1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163
|
<def-group>
<definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
{{{ oval_metadata("Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.") }}}
<criteria operator="OR">
<!-- Test the augenrules case -->
<criteria operator="AND">
<extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
<criterion comment="audit augenrules 32-bit file eacces" test_ref="test_32bit_arufm_eacces_{{{ NAME }}}_augenrules" />
<criterion comment="audit augenrules 32-bit file eperm" test_ref="test_32bit_arufm_eperm_{{{ NAME }}}_augenrules" />
<criteria operator="OR">
<!-- System either isn't 64-bit => we just check presence of the 32-bit version of the EACCES / EPERM rules-->
<extend_definition comment="64-bit system" definition_ref="system_info_architecture_64bit" negate="true" />
<!-- Or system is 64-bit => in that case we also need to verify the presence of 64-bit versions of the rules -->
<criteria operator="AND">
<criterion comment="audit augenrules 64-bit file eacces" test_ref="test_64bit_arufm_eacces_{{{ NAME }}}_augenrules" />
<criterion comment="audit augenrules 64-bit file eperm" test_ref="test_64bit_arufm_eperm_{{{ NAME }}}_augenrules" />
</criteria>
</criteria>
</criteria>
<!-- OR test the auditctl case -->
<criteria operator="AND">
<extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
<criterion comment="audit auditctl 32-bit file eacces" test_ref="test_32bit_arufm_eacces_{{{ NAME }}}_auditctl" />
<criterion comment="audit auditctl 32-bit file eperm" test_ref="test_32bit_arufm_eperm_{{{ NAME }}}_auditctl" />
<criteria operator="OR">
<!-- System either isn't 64-bit => we just check presence of the 32-bit version of the EACCES / EPERM rules -->
<extend_definition comment="64-bit_system" definition_ref="system_info_architecture_64bit" negate="true" />
<!-- Or system is 64-bit => in that case we also need to verify the presence of 64-bit versions of the rules -->
<criteria operator="AND">
<criterion comment="audit auditctl 64-bit file eacces" test_ref="test_64bit_arufm_eacces_{{{ NAME }}}_auditctl" />
<criterion comment="audit auditctl 64-bit file eperm" test_ref="test_64bit_arufm_eperm_{{{ NAME }}}_auditctl" />
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<!-- General rule boiler plate -->
<constant_variable id="var_32bit_arufm_{{{ NAME }}}_head" version="1" datatype="string" comment="audit rule arch and syscal">
<value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</value>
</constant_variable>
<constant_variable id="var_64bit_arufm_{{{ NAME }}}_head" version="1" datatype="string" comment="audit rule arch and syscal">
<value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</value>
</constant_variable>
<constant_variable id="var_arufm_{{{ NAME }}}_tail" version="1" datatype="string" comment="audit rule auid and key">
<value>[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>
</constant_variable>
<!-- 32bit EACCES rules -->
<local_variable id="var_32bit_arufm_eacces_{{{ NAME }}}_regex" version="1" datatype="string" comment="Expression to match 32bit {{{ NAME }}} EACCES syscall">
<concat>
<variable_component var_ref="var_32bit_arufm_{{{ NAME }}}_head" />
<literal_component>(?:-F\s+exit=-EACCES)</literal_component>
<variable_component var_ref="var_arufm_{{{ NAME }}}_tail" />
</concat>
</local_variable>
<!-- 32bit EPERM rules -->
<local_variable id="var_32bit_arufm_eperm_{{{ NAME }}}_regex" version="1" datatype="string" comment="Expression to match 32bit {{{ NAME }}} EPERM EACCES syscall">
<concat>
<variable_component var_ref="var_32bit_arufm_{{{ NAME }}}_head" />
<literal_component>(?:-F\s+exit=-EPERM)</literal_component>
<variable_component var_ref="var_arufm_{{{ NAME }}}_tail" />
</concat>
</local_variable>
<!-- 64bit EACCES rules -->
<local_variable id="var_64bit_arufm_eacces_{{{ NAME }}}_regex" version="1" datatype="string" comment="Expression to match 64bit {{{ NAME }}} EACCES syscall">
<concat>
<variable_component var_ref="var_64bit_arufm_{{{ NAME }}}_head" />
<literal_component>(?:-F\s+exit=-EACCES)</literal_component>
<variable_component var_ref="var_arufm_{{{ NAME }}}_tail" />
</concat>
</local_variable>
<!-- 64bit EPERM rules -->
<local_variable id="var_64bit_arufm_eperm_{{{ NAME }}}_regex" version="1" datatype="string" comment="Expression to match 64bit {{{ NAME }}} EPERM syscall">
<concat>
<variable_component var_ref="var_64bit_arufm_{{{ NAME }}}_head" />
<literal_component>(?:-F\s+exit=-EPERM)</literal_component>
<variable_component var_ref="var_arufm_{{{ NAME }}}_tail" />
</concat>
</local_variable>
<ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eacces" id="test_32bit_arufm_eacces_{{{ NAME }}}_augenrules" version="1">
<ind:object object_ref="object_32bit_arufm_eacces_{{{ NAME }}}_augenrules" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_32bit_arufm_eacces_{{{ NAME }}}_augenrules" version="1">
<ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
<ind:pattern operation="pattern match" var_ref="var_32bit_arufm_eacces_{{{ NAME }}}_regex" />
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eperm" id="test_32bit_arufm_eperm_{{{ NAME }}}_augenrules" version="1">
<ind:object object_ref="object_32bit_arufm_eperm_{{{ NAME }}}_augenrules" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_32bit_arufm_eperm_{{{ NAME }}}_augenrules" version="1">
<ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
<ind:pattern operation="pattern match" var_ref="var_32bit_arufm_eperm_{{{ NAME }}}_regex" />
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eacces" id="test_64bit_arufm_eacces_{{{ NAME }}}_augenrules" version="1">
<ind:object object_ref="object_64bit_arufm_eacces_{{{ NAME }}}_augenrules" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_64bit_arufm_eacces_{{{ NAME }}}_augenrules" version="1">
<ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
<ind:pattern operation="pattern match" var_ref="var_64bit_arufm_eacces_{{{ NAME }}}_regex" />
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eperm" id="test_64bit_arufm_eperm_{{{ NAME }}}_augenrules" version="1">
<ind:object object_ref="object_64bit_arufm_eperm_{{{ NAME }}}_augenrules" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_64bit_arufm_eperm_{{{ NAME }}}_augenrules" version="1">
<ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
<ind:pattern operation="pattern match" var_ref="var_64bit_arufm_eperm_{{{ NAME }}}_regex" />
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eacces" id="test_32bit_arufm_eacces_{{{ NAME }}}_auditctl" version="1">
<ind:object object_ref="object_32bit_arufm_eacces_{{{ NAME }}}_auditctl" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_32bit_arufm_eacces_{{{ NAME }}}_auditctl" version="1">
<ind:filepath>/etc/audit/audit.rules</ind:filepath>
<ind:pattern operation="pattern match" var_ref="var_32bit_arufm_eacces_{{{ NAME }}}_regex" />
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eperm" id="test_32bit_arufm_eperm_{{{ NAME }}}_auditctl" version="1">
<ind:object object_ref="object_32bit_arufm_eperm_{{{ NAME }}}_auditctl" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_32bit_arufm_eperm_{{{ NAME }}}_auditctl" version="1">
<ind:filepath>/etc/audit/audit.rules</ind:filepath>
<ind:pattern operation="pattern match" var_ref="var_32bit_arufm_eperm_{{{ NAME }}}_regex" />
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eacces" id="test_64bit_arufm_eacces_{{{ NAME }}}_auditctl" version="1">
<ind:object object_ref="object_64bit_arufm_eacces_{{{ NAME }}}_auditctl" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_64bit_arufm_eacces_{{{ NAME }}}_auditctl" version="1">
<ind:filepath>/etc/audit/audit.rules</ind:filepath>
<ind:pattern operation="pattern match" var_ref="var_64bit_arufm_eacces_{{{ NAME }}}_regex" />
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eperm" id="test_64bit_arufm_eperm_{{{ NAME }}}_auditctl" version="1">
<ind:object object_ref="object_64bit_arufm_eperm_{{{ NAME }}}_auditctl" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_64bit_arufm_eperm_{{{ NAME }}}_auditctl" version="1">
<ind:filepath>/etc/audit/audit.rules</ind:filepath>
<ind:pattern operation="pattern match" var_ref="var_64bit_arufm_eperm_{{{ NAME }}}_regex" />
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
</def-group>
|