+++ This bug was initially created as a clone of Bug #2232607 +++

Description of problem:
anssi_bp28_high profile's audit rules are invalid on aarch64 architecture.

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.69-1.el8

How reproducible:
deterministic

Steps to Reproduce:
1. Remediate installed system using ANSSI High profile:
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_anssi_bp28_high --progress --remediate /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
2. Examine auditd service status

Actual results:

1. systemctl status -l auditd
   ● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2023-08-17 09:43:05 EDT; 8min ago
   Docs: man:auditd(8)
   https://github.com/linux-audit/audit-documentation
   Process: 769 ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE)
   Process: 759 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
   Main PID: 766 (auditd)
   Tasks: 2 (limit: 8799)
   Memory: 7.6M
   CGroup: /system.slice/auditd.service
   └─766 /sbin/auditd

Aug 17 09:43:04 hpe-apollo-cn99xx-14-vm-30.khw4.lab.eng.bos.redhat.com systemd[1]: Starting Security Auditing Service...
Aug 17 09:43:04 hpe-apollo-cn99xx-14-vm-30.khw4.lab.eng.bos.redhat.com auditd[766]: No plugins found, not dispatching events
Aug 17 09:43:04 hpe-apollo-cn99xx-14-vm-30.khw4.lab.eng.bos.redhat.com auditd[766]: Init complete, auditd 3.0.7 listening for events (startup state enable)
Aug 17 09:43:05 hpe-apollo-cn99xx-14-vm-30.khw4.lab.eng.bos.redhat.com augenrules[801]: Syscall name unknown: creat
Aug 17 09:43:05 hpe-apollo-cn99xx-14-vm-30.khw4.lab.eng.bos.redhat.com augenrules[801]: There was an error in line 7 of /etc/audit/audit.rules
====

1. augenrules --load
   Syscall name unknown: creat
   There was an error in line 7 of /etc/audit/audit.rules
   ====

1. head -n7 /etc/audit/audit.rules
   1. This file is automatically generated from /etc/audit/rules.d
      -D

-w /etc/selinux/ -p wa -k MAC-policy
-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
====

Even after removing the offending line there are still other errors so audit rules on aarch64 architecture need to be revisited and fixed.

Expected results:
`augenrules --load` successfully loads all configured audit rules.

Additional info:

— Additional comment from Matus Marhefka on 2023-08-17 14:05:46 UTC —

This issue was hidden as we are also missing service_auditd_enabled rule in the profile, the rule needs to be added into all ANSSI profiles which configure audit.

— Additional comment from Vojtech Polasek on 2023-08-21 08:16:46 UTC —

Analysis:

• add service_auditd_enabled into the ANSSI profiles which use Audit rules
• analyze rules used in ANSSI profiles and find out problematic rules which prevent Audit from starting on aarch64 platform. Then, create new / modify existing rules to make them working on aarch64.