ComplianceAsCode · jan-cerny · Mar 18, 2025 · Mar 19, 2025 · Mar 19, 2025 · Mar 19, 2025
diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md
@@ -52,17 +52,6 @@
 
 -   Languages: Ansible, Bash, OVAL
 
-#### audit_rules_login_events
--   Checks if there are Audit rules that record attempts to alter logon
-    and logout events.
-
--   Parameters:
-
-    -   **path** - value of `-w` in the Audit rule, eg.
-        `/var/run/faillock`
-
--   Languages: Ansible, Bash, OVAL, Kubernetes
-
 #### audit_rules_path_syscall
 -   Check if there are Audit rules to record events that modify
     user/group information via a syscall on a specific file.
@@ -174,13 +163,17 @@
 
 #### audit_rules_watch
 -   Check if there are file system watches configured in audit rules for the given path.
+    Supports both legacy and modern watch style.
+    The style used is selected by the `audit_watches_style` product property.
 
 -   Parameters:
 
     -   **path** - path that should be part of the audit watch rule as a value
-        of `-w` argument, eg. `/etc/group`.
+        of `-w` (legacy) or the `-F path=` (modern) argument, eg. `/etc/group`.
+    -   **key** - The key in the the audit rules that is a part of `-k` (legacy) or `-F key` (modern). If this parameter isn't specified the rule ID is used as a key.
+    -   **path_is_variable** - whether the `path` argument isn't a path but it's an XCCDF Value name
 
--   Languages: Ansible, Bash, OVAL
+-   Languages: Ansible, Bash, Kubernetes, OVAL
 
 
 #### argument_value_in_line

diff --git a/...ting/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml b/...ting/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml
@@ -10,12 +10,22 @@ description: |-
     default), add the following lines to a file with suffix <tt>.rules</tt> in the
     directory <tt>/etc/audit/rules.d</tt> in order to watch for attempted manual
     edits of files involved in storing logon events:
+{{% if audit_watches_style == "modern" %}}
+    <pre>-a always,exit -F arch=b32 -F path={{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}} -F perm=wa -F key=logins
+    -a always,exit -F arch=b64 -F path={{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}} -F perm=wa -F key=logins</pre>
+{{% else %}}
     <pre>-w {{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}} -p wa -k logins</pre>
+{{% endif %}}
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add the following lines to
     <tt>/etc/audit/audit.rules</tt> file in order to watch for unattempted manual
     edits of files involved in storing logon events:
+{{% if audit_watches_style == "modern" %}}
+    <pre>-a always,exit -F arch=b32 -F path={{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}} -F perm=wa -F key=logins
+    -a always,exit -F arch=b64 -F path={{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}} -F perm=wa -F key=logins</pre>
+{{% else %}}
     <pre>-w {{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}} -p wa -k logins</pre>
+{{% endif %}}
 
 rationale: |-
     Manual editing of these files may indicate nefarious activity, such
@@ -57,14 +67,19 @@ ocil: |-
     Verify {{{ full_name }}} generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command:
 
     $ sudo auditctl -l | grep {{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}}
-
+{{% if audit_watches_style == "modern" %}}
+    -a always,exit -F arch=b32 -F path={{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}} -F perm=wa -F key=logins
+    -a always,exit -F arch=b64 -F path={{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}} -F perm=wa -F key=logins
+{{% else %}}
     -w {{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}} -p wa -k logins
+{{% endif %}}
 
 template:
-    name: audit_rules_login_events
+    name: audit_rules_watch
     vars:
         path: var_accounts_passwords_pam_faillock_dir
         path_is_variable: "true"
+        key: logins
 
 
 fixtext: |-

diff --git a/...rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct.pass.sh b/...rules/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct.pass.sh
@@ -1,8 +1,10 @@
 #!/bin/bash
 # packages = audit
 # platform = multi_platform_all
+# variables = var_accounts_passwords_pam_faillock_dir=/var/log/faillock
 
 {{{ setup_auditctl_environment() }}}
 
 path="/var/log/faillock"
-. $SHARED/audit_rules_login_events/auditctl_correct.pass.sh
+style="{{{ audit_watches_style }}}"
+. $SHARED/audit_rules_watch/auditctl_correct.pass.sh
diff --git a/...s/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct_cis.pass.sh b/...s/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_correct_cis.pass.sh
@@ -1,9 +1,10 @@
 #!/bin/bash
 # packages = audit
 # platform = multi_platform_rhel
-# profiles = xccdf_org.ssgproject.content_profile_cis
+# variables = var_accounts_passwords_pam_faillock_dir=/var/run/faillock
 
 {{{ setup_auditctl_environment() }}}
 
 path="/var/run/faillock"
-. $SHARED/audit_rules_login_events/auditctl_correct.pass.sh
+style="{{{ audit_watches_style }}}"
+. $SHARED/audit_rules_watch/auditctl_correct.pass.sh
diff --git a/..._events/audit_rules_login_events_faillock/tests/auditctl_correct_extra_permission.pass.sh b/..._events/audit_rules_login_events_faillock/tests/auditctl_correct_extra_permission.pass.sh
@@ -1,8 +1,10 @@
 #!/bin/bash
 # packages = audit
 # platform = multi_platform_all
+# variables = var_accounts_passwords_pam_faillock_dir=/var/log/faillock
 
 {{{ setup_auditctl_environment() }}}
 
 path="/var/log/faillock"
-. $SHARED/audit_rules_login_events/auditctl_correct_extra_permission.pass.sh
+style="{{{ audit_watches_style }}}"
+. $SHARED/audit_rules_watch/auditctl_correct_extra_permission.pass.sh
diff --git a/...nts/audit_rules_login_events_faillock/tests/auditctl_correct_extra_permission_cis.pass.sh b/...nts/audit_rules_login_events_faillock/tests/auditctl_correct_extra_permission_cis.pass.sh
@@ -1,9 +1,10 @@
 #!/bin/bash
 # packages = audit
 # platform = multi_platform_rhel
-# profiles = xccdf_org.ssgproject.content_profile_cis
+# variables = var_accounts_passwords_pam_faillock_dir=/var/run/faillock
 
 {{{ setup_auditctl_environment() }}}
 
 path="/var/run/faillock"
-. $SHARED/audit_rules_login_events/auditctl_correct_extra_permission.pass.sh
+style="{{{ audit_watches_style }}}"
+. $SHARED/audit_rules_watch/auditctl_correct_extra_permission.pass.sh
diff --git a/...login_events/audit_rules_login_events_faillock/tests/auditctl_correct_without_key.pass.sh b/...login_events/audit_rules_login_events_faillock/tests/auditctl_correct_without_key.pass.sh
@@ -1,8 +1,10 @@
 #!/bin/bash
 # packages = audit
 # platform = multi_platform_all
+# variables = var_accounts_passwords_pam_faillock_dir=/var/log/faillock
 
 {{{ setup_auditctl_environment() }}}
 
 path="/var/log/faillock"
-. $SHARED/audit_rules_login_events/auditctl_correct_without_key.pass.sh
+style="{{{ audit_watches_style }}}"
+. $SHARED/audit_rules_watch/auditctl_correct_without_key.pass.sh
diff --git a/...n_events/audit_rules_login_events_faillock/tests/auditctl_correct_without_key_cis.pass.sh b/...n_events/audit_rules_login_events_faillock/tests/auditctl_correct_without_key_cis.pass.sh
@@ -1,9 +1,10 @@
 #!/bin/bash
 # packages = audit
 # platform = multi_platform_rhel
-# profiles = xccdf_org.ssgproject.content_profile_cis
+# variables = var_accounts_passwords_pam_faillock_dir=/var/run/faillock
 
 {{{ setup_auditctl_environment() }}}
 
 path="/var/run/faillock"
-. $SHARED/audit_rules_login_events/auditctl_correct_without_key.pass.sh
+style="{{{ audit_watches_style }}}"
+. $SHARED/audit_rules_watch/auditctl_correct_without_key.pass.sh
diff --git a/...it_login_events/audit_rules_login_events_faillock/tests/auditctl_remove_all_rules.fail.sh b/...it_login_events/audit_rules_login_events_faillock/tests/auditctl_remove_all_rules.fail.sh
@@ -4,4 +4,4 @@
 
 {{{ setup_auditctl_environment() }}}
 
-. $SHARED/audit_rules_login_events/auditctl_remove_all_rules.fail.sh
+. $SHARED/audit_rules_watch/auditctl_remove_all_rules.fail.sh
diff --git a/...ogin_events/audit_rules_login_events_faillock/tests/auditctl_remove_all_rules_cis.fail.sh b/...ogin_events/audit_rules_login_events_faillock/tests/auditctl_remove_all_rules_cis.fail.sh
@@ -1,9 +1,10 @@
 #!/bin/bash
 # packages = audit
 # platform = multi_platform_rhel
-# profiles = xccdf_org.ssgproject.content_profile_cis
+# variables = var_accounts_passwords_pam_faillock_dir=/var/run/faillock
 
 {{{ setup_auditctl_environment() }}}
 
 path="/var/run/faillock"
-. $SHARED/audit_rules_login_events/auditctl_remove_all_rules.fail.sh
+style="{{{ audit_watches_style }}}"
+. $SHARED/audit_rules_watch/auditctl_remove_all_rules.fail.sh
diff --git a/...es/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_wrong_rule.fail.sh b/...es/audit_login_events/audit_rules_login_events_faillock/tests/auditctl_wrong_rule.fail.sh
@@ -1,8 +1,10 @@
 #!/bin/bash
 # packages = audit
 # platform = multi_platform_all
+# variables = var_accounts_passwords_pam_faillock_dir=/var/log/faillock
 
 {{{ setup_auditctl_environment() }}}
 
 path="/var/log/faillock"
-. $SHARED/audit_rules_login_events/auditctl_wrong_rule.fail.sh
+style="{{{ audit_watches_style }}}"
+. $SHARED/audit_rules_watch/auditctl_wrong_rule.fail.sh
diff --git a/...udit_login_events/audit_rules_login_events_faillock/tests/auditctl_wrong_rule_cis.fail.sh b/...udit_login_events/audit_rules_login_events_faillock/tests/auditctl_wrong_rule_cis.fail.sh
@@ -1,9 +1,10 @@
 #!/bin/bash
 # packages = audit
 # platform = multi_platform_rhel
-# profiles = xccdf_org.ssgproject.content_profile_cis
+# variables = var_accounts_passwords_pam_faillock_dir=/var/run/faillock
 
 {{{ setup_auditctl_environment() }}}
 
 path="/var/run/faillock"
-. $SHARED/audit_rules_login_events/auditctl_wrong_rule.fail.sh
+style="{{{ audit_watches_style }}}"
+. $SHARED/audit_rules_watch/auditctl_wrong_rule.fail.sh
diff --git a/...in_events/audit_rules_login_events_faillock/tests/auditctl_wrong_rule_without_key.fail.sh b/...in_events/audit_rules_login_events_faillock/tests/auditctl_wrong_rule_without_key.fail.sh
@@ -1,8 +1,10 @@
 #!/bin/bash
 # packages = audit
 # platform = multi_platform_all
+# variables = var_accounts_passwords_pam_faillock_dir=/var/log/faillock
 
 {{{ setup_auditctl_environment() }}}
 
 path="/var/log/faillock"
-. $SHARED/audit_rules_login_events/auditctl_wrong_rule_without_key.fail.sh
+style="{{{ audit_watches_style }}}"
+. $SHARED/audit_rules_watch/auditctl_wrong_rule_without_key.fail.sh
diff --git a/...vents/audit_rules_login_events_faillock/tests/auditctl_wrong_rule_without_key_cis.fail.sh b/...vents/audit_rules_login_events_faillock/tests/auditctl_wrong_rule_without_key_cis.fail.sh
@@ -1,9 +1,10 @@
 #!/bin/bash
 # packages = audit
 # platform = multi_platform_rhel
-# profiles = xccdf_org.ssgproject.content_profile_cis
+# variables = var_accounts_passwords_pam_faillock_dir=/var/run/faillock
 
 {{{ setup_auditctl_environment() }}}
 
 path="/var/run/faillock"
-. $SHARED/audit_rules_login_events/auditctl_wrong_rule_without_key.fail.sh
+style="{{{ audit_watches_style }}}"
+. $SHARED/audit_rules_watch/auditctl_wrong_rule_without_key.fail.sh
diff --git a/...les/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct.pass.sh b/...les/audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct.pass.sh
@@ -1,6 +1,8 @@
 #!/bin/bash
 # packages = audit
 # platform = multi_platform_all
+# variables = var_accounts_passwords_pam_faillock_dir=/var/log/faillock
 
 path="/var/log/faillock"
-. $SHARED/audit_rules_login_events/augenrules_correct.pass.sh
+style="{{{ audit_watches_style }}}"
+. $SHARED/audit_rules_watch/augenrules_correct.pass.sh
diff --git a/...audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct_cis.pass.sh b/...audit_login_events/audit_rules_login_events_faillock/tests/augenrules_correct_cis.pass.sh
@@ -1,7 +1,8 @@
 #!/bin/bash
 # packages = audit
 # platform = multi_platform_rhel
-# profiles = xccdf_org.ssgproject.content_profile_cis
+# variables = var_accounts_passwords_pam_faillock_dir=/var/run/faillock
 
 path="/var/run/faillock"
-. $SHARED/audit_rules_login_events/augenrules_correct.pass.sh
+style="{{{ audit_watches_style }}}"
+. $SHARED/audit_rules_watch/augenrules_correct.pass.sh
diff --git a/...vents/audit_rules_login_events_faillock/tests/augenrules_correct_extra_permission.pass.sh b/...vents/audit_rules_login_events_faillock/tests/augenrules_correct_extra_permission.pass.sh
@@ -1,6 +1,8 @@
 #!/bin/bash
 # packages = audit
 # platform = multi_platform_all
+# variables = var_accounts_passwords_pam_faillock_dir=/var/log/faillock
 
 path="/var/log/faillock"
-. $SHARED/audit_rules_login_events/augenrules_correct_extra_permission.pass.sh
+style="{{{ audit_watches_style }}}"
+. $SHARED/audit_rules_watch/augenrules_correct_extra_permission.pass.sh
diff --git a/...s/audit_rules_login_events_faillock/tests/augenrules_correct_extra_permission_cis.pass.sh b/...s/audit_rules_login_events_faillock/tests/augenrules_correct_extra_permission_cis.pass.sh
@@ -1,7 +1,8 @@
 #!/bin/bash
 # packages = audit
 # platform = multi_platform_rhel
-# profiles = xccdf_org.ssgproject.content_profile_cis
+# variables = var_accounts_passwords_pam_faillock_dir=/var/run/faillock
 
 path="/var/run/faillock"
-. $SHARED/audit_rules_login_events/augenrules_correct_extra_permission.pass.sh
+style="{{{ audit_watches_style }}}"
+. $SHARED/audit_rules_watch/augenrules_correct_extra_permission.pass.sh
diff --git a/...gin_events/audit_rules_login_events_faillock/tests/augenrules_correct_without_key.pass.sh b/...gin_events/audit_rules_login_events_faillock/tests/augenrules_correct_without_key.pass.sh
@@ -1,6 +1,8 @@
 #!/bin/bash
 # packages = audit
 # platform = multi_platform_all
+# variables = var_accounts_passwords_pam_faillock_dir=/var/log/faillock
 
 path="/var/log/faillock"
-. $SHARED/audit_rules_login_events/augenrules_correct_without_key.pass.sh
+style="{{{ audit_watches_style }}}"
+. $SHARED/audit_rules_watch/augenrules_correct_without_key.pass.sh
diff --git a/...events/audit_rules_login_events_faillock/tests/augenrules_correct_without_key_cis.pass.sh b/...events/audit_rules_login_events_faillock/tests/augenrules_correct_without_key_cis.pass.sh
@@ -1,7 +1,8 @@
 #!/bin/bash
 # packages = audit
 # platform = multi_platform_rhel
-# profiles = xccdf_org.ssgproject.content_profile_cis
+# variables = var_accounts_passwords_pam_faillock_dir=/var/run/faillock
 
 path="/var/run/faillock"
-. $SHARED/audit_rules_login_events/augenrules_correct_without_key.pass.sh
+style="{{{ audit_watches_style }}}"
+. $SHARED/audit_rules_watch/augenrules_correct_without_key.pass.sh
diff --git a/..._login_events/audit_rules_login_events_faillock/tests/augenrules_remove_all_rules.fail.sh b/..._login_events/audit_rules_login_events_faillock/tests/augenrules_remove_all_rules.fail.sh
@@ -2,4 +2,4 @@
 # packages = audit
 # platform = multi_platform_all
 
-. $SHARED/audit_rules_login_events/augenrules_remove_all_rules.fail.sh
+. $SHARED/audit_rules_watch/augenrules_remove_all_rules.fail.sh
diff --git a/...in_events/audit_rules_login_events_faillock/tests/augenrules_remove_all_rules_cis.fail.sh b/...in_events/audit_rules_login_events_faillock/tests/augenrules_remove_all_rules_cis.fail.sh
@@ -1,7 +1,8 @@
 #!/bin/bash
 # packages = audit
 # platform = multi_platform_rhel
-# profiles = xccdf_org.ssgproject.content_profile_cis
+# variables = var_accounts_passwords_pam_faillock_dir=/var/run/faillock
 
 path="/var/run/faillock"
-. $SHARED/audit_rules_login_events/augenrules_remove_all_rules.fail.sh
+style="{{{ audit_watches_style }}}"
+. $SHARED/audit_rules_watch/augenrules_remove_all_rules.fail.sh
diff --git a/.../audit_login_events/audit_rules_login_events_faillock/tests/augenrules_wrong_rule.fail.sh b/.../audit_login_events/audit_rules_login_events_faillock/tests/augenrules_wrong_rule.fail.sh
@@ -1,6 +1,8 @@
 #!/bin/bash
 # packages = audit
 # platform = multi_platform_all
+# variables = var_accounts_passwords_pam_faillock_dir=/var/log/faillock
 
 path="/var/log/faillock"
-. $SHARED/audit_rules_login_events/augenrules_wrong_rule.fail.sh
+style="{{{ audit_watches_style }}}"
+. $SHARED/audit_rules_watch/augenrules_wrong_rule.fail.sh
diff --git a/...it_login_events/audit_rules_login_events_faillock/tests/augenrules_wrong_rule_cis.fail.sh b/...it_login_events/audit_rules_login_events_faillock/tests/augenrules_wrong_rule_cis.fail.sh
@@ -1,7 +1,8 @@
 #!/bin/bash
 # packages = audit
 # platform = multi_platform_rhel
-# profiles = xccdf_org.ssgproject.content_profile_cis
+# variables = var_accounts_passwords_pam_faillock_dir=/var/run/faillock
 
 path="/var/run/faillock"
-. $SHARED/audit_rules_login_events/augenrules_wrong_rule.fail.sh
+style="{{{ audit_watches_style }}}"
+. $SHARED/audit_rules_watch/augenrules_wrong_rule.fail.sh
diff --git a/..._events/audit_rules_login_events_faillock/tests/augenrules_wrong_rule_without_key.fail.sh b/..._events/audit_rules_login_events_faillock/tests/augenrules_wrong_rule_without_key.fail.sh
@@ -1,6 +1,8 @@
 #!/bin/bash
 # packages = audit
 # platform = multi_platform_all
+# variables = var_accounts_passwords_pam_faillock_dir=/var/log/faillock
 
 path="/var/log/faillock"
-. $SHARED/audit_rules_login_events/augenrules_wrong_rule_without_key.fail.sh
+style="{{{ audit_watches_style }}}"
+. $SHARED/audit_rules_watch/augenrules_wrong_rule_without_key.fail.sh
diff --git a/...nts/audit_rules_login_events_faillock/tests/augenrules_wrong_rule_without_key_cis.fail.sh b/...nts/audit_rules_login_events_faillock/tests/augenrules_wrong_rule_without_key_cis.fail.sh
@@ -1,7 +1,8 @@
 #!/bin/bash
 # packages = audit
 # platform = multi_platform_rhel
-# profiles = xccdf_org.ssgproject.content_profile_cis
+# variables = var_accounts_passwords_pam_faillock_dir=/var/run/faillock
 
 path="/var/run/faillock"
-. $SHARED/audit_rules_login_events/augenrules_wrong_rule_without_key.fail.sh
+style="{{{ audit_watches_style }}}"
+. $SHARED/audit_rules_watch/augenrules_wrong_rule_without_key.fail.sh
diff --git a/...iting/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillog/rule.yml b/...iting/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillog/rule.yml
@@ -51,6 +51,7 @@ ocil: |-
     # sudo systemctl restart auditd.service
 
 template:
-    name: audit_rules_login_events
+    name: audit_rules_watch
     vars:
         path: /var/log/faillog
+        key: logins
diff --git a/...onfigure_rules/audit_login_events/audit_rules_login_events_lastlog/policy/stig/shared.yml b/...onfigure_rules/audit_login_events/audit_rules_login_events_lastlog/policy/stig/shared.yml
@@ -8,17 +8,25 @@ checktext: |-
     Verify {{{ full_name }}} generates audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/lastlog" with the following command:
 
     $ sudo auditctl -l | grep /var/log/lastlog
-
+{{% if audit_watches_style == "modern" %}}
+    -a always,exit -F arch=b32 -F path=/var/log/lastlog -F perm=wa -F key=logins
+    -a always,exit -F arch=b64 -F path=/var/log/lastlog -F perm=wa -F key=logins
+{{% else %}}
     -w /var/log/lastlog -p wa -k logins
+{{% endif %}}
 
     If the command does not return a line, or the line is commented out, this is a finding.
 
 fixtext: |-
     Configure {{{ full_name }}} to generate audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/lastlog".
 
     Add or update the following file system rule to "/etc/audit/rules.d/audit.rules":
-
+{{% if audit_watches_style == "modern" %}}
+    -a always,exit -F arch=b32 -F path=/var/log/lastlog -F perm=wa -F key=logins
+    -a always,exit -F arch=b64 -F path=/var/log/lastlog -F perm=wa -F key=logins
+{{% else %}}
     -w /var/log/lastlog -p wa -k logins
+{{% endif %}}
 
     The audit daemon must be restarted for the changes to take effect.
Original file line number	Diff line number	Diff line change
		@@ -4,4 +4,4 @@

		{{{ setup_auditctl_environment() }}}

		. $SHARED/audit_rules_login_events/auditctl_remove_all_rules.fail.sh
		. $SHARED/audit_rules_watch/auditctl_remove_all_rules.fail.sh