.-.-.-.-.-

PKQ��\����''5sample-rules/30-ospp-v42-6-owner-change-success.rulesnu�[���## Successful ownership change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
PKQ��\M� V<<sample-rules/30-ospp-v42.rulesnu�[���## The purpose of these rules is to meet the requirements for Operating
## System Protection Profile (OSPP)v4.2. These rules depends on having
## the following rule files copied to /etc/audit/rules.d:
##
## 10-base-config.rules, 11-loginuid.rules,
## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules,
## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules,
## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules,
## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules,
## 30-ospp-v42-5-perm-change-failed.rules,
## 30-ospp-v42-5-perm-change-success.rules,
## 30-ospp-v42-6-owner-change-failed.rules,
## 30-ospp-v42-6-owner-change-success.rules
##
## original copies may be found in /usr/share/audit/sample-rules/

## User add delete modify. This is covered by pam. However, someone could
## open a file and directly create or modify a user, so we'll watch passwd and
## shadow for writes
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify

## User enable and disable. This is entirely handled by pam.

## Group add delete modify. This is covered by pam. However, someone could
## open a file and directly create or modify a user, so we'll watch group and
## gshadow for writes
-a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify

## Use of special rights for config changes. This would be use of setuid
## programs that relate to user accts. This is not all setuid apps because
## requirements are only for ones that affect system configuration.
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes

## Privilege escalation via su or sudo. This is entirely handled by pam.
## Special case for systemd-run. It is not audit aware, specifically watch it
-a always,exit -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation
## Special case for pkexec. It is not audit aware, specifically watch it
-a always,exit -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation

## Watch for configuration changes to privilege escalation.
-a always,exit -F path=/etc/sudoers -F perm=wa -F key=special-config-changes
-a always,exit -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes

## Audit log access
-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
## Attempts to Alter Process and Session Initiation Information
-a always,exit -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session

## Attempts to modify MAC controls
-a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy

## Software updates. This is entirely handled by rpm.

## System start and shutdown. This is entirely handled by systemd

## Kernel Module loading. This is handled in 43-module-load.rules

## Application invocation. The requirements list an optional requirement
## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to
## state results from that policy. This would be handled entirely by
## that daemon.

PKQ��\���aa!sample-rules/30-pci-dss-v31.rulesnu�[���## The purpose of these rules is to meet the pci-dss v3.1 auditing requirements
## These rules depends on having 10-base-config.rules & 99-finalize.rules
## installed.

## 10.1 Implement audit trails to link all access to individual user.
##  This requirement is implicitly met

## 10.2.1 Implement audit trails to detect user accesses to cardholder data
## This would require a watch on the database that excludes the daemon's
## access. This rule is commented out due to needing a path name
#-a always,exit -F path=path-to-db -F auid>=1000 -F auid!=unset -F uid!=daemon-acct -F perm=r -F key=10.2.1-cardholder-access

## 10.2.2 Log administrative action. To meet this, you need to enable tty
## logging. The pam config below should be placed into su and sudo pam stacks.
## session   required pam_tty_audit.so disable=* enable=root

## Special case for systemd-run. It is not audit aware, specifically watch it
-a always,exit -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation
## Special case for pkexec. It is not audit aware, specifically watch it
-a always,exit -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation

## Watch for configuration changes to privilege escalation.
-a always,exit -F path=/etc/sudoers -F perm=wa -F key=10.2.2-priv-config-changes
-a always,exit -F dir=/etc/sudoers.d/ -F perm=wa -F key=10.2.2-priv-config-changes

## 10.2.3 Access to all audit trails.
-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=10.2.3-access-audit-trail
-a always,exit -F path=/usr/sbin/ausearch -F perm=x -F key=10.2.3-access-audit-trail
-a always,exit -F path=/usr/sbin/aureport -F perm=x -F key=10.2.3-access-audit-trail
-a always,exit -F path=/usr/sbin/aulast -F perm=x -F key=10.2.3-access-audit-trail
-a always,exit -F path=/usr/sbin/aulastlogin -F perm=x -F key=10.2.3-access-audit-trail
-a always,exit -F path=/usr/sbin/auvirt -F perm=x -F key=10.2.3-access-audit-trail

## 10.2.4 Invalid logical access attempts. This is naturally met by pam. You
## can find these events with: ausearch --start today -m user_login -sv no -i

## 10.2.5.a Use of I&A mechanisms is logged. Pam naturally handles this.
## you can find the events with:
##   ausearch --start today -m user_auth,user_chauthtok -i

## 10.2.5.b All elevation of privileges is logged
-a always,exit -F arch=b64 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=10.2.5.b-elevated-privs-session
-a always,exit -F arch=b32 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=10.2.5.b-elevated-privs-session
-a always,exit -F arch=b64 -S setresuid -F a0=0 -F exe=/usr/bin/sudo -F key=10.2.5.b-elevated-privs-session
-a always,exit -F arch=b32 -S setresuid -F a0=0 -F exe=/usr/bin/sudo -F key=10.2.5.b-elevated-privs-session
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=10.2.5.b-elevated-privs-setuid
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=10.2.5.b-elevated-privs-setuid

## 10.2.5.c All changes, additions, or deletions to any account are logged
## This is implicitly covered by shadow-utils. We will place some rules
## in case someone tries to hand edit the trusted databases
-a always,exit -F path=/etc/group -F perm=wa -F key=10.2.5.c-accounts
-a always,exit -F path=/etc/passwd -F perm=wa -F key=10.2.5.c-accounts
-a always,exit -F path=/etc/gshadow -F perm=wa -F key=10.2.5.c-accounts
-a always,exit -F path=/etc/shadow -F perm=wa -F key=10.2.5.c-accounts
-a always,exit -F path=/etc/security/opasswd -F perm=wa -F key=10.2.5.c-accounts

## 10.2.6 Verify the following are logged:
## Initialization of audit logs
## Stopping or pausing of audit logs.
## These are handled implicitly by auditd

## 10.2.7 Creation and deletion of system-level objects
## This requirement seems to be database table related and not audit

## 10.3 Record at least the following audit trail entries
## 10.3.1 through 10.3.6 are implicitly met by the audit system.

## 10.4.2b Time data is protected.
## We will place rules to check time synchronization
-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=10.4.2b-time-change
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=10.4.2b-time-change
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=10.4.2b-time-change
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=10.4.2b-time-change
# Introduced in 2.6.39, commented out because it can make false positives
#-a always,exit -F arch=b32 -S clock_adjtime -F key=10.4.2b-time-change
#-a always,exit -F arch=b64 -S clock_adjtime -F key=10.4.2b-time-change
-w /etc/localtime -p wa -k 10.4.2b-time-change

## 10.5 Secure audit trails so they cannot be altered
## The audit system protects audit logs by virtue of being the root user.
## That means that no normal user can tamper with the audit trail. If for
## some reason you suspect that admins may be malicious or that their acct
## could be compromised, then enable the remote logging plugin and get the
## logs off the system to assure that there is an unaltered copy.

## 10.5.1 Limit viewing of audit trails to those with a job-related need.
## The audit daemon by default limits viewing of the audit trail to root.
## If someone that is not an admin has a job related need to see logs, then
## create a unique group for people with this need and set the log_group 
## configuration item in auditd.conf

## 10.5.2 Protect audit trail files from unauthorized modifications.
## See discussion in 10.5 above

## 10.5.3 Promptly back up audit trail files to a centralized log server
## See discussion in 10.5 above

## 10.5.4 Write logs for external-facing technologies onto a secure,
## centralized, internal log serve
## See discussion in 10.5 above

## 10.5.5 Use file-integrity monitoring or change-detection software on logs
-a always,exit -F dir=/var/log/audit/ -F perm=wa -F key=10.5.5-modification-audit

## Feel free to add watches on other critical logs
# -a always,exit -F path=path-to-log -F perm=wa -F key=10.5.5-modification-log

PKQ��\A�-sample-rules/30-stig.rulesnu�[���## The purpose of these rules is to meet the stig auditing requirements
## These rules depends on having 10-base-config.rules & 99-finalize.rules
## installed.

## NOTE:
## 1) if this is being used on a 32 bit machine, comment out the b64 lines
## 2) These rules assume that login under the root account is not allowed.
## 3) It is also assumed that 1000 represents the first usable user account. To
##    be sure, look at UID_MIN in /etc/login.defs.
## 4) If these rules generate too much spurious data for your tastes, limit the
##    syscall file rules with a directory, like -F dir=/etc
## 5) You can search for the results on the key fields in the rules
##
##
## (GEN002880: CAT II) The IAO will ensure the auditing software can
## record the following for each audit event: 
##- Date and time of the event 
##- Userid that initiated the event 
##- Type of event 
##- Success or failure of the event 
##- For I&A events, the origin of the request (e.g., terminal ID) 
##- For events that introduce an object into a user’s address space, and
##  for object deletion events, the name of the object, and in MLS
##  systems, the object’s security level.
##
## Things that could affect time
-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
# Introduced in 2.6.39, commented out because it can make false positives
#-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change
#-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change
-w /etc/localtime -p wa -k time-change

## Things that affect identity
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity

## Things that could affect system locale
-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale
-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/hostname -p wa -k system-locale
-a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale

## Things that could affect MAC policy
-a always,exit -F dir=/etc/selinux/ -F perm=wa -F key=MAC-policy

## (GEN002900: CAT III) The IAO will ensure audit files are retained at
## least one year; systems containing SAMI will be retained for five years.
##
## Site action - no action in config files

## (GEN002920: CAT III) The IAO will ensure audit files are backed up
## no less than weekly onto a different system than the system being
## audited or backup media.  
##
## Can be done with cron script

## (GEN002700: CAT I) (Previously – G095) The SA will ensure audit data
## files have permissions of 640, or more restrictive.
##
## Done automatically by auditd

## (GEN002720-GEN002840: CAT II) (Previously – G100-G106) The SA will
## configure the auditing system to audit the following events for all
## users and root:
##
## - Logon (unsuccessful and successful) and logout (successful)
##
## Handled by pam, sshd, login, and gdm
## Might also want to watch these files if needing extra information
#-w /var/log/tallylog -p wa -k logins
#-w /var/run/faillock/ -p wa -k logins
#-w /var/log/lastlog -p wa -k logins

##- Process and session initiation (unsuccessful and successful)
##
## The session initiation is audited by pam without any rules needed.
## Might also want to watch this file if needing extra information
#-w /var/run/utmp -p wa -k session
#-w /var/log/btmp -p wa -k session
#-w /var/log/wtmp -p wa -k session

##- Discretionary access control permission modification (unsuccessful
## and successful use of chown/chmod)
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

##- Unauthorized access attempts to files (unsuccessful) 
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

##- Use of print command (unsuccessful and successful)

##- Export to media (successful)
## You have to mount media before using it. You must disable all automounting
## so that its done manually in order to get the correct user requesting the
## export
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -F key=export
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -F key=export

##- System startup and shutdown (unsuccessful and successful)

##- Files and programs deleted by the user (successful and unsuccessful)
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete

##- All system administration actions 
##- All security personnel actions
## 
## Look for pam_tty_audit and add it to your login entry point's pam configs.
## If that is not found, use sudo which should be patched to record its
## commands to the audit system. Do not allow unrestricted root shells or
## sudo cannot record the action.
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions

## (GEN002860: CAT II) (Previously – G674) The SA and/or IAO will
##ensure old audit logs are closed and new audit logs are started daily.
##
## Site action. Can be assisted by a cron job

PKQ��\�_���� sample-rules/31-privileged.rulesnu�[���##- Use of privileged commands (unsuccessful and successful)
## You can run the following commands to generate the rules:
#find /bin -type f -perm -04000 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $1 }' > priv.rules
#find /sbin -type f -perm -04000 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $1 }' >> priv.rules
#find /usr/bin -type f -perm -04000 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $1 }' >> priv.rules
#find /usr/sbin -type f -perm -04000 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $1 }' >> priv.rules
#filecap /bin 2>/dev/null | sed '1d' | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $2 }' >> priv.rules
#filecap /sbin 2>/dev/null | sed '1d' | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $2 }' >> priv.rules
#filecap /usr/bin 2>/dev/null | sed '1d' | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $2 }' >> priv.rules
#filecap /usr/sbin 2>/dev/null | sed '1d' | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $2 }' >> priv.rules

PKQ��\O�����!sample-rules/32-power-abuse.rulesnu�[���## The purpose of this rule is to detect when an admin may be abusing power
## by looking in user's home dir.
-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=unset -C auid!=obj_uid -F key=power-abuse

PKQ��\31�F��sample-rules/40-local.rulesnu�[���## Put your own watches after this point
# -a exit,always -F path=file -F perm=rwxa -F key=text
# -a exit,always -F dir=directory -F perm=rwxa -F key=text

PKQ��\���� sample-rules/41-containers.rulesnu�[���## Use these rules if you want to log container events
## watch for container creation
-a always,exit -F arch=b32 -S clone -F a0&0x7C020000 -F key=container-create
-a always,exit -F arch=b64 -S clone -F a0&0x7C020000 -F key=container-create

## watch for containers that may change their configuration
-a always,exit -F arch=b32 -S unshare,setns -F key=container-config
-a always,exit -F arch=b64 -S unshare,setns -F key=container-config

PKQ��\�;���sample-rules/42-injection.rulesnu�[���## These rules watch for code injection by the ptrace facility.
## This could indicate someone trying to do something bad or
## just debugging

#-a always,exit -F arch=b32 -S ptrace -F key=tracing
-a always,exit -F arch=b64 -S ptrace -F key=tracing
-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -F key=code-injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code-injection
-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -F key=data-injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data-injection
-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -F key=register-injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register-injection

PKQ��\�B}��!sample-rules/43-module-load.rulesnu�[���## These rules watch for kernel module insertion. By monitoring
## the syscall, we do not need any watches on programs.
-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b32 -S delete_module -F key=module-unload
-a always,exit -F arch=b64 -S delete_module -F key=module-unload
PKQ��\}h�HH sample-rules/44-installers.rulesnu�[���# These rules watch for invocation of things known to install software

-a always,exit -F perm=x -F path=/usr/bin/dnf-3 -F key=software-installer
-a always,exit -F perm=x -F path=/usr/bin/yum -F key=software-installer
-a always,exit -F perm=x -F path=/usr/bin/pip -F key=software-installer
-a always,exit -F perm=x -F path=/usr/bin/npm -F key=software-installer
-a always,exit -F perm=x -F path=/usr/bin/cpan -F key=software-installer
-a always,exit -F perm=x -F path=/usr/bin/gem -F key=software-installer
-a always,exit -F perm=x -F path=/usr/bin/luarocks -F key=software-installer
PKQ��\�!�FFsample-rules/70-einval.rulesnu�[���## These are rules are to locate poorly written programs.
## Its never planned to waste time on a syscall with incorrect parameters
## This is more of a debugging step than something people should run with
## in production.
-a never,exit -F arch=b64 -S rt_sigreturn
-a always,exit -S all -F exit=-EINVAL -F key=einval-retcode
PKQ��\�uN�� sample-rules/71-networking.rulesnu�[���## This is to check if the system is making or receiving connections
## externally
-a always,exit -F arch=b64 -S accept,connect -F key=external-access
PKQ��\i>Q�VVsample-rules/99-finalize.rulesnu�[���## Make the configuration immutable - reboot is required to change audit rules
#-e 2

PKQ��\�g��sample-rules/README-rulesnu�[���This group of rules are meant to be used with the augenrules program.
The augenrules program expects rules to be located in /etc/audit/rules.d/
The rules will get processed in a specific order based on their natural
sort order. To make things easier to use, the files in this directory are
organized into groups with the following meanings:

10 - Kernel and auditctl configuration
20 - Rules that could match general rules but we want a different match
30 - Main rules
40 - Optional rules
50 - Server Specific rules
70 - System local rules
90 - Finalize (immutable)

There is one set of rules, 31-privileged.rules, that should be regenerated.
There is a script in the comments of that file. You can uncomment the commands
and run the script and then rename the resulting file.

The rules are not meant to be used all at once. They are pieces of a policy
that should be thought out and individual files copied to /etc/audit/rules.d/
For example, if you wanted to set a system up in the STIG configuration, copy
rules 10-base-config, 30-stig, 31-privileged, and 99-finalize. You can add
more if you like. Also, not all arches have the same syscalls. It is expected
that the rules be fine tuned for the arch they are deployed on. For example,
aarch64 does not have the open syscall. It should just be deleted from the
rules.

Once you have the rules in the rules.d directory, you can load them by running
augenrules --load

PKQ��\Rp��!sample-rules/10-base-config.rulesnu�[���## First rule - delete all
-D

## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192

## This determine how long to wait in burst of events
--backlog_wait_time 60000

## Set failure mode to syslog
-f 1

PKQ��\�I�nsample-rules/10-no-audit.rulesnu�[���## This set of rules is to suppress the performance effects of the
## audit system. The result is that you only get hardwired events.
-D

## This suppresses syscall auditing for all tasks started
## with this rule in effect.  Remove it if you need syscall
## auditing.
-a task,never

PKQ��\N���]]sample-rules/11-loginuid.rulesnu�[���## Make the loginuid immutable. This prevents tampering with the auid.
--loginuid-immutable

PKQ��\^���MMsample-rules/12-cont-fail.rulesnu�[���## This rule will cause auditctl to continue loading rules when it runs
## across an unsupported field or a rule with a syntax error however it will
## report an error at exit. The normal action is to report the line and
## issue with the rule and exit immediately with an error to get the admin's
## attention to fix the rules.

-c
PKQ��\����GG"sample-rules/12-ignore-error.rulesnu�[���## This rule will cause auditctl to continue loading rules when it runs
## across an unsupported field or a rule with a syntax error but exit with
## success reason code. The normal action is to report the line and issue with
## the rule and exit immediately with an error to get the admin's attention to
## fix the rules.

-i
PKQ��\�|: sample-rules/20-dont-audit.rulesnu�[���## This is for don't audit rules. We put these early because audit
### is a first match wins system. Uncomment the rules you want.

## Cron jobs fill the logs with stuff we normally don't want
#-a never,user -F subj_type=crond_t

## This prevents chrony from overwhelming the logs
#-a never,exit -F arch=x86_64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t

### This is not very interesting and wastes a lot of space if
### the server is public facing
#-a always,exclude -F msgtype=CRYPTO_KEY_USER

PKQ��\}���sample-rules/21-no32bit.rulesnu�[���## If you are on a 64 bit platform, everything _should_ be running
## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
## because this might be a sign of someone exploiting a hole in the 32
## bit API.
-a always,exit -F arch=b32 -S all -F key=32bit-abi
PKQ��\Uf#��#sample-rules/22-ignore-chrony.rulesnu�[���## This rule suppresses the time-change event when chrony does time updates
-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
-a never,exit -F arch=b32 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
PKQ��\�c��(sample-rules/23-ignore-filesystems.rulesnu�[���# This rule suppresses events that originate on the below file systems.
# Typically you would use this in conjunction with rules to monitor
# kernel modules. The filesystem listed are known to cause hundreds of
# path records during kernel module load. As an aside, if you do see the
# tracefs or debugfs module load and this is a production system, you really
# should look into why its getting loaded and prevent it if possible.
-a never,filesystem -F fstype=tracefs
-a never,filesystem -F fstype=debugfs
PKQ��\u&�~OOsample-rules/30-nispom.rulesnu�[���## This file contains a sample audit configuration intended to
## meet the NISPOM Chapter 8 rules. This rule depends on having
## 10-base-config.rules & 99-finalize.rules installed.

## Audit 1, 1(a) Enough information to determine the date and time of
## action (e.g., common network time), the system locale of the action,
## the system entity that initiated or completed the action, the resources
## involved, and the action involved.

## Things that could affect time
-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
# Introduced in 2.6.39, commented out because it can make false positives
#-a always,exit -F arch=b32 -S clock_adjtime -F key=time-change
#-a always,exit -F arch=b64 -S clock_adjtime -F key=time-change
-w /etc/localtime -p wa -k time-change

## Things that could affect system locale
-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale
-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/hostname -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
-a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale

## Audit 1, 1(b) Successful and unsuccessful logons and logoffs.
## This is covered by patches to login, gdm, and openssh
## Might also want to watch these files if needing extra information
#-w /var/log/tallylog -p wa -k logins
#-w /var/run/faillock/ -p wa -k logins
#-w /var/log/lastlog -p wa -k logins
#-w /var/log/btmp -p wa -k logins
#-w /var/run/utmp -p wa -k logins

## Audit 1, 1(c) Successful and unsuccessful accesses to
## security-relevant objects and directories, including
## creation, open, close, modification, and deletion.

## unsuccessful creation
-a always,exit -F arch=b32 -S creat,link,mknod,mkdir,symlink,mknodat,linkat,symlinkat -F exit=-EACCES -F key=creation
-a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -F key=creation
-a always,exit -F arch=b32 -S link,mkdir,symlink,mkdirat -F exit=-EPERM -F key=creation
-a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -F key=creation

## unsuccessful open
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F key=open
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F key=open
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F key=open
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F key=open

## unsuccessful close
-a always,exit -F arch=b32 -S close -F exit=-EIO -F key=close
-a always,exit -F arch=b64 -S close -F exit=-EIO -F key=close

## unsuccessful modifications
-a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -F key=mods
-a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -F key=mods
-a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -F key=mods
-a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -F key=mods

## unsuccessful deletion
-a always,exit -F arch=b32 -S unlink,rmdir,unlinkat -F exit=-EACCES -F key=delete
-a always,exit -F arch=b64 -S rmdir,unlink,unlinkat -F exit=-EACCES -F key=delete
-a always,exit -F arch=b32 -S unlink,rmdir,unlinkat -F exit=-EPERM -F key=delete
-a always,exit -F arch=b64 -S rmdir,unlink,unlinkat -F exit=-EPERM -F key=delete

## Audit 1, 1(d) Changes in user authenticators.
## Covered by patches to libpam, passwd, and shadow-utils
## Might also want to watch these files for changes
-w /etc/group -p wa -k auth
-w /etc/passwd -p wa -k auth
-w /etc/gshadow -p wa -k auth
-w /etc/shadow -p wa -k auth
-w /etc/security/opasswd -p wa -k auth

## Audit 1, 1(e) The blocking or blacklisting of a user ID,
## terminal, or access port and the reason for the action.
## Covered by patches to pam_tally2 or pam_faillock and pam_limits

## Audit 1, 1(f) Denial of access resulting from an excessive
## number of unsuccessful logon attempts.
## Covered by patches to pam_tally2 or pam_faillock

## Audit 1, 2 Audit Trail Protection. The contents of audit trails
## shall be protected against unauthorized access, modification,
## or deletion.
## This should be covered by file permissions, but we can watch it
## to see any activity
-w /var/log/audit/ -k audit-logs

PKQ��\����.sample-rules/30-ospp-v42-1-create-failed.rulesnu�[���## Unsuccessful file creation (open with O_CREAT)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
PKQ��\8�~��/sample-rules/30-ospp-v42-1-create-success.rulesnu�[���## Successful file creation (open with O_CREAT)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
PKQ��\+kZFnn.sample-rules/30-ospp-v42-2-modify-failed.rulesnu�[���## Unsuccessful file modifications (open for write or truncate)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
PKQ��\���::/sample-rules/30-ospp-v42-2-modify-success.rulesnu�[���## Successful file modifications (open for write or truncate)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
PKQ��\]�3tqq.sample-rules/30-ospp-v42-3-access-failed.rulesnu�[���## Unsuccessful file access (any other opens) This has to go last.
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
PKQ��\;�؏�/sample-rules/30-ospp-v42-3-access-success.rulesnu�[���## Successful file access (any other opens) This has to go last.
## These next two are likely to result in a whole lot of events
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
PKQ��\e���22.sample-rules/30-ospp-v42-4-delete-failed.rulesnu�[���## Unsuccessful file delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
PKQ��\�{v�/sample-rules/30-ospp-v42-4-delete-success.rulesnu�[���## Successful file delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
PKQ��\���`003sample-rules/30-ospp-v42-5-perm-change-failed.rulesnu�[���## Unsuccessful permission change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
PKQ��\XRs֞�4sample-rules/30-ospp-v42-5-perm-change-success.rulesnu�[���## Successful permission change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
PKQ��\�6!cCC4sample-rules/30-ospp-v42-6-owner-change-failed.rulesnu�[���## Unsuccessful ownership change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
PK�B�\`��o�/�/sotruss-lib.sonuȯ��ELF>�
@(@8	@�� �� � � �� � ��888DD���  S�td���  P�tdlllLLQ�tdR�td�� � 88GNU���|�=�Dכ�E~����GNUGNU��A"��X!BE��2�:��|����qX�.����(�闒o�U }v��]
���*� p!������, R!F"��  2p���  �`u��  �pd��P __gmon_start___ITM_deregisterTMCloneTable_ITM_registerTMCloneTable__cxa_finalizestrncmpstrchrla_versiongetenvgetpidfcntlfdopensetlinebufdupstrtoulstrlen__stpcpysnprintferror__stack_chk_failla_objopenbasename__progname__progname_fullla_symbind64warnxla_x86_64_gnu_pltenterfprintfla_x86_64_gnu_pltexitlibc.so.6program_invocation_short_nameprogram_invocation_name_edata__bss_start_endGLIBC_2.4GLIBC_2.2.5Hii
�ui	�� @� � � � � � � � �      (  0  8  @  H  	P  
X  `  h  
p  x  �  �  �  �  �  �  ��H��H�� H��t��H����5� �%� ��h�������h��������h�������h�������h�������h�������h�������h��q������h��a������h	��Q������h
��A������h��1������h��!������h
��������h��������h������h�������h��������h��������%� D���%� D���%� D���%� D���%� D���%� D���%} D���%u D���%m D���%e D���%] D���%U D���%M D���%E D���%= D���%5 D���%- D���%% D���% DH�= H� H9�tH�. H��t	�����H�=� H�5� H)�H��H��H��?H�H�tH� H��t��fD�����=� u+UH�=� H��tH�=� �Y����d����} ]������w����AUA��ATI��UH��SH��H����H�XH��L��H�������u�+<:t*��t&�:H���!���H��u�H��1�[]A\A]��H��D��[]A\A]�f.���UH��AWAVAUATSH��dH�%(H�E�1����;H�=��W���H�� H��t	�8�RH�=��6���H�� H��t	�8�H�=�����1�H��t1Ҁ8��H�=��] ��H������A��H��t	�;���1 H�=�����I��H��t	�8��1�1����������tLH�5u���n���H�� H��tH������H�M�dH3%(��OH�e�[A\A]A^A_]���������t���1�H�u�H���:���H�U��:�i���Ic�H9��]����;���@H�e �����H�U ���H��I������H��H��H��H%�H)�H���H��H9�tH��H��$�H9�u��t	H)�H�L�H��L��I���R���H��H��t�;uIc�H�F�
1�����1����BL���K������t�� L�����@L���t�����H��1�������^���ff.���H�=L �NAWAVAUATUSH��8L�gM���A�<$�H�|$L��H�T$���L��H�D$ �i����8H�D$��H�|$����H�-� H�� H�D$(H�D$L�p8M����E1�E1���A�}/u
I��8/LE�H��t.1��}t#I�6H��H�4$�s���H�4$�H��H������A	�H��t-1��;t#I�6H��H�4$�A���H�4$�H��H������A	�M�vM��tM���x���M�.�M��LDl$A�}��H�D$L�(H����E1�}t2H�T$ �L��H���}���H�T$(H�t$H��A���c���A	�E	�D����H��t:1��;t0H�T$ �L��H���6���H�T$(H�t$H�߹������	�D	�H��8[]A\A]A^A_�f�H�y L�(H�D$L�(H���J���H�D$H�PD�����:DD��m���f.�H�9 H�H�D$�!���@H�9 L� ���f�1��DL�l$E1�����ff.���UH��SL��H��A�uJ�� ��u�H�EH��[]���t�1�H�=j����� ��t�H�EH��[]�H�=1�������AWAVI��AUI��ATUH��SH��HE�M�dH�%(H�D$81��9 M�H �D$)L��$�M�@(H�\$)L��$���usA��ARH��H��AQL�
|I�MH�5�APLD�M�1�AWH�=� �&���I�$H�� H�EH�t$8dH34%(uaH��H[]A\A]A^A_��L�D$L�L$L�T$D�\$�W���H��H��Hc�1����L�D$L�L$L�T$D�\$�B����@�����AVAUATI��UH��SH�� �
4 M�1dH�%(H�D$1�L�l$P�D$	H�\$	��uNAVM�$H��H�5�AUH�M1�L�
xH�=�
 �3���XZ1�H�t$dH34%(u/H�� []A\A]A^�f����H�8�H��Hc�1�����������H��H���cannot handle interface version %ucannot trace PLT enter (bind-now enabled)cannot trace PLT exit (bind-now enabled)%s%15s -> %-15s:%s%s(0x%lx, 0x%lx, 0x%lx)
SOTRUSS_FROMLISTSOTRUSS_TOLISTSOTRUSS_EXITSOTRUSS_WHICHSOTRUSS_OUTNAME.%ldw*%5ld: %s%15s -> %-15s:%s%s - 0x%lx
;H��d�����d����� t���������� zRx�$H�@FJw�?:*3$"D`�0H\8���vB�E�D �D(�G0B
(C ABBHD(D ABB,�l����E�C
M�����'
Dd����uT�B�B �B(�A0�A8�Dp�
8A0A(B BBBJp������Hp������4@��pE�D�G ^
AAHe
AAA\x��� F�B�E �E(�A0�D8�D�H�L�T�K�X�X
8A0A(B BBBHL�����F�B�B �D(�D0�DPnXP`ZXAPV
0A(A BBBC#!

"	@� H
(� � ����o�0�
�  �8	`�	���o���o0���o�o����o� 0@P`p�������� 0@PGA$3a15GA$3p1113P%GA*GA$annobin gcc 8.5.0 20210514GA$plugin name: gcc-annobinGA$running gcc 8.5.0 20210514GA*GA*GA!
GA*FORTIFY�GA+GLIBCXX_ASSERTIONSGA*GOW*GA*cf_protectionGA+omit_frame_pointerGA+stack_clashGA!stack_realign
GA*FORTIFY�P�GA+GLIBCXX_ASSERTIONSsotruss-lib.so-2.28-251.el8_10.31.x86_64.debug�X%��7zXZ�ִF!t/��'[]?�E�h=��ڊ�2N���K� ��Д���~X�o�[��H˕d��-bj�$�c�%��'bd<	�{i>���QKC'hZ��R��'({2)�w�c��x�E����D��J!T�:�Y���VB��6S�@�������ʋ�s�^�
�>w�[��`���c��ߜxxI�*�Jp�7�O��!��j"R0C�֗��E�x���!�)��.o?�������'���*)�yʦ�Ɛ�N<�����`��.8*��5F��},�x�Aj-��0(R�_��^�;N��A������!G@A7
�{@�ރ��,4��U��=�d��l��
k�,\q�85�����@E޺ɒ�M;5�A؅,m���Υ�s'��3�]RK�1�+I��[�|P"���#�1BTK<��S<�������^�Q�>7(�.'��d��>�,��\�q� 0^�^7�������N��*�J,ϵ[�*���~P�)���o�汸o<2A��_u�~
)�1Aa �a�d�����]5&��v���w��ٔѼ�Q�иj��bd�r��A��k�*�	JTqLr���:�N��,�R�ϞvD>~�&G|;��Z��Cv��)w�=�!ֶ��L�%E�y��Wp}��4ެ)5u�2T��c�E�%�94ey6����1k��F�e���Vu2���KB���Ÿk�tfA��>����yݞ�a�A�L^䁯M�݌�-	�?H�B	�y�/b99����e�l��`[��x�Q���p�H�j(����n���v�/ Hq�*Ƒ������2��>lf���[H1��/9��{D�/!z�]X�콈�d�����s$��L��ڱ�g�YZ.shstrtab.note.gnu.build-id.note.ABI-tag.note.gnu.property.gnu.hash.dynsym.dynstr.gnu.version.gnu.version_r.rela.dyn.rela.plt.init.plt.sec.text.fini.rodata.eh_frame_hdr.eh_frame.init_array.fini_array.data.rel.ro.dynamic.got.got.plt.bss.gnu.build.attributes.gnu_debuglink.gnu_debugdata88$\\ ,�� ?���o��DI��HQ00�Y���o��Ff���o000u``�B8	8	���  @�``0��
�
��((
�2881�llL���(C����� ��� ��� ��� ���� �0�   ��  � (� `� H�"4*,#��&9PKQ��\����''5sample-rules/30-ospp-v42-6-owner-change-success.rulesnu�[���PKQ��\M� V<<�sample-rules/30-ospp-v42.rulesnu�[���PKQ��\���aa!sample-rules/30-pci-dss-v31.rulesnu�[���PKQ��\A�-�2sample-rules/30-stig.rulesnu�[���PKQ��\�_���� 0Nsample-rules/31-privileged.rulesnu�[���PKQ��\O�����!2Tsample-rules/32-power-abuse.rulesnu�[���PKQ��\31�F��XUsample-rules/40-local.rulesnu�[���PKQ��\���� ?Vsample-rules/41-containers.rulesnu�[���PKQ��\�;���FXsample-rules/42-injection.rulesnu�[���PKQ��\�B}��!5[sample-rules/43-module-load.rulesnu�[���PKQ��\}h�HH ]sample-rules/44-installers.rulesnu�[���PKQ��\�!�FF�_sample-rules/70-einval.rulesnu�[���PKQ��\�uN�� >asample-rules/71-networking.rulesnu�[���PKQ��\i>Q�VV%bsample-rules/99-finalize.rulesnu�[���PKQ��\�g���bsample-rules/README-rulesnu�[���PKQ��\Rp��!�hsample-rules/10-base-config.rulesnu�[���PKQ��\�I�n�isample-rules/10-no-audit.rulesnu�[���PKQ��\N���]]Nksample-rules/11-loginuid.rulesnu�[���PKQ��\^���MM�ksample-rules/12-cont-fail.rulesnu�[���PKQ��\����GG"�msample-rules/12-ignore-error.rulesnu�[���PKQ��\�|: .osample-rules/20-dont-audit.rulesnu�[���PKQ��\}����qsample-rules/21-no32bit.rulesnu�[���PKQ��\Uf#��#�rsample-rules/22-ignore-chrony.rulesnu�[���PKQ��\�c��(1tsample-rules/23-ignore-filesystems.rulesnu�[���PKQ��\u&�~OO�vsample-rules/30-nispom.rulesnu�[���PKQ��\����.�sample-rules/30-ospp-v42-1-create-failed.rulesnu�[���PKQ��\8�~��/Y�sample-rules/30-ospp-v42-1-create-success.rulesnu�[���PKQ��\+kZFnn.��sample-rules/30-ospp-v42-2-modify-failed.rulesnu�[���PKQ��\���::/n�sample-rules/30-ospp-v42-2-modify-success.rulesnu�[���PKQ��\]�3tqq.�sample-rules/30-ospp-v42-3-access-failed.rulesnu�[���PKQ��\;�؏�/֠sample-rules/30-ospp-v42-3-access-success.rulesnu�[���PKQ��\e���22.Ģsample-rules/30-ospp-v42-4-delete-failed.rulesnu�[���PKQ��\�{v�/T�sample-rules/30-ospp-v42-4-delete-success.rulesnu�[���PKQ��\���`003Ϧsample-rules/30-ospp-v42-5-perm-change-failed.rulesnu�[���PKQ��\XRs֞�4b�sample-rules/30-ospp-v42-5-perm-change-success.rulesnu�[���PKQ��\�6!cCC4d�sample-rules/30-ospp-v42-6-owner-change-failed.rulesnu�[���PK�B�\`��o�/�/�sotruss-lib.sonuȯ��PK%%|�

/home/emeraadmin/www/node_modules/liftup/../map-cache/../../4d695/audit.zip