From 19e530183bff3dbf099138870ab8fae68063a887 Mon Sep 17 00:00:00 2001
From: Alexandre Skrzyniarz
Date: Thu, 20 Nov 2025 12:58:23 +0100
Subject: [PATCH 1/4] update audit_rules_networkconfig_modification for Debian
---
 .../audit_rules_networkconfig_modification/bash/shared.sh | 5 +++++
 .../audit_rules_networkconfig_modification/oval/debian.xml | 1 +
 .../audit_rules_networkconfig_modification/rule.yml | 6 +++---
 3 files changed, 9 insertions(+), 3 deletions(-)
 create mode 120000 linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/oval/debian.xml
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/bash/shared.sh
index c0fe0755138f..373841ddb177 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/bash/shared.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/bash/shared.sh
@@ -33,6 +33,11 @@ done
 {{{ bash_fix_audit_watch_rule("augenrules", "/etc/network/", "wa", "audit_rules_networkconfig_modification") }}}
 {{{ bash_fix_audit_watch_rule("auditctl", "/etc/netplan/", "wa", "audit_rules_networkconfig_modification") }}}
 {{{ bash_fix_audit_watch_rule("augenrules", "/etc/netplan/", "wa", "audit_rules_networkconfig_modification") }}}
+{{% elif 'debian' in product -%}}
+{{{ bash_fix_audit_watch_rule("auditctl", "/etc/networks", "wa", "audit_rules_networkconfig_modification") }}}
+{{{ bash_fix_audit_watch_rule("augenrules", "/etc/networks", "wa", "audit_rules_networkconfig_modification") }}}
+{{{ bash_fix_audit_watch_rule("auditctl", "/etc/network/", "wa", "audit_rules_networkconfig_modification") }}}
+{{{ bash_fix_audit_watch_rule("augenrules", "/etc/network/", "wa", "audit_rules_networkconfig_modification") }}}
 {{% else -%}}
 {{{ bash_fix_audit_watch_rule("auditctl", "/etc/sysconfig/network", "wa", "audit_rules_networkconfig_modification") }}}
 {{{ bash_fix_audit_watch_rule("augenrules", "/etc/sysconfig/network", "wa", "audit_rules_networkconfig_modification") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/oval/debian.xml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/oval/debian.xml
new file mode 120000
index 000000000000..70f08ba8db12
--- /dev/null
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/oval/debian.xml
@@ -0,0 +1 @@
+ubuntu.xml
\ No newline at end of file
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml
index 69b1eae5a846..4626ec550ce7 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml
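Review bot: The new `{{% elif 'debian' in product -%}}` branch re-emits watch pairs the preceding Ubuntu branch already produces — the `/etc/network/` augenrules call is visible in the context lines, and the `/etc/networks` pair is implied by rule.yml in this same patch — so the Debian list is a second copy that has to be kept in sync by hand. rule.yml resolves the same need by widening its condition to `{{% if 'ubuntu' in product or 'debian' in product -%}}`; applying the same widening to the branch head above this hunk, with the two `/etc/netplan/` calls kept under their `ubuntu2404` guard, would let the added block be dropped, provided netplan is already guarded separately, which the visible lines do not show. The enclosing `{{% if %}}` opens before the hunk, so the branch head itself is outside the visible range.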
@@ -16,7 +16,7 @@ description: |- {{% if product in ['ubuntu2404'] %}} -w /etc/netplan/ -p wa -k audit_rules_networkconfig_modification {{% endif %}} - {{% if 'ubuntu' in product -%}} + {{% if 'ubuntu' in product or 'debian' in product -%}} -w /etc/networks -p wa -k audit_rules_networkconfig_modification -w /etc/network/ -p wa -k audit_rules_networkconfig_modification {{% else -%}} @@ -31,7 +31,7 @@ description: |- -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification - {{% if 'ubuntu' in product -%}} + {{% if 'ubuntu' in product or 'debian' in product -%}} -w /etc/networks -p wa -k audit_rules_networkconfig_modification -w /etc/network/ -p wa -k audit_rules_networkconfig_modification {{% else -%}} @@ -76,7 +76,7 @@ ocil: |- run the following command: {{% if product in ['ubuntu2404'] -%}}
auditctl -l | grep -E '(/etc/issue|/etc/issue.net|/etc/hosts|/etc/networks|/etc/network/|/etc/netplan/)'
- {{% elif 'ubuntu' in product -%}}
+ {{% elif 'ubuntu' in product or 'debian' in product -%}}
auditctl -l | grep -E '(/etc/issue|/etc/issue.net|/etc/hosts|/etc/networks|/etc/network/)'
{{% else -%}}
auditctl -l | grep -E '(/etc/issue|/etc/issue.net|/etc/hosts|/etc/sysconfig/network)'
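Review bot: The condition `'ubuntu' in product or 'debian' in product` is now written out three times in rule.yml (the two description hunks at lines 16 and 31 and this OCIL hunk), and the same Debian/Ubuntu split is repeated in bash/shared.sh and, after patch 4, in oval/shared.xml, so the next Debian-like product has to be threaded through five places and a miss in any one of them leaves description, remediation and check disagreeing. A product-level property, in the style of the `audit_watches_style: legacy` key already present in the product stability data, would let every template test one flag instead of a string match on the product name; if that is out of scope here, a short comment next to the first `{{% if %}}` noting that bash/shared.sh and oval/shared.xml carry the same branch list would at least point the next editor at the other copies.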
From 286830128b1ecf521601c0c0bd989774a07eb571 Mon Sep 17 00:00:00 2001
From: Alexandre Skrzyniarz
Date: Thu, 20 Nov 2025 14:59:35 +0100
Subject: [PATCH 2/4] add audit package override for Debian products
---
 products/debian12/product.yml | 1 +
 products/debian13/product.yml | 2 ++
 2 files changed, 3 insertions(+)
diff --git a/products/debian12/product.yml b/products/debian12/product.yml
index 3a6589be46be..f98d5a52706a 100644
--- a/products/debian12/product.yml
+++ b/products/debian12/product.yml
@@ -39,6 +39,7 @@ platform_package_overrides:
pam: libpam-runtime
shadow: login
sssd: sssd-common
+ audit: auditd
reference_uris:
cis: 'https://www.cisecurity.org/benchmark/debian_linux/'
diff --git a/products/debian13/product.yml b/products/debian13/product.yml
index 91ae2cbee93e..379b4d89eb02 100644
--- a/products/debian13/product.yml
+++ b/products/debian13/product.yml
@@ -39,3 +39,5 @@ platform_package_overrides:
pam: libpam-runtime
shadow: login
sssd: sssd-common
+ audit: auditd
+
From 43b5120ce73c9e851b866820124c0a11796b638f Mon Sep 17 00:00:00 2001
From: Alexandre Skrzyniarz
Date: Sat, 22 Nov 2025 11:22:05 +0100
Subject: [PATCH 3/4] update products stability data
---
 tests/data/product_stability/debian12.yml | 15 ++++++++-------
 tests/data/product_stability/debian13.yml | 15 ++++++++-------
 2 files changed, 16 insertions(+), 14 deletions(-)
diff --git a/tests/data/product_stability/debian12.yml b/tests/data/product_stability/debian12.yml
index 3c3cf42a76b0..abda39ef1b19 100644
--- a/tests/data/product_stability/debian12.yml
+++ b/tests/data/product_stability/debian12.yml
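Review bot: products/debian13/product.yml gains a stray empty line at end of file: the hunk header `@@ -39,3 +39,5 @@` counts two additions while only `audit: auditd` carries content, so the trailing `+` is a blank line. The debian12 hunk in the same patch adds only the key, and dropping the blank keeps the two product files aligned and avoids a whitespace-only diff the next time debian13/product.yml is touched.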
@@ -4,13 +4,13 @@ aide_bin_path: /usr/sbin/aide
aide_conf_path: /etc/aide/aide.conf
audisp_conf_path: /etc/audit
audit_binaries:
- - /sbin/auditctl
- - /sbin/aureport
- - /sbin/ausearch
- - /sbin/autrace
- - /sbin/auditd
- - /sbin/audispd
- - /sbin/augenrules
+- /sbin/auditctl
+- /sbin/aureport
+- /sbin/ausearch
+- /sbin/autrace
+- /sbin/auditd
+- /sbin/audispd
+- /sbin/augenrules
audit_watches_style: legacy
auid: 1000
basic_properties_derived: true
@@ -49,6 +49,7 @@ pkg_manager: apt_get
pkg_system: dpkg
platform_package_overrides:
aarch64_arch: null
+ audit: auditd
gdm: gdm3
grub2: grub2-common
login_defs: login
diff --git a/tests/data/product_stability/debian13.yml b/tests/data/product_stability/debian13.yml
index 148957c3a685..731b58418825 100644
--- a/tests/data/product_stability/debian13.yml
+++ b/tests/data/product_stability/debian13.yml
@@ -4,13 +4,13 @@ aide_bin_path: /usr/sbin/aide
aide_conf_path: /etc/aide/aide.conf
audisp_conf_path: /etc/audit
audit_binaries:
- - /sbin/auditctl
- - /sbin/aureport
- - /sbin/ausearch
- - /sbin/autrace
- - /sbin/auditd
- - /sbin/audispd
- - /sbin/augenrules
+- /sbin/auditctl
+- /sbin/aureport
+- /sbin/ausearch
+- /sbin/autrace
+- /sbin/auditd
+- /sbin/audispd
+- /sbin/augenrules
audit_watches_style: legacy
auid: 1000
basic_properties_derived: true
@@ -50,6 +50,7 @@ pkg_manager: apt_get
pkg_system: dpkg
platform_package_overrides:
aarch64_arch: null
+ audit: auditd
gdm: gdm3
grub2: grub2-common
login_defs: login
From 46bcdb2ddca1ecd0b750072089510b5a25628f38 Mon Sep 17 00:00:00 2001
From: Alexandre Skrzyniarz
Date: Wed, 3 Dec 2025 09:59:07 +0100
Subject: [PATCH 4/4] consolidate audit_rules_networking_modification OVAL checks into a single file
---
 .../oval/debian.xml | 1 -
 .../oval/shared.xml | 94 +++++--------------
 .../oval/ubuntu.xml | 57 -----------
 3 files changed, 24 insertions(+), 128 deletions(-)
 delete mode 120000 linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/oval/debian.xml
 delete mode 100644 linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/oval/ubuntu.xml
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/oval/debian.xml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/oval/debian.xml
deleted file mode 120000
index 70f08ba8db12..000000000000
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/oval/debian.xml
+++ /dev/null
@@ -1 +0,0 @@
-ubuntu.xml
\ No newline at end of file
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/oval/shared.xml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/oval/shared.xml
index 33c52dc56496..9d3a113a76fe 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/oval/shared.xml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/oval/shared.xml
@@ -1,3 +1,11 @@ +{{% if product in ['ubuntu2404'] %}} +{{% set paths = ('/etc/issue', '/etc/issue.net', '/etc/hosts', '/etc/networks', '/etc/network/', '/etc/netplan/') %}} +{{% elif 'ubuntu' in product or 'debian' in product %}} +{{% set paths = ('/etc/issue', '/etc/issue.net', '/etc/hosts', '/etc/networks', '/etc/network/') %}} +{{% else %}} +{{% set paths = ('/etc/issue', '/etc/issue.net', '/etc/hosts', '/etc/sysconfig/network') %}} +{{% endif %}} + {{{ oval_metadata("The network environment should not be modified by anything other than @@ -8,10 +16,9 @@ - - - - + {{% for path in paths %}} + + {{% endfor %}} @@ -19,10 +26,9 @@ - - - - + {{% for path in paths %}} + + {{% endfor %}} @@ -30,76 +36,24 @@ - - - - - ^/etc/audit/rules\.d/.*\.rules$ - ^\-w[\s]+/etc/issue[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ - 1 - - - - - - - ^/etc/audit/rules\.d/.*\.rules$ - ^\-w[\s]+/etc/issue\.net[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ - 1 - - - - - - - ^/etc/audit/rules\.d/.*\.rules$ - ^\-w[\s]+/etc/hosts[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ - 1 - - - - + {{% for path in paths %}} + + - + ^/etc/audit/rules\.d/.*\.rules$ - ^\-w[\s]+/etc/sysconfig/network[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ - 1 - - - - - - - /etc/audit/audit.rules - ^\-w[\s]+/etc/issue[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ - 1 - - - - - - - /etc/audit/audit.rules - ^\-w[\s]+/etc/issue\.net[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ - 1 - - - - - - - /etc/audit/audit.rules - ^\-w[\s]+/etc/hosts[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ + ^\-w[\s]+{{{ path | escape_regex }}}[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ 1 - - + + - + /etc/audit/audit.rules - ^\-w[\s]+/etc/sysconfig/network[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ + ^\-w[\s]+{{{ path | escape_regex }}}[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ 1 + {{% endfor %}} 
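Review bot: The `{{% set paths = (...) %}}` tuples added at the top of shared.xml are a third hand-maintained copy of the per-product watch list — rule.yml (description and OCIL) and bash/shared.sh carry the same `ubuntu2404` / `'ubuntu' in product or 'debian' in product` / else split with the same paths — so a path added to one file and not the others leaves the remediation writing a rule the check never looks for, or the check demanding a rule the remediation never writes; hoisting the list into one shared template variable or macro, or deriving it from a product property, would remove that drift. Separately, the state pattern `^\-w[\s]+{{{ path | escape_regex }}}[\s]+\-p[\s]+...` carried over from ubuntu.xml requires the directory entries to appear with their trailing slash (`/etc/network/`, `/etc/netplan/`): a rule written as `-w /etc/network -p wa -k audit_rules_networkconfig_modification` cannot satisfy `[\s]+` right after `/etc/network/`, so the check fails for a watch that is arguably in place. If the slash form is deliberately the only accepted spelling, a one-line comment above the `{{% set paths = … %}}` block saying so would help; otherwise something like `{{{ path.rstrip('/') | escape_regex }}}/?[\s]+` in both states would accept either spelling. Whether auditctl normalizes the trailing slash when listing rules is not something this diff shows, so treat the second point as a question to confirm.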
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/oval/ubuntu.xml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/oval/ubuntu.xml deleted file mode 100644 index 38fc92f0a7cc..000000000000 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/oval/ubuntu.xml +++ /dev/null @@ -1,57 +0,0 @@ -{{% if product in ['ubuntu2404'] %}} -{{% set paths = ('/etc/issue', '/etc/issue.net', '/etc/hosts', '/etc/networks', '/etc/network/', '/etc/netplan/') %}} -{{% else %}} -{{% set paths = ('/etc/issue', '/etc/issue.net', '/etc/hosts', '/etc/networks', '/etc/network/') %}} -{{% endif %}} - - - - {{{ oval_metadata("The network environment should not be modified by anything other than - administrator action. Any change to network parameters should be audited.", rule_title=rule_title) }}} - - - - - - - {{% for path in paths %}} - - {{% endfor %}} - - - - - - - - {{% for path in paths %}} - - {{% endfor %}} - - - - - - - - {{% for path in paths %}} - - - - - ^/etc/audit/rules\.d/.*\.rules$ - ^\-w[\s]+{{{ path | escape_regex }}}[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ - 1 - - - - - - - /etc/audit/audit.rules - ^\-w[\s]+{{{ path | escape_regex }}}[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ - 1 - - {{% endfor %}} - -