File: oval.template

package info (click to toggle)
scap-security-guide 0.1.76-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 110,644 kB
  • sloc: xml: 241,883; sh: 73,777; python: 32,527; makefile: 27
file content (163 lines) | stat: -rw-r--r-- 10,272 bytes parent folder | download | duplicates (2)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
<def-group>
  <definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
    {{{ oval_metadata("Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.") }}}

    <criteria operator="OR">

      <!-- Test the augenrules case -->
      <criteria operator="AND">
        <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
        <criterion comment="audit augenrules 32-bit file eacces" test_ref="test_32bit_arufm_eacces_{{{ NAME }}}_augenrules" />
        <criterion comment="audit augenrules 32-bit file eperm" test_ref="test_32bit_arufm_eperm_{{{ NAME }}}_augenrules" />
        <criteria operator="OR">
          <!-- System either isn't 64-bit => we just check presence of the 32-bit version of the EACCES / EPERM rules-->
          <extend_definition comment="64-bit system" definition_ref="system_info_architecture_64bit" negate="true" />
          <!-- Or system is 64-bit => in that case we also need to verify the presence of 64-bit versions of the rules -->
          <criteria operator="AND">
            <criterion comment="audit augenrules 64-bit file eacces" test_ref="test_64bit_arufm_eacces_{{{ NAME }}}_augenrules" />
            <criterion comment="audit augenrules 64-bit file eperm" test_ref="test_64bit_arufm_eperm_{{{ NAME }}}_augenrules" />
          </criteria>
        </criteria>
      </criteria>

      <!-- OR test the auditctl case -->
      <criteria operator="AND">
        <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
        <criterion comment="audit auditctl 32-bit file eacces" test_ref="test_32bit_arufm_eacces_{{{ NAME }}}_auditctl" />
        <criterion comment="audit auditctl 32-bit file eperm" test_ref="test_32bit_arufm_eperm_{{{ NAME }}}_auditctl" />
        <criteria operator="OR">
          <!-- System either isn't 64-bit => we just check presence of the 32-bit version of the EACCES / EPERM rules -->
          <extend_definition comment="64-bit_system" definition_ref="system_info_architecture_64bit" negate="true" />
          <!-- Or system is 64-bit => in that case we also need to verify the presence of 64-bit versions of the rules -->
          <criteria operator="AND">
            <criterion comment="audit auditctl 64-bit file eacces" test_ref="test_64bit_arufm_eacces_{{{ NAME }}}_auditctl" />
            <criterion comment="audit auditctl 64-bit file eperm" test_ref="test_64bit_arufm_eperm_{{{ NAME }}}_auditctl" />
          </criteria>
        </criteria>
      </criteria>

    </criteria>
  </definition>


  <!-- General rule boiler plate -->
  <constant_variable id="var_32bit_arufm_{{{ NAME }}}_head" version="1" datatype="string" comment="audit rule arch and syscal">
      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</value>
  </constant_variable>
  <constant_variable id="var_64bit_arufm_{{{ NAME }}}_head" version="1" datatype="string" comment="audit rule arch and syscal">
      <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</value>
  </constant_variable>
  <constant_variable id="var_arufm_{{{ NAME }}}_tail" version="1" datatype="string" comment="audit rule auid and key">
    <value>[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>
  </constant_variable>

  <!-- 32bit EACCES rules -->
  <local_variable id="var_32bit_arufm_eacces_{{{ NAME }}}_regex" version="1" datatype="string" comment="Expression to match 32bit {{{ NAME }}} EACCES syscall">
    <concat>
      <variable_component var_ref="var_32bit_arufm_{{{ NAME }}}_head" />
      <literal_component>(?:-F\s+exit=-EACCES)</literal_component>
      <variable_component var_ref="var_arufm_{{{ NAME }}}_tail" />
    </concat>
  </local_variable>

  <!-- 32bit EPERM rules -->
  <local_variable id="var_32bit_arufm_eperm_{{{ NAME }}}_regex" version="1" datatype="string" comment="Expression to match 32bit {{{ NAME }}} EPERM EACCES syscall">
    <concat>
      <variable_component var_ref="var_32bit_arufm_{{{ NAME }}}_head" />
      <literal_component>(?:-F\s+exit=-EPERM)</literal_component>
      <variable_component var_ref="var_arufm_{{{ NAME }}}_tail" />
    </concat>
  </local_variable>

  <!-- 64bit EACCES rules -->
  <local_variable id="var_64bit_arufm_eacces_{{{ NAME }}}_regex" version="1" datatype="string" comment="Expression to match 64bit {{{ NAME }}} EACCES syscall">
    <concat>
      <variable_component var_ref="var_64bit_arufm_{{{ NAME }}}_head" />
      <literal_component>(?:-F\s+exit=-EACCES)</literal_component>
      <variable_component var_ref="var_arufm_{{{ NAME }}}_tail" />
    </concat>
  </local_variable>

  <!-- 64bit EPERM rules -->
  <local_variable id="var_64bit_arufm_eperm_{{{ NAME }}}_regex" version="1" datatype="string" comment="Expression to match 64bit {{{ NAME }}} EPERM syscall">
    <concat>
      <variable_component var_ref="var_64bit_arufm_{{{ NAME }}}_head" />
      <literal_component>(?:-F\s+exit=-EPERM)</literal_component>
      <variable_component var_ref="var_arufm_{{{ NAME }}}_tail" />
    </concat>
  </local_variable>


  <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eacces" id="test_32bit_arufm_eacces_{{{ NAME }}}_augenrules" version="1">
    <ind:object object_ref="object_32bit_arufm_eacces_{{{ NAME }}}_augenrules" />
  </ind:textfilecontent54_test>
  <ind:textfilecontent54_object id="object_32bit_arufm_eacces_{{{ NAME }}}_augenrules" version="1">
    <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
    <ind:pattern operation="pattern match" var_ref="var_32bit_arufm_eacces_{{{ NAME }}}_regex" />
    <ind:instance datatype="int">1</ind:instance>
  </ind:textfilecontent54_object>

  <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eperm" id="test_32bit_arufm_eperm_{{{ NAME }}}_augenrules" version="1">
    <ind:object object_ref="object_32bit_arufm_eperm_{{{ NAME }}}_augenrules" />
  </ind:textfilecontent54_test>
  <ind:textfilecontent54_object id="object_32bit_arufm_eperm_{{{ NAME }}}_augenrules" version="1">
    <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
    <ind:pattern operation="pattern match" var_ref="var_32bit_arufm_eperm_{{{ NAME }}}_regex" />
    <ind:instance datatype="int">1</ind:instance>
  </ind:textfilecontent54_object>

  <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eacces" id="test_64bit_arufm_eacces_{{{ NAME }}}_augenrules" version="1">
    <ind:object object_ref="object_64bit_arufm_eacces_{{{ NAME }}}_augenrules" />
  </ind:textfilecontent54_test>
  <ind:textfilecontent54_object id="object_64bit_arufm_eacces_{{{ NAME }}}_augenrules" version="1">
    <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
    <ind:pattern operation="pattern match" var_ref="var_64bit_arufm_eacces_{{{ NAME }}}_regex" />
    <ind:instance datatype="int">1</ind:instance>
  </ind:textfilecontent54_object>

  <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eperm" id="test_64bit_arufm_eperm_{{{ NAME }}}_augenrules" version="1">
    <ind:object object_ref="object_64bit_arufm_eperm_{{{ NAME }}}_augenrules" />
  </ind:textfilecontent54_test>
  <ind:textfilecontent54_object id="object_64bit_arufm_eperm_{{{ NAME }}}_augenrules" version="1">
    <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
    <ind:pattern operation="pattern match" var_ref="var_64bit_arufm_eperm_{{{ NAME }}}_regex" />
    <ind:instance datatype="int">1</ind:instance>
  </ind:textfilecontent54_object>

  <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eacces" id="test_32bit_arufm_eacces_{{{ NAME }}}_auditctl" version="1">
    <ind:object object_ref="object_32bit_arufm_eacces_{{{ NAME }}}_auditctl" />
  </ind:textfilecontent54_test>
  <ind:textfilecontent54_object id="object_32bit_arufm_eacces_{{{ NAME }}}_auditctl" version="1">
    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
    <ind:pattern operation="pattern match" var_ref="var_32bit_arufm_eacces_{{{ NAME }}}_regex" />
    <ind:instance datatype="int">1</ind:instance>
  </ind:textfilecontent54_object>

  <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eperm" id="test_32bit_arufm_eperm_{{{ NAME }}}_auditctl" version="1">
    <ind:object object_ref="object_32bit_arufm_eperm_{{{ NAME }}}_auditctl" />
  </ind:textfilecontent54_test>
  <ind:textfilecontent54_object id="object_32bit_arufm_eperm_{{{ NAME }}}_auditctl" version="1">
    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
    <ind:pattern operation="pattern match" var_ref="var_32bit_arufm_eperm_{{{ NAME }}}_regex" />
    <ind:instance datatype="int">1</ind:instance>
  </ind:textfilecontent54_object>

  <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eacces" id="test_64bit_arufm_eacces_{{{ NAME }}}_auditctl" version="1">
    <ind:object object_ref="object_64bit_arufm_eacces_{{{ NAME }}}_auditctl" />
  </ind:textfilecontent54_test>
  <ind:textfilecontent54_object id="object_64bit_arufm_eacces_{{{ NAME }}}_auditctl" version="1">
    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
    <ind:pattern operation="pattern match" var_ref="var_64bit_arufm_eacces_{{{ NAME }}}_regex" />
    <ind:instance datatype="int">1</ind:instance>
  </ind:textfilecontent54_object>

  <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eperm" id="test_64bit_arufm_eperm_{{{ NAME }}}_auditctl" version="1">
    <ind:object object_ref="object_64bit_arufm_eperm_{{{ NAME }}}_auditctl" />
  </ind:textfilecontent54_test>
  <ind:textfilecontent54_object id="object_64bit_arufm_eperm_{{{ NAME }}}_auditctl" version="1">
    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
    <ind:pattern operation="pattern match" var_ref="var_64bit_arufm_eperm_{{{ NAME }}}_regex" />
    <ind:instance datatype="int">1</ind:instance>
  </ind:textfilecontent54_object>

</def-group>