audit: Filter-out unavailable AArch64 syscalls

[ta/infra-ansible.git] / roles / audit / templates / 43-module-load.rules.j2

## These rules watch for kernel module insertion
{%- set S_create_module = '-S create_module' %}
{%- set S_kexec_file_load = '-S kexec_file_load' %}
{# Filter syscalls not available on certain platforms #}
{% if ansible_architecture in ['aarch64'] %}
    {%- set S_create_module = '' %}
    {%- set S_kexec_file_load = '' %}
{% endif %}
-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module {{ S_create_module }} -S finit_module {{ S_kexec_file_load }} -S kexec_load -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module {{ S_create_module }} -S finit_module -k modules