Module/Rule.nxFileLine/Convert/Data.ps1

# Copyright (c) Microsoft Corporation. All rights reserved.
# Licensed under the MIT License.

<#
    This data section centralizes the regex patterns. ConvertFrom-StringData
    treats the backslash as an escape character, so every backslash is doubled
    here: a single "\s" in the final pattern is written as "\\s".
#>

<#
    Defines $regularExpression, a hashtable of named regex patterns built by
    ConvertFrom-StringData from the "key = value" lines in the here-string.
    Presumably these are applied to STIG check text by the nxFileLine rule
    conversion code - verify against the callers, which are not in this file.

    Named capture groups exposed by the patterns:
        filePath, setting, auditPath, ubuntuBanner, auditPathUbuntu,
        bannerPathUbuntu, tftpPath, rescuePath
#>
data regularExpression
{
    # The text captured here becomes the file path and expected line of a
    # configuration check, so an over- or under-match yields a wrong rule.
    #
    # NOTE(review): in nxFileLineContainsLine and nxFileLineFilePath the
    # alternation is "(sudo )*(e)*grep | more | cat", so the optional sudo
    # prefix applies only to the grep branch - confirm "sudo cat"/"sudo more"
    # lines are not expected.
    # NOTE(review): the 'setting' group of nxFileLineContainsLine accepts 1-5
    # or 7 lines before "If ... this is a finding"; there is no 6-line
    # alternative - confirm that is intentional.
    # NOTE(review): the dots in "yum.conf" and "U.S." are unescaped and match
    # any character - likely harmless, but confirm.
    ConvertFrom-StringData -StringData @'
        nxFileLineContainsLine = #\\s+(?:(?:sudo\\s)*(?:e)*grep|more|cat).*\\s+(?<filePath>(?!\\/etc\\/redhat-release)(?!\\/etc\\/issue)\\/[\\w.\\/-]*\\/[\\w.\\/-]*).*\\n(?<setting>.*\\n|.*\\n.*\\n|.*\\n.*\\n.*\\n|.*\\n.*\\n.*\\n.*\\n|.*\\n.*\\n.*\\n.*\\n.*\\n|.*\\n.*\\n.*\\n.*\\n.*\\n.*\\n.*\\n)If.*this is a finding
        nxFileLineContainsLineYumConf = #\\s+(?:grep|more|cat).*\\s+\\/etc\\/yum.conf\\s+(?<setting>.*)
        nxFileLineContainsLineAuditUbuntu = \\s*sudo\\s*aud(i)*tctl\\s*-l\\s*\\|.*\\n(?<setting>.*\\n|.*\\n.*\\n|.*\\n.*\\n.*\\n|.*\\n.*\\n.*\\n.*\\n|.*\\n.*\\n.*\\n.*\\n.*\\n)If.*this is a finding
        nxFileLineContainsLineExclude = The result must contain the following line:|If\\s+.*commented\\s+(?:out|line).*|#\\s+cat\\s+\\/etc\\/redhat-release|^The\\s+command\\s+will\\s+return\\s+the\\s+banner.*|^Check\\s+the\\s+specified\\s+banner\\s+file.*
        nxFileLineFilePathAudit = #\\s+grep.*(?<auditPath>\\/etc\\/audit\\/audit\\.rules).*
        nxFileLineFilePathUbuntuBanner = (?<ubuntuBanner>You are accessing a U.S. Government \\(USG\\) [^"]+(?<=details.))
        nxFileLineFilePathAuditUbuntu = \\s*sudo\\s*(?<auditPathUbuntu>aud(i)*tctl\\s*-l\\s*\\|)
        nxFileLineFilePathBannerUbuntu = Ubuntu.*#\\sgrep\\s-i\\sbanner\\s(?<bannerPathUbuntu>\\/[\\w.\\/-]*\\/[\\w.\\/-]*)
        nxFileLineFilePathTftp = #\\s+grep.*(?<tftpPath>\\/etc\\/xinetd\\.d\\/tftp).*
        nxFileLineFilePathRescue = #\\s+grep.*(?<rescuePath>\\/usr\\/lib\\/systemd\\/system\\/rescue\\.service).*
        nxFileLineFilePath = #\\s+(?:(?:sudo\\s)*(?:e)*grep|more|cat).*\\s+(?<filePath>(?!\\/etc\\/redhat-release)\\/[\\w.\\/-]*\\/[\\w.\\/-]*)
        nxFileLineFooterDetection = ^If\\s+.*$
'@

}

<#
    The doesNotContainPattern variable is used by Get-nxFileLineDoesNotContainPattern
#>

data doesNotContainPattern
{
    @{
        'active = yes'                                                                                                                   = '\s*active\s*=\s*no|active=yes|#\s*active\s*=.*'
        'Unattended-Upgrade::Remove-Unused-Dependencies "true";'                                                                         = '\s*Unattended-Upgrade::Remove-Unused-Dependencies\s*("false"|false|true).*|#\s*Unattended-Upgrade::Remove-Unused-Dependencies.*'
        'Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";'                                                                      = '\s*Unattended-Upgrade::Remove-Unused-Kernel-Packages\s*("false"|false|true).*|#\s*Unattended-Upgrade::Remove-Unused-Kernel-Packages.*'
        'session required pam_lastlog.so showfailed'                                                                                     = '^\s*session\s*(?!required)\w*\s*pam_lastlog\.so.*|#\s*session\s*\w*\s*pam_lastlog\.so.*|^\s*session(?:\t+|\s{2,})required(?:\t+|\s{2,})pam_lastlog\.so.*'
        'ucredit=-1'                                                                                                                     = '^#\s*ucredit.*$|^ucredit\s*=\s*(?!-1\b)\w*$'
        'ucredit = -1'                                                                                                                   = '^#\s*ucredit.*$|^ucredit\s*=\s*(?!-1\b)\w*$'
        'lcredit=-1'                                                                                                                     = '^#\s*lcredit.*$|^lcredit\s*=\s*(?!-1\b)\w*$'
        'lcredit = -1'                                                                                                                   = '^#\s*lcredit.*$|^lcredit\s*=\s*(?!-1\b)\w*$'
        'dcredit=-1'                                                                                                                     = '^#\s*dcredit.*$|^dcredit\s*=\s*(?!-1\b)\w*$'
        'dcredit = -1'                                                                                                                   = '^#\s*dcredit.*$|^dcredit\s*=\s*(?!-1\b)\w*$'
        'difok = 8'                                                                                                                      = '^\s*difok\s*=\s*(-|)[0-7]$|#\s*difok\s*=.*|difok\s+=\s+.*' # Org
        'difok=8'                                                                                                                        = '^\s*difok\s*=\s*(-|)[0-7]$|#\s*difok\s*=.*|difok\s+=\s+.*' # Org
        'PASS_MIN_DAYS 1'                                                                                                                = '^\s*PASS_MIN_DAYS\s*[0]*$|#\s*PASS_MIN_DAYS.*' # Org
        'PASS_MAX_DAYS 60'                                                                                                               = '^\s*PASS_MAX_DAYS\s*([0-9]|[1-5][0-9])$|#\s*PASS_MAX_DAYS.*' # Org
        'minlen=15'                                                                                                                      = '^\s*minlen\s*=\s*([0-9]|[1][1-4])$|#\s*minlen.*' # Org
        'minlen = 15'                                                                                                                    = '^\s*minlen\s*=\s*([0-9]|[1][1-4])$|#\s*minlen.*' # Org
        'dictcheck=1'                                                                                                                    = '^\s*dictcheck\s*=\s*((?!1)|[1]\d+)\d*$|#\s*dictcheck.*'
        'enforcing = 1'                                                                                                                  = '^\s*enforcing\s*=\s*((?!1)|[1]\d+)\d*$|#\s*enforcing.*'
        'ocredit=-1'                                                                                                                     = '^#\s*ocredit.*$|^ocredit\s*=\s*(?!-1)\w*$'
        'ocredit = -1'                                                                                                                   = '^#\s*ocredit.*$|^ocredit\s*=\s*(?!-1)\w*$'
        '* hard maxlogins 10'                                                                                                            = '^\s*\*\s*hard\s*maxlogins\s*([1][1-9]|[2-9]\d+|[1-9][0-9]\d+)$|^#\s*\*\s*hard\s*maxlogins.*'
        'TMOUT=900'                                                                                                                      = '^\s*TMOUT\s*=\s*[0-8]?[0-9]?[0-9]?$|^#\s*TMOUT.*' # Org
        'readonly TMOUT'                                                                                                                 = '^\s*readonly\s+(?!TMOUT\b).*$|^\s*#\s*readonly.*$' # Org
        'export TMOUT'                                                                                                                   = '^\s*export\s+(?!TMOUT\b).*$|^\s*#\s*export.*$' # Org
        'ClientAliveInterval 600'                                                                                                        = '^\s*ClientAliveInterval\s*[0-5]?[0-9]?[0-9]?\s*$|^#\s*ClientAliveInterval.*|^\s*ClientAliveInterval\s*$'
        'Protocol 2'                                                                                                                     = '^#\s*Protocol.*$|^Protocol\s*(?!2\b)\w*$'
        'ClientAliveCountMax 0'                                                                                                          = '^#\s*ClientAliveCountMax.*$|^ClientAliveCountMax\s*(?!0\b)\w*$'
        'ClientAliveCountMax 1'                                                                                                          = '^#\s*ClientAliveCountMax.*$|^ClientAliveCountMax\s*(?!1\b)\w*$'
        'PermitEmptyPasswords no'                                                                                                        = '^#\s*PermitEmptyPasswords.*$|^PermitEmptyPasswords\s*(?!no\b)\w*$'
        'PermitUserEnvironment no'                                                                                                       = '^#\s*PermitUserEnvironment.*$|^PermitUserEnvironment\s*(?!no\b)\w*$'
        'UMASK 077'                                                                                                                      = '^\s*UMASK(?!\s077\b)\s*\d*\s*$|^#\s*UMASK.*'
        'MACs hmac-sha2-512,hmac-sha2-256'                                                                                               = '#\s*MACs.*|\s*MACs\s*hmac-(?!sha2-512).*'
        'minclass = 4'                                                                                                                   = 'DynamicallyGeneratedDoesNotContainPattern'
        'FAIL_DELAY 4'                                                                                                                   = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod'                                              = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod'                                              = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'                                = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S creat F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'                                  = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S create_module -k module-change'                                                                   = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S delete_module -k module-change'                                                                   = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid'                                                          = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid'                                                          = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod'                                             = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod'                                           = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod'                                             = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod'                                           = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S finit_module -k module-change'                                                                    = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'                                       = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'                                          = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'                            = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'                             = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S init_module -k module-change'                                                                     = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod'                                             = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'                                       = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'                                          = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount'                                      = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'                                 = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'                                  = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'                    = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'                     = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'                               = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'                                = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'                                        = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=4294967295 -k delete'                                               = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'                                             = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete'                                                = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'                                           = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'                             = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'                              = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=4294967295 -k delete'                                               = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k delete'                                             = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod'                                              = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod'                                              = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'                                = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'                                 = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S create_module -k module-change'                                                                   = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S delete_module -k module-change'                                                                   = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid'                                                          = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid'                                                          = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod'                                             = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod'                                           = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod'                                             = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod'                                           = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S finit_module -k module-change'                                                                    = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'                                       = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'                                          = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'                            = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'                             = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S init_module -k module-change'                                                                     = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod'                                             = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'                                       = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'                                          = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount'                                      = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'                                 = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'                                  = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'                    = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'                     = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'                               = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'                                = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'                                        = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=4294967295 -k delete'                                               = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'                                             = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete'                                                = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'                                           = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'                             = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'                              = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=4294967295 -k delete'                                               = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k delete'                                             = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F path=/usr/bin/chage -F auid>=1000 -F auid!=4294967295 -k privileged-passwd'                                   = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F path=/usr/bin/chcon -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change'                              = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F path=/usr/bin/chsh -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change'                               = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F path=/usr/bin/crontab -F auid>=1000 -F auid!=4294967295 -k privileged-cron'                                   = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F path=/usr/bin/gpasswd -F auid>=1000 -F auid!=4294967295 -k privileged-passwd'                                 = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F path=/usr/bin/mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount'                                    = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change'                             = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F path=/usr/bin/passwd -F auid>=1000 -F auid!=4294967295 -k privileged-passwd'                                  = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change'                                 = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change'                               = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F path=/usr/bin/umount -F auid>=1000 -F auid!=4294967295 -k privileged-mount'                                   = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid>=1000 -F auid!=4294967295 -k privileged-ssh'                    = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F path=/usr/sbin/pam_timestamp_check -F auid>=1000 -F auid!=4294967295 -k privileged-pam'                       = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'                              = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F path=/usr/sbin/postqueue -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'                             = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change'                          = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F path=/usr/sbin/setfiles -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change'                          = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change'                         = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F path=/usr/sbin/unix_chkpwd -F auid>=1000 -F auid!=4294967295 -k privileged-passwd'                            = 'DynamicallyGeneratedDoesNotContainPattern'
        '-a always,exit -F path=/usr/sbin/userhelper -F auid>=1000 -F auid!=4294967295 -k privileged-passwd'                             = 'DynamicallyGeneratedDoesNotContainPattern'
        'action_mail_acct = root'                                                                                                        = 'DynamicallyGeneratedDoesNotContainPattern'
        'AutomaticLoginEnable=false'                                                                                                     = 'DynamicallyGeneratedDoesNotContainPattern'
        'banner /etc/issue'                                                                                                              = 'DynamicallyGeneratedDoesNotContainPattern'
        'banner-message-enable=true'                                                                                                     = 'DynamicallyGeneratedDoesNotContainPattern'
        'cert_policy = ca, ocsp_on, signature;'                                                                                          = 'DynamicallyGeneratedDoesNotContainPattern'
        'Ciphers aes256-ctr,aes192-ctr,aes128-ctr'                                                                                       = '^#\s*Ciphers.*|^\s*Ciphers\s*aes128-ctr.*|^\s*Ciphers\s*aes192-ctr.*'
        'clean_requirements_on_remove=1'                                                                                                 = 'DynamicallyGeneratedDoesNotContainPattern'
        'Compression delayed'                                                                                                            = '^#\s*Compression.*$|^Compression\s*(?!delayed\b)\w*$'
        'CREATE_HOME yes'                                                                                                                = '^#\s*CREATE_HOME.*$|^CREATE_HOME\s*(?!yes\b)\w*$|^CREATE_HOME\t.*'
        'crypt_style = sha512'                                                                                                           = 'DynamicallyGeneratedDoesNotContainPattern'
        'direction = out'                                                                                                                = 'DynamicallyGeneratedDoesNotContainPattern'
        'disk_full_action = single'                                                                                                      = 'DynamicallyGeneratedDoesNotContainPattern'
        'enable_krb5 = yes'                                                                                                              = 'DynamicallyGeneratedDoesNotContainPattern'
        'ENCRYPT_METHOD SHA512'                                                                                                          = 'DynamicallyGeneratedDoesNotContainPattern'
        'ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"'                                        = 'DynamicallyGeneratedDoesNotContainPattern'
        'format = string'                                                                                                                = 'DynamicallyGeneratedDoesNotContainPattern'
        'gpgcheck=1'                                                                                                                     = 'DynamicallyGeneratedDoesNotContainPattern'
        'GSSAPIAuthentication no'                                                                                                        = '^#\s*GSSAPIAuthentication.*$|^GSSAPIAuthentication\s*(?!no\b)\w*$'
        'HostbasedAuthentication no'                                                                                                     = '^#\s*HostbasedAuthentication.*$|^HostbasedAuthentication\s*(?!no\b)\w*$'
        'idle-activation-enabled=true'                                                                                                   = 'DynamicallyGeneratedDoesNotContainPattern'
        'IgnoreRhosts yes'                                                                                                               = '^#\s*IgnoreRhosts.*$|^IgnoreRhosts\s*(?!yes\b)\w*$'
        'IgnoreUserKnownHosts yes'                                                                                                       = '^#\s*IgnoreUserKnownHosts.*$|^IgnoreUserKnownHosts\s*(?!yes\b)\w*$'
        'INACTIVE=0'                                                                                                                     = '^#\s*INACTIVE.*$|^INACTIVE\s*=\s*(?!0\b)[-]*\w*$'
        'KerberosAuthentication no'                                                                                                      = '^#\s*KerberosAuthentication.*$|^KerberosAuthentication\s*(?!no\b)\w*$'
        'localpkg_gpgcheck=1'                                                                                                            = 'DynamicallyGeneratedDoesNotContainPattern'
        'lock-enabled=true'                                                                                                              = 'DynamicallyGeneratedDoesNotContainPattern'
        'maxclassrepeat = 4'                                                                                                             = 'DynamicallyGeneratedDoesNotContainPattern'
        'maxrepeat = 3'                                                                                                                  = 'DynamicallyGeneratedDoesNotContainPattern'
        'name_format = hostname'                                                                                                         = '^#\s*name_format.*$|^name_format\s*=\s*(?!hostname$)\w*$'
        'network_failure_action = syslog'                                                                                                = 'DynamicallyGeneratedDoesNotContainPattern'
        'overflow_action = syslog'                                                                                                       = '^#\s*overflow_action.*$|^overflow_action\s*=\s*(?!syslog$)\w*$'
        # NOTE(review): unlike the value-checking entries around it, the first alternative matches the
        # required line itself, and only when a literal tab separates 'substack' from 'system-auth'
        # ('(?:\t*|\s*)' is equivalent to '\s*'). A line that uses spaces at that position is not
        # matched - confirm that is intended. The second alternative matches the commented-out form.
        'password substack system-auth'                                                                                                  = '^\s*password(?:\t*|\s*)substack\tsystem-auth\s*$|^#\s*password\s*substack\s*system-auth.*'
        'path = /sbin/audisp-remote'                                                                                                     = 'DynamicallyGeneratedDoesNotContainPattern'
        # The first alternative matches a commented-out PermitRootLogin line; the second matches an
        # active line whose value is a single word other than 'no'.
        # NOTE(review): '\w*' does not cover '-', so hyphenated values such as 'prohibit-password' or
        # 'forced-commands-only' are not matched, and neither is an indented line or one with trailing
        # text. sshd_config(5) states that the first value obtained for a keyword is used, so confirm
        # the consumer of this pattern cannot leave such a line in effect ahead of the required one.
        # Whether keyword case is ignored depends on the regex options the consumer applies.
        'PermitRootLogin no'                                                                                                             = '^#\s*PermitRootLogin.*$|^PermitRootLogin\s*(?!no\b)\w*$'
        'PrintLastLog yes'                                                                                                               = '^#\s*PrintLastLog.*$|^PrintLastLog\s*(?!yes\b)\w*$'
        # NOTE(review): 10.0.21.1 looks like a sample address rather than a site value - confirm the
        # remote server is supplied per environment and not taken literally from this key.
        'remote_server = 10.0.21.1'                                                                                                      = 'DynamicallyGeneratedDoesNotContainPattern'
        'RhostsRSAAuthentication no'                                                                                                     = '^#\s*RhostsRSAAuthentication.*$|^RhostsRSAAuthentication\s*(?!no\b)\w*$'
        'SELINUX=enforcing'                                                                                                              = '^#\s*SELINUX.*$|^SELINUX\s*=\s*(?!enforcing\b)\w*$'
        'SELINUXTYPE=targeted'                                                                                                           = '^#\s*SELINUXTYPE.*$|^SELINUXTYPE\s*=\s*(?!targeted\b)\w*$'
        'server_args = -s /var/lib/tftpboot'                                                                                             = 'DynamicallyGeneratedDoesNotContainPattern'
        'space_left_action = email'                                                                                                      = '^#\s*space_left_action.*$|^space_left_action\s*=\s*(?!email$)\w*$'
        'StrictModes yes'                                                                                                                = '^#\s*StrictModes.*$|^StrictModes\s*(?!yes\b)\w*$'
        'There should be at least three lines returned.'                                                                                 = 'DynamicallyGeneratedDoesNotContainPattern'
        'This command will return the banner keyword and the name of the file that contains the ssh banner (in this case "/etc/issue").' = 'DynamicallyGeneratedDoesNotContainPattern'
        'TimedLoginEnable=false'                                                                                                         = 'DynamicallyGeneratedDoesNotContainPattern'
        'type = always'                                                                                                                  = 'DynamicallyGeneratedDoesNotContainPattern'
        'UsePrivilegeSeparation sandbox'                                                                                                 = '^#\s*UsePrivilegeSeparation.*$|^UsePrivilegeSeparation\s*(?!sandbox\b)\w*$'
        '-w /etc/group -p wa -k identity'                                                                                                = 'DynamicallyGeneratedDoesNotContainPattern'
        '-w /etc/gshadow -p wa -k identity'                                                                                              = 'DynamicallyGeneratedDoesNotContainPattern'
        '-w /etc/passwd -p wa -k identity'                                                                                               = 'DynamicallyGeneratedDoesNotContainPattern'
        '-w /etc/security/opasswd -p wa -k identity'                                                                                     = 'DynamicallyGeneratedDoesNotContainPattern'
        '-w /etc/shadow -p wa -k identity'                                                                                               = 'DynamicallyGeneratedDoesNotContainPattern'
        '-w /etc/sudoers -p wa -k privileged-actions'                                                                                    = 'DynamicallyGeneratedDoesNotContainPattern'
        '-w /etc/sudoers.d/ -p wa -k privileged-actions'                                                                                 = 'DynamicallyGeneratedDoesNotContainPattern'
        '-w /usr/bin/kmod -p x -F auid!=4294967295 -k module-change'                                                                     = 'DynamicallyGeneratedDoesNotContainPattern'
        '-w /var/log/lastlog -p wa -k logins'                                                                                            = 'DynamicallyGeneratedDoesNotContainPattern'
        '-w /var/run/faillock -p wa -k logins'                                                                                           = 'DynamicallyGeneratedDoesNotContainPattern'
        # Both values of X11Forwarding are keyed here and the two patterns mirror each other: each
        # matches a commented-out X11Forwarding line, or an active line carrying any single-word value
        # other than the one in its own key.
        # NOTE(review): presumably the two keys come from different benchmark revisions; confirm the
        # rule in use resolves to the intended one, since 'yes' leaves X11 forwarding enabled.
        'X11Forwarding yes'                                                                                                              = '^#\s*X11Forwarding.*$|^X11Forwarding\s*(?!yes\b)\w*$'
        'X11Forwarding no'                                                                                                               = '^#\s*X11Forwarding.*$|^X11Forwarding\s*(?!no\b)\w*$'
    }
}