Checked out audit_rules_kernel_module_loading_init

Too many disruptive changes to cherry pick.

Only in master:
- 91023c9|2023-11-02|2023-11-08 Review and update pcidss_4 requirement 10.2.1.7 [Marcus Burghardt]
- 3a89685|2023-10-31|2023-10-31 Merge pull request ComplianceAsCode#11193 from Mab879/add_rhel9_stig [GitHub]
- 2df3231|2023-10-18|2023-10-27 Copy Debian11 product to Debian12 [Paul Rensing]
- 2804dfb|2023-10-17|2023-10-18 Add rule for RHEL-09-654080 [Matthew Burket]
- 92e7882|2023-08-02|2023-09-12 Fix UBTU-20-010179 to use proper parameters and key [Dexter Le]
- c493b4d|2023-05-22|2023-07-19 SRG-APP-000504-CTR-001280: Red Hat Enterprise Linux CoreOS (RHCOS) must be configured to audit the loading and unloading of dynamic kernel modules [Jakub Hrozek]
- bdcd7c9|2023-05-22|2023-07-19 SRG-APP-000495-CTR-001235: audit records when successful/unsuccessful attempts to modify privileges occur [Jakub Hrozek]
- 29f415f|2023-05-05|2023-07-06 products/anolis23: supports Anolis OS 23 [YuQing]
- ec2bfe8|2023-05-28|2023-05-28 fix: uid_min: use it in audit auid checks, out jinja macro [Markus Linnala]
- 8fe3315|2023-04-21|2023-05-15 Update jinja conditionals that apply to any ol [Edgar Aguilar]
- 4f18ae7|2023-04-17|2023-04-18 Ensure that all files in the repo end with a newline [Matthew Burket]
- acc24a1|2023-04-11|2023-04-11 Merge pull request ComplianceAsCode#10334 from vojtapolasek/anssi_20_upstream [GitHub]
- 0c5d7b9|2023-03-30|2023-03-30 Drop Req prefix from pcidss4 reference ids [teacup-on-rockingchair]
- d6338b6|2023-03-19|2023-03-26 Extract rules from SLE15 profile to PCI-DSS v4 control file [teacup-on-rockingchair]
- 209fc25|2023-03-08|2023-03-23 add anssi references to rules [Vojtech Polasek]
- 5ae4bfd|2023-03-14|2023-03-14 Remove vmmsrg references from rules [Matthew Burket]
- e3886d4|2023-01-19|2023-01-19 Include CIS RHEL9 reference in Logging related rules [Marcus Burghardt]
- 9f273f2|2022-12-08|2022-12-14 ubuntu2204: cis_level2_server: Add cis references [Eduardo Barretto]
- 3d711c8|2022-11-30|2022-11-30 Merge pull request ComplianceAsCode#9897 from litios/master [GitHub]
- 795f076|2022-11-28|2022-11-28 Update rule tests to rely on platform_package_overrides + add needed alternatives to products [David Fernandez Gonzalez]
- 15abac6|2022-11-25|2022-11-25 Recognize all 64bit architectures in audit rules [Milan Lysonek]
- 5f2250d|2022-11-04|2022-11-07 products/anolis8: supports Anolis OS 8 [YiLin.Li]
- 2e2af47|2022-09-30|2022-10-04 Import STIG content for RHEL9 [Matthew Burket]
- e02980a|2022-09-19|2022-09-19 Remove Debian 9 from products [Matthew Burket]
- fd54c29|2022-08-31|2022-09-01 Add ol7 platform to existing required tests [Edgar Aguilar]
- 95f767a|2022-08-19|2022-08-22 Tag Ubuntu CIS reference for 22.04 [Juan Antonio Osorio]
- 7f5b811|2022-08-19|2022-08-22 Tag rules applicable to ubuntu2004 as applicable to ubuntu2204 too [Juan Antonio Osorio]
- 16e89ad|2022-08-10|2022-08-11 Add the AUID filters on audit kernel module rules [Federico Ramirez]
- a29edee|2022-08-03|2022-08-03 Add the AUID filters on audit kernel module rules [Watson Sato]
- b020fd2|2022-07-28|2022-07-30 ssg/constants.py: fix the alinux3 full name error [YiLin.Li]
- 95cfa85|2022-07-15|2022-07-15 Update RHEL8 CIS refereces for logging and auditing rules [Marcus Burghardt]
- 41ea38b|2022-07-08|2022-07-08 Remove WRLinux 1019 product [Matthew Burket]
- 1b538df|2022-05-11|2022-06-16 Update references in OL8 STIG rules [Edgar Aguilar]
- 7a25ff4|2022-04-15|2022-06-08 products/alinux2 && controls: Add CIS Alibaba Cloud Linux (Aliyun Linux) 2 profiles [YiLin.Li]
- 32c8074|2022-05-24|2022-05-26 Add fixtext and srg_requirement to audit_rules_kernel_module_loading_init [Matthew Burket]
- fa81eb1|2022-04-06|2022-04-06 Merge pull request ComplianceAsCode#8327 from Xeicker/ol08-00-030390 [GitHub]
- c0ae24e|2022-04-04|2022-04-04 Update ansible in audit_rules_kernel_module rules [Edgar Aguilar]
- de702fb|2022-04-04|2022-04-04 Update tests in audit_rules_kernel_module rules [Edgar Aguilar]
- 55f2f34|2022-03-30|2022-03-30 Update tests in audit_rules_kernel_module rules [Edgar Aguilar]
- fa8680a|2022-03-22|2022-03-22 Group init_module and finit_module audit rules. [Yavor Georgiev]
- c8b9548|2022-03-09|2022-03-10 Add auid criteria to rules required by rhel8 [Edgar Aguilar]
- a62d887|2022-03-09|2022-03-10 Add auid criteria to rule to meet OL08-00-030360 [Edgar Aguilar]
- fb60278|2022-01-20|2022-01-25 Add OL9 prodtype to rules part of standard profile [Federico Ramirez]
- f2530de|2021-11-19|2021-11-29 Add OL8 STIG IDs [Federico Ramirez]
- a59d63a|2021-11-02|2021-11-02 Run ./utils/fix_rules.py sort_prodtypes [Matthew Burket]
- f59b8db|2021-10-08|2021-10-08 Add support for Debian 11 [Marco De Donno]
- 5ad8290|2021-08-20|2021-09-08 Completed CIS Chapters 4-6 Build currently failing. [Nico Truzzolino]
- 2214054|2021-08-26|2021-08-30 Converted function calls to macro invocations; removed the old function; fixed comment in macro file [Jiri Odehnal]

Only in focal:
- 782f6c4|2021-08-31|2021-09-01 Add packages entry to auditd tests [richardmaciel-canonical]
- f44e014|2021-08-17|2021-09-01 Fix auditd tests as the package is not installed by default in Ubuntu [richardmaciel-canonical]
- 60345d7|2021-08-24|2021-08-25 Automatically add Ubuntu to existing shared fixes [Richard Maciel Costa]
- 51c80e3|2021-07-08|2021-08-25 Manually add missing disa & srg references [Richard Maciel Costa]

linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml

@@ -1,48 +1,60 @@
-# platform = multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_ol,multi_platform_ubuntu
 # reboot = false
 # complexity = low
 # disruption = low
 # strategy = configure
 
+{{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}}
+{{% set auid_filters = "-F auid>=" ~ auid ~ " -F auid!=unset" %}}
+{{% else %}}
+{{% set auid_filters = "" %}}
+{{% endif %}}
+
 # What architecture are we on?
 
 - name: Set architecture for audit init_module tasks
   set_fact:
-    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
+    audit_arch: "b64"
+  when:
+  - ansible_architecture == "aarch64" or
+    ansible_architecture == "ppc64" or
+    ansible_architecture == "ppc64le" or
+    ansible_architecture == "s390x" or
+    ansible_architecture == "x86_64"
 
-- name: Perform remediation of Audit rules for init_module for x86 platform
+- name: Perform remediation of Audit rules for init_module for 32bit platform
   block:
     {{{ ansible_audit_augenrules_add_syscall_rule(
       action_arch_filters="-a always,exit -F arch=b32",
       other_filters="",
-      auid_filters="",
+      auid_filters=auid_filters,
       syscalls=["init_module"],
       key="module-change",
       syscall_grouping=["init_module","finit_module"],
       )|indent(4) }}}
     {{{ ansible_audit_auditctl_add_syscall_rule(
       action_arch_filters="-a always,exit -F arch=b32",
       other_filters="",
-      auid_filters="",
+      auid_filters=auid_filters,
       syscalls=["init_module"],
       key="module-change",
       syscall_grouping=["init_module","finit_module"],
       )|indent(4) }}}
 
-- name: Perform remediation of Audit rules for init_module for x86_64 platform
+- name: Perform remediation of Audit rules for init_module for 64bit platform
   block:
     {{{ ansible_audit_augenrules_add_syscall_rule(
       action_arch_filters="-a always,exit -F arch=b64",
       other_filters="",
-      auid_filters="",
+      auid_filters=auid_filters,
       syscalls=["init_module"],
       key="module-change",
       syscall_grouping=["init_module","finit_module"],
       )|indent(4) }}}
     {{{ ansible_audit_auditctl_add_syscall_rule(
       action_arch_filters="-a always,exit -F arch=b64",
       other_filters="",
-      auid_filters="",
+      auid_filters=auid_filters,
       syscalls=["init_module"],
       key="module-change",
       syscall_grouping=["init_module","finit_module"],

linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/bash/shared.sh

@@ -1,8 +1,5 @@
 # platform = multi_platform_all
 
-# Include source function library.
-. /usr/share/scap-security-guide/remediation_functions
-
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system
 # Note: 32-bit and 64-bit kernel syscall numbers not always line up =>
@@ -15,11 +12,15 @@ for ARCH in "${RULE_ARCHS[@]}"
 do
 	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
 	OTHER_FILTERS=""
+	{{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}}
+	AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset"
+	{{% else %}}
 	AUID_FILTERS=""
+	{{% endif %}}
 	SYSCALL="init_module"
 	KEY="modules"
 	SYSCALL_GROUPING="init_module finit_module"
 	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
-	fix_audit_syscall_rule "augenrules" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
-	fix_audit_syscall_rule "auditctl" "$ACTION_ARCH_FILTERS" "$OTHER_FILTERS" "$AUID_FILTERS" "$SYSCALL" "$SYSCALL_GROUPING" "$KEY"
+	{{{ bash_fix_audit_syscall_rule("augenrules", "$ACTION_ARCH_FILTERS", "$OTHER_FILTERS", "$AUID_FILTERS", "$SYSCALL", "$SYSCALL_GROUPING", "$KEY") }}}
+	{{{ bash_fix_audit_syscall_rule("auditctl", "$ACTION_ARCH_FILTERS", "$OTHER_FILTERS", "$AUID_FILTERS", "$SYSCALL", "$SYSCALL_GROUPING", "$KEY") }}}
 done

linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/kubernetes/shared.yml

@@ -12,4 +12,4 @@ spec:
           source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20init_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20init_module%20-k%20module-change%0A
         mode: 0600
         path: /etc/audit/rules.d/75-kernel-module-loading-init.rules
-        overwrite: true
+        overwrite: true

linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/oval/shared.xml

@@ -36,7 +36,11 @@
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="object_32bit_ardm_init_module_augenrules" version="1">
     <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
+    {{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}}
+    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>={{{ uid_min }}}[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+    {{% else %}}
     <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+    {{% endif %}}
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
@@ -45,7 +49,11 @@
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="object_64bit_ardm_init_module_augenrules" version="1">
     <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
+    {{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}}
+    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>={{{ uid_min }}}[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+    {{% else %}}
     <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+    {{% endif %}}
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
@@ -54,7 +62,11 @@
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="object_32bit_ardm_init_module_auditctl" version="1">
     <ind:filepath>/etc/audit/audit.rules</ind:filepath>
+    {{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}}
+    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>={{{ uid_min }}}[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+    {{% else %}}
     <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+    {{% endif %}}
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
@@ -63,7 +75,11 @@
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="object_64bit_ardm_init_module_auditctl" version="1">
     <ind:filepath>/etc/audit/audit.rules</ind:filepath>
+    {{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}}
+    <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>={{{ uid_min }}}[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+    {{% else %}}
     <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
+    {{% endif %}}
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 

linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/policy/stig/shared.yml

@@ -0,0 +1,16 @@
+srg_requirement: |-
+    {{{ full_name }}} Must Provide Audit Record Generation Capability For Dod-Defined Auditable Events For All Operating System Components.
+
+vuldiscussion: |-
+    The addition of kernel modules can be used to alter the behavior of
+    the kernel and potentially introduce malicious code into kernel space. It is important
+    to have an audit trail of modules that have been introduced into the kernel.
+
+checktext: |-
+    To determine if the system is configured to audit calls to the
+     init_module  system call, run the following command:
+     $ sudo grep "init_module" /etc/audit/audit.*
+    If the system is configured to audit this activity, it will return a line.
+
+
+    If no line is returned, then this is a finding.

linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml

@@ -1,13 +1,17 @@
 documentation_complete: true
 
-prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
+prodtype: alinux2,alinux3,anolis23,anolis8,debian10,debian11,debian12,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
 
 title: 'Ensure auditd Collects Information on Kernel Module Loading - init_module'
 
 description: |-
     To capture kernel module loading events, use following line, setting ARCH to
     either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
+    {{% if "ol" in product or 'rhel' in product or 'ubuntu' in product %}}
+    <pre>-a always,exit -F arch=<i>ARCH</i> -S init_module -F auid>={{{ uid_min }}} -F auid!=unset -F key=modules</pre>
+    {{% else %}}
     <pre>-a always,exit -F arch=<i>ARCH</i> -S init_module -F key=modules</pre>
+    {{% endif %}}
 
     Place to add the line depends on a way <tt>auditd</tt> daemon is configured. If it is configured
     to use the <tt>augenrules</tt> program (the default), add the line to a file with suffix
@@ -30,14 +34,21 @@ identifiers:
     cce@rhel9: CCE-90835-0
     cce@sle12: CCE-83130-5
     cce@sle15: CCE-85750-8
+
 references:
+    anssi: BP28(R73)
     cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9
+    cis@alinux2: 4.1.17
     cis@rhel7: 4.1.16
-    cis@rhel8: 4.1.15
+    cis@rhel8: 4.1.3.19
+    cis@rhel9: 4.1.3.19
+    cis@sle12: 4.1.16
+    cis@sle15: 4.1.16
     cis@ubuntu2004: 4.1.16
+    cis@ubuntu2204: 4.1.3.19
     cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
     cui: 3.1.7
-    disa: CCI-000130,CCI-000169,CCI-000172,CCI-002884
+    disa: CCI-000130,CCI-000135,CCI-000169,CCI-000172,CCI-002884
     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
     isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
     isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
@@ -47,13 +58,19 @@ references:
     nist@sle15: AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv),MA-4(1)(a)
     ospp: FAU_GEN.1.1.c
     pcidss: Req-10.2.7
-    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
+    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222,SRG-APP-000495-CTR-001235,SRG-APP-000504-CTR-001280
     stigid@ol7: OL07-00-030820
+    stigid@ol8: OL08-00-030360
     stigid@rhel7: RHEL-07-030820
     stigid@rhel8: RHEL-08-030360
-    stigid@sle12: SLES-12-020750
-    stigid@sle15: SLES-15-030540
+    stigid@rhel9: RHEL-09-654080
+    stigid@sle12: SLES-12-020740
+    stigid@sle15: SLES-15-030530
     stigid@ubuntu2004: UBTU-20-010179
-    vmmsrg: SRG-OS-000477-VMM-001970
 
 {{{ complete_ocil_entry_audit_syscall(syscall="init_module") }}}
+
+fixtext: |-
+    {{{ fixtext_audit_rules("init_module", "module_chng") | indent(4) }}}
+
+srg_requirement: '{{{ srg_requirement_audit_command("init_module") }}}'

linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/tests/correct_rules.pass.sh

@@ -1,7 +1,10 @@
 #!/bin/bash
+# packages = audit
 
-# packages = {{{ ssgts_package("audit") }}}
-
+{{% if "ol" in product or 'rhel' in product %}}
+echo "-a always,exit -F arch=b32 -S init_module -F auid>={{{ uid_min }}} -F auid!=unset -k modules" >> /etc/audit/rules.d/modules.rules
+echo "-a always,exit -F arch=b64 -S init_module -F auid>={{{ uid_min }}} -F auid!=unset -k modules" >> /etc/audit/rules.d/modules.rules
+{{% else %}}
 echo "-a always,exit -F arch=b32 -S init_module -k modules" >> /etc/audit/rules.d/modules.rules
 echo "-a always,exit -F arch=b64 -S init_module -k modules" >> /etc/audit/rules.d/modules.rules
-
+{{% endif %}}

linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/tests/default.fail.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 # remediation = bash
-# packages = {{{ ssgts_package("audit") }}}
+# packages = audit
 
 rm -f /etc/audit/rules.d/*
 > /etc/audit/audit.rules

linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/tests/missing_auid_filter.fail.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 8
+# packages = audit
+
+rm -f /etc/audit/rules.d/*
+
+echo "-a always,exit -F arch=b32 -S init_module -k modules" >> /etc/audit/rules.d/modules.rules
+echo "-a always,exit -F arch=b64 -S init_module -k modules" >> /etc/audit/rules.d/modules.rules

linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/tests/ocp4/e2e.yml

@@ -1,3 +1,3 @@
 ---
 default_result: FAIL
-result_after_remediation: PASS
+result_after_remediation: PASS