{{% macro local_variable_modern_style(lvarid, arch) %}}
  <local_variable id="{{{ lvarid }}}" comment="The composite pattern used to detect if audit has been configured" datatype="string" version="1">
    <concat>
      <literal_component>^\-a\s+always,exit\s+\-F\s+arch={{{ arch }}}\s+\-F\s+{{{ FILTER_TYPE }}}=</literal_component>
  {{% if PATH_IS_VARIABLE %}}
      <variable_component var_ref="{{{ PATH }}}"/>
  {{% else %}}
      <literal_component>{{{ PATH_ESCAPED }}}</literal_component>
  {{% endif %}}
      <literal_component>\s+\-F\s+perm=\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</literal_component>
    </concat>
  </local_variable>
{{% endmacro %}}

<def-group>
  <definition class="compliance" id="{{{ rule_id }}}" version="1">
  {{% if PATH_IS_VARIABLE %}}
    {{{ oval_metadata("Check if actions on path specified in the '" ~ PATH ~ "' variable are configured to be audited", rule_title=rule_title) }}}
  {{% else %}}
    {{{ oval_metadata("Check if actions on '" ~ PATH ~ "' are configured to be audited", rule_title=rule_title) }}}
  {{% endif %}}

    <criteria operator="OR">

      <!-- Test the augenrules case -->
      <criteria operator="AND">
        <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
{{% if audit_watches_style == "modern" %}}
        <criterion comment="audit augenrules {{{ NAME }}}" test_ref="test_{{{ rule_id }}}_augenrules_32" />
        <criterion comment="audit augenrules {{{ NAME }}}" test_ref="test_{{{ rule_id }}}_augenrules_64" />
{{% else %}}
        <criterion comment="audit augenrules {{{ NAME }}}" test_ref="test_{{{ rule_id }}}_augenrules" />
{{% endif %}}
      </criteria>

      <!-- Test the auditctl case -->
      <criteria operator="AND">
        <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
{{% if audit_watches_style == "modern" %}}
        <criterion comment="audit auditctl {{{ NAME }}}" test_ref="test_{{{ rule_id }}}_auditctl_32" />
        <criterion comment="audit auditctl {{{ NAME }}}" test_ref="test_{{{ rule_id }}}_auditctl_64" />
{{% else %}}
        <criterion comment="audit auditctl {{{ NAME }}}" test_ref="test_{{{ rule_id }}}_auditctl" />
{{% endif %}}
      </criteria>

    </criteria>
  </definition>


{{% if audit_watches_style == "modern" %}}
  <ind:textfilecontent54_test check="all" comment="audit augenrules {{{ NAME }}} 32" id="test_{{{ rule_id }}}_augenrules_32" version="1">
    <ind:object object_ref="object_{{{ rule_id }}}_augenrules_32" />
  </ind:textfilecontent54_test>
  <ind:textfilecontent54_object id="object_{{{ rule_id }}}_augenrules_32" version="1">
    <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
    <ind:pattern operation="pattern match" var_ref="{{{ rule_id }}}_path_pattern_32"/>
    <ind:instance datatype="int">1</ind:instance>
  </ind:textfilecontent54_object>
  <ind:textfilecontent54_test check="all" comment="audit augenrules {{{ NAME }}} 64" id="test_{{{ rule_id }}}_augenrules_64" version="1">
    <ind:object object_ref="object_{{{ rule_id }}}_augenrules_64" />
  </ind:textfilecontent54_test>
  <ind:textfilecontent54_object id="object_{{{ rule_id }}}_augenrules_64" version="1">
    <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
    <ind:pattern operation="pattern match" var_ref="{{{ rule_id }}}_path_pattern_64"/>
    <ind:instance datatype="int">1</ind:instance>
  </ind:textfilecontent54_object>
  <ind:textfilecontent54_test check="all" comment="audit auditctl {{{ NAME }}} 32" id="test_{{{ rule_id }}}_auditctl_32" version="1">
    <ind:object object_ref="object_{{{ rule_id }}}_auditctl_32" />
  </ind:textfilecontent54_test>
  <ind:textfilecontent54_object id="object_{{{ rule_id }}}_auditctl_32" version="1">
    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
    <ind:pattern operation="pattern match" var_ref="{{{ rule_id }}}_path_pattern_32" />
    <ind:instance datatype="int">1</ind:instance>
  </ind:textfilecontent54_object>
  <ind:textfilecontent54_test check="all" comment="audit auditctl {{{ NAME }}} 64" id="test_{{{ rule_id }}}_auditctl_64" version="1">
    <ind:object object_ref="object_{{{ rule_id }}}_auditctl_64" />
  </ind:textfilecontent54_test>
  <ind:textfilecontent54_object id="object_{{{ rule_id }}}_auditctl_64" version="1">
    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
    <ind:pattern operation="pattern match" var_ref="{{{ rule_id }}}_path_pattern_64" />
    <ind:instance datatype="int">1</ind:instance>
  </ind:textfilecontent54_object>
  {{{ local_variable_modern_style(rule_id + "_path_pattern_32", "b32") }}}
  {{{ local_variable_modern_style(rule_id + "_path_pattern_64", "b64") }}}
{{% else %}}
  <ind:textfilecontent54_test check="all" comment="audit augenrules {{{ NAME }}}" id="test_{{{ rule_id }}}_augenrules" version="1">
    <ind:object object_ref="object_{{{ rule_id }}}_augenrules" />
  </ind:textfilecontent54_test>
  <ind:textfilecontent54_object id="object_{{{ rule_id }}}_augenrules" version="1">
    <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
    <ind:pattern operation="pattern match" var_ref="{{{ rule_id }}}_path_pattern"/>
    <ind:instance datatype="int">1</ind:instance>
  </ind:textfilecontent54_object>

  <ind:textfilecontent54_test check="all" comment="audit auditctl {{{ NAME }}}" id="test_{{{ rule_id }}}_auditctl" version="1">
    <ind:object object_ref="object_{{{ rule_id }}}_auditctl" />
  </ind:textfilecontent54_test>
  <ind:textfilecontent54_object id="object_{{{ rule_id }}}_auditctl" version="1">
    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
    <ind:pattern operation="pattern match" var_ref="{{{ rule_id }}}_path_pattern" />
    <ind:instance datatype="int">1</ind:instance>
  </ind:textfilecontent54_object>
  <local_variable id="{{{ rule_id }}}_path_pattern" comment="The composite pattern used to detect if audit as been configured" datatype="string" version="1">
    <concat>
      <literal_component>^\-w[\s]+</literal_component>
  {{% if PATH_IS_VARIABLE %}}
      <variable_component var_ref="{{{ PATH }}}"/>
  {{% else %}}
      <literal_component>{{{ PATH_ESCAPED }}}</literal_component>
  {{% endif %}}
      <literal_component>[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</literal_component>
    </concat>
  </local_variable>
{{% endif %}}
  {{% if PATH_IS_VARIABLE %}}
  <external_variable id="{{{ PATH }}}" comment="variable specifying the path that should be watched by the audit watch" datatype="string" version="1"/>
  {{% endif %}}
</def-group>