Linux: Auditd Rule (v2)
Description
The Linux: Auditd Rule (v2) test is used to check the contents of audit configuration and audit log files by looking at individual blocks of text.
The textfilecontent54_object element is used by a textfilecontent54_test to define the specific block(s) of text of a file(s) to be evaluated. The textfilecontent54_object will only collect regular files on UNIX systems.
The set of files to be evaluated may be identified with either a complete filepath or a path and filename. Only one of these options may be selected.
The textfilecontent54_state element contains entities that are used to check the file path and name, as well as the text block in question and the value of the subexpressions.
Technical Details
Artifact Parameters
linux.auditd_rule_v2
Name |
Type |
Description |
|---|---|---|
existence |
string |
Existence requirement. |
rule |
string |
Audit rule to check. |
- NOTE: The
existenceparameter is governed by a constraint allowing only the following values: all_exist
any_exist
at_least_one_exists
none_satisfy
none_exist
only_one_exists
Supported Test Types
Null Test
Test Type Parameters
null_test_v1
Name |
Type |
Description |
|---|---|---|
N/A |
Generated Content
null_test_v1
XCCDF+AE
This is what the AE check looks like, inside a Rule, in the XCCDF.
<xccdf:check system="https://benchmarks.cisecurity.org/ae/0.5">
<xccdf:check-content>
<ae:artifact_expression id="xccdf_org.cisecurity.benchmarks_ae_[SECTION-NUMBER]">
<ae:artifact_oval_id>[ARTIFACT-OVAL-ID]</ae:artifact_oval_id>
<ae:title>[ARTIFACT-TITLE]</ae:title>
<ae:artifact type="[ARTIFACT-TYPE-NAME]">
<ae:parameters>
<ae:parameter dt="string" name="existence">[existence.value]</ae:parameter>
<ae:parameter dt="string" name="rule">[rule.value]</ae:parameter>
</ae:parameters>
</ae:artifact>
<ae:test type="[TEST-TYPE-NAME]">
<ae:parameters />
</ae:test>
<ae:profiles>
<ae:profile idref="xccdf_org.cisecurity.benchmarks_profile_Level_2" />
</ae:profiles>
</ae:artifact_expression>
</xccdf:check-content>
</xccdf:check>
SCAP
XCCDF
For linux.auditd_rule_v2 null_test_v1 artifacts, the XCCDF check looks like this. There is no Value element in the XCCDF for this artifact.
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref
href="[BENCHMARK-TITLE]-oval.xml"
name="oval:org.cisecurity.benchmarks.[PLATFORM]:def:[ARTIFACT-OVAL-ID]" />
</check>
OVAL
Test
<textfilecontent54_test
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
id="oval:org.cisecurity.benchmarks.[PLATFORM]:tst:[ARTIFACT-OVAL-ID]"
check_existence="at_least_one_exists"
check="all"
comment="[ARTIFACT-TITLE]"
version="1">
<object object_ref="oval:org.cisecurity.benchmarks.[PLATFORM]:obj:[ARTIFACT-OVAL-ID]" />
</textfilecontent54_test>
Object
<textfilecontent54_object
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
id="oval:org.cisecurity.benchmarks.[PLATFORM]:obj:[ARTIFACT-OVAL-ID]"
comment="[ARTIFACT-TITLE]"
version="1">
<path>/etc/audit/audit.rules</path>
<filename>[filename.value]</filename>
<pattern
datatype="[datatype.value]"
operation="pattern match">
[pattern.value]
</pattern>
<instance
datatype="int"
operation="equals">
1
</instance>
</textfilecontent54_object>
State
N/A
YAML
artifact-expression:
artifact-unique-id: "[ARTIFACT-OVAL-ID]"
artifact-title: "[ARTIFACT-TITLE]"
artifact:
type: "[ARTIFACT-TYPE-NAME]"
parameters:
- parameter:
name: "existence"
dt: "string"
value: "[existence.value]"
- parameter:
name: "rule"
dt: "string"
value: "[rule.value]"
test:
type: "[TEST-TYPE-NAME]"
parameters:
JSON
{
"artifact-expression": {
"artifact-unique-id": "[ARTIFACT-OVAL-ID]",
"artifact-title": "[ARTIFACT-TITLE]",
"artifact": {
"type": "[ARTIFACT-TYPE-NAME]",
"parameters": [
{
"parameter": {
"name": "existence",
"type": "string",
"value": "[existence.value]"
}
},
{
"parameter": {
"name": "rule",
"type": "string",
"value": "[rule.value]"
}
}
]
},
"test": {
"type": "[TEST-TYPE-NAME]",
"parameters": [
]
}
}
}