File: oval.template

package info (click to toggle)
scap-security-guide 0.1.76-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 110,644 kB
  • sloc: xml: 241,883; sh: 73,777; python: 32,527; makefile: 27
file content (42 lines) | stat: -rw-r--r-- 2,575 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
 
{{%- if product in [ "debian12", "fedora", "ol7", "ol8", "ol9", "ol10", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "slmicro5", "ubuntu2004", "ubuntu2204", "ubuntu2404"] %}}
  {{%- set perm_x="(?:[\s]+-F[\s]+perm=x)" %}}
{{%- endif %}}
<def-group>
  <definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
    {{{ oval_metadata("Audit rules about the information on the use of " + NAME + " is enabled.") }}}

    <criteria operator="OR">

      <!-- Test the augenrules case -->
      <criteria operator="AND">
        <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
        <criterion comment="audit augenrules {{{ NAME }}}" test_ref="test_{{{ ID }}}_augenrules" />
      </criteria>

      <!-- Test the auditctl case -->
      <criteria operator="AND">
        <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
        <criterion comment="audit auditctl {{{ NAME }}}" test_ref="test_{{{ ID }}}_auditctl" />
      </criteria>
    </criteria>
  </definition>

  <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit augenrules {{{ NAME }}}" id="test_{{{ ID }}}_augenrules" version="1">
    <ind:object object_ref="object_{{{ ID }}}_augenrules" />
  </ind:textfilecontent54_test>
  <ind:textfilecontent54_object id="object_{{{ ID }}}_augenrules" version="1">
    <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}{{{ perm_x }}}[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
  </ind:textfilecontent54_object>

  <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit auditctl {{{ NAME }}}" id="test_{{{ ID }}}_auditctl" version="1">
    <ind:object object_ref="object_{{{ ID }}}_auditctl" />
  </ind:textfilecontent54_test>
  <ind:textfilecontent54_object id="object_{{{ ID }}}_auditctl" version="1">
    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}{{{ perm_x }}}[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
  </ind:textfilecontent54_object>

</def-group>