Define a complete security baseline and monitor the baseline's rules. The baseline itself is defined in Hiera. The purpose of the module is to give the ability to set up a complete security baseline which does not necessarily have to stick to industry security guides such as the CIS benchmarks.
I am getting a fail on this rule using OpenSCAP Red Hat Enterprise Linux 8 Benchmark™, v2.0.0:

class { 'cis_security_hardening::rules::auditd_user_emulation': enforce => true, }

Result:

-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation
-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation

But it is passing if I change to this format:

-a always,exit -F arch=b32 -S execve -C euid!=uid -F auid!=unset -k user_emulation
-a always,exit -F arch=b64 -S execve -C euid!=uid -F auid!=unset -k user_emulation

Maybe it is just the way they construct their search pattern.
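The report above boils down to two rule sets that carry the same fields in a different order, one of which a scanner's pattern match rejects. The following Python script is an added example, not code from the cis_security_hardening module or from OpenSCAP: it parses each auditctl rule into an order-independent structure and compares the two sets field by field, and contrasts that with a constructed, order-sensitive regex (`STRICT_PATTERN`, an assumption built to reproduce the failure mode, not the actual OpenSCAP check). The two rule sets are embedded as constructed sample input taken from the issue text.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the two auditd rule sets quoted in the issue.
MODULE_OUTPUT = """\
-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation
-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation
"""

PASSING_FORMAT = """\
-a always,exit -F arch=b32 -S execve -C euid!=uid -F auid!=unset -k user_emulation
-a always,exit -F arch=b64 -S execve -C euid!=uid -F auid!=unset -k user_emulation
"""


@dataclass(frozen=True)
class AuditRule:
    """Order-independent view of one auditctl rule line."""
    action: str          # value of -a, e.g. "always,exit"
    syscalls: frozenset  # values of -S (comma-separated lists are split)
    filters: frozenset   # values of -F (arch=b64, auid!=unset, ...)
    compares: frozenset  # values of -C (euid!=uid, ...)
    key: str             # value of -k, or "" when no key is set


def parse_rule(line: str) -> AuditRule:
    """Parse one auditctl rule into an AuditRule; raises on unknown flags."""
    tokens = line.split()
    action, key = "", ""
    syscalls, filters, compares = set(), set(), set()
    i = 0
    while i < len(tokens):
        flag = tokens[i]
        if i + 1 >= len(tokens):
            raise ValueError(f"flag {flag!r} has no value in: {line!r}")
        value = tokens[i + 1]
        if flag == "-a":
            action = value
        elif flag == "-S":
            syscalls.update(value.split(","))
        elif flag == "-F":
            filters.add(value)
        elif flag == "-C":
            compares.add(value)
        elif flag == "-k":
            key = value
        else:
            raise ValueError(f"unsupported flag {flag!r} in: {line!r}")
        i += 2
    return AuditRule(action, frozenset(syscalls), frozenset(filters),
                     frozenset(compares), key)


def parse_rules(text: str) -> set:
    """Parse a rules file body, skipping blank lines and comments."""
    return {parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")}


def semantic_match(text_a: str, text_b: str) -> bool:
    """True when both texts define the same rules, regardless of flag order."""
    return parse_rules(text_a) == parse_rules(text_b)


# Constructed order-sensitive check (assumption, not the real OpenSCAP OVAL):
# it insists that "-S execve" appears directly after the arch filter.
STRICT_PATTERN = re.compile(
    r"^-a always,exit -F arch=b(32|64) -S execve -C euid!=uid -F auid!=unset -k \S+$"
)


def strict_match(text: str) -> bool:
    """True only when every non-empty line matches STRICT_PATTERN exactly."""
    lines = [l for l in text.splitlines() if l.strip()]
    return bool(lines) and all(STRICT_PATTERN.match(l) for l in lines)


if __name__ == "__main__":
    print("same fields, order ignored:", semantic_match(MODULE_OUTPUT, PASSING_FORMAT))
    print("module output passes strict regex:", strict_match(MODULE_OUTPUT))
    print("reordered output passes strict regex:", strict_match(PASSING_FORMAT))
```

Running the script shows `semantic_match` returning True for both rule sets while the strict regex accepts only the reordered one, which is the kind of scanner false positive the issue describes. When a benchmark check fails on a rule whose fields are all present, comparing the parsed fields like this tells you whether the baseline is actually missing something or whether only the flag order differs from what the check's pattern expects; emitting the rule in the scanner's expected order then keeps the report clean without changing what is audited.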