Modifying Linux Fixlet "Ensure use of privileged commands is collected"

The default check is as follows:

not exists 1 whose (0 < number of (((it as string) of column "filepath" of it) of (rows of statements (concatenation " and " of ("select * from filesystem where (type = 'f') and (path GLOB '/' OR path GLOB '/') and (filename GLOB '?')"; "permission GLOB '???[sS]???'"; "permission GLOB '???[sS]???'")) of sqlite database of (file it | error ("no file: " & it)) of concatenation "/" of (pathname of data folder of client; "__SCMData"; "fileresults.db")) whose (true AND true)) whose (not ((number of substrings separated by ", " whose (it is not "") whose (it as boolean) of it > 0) of concatenation ", " of (it as string) of (regex ((if it starts with "^" then it else "." & it) of (if it ends with "$" then it else if (it != ".+" and it != ".") then (it & ".*") else it) of (concatenation of ("^-a (always,exit|exit,always) -F path="; item 1 of it; " -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged$"))) = item 0 of it) of ((lines of it) of files "/etc/audit/audit.rules", (it)))))

I need to change the following section:
concatenation of ("^-a (always,exit|exit,always) -F path="; item 1 of it; " -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged$")

To instead check for the following lines in the /etc/audit/audit.rules file:
-a exit,always -F arch=b64 -S clone -S fork -S vfork -S execve -S exit_group -k crowdstrike
-a exit,always -F arch=b32 -S clone -S fork -S vfork -S execve -S exit_group -k crowdstrike

The lines above are how they appear in the file. I have been trying the following regex with little success:
^-a (always,exit|exit,always) -F arch="; item 1 of it; " -S clone -S fork -S vfork -S execve -S exit_group -k crowdstrike

Could someone help me out with the regex?
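
An added example, not part of the original post and not BigFix relevance: a Python sketch of the check the two target lines call for, with one anchored regex per arch value and no per-file component. The function names and the sample rule files are constructed for illustration, and the pattern uses only constructs that also exist in POSIX extended regex.

```python
import re

# Syscalls in the order the two target lines in the post list them.
SYSCALLS = ("clone", "fork", "vfork", "execve", "exit_group")

def rule_regex(arch):
    """Anchored pattern for one arch; accepts either action,list ordering."""
    syscalls = "".join(" -S " + s for s in SYSCALLS)
    return re.compile(
        r"^-a (always,exit|exit,always) -F arch=" + re.escape(arch)
        + syscalls + r" -k crowdstrike$"
    )

def missing_arches(rules_text, arches=("b64", "b32")):
    """Return the arch values that have no matching line in audit.rules text."""
    # Assumption: surrounding whitespace is not significant, so strip it.
    lines = [ln.strip() for ln in rules_text.splitlines()]
    missing = []
    for arch in arches:
        rx = rule_regex(arch)
        if not any(rx.match(ln) for ln in lines):
            missing.append(arch)
    return missing

# Constructed sample: both rules present, one in each accepted ordering.
SAMPLE_OK = """\
# constructed sample audit.rules
-D
-b 8192
-a exit,always -F arch=b64 -S clone -S fork -S vfork -S execve -S exit_group -k crowdstrike
-a always,exit -F arch=b32 -S clone -S fork -S vfork -S execve -S exit_group -k crowdstrike
"""

# Constructed sample: b32 rule commented out, plus a partial rule with the same key.
SAMPLE_BAD = """\
-a exit,always -F arch=b64 -S clone -S fork -S vfork -S execve -S exit_group -k crowdstrike
#-a exit,always -F arch=b32 -S clone -S fork -S vfork -S execve -S exit_group -k crowdstrike
-a exit,always -F arch=b32 -S execve -k crowdstrike
"""

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, "missing:", missing_arches(text))
```

Because the pattern is anchored at both ends, a commented-out rule or a rule carrying only some of the syscalls counts as missing.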