diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index c162bc0..b9e632c 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -11,11 +11,11 @@ {% if rhel9cis_rule_6_3_3_2 %} {% set syscalls = ["execve"] %} {% set arch_syscalls = [] %} -{% for syscall in syscalls %} +{%- for syscall in syscalls %} {% if syscall in supported_syscalls %} -{{ arch_syscalls.append( syscall) }} +{{ arch_syscalls.append(syscall) }} {% endif %} -{% endfor %} +{% endfor -%} -a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S {{ arch_syscalls|join(',') }} -k user_emulation -a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S {{ arch_syscalls|join(',') }} -k user_emulation {% endif %} @@ -26,7 +26,7 @@ {% set arch_syscalls = [] %} {% for syscall in syscalls %} {% if syscall in supported_syscalls %} -{{ arch_syscalls.append( syscall) }} +{{ arch_syscalls.append(syscall) }} {% endif %} {% endfor %} -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k time-change @@ -38,7 +38,7 @@ {% set arch_syscalls = [] %} {% for syscall in syscalls %} {% if syscall in supported_syscalls %} -{{ arch_syscalls.append( syscall) }} +{{ arch_syscalls.append(syscall) }} {% endif %} {% endfor %} -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k system-locale @@ -59,13 +59,13 @@ {% set arch_syscalls = [] %} {% for syscall in syscalls %} {% if syscall in supported_syscalls %} -{{ arch_syscalls.append( syscall) }} +{{ arch_syscalls.append(syscall) }} {% endif %} {% endfor %} --a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F exit=-EACCES -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k access --a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F exit=-EPERM -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k access --a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F exit=-EACCES -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k access --a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F exit=-EPERM -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k access +-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F exit=-EACCES -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access +-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F exit=-EPERM -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access +-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F exit=-EACCES -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access +-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F exit=-EPERM -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access {% endif %} {% if rhel9cis_rule_6_3_3_8 %} -w /etc/group -p wa -k identity @@ -82,61 +82,61 @@ {% set arch_syscalls = [] %} {% for syscall in syscalls %} {% if syscall in supported_syscalls %} -{{ arch_syscalls.append( syscall) }} +{{ arch_syscalls.append(syscall) }} {% endif %} {% endfor %} --a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k perm_mod +-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod {% set syscalls = ["chown","fchown","lchown","fchownat"] %} {% set arch_syscalls = [] %} {% for syscall in syscalls %} {% if syscall in supported_syscalls %} -{{ arch_syscalls.append( syscall) }} +{{ arch_syscalls.append(syscall) }} {% endif %} {% endfor %} --a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k perm_mod +-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod {% set syscalls = ["setxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %} {% set arch_syscalls = [] %} {% for syscall in syscalls %} {% if syscall in supported_syscalls %} -{{ arch_syscalls.append( syscall) }} +{{ arch_syscalls.append(syscall) }} {% endif %} {% endfor %} --a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k perm_mod +-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod {% set syscalls = ["chmod","fchmod","fchmodat"] %} {% set arch_syscalls = [] %} {% for syscall in syscalls %} {% if syscall in supported_syscalls %} -{{ arch_syscalls.append( syscall) }} +{{ arch_syscalls.append(syscall) }} {% endif %} {% endfor %} --a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k perm_mod +-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod {% set syscalls = ["chown","fchown","lchown","fchownat"] %} {% set arch_syscalls = [] %} {% for syscall in syscalls %} {% if syscall in supported_syscalls %} -{{ arch_syscalls.append( syscall) }} +{{ arch_syscalls.append(syscall) }} {% endif %} {% endfor %} --a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k perm_mod +-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod {% set syscalls = ["setxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %} {% set arch_syscalls = [] %} {% for syscall in syscalls %} {% if syscall in supported_syscalls %} -{{ arch_syscalls.append( syscall) }} +{{ arch_syscalls.append(syscall) }} {% endif %} {% endfor %} --a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k perm_mod +-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod {% endif %} {% if rhel9cis_rule_6_3_3_10 %} {% set syscalls = ["mount"] %} {% set arch_syscalls = [] %} {% for syscall in syscalls %} {% if syscall in supported_syscalls %} -{{ arch_syscalls.append( syscall) }} +{{ arch_syscalls.append(syscall) }} {% endif %} {% endfor %} --a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k mounts --a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k mounts +-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k mounts +-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k mounts {% endif %} {% if rhel9cis_rule_6_3_3_11 %} -w /var/run/utmp -p wa -k session @@ -155,8 +155,8 @@ {{ arch_syscalls.append( syscall) }} {% endif %} {% endfor %} --a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k delete --a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=unset -k delete +-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k delete +-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k delete {% endif %} {% if rhel9cis_rule_6_3_3_14 %} -w /etc/selinux -p wa -k MAC-policy @@ -175,7 +175,7 @@ -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k usermod {% endif %} {% if rhel9cis_rule_6_3_3_19 %} --a always,exit -F path=/usr/bin/kmod -F perm=x -F auid=>{{ prelim_min_int_uid }} -F auid!=-1 -k kernel_modules +-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k kernel_modules {% set syscalls = ["init_module","finit_module","delete_module","create_module","query_module"] %} {% set arch_syscalls = [] %} {% for syscall in syscalls %} @@ -183,7 +183,7 @@ {{ arch_syscalls.append( syscall) }} {% endif %} {% endfor %} --a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid=>{{ prelim_min_int_uid }} -F auid!=-1 -k kernel_modules +-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k kernel_modules {% endif %} {% if rhel9cis_rule_6_3_3_20 %} -e 2