scap-security-guide/SOURCES/scap-security-guide-0.1.49-split-audit-rules.patch
2021-09-10 04:18:38 +00:00

1952 lines
102 KiB
Diff

From dd25ef669719bffe40f3024dbc949e421779f106 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 9 Dec 2019 16:25:50 +0100
Subject: [PATCH] Split audit rules for OSPP
---
docs/manual/developer_guide.adoc | 7 +
.../policy_rules/audit_access_failed/rule.yml | 53 +++++++
.../tests/correct_rules.pass.sh | 1 +
.../audit_access_success/rule.yml | 58 ++++++++
.../tests/correct_rules.pass.sh | 1 +
.../audit_basic_configuration/rule.yml | 66 +++++++++
.../tests/correct_rules.pass.sh | 3 +
.../tests/file_missing.fail.sh | 3 +
.../tests/file_not_identical.fail.sh | 4 +
.../policy_rules/audit_create_failed/rule.yml | 66 +++++++++
.../tests/correct_rules.pass.sh | 1 +
.../audit_create_success/rule.yml | 59 ++++++++
.../tests/correct_rules.pass.sh | 1 +
.../policy_rules/audit_delete_failed/rule.yml | 58 ++++++++
.../tests/correct_rules.pass.sh | 1 +
.../audit_delete_success/rule.yml | 57 ++++++++
.../tests/correct_rules.pass.sh | 1 +
.../tests/failed_delete_rules.fail.sh | 1 +
.../tests/no_rule.fail.sh | 1 +
.../audit_immutable_login_uids/rule.yml | 54 +++++++
.../tests/correct_rules.pass.sh | 1 +
.../policy_rules/audit_modify_failed/rule.yml | 66 +++++++++
.../tests/correct_rules.pass.sh | 1 +
.../audit_modify_success/rule.yml | 61 ++++++++
.../tests/correct_rules.pass.sh | 1 +
.../policy_rules/audit_module_load/rule.yml | 58 ++++++++
.../tests/correct_rules.pass.sh | 1 +
.../policy_rules/audit_ospp_general/rule.yml | 138 ++++++++++++++++++
.../tests/correct_rules.pass.sh | 1 +
.../audit_owner_change_failed/rule.yml | 59 ++++++++
.../tests/correct_rules.pass.sh | 1 +
.../audit_owner_change_success/rule.yml | 60 ++++++++
.../tests/correct_rules.pass.sh | 1 +
.../audit_perm_change_failed/rule.yml | 58 ++++++++
.../tests/correct_rules.pass.sh | 1 +
.../audit_perm_change_success/rule.yml | 57 ++++++++
.../tests/correct_rules.pass.sh | 1 +
.../audit_rules_for_ospp/oval/shared.xml | 8 +-
rhel8/profiles/ospp.profile | 17 ++-
shared/macros-ansible.jinja | 15 ++
shared/macros-bash.jinja | 11 ++
shared/macros-oval.jinja | 41 ++++++
shared/references/cce-redhat-avail.txt | 11 --
.../template_ANSIBLE_audit_file_contents | 11 ++
.../template_BASH_audit_file_contents | 14 ++
.../template_OVAL_audit_file_contents | 7 +
ssg/templates.py | 20 +++
tests/shared/audit/10-base-config.rules | 13 ++
tests/shared/audit/11-loginuid.rules | 3 +
.../audit/30-ospp-v42-1-create-failed.rules | 13 ++
.../audit/30-ospp-v42-1-create-success.rules | 7 +
.../audit/30-ospp-v42-2-modify-failed.rules | 13 ++
.../audit/30-ospp-v42-2-modify-success.rules | 7 +
.../audit/30-ospp-v42-3-access-failed.rules | 5 +
.../audit/30-ospp-v42-3-access-success.rules | 4 +
.../audit/30-ospp-v42-4-delete-failed.rules | 5 +
.../audit/30-ospp-v42-4-delete-success.rules | 3 +
.../30-ospp-v42-5-perm-change-failed.rules | 5 +
.../30-ospp-v42-5-perm-change-success.rules | 3 +
.../30-ospp-v42-6-owner-change-failed.rules | 5 +
.../30-ospp-v42-6-owner-change-success.rules | 3 +
tests/shared/audit/30-ospp-v42.rules | 80 ++++++++++
tests/shared/audit/43-module-load.rules | 6 +
63 files changed, 1376 insertions(+), 16 deletions(-)
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_access_failed/tests/correct_rules.pass.sh
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_access_success/tests/correct_rules.pass.sh
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/correct_rules.pass.sh
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/file_missing.fail.sh
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/file_not_identical.fail.sh
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_create_failed/tests/correct_rules.pass.sh
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_create_success/tests/correct_rules.pass.sh
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_failed/tests/correct_rules.pass.sh
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/correct_rules.pass.sh
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/failed_delete_rules.fail.sh
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/no_rule.fail.sh
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/tests/correct_rules.pass.sh
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_modify_failed/tests/correct_rules.pass.sh
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_modify_success/tests/correct_rules.pass.sh
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_module_load/tests/correct_rules.pass.sh
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_ospp_general/tests/correct_rules.pass.sh
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/tests/correct_rules.pass.sh
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/tests/correct_rules.pass.sh
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/tests/correct_rules.pass.sh
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml
create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/tests/correct_rules.pass.sh
create mode 100644 shared/templates/template_ANSIBLE_audit_file_contents
create mode 100644 shared/templates/template_BASH_audit_file_contents
create mode 100644 shared/templates/template_OVAL_audit_file_contents
create mode 100644 tests/shared/audit/10-base-config.rules
create mode 100644 tests/shared/audit/11-loginuid.rules
create mode 100644 tests/shared/audit/30-ospp-v42-1-create-failed.rules
create mode 100644 tests/shared/audit/30-ospp-v42-1-create-success.rules
create mode 100644 tests/shared/audit/30-ospp-v42-2-modify-failed.rules
create mode 100644 tests/shared/audit/30-ospp-v42-2-modify-success.rules
create mode 100644 tests/shared/audit/30-ospp-v42-3-access-failed.rules
create mode 100644 tests/shared/audit/30-ospp-v42-3-access-success.rules
create mode 100644 tests/shared/audit/30-ospp-v42-4-delete-failed.rules
create mode 100644 tests/shared/audit/30-ospp-v42-4-delete-success.rules
create mode 100644 tests/shared/audit/30-ospp-v42-5-perm-change-failed.rules
create mode 100644 tests/shared/audit/30-ospp-v42-5-perm-change-success.rules
create mode 100644 tests/shared/audit/30-ospp-v42-6-owner-change-failed.rules
create mode 100644 tests/shared/audit/30-ospp-v42-6-owner-change-success.rules
create mode 100644 tests/shared/audit/30-ospp-v42.rules
create mode 100644 tests/shared/audit/43-module-load.rules
diff --git a/docs/manual/developer_guide.adoc b/docs/manual/developer_guide.adoc
index 4cccea23d..76c1c1021 100644
--- a/docs/manual/developer_guide.adoc
+++ b/docs/manual/developer_guide.adoc
@@ -1449,6 +1449,13 @@ audit_rules_privileged_commands::
** *path* - the path of the privileged command - eg. `/usr/bin/mount`
* Languages: Ansible, Bash, OVAL
+audit_file_contents::
+* Ensure that audit `.rules` file specified by parameter `filepath` contains the contents specified in parameter `contents`.
+* Parameters:
+** *filepath* - path to audit rules file, e.g.: `/etc/audit/rules.d/10-base-config.rules`
+** *contents* - expected contents of the file
+* Languages: Ansible, Bash, OVAL
+
audit_rules_unsuccessful_file_modification::
* Ensure there is an Audit rule to record unsuccessful attempts to access files
* Parameters:
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
new file mode 100644
index 000000000..6172751f1
--- /dev/null
+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
@@ -0,0 +1,53 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Configure auditing of unsuccessful file accesses'
+
+{{% set file_contents_audit_access_failed =
+"## Unsuccessful file access (any other opens) This has to go last.
+-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-access
+-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-access
+-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-access
+-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-access
+" %}}
+
+description: |-
+ Ensure that unsuccessful attempts to access a file are audited.
+
+ The following rules configure audit as described above:
+ <pre>{{{ file_contents_audit_access_failed|indent }}} </pre>
+
+ Load new Audit rules into kernel by running:
+ <pre>augenrules --load</pre>
+
+ Note: This rule utilizes a file provided by <tt>Audit</tt> package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
+
+
+rationale: |-
+ Unsuccessful attempts to access a file might be signs of malicious activity happening within the system. Auditing of such activities helps in their monitoring and investigation.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: 82833-5
+
+references:
+ ospp: FAU_GEN.1.1.c
+ nist: AU-2(a)
+ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205
+
+ocil_clause: 'the file does not exist or the content differs'
+
+ocil: |-
+ To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
+ <pre>cat /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules</pre>
+ The output has to be exactly as follows:
+ <pre>{{{ file_contents_audit_access_failed|indent }}} </pre>
+
+template:
+ name: audit_file_contents
+ vars:
+ filepath: /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
+ contents: |+
+ {{{ file_contents_audit_access_failed|indent(12) }}}
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/tests/correct_rules.pass.sh
new file mode 100644
index 000000000..ce7c7a0dd
--- /dev/null
+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/tests/correct_rules.pass.sh
@@ -0,0 +1 @@
+cp $SHARED/audit/30-ospp-v42-3-access-failed.rules /etc/audit/rules.d/
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
new file mode 100644
index 000000000..8d0625a1d
--- /dev/null
+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
@@ -0,0 +1,58 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Configure auditing of successful file accesses'
+
+{{% set file_contents_audit_access_success =
+"## Successful file access (any other opens) This has to go last.
+## These next two are likely to result in a whole lot of events
+-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-access
+-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-access
+" %}}
+
+description: |-
+ Ensure that successful attempts to access a file are audited.
+
+ The following rules configure audit as described above:
+ <pre>{{{ file_contents_audit_access_success|indent }}} </pre>
+
+ The <tt>Audit</tt> package provides pre-configured rules in <tt>/usr/share/audit/sample-rules</tt>. The above content can be found in <tt>/usr/share/audit/sample-rules/30-ospp-v42-3-access-success.rules</tt>.
+ To deploy this configuration, it is recommended to copy it over to the <tt>/etc/audit/rules.d/</tt> directory:
+ <pre>
+ cp /usr/share/audit/sample-rules/30-ospp-v42-3-access-success.rules /etc/audit/rules.d/
+ </pre>
+
+ Load new Audit rules into kernel by running:
+ <pre>augenrules --load</pre>
+
+ Note: This rule utilizes a file provided by <tt>Audit</tt> package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
+
+
+rationale: |-
+ Auditing of successful attempts to access a file helps in investigation of activities performed on the system.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: 82834-3
+
+references:
+ ospp: FAU_GEN.1.1.c
+ nist: AU-2(a)
+ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205
+
+ocil_clause: 'the file does not exist or the content differs'
+
+ocil: |-
+ To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
+ <pre>cat /etc/audit/rules.d/30-ospp-v42-3-access-success.rules</pre>
+ The output has to be exactly as follows:
+ <pre>{{{ file_contents_audit_access_success|indent }}} </pre>
+
+template:
+ name: audit_file_contents
+ vars:
+ filepath: /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
+ contents: |+
+ {{{ file_contents_audit_access_success|indent(12) }}}
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_access_success/tests/correct_rules.pass.sh
new file mode 100644
index 000000000..7092f2c47
--- /dev/null
+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success/tests/correct_rules.pass.sh
@@ -0,0 +1 @@
+cp $SHARED/audit/30-ospp-v42-3-access-success.rules /etc/audit/rules.d/
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml
new file mode 100644
index 000000000..24cac20a2
--- /dev/null
+++ b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml
@@ -0,0 +1,66 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Configure basic parameters of Audit system'
+
+{{% set file_contents_audit_base_config =
+"## First rule - delete all
+-D
+
+## Increase the buffers to survive stress events.
+## Make this bigger for busy systems
+-b 8192
+
+## This determine how long to wait in burst of events
+--backlog_wait_time 60000
+
+## Set failure mode to syslog
+-f 1
+
+" %}}
+
+description: |-
+ Perform basic configuration of Audit system.
+ Make sure that any previously defined rules are cleared, the auditing system is configured to handle sudden bursts of events, and in cases of failure, messages are configured to be directed to system log.
+
+ The following rules configure audit as described above:
+ <pre>{{{ file_contents_audit_base_config|indent }}} </pre>
+
+ The <tt>Audit</tt> package provides pre-configured rules in <tt>/usr/share/audit/sample-rules</tt>. The above content can be found in <tt>/usr/share/audit/sample-rules/10-base-config.rules</tt>.
+ To deploy this configuration, it is recommended to copy it over to the <tt>/etc/audit/rules.d/</tt> directory:
+ <pre>
+ cp /usr/share/audit/sample-rules/10-base-config.rules /etc/audit/rules.d/
+ </pre>
+
+ Load new Audit rules into kernel by running:
+ <pre>augenrules --load</pre>
+
+
+rationale: |-
+ Without basic configurations, audit may not perform as expected. It may not be able to correctly handle events under stressful conditions, or log events in case of failure.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: 82827-7
+
+references:
+ ospp: FAU_GEN.1.1.c
+ nist: AU-2(a)
+ srg: SRG-OS-000365-GPOS-00152,SRG-OS-000475-GPOS-00220
+
+ocil_clause: 'the file does not exist or the content differs'
+
+ocil: |-
+ To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
+ <pre>cat /etc/audit/rules.d/10-base-config.rules</pre>
+ The output has to be exactly as follows:
+ <pre>{{{ file_contents_audit_base_config|indent }}} </pre>
+
+template:
+ name: audit_file_contents
+ vars:
+ filepath: /etc/audit/rules.d/10-base-config.rules
+ contents: |+
+ {{{ file_contents_audit_base_config|indent(12) }}}
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/correct_rules.pass.sh
new file mode 100644
index 000000000..2335ce458
--- /dev/null
+++ b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/correct_rules.pass.sh
@@ -0,0 +1,3 @@
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+cp $SHARED/audit/10-base-config.rules /etc/audit/rules.d/
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/file_missing.fail.sh b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/file_missing.fail.sh
new file mode 100644
index 000000000..aa506a736
--- /dev/null
+++ b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/file_missing.fail.sh
@@ -0,0 +1,3 @@
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+rm -f /etc/audit/rules.d/10-base-config.rules
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/file_not_identical.fail.sh b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/file_not_identical.fail.sh
new file mode 100644
index 000000000..4e7ce04c5
--- /dev/null
+++ b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/file_not_identical.fail.sh
@@ -0,0 +1,4 @@
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+cp /usr/share/audit/sample-rules/10-base-config.rules /etc/audit/rules.d/
+echo "some additional text" >> /etc/audit/rules.d/10-base-config.rules
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml
new file mode 100644
index 000000000..7cd677661
--- /dev/null
+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml
@@ -0,0 +1,66 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Configure auditing of unsuccessful file creations'
+
+{{% set file_contents_audit_create_failed =
+"## Unsuccessful file creation (open with O_CREAT)
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S open -F a1&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S open -F a1&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;0100 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&amp;0100 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S open -F a1&amp;0100 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S open -F a1&amp;0100 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
+" %}}
+
+description: |-
+ Ensure that unsuccessful attempts to create a file are audited.
+
+ The following rules configure audit as described above:
+ <pre>{{{ file_contents_audit_create_failed|indent }}} </pre>
+
+ The <tt>Audit</tt> package provides pre-configured rules in <tt>/usr/share/audit/sample-rules</tt>. The above content can be found in <tt>/usr/share/audit/sample-rules/30-ospp-v42-1-create-failed.rules</tt>.
+ To deploy this configuration, it is recommended to copy it over to the <tt>/etc/audit/rules.d/</tt> directory:
+ <pre>
+ cp /usr/share/audit/sample-rules/30-ospp-v42-1-create-failed.rules /etc/audit/rules.d/
+ </pre>
+
+ Load new Audit rules into kernel by running:
+ <pre>augenrules --load</pre>
+
+ Note: This rule utilizes a file provided by <tt>Audit</tt> package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
+
+rationale: |-
+ Unsuccessful file creations might be a sign of a malicious action being performed on the system. Keeping log of such events helps in monitoring and investigation of such actions.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: 82374-0
+
+references:
+ ospp: FAU_GEN.1.1.c
+ nist: AU-2(a)
+ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205
+
+ocil_clause: 'the file does not exist or the content differs'
+
+ocil: |-
+ To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
+ <pre>cat /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules</pre>
+ The output has to be exactly as follows:
+ <pre>{{{ file_contents_audit_create_failed|indent }}} </pre>
+
+template:
+ name: audit_file_contents
+ vars:
+ filepath: /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
+ contents: |+
+ {{{ file_contents_audit_create_failed|indent(12) }}}
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/tests/correct_rules.pass.sh
new file mode 100644
index 000000000..9a7fe431a
--- /dev/null
+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/tests/correct_rules.pass.sh
@@ -0,0 +1 @@
+cp $SHARED/audit/30-ospp-v42-1-create-failed.rules /etc/audit/rules.d/
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml
new file mode 100644
index 000000000..4c933ec50
--- /dev/null
+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml
@@ -0,0 +1,59 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Configure auditing of successful file creations'
+
+{{% set file_contents_audit_create_success =
+"## Successful file creation (open with O_CREAT)
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;0100 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&amp;0100 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create
+-a always,exit -F arch=b32 -S open -F a1&amp;0100 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create
+-a always,exit -F arch=b64 -S open -F a1&amp;0100 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create
+-a always,exit -F arch=b32 -S creat -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create
+-a always,exit -F arch=b64 -S creat -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create
+" %}}
+
+description: |-
+ Ensure that successful attempts to create a file are audited.
+
+ The following rules configure audit as described above:
+ <pre>{{{ file_contents_audit_create_success |indent }}} </pre>
+
+ The <tt>Audit</tt> package provides pre-configured rules in <tt>/usr/share/audit/sample-rules</tt>. The above content can be found in <tt>/usr/share/audit/sample-rules/30-ospp-v42-1-create-success.rules</tt>.
+ To deploy this configuration, it is recommended to copy it over to the <tt>/etc/audit/rules.d/</tt> directory:
+ <pre>
+ cp /usr/share/audit/sample-rules/30-ospp-v42-1-create-success.rules /etc/audit/rules.d/
+ </pre>
+
+ Load new Audit rules into kernel by running:
+ <pre>augenrules --load</pre>
+
+
+rationale: |-
+ Auditing of successful attempts to create a file helps in investigation of actions which happened on the system.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: 82829-3
+
+references:
+ ospp: FAU_GEN.1.1.c
+ nist: AU-2(a)
+ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205
+
+ocil_clause: 'the file does not exist or the content differs'
+
+ocil: |-
+ To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
+ <pre>cat /etc/audit/rules.d/30-ospp-v42-1-create-success.rules</pre>
+ The output has to be exactly as follows:
+ <pre>{{{ file_contents_audit_create_success|indent }}} </pre>
+
+template:
+ name: audit_file_contents
+ vars:
+ filepath: /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
+ contents: |+
+ {{{ file_contents_audit_create_success|indent(12) }}}
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_success/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_create_success/tests/correct_rules.pass.sh
new file mode 100644
index 000000000..dcc4afe73
--- /dev/null
+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_success/tests/correct_rules.pass.sh
@@ -0,0 +1 @@
+cp $SHARED/audit/30-ospp-v42-1-create-success.rules /etc/audit/rules.d/
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml
new file mode 100644
index 000000000..b9084f217
--- /dev/null
+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml
@@ -0,0 +1,58 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Configure auditing of unsuccessful file deletions'
+
+{{% set file_contents_audit_delete_failed =
+"## Unsuccessful file delete
+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-delete
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-delete
+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-delete
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-delete
+" %}}
+
+description: |-
+ Ensure that unsuccessful attempts to delete a file are audited.
+
+ The following rules configure audit as described above:
+ <pre>{{{ file_contents_audit_delete_failed|indent }}} </pre>
+
+ The <tt>Audit</tt> package provides pre-configured rules in <tt>/usr/share/audit/sample-rules</tt>. The above content can be found in <tt>/usr/share/audit/sample-rules/30-ospp-v42-4-delete-failed.rules</tt>.
+ To deploy this configuration, it is recommended to copy it over to the <tt>/etc/audit/rules.d/</tt> directory:
+ <pre>
+ cp /usr/share/audit/sample-rules/30-ospp-v42-4-delete-failed.rules /etc/audit/rules.d/
+ </pre>
+
+ Load new Audit rules into kernel by running:
+ <pre>augenrules --load</pre>
+
+ Note: This rule utilizes a file provided by <tt>Audit</tt> package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
+
+rationale: |-
+ Unsuccessful attempts to delete a file might be signs of malicious activities. Auditing of such events help in monitoring and investigating of such activities.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: 82835-0
+
+references:
+ ospp: FAU_GEN.1.1.c
+ nist: AU-2(a)
+ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212,SRG-OS-000467-GPOS-00211
+
+ocil_clause: 'the file does not exist or the content differs'
+
+ocil: |-
+ To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
+ <pre>cat /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules</pre>
+ The output has to be exactly as follows:
+ <pre>{{{ file_contents_audit_delete_failed|indent }}} </pre>
+
+template:
+ name: audit_file_contents
+ vars:
+ filepath: /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
+ contents: |+
+ {{{ file_contents_audit_delete_failed|indent(12) }}}
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/tests/correct_rules.pass.sh
new file mode 100644
index 000000000..9ae890203
--- /dev/null
+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/tests/correct_rules.pass.sh
@@ -0,0 +1 @@
+cp $SHARED/audit/30-ospp-v42-4-delete-failed.rules /etc/audit/rules.d/
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml
new file mode 100644
index 000000000..7d445d751
--- /dev/null
+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml
@@ -0,0 +1,57 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Configure auditing of successful file deletions'
+
+{{% set file_contents_audit_delete_success =
+"## Successful file delete
+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-delete
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-delete
+" %}}
+
+description: |-
+ Ensure that successful attempts to delete a file are audited.
+
+ The following rules configure audit as described above:
+ <pre>{{{ file_contents_audit_delete_success|indent }}} </pre>
+
+ The <tt>Audit</tt> package provides pre-configured rules in <tt>/usr/share/audit/sample-rules</tt>. The above content can be found in <tt>/usr/share/audit/sample-rules/30-ospp-v42-4-delete-success.rules</tt>.
+ To deploy this configuration, it is recommended to copy it over to the <tt>/etc/audit/rules.d/</tt> directory:
+ <pre>
+ cp /usr/share/audit/sample-rules/30-ospp-v42-4-delete-success.rules /etc/audit/rules.d/
+ </pre>
+
+ Load new Audit rules into kernel by running:
+ <pre>augenrules --load</pre>
+
+ Note: This rule utilizes a file provided by <tt>Audit</tt> package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
+
+
+rationale: |-
+ Auditing of successful attempts to delete a file may help in monitoring and investigation of activities performed on the system.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: 82836-8
+
+references:
+ ospp: FAU_GEN.1.1.c
+ nist: AU-2(a)
+ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212,SRG-OS-000467-GPOS-00211
+
+ocil_clause: 'the file does not exist or the content differs'
+
+ocil: |-
+ To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
+ <pre>cat /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules</pre>
+ The output has to be exactly as follows:
+ <pre>{{{ file_contents_audit_delete_success|indent }}} </pre>
+
+template:
+ name: audit_file_contents
+ vars:
+ filepath: /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
+ contents: |+
+ {{{ file_contents_audit_delete_success|indent(12) }}}
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/correct_rules.pass.sh
new file mode 100644
index 000000000..0a348baf6
--- /dev/null
+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/correct_rules.pass.sh
@@ -0,0 +1 @@
+cp $SHARED/audit/30-ospp-v42-4-delete-success.rules /etc/audit/rules.d/
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/failed_delete_rules.fail.sh b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/failed_delete_rules.fail.sh
new file mode 100644
index 000000000..9ae890203
--- /dev/null
+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/failed_delete_rules.fail.sh
@@ -0,0 +1 @@
+cp $SHARED/audit/30-ospp-v42-4-delete-failed.rules /etc/audit/rules.d/
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/no_rule.fail.sh b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/no_rule.fail.sh
new file mode 100644
index 000000000..3acb94ab6
--- /dev/null
+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/no_rule.fail.sh
@@ -0,0 +1 @@
+rm -f /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules.
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
new file mode 100644
index 000000000..eb87848e8
--- /dev/null
+++ b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
@@ -0,0 +1,54 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Configure immutable Audit login UIDs'
+
+{{% set file_contents_audit_immutable_login =
+"## Make the loginuid immutable. This prevents tampering with the auid.
+--loginuid-immutable
+
+" %}}
+
+description: |-
+ Configure kernel to prevent modification of login UIDs once they are set. Changing login UUIDs while this configuration is enforced requires special capabilities which are not available to unprivileged users.
+
+ The following rules configure audit as described above:
+ <pre>{{{ file_contents_audit_immutable_login|indent }}} </pre>
+
+ The <tt>Audit</tt> provides pre-configured rules in <tt>/usr/share/audit/sample-rules</tt>. The above content can be found in <tt>/usr/share/audit/sample-rules/11-loginuid.rules</tt>.
+ To deploy this configuration, it is recommended to copy it over to the <tt>/etc/audit/rules.d/</tt> directory:
+ <pre>
+ cp /usr/share/audit/sample-rules/11-loginuid.rules /etc/audit/rules.d/
+ </pre>
+
+ Load new Audit rules into kernel by running:
+ <pre>augenrules --load</pre>
+
+rationale: |-
+ If modification of login UIDs is not prevented, they can be changed by unprivileged users and make auditing complicated or impossible.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: 82828-5
+
+references:
+ ospp: FAU_GEN.1.1.c
+ nist: AU-2(a)
+ srg: SRG-OS-000462-GPOS-00206,SRG-OS-000475-GPOS-00220
+
+ocil_clause: 'the file does not exist or the content differs'
+
+ocil: |-
+ To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
+ <pre>cat /etc/audit/rules.d/11-loginuid.rules</pre>
+ The output has to be exactly as follows:
+ <pre>{{{ file_contents_audit_immutable_login|indent }}} </pre>
+
+template:
+ name: audit_file_contents
+ vars:
+ filepath: /etc/audit/rules.d/11-loginuid.rules
+ contents: |+
+ {{{ file_contents_audit_immutable_login|indent(12) }}}
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/tests/correct_rules.pass.sh
new file mode 100644
index 000000000..42178a67d
--- /dev/null
+++ b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/tests/correct_rules.pass.sh
@@ -0,0 +1 @@
+cp $SHARED/audit/11-loginuid.rules /etc/audit/rules.d/
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml
new file mode 100644
index 000000000..e9a24d9f5
--- /dev/null
+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml
@@ -0,0 +1,66 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Configure auditing of unsuccessful file modifications'
+
+{{% set file_contents_audit_modify_failed =
+"## Unsuccessful file modifications (open for write or truncate)
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S open -F a1&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S open -F a1&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S open -F a1&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S open -F a1&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+" %}}
+
+description: |-
+ Ensure that unsuccessful attempts to modify a file are audited.
+
+ The following rules configure audit as described above:
+ <pre>{{{ file_contents_audit_modify_failed|indent }}} </pre>
+
+ The <tt>Audit</tt> package provides pre-configured rules in <tt>/usr/share/audit/sample-rules</tt>. The above content can be found in <tt>/usr/share/audit/sample-rules/30-ospp-v42-2-modify-failed.rules</tt>.
+ To deploy this configuration, it is recommended to copy it over to the <tt>/etc/audit/rules.d/</tt> directory:
+ <pre>
+ cp /usr/share/audit/sample-rules/30-ospp-v42-2-modify-failed.rules /etc/audit/rules.d/
+ </pre>
+
+ Load new Audit rules into kernel by running:
+ <pre>augenrules --load</pre>
+
+ Note: This rule utilizes a file provided by <tt>Audit</tt> package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
+
+rationale: |-
+ Unsuccessful file modifications might be a sign of a malicious action being performed on the system. Auditing of such events helps in detection and investigation of such actions.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: 82830-1
+
+references:
+ ospp: FAU_GEN.1.1.c
+ nist: AU-2(a)
+ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205
+
+ocil_clause: 'the file does not exist or the content differs'
+
+ocil: |-
+ To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
+ <pre>cat /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules</pre>
+ The output has to be exactly as follows:
+ <pre>{{{ file_contents_audit_modify_failed|indent }}} </pre>
+
+template:
+ name: audit_file_contents
+ vars:
+ filepath: /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
+ contents: |+
+ {{{ file_contents_audit_modify_failed|indent(12) }}}
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/tests/correct_rules.pass.sh
new file mode 100644
index 000000000..58a11a63c
--- /dev/null
+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/tests/correct_rules.pass.sh
@@ -0,0 +1 @@
+cp $SHARED/audit/30-ospp-v42-2-modify-failed.rules /etc/audit/rules.d/
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml
new file mode 100644
index 000000000..71c313ece
--- /dev/null
+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml
@@ -0,0 +1,61 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Configure auditing of successful file modifications'
+
+{{% set file_contents_audit_modify_success =
+"## Successful file modifications (open for write or truncate)
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;01003 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-modification
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&amp;01003 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-modification
+-a always,exit -F arch=b32 -S open -F a1&amp;01003 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-modification
+-a always,exit -F arch=b64 -S open -F a1&amp;01003 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-modification
+-a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-modification
+-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-modification
+" %}}
+
+description: |-
+ Ensure that successful attempts to modify a file are audited.
+
+ The following rules configure audit as described above:
+ <pre>{{{ file_contents_audit_modify_success|indent }}} </pre>
+
+ The <tt>Audit</tt> package provides pre-configured rules in <tt>/usr/share/audit/sample-rules</tt>. The above content can be found in <tt>/usr/share/audit/sample-rules/30-ospp-v42-2-modify-success.rules</tt>.
+ To deploy this configuration, it is recommended to copy it over to the <tt>/etc/audit/rules.d/</tt> directory:
+ <pre>
+ cp /usr/share/audit/sample-rules/30-ospp-v42-2-modify-success.rules /etc/audit/rules.d/
+ </pre>
+
+ Load new Audit rules into kernel by running:
+ <pre>augenrules --load</pre>
+
+ Note: This rule utilizes a file provided by <tt>Audit</tt> package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
+
+
+rationale: |-
+ Auditing of successful attempts to modify a file helps in investigation of actions which happened on the system.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: 82832-7
+
+references:
+ ospp: FAU_GEN.1.1.c
+ nist: AU-2(a)
+ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205
+
+ocil_clause: 'the file does not exist or the content differs'
+
+ocil: |-
+ To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
+ <pre>cat /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules</pre>
+ The output has to be exactly as follows:
+ <pre>{{{ file_contents_audit_modify_success|indent }}} </pre>
+
+template:
+ name: audit_file_contents
+ vars:
+ filepath: /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
+ contents: |+
+ {{{ file_contents_audit_modify_success|indent(12) }}}
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_success/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/tests/correct_rules.pass.sh
new file mode 100644
index 000000000..163ffa5db
--- /dev/null
+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/tests/correct_rules.pass.sh
@@ -0,0 +1 @@
+cp $SHARED/audit/30-ospp-v42-2-modify-success.rules /etc/audit/rules.d/
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml
new file mode 100644
index 000000000..30be01ce0
--- /dev/null
+++ b/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml
@@ -0,0 +1,58 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Configure auditing of loading and unloading of kernel modules'
+
+{{% set file_contents_audit_module_load =
+"## These rules watch for kernel module insertion. By monitoring
+## the syscall, we do not need any watches on programs.
+-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
+-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
+-a always,exit -F arch=b32 -S delete_module -F key=module-unload
+-a always,exit -F arch=b64 -S delete_module -F key=module-unload
+" %}}
+
+description: |-
+ Ensure that loading and unloading of kernel modules is audited.
+
+ The following rules configure audit as described above:
+ <pre>{{{ file_contents_audit_module_load|indent }}} </pre>
+
+ The <tt>Audit</tt> package provides pre-configured rules in <tt>/usr/share/audit/sample-rules</tt>. The above content can be found in <tt>/usr/share/audit/sample-rules/43-module-load.rules</tt>.
+ To deploy this configuration, it is recommended to copy it over to the <tt>/etc/audit/rules.d/</tt> directory:
+ <pre>
+ cp /usr/share/audit/sample-rules/43-module-load.rules /etc/audit/rules.d/
+ </pre>
+
+ Load new Audit rules into kernel by running:
+ <pre>augenrules --load</pre>
+
+
+rationale: |-
+ Loading of a malicious kernel module introduces a risk to the system, as the module has access to sensitive data and perform actions at the operating system kernel level. Having such events audited helps in monitoring and investigating of malicious activities.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: 82838-4
+
+references:
+ ospp: FAU_GEN.1.1.c
+ nist: AU-2(a)
+ srg: SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222,SRG-OS-000475-GPOS-00220
+
+ocil_clause: 'the file does not exist or the content differs'
+
+ocil: |-
+ To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
+ <pre>cat /etc/audit/rules.d/43-module-load.rules</pre>
+ The output has to be exactly as follows:
+ <pre>{{{ file_contents_audit_module_load|indent }}} </pre>
+
+template:
+ name: audit_file_contents
+ vars:
+ filepath: /etc/audit/rules.d/43-module-load.rules
+ contents: |+
+ {{{ file_contents_audit_module_load|indent(12) }}}
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_module_load/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_module_load/tests/correct_rules.pass.sh
new file mode 100644
index 000000000..c2d651e4c
--- /dev/null
+++ b/linux_os/guide/system/auditing/policy_rules/audit_module_load/tests/correct_rules.pass.sh
@@ -0,0 +1 @@
+cp $SHARED/audit/43-module-load.rules /etc/audit/rules.d/
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
new file mode 100644
index 000000000..0649e0682
--- /dev/null
+++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
@@ -0,0 +1,138 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Perform general configuration of Audit for OSPP'
+
+{{% set file_contents_audit_ospp_general =
+"## The purpose of these rules is to meet the requirements for Operating
+## System Protection Profile (OSPP)v4.2. These rules depends on having
+## the following rule files copied to /etc/audit/rules.d:
+##
+## 10-base-config.rules, 11-loginuid.rules,
+## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules,
+## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules,
+## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules,
+## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules,
+## 30-ospp-v42-5-perm-change-failed.rules,
+## 30-ospp-v42-5-perm-change-success.rules,
+## 30-ospp-v42-6-owner-change-failed.rules,
+## 30-ospp-v42-6-owner-change-success.rules
+##
+## original copies may be found in /usr/share/audit/sample-rules/
+
+
+## User add delete modify. This is covered by pam. However, someone could
+## open a file and directly create or modify a user, so we'll watch passwd and
+## shadow for writes
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;03 -F path=/etc/passwd -F auid&gt;=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&amp;03 -F path=/etc/passwd -F auid&gt;=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b32 -S open -F a1&amp;03 -F path=/etc/passwd -F auid&gt;=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b64 -S open -F a1&amp;03 -F path=/etc/passwd -F auid&gt;=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;03 -F path=/etc/shadow -F auid&gt;=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&amp;03 -F path=/etc/shadow -F auid&gt;=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b32 -S open -F a1&amp;03 -F path=/etc/shadow -F auid&gt;=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b64 -S open -F a1&amp;03 -F path=/etc/shadow -F auid&gt;=1000 -F auid!=unset -F key=user-modify
+
+## User enable and disable. This is entirely handled by pam.
+
+## Group add delete modify. This is covered by pam. However, someone could
+## open a file and directly create or modify a user, so we'll watch group and
+## gshadow for writes
+-a always,exit -F path=/etc/passwd -F perm=wa -F auid&gt;=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F path=/etc/shadow -F perm=wa -F auid&gt;=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F path=/etc/group -F perm=wa -F auid&gt;=1000 -F auid!=unset -F key=group-modify
+-a always,exit -F path=/etc/gshadow -F perm=wa -F auid&gt;=1000 -F auid!=unset -F key=group-modify
+
+
+## Use of special rights for config changes. This would be use of setuid
+## programs that relate to user accts. This is not all setuid apps because
+## requirements are only for ones that affect system configuration.
+-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/bin/mount -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/bin/umount -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/bin/at -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
+
+## Privilege escalation via su or sudo. This is entirely handled by pam.
+
+## Audit log access
+-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid&gt;=1000 -F auid!=unset -F key=access-audit-trail
+## Attempts to Alter Process and Session Initiation Information
+-a always,exit -F path=/var/run/utmp -F perm=wa -F auid&gt;=1000 -F auid!=unset -F key=session
+-a always,exit -F path=/var/log/btmp -F perm=wa -F auid&gt;=1000 -F auid!=unset -F key=session
+-a always,exit -F path=/var/log/wtmp -F perm=wa -F auid&gt;=1000 -F auid!=unset -F key=session
+
+## Attempts to modify MAC controls
+-a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid&gt;=1000 -F auid!=unset -F key=MAC-policy
+
+## Software updates. This is entirely handled by rpm.
+
+## System start and shutdown. This is entirely handled by systemd
+
+## Kernel Module loading. This is handled in 43-module-load.rules
+
+## Application invocation. The requirements list an optional requirement
+## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to
+## state results from that policy. This would be handled entirely by
+## that daemon.
+
+" %}}
+
+description: |-
+ Configure some basic <tt>Audit</tt> parameters specific for OSPP profile.
+ In particular, configure <tt>Audit</tt> to watch for direct modification of files storing system user and group information, and usage of applications with special rights which can change system configuration.
+ Further audited events include access to audit log it self, attempts to Alter Process and Session Initiation Information, and attempts to modify MAC controls.
+
+
+ The following rules configure audit as described above:
+ <pre>{{{ file_contents_audit_ospp_general|indent }}} </pre>
+
+ The <tt>Audit</tt> package provides pre-configured rules in <tt>/usr/share/audit/sample-rules</tt>. The above content can be found in <tt>/usr/share/audit/sample-rules/30-ospp-v42.rules</tt>.
+ To deploy this configuration, it is recommended to copy it over to the <tt>/etc/audit/rules.d/</tt> directory:
+ <pre>
+ cp /usr/share/audit/sample-rules/30-ospp-v42.rules /etc/audit/rules.d/
+ </pre>
+
+ Load new Audit rules into kernel by running:
+ <pre>augenrules --load</pre>
+
+ Note: This rule utilizes a file provided by <tt>Audit</tt> package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
+
+
+
+rationale: |-
+ Auditing of events listed in the description provides data for monitoring and investigation of potentially malicious events e.g. tampering with <tt>Audit</tt> logs, malicious access to files storing information about system users and groups etc.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: 82373-2
+
+references:
+ ospp: FAU_GEN.1.1.c
+ nist: AU-2(a)
+ srg: SRG-OS-000004-GPOS-00004,SRG-OS-000241-GPOS-00091,SRG-OS-000476-GPOS-00221,SRG-OS-000327-GPOS-00127,SRG-OS-000475-GPOS-00220,SRG-OS-000239-GPOS-00089,SRG-OS-000274-GPOS-00104,SRG-OS-000275-GPOS-00105,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121
+
+ocil_clause: 'the file does not exist or the content differs'
+
+ocil: |-
+ To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
+ <pre>cat /etc/audit/rules.d/30-ospp-v42.rules</pre>
+ The output has to be exactly as follows:
+ <pre>{{{ file_contents_audit_ospp_general|indent }}} </pre>
+
+template:
+ name: audit_file_contents
+ vars:
+ filepath: /etc/audit/rules.d/30-ospp-v42.rules
+ contents: |+
+ {{{ file_contents_audit_ospp_general|indent(12) }}}
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/tests/correct_rules.pass.sh
new file mode 100644
index 000000000..dcf3a88a6
--- /dev/null
+++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/tests/correct_rules.pass.sh
@@ -0,0 +1 @@
+cp $SHARED/audit/30-ospp-v42.rules /etc/audit/rules.d/
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml
new file mode 100644
index 000000000..1068fb8a9
--- /dev/null
+++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml
@@ -0,0 +1,59 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Configure auditing of unsuccessful ownership changes'
+
+{{% set file_contents_audit_owner_change_failed =
+"## Unsuccessful ownership change
+-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-owner-change
+-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-owner-change
+-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-owner-change
+-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-owner-change
+" %}}
+
+description: |-
+ Ensure that unsuccessful attempts to change an ownership of files or directories are audited.
+
+ The following rules configure audit as described above:
+ <pre>{{{ file_contents_audit_owner_change_failed|indent }}} </pre>
+
+ The <tt>Audit</tt> package provides pre-configured rules in <tt>/usr/share/audit/sample-rules</tt>. The above content can be found in <tt>/usr/share/audit/sample-rules/30-ospp-v42-6-owner-change-failed.rules</tt>.
+ To deploy this configuration, it is recommended to copy it over to the <tt>/etc/audit/rules.d/</tt> directory:
+ <pre>
+ cp /usr/share/audit/sample-rules/30-ospp-v42-6-owner-change-failed.rules /etc/audit/rules.d/
+ </pre>
+
+ Load new Audit rules into kernel by running:
+ <pre>augenrules --load</pre>
+
+ Note: This rule utilizes a file provided by <tt>Audit</tt> package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
+
+
+rationale: |-
+ Unsuccessful attempts to change an ownership of files or directories might be signs of a malicious activity. Having such events audited helps in monitoring and investigation of such activities.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: 82384-9
+
+references:
+ ospp: FAU_GEN.1.1.c
+ nist: AU-2(a)
+ srg: SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033
+
+ocil_clause: 'the file does not exist or the content differs'
+
+ocil: |-
+ To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
+ <pre>cat /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules</pre>
+ The output has to be exactly as follows:
+ <pre>{{{ file_contents_audit_owner_change_failed|indent }}} </pre>
+
+template:
+ name: audit_file_contents
+ vars:
+ filepath: /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
+ contents: |+
+ {{{ file_contents_audit_owner_change_failed|indent(12) }}}
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/tests/correct_rules.pass.sh
new file mode 100644
index 000000000..b5227b4c5
--- /dev/null
+++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/tests/correct_rules.pass.sh
@@ -0,0 +1 @@
+cp $SHARED/audit/30-ospp-v42-6-owner-change-failed.rules /etc/audit/rules.d/
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml
new file mode 100644
index 000000000..6ffa0e4fc
--- /dev/null
+++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml
@@ -0,0 +1,60 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Configure auditing of successful ownership changes'
+
+{{% set file_contents_audit_owner_change_success =
+"## Successful ownership change
+-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-owner-change
+-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-owner-change
+" %}}
+
+description: |-
+ Ensure that successful attempts to change an ownership of files or directories are audited.
+
+ The following rules configure audit as described above:
+ <pre>{{{ file_contents_audit_owner_change_success|indent }}} </pre>
+
+ The <tt>Audit</tt> package provides pre-configured rules in <tt>/usr/share/audit/sample-rules</tt>. The above content can be found in <tt>/usr/share/audit/sample-rules/30-ospp-v42-6-owner-change-success.rules</tt>.
+ To deploy this configuration, it is recommended to copy it over to the <tt>/etc/audit/rules.d/</tt> directory:
+ <pre>
+ cp /usr/share/audit/sample-rules/30-ospp-v42-6-owner-change-success.rules /etc/audit/rules.d/
+ </pre>
+
+ The file has the following SHA-256 checksum:
+ <pre>7eb41a6aaf6737c2571b6424fae7fa53af4b41a9115b6c5732a5778ccd9900ad</pre>
+
+ Load new Audit rules into kernel by running:
+ <pre>augenrules --load</pre>
+
+ Note: This rule utilizes a file provided by <tt>Audit</tt> package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
+
+
+rationale: |-
+ Auditing of successful ownership changes of files or directories helps in monitoring or investingating of activities performed on the system.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: 82385-6
+
+references:
+ ospp: FAU_GEN.1.1.c
+ nist: AU-2(a)
+ srg: SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033
+
+ocil_clause: 'the file does not exist or the content differs'
+
+ocil: |-
+ To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
+ <pre>cat /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules</pre>
+ The output has to be exactly as follows:
+ <pre>{{{ file_contents_audit_owner_change_success|indent }}} </pre>
+
+template:
+ name: audit_file_contents
+ vars:
+ filepath: /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
+ contents: |+
+ {{{ file_contents_audit_owner_change_success|indent(12) }}}
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/tests/correct_rules.pass.sh
new file mode 100644
index 000000000..27eaf4a1f
--- /dev/null
+++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/tests/correct_rules.pass.sh
@@ -0,0 +1 @@
+cp $SHARED/audit/30-ospp-v42-6-owner-change-success.rules /etc/audit/rules.d/
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml
new file mode 100644
index 000000000..7be6299cb
--- /dev/null
+++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml
@@ -0,0 +1,58 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Configure auditing of unsuccessful permission changes'
+
+{{% set file_contents_audit_perm_change_failed =
+"## Unsuccessful permission change
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-perm-change
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-perm-change
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-perm-change
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-perm-change
+" %}}
+
+description: |-
+ Ensure that unsuccessful attempts to change file or directory permissions are audited.
+
+ The following rules configure audit as described above:
+ <pre>{{{ file_contents_audit_perm_change_failed|indent }}} </pre>
+
+ The <tt>Audit</tt> package provides pre-configured rules in <tt>/usr/share/audit/sample-rules</tt>. The above content can be found in <tt>/usr/share/audit/sample-rules/30-ospp-v42-5-perm-change-failed.rules</tt>.
+ To deploy this configuration, it is recommended to copy it over to the <tt>/etc/audit/rules.d/</tt> directory:
+ <pre>
+ cp /usr/share/audit/sample-rules/30-ospp-v42-5-perm-change-failed.rules /etc/audit/rules.d/
+ </pre>
+
+ Load new Audit rules into kernel by running:
+ <pre>augenrules --load</pre>
+
+ Note: This rule utilizes a file provided by <tt>Audit</tt> package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
+
+rationale: |-
+ Unsuccessful attempts to change permissions of files or directories might be signs of malicious activity. Having such events audited helps in monitoring and investigation of such activities.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: 82837-6
+
+references:
+ ospp: FAU_GEN.1.1.c
+ nist: AU-2(a)
+ srg: SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033
+
+ocil_clause: 'the file does not exist or the content differs'
+
+ocil: |-
+ To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
+ <pre>cat /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules</pre>
+ The output has to be exactly as follows:
+ <pre>{{{ file_contents_audit_perm_change_failed|indent }}} </pre>
+
+template:
+ name: audit_file_contents
+ vars:
+ filepath: /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
+ contents: |+
+ {{{ file_contents_audit_perm_change_failed|indent(12) }}}
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/tests/correct_rules.pass.sh
new file mode 100644
index 000000000..149fda66d
--- /dev/null
+++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/tests/correct_rules.pass.sh
@@ -0,0 +1 @@
+cp $SHARED/audit/30-ospp-v42-5-perm-change-failed.rules /etc/audit/rules.d/
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml
new file mode 100644
index 000000000..e2a247370
--- /dev/null
+++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml
@@ -0,0 +1,57 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Configure auditing of successful permission changes'
+
+{{% set file_contents_audit_perm_change_success =
+"## Successful permission change
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-perm-change
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-perm-change
+" %}}
+
+description: |-
+ Ensure that successful attempts to modify permissions of iles or directories are audited.
+
+ The following rules configure audit as described above:
+ <pre>{{{ file_contents_audit_perm_change_success|indent }}} </pre>
+
+ The <tt>Audit</tt> package provides pre-configured rules in <tt>/usr/share/audit/sample-rules</tt>. The above content can be found in <tt>/usr/share/audit/sample-rules/30-ospp-v42-5-perm-change-success.rules</tt>.
+ To deploy this configuration, it is recommended to copy it over to the <tt>/etc/audit/rules.d/</tt> directory:
+ <pre>
+ cp /usr/share/audit/sample-rules/30-ospp-v42-5-perm-change-success.rules /etc/audit/rules.d/
+ </pre>
+
+ Load new Audit rules into kernel by running:
+ <pre>augenrules --load</pre>
+
+ Note: This rule utilizes a file provided by <tt>Audit</tt> package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
+
+
+rationale: |-
+ Auditing successful file or directory permission changes helps in monitoring and investigating of activities performed on the system.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: 82383-1
+
+references:
+ ospp: FAU_GEN.1.1.c
+ nist: AU-2(a)
+ srg: SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033
+
+ocil_clause: 'the file does not exist or the content differs'
+
+ocil: |-
+ To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
+ <pre>cat /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules</pre>
+ The output has to be exactly as follows:
+ <pre>{{{ file_contents_audit_perm_change_success|indent }}} </pre>
+
+template:
+ name: audit_file_contents
+ vars:
+ filepath: /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
+ contents: |+
+ {{{ file_contents_audit_perm_change_success|indent(12) }}}
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/tests/correct_rules.pass.sh
new file mode 100644
index 000000000..cfa6c3f90
--- /dev/null
+++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/tests/correct_rules.pass.sh
@@ -0,0 +1 @@
+cp $SHARED/audit/30-ospp-v42-5-perm-change-success.rules /etc/audit/rules.d/
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/oval/shared.xml b/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/oval/shared.xml
index 9e5b6032f..d25ea0840 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/oval/shared.xml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/oval/shared.xml
@@ -1,15 +1,15 @@
{{% macro audit_file_compare_criterion(file_id) %}}
- <criterion comment="check {{{ file_id }}}.rules file" test_ref="test_compare_{{{ file_id }}}" />
+ <criterion comment="check {{{ file_id }}}.rules file" test_ref="test_compare_{{{ file_id }}}_old" />
{{% endmacro %}}
{{% macro audit_file_compare_test(file_id) %}}
<ind:textfilecontent54_test check="all" check_existence="all_exist"
comment="Compare {{{ file_id }}}.rules file in /etc/audit/rules.d against file in /usr/share/doc/audit/"
- id="test_compare_{{{ file_id }}}" version="1">
- <ind:object object_ref="object_etc_{{{ file_id }}}" />
+ id="test_compare_{{{ file_id }}}_old" version="1">
+ <ind:object object_ref="object_etc_{{{ file_id }}}_old" />
<ind:state state_ref="state_doc_{{{ file_id }}}" />
</ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="object_etc_{{{ file_id }}}" version="1">
+ <ind:textfilecontent54_object id="object_etc_{{{ file_id }}}_old" version="1">
<ind:filepath>/etc/audit/rules.d/{{{ file_id }}}.rules</ind:filepath>
<ind:pattern operation="pattern match">(?:.*\n)*</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index ef3ced501..5d3713ec7 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -377,7 +377,22 @@ selections:
## AU-2(a) / FAU_GEN.1.1.c
## Audit Kernel Module Loading and Unloading Events (Success/Failure)
## AU-2(a) / FAU_GEN.1.1.c
- - audit_rules_for_ospp
+ - audit_basic_configuration
+ - audit_immutable_login_uids
+ - audit_create_failed
+ - audit_create_success
+ - audit_modify_failed
+ - audit_modify_success
+ - audit_access_failed
+ - audit_access_success
+ - audit_delete_failed
+ - audit_delete_success
+ - audit_perm_change_failed
+ - audit_perm_change_success
+ - audit_owner_change_failed
+ - audit_owner_change_success
+ - audit_ospp_general
+ - audit_module_load
## Enable Automatic Software Updates
## SI-2 / FMT_MOF_EXT.1
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index f752e7a2b..c7fa22113 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -202,3 +202,18 @@
{{%- macro ansible_coredump_config_set(msg='', parameter='', value='') %}}
{{{ ansible_set_config_file(msg, "/etc/systemd/coredump.conf", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}}
{{%- endmacro %}}
+
+{{#
+ Generates an Ansible task that puts 'contents' into a file at 'filepath'
+ Parameters:
+ - filepath - filepath of the file to check
+ - contents - contents that should be in the file
+#}}
+{{%- macro ansible_file_contents(filepath='', contents='') %}}
+- name: "Put contents into {{{ filepath }}} according to policy"
+ copy:
+ dest: "{{{ filepath }}}"
+ content: |+
+ {{{ contents|indent(8) }}}
+ force: yes
+{{%- endmacro %}}
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
index dc7fd2558..bc522fc1e 100644
--- a/shared/macros-bash.jinja
+++ b/shared/macros-bash.jinja
@@ -509,3 +509,14 @@ if ! grep -qE '^\s*account\s+required\s+pam_faillock\.so.*$' "{{{ pam_file }}}"
sed -E -i --follow-symlinks '/^\s*account\s*required\s*pam_unix.so/i account required pam_faillock.so' "{{{ pam_file }}}"
fi
{{%- endmacro -%}}
+
+{{#
+ Generates bash script code that puts 'contents' into a file at 'filepath'
+ Parameters:
+ - filepath - filepath of the file to check
+ - contents - contents that should be in the file
+#}}
+{{%- macro bash_file_contents(filepath='', contents='') %}}
+cat << 'EOF' > {{{ filepath }}}
+{{{ contents }}}EOF
+{{%- endmacro %}}
diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
index 5f391efdc..11752785f 100644
--- a/shared/macros-oval.jinja
+++ b/shared/macros-oval.jinja
@@ -448,3 +448,44 @@
<unix:command_line operation="pattern match">^.*[\s]+{{{ option }}}=.*({{{ value }}}).*([\s]+.*$|$)</unix:command_line>
</unix:process58_state>
{{%- endmacro -%}}
+
+{{#
+ Macro which generates OVAL definition, test and object that check for contents
+ of the file.
+ Parameters:
+ - filepath - filepath of the file to check
+ - contents - contents that should be in the file
+#}}
+{{%- macro oval_file_contents(filepath='', filepath_id='', contents='') -%}}
+ <def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ <metadata>
+ <title>Check that contents of {{{ filepath }}} are as expected</title>
+ {{{- oval_affected(products) }}}
+ <description>Inspects the contents of {{{ filepath }}}</description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion comment="Check contents of file" test_ref="test_whole_file_contents_{{{ filepath_id }}}" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="Tests if contents of {{{ filepath }}} is exactly what is defined in rule description"
+ id="test_whole_file_contents_{{{ filepath_id }}}" version="1">
+ <ind:object object_ref="object_whole_file_contents_{{{ filepath_id }}}" />
+ <ind:state state_ref="state_whole_file_contents_{{{ filepath_id }}}" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="object_whole_file_contents_{{{ filepath_id }}}" version="1">
+ <ind:behaviors singleline="true" multiline="false" />
+ <ind:filepath>{{{ filepath }}}</ind:filepath>
+ <ind:pattern operation="pattern match">^.*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_state id="state_whole_file_contents_{{{ filepath_id }}}" version="1">
+ <ind:text operation="equals">{{{ contents }}}</ind:text>
+ </ind:textfilecontent54_state>
+
+ </def-group>
+{{%- endmacro %}}
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 1733872df..a961f0ec0 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -103,17 +103,6 @@ CCE-82823-6
CCE-82824-4
CCE-82825-1
CCE-82826-9
-CCE-82827-7
-CCE-82828-5
-CCE-82829-3
-CCE-82830-1
-CCE-82832-7
-CCE-82833-5
-CCE-82834-3
-CCE-82835-0
-CCE-82836-8
-CCE-82837-6
-CCE-82838-4
CCE-82839-2
CCE-82841-8
CCE-82842-6
diff --git a/shared/templates/template_ANSIBLE_audit_file_contents b/shared/templates/template_ANSIBLE_audit_file_contents
new file mode 100644
index 000000000..c28527454
--- /dev/null
+++ b/shared/templates/template_ANSIBLE_audit_file_contents
@@ -0,0 +1,11 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{{
+ ansible_file_contents(
+ filepath=FILEPATH,
+ contents=CONTENTS,
+ )
+}}}
diff --git a/shared/templates/template_BASH_audit_file_contents b/shared/templates/template_BASH_audit_file_contents
new file mode 100644
index 000000000..f264be6f1
--- /dev/null
+++ b/shared/templates/template_BASH_audit_file_contents
@@ -0,0 +1,14 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{
+ bash_file_contents(
+ filepath=FILEPATH,
+ contents=CONTENTS,
+ )
+}}}
+
+augenrules --load
diff --git a/shared/templates/template_OVAL_audit_file_contents b/shared/templates/template_OVAL_audit_file_contents
new file mode 100644
index 000000000..02e1b661d
--- /dev/null
+++ b/shared/templates/template_OVAL_audit_file_contents
@@ -0,0 +1,7 @@
+{{{
+ oval_file_contents(
+ filepath=FILEPATH,
+ filepath_id=FILEPATH_ID,
+ contents=CONTENTS
+ )
+}}}
diff --git a/ssg/templates.py b/ssg/templates.py
index 8a96c8ed4..e5ed4890b 100644
--- a/ssg/templates.py
+++ b/ssg/templates.py
@@ -1,8 +1,10 @@
+from __future__ import absolute_import
from __future__ import print_function
import os
import sys
import re
+from xml.sax.saxutils import unescape
import ssg.build_yaml
@@ -93,6 +95,10 @@ def audit_rules_privileged_commands(data, lang):
data["path"] = path.replace("/", "\\/")
return data
+@template(["ansible", "bash", "oval"])
+def audit_rules_rule_file(data, lang):
+ return data
+
@template(["ansible", "bash", "oval"])
def audit_rules_unsuccessful_file_modification(data, lang):
@@ -124,6 +130,20 @@ def audit_rules_usergroup_modification(data, lang):
return data
+@template(["ansible", "bash", "oval"])
+def audit_file_contents(data, lang):
+ if lang == "oval":
+ pathid = re.sub(r'[-\./]', '_', data["filepath"])
+ # remove root slash made into '_'
+ pathid = pathid[1:]
+ data["filepath_id"] = pathid
+
+ # The build system converts "<",">" and "&" for us
+ if lang == "bash" or lang == "ansible":
+ data["contents"] = unescape(data["contents"])
+ return data
+
+
def _file_owner_groupowner_permissions_regex(data):
data["is_directory"] = data["filepath"].endswith("/")
if "missing_file_pass" not in data:
diff --git a/tests/shared/audit/10-base-config.rules b/tests/shared/audit/10-base-config.rules
new file mode 100644
index 000000000..b86d66f9d
--- /dev/null
+++ b/tests/shared/audit/10-base-config.rules
@@ -0,0 +1,13 @@
+## First rule - delete all
+-D
+
+## Increase the buffers to survive stress events.
+## Make this bigger for busy systems
+-b 8192
+
+## This determine how long to wait in burst of events
+--backlog_wait_time 60000
+
+## Set failure mode to syslog
+-f 1
+
diff --git a/tests/shared/audit/11-loginuid.rules b/tests/shared/audit/11-loginuid.rules
new file mode 100644
index 000000000..9b0a3e98a
--- /dev/null
+++ b/tests/shared/audit/11-loginuid.rules
@@ -0,0 +1,3 @@
+## Make the loginuid immutable. This prevents tampering with the auid.
+--loginuid-immutable
+
diff --git a/tests/shared/audit/30-ospp-v42-1-create-failed.rules b/tests/shared/audit/30-ospp-v42-1-create-failed.rules
new file mode 100644
index 000000000..6aca1b943
--- /dev/null
+++ b/tests/shared/audit/30-ospp-v42-1-create-failed.rules
@@ -0,0 +1,13 @@
+## Unsuccessful file creation (open with O_CREAT)
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
diff --git a/tests/shared/audit/30-ospp-v42-1-create-success.rules b/tests/shared/audit/30-ospp-v42-1-create-success.rules
new file mode 100644
index 000000000..4141e3c60
--- /dev/null
+++ b/tests/shared/audit/30-ospp-v42-1-create-success.rules
@@ -0,0 +1,7 @@
+## Successful file creation (open with O_CREAT)
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
+-a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
+-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
+-a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
+-a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
diff --git a/tests/shared/audit/30-ospp-v42-2-modify-failed.rules b/tests/shared/audit/30-ospp-v42-2-modify-failed.rules
new file mode 100644
index 000000000..ffe5bfd61
--- /dev/null
+++ b/tests/shared/audit/30-ospp-v42-2-modify-failed.rules
@@ -0,0 +1,13 @@
+## Unsuccessful file modifications (open for write or truncate)
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
diff --git a/tests/shared/audit/30-ospp-v42-2-modify-success.rules b/tests/shared/audit/30-ospp-v42-2-modify-success.rules
new file mode 100644
index 000000000..5617e018a
--- /dev/null
+++ b/tests/shared/audit/30-ospp-v42-2-modify-success.rules
@@ -0,0 +1,7 @@
+## Successful file modifications (open for write or truncate)
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
+-a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
+-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
+-a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
+-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
diff --git a/tests/shared/audit/30-ospp-v42-3-access-failed.rules b/tests/shared/audit/30-ospp-v42-3-access-failed.rules
new file mode 100644
index 000000000..a5aad3a95
--- /dev/null
+++ b/tests/shared/audit/30-ospp-v42-3-access-failed.rules
@@ -0,0 +1,5 @@
+## Unsuccessful file access (any other opens) This has to go last.
+-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
+-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
+-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
+-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
diff --git a/tests/shared/audit/30-ospp-v42-3-access-success.rules b/tests/shared/audit/30-ospp-v42-3-access-success.rules
new file mode 100644
index 000000000..0c8a6b657
--- /dev/null
+++ b/tests/shared/audit/30-ospp-v42-3-access-success.rules
@@ -0,0 +1,4 @@
+## Successful file access (any other opens) This has to go last.
+## These next two are likely to result in a whole lot of events
+-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
+-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
diff --git a/tests/shared/audit/30-ospp-v42-4-delete-failed.rules b/tests/shared/audit/30-ospp-v42-4-delete-failed.rules
new file mode 100644
index 000000000..946c9cc17
--- /dev/null
+++ b/tests/shared/audit/30-ospp-v42-4-delete-failed.rules
@@ -0,0 +1,5 @@
+## Unsuccessful file delete
+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
diff --git a/tests/shared/audit/30-ospp-v42-4-delete-success.rules b/tests/shared/audit/30-ospp-v42-4-delete-success.rules
new file mode 100644
index 000000000..7955cdf85
--- /dev/null
+++ b/tests/shared/audit/30-ospp-v42-4-delete-success.rules
@@ -0,0 +1,3 @@
+## Successful file delete
+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
diff --git a/tests/shared/audit/30-ospp-v42-5-perm-change-failed.rules b/tests/shared/audit/30-ospp-v42-5-perm-change-failed.rules
new file mode 100644
index 000000000..49b9299d5
--- /dev/null
+++ b/tests/shared/audit/30-ospp-v42-5-perm-change-failed.rules
@@ -0,0 +1,5 @@
+## Unsuccessful permission change
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
diff --git a/tests/shared/audit/30-ospp-v42-5-perm-change-success.rules b/tests/shared/audit/30-ospp-v42-5-perm-change-success.rules
new file mode 100644
index 000000000..52cbac873
--- /dev/null
+++ b/tests/shared/audit/30-ospp-v42-5-perm-change-success.rules
@@ -0,0 +1,3 @@
+## Successful permission change
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
diff --git a/tests/shared/audit/30-ospp-v42-6-owner-change-failed.rules b/tests/shared/audit/30-ospp-v42-6-owner-change-failed.rules
new file mode 100644
index 000000000..44e7148c2
--- /dev/null
+++ b/tests/shared/audit/30-ospp-v42-6-owner-change-failed.rules
@@ -0,0 +1,5 @@
+## Unsuccessful ownership change
+-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
+-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
+-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
+-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
diff --git a/tests/shared/audit/30-ospp-v42-6-owner-change-success.rules b/tests/shared/audit/30-ospp-v42-6-owner-change-success.rules
new file mode 100644
index 000000000..056b706fc
--- /dev/null
+++ b/tests/shared/audit/30-ospp-v42-6-owner-change-success.rules
@@ -0,0 +1,3 @@
+## Successful ownership change
+-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
+-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
diff --git a/tests/shared/audit/30-ospp-v42.rules b/tests/shared/audit/30-ospp-v42.rules
new file mode 100644
index 000000000..3dced1725
--- /dev/null
+++ b/tests/shared/audit/30-ospp-v42.rules
@@ -0,0 +1,80 @@
+## The purpose of these rules is to meet the requirements for Operating
+## System Protection Profile (OSPP)v4.2. These rules depends on having
+## the following rule files copied to /etc/audit/rules.d:
+##
+## 10-base-config.rules, 11-loginuid.rules,
+## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules,
+## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules,
+## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules,
+## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules,
+## 30-ospp-v42-5-perm-change-failed.rules,
+## 30-ospp-v42-5-perm-change-success.rules,
+## 30-ospp-v42-6-owner-change-failed.rules,
+## 30-ospp-v42-6-owner-change-success.rules
+##
+## original copies may be found in /usr/share/audit/sample-rules/
+
+
+## User add delete modify. This is covered by pam. However, someone could
+## open a file and directly create or modify a user, so we'll watch passwd and
+## shadow for writes
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
+
+## User enable and disable. This is entirely handled by pam.
+
+## Group add delete modify. This is covered by pam. However, someone could
+## open a file and directly create or modify a user, so we'll watch group and
+## gshadow for writes
+-a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
+-a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
+
+
+## Use of special rights for config changes. This would be use of setuid
+## programs that relate to user accts. This is not all setuid apps because
+## requirements are only for ones that affect system configuration.
+-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+
+## Privilege escalation via su or sudo. This is entirely handled by pam.
+
+## Audit log access
+-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
+## Attempts to Alter Process and Session Initiation Information
+-a always,exit -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
+-a always,exit -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
+-a always,exit -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
+
+## Attempts to modify MAC controls
+-a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy
+
+## Software updates. This is entirely handled by rpm.
+
+## System start and shutdown. This is entirely handled by systemd
+
+## Kernel Module loading. This is handled in 43-module-load.rules
+
+## Application invocation. The requirements list an optional requirement
+## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to
+## state results from that policy. This would be handled entirely by
+## that daemon.
+
diff --git a/tests/shared/audit/43-module-load.rules b/tests/shared/audit/43-module-load.rules
new file mode 100644
index 000000000..890750744
--- /dev/null
+++ b/tests/shared/audit/43-module-load.rules
@@ -0,0 +1,6 @@
+## These rules watch for kernel module insertion. By monitoring
+## the syscall, we do not need any watches on programs.
+-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
+-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
+-a always,exit -F arch=b32 -S delete_module -F key=module-unload
+-a always,exit -F arch=b64 -S delete_module -F key=module-unload
--
2.21.1