+-a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy
54c0d5
+
54c0d5
+## Software updates. This is entirely handled by rpm.
54c0d5
+
54c0d5
+## System start and shutdown. This is entirely handled by systemd
54c0d5
+
54c0d5
+## Kernel Module loading. This is handled in 43-module-load.rules
54c0d5
+
54c0d5
+## Application invocation. The requirements list an optional requirement
54c0d5
+## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to
54c0d5
+## state results from that policy. This would be handled entirely by
54c0d5
+## that daemon.
54c0d5
+
54c0d5
+" %}}
54c0d5
+
54c0d5
+description: |-
54c0d5
+    Configure some basic <tt>Audit</tt> parameters specific for OSPP profile. 
54c0d5
+    In particular, configure <tt>Audit</tt> to watch for direct modification of files storing system user and group information, and usage of applications with special rights which can change system configuration.
54c0d5
+    Further audited events include access to audit log it self, attempts to Alter Process and Session Initiation Information, and attempts to modify MAC controls.
54c0d5
+    
54c0d5
+
54c0d5
+    The following rules configure audit as described above:
54c0d5
+    
{{{ file_contents_audit_ospp_general|indent }}}    
54c0d5
+
54c0d5
+    The <tt>Audit</tt> package provides pre-configured  rules in <tt>/usr/share/audit/sample-rules</tt>. The above content can be found in <tt>/usr/share/audit/sample-rules/30-ospp-v42.rules</tt>.
54c0d5
+    To deploy this configuration, it is recommended to copy it over to the <tt>/etc/audit/rules.d/</tt> directory:
54c0d5
+    
54c0d5
+    cp /usr/share/audit/sample-rules/30-ospp-v42.rules /etc/audit/rules.d/
54c0d5
+    
54c0d5
+    
54c0d5
+    Load new Audit rules into kernel by running:
54c0d5
+    
augenrules --load
54c0d5
+    
54c0d5
+    Note: This rule utilizes a file provided by <tt>Audit</tt> package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
54c0d5
+
54c0d5
+
54c0d5
+
54c0d5
+rationale: |-
54c0d5
+    Auditing of events listed in the description provides data for monitoring and investigation of potentially malicious events e.g. tampering with <tt>Audit</tt> logs, malicious access to files storing information about system users and groups etc.
54c0d5
+
54c0d5
+severity: medium
54c0d5
+
54c0d5
+identifiers:
54c0d5
+    cce@rhel8: 82373-2
54c0d5
+
54c0d5
+references:
54c0d5
+    ospp: FAU_GEN.1.1.c
54c0d5
+    nist: AU-2(a)
54c0d5
+    srg: SRG-OS-000004-GPOS-00004,SRG-OS-000241-GPOS-00091,SRG-OS-000476-GPOS-00221,SRG-OS-000327-GPOS-00127,SRG-OS-000475-GPOS-00220,SRG-OS-000239-GPOS-00089,SRG-OS-000274-GPOS-00104,SRG-OS-000275-GPOS-00105,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121
54c0d5
+
54c0d5
+ocil_clause: 'the file does not exist or the content differs'
54c0d5
+
54c0d5
+ocil: |-
54c0d5
+    To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
54c0d5
+    
cat /etc/audit/rules.d/30-ospp-v42.rules
54c0d5
+    The output has to be exactly as follows:
54c0d5
+    
{{{ file_contents_audit_ospp_general|indent }}}    
54c0d5
+
54c0d5
+template:
54c0d5
+    name: audit_file_contents
54c0d5
+    vars:
54c0d5
+        filepath: /etc/audit/rules.d/30-ospp-v42.rules
54c0d5
+        contents: |+
54c0d5
+            {{{ file_contents_audit_ospp_general|indent(12) }}}
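Review bot: The description's `access to audit log it self` should be `access to the audit log itself`, and `attempts to Alter Process and Session Initiation Information` should be lower-cased to match the rest of the sentence. More substantively, the embedded file's header states that these rules depend on 10-base-config.rules, 11-loginuid.rules and the 30-ospp-v42-* files being present in /etc/audit/rules.d, yet this rule only checks its own file's contents; a sentence in the description pointing to the corresponding audit_basic_configuration, audit_immutable_login_uids and audit_*_failed/success rules would make that dependency visible to profile authors. As with every audit_file_contents rule in this patch, the check compares file contents only and cannot tell whether `augenrules --load` was run or auditd is active, which is worth stating in the ocil text so assessors do not read a pass as "rules are loaded in the kernel".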
54c0d5
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/tests/correct_rules.pass.sh
54c0d5
new file mode 100644
54c0d5
index 000000000..dcf3a88a6
54c0d5
--- /dev/null
54c0d5
+++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/tests/correct_rules.pass.sh
54c0d5
@@ -0,0 +1 @@
54c0d5
+cp $SHARED/audit/30-ospp-v42.rules /etc/audit/rules.d/
54c0d5
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml
54c0d5
new file mode 100644
54c0d5
index 000000000..1068fb8a9
54c0d5
--- /dev/null
54c0d5
+++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml
54c0d5
@@ -0,0 +1,59 @@
54c0d5
+documentation_complete: true
54c0d5
+
54c0d5
+prodtype: rhel8
54c0d5
+
54c0d5
+title: 'Configure auditing of unsuccessful ownership changes'
54c0d5
+
54c0d5
+{{% set file_contents_audit_owner_change_failed =
54c0d5
+"## Unsuccessful ownership change
54c0d5
+-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
54c0d5
+-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
54c0d5
+-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
54c0d5
+-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
54c0d5
+" %}}
54c0d5
+
54c0d5
+description: |-
54c0d5
+    Ensure that unsuccessful attempts to change an ownership of files or directories are audited.
54c0d5
+
54c0d5
+    The following rules configure audit as described above:
54c0d5
+    
{{{ file_contents_audit_owner_change_failed|indent }}}    
54c0d5
+
54c0d5
+    The <tt>Audit</tt> package provides pre-configured  rules in <tt>/usr/share/audit/sample-rules</tt>. The above content can be found in <tt>/usr/share/audit/sample-rules/30-ospp-v42-6-owner-change-failed.rules</tt>.
54c0d5
+    To deploy this configuration, it is recommended to copy it over to the <tt>/etc/audit/rules.d/</tt> directory:
54c0d5
+    
54c0d5
+    cp /usr/share/audit/sample-rules/30-ospp-v42-6-owner-change-failed.rules /etc/audit/rules.d/
54c0d5
+    
54c0d5
+    
54c0d5
+    Load new Audit rules into kernel by running:
54c0d5
+    
augenrules --load
54c0d5
+    
54c0d5
+    Note: This rule utilizes a file provided by <tt>Audit</tt> package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
54c0d5
+    
54c0d5
+
54c0d5
+rationale: |-
54c0d5
+    Unsuccessful attempts to change an ownership of files or directories might be signs of a malicious activity. Having such events audited helps in monitoring and investigation of such activities.
54c0d5
+
54c0d5
+severity: medium
54c0d5
+
54c0d5
+identifiers:
54c0d5
+    cce@rhel8: 82384-9
54c0d5
+
54c0d5
+references:
54c0d5
+    ospp: FAU_GEN.1.1.c
54c0d5
+    nist: AU-2(a)
54c0d5
+    srg: SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033
54c0d5
+
54c0d5
+ocil_clause: 'the file does not exist or the content differs'
54c0d5
+
54c0d5
+ocil: |-
54c0d5
+    To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
54c0d5
+    
cat /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
54c0d5
+    The output has to be exactly as follows:
54c0d5
+    
{{{ file_contents_audit_owner_change_failed|indent }}}    
54c0d5
+
54c0d5
+template:
54c0d5
+    name: audit_file_contents
54c0d5
+    vars:
54c0d5
+        filepath: /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
54c0d5
+        contents: |+
54c0d5
+            {{{ file_contents_audit_owner_change_failed|indent(12) }}}
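Review bot: The Note paragraph in the description misspells "aligned" as "alligned", and the same sentence is repeated verbatim in the owner_change_success, perm_change_failed and perm_change_success rule files in this patch, so the typo should be fixed in all four; the line should read `... make sure that they are aligned with your needs.` The sentence "The <tt>Audit</tt> package provides pre-configured  rules" also carries a double space before "rules". Since these strings are rendered into the published guide, the wording is worth a pass before the split rules ship.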
54c0d5
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/tests/correct_rules.pass.sh
54c0d5
new file mode 100644
54c0d5
index 000000000..b5227b4c5
54c0d5
--- /dev/null
54c0d5
+++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/tests/correct_rules.pass.sh
54c0d5
@@ -0,0 +1 @@
54c0d5
+cp $SHARED/audit/30-ospp-v42-6-owner-change-failed.rules /etc/audit/rules.d/
54c0d5
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml
54c0d5
new file mode 100644
54c0d5
index 000000000..6ffa0e4fc
54c0d5
--- /dev/null
54c0d5
+++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml
54c0d5
@@ -0,0 +1,60 @@
54c0d5
+documentation_complete: true
54c0d5
+
54c0d5
+prodtype: rhel8
54c0d5
+
54c0d5
+title: 'Configure auditing of successful ownership changes'
54c0d5
+
54c0d5
+{{% set file_contents_audit_owner_change_success =
54c0d5
+"## Successful ownership change
54c0d5
+-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
54c0d5
+-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
54c0d5
+" %}}
54c0d5
+
54c0d5
+description: |-
54c0d5
+    Ensure that successful attempts to change an ownership of files or directories are audited.
54c0d5
+
54c0d5
+    The following rules configure audit as described above:
54c0d5
+    
{{{ file_contents_audit_owner_change_success|indent }}}    
54c0d5
+
54c0d5
+    The <tt>Audit</tt> package provides pre-configured  rules in <tt>/usr/share/audit/sample-rules</tt>. The above content can be found in <tt>/usr/share/audit/sample-rules/30-ospp-v42-6-owner-change-success.rules</tt>.
54c0d5
+    To deploy this configuration, it is recommended to copy it over to the <tt>/etc/audit/rules.d/</tt> directory:
54c0d5
+    
54c0d5
+    cp /usr/share/audit/sample-rules/30-ospp-v42-6-owner-change-success.rules /etc/audit/rules.d/
54c0d5
+    
54c0d5
+    
54c0d5
+    The file has the following SHA-256 checksum:
54c0d5
+    
7eb41a6aaf6737c2571b6424fae7fa53af4b41a9115b6c5732a5778ccd9900ad
54c0d5
+    
54c0d5
+    Load new Audit rules into kernel by running:
54c0d5
+    
augenrules --load
54c0d5
+    
54c0d5
+    Note: This rule utilizes a file provided by <tt>Audit</tt> package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
54c0d5
+
54c0d5
+
54c0d5
+rationale: |-
54c0d5
+    Auditing of successful ownership changes of files or directories helps in monitoring or investingating of activities performed on the system. 
54c0d5
+
54c0d5
+severity: medium
54c0d5
+
54c0d5
+identifiers:
54c0d5
+    cce@rhel8: 82385-6
54c0d5
+
54c0d5
+references:
54c0d5
+    ospp: FAU_GEN.1.1.c
54c0d5
+    nist: AU-2(a)
54c0d5
+    srg: SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033
54c0d5
+
54c0d5
+ocil_clause: 'the file does not exist or the content differs'
54c0d5
+
54c0d5
+ocil: |-
54c0d5
+    To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
54c0d5
+    
cat /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
54c0d5
+    The output has to be exactly as follows:
54c0d5
+    
{{{ file_contents_audit_owner_change_success|indent }}}    
54c0d5
+
54c0d5
+template:
54c0d5
+    name: audit_file_contents
54c0d5
+    vars:
54c0d5
+        filepath: /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
54c0d5
+        contents: |+
54c0d5
+            {{{ file_contents_audit_owner_change_success|indent(12) }}}
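Review bot: The hard-coded "The file has the following SHA-256 checksum:" paragraph in the description appears in none of the sibling split rules and will silently go stale the moment the embedded `{{% set file_contents_audit_owner_change_success %}}` block or the shipped sample file changes, because nothing in the patch derives it from the contents. I would either drop the paragraph to match the other rules or compute it at build time rather than pasting a literal digest. Independently, the rationale misspells "investigating" as "investingating" and ends with trailing whitespace; `Auditing of successful ownership changes of files or directories helps in monitoring or investigating of activities performed on the system.` reads correctly.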
54c0d5
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/tests/correct_rules.pass.sh
54c0d5
new file mode 100644
54c0d5
index 000000000..27eaf4a1f
54c0d5
--- /dev/null
54c0d5
+++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/tests/correct_rules.pass.sh
54c0d5
@@ -0,0 +1 @@
54c0d5
+cp $SHARED/audit/30-ospp-v42-6-owner-change-success.rules /etc/audit/rules.d/
54c0d5
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml
54c0d5
new file mode 100644
54c0d5
index 000000000..7be6299cb
54c0d5
--- /dev/null
54c0d5
+++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml
54c0d5
@@ -0,0 +1,58 @@
54c0d5
+documentation_complete: true
54c0d5
+
54c0d5
+prodtype: rhel8
54c0d5
+
54c0d5
+title: 'Configure auditing of unsuccessful permission changes'
54c0d5
+
54c0d5
+{{% set file_contents_audit_perm_change_failed =
54c0d5
+"## Unsuccessful permission change
54c0d5
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
54c0d5
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
54c0d5
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
54c0d5
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
54c0d5
+" %}}
54c0d5
+
54c0d5
+description: |-
54c0d5
+    Ensure that unsuccessful attempts to change file or directory permissions are audited.
54c0d5
+
54c0d5
+    The following rules configure audit as described above:
54c0d5
+    
{{{ file_contents_audit_perm_change_failed|indent }}}    
54c0d5
+
54c0d5
+    The <tt>Audit</tt> package provides pre-configured  rules in <tt>/usr/share/audit/sample-rules</tt>. The above content can be found in <tt>/usr/share/audit/sample-rules/30-ospp-v42-5-perm-change-failed.rules</tt>.
54c0d5
+    To deploy this configuration, it is recommended to copy it over to the <tt>/etc/audit/rules.d/</tt> directory:
54c0d5
+    
54c0d5
+    cp /usr/share/audit/sample-rules/30-ospp-v42-5-perm-change-failed.rules /etc/audit/rules.d/
54c0d5
+    
54c0d5
+    
54c0d5
+    Load new Audit rules into kernel by running:
54c0d5
+    
augenrules --load
54c0d5
+    
54c0d5
+    Note: This rule utilizes a file provided by <tt>Audit</tt> package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
54c0d5
+
54c0d5
+rationale: |-
54c0d5
+    Unsuccessful attempts to change permissions of files or directories might be signs of malicious activity. Having such events audited helps in monitoring and investigation of such activities. 
54c0d5
+
54c0d5
+severity: medium
54c0d5
+
54c0d5
+identifiers:
54c0d5
+    cce@rhel8: 82837-6
54c0d5
+
54c0d5
+references:
54c0d5
+    ospp: FAU_GEN.1.1.c
54c0d5
+    nist: AU-2(a)
54c0d5
+    srg: SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033
54c0d5
+
54c0d5
+ocil_clause: 'the file does not exist or the content differs'
54c0d5
+
54c0d5
+ocil: |-
54c0d5
+    To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
54c0d5
+    
cat /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
54c0d5
+    The output has to be exactly as follows:
54c0d5
+    
{{{ file_contents_audit_perm_change_failed|indent }}}    
54c0d5
+
54c0d5
+template:
54c0d5
+    name: audit_file_contents
54c0d5
+    vars:
54c0d5
+        filepath: /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
54c0d5
+        contents: |+
54c0d5
+            {{{ file_contents_audit_perm_change_failed|indent(12) }}}
54c0d5
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/tests/correct_rules.pass.sh
54c0d5
new file mode 100644
54c0d5
index 000000000..149fda66d
54c0d5
--- /dev/null
54c0d5
+++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/tests/correct_rules.pass.sh
54c0d5
@@ -0,0 +1 @@
54c0d5
+cp $SHARED/audit/30-ospp-v42-5-perm-change-failed.rules /etc/audit/rules.d/
54c0d5
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml
54c0d5
new file mode 100644
54c0d5
index 000000000..e2a247370
54c0d5
--- /dev/null
54c0d5
+++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml
54c0d5
@@ -0,0 +1,57 @@
54c0d5
+documentation_complete: true
54c0d5
+
54c0d5
+prodtype: rhel8
54c0d5
+
54c0d5
+title: 'Configure auditing of successful permission changes'
54c0d5
+
54c0d5
+{{% set file_contents_audit_perm_change_success =
54c0d5
+"## Successful permission change
54c0d5
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
54c0d5
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
54c0d5
+" %}}
54c0d5
+
54c0d5
+description: |-
54c0d5
+    Ensure that successful attempts to modify permissions of iles or directories are audited.
54c0d5
+
54c0d5
+    The following rules configure audit as described above:
54c0d5
+    
{{{ file_contents_audit_perm_change_success|indent }}}    
54c0d5
+
54c0d5
+    The <tt>Audit</tt> package provides pre-configured  rules in <tt>/usr/share/audit/sample-rules</tt>. The above content can be found in <tt>/usr/share/audit/sample-rules/30-ospp-v42-5-perm-change-success.rules</tt>.
54c0d5
+    To deploy this configuration, it is recommended to copy it over to the <tt>/etc/audit/rules.d/</tt> directory:
54c0d5
+    
54c0d5
+    cp /usr/share/audit/sample-rules/30-ospp-v42-5-perm-change-success.rules /etc/audit/rules.d/
54c0d5
+    
54c0d5
+    
54c0d5
+    Load new Audit rules into kernel by running:
54c0d5
+    
augenrules --load
54c0d5
+    
54c0d5
+    Note: This rule utilizes a file provided by <tt>Audit</tt> package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
54c0d5
+
54c0d5
+
54c0d5
+rationale: |-
54c0d5
+    Auditing successful file or directory permission changes helps in monitoring and investigating of activities performed on the system.
54c0d5
+
54c0d5
+severity: medium
54c0d5
+
54c0d5
+identifiers:
54c0d5
+    cce@rhel8: 82383-1
54c0d5
+
54c0d5
+references:
54c0d5
+    ospp: FAU_GEN.1.1.c
54c0d5
+    nist: AU-2(a)
54c0d5
+    srg: SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033
54c0d5
+
54c0d5
+ocil_clause: 'the file does not exist or the content differs'
54c0d5
+
54c0d5
+ocil: |-
54c0d5
+    To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
54c0d5
+    
cat /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
54c0d5
+    The output has to be exactly as follows:
54c0d5
+    
{{{ file_contents_audit_perm_change_success|indent }}}    
54c0d5
+
54c0d5
+template:
54c0d5
+    name: audit_file_contents
54c0d5
+    vars:
54c0d5
+        filepath: /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
54c0d5
+        contents: |+
54c0d5
+            {{{ file_contents_audit_perm_change_success|indent(12) }}}
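Review bot: The first line of the description drops a letter: "permissions of iles or directories" should read `Ensure that successful attempts to modify permissions of files or directories are audited.` This text is user-facing in the generated guide, so it is worth correcting before the rule is published.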
54c0d5
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/tests/correct_rules.pass.sh
54c0d5
new file mode 100644
54c0d5
index 000000000..cfa6c3f90
54c0d5
--- /dev/null
54c0d5
+++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/tests/correct_rules.pass.sh
54c0d5
@@ -0,0 +1 @@
54c0d5
+cp $SHARED/audit/30-ospp-v42-5-perm-change-success.rules /etc/audit/rules.d/
54c0d5
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/oval/shared.xml b/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/oval/shared.xml
54c0d5
index 9e5b6032f..d25ea0840 100644
54c0d5
--- a/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/oval/shared.xml
54c0d5
+++ b/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/oval/shared.xml
54c0d5
@@ -1,15 +1,15 @@
54c0d5
 {{% macro audit_file_compare_criterion(file_id) %}}
54c0d5
-      <criterion comment="check {{{ file_id }}}.rules file" test_ref="test_compare_{{{ file_id }}}" />
54c0d5
+      <criterion comment="check {{{ file_id }}}.rules file" test_ref="test_compare_{{{ file_id }}}_old" />
54c0d5
 {{% endmacro %}}
54c0d5
 
54c0d5
 {{% macro audit_file_compare_test(file_id) %}}
54c0d5
   
54c0d5
   comment="Compare {{{ file_id }}}.rules file in /etc/audit/rules.d against file in /usr/share/doc/audit/"
54c0d5
-  id="test_compare_{{{ file_id }}}" version="1">
54c0d5
-    <ind:object object_ref="object_etc_{{{ file_id }}}" />
54c0d5
+  id="test_compare_{{{ file_id }}}_old" version="1">
54c0d5
+    <ind:object object_ref="object_etc_{{{ file_id }}}_old" />
54c0d5
     <ind:state state_ref="state_doc_{{{ file_id }}}" />
54c0d5
   </ind:textfilecontent54_test>
54c0d5
-  <ind:textfilecontent54_object id="object_etc_{{{ file_id }}}" version="1">
54c0d5
+  <ind:textfilecontent54_object id="object_etc_{{{ file_id }}}_old" version="1">
54c0d5
     <ind:filepath>/etc/audit/rules.d/{{{ file_id }}}.rules</ind:filepath>
54c0d5
     <ind:pattern operation="pattern match">(?:.*\n)*</ind:pattern>
54c0d5
     <ind:instance datatype="int">1</ind:instance>
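Review bot: The `_old` suffix is appended to the criterion test_ref, the test id and the object id, but the `state_doc_{{{ file_id }}}` state reference on the unchanged line keeps its old name, and nothing in the hunk explains why the suffix is needed at all. If the intent is to avoid OVAL id collisions with the ids the new `oval_file_contents` macro generates for the split rules (which is my reading, since both are built from file names), a one-line note such as `{{# ids carry an _old suffix so they do not collide with the test/object ids generated by oval_file_contents for the split OSPP rules #}}` above the macro would save the next maintainer from guessing, and the state id should either get the same treatment or a comment saying why it is exempt. The macro body continues past the end of the hunk.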
54c0d5
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
54c0d5
index ef3ced501..5d3713ec7 100644
54c0d5
--- a/rhel8/profiles/ospp.profile
54c0d5
+++ b/rhel8/profiles/ospp.profile
54c0d5
@@ -377,7 +377,22 @@ selections:
54c0d5
     ## AU-2(a) / FAU_GEN.1.1.c
54c0d5
     ## Audit Kernel Module Loading and Unloading Events (Success/Failure)
54c0d5
     ## AU-2(a) / FAU_GEN.1.1.c
54c0d5
-    - audit_rules_for_ospp
54c0d5
+    - audit_basic_configuration
54c0d5
+    - audit_immutable_login_uids
54c0d5
+    - audit_create_failed
54c0d5
+    - audit_create_success
54c0d5
+    - audit_modify_failed
54c0d5
+    - audit_modify_success
54c0d5
+    - audit_access_failed
54c0d5
+    - audit_access_success
54c0d5
+    - audit_delete_failed
54c0d5
+    - audit_delete_success
54c0d5
+    - audit_perm_change_failed
54c0d5
+    - audit_perm_change_success
54c0d5
+    - audit_owner_change_failed
54c0d5
+    - audit_owner_change_success
54c0d5
+    - audit_ospp_general
54c0d5
+    - audit_module_load
54c0d5
 
54c0d5
     ## Enable Automatic Software Updates
54c0d5
     ## SI-2 / FMT_MOF_EXT.1
54c0d5
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
54c0d5
index f752e7a2b..c7fa22113 100644
54c0d5
--- a/shared/macros-ansible.jinja
54c0d5
+++ b/shared/macros-ansible.jinja
54c0d5
@@ -202,3 +202,18 @@
54c0d5
 {{%- macro ansible_coredump_config_set(msg='', parameter='', value='') %}}
54c0d5
 {{{ ansible_set_config_file(msg, "/etc/systemd/coredump.conf", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}}
54c0d5
 {{%- endmacro %}}
54c0d5
+
54c0d5
+{{#
54c0d5
+  Generates an Ansible task that puts 'contents' into a file at 'filepath'
54c0d5
+  Parameters:
54c0d5
+    - filepath - filepath of the file to check
54c0d5
+    - contents - contents that should be in the file
54c0d5
+#}}
54c0d5
+{{%- macro ansible_file_contents(filepath='', contents='') %}}
54c0d5
+- name: "Put contents into {{{ filepath }}} according to policy"
54c0d5
+  copy:
54c0d5
+    dest: "{{{ filepath }}}"
54c0d5
+    content: |+
54c0d5
+        {{{ contents|indent(8) }}}
54c0d5
+    force: yes
54c0d5
+{{%- endmacro %}}
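Review bot: The `copy` task writes the audit rules file with neither `mode` nor `owner`/`group`, so a file created by this remediation gets whatever the controller's umask yields, while the rest of `/etc/audit/rules.d/` is conventionally root-only readable; for a rules file that reveals exactly what the system does and does not audit I would pin `mode: '0640'`, `owner: root` and `group: root` on the task. The docstring also says "filepath of the file to check", which was copied from a check macro; this one writes, so `- filepath - path of the file to write` is the accurate description.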
54c0d5
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
54c0d5
index dc7fd2558..bc522fc1e 100644
54c0d5
--- a/shared/macros-bash.jinja
54c0d5
+++ b/shared/macros-bash.jinja
54c0d5
@@ -509,3 +509,14 @@ if ! grep -qE '^\s*account\s+required\s+pam_faillock\.so.*$' "{{{ pam_file }}}"
54c0d5
     sed -E -i --follow-symlinks '/^\s*account\s*required\s*pam_unix.so/i account     required      pam_faillock.so' "{{{ pam_file }}}"
54c0d5
 fi
54c0d5
 {{%- endmacro -%}}
54c0d5
+
54c0d5
+{{#
54c0d5
+  Generates bash script code that puts 'contents' into a file at 'filepath'
54c0d5
+  Parameters:
54c0d5
+    - filepath - filepath of the file to check
54c0d5
+    - contents - contents that should be in the file
54c0d5
+#}}
54c0d5
+{{%- macro bash_file_contents(filepath='', contents='') %}}
54c0d5
+cat << 'EOF' > {{{ filepath }}}
54c0d5
+{{{ contents }}}EOF
54c0d5
+{{%- endmacro %}}
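Review bot: The heredoc terminator is emitted as `{{{ contents }}}EOF` on one line, so it is only recognised when `contents` itself ends with a newline; if a caller ever passes content without a trailing newline the shell never sees `EOF`, the heredoc swallows the remainder of the generated script, and the remediation fails in a way that is hard to diagnose. The `contents: |+` block scalar in the rule files happens to preserve the newline today, but the macro should not depend on that; emitting `{{{ contents }}}` and then `EOF` on its own line, or stripping and re-adding the newline, makes it robust. As with the Ansible variant, the redirection creates the file under the caller's umask and `{{{ filepath }}}` is unquoted, so `cat << 'EOF' > "{{{ filepath }}}"` followed by an explicit `chmod 0640` would be the defensive form.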
54c0d5
diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
54c0d5
index 5f391efdc..11752785f 100644
54c0d5
--- a/shared/macros-oval.jinja
54c0d5
+++ b/shared/macros-oval.jinja
54c0d5
@@ -448,3 +448,44 @@
54c0d5
     <unix:command_line operation="pattern match">^.*[\s]+{{{ option }}}=.*({{{ value }}}).*([\s]+.*$|$)</unix:command_line>
54c0d5
   </unix:process58_state>
54c0d5
 {{%- endmacro -%}}
54c0d5
+
54c0d5
+{{#
54c0d5
+  Macro which generates OVAL definition, test and object that check for contents
54c0d5
+  of the file.
54c0d5
+  Parameters:
54c0d5
+    - filepath - filepath of the file to check
54c0d5
+    - contents - contents that should be in the file
54c0d5
+#}}
54c0d5
+{{%- macro oval_file_contents(filepath='', filepath_id='', contents='') -%}}
54c0d5
+  <def-group>
54c0d5
+    <definition class="compliance" id="{{{ rule_id }}}" version="1">
54c0d5
+      <metadata>
54c0d5
+        <title>Check that contents of {{{ filepath }}} are as expected</title>
54c0d5
+        {{{- oval_affected(products) }}}
54c0d5
+        <description>Inspects the contents of {{{ filepath }}}</description>
54c0d5
+      </metadata>
54c0d5
+      <criteria operator="AND">
54c0d5
+          <criterion comment="Check contents of file" test_ref="test_whole_file_contents_{{{ filepath_id }}}" />
54c0d5
+      </criteria>
54c0d5
+    </definition>
54c0d5
+
54c0d5
+    
54c0d5
+    comment="Tests if contents of {{{ filepath }}} is exactly what is defined in rule description"
54c0d5
+    id="test_whole_file_contents_{{{ filepath_id }}}" version="1">
54c0d5
+      <ind:object object_ref="object_whole_file_contents_{{{ filepath_id }}}" />
54c0d5
+      <ind:state state_ref="state_whole_file_contents_{{{ filepath_id }}}" />
54c0d5
+    </ind:textfilecontent54_test>
54c0d5
+
54c0d5
+    <ind:textfilecontent54_object id="object_whole_file_contents_{{{ filepath_id }}}" version="1">
54c0d5
+      <ind:behaviors singleline="true" multiline="false" />
54c0d5
+      <ind:filepath>{{{ filepath }}}</ind:filepath>
54c0d5
+      <ind:pattern operation="pattern match">^.*$</ind:pattern>
54c0d5
+      <ind:instance datatype="int">1</ind:instance>
54c0d5
+    </ind:textfilecontent54_object>
54c0d5
+
54c0d5
+    <ind:textfilecontent54_state id="state_whole_file_contents_{{{ filepath_id }}}" version="1">
54c0d5
+      <ind:text operation="equals">{{{ contents }}}</ind:text>
54c0d5
+    </ind:textfilecontent54_state>
54c0d5
+
54c0d5
+  </def-group>
54c0d5
+{{%- endmacro %}}
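Review bot: The docstring lists `filepath` and `contents` but omits the `filepath_id` parameter that every generated OVAL id is built from, and it does not say that `rule_id` and `products` are expected from the enclosing template context rather than passed in. I would extend the parameter list with `- filepath_id - identifier derived from filepath (see audit_file_contents in ssg/templates.py) used to build unique OVAL test/object/state ids` and note the two context variables. It is also worth a comment that `singleline="true"` combined with `^.*$` is what makes the pattern capture the whole file for the `equals` comparison, since that is not obvious from the XML alone.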
54c0d5
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
54c0d5
index 1733872df..a961f0ec0 100644
54c0d5
--- a/shared/references/cce-redhat-avail.txt
54c0d5
+++ b/shared/references/cce-redhat-avail.txt
54c0d5
@@ -103,17 +103,6 @@ CCE-82823-6
54c0d5
 CCE-82824-4
54c0d5
 CCE-82825-1
54c0d5
 CCE-82826-9
54c0d5
-CCE-82827-7
54c0d5
-CCE-82828-5
54c0d5
-CCE-82829-3
54c0d5
-CCE-82830-1
54c0d5
-CCE-82832-7
54c0d5
-CCE-82833-5
54c0d5
-CCE-82834-3
54c0d5
-CCE-82835-0
54c0d5
-CCE-82836-8
54c0d5
-CCE-82837-6
54c0d5
-CCE-82838-4
54c0d5
 CCE-82839-2
54c0d5
 CCE-82841-8
54c0d5
 CCE-82842-6
54c0d5
diff --git a/shared/templates/template_ANSIBLE_audit_file_contents b/shared/templates/template_ANSIBLE_audit_file_contents
54c0d5
new file mode 100644
54c0d5
index 000000000..c28527454
54c0d5
--- /dev/null
54c0d5
+++ b/shared/templates/template_ANSIBLE_audit_file_contents
54c0d5
@@ -0,0 +1,11 @@
54c0d5
+# platform = multi_platform_all
54c0d5
+# reboot = false
54c0d5
+# strategy = restrict
54c0d5
+# complexity = low
54c0d5
+# disruption = low
54c0d5
+{{{
54c0d5
+    ansible_file_contents(
54c0d5
+        filepath=FILEPATH,
54c0d5
+        contents=CONTENTS,
54c0d5
+    )
54c0d5
+}}}
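Review bot: The Ansible template only writes the rules file and never loads it, whereas the Bash counterpart added in the same patch ends with `augenrules --load`; an Ansible remediation therefore leaves the kernel running the old rule set until auditd is restarted or the host reboots, yet `# reboot = false` is declared at the top. Unless the project has a shared handler for this that I cannot see from the diff, a follow-up task along the lines of `- name: Load audit rules` / `command: augenrules --load` would bring the two remediations into line.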
54c0d5
diff --git a/shared/templates/template_BASH_audit_file_contents b/shared/templates/template_BASH_audit_file_contents
54c0d5
new file mode 100644
54c0d5
index 000000000..f264be6f1
54c0d5
--- /dev/null
54c0d5
+++ b/shared/templates/template_BASH_audit_file_contents
54c0d5
@@ -0,0 +1,14 @@
54c0d5
+# platform = multi_platform_all
54c0d5
+# reboot = false
54c0d5
+# strategy = restrict
54c0d5
+# complexity = low
54c0d5
+# disruption = low
54c0d5
+
54c0d5
+{{{
54c0d5
+    bash_file_contents(
54c0d5
+        filepath=FILEPATH,
54c0d5
+        contents=CONTENTS,
54c0d5
+    )
54c0d5
+}}}
54c0d5
+
54c0d5
+augenrules --load
54c0d5
diff --git a/shared/templates/template_OVAL_audit_file_contents b/shared/templates/template_OVAL_audit_file_contents
54c0d5
new file mode 100644
54c0d5
index 000000000..02e1b661d
54c0d5
--- /dev/null
54c0d5
+++ b/shared/templates/template_OVAL_audit_file_contents
54c0d5
@@ -0,0 +1,7 @@
54c0d5
+{{{
54c0d5
+    oval_file_contents(
54c0d5
+        filepath=FILEPATH,
54c0d5
+        filepath_id=FILEPATH_ID,
54c0d5
+        contents=CONTENTS
54c0d5
+    )
54c0d5
+}}}
54c0d5
diff --git a/ssg/templates.py b/ssg/templates.py
54c0d5
index 8a96c8ed4..e5ed4890b 100644
54c0d5
--- a/ssg/templates.py
54c0d5
+++ b/ssg/templates.py
54c0d5
@@ -1,8 +1,10 @@
54c0d5
+from __future__ import absolute_import
54c0d5
 from __future__ import print_function
54c0d5
 
54c0d5
 import os
54c0d5
 import sys
54c0d5
 import re
54c0d5
+from xml.sax.saxutils import unescape
54c0d5
 
54c0d5
 import ssg.build_yaml
54c0d5
 
54c0d5
@@ -93,6 +95,10 @@ def audit_rules_privileged_commands(data, lang):
54c0d5
         data["path"] = path.replace("/", "\\/")
54c0d5
     return data
54c0d5
 
54c0d5
+@template(["ansible", "bash", "oval"])
54c0d5
+def audit_rules_rule_file(data, lang):
54c0d5
+    return data
54c0d5
+
54c0d5
 
54c0d5
 @template(["ansible", "bash", "oval"])
54c0d5
 def audit_rules_unsuccessful_file_modification(data, lang):
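Review bot: `audit_rules_rule_file` is registered for ansible, bash and oval but simply returns `data`, and this patch adds no `template_*_audit_rules_rule_file` files to go with it — the templates it does add are all named `audit_file_contents`, which has its own handler further down. As far as the diff shows this registration is dead code, presumably left over from an earlier name; it should either be removed or get a comment saying which templates it serves. It also sits directly after the previous function with a single blank line, while the rest of the file uses two.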
54c0d5
@@ -124,6 +130,20 @@ def audit_rules_usergroup_modification(data, lang):
54c0d5
     return data
54c0d5
 
54c0d5
 
54c0d5
+@template(["ansible", "bash", "oval"])
54c0d5
+def audit_file_contents(data, lang):
54c0d5
+    if lang == "oval":
54c0d5
+        pathid = re.sub(r'[-\./]', '_', data["filepath"])
54c0d5
+        # remove root slash made into '_'
54c0d5
+        pathid = pathid[1:]
54c0d5
+        data["filepath_id"] = pathid
54c0d5
+
54c0d5
+    # The build system converts "<",">" and "&" for us
54c0d5
+    if lang == "bash" or lang == "ansible":
54c0d5
+        data["contents"] = unescape(data["contents"])
54c0d5
+    return data
54c0d5
+
54c0d5
+
54c0d5
 def _file_owner_groupowner_permissions_regex(data):
54c0d5
     data["is_directory"] = data["filepath"].endswith("/")
54c0d5
     if "missing_file_pass" not in data:
54c0d5
diff --git a/tests/shared/audit/10-base-config.rules b/tests/shared/audit/10-base-config.rules
54c0d5
new file mode 100644
54c0d5
index 000000000..b86d66f9d
54c0d5
--- /dev/null
54c0d5
+++ b/tests/shared/audit/10-base-config.rules
54c0d5
@@ -0,0 +1,13 @@
54c0d5
+## First rule - delete all
54c0d5
+-D
54c0d5
+
54c0d5
+## Increase the buffers to survive stress events.
54c0d5
+## Make this bigger for busy systems
54c0d5
+-b 8192
54c0d5
+
54c0d5
+## This determine how long to wait in burst of events
54c0d5
+--backlog_wait_time 60000
54c0d5
+
54c0d5
+## Set failure mode to syslog
54c0d5
+-f 1
54c0d5
+
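Review bot: This fixture, like the ones at the following hunks (11-loginuid.rules and the 30-ospp-v42-* files), appears to be a second verbatim copy of the rule contents that each rule.yml already embeds in its `{{% set file_contents_... %}}` block, with nothing in the patch tying the two together. The pass test copies the fixture into `/etc/audit/rules.d/` and the OVAL then requires an exact match against the rule.yml text, so any future edit to one copy and not the other will turn the pass test into a failure with no hint of why. Generating the fixtures from the rule definitions, or adding a small test that asserts the two copies are identical, would remove the drift risk.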
54c0d5
diff --git a/tests/shared/audit/11-loginuid.rules b/tests/shared/audit/11-loginuid.rules
54c0d5
new file mode 100644
54c0d5
index 000000000..9b0a3e98a
54c0d5
--- /dev/null
54c0d5
+++ b/tests/shared/audit/11-loginuid.rules
54c0d5
@@ -0,0 +1,3 @@
54c0d5
+## Make the loginuid immutable. This prevents tampering with the auid.
54c0d5
+--loginuid-immutable
54c0d5
+
54c0d5
diff --git a/tests/shared/audit/30-ospp-v42-1-create-failed.rules b/tests/shared/audit/30-ospp-v42-1-create-failed.rules
54c0d5
new file mode 100644
54c0d5
index 000000000..6aca1b943
54c0d5
--- /dev/null
54c0d5
+++ b/tests/shared/audit/30-ospp-v42-1-create-failed.rules
54c0d5
@@ -0,0 +1,13 @@
54c0d5
+## Unsuccessful file creation (open with O_CREAT)
54c0d5
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
54c0d5
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
54c0d5
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
54c0d5
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
54c0d5
+-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
54c0d5
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
54c0d5
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
54c0d5
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
54c0d5
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
54c0d5
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
54c0d5
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
54c0d5
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
54c0d5
diff --git a/tests/shared/audit/30-ospp-v42-1-create-success.rules b/tests/shared/audit/30-ospp-v42-1-create-success.rules
54c0d5
new file mode 100644
54c0d5
index 000000000..4141e3c60
54c0d5
--- /dev/null
54c0d5
+++ b/tests/shared/audit/30-ospp-v42-1-create-success.rules
54c0d5
@@ -0,0 +1,7 @@
54c0d5
+## Successful file creation (open with O_CREAT)
54c0d5
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
54c0d5
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
54c0d5
+-a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
54c0d5
+-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
54c0d5
+-a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
54c0d5
+-a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
54c0d5
diff --git a/tests/shared/audit/30-ospp-v42-2-modify-failed.rules b/tests/shared/audit/30-ospp-v42-2-modify-failed.rules
54c0d5
new file mode 100644
54c0d5
index 000000000..ffe5bfd61
54c0d5
--- /dev/null
54c0d5
+++ b/tests/shared/audit/30-ospp-v42-2-modify-failed.rules
54c0d5
@@ -0,0 +1,13 @@
54c0d5
+## Unsuccessful file modifications (open for write or truncate)
54c0d5
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
54c0d5
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
54c0d5
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
54c0d5
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
54c0d5
+-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
54c0d5
+-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
54c0d5
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
54c0d5
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
54c0d5
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
54c0d5
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
54c0d5
+-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
54c0d5
+-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
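Review bot: The arch=b32 rules name only `truncate,ftruncate`, but a 32-bit program built with large-file support issues `truncate64`/`ftruncate64`, which I believe are separate syscall numbers on i386 and would therefore not match these rules; if 32-bit coverage matters here the b32 lines should read `-S truncate,ftruncate,truncate64,ftruncate64`. The open-based rules in the same file are unaffected because O_TRUNC is detected through the `a1&01003`/`a2&01003` flag masks. Since the fixture mirrors the upstream sample file, the gap is probably best fixed upstream first so the test data and shipped content stay identical.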
54c0d5
diff --git a/tests/shared/audit/30-ospp-v42-2-modify-success.rules b/tests/shared/audit/30-ospp-v42-2-modify-success.rules
54c0d5
new file mode 100644
54c0d5
index 000000000..5617e018a
54c0d5
--- /dev/null
54c0d5
+++ b/tests/shared/audit/30-ospp-v42-2-modify-success.rules
54c0d5
@@ -0,0 +1,7 @@
54c0d5
+## Successful file modifications (open for write or truncate)
54c0d5
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
54c0d5
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
54c0d5
+-a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
54c0d5
+-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
54c0d5
+-a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
54c0d5
+-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
54c0d5
diff --git a/tests/shared/audit/30-ospp-v42-3-access-failed.rules b/tests/shared/audit/30-ospp-v42-3-access-failed.rules
54c0d5
new file mode 100644
54c0d5
index 000000000..a5aad3a95
54c0d5
--- /dev/null
54c0d5
+++ b/tests/shared/audit/30-ospp-v42-3-access-failed.rules
54c0d5
@@ -0,0 +1,5 @@
54c0d5
+## Unsuccessful file access (any other opens) This has to go last.
54c0d5
+-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
54c0d5
+-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
54c0d5
+-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
54c0d5
+-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
54c0d5
diff --git a/tests/shared/audit/30-ospp-v42-3-access-success.rules b/tests/shared/audit/30-ospp-v42-3-access-success.rules
54c0d5
new file mode 100644
54c0d5
index 000000000..0c8a6b657
54c0d5
--- /dev/null
54c0d5
+++ b/tests/shared/audit/30-ospp-v42-3-access-success.rules
54c0d5
@@ -0,0 +1,4 @@
54c0d5
+## Successful file access (any other opens) This has to go last.
54c0d5
+## These next two are likely to result in a whole lot of events
54c0d5
+-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
54c0d5
+-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
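Review bot: The `## This has to go last` requirement is enforced only by the lexical order augenrules applies to /etc/audit/rules.d, and with these names the catch-all still sorts before `30-ospp-v42.rules`, whose path-filtered open/openat rules for /etc/passwd and /etc/shadow use the same syscalls; as far as I can tell the kernel's exit filter stops at the first matching rule, so a successful write-open of /etc/passwd by a normal user would be keyed `successful-access` here rather than `user-modify`. The reliance on filename ordering should be documented and the placement of the user-modify rules checked, e.g. `## Ordering is by rules.d filename: any more specific open*/openat rule must live in a lower-sorting file than this one`. The "whole lot of events" warning is accurate and could additionally point operators at the sample's intent that these two lines are the OSPP cost, not optional noise.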
54c0d5
diff --git a/tests/shared/audit/30-ospp-v42-4-delete-failed.rules b/tests/shared/audit/30-ospp-v42-4-delete-failed.rules
54c0d5
new file mode 100644
54c0d5
index 000000000..946c9cc17
54c0d5
--- /dev/null
54c0d5
+++ b/tests/shared/audit/30-ospp-v42-4-delete-failed.rules
54c0d5
@@ -0,0 +1,5 @@
54c0d5
+## Unsuccessful file delete
54c0d5
+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
54c0d5
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
54c0d5
+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
54c0d5
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
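Review bot: The syscall list omits `rmdir` and `renameat2`, so a failed directory removal, or a rename issued through renameat2 (which newer glibc and coreutils paths may use), produces no `unsuccessful-delete` event; if those are in scope the lines should read `-S unlink,unlinkat,rename,renameat,renameat2,rmdir`, keeping in mind that `renameat2` only resolves on kernels and audit userspace that know the name. The same omission exists in the sibling delete-success fixture. Because the fixture is a copy of the upstream sample file, the change should probably land there first so the test and the shipped rules remain byte-identical.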
54c0d5
diff --git a/tests/shared/audit/30-ospp-v42-4-delete-success.rules b/tests/shared/audit/30-ospp-v42-4-delete-success.rules
54c0d5
new file mode 100644
54c0d5
index 000000000..7955cdf85
54c0d5
--- /dev/null
54c0d5
+++ b/tests/shared/audit/30-ospp-v42-4-delete-success.rules
54c0d5
@@ -0,0 +1,3 @@
54c0d5
+## Successful file delete
54c0d5
+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
54c0d5
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
54c0d5
diff --git a/tests/shared/audit/30-ospp-v42-5-perm-change-failed.rules b/tests/shared/audit/30-ospp-v42-5-perm-change-failed.rules
54c0d5
new file mode 100644
54c0d5
index 000000000..49b9299d5
54c0d5
--- /dev/null
54c0d5
+++ b/tests/shared/audit/30-ospp-v42-5-perm-change-failed.rules
54c0d5
@@ -0,0 +1,5 @@
54c0d5
+## Unsuccessful permission change
54c0d5
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
54c0d5
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
54c0d5
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
54c0d5
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
54c0d5
diff --git a/tests/shared/audit/30-ospp-v42-5-perm-change-success.rules b/tests/shared/audit/30-ospp-v42-5-perm-change-success.rules
54c0d5
new file mode 100644
54c0d5
index 000000000..52cbac873
54c0d5
--- /dev/null
54c0d5
+++ b/tests/shared/audit/30-ospp-v42-5-perm-change-success.rules
54c0d5
@@ -0,0 +1,3 @@
54c0d5
+## Successful permission change
54c0d5
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
54c0d5
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
54c0d5
diff --git a/tests/shared/audit/30-ospp-v42-6-owner-change-failed.rules b/tests/shared/audit/30-ospp-v42-6-owner-change-failed.rules
54c0d5
new file mode 100644
54c0d5
index 000000000..44e7148c2
54c0d5
--- /dev/null
54c0d5
+++ b/tests/shared/audit/30-ospp-v42-6-owner-change-failed.rules
54c0d5
@@ -0,0 +1,5 @@
54c0d5
+## Unsuccessful ownership change
54c0d5
+-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
54c0d5
+-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
54c0d5
+-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
54c0d5
+-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
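Review bot: On arch=b32 the names `chown`, `lchown` and `fchown` resolve to the legacy 16-bit-uid syscalls, while 32-bit glibc has, I believe, called `chown32`/`lchown32`/`fchown32` for a long time, so a compat-mode process that fails to change ownership would not hit these rules; the b32 lines should add those names, e.g. `-S lchown,fchown,chown,fchownat,chown32,lchown32,fchown32`, on kernels where they exist. The arch=b64 lines are fine as written since x86_64 has only the single-width variants. The same gap applies to the owner-change-success fixture.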
54c0d5
diff --git a/tests/shared/audit/30-ospp-v42-6-owner-change-success.rules b/tests/shared/audit/30-ospp-v42-6-owner-change-success.rules
54c0d5
new file mode 100644
54c0d5
index 000000000..056b706fc
54c0d5
--- /dev/null
54c0d5
+++ b/tests/shared/audit/30-ospp-v42-6-owner-change-success.rules
54c0d5
@@ -0,0 +1,3 @@
54c0d5
+## Successful ownership change
54c0d5
+-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
54c0d5
+-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
54c0d5
diff --git a/tests/shared/audit/30-ospp-v42.rules b/tests/shared/audit/30-ospp-v42.rules
54c0d5
new file mode 100644
54c0d5
index 000000000..3dced1725
54c0d5
--- /dev/null
54c0d5
+++ b/tests/shared/audit/30-ospp-v42.rules
54c0d5
@@ -0,0 +1,80 @@
54c0d5
+## The purpose of these rules is to meet the requirements for Operating
54c0d5
+## System Protection Profile (OSPP)v4.2. These rules depends on having
54c0d5
+## the following rule files copied to /etc/audit/rules.d:
54c0d5
+##
54c0d5
+## 10-base-config.rules, 11-loginuid.rules,
54c0d5
+## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules,
54c0d5
+## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules,
54c0d5
+## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules,
54c0d5
+## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules,
54c0d5
+## 30-ospp-v42-5-perm-change-failed.rules,
54c0d5
+## 30-ospp-v42-5-perm-change-success.rules,
54c0d5
+## 30-ospp-v42-6-owner-change-failed.rules,
54c0d5
+## 30-ospp-v42-6-owner-change-success.rules
54c0d5
+##
54c0d5
+## original copies may be found in /usr/share/audit/sample-rules/
54c0d5
+
54c0d5
+
54c0d5
+## User add delete modify. This is covered by pam. However, someone could
54c0d5
+## open a file and directly create or modify a user, so we'll watch passwd and
54c0d5
+## shadow for writes
54c0d5
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
54c0d5
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
54c0d5
+-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
54c0d5
+-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
54c0d5
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
54c0d5
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
54c0d5
+-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
54c0d5
+-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
54c0d5
+
54c0d5
+## User enable and disable. This is entirely handled by pam.
54c0d5
+
54c0d5
+## Group add delete modify. This is covered by pam. However, someone could
54c0d5
+## open a file and directly create or modify a user, so we'll watch group and
54c0d5
+## gshadow for writes
54c0d5
+-a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
54c0d5
+-a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
54c0d5
+-a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
54c0d5
+-a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
54c0d5
+
54c0d5
+
54c0d5
+## Use of special rights for config changes. This would be use of setuid
54c0d5
+## programs that relate to user accts. This is not all setuid apps because
54c0d5
+## requirements are only for ones that affect system configuration.
54c0d5
+-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
54c0d5
+-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
54c0d5
+-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
54c0d5
+-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
54c0d5
+-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
54c0d5
+-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
54c0d5
+-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
54c0d5
+-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
54c0d5
+-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
54c0d5
+-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
54c0d5
+-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
54c0d5
+-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
54c0d5
+-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
54c0d5
+
54c0d5
+## Privilege escalation via su or sudo. This is entirely handled by pam.
54c0d5
+
54c0d5
+## Audit log access
54c0d5
+-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
54c0d5
+## Attempts to Alter Process and Session Initiation Information
54c0d5
+-a always,exit -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
54c0d5
+-a always,exit -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
54c0d5
+-a always,exit -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
54c0d5
+
54c0d5
+## Attempts to modify MAC controls
54c0d5
+-a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy
54c0d5
+
54c0d5
+## Software updates. This is entirely handled by rpm.
54c0d5
+
54c0d5
+## System start and shutdown. This is entirely handled by systemd
54c0d5
+
54c0d5
+## Kernel Module loading. This is handled in 43-module-load.rules
54c0d5
+
54c0d5
+## Application invocation. The requirements list an optional requirement
54c0d5
+## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to
54c0d5
+## state results from that policy. This would be handled entirely by
54c0d5
+## that daemon.
54c0d5
+
54c0d5
diff --git a/tests/shared/audit/43-module-load.rules b/tests/shared/audit/43-module-load.rules
54c0d5
new file mode 100644
54c0d5
index 000000000..890750744
54c0d5
--- /dev/null
54c0d5
+++ b/tests/shared/audit/43-module-load.rules
54c0d5
@@ -0,0 +1,6 @@
54c0d5
+## These rules watch for kernel module insertion. By monitoring
54c0d5
+## the syscall, we do not need any watches on programs.
54c0d5
+-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
54c0d5
+-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
54c0d5
+-a always,exit -F arch=b32 -S delete_module -F key=module-unload
54c0d5
+-a always,exit -F arch=b64 -S delete_module -F key=module-unload
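Review bot: These rules carry no `auid` or success/exit filter, unlike every other fixture in this patch, so loads and unloads by system services at boot and failed attempts are all recorded; that is presumably intentional for OSPP, but the header should say so rather than leave a reader to wonder whether a filter was forgotten, e.g. `## Deliberately no auid/success filter: record every load and unload attempt, including those by system services`. If the omission is not intentional, the lines should gain the same `-F auid>=1000 -F auid!=unset` pair the rest of the set uses.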
54c0d5
-- 
54c0d5
2.21.1
54c0d5