<def-group>
<!--
  OVAL template for "audit rules for file deletion events".
  Template parameters (Jinja):
    _RULE_ID : id of the generated OVAL definition.
    NAME     : the syscall whose audit rule is checked (the rule metadata below
               describes it as a file-deletion syscall).
    auid     : the exact value expected in the rule's "-F auid>=" filter.
  The definition is satisfied when a matching "-a always,exit" rule for NAME exists
  either in the augenrules configuration (/etc/audit/rules.d/*.rules) or in the
  auditctl configuration (/etc/audit/audit.rules); the 32-bit arch rule is always
  required and, on 64-bit systems, the 64-bit arch rule is required as well.
  Only the on-disk rule files are inspected; the rule set currently loaded in the
  kernel is not consulted by any test in this group.
-->
<definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
{{{ oval_metadata("The deletion of files should be audited.") }}}
<criteria operator="OR">
<!-- Case 1: rules are managed by augenrules (files under /etc/audit/rules.d/) -->
<criteria operator="AND">
<extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
<criterion comment="audit augenrules 32-bit {{{ NAME }}}" test_ref="test_32bit_ardm_{{{ NAME }}}_augenrules" />
<criteria operator="OR">
<!-- Either the system is not 64-bit, in which case the 32-bit {{{ NAME }}} audit rule above is sufficient ... -->
<extend_definition comment="64-bit system" definition_ref="system_info_architecture_64bit" negate="true" />
<!-- ... or the system is 64-bit, in which case the 64-bit {{{ NAME }}} audit rule must also be present -->
<criterion comment="audit augenrules 64-bit {{{ NAME }}}" test_ref="test_64bit_ardm_{{{ NAME }}}_augenrules" />
</criteria>
</criteria>
<!-- Case 2: rules are managed by auditctl (single file /etc/audit/audit.rules) -->
<criteria operator="AND">
<extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
<criterion comment="audit auditctl 32-bit {{{ NAME }}}" test_ref="test_32bit_ardm_{{{ NAME }}}_auditctl" />
<criteria operator="OR">
<!-- Either the system is not 64-bit, in which case the 32-bit {{{ NAME }}} audit rule above is sufficient ... -->
<extend_definition comment="64-bit system" definition_ref="system_info_architecture_64bit" negate="true" />
<!-- ... or the system is 64-bit, in which case the 64-bit {{{ NAME }}} audit rule must also be present -->
<criterion comment="audit auditctl 64-bit {{{ NAME }}}" test_ref="test_64bit_ardm_{{{ NAME }}}_auditctl" />
</criteria>
</criteria>
</criteria>
</definition>
<!--
  Tests and objects.
  None of the four tests below carries an <ind:state>, so each one is satisfied as soon
  as its object finds at least one matching line (the OVAL default check_existence,
  at_least_one_exists); check="all" has no further effect without a state.
  Every pattern requires the following fields on one line, in this order:
    "-a always,exit", "-F arch=b32" (or b64), the NAME syscall (given either as
    "-S NAME" or as one entry of a comma-separated "-S" list), "-F auid>={{{ auid }}}",
    "-F auid!=4294967295" or "-F auid!=unset", and a key ("-k KEY" or "-F key=KEY").
  Because each field is located by a sequential ".*" group, a rule that lists the same
  fields in a different order is not recognized, and the auid threshold must be exactly
  {{{ auid }}}. Leading/trailing whitespace on the line is tolerated.
-->
<!-- augenrules, 32-bit arch: any *.rules file under /etc/audit/rules.d/ -->
<ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit {{{ NAME }}}" id="test_32bit_ardm_{{{ NAME }}}_augenrules" version="1">
<ind:object object_ref="object_32bit_ardm_{{{ NAME }}}_augenrules" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_32bit_ardm_{{{ NAME }}}_augenrules" version="1">
<ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
<!-- Only the first matching line per file is collected; one match is enough for the test -->
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<!-- augenrules, 64-bit arch: same files and same pattern with arch=b64 -->
<ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit {{{ NAME }}}" id="test_64bit_ardm_{{{ NAME }}}_augenrules" version="1">
<ind:object object_ref="object_64bit_ardm_{{{ NAME }}}_augenrules" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_64bit_ardm_{{{ NAME }}}_augenrules" version="1">
<ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<!-- auditctl, 32-bit arch: the single literal path /etc/audit/audit.rules -->
<ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit {{{ NAME }}}" id="test_32bit_ardm_{{{ NAME }}}_auditctl" version="1">
<ind:object object_ref="object_32bit_ardm_{{{ NAME }}}_auditctl" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_32bit_ardm_{{{ NAME }}}_auditctl" version="1">
<ind:filepath>/etc/audit/audit.rules</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<!-- auditctl, 64-bit arch: same file and same pattern with arch=b64 -->
<ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit {{{ NAME }}}" id="test_64bit_ardm_{{{ NAME }}}_auditctl" version="1">
<ind:object object_ref="object_64bit_ardm_{{{ NAME }}}_auditctl" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_64bit_ardm_{{{ NAME }}}_auditctl" version="1">
<ind:filepath>/etc/audit/audit.rules</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
</def-group>