mitre / canonical-ubuntu-18.04-lts-server-cis-baseline

(wip) InSpec profile for the Canonical Ubuntu 18.04 LTS CIS Benchmark

refactored 4.1 checks to better use the auditd resource #19

Closed pkaeding closed 3 years ago

pkaeding commented 3 years ago

I realized there were some bugs in the checks I created the other day, when checking for rules that monitor multiple syscalls. The check was looking for strings like `-S syscall1 -S syscall2` (which is the format when inspecting the rules files on disk), but they were failing because the `auditd.lines` resource (and `auditctl -l`) return this in the form `-S syscall1,syscall2`.

I also realized that I could make better use of the `auditd` resource and its fields, to better express the intent behind these checks and the rules they are inspecting, rather than simply comparing strings.
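The two rule formats the comment describes, and why a raw string match breaks on one of them, as an added Ruby example that is not part of this PR or of the mitre profile. It parses both forms (`-S a -S b` from a rules file, `-S a,b` as printed by `auditctl -l`) into the same structured fields and then checks the fields rather than the text; the two sample rule lines and the `access` key are constructed for illustration, and the parser is a stand-alone helper, not InSpec's `auditd` resource.

```ruby
# Added example (not part of the PR or the mitre profile): normalize the two
# textual forms an auditd rule can take so a check compares parsed fields
# instead of raw strings.
#
# Form found in a rules file on disk:  -a always,exit -F arch=b64 -S open -S openat -k access
# Form printed by `auditctl -l`:       -a always,exit -F arch=b64 -S open,openat -F key=access
#
# Both sample lines below are constructed for this example.
require 'set'

ON_DISK_RULE  = '-a always,exit -F arch=b64 -S open -S openat -S creat -k access'
AUDITCTL_RULE = '-a always,exit -F arch=b64 -S open,openat,creat -F key=access'

# Parse one auditd rule string into a hash of normalized fields.
def parse_audit_rule(line)
  rule = { action: nil, list: nil, syscalls: Set.new, fields: {}, key: nil }
  tokens = line.strip.split(/\s+/)
  i = 0
  while i < tokens.length
    flag = tokens[i]
    arg  = tokens[i + 1]
    case flag
    when '-a'
      # "-a always,exit" (or "exit,always"); split into action and list
      parts = arg.split(',')
      rule[:action] = parts.find { |p| %w[always never].include?(p) }
      rule[:list]   = (parts - [rule[:action]]).first
      i += 2
    when '-S'
      # "-S a -S b" and "-S a,b" both end up in the same set of syscalls
      arg.split(',').each { |s| rule[:syscalls] << s }
      i += 2
    when '-F'
      # auditctl -l prints the key as "-F key=NAME"; other -F fields are kept as-is
      name, value = arg.split('=', 2)
      if name == 'key'
        rule[:key] = value
      else
        rule[:fields][name] = value
      end
      i += 2
    when '-k'
      rule[:key] = arg
      i += 2
    else
      i += 1
    end
  end
  rule
end

# Structured check: does this rule watch all required syscalls (and, if given,
# the required arch and key) at exit? Works for either textual form.
def rule_monitors?(line, syscalls:, arch: nil, key: nil)
  rule = parse_audit_rule(line)
  return false unless rule[:action] == 'always' && rule[:list] == 'exit'
  return false unless Set.new(syscalls).subset?(rule[:syscalls])
  return false if arch && rule[:fields]['arch'] != arch
  return false if key && rule[:key] != key
  true
end

# The kind of raw string match the PR moves away from: it only recognizes the
# on-disk form, so it reports a false failure on auditctl -l output.
def naive_string_check(line, syscalls)
  syscalls.all? { |s| line.include?("-S #{s}") }
end
```

Running `rule_monitors?(AUDITCTL_RULE, syscalls: %w[open openat], arch: 'b64', key: 'access')` returns true while `naive_string_check(AUDITCTL_RULE, %w[open openat creat])` returns false, which is exactly the spurious failure the comment describes; the parsed hashes for the two sample lines are equal.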