File: oval.template

scap-security-guide 0.1.76-1
<def-group>
  <!--
    Compliance definition for the templated syscall. It passes when audit rules
    that record unsuccessful calls (exit=-EACCES and exit=-EPERM) with the 0100
    flag bit set on the templated argument are present. The criterion comments
    and the rule title tie that bit to O_CREAT.
    Shape of the criteria tree:
      OR
        AND (augenrules in use, 32-bit rules, and 64-bit rules unless the system is not 64-bit)
        AND (auditctl in use,   32-bit rules, and 64-bit rules unless the system is not 64-bit)
  -->
  <definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
    {{{ oval_metadata("Audit rules about the information on the unsuccessful use of " + SYSCALL + " O_CREAT is enabled.") }}}

    <!-- Either rule-loading mechanism may satisfy the rule -->
    <criteria operator="OR">

      <!-- augenrules case: the referenced definition must hold and both 32-bit rules must be found -->
      <criteria operator="AND">
        <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
        <criterion comment="Verify audit rule {{{ SYSCALL }}} 32bit {{{ POS }}}&amp;0100 eacces augenrules exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_creat_32bit_a20100_eacces_augenrules" />
        <criterion comment="Verify audit rule {{{ SYSCALL }}} 32bit {{{ POS }}}&amp;0100 eperm augenrules exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_creat_32bit_a20100_eperm_augenrules" />

        <criteria operator="OR">
          <!-- Either the system is not 64-bit (negated reference), so the 32-bit EACCES / EPERM rules above are sufficient -->
          <extend_definition comment="64-bit system" definition_ref="system_info_architecture_64bit" negate="true" />
          <!-- Or the system is 64-bit, in which case the 64-bit versions of both rules must be present as well -->
          <criteria operator="AND">
            <criterion comment="Verify audit rule {{{ SYSCALL }}} 64bit {{{ POS }}}&amp;0100 eacces augenrules exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_creat_64bit_a20100_eacces_augenrules" />
            <criterion comment="Verify audit rule {{{ SYSCALL }}} 64bit {{{ POS }}}&amp;0100 eperm augenrules exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_creat_64bit_a20100_eperm_augenrules" />
          </criteria>
        </criteria>
      </criteria>

      <!-- auditctl case: same structure as above, evaluated through the *_auditctl tests -->
      <criteria operator="AND">
        <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
        <criterion comment="Verify audit rule {{{ SYSCALL }}} 32bit {{{ POS }}}&amp;0100 eacces auditctl exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_creat_32bit_a20100_eacces_auditctl" />
        <criterion comment="Verify audit rule {{{ SYSCALL }}} 32bit {{{ POS }}}&amp;0100 eperm auditctl exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_creat_32bit_a20100_eperm_auditctl" />

        <criteria operator="OR">
          <!-- Either the system is not 64-bit (negated reference), so the 32-bit EACCES / EPERM rules above are sufficient -->
          <extend_definition comment="64-bit_system" definition_ref="system_info_architecture_64bit" negate="true" />
          <!-- Or the system is 64-bit, in which case the 64-bit versions of both rules must be present as well -->
          <criteria operator="AND">
            <criterion comment="Verify audit rule {{{ SYSCALL }}} 64bit {{{ POS }}}&amp;0100 eacces auditctl exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_creat_64bit_a20100_eacces_auditctl" />
            <criterion comment="Verify audit rule {{{ SYSCALL }}} 64bit {{{ POS }}}&amp;0100 eperm auditctl exists" test_ref="test_arufm_{{{ SYSCALL }}}_o_creat_64bit_a20100_eperm_auditctl" />

          </criteria>
        </criteria>
      </criteria>

    </criteria>
  </definition>

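  <!-- General rule boilerplate: fragments shared by every expected audit rule line -->
  <!-- Head of a 32-bit rule: optional leading whitespace, "-a always,exit", "-F arch=b32",
       then a single -S list in which the templated syscall appears as a whole
       comma-separated entry (other syscalls may precede or follow it in that list). -->
  <constant_variable id="var_audit_rule_{{{ SYSCALL }}}_o_creat_32bit_head" version="1" datatype="string" comment="audit rule arch and syscall">
    <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*({{{ SYSCALL }}})(?:,[\S]+)*)[\s]+</value>
  </constant_variable>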
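  <!-- Head of a 64-bit rule: optional leading whitespace, "-a always,exit", "-F arch=b64",
       then a single -S list in which the templated syscall appears as a whole
       comma-separated entry (other syscalls may precede or follow it in that list). -->
  <constant_variable id="var_audit_rule_{{{ SYSCALL }}}_o_creat_64bit_head" version="1" datatype="string" comment="audit rule arch and syscall">
    <value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*({{{ SYSCALL }}})(?:,[\S]+)*)[\s]+</value>
  </constant_variable>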
  <!-- Tail shared by all four rule patterns. In order it requires:
         "-F auid>=" followed by the templated threshold,
         "-F auid!=unset" or "-F auid!=4294967295",
         a key written as "-k NAME" or "-F key=NAME",
       and then only optional whitespace up to the end of the line.
       NOTE(review): a rule that spells the unset auid as -1 is not matched by this
       pattern and would be reported as missing; confirm that this is intended. -->
  <constant_variable id="var_audit_rule_{{{ SYSCALL }}}_o_creat_tail" version="1" datatype="string" comment="audit rule auid and key">
    <value>[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</value>
  </constant_variable>

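  <!-- Regex to match anything between targeted rules: any run of characters in which
       a literal dot may only appear when followed by whitespace.
       NOTE(review): no test or variable in this file references this constant. -->
  <constant_variable id="var_audit_rule_{{{ SYSCALL }}}_o_creat_separator_regex" version="1" datatype="string" comment="regex matching anything between targeted rules">
    <value>(?:[^.]|\.\s)*</value>
  </constant_variable>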

  <!-- 32-bit EACCES rule: full-line pattern built as
       32-bit head + (flag-bit filter, exit=-EACCES filter) + shared tail -->
  <local_variable
      id="var_audit_rule_{{{ SYSCALL }}}_o_creat_32bit_a20100_eacces_regex"
      version="1"
      datatype="string"
      comment="Expression to match 32bit {{{ SYSCALL }}} O_CREAT EACCES syscall">
    <concat>
      <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_o_creat_32bit_head"/>
      <literal_component>(?:-F\s+{{{ POS }}}&amp;0100)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
      <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_o_creat_tail"/>
    </concat>
  </local_variable>

  <!-- 32-bit EPERM rule: full-line pattern built as
       32-bit head + (flag-bit filter, exit=-EPERM filter) + shared tail -->
  <local_variable
      id="var_audit_rule_{{{ SYSCALL }}}_o_creat_32bit_a20100_eperm_regex"
      version="1"
      datatype="string"
      comment="Expression to match 32bit {{{ SYSCALL }}} O_CREAT EPERM syscall">
    <concat>
      <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_o_creat_32bit_head"/>
      <literal_component>(?:-F\s+{{{ POS }}}&amp;0100)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
      <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_o_creat_tail"/>
    </concat>
  </local_variable>

  <!-- 64-bit EACCES rule: full-line pattern built as
       64-bit head + (flag-bit filter, exit=-EACCES filter) + shared tail -->
  <local_variable
      id="var_audit_rule_{{{ SYSCALL }}}_o_creat_64bit_a20100_eacces_regex"
      version="1"
      datatype="string"
      comment="Expression to match 64bit {{{ SYSCALL }}} O_CREAT EACCES syscall">
    <concat>
      <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_o_creat_64bit_head"/>
      <literal_component>(?:-F\s+{{{ POS }}}&amp;0100)[\s]+(?:-F\s+exit=-EACCES)</literal_component>
      <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_o_creat_tail"/>
    </concat>
  </local_variable>

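  <!-- 64-bit EPERM rule: full-line pattern built as
       64-bit head + (flag-bit filter, exit=-EPERM filter) + shared tail.
       The comment attribute names the 64-bit variant, matching the id and the head it uses. -->
  <local_variable id="var_audit_rule_{{{ SYSCALL }}}_o_creat_64bit_a20100_eperm_regex" version="1" datatype="string" comment="Expression to match 64bit {{{ SYSCALL }}} O_CREAT EPERM syscall">
    <concat>
      <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_o_creat_64bit_head" />
      <literal_component>(?:-F\s+{{{ POS }}}&amp;0100)[\s]+(?:-F\s+exit=-EPERM)</literal_component>
      <variable_component var_ref="var_audit_rule_{{{ SYSCALL }}}_o_creat_tail" />
    </concat>
  </local_variable>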


  <!-- 32-bit EACCES, augenrules: search every *.rules file under /etc/audit/rules.d
       for a line matching the 32-bit EACCES pattern. With only_one_exists the test
       passes only when exactly one matching line is collected. -->
  <ind:textfilecontent54_test
      id="test_arufm_{{{ SYSCALL }}}_o_creat_32bit_a20100_eacces_augenrules"
      version="1"
      check="all"
      check_existence="only_one_exists"
      comment="defined audit rule must exist">
    <ind:object object_ref="object_arufm_{{{ SYSCALL }}}_o_creat_32bit_a20100_eacces_augenrules"/>
  </ind:textfilecontent54_test>
  <ind:textfilecontent54_object
      id="object_arufm_{{{ SYSCALL }}}_o_creat_32bit_a20100_eacces_augenrules"
      version="1">
    <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
    <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_o_creat_32bit_a20100_eacces_regex"/>
    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
  </ind:textfilecontent54_object>


  <!-- 32-bit EPERM, augenrules: search every *.rules file under /etc/audit/rules.d
       for a line matching the 32-bit EPERM pattern. With only_one_exists the test
       passes only when exactly one matching line is collected. -->
  <ind:textfilecontent54_test
      id="test_arufm_{{{ SYSCALL }}}_o_creat_32bit_a20100_eperm_augenrules"
      version="1"
      check="all"
      check_existence="only_one_exists"
      comment="defined audit rule must exist">
    <ind:object object_ref="object_arufm_{{{ SYSCALL }}}_o_creat_32bit_a20100_eperm_augenrules"/>
  </ind:textfilecontent54_test>
  <ind:textfilecontent54_object
      id="object_arufm_{{{ SYSCALL }}}_o_creat_32bit_a20100_eperm_augenrules"
      version="1">
    <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
    <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_o_creat_32bit_a20100_eperm_regex"/>
    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
  </ind:textfilecontent54_object>


  <!-- 64-bit EACCES, augenrules: search every *.rules file under /etc/audit/rules.d
       for a line matching the 64-bit EACCES pattern. With only_one_exists the test
       passes only when exactly one matching line is collected. -->
  <ind:textfilecontent54_test
      id="test_arufm_{{{ SYSCALL }}}_o_creat_64bit_a20100_eacces_augenrules"
      version="1"
      check="all"
      check_existence="only_one_exists"
      comment="defined audit rule must exist">
    <ind:object object_ref="object_arufm_{{{ SYSCALL }}}_o_creat_64bit_a20100_eacces_augenrules"/>
  </ind:textfilecontent54_test>
  <ind:textfilecontent54_object
      id="object_arufm_{{{ SYSCALL }}}_o_creat_64bit_a20100_eacces_augenrules"
      version="1">
    <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
    <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_o_creat_64bit_a20100_eacces_regex"/>
    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
  </ind:textfilecontent54_object>


  <!-- 64-bit EPERM, augenrules: search every *.rules file under /etc/audit/rules.d
       for a line matching the 64-bit EPERM pattern. With only_one_exists the test
       passes only when exactly one matching line is collected. -->
  <ind:textfilecontent54_test
      id="test_arufm_{{{ SYSCALL }}}_o_creat_64bit_a20100_eperm_augenrules"
      version="1"
      check="all"
      check_existence="only_one_exists"
      comment="defined audit rule must exist">
    <ind:object object_ref="object_arufm_{{{ SYSCALL }}}_o_creat_64bit_a20100_eperm_augenrules"/>
  </ind:textfilecontent54_test>
  <ind:textfilecontent54_object
      id="object_arufm_{{{ SYSCALL }}}_o_creat_64bit_a20100_eperm_augenrules"
      version="1">
    <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
    <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_o_creat_64bit_a20100_eperm_regex"/>
    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
  </ind:textfilecontent54_object>


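  <!-- 32-bit EACCES, auditctl: look for the rule in /etc/audit/audit.rules, the file
       auditctl loads. The rules.d drop-in directory is the augenrules input and is
       covered by the matching *_augenrules object; scanning it here would let the
       auditctl branch pass or fail on files that auditctl does not read.
       With only_one_exists the test passes only when exactly one matching line is collected. -->
  <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
      comment="defined audit rule must exist" id="test_arufm_{{{ SYSCALL }}}_o_creat_32bit_a20100_eacces_auditctl" version="1">
    <ind:object object_ref="object_arufm_{{{ SYSCALL }}}_o_creat_32bit_a20100_eacces_auditctl" />
  </ind:textfilecontent54_test>
  <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_o_creat_32bit_a20100_eacces_auditctl" version="1">
    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
    <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_o_creat_32bit_a20100_eacces_regex" />
    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
  </ind:textfilecontent54_object>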


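  <!-- 32-bit EPERM, auditctl: look for the rule in /etc/audit/audit.rules, the file
       auditctl loads. The rules.d drop-in directory is the augenrules input and is
       covered by the matching *_augenrules object; scanning it here would let the
       auditctl branch pass or fail on files that auditctl does not read.
       With only_one_exists the test passes only when exactly one matching line is collected. -->
  <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
      comment="defined audit rule must exist" id="test_arufm_{{{ SYSCALL }}}_o_creat_32bit_a20100_eperm_auditctl" version="1">
    <ind:object object_ref="object_arufm_{{{ SYSCALL }}}_o_creat_32bit_a20100_eperm_auditctl" />
  </ind:textfilecontent54_test>
  <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_o_creat_32bit_a20100_eperm_auditctl" version="1">
    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
    <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_o_creat_32bit_a20100_eperm_regex" />
    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
  </ind:textfilecontent54_object>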


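  <!-- 64-bit EACCES, auditctl: look for the rule in /etc/audit/audit.rules, the file
       auditctl loads. The rules.d drop-in directory is the augenrules input and is
       covered by the matching *_augenrules object; scanning it here would let the
       auditctl branch pass or fail on files that auditctl does not read.
       With only_one_exists the test passes only when exactly one matching line is collected. -->
  <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
      comment="defined audit rule must exist" id="test_arufm_{{{ SYSCALL }}}_o_creat_64bit_a20100_eacces_auditctl" version="1">
    <ind:object object_ref="object_arufm_{{{ SYSCALL }}}_o_creat_64bit_a20100_eacces_auditctl" />
  </ind:textfilecontent54_test>
  <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_o_creat_64bit_a20100_eacces_auditctl" version="1">
    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
    <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_o_creat_64bit_a20100_eacces_regex" />
    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
  </ind:textfilecontent54_object>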


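  <!-- 64-bit EPERM, auditctl: look for the rule in /etc/audit/audit.rules, the file
       auditctl loads. The rules.d drop-in directory is the augenrules input and is
       covered by the matching *_augenrules object; scanning it here would let the
       auditctl branch pass or fail on files that auditctl does not read.
       With only_one_exists the test passes only when exactly one matching line is collected. -->
  <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
      comment="defined audit rule must exist" id="test_arufm_{{{ SYSCALL }}}_o_creat_64bit_a20100_eperm_auditctl" version="1">
    <ind:object object_ref="object_arufm_{{{ SYSCALL }}}_o_creat_64bit_a20100_eperm_auditctl" />
  </ind:textfilecontent54_test>
  <ind:textfilecontent54_object id="object_arufm_{{{ SYSCALL }}}_o_creat_64bit_a20100_eperm_auditctl" version="1">
    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
    <ind:pattern operation="pattern match" var_ref="var_audit_rule_{{{ SYSCALL }}}_o_creat_64bit_a20100_eperm_regex" />
    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
  </ind:textfilecontent54_object>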

</def-group>