File: template_OVAL_audit_rules_login_events

package info (click to toggle)
scap-security-guide 0.1.39-2
  • links: PTS, VCS
  • area: main
  • in suites: buster, sid
  • size: 31,836 kB
  • sloc: xml: 129,736; python: 7,462; sh: 3,796; makefile: 27
file content (47 lines) | stat: -rw-r--r-- 2,251 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
<def-group>
  <definition class="compliance" id="audit_rules_login_events_%NAME%" version="2">
    <metadata>
      <title>Record Attempts to Alter Login and Logout Events - %NAME%</title>
      <affected family="unix">
        <platform>Red Hat Enterprise Linux 7</platform>
        <platform>multi_platform_fedora</platform>
      </affected>
      <description>Audit rules should be configured to log successful and unsuccessful login and logout events.</description>
    </metadata>

    <criteria operator="OR">

      <!-- Test the augenrules case -->
      <criteria operator="AND">
        <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
        <criterion comment="audit augenrules %NAME%" test_ref="test_arle_%NAME%_augenrules" />
      </criteria>

      <!-- Test the auditctl case -->
      <criteria operator="AND">
        <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
        <criterion comment="audit auditctl %NAME%" test_ref="test_arle_%NAME%_auditctl" />
      </criteria>

    </criteria>
  </definition>

  <ind:textfilecontent54_test check="all" comment="audit augenrules %NAME%" id="test_arle_%NAME%_augenrules" version="1">
    <ind:object object_ref="object_arle_%NAME%_augenrules" />
  </ind:textfilecontent54_test>
  <ind:textfilecontent54_object id="object_arle_%NAME%_augenrules" version="1">
    <ind:filepath operation="pattern match">/etc/audit/rules\.d/.*\.rules</ind:filepath>
    <ind:pattern operation="pattern match">^\-w\s+%PATH%\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$</ind:pattern>
    <ind:instance datatype="int">1</ind:instance>
  </ind:textfilecontent54_object>

  <ind:textfilecontent54_test check="all" comment="audit auditctl %NAME%" id="test_arle_%NAME%_auditctl" version="1">
    <ind:object object_ref="object_arle_%NAME%_auditctl" />
  </ind:textfilecontent54_test>
  <ind:textfilecontent54_object id="object_arle_%NAME%_auditctl" version="1">
    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
    <ind:pattern operation="pattern match">^\-w\s+%PATH%\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$</ind:pattern>
    <ind:instance datatype="int">1</ind:instance>
  </ind:textfilecontent54_object>

</def-group>