>From 65ecb3adaeff4e5e4aafb055cd2e6a13fd3cd39c Mon Sep 17 00:00:00 2001
From: Shawn Wells <shawn@redhat.com>
Date: Sat, 25 Feb 2012 17:24:52 -0500
Subject: [PATCH 23/24] Updated audit_dac_actions to watch umask settings
 - Updated audit_dac_actions to watch for umask settings
 - Also updated audit_rules_dac_modification.xml for the check

---
 .../input/checks/audit_rules_dac_modification.xml  |   10 ++++++++++
 rhel6/src/input/system/auditing.xml                |    1 +
 2 files changed, 11 insertions(+), 0 deletions(-)

diff --git a/rhel6/src/input/checks/audit_rules_dac_modification.xml b/rhel6/src/input/checks/audit_rules_dac_modification.xml
index 6227308..c5792ed 100644
--- a/rhel6/src/input/checks/audit_rules_dac_modification.xml
+++ b/rhel6/src/input/checks/audit_rules_dac_modification.xml
@@ -30,6 +30,16 @@
     <ind:pattern operation="pattern match">^\-a\s+always,exit\s+(\-F\s+arch=(b64|b32)\s+)?\-S\s+chown\s+\-S\s+fchown\s+\-S\s+fchownat\s+\-S\s+lchown\s+\-F\s+auid>=500\s+\-F\s+auid!=4294967295\s+\-k\s+[-\w]+\s*$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" comment="dac modification umask" id="test_audit_rules_dac_modification_umask" version="1">
+    <ind:object object_ref="object_audit_rules_dac_modification_umask" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_audit_rules_dac_modification_umask" version="1">
+    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
+    <ind:pattern operation="pattern match">^\-a\s+always,exit\s+\(\-F\s+arch=(b64|b32)\s+)?\-S\s+umask\s+\-F\s+auid>=500\s+\-F\s+auid!=4294967295\s+\-k\s+[-\w]+\s*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
   <ind:textfilecontent54_test check="all" comment="dac modification attr" id="test_audit_rules_dac_modification_attr" version="1">
     <ind:object object_ref="object_audit_rules_dac_modification_attr" />
   </ind:textfilecontent54_test>
diff --git a/rhel6/src/input/system/auditing.xml b/rhel6/src/input/system/auditing.xml
index a8d7b67..d01c5fb 100644
--- a/rhel6/src/input/system/auditing.xml
+++ b/rhel6/src/input/system/auditing.xml
@@ -294,6 +294,7 @@ anything other than administrator action. All changes to MAC policy should be au
 -a always,exit -F arch=ARCH -S setxattr -S lsetxattr \
     -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr \
     -F auid&gt;=500 -F auid!=4294967295 -k audit_dac_actions</pre>
+-a always,exit -F arch=ARCH -S umask -F auid&gt;=500 -F auid!=4294967295 -k audit_dac_actions    
 <br />
 Additionally, if you are on a 32-bit system add the following audit rule:
 <pre>-a always,exit -F arch=b32 -S fchown32 -S chown32 -S lchown32</pre>
-- 
1.7.1