query_module audit syscall is not part of the right grouping /scanning/audit-rules-syscalls-grouping #14055

@ggbecker

Description

Description of problem:

It seems that after we merged #14024 the remediation is not embedding the audit line correctly into the right group of syscalls.

I believe we need to add the syscall_grouping attribute to the rules that are using this new template and propagate this to the ansible and bash template code, for example:

https://github.com/ComplianceAsCode/content/blob/master/shared/templates/audit_rules_kernel_module_loading/ansible.template#L41

There are two occurrences in this file; look at the bash template as well.

There probably needs to be a Python preprocessing step for this template, similar to the one in https://github.com/ComplianceAsCode/content/blob/master/shared/templates/audit_rules_file_deletion_events/template.py

This is the resulting audit file:

-a always,exit -F arch=b32 -S init_module,delete_module,finit_module -F auid>=1000 -F auid!=-1 -F key=modules
-a always,exit -F arch=b64 -S init_module,delete_module,finit_module -F auid>=1000 -F auid!=-1 -F key=modules
-a always,exit -F arch=b32 -S create_module -F auid>=1000 -F auid!=-1 -F key=modules
-a always,exit -F arch=b64 -S create_module -F auid>=1000 -F auid!=-1 -F key=modules
-a always,exit -F arch=b32 -S query_module -F auid>=1000 -F auid!=-1 -F key=modules
-a always,exit -F arch=b64 -S query_module -F auid>=1000 -F auid!=-1 -F key=modules

The output of contest:

2025-10-28 10:15:14 test.py:89: verify_syscalls_grouped_in_audit_rules:51: Searching for audit syscalls group: init_module,delete_module,query_module,finit_module
2025-10-28 10:15:14 test.py:89: verify_syscalls_grouped_in_audit_rules:52: Matching audit rules:
2025-10-28 10:15:14 test.py:89: verify_syscalls_grouped_in_audit_rules:65: No matching audit rules found!
2025-10-28 10:15:14 test.py:92: lib.results.report_plain:238: FAIL init_module,delete_module,query_module,finit_module

Here is the contest code for this test: https://github.com/RHSecurityCompliance/contest/blob/main/scanning/audit-rules-syscalls-grouping/test.py#L9

Double check if the create_module syscall should also be part of the same group (modules)

SCAP Security Guide Version:

473e9e9

Operating System Version:

RHEL8/9/10

Expected Results:

At least the query_module line should be embedded into the line -a always,exit -F arch=b64 -S init_module,delete_module,finit_module -F auid>=1000 -F auid!=-1 -F key=modules
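As an added example (not part of this issue or of the ComplianceAsCode/contest code), the script below parses the auditctl lines quoted above, merges rules that share action, arch and filters into a single -S list per arch (the output the remediation is expected to produce), and runs a contest-style check that the whole modules group lands on one line. The function names and the MODULES_GROUP constant are this example's own.

```python
# Added example (not ComplianceAsCode code): parse auditctl lines, merge rules
# that share action, arch and filters into one -S list, and check grouping
# the way the contest test does. Function names are this example's own.
# Constructed sample: the audit file quoted in the issue, with query_module
# on its own lines instead of inside the modules group.
SAMPLE_RULES = """\
-a always,exit -F arch=b32 -S init_module,delete_module,finit_module -F auid>=1000 -F auid!=-1 -F key=modules
-a always,exit -F arch=b64 -S init_module,delete_module,finit_module -F auid>=1000 -F auid!=-1 -F key=modules
-a always,exit -F arch=b32 -S query_module -F auid>=1000 -F auid!=-1 -F key=modules
-a always,exit -F arch=b64 -S query_module -F auid>=1000 -F auid!=-1 -F key=modules
"""
MODULES_GROUP = ["init_module", "delete_module", "query_module", "finit_module"]

def parse_rule(line):
    """Return (action, arch, syscalls, filters) for one auditctl rule line."""
    toks = line.split()
    action, arch, syscalls, filters = None, None, [], []
    for flag, val in zip(toks[::2], toks[1::2]):
        if flag == "-a":
            action = val
        elif flag == "-S":
            syscalls.extend(val.split(","))
        elif flag == "-F" and val.startswith("arch="):
            arch = val
        elif flag == "-F":
            filters.append(val)  # auid/key filters, order preserved
    return action, arch, syscalls, tuple(filters)

def group_syscalls(text):
    """Merge rules that differ only in -S into one line per (action, arch, filters)."""
    merged = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        action, arch, syscalls, filters = parse_rule(line)
        bucket = merged.setdefault((action, arch, filters), [])
        for call in syscalls:
            if call not in bucket:
                bucket.append(call)
    return ["-a %s -F %s -S %s %s" % (a, arch, ",".join(calls),
                                      " ".join("-F " + f for f in filters))
            for (a, arch, filters), calls in merged.items()]

def verify_group(lines, group):
    """Contest-style check: arch -> rule line whose -S list holds the whole group."""
    found = {}
    for line in lines:
        if line.strip():
            _, arch, syscalls, _ = parse_rule(line)
            if set(group) <= set(syscalls):
                found[arch] = line
    return found
```

Running verify_group on the quoted file returns an empty mapping (the FAIL seen in contest), while running it on the output of group_syscalls finds one merged line for each of arch=b32 and arch=b64.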

Metadata

Labels

productization-issue: Issue found in upstream stabilization process.
