Ordered audit rules

Change-Id: Idb705cfab5cebb4568109f9b25a6087b9a667d1b
Closes-PROD: https://mirantis.jira.com/browse/PROD-21187
diff --git a/README.rst b/README.rst
index b9df62f..6e81855 100644
--- a/README.rst
+++ b/README.rst
@@ -71,7 +71,8 @@
         enabled: 0
         bufsize: 8192
       rules:
-        some_rule_key:
+        1:
+          key: some_rule_key
           enabled: true
           rule_list:
             - '-w /etc/passwd -p wa'
diff --git a/auditd/files/auditd.rules.conf b/auditd/files/auditd.rules.conf
index 8012bcb..031b268 100644
--- a/auditd/files/auditd.rules.conf
+++ b/auditd/files/auditd.rules.conf
@@ -1,38 +1,36 @@
 {%- from "auditd/map.jinja" import rules with context %}
 {%- set filter_fs = rules.get('filter_fs', []) -%}
 {%- set filter_paths = rules.get('filter_paths', []) -%}
+{%- set auid = rules.get('auid', 1000) -%}
 
 -D
 {%- set bufsize = rules.get('options', {}).get('bufsize', 8192) %}
 -b {{ bufsize }}
 
-{%- set ruledict = rules.get('rules', {}) %}
-{%- if ruledict|length > 0 %}
-# Rules
-{%- for rulegroup, options in ruledict.items() %}
-# {{ rulegroup }} section
-{%- if options.get('enabled', false) -%}
-{%- for rule in options.get('rule_list', []) %}
-{{ rule }} -k {{ rulegroup }}
-{%- endfor %}
-{%- endif %}
-{%- endfor %}
-{%- endif %}
-
-{# Dynamically generated list of binaries which have sgid/suid bit #}
-{# It can be extended via the auditd.rules.rules.privileged.rule_list #}
-{%- if pillar.auditd.rules.rules.privileged is defined -%}
-{%-   if ruledict.privileged.get('enabled') -%}
-{%-     set privileged_list = salt['auditd.find_privileged'](filter_fs=filter_fs,filter_paths=filter_paths) -%}
-# Dinamically generated list of privileged files
-{%-     for bin in privileged_list -%}
-{%-         set rule = '-a always,exit -F path='+ bin +' -F perm=x -F auid>=1000 -F auid!=4294967295' -%}
-{%-         if rule not in ruledict.get('privileged', {}).get('rule_list', []) %}
-{{ rule + ' -k privileged' }}
+# Rules (might be empty)
+{%- for _, ruleblock in rules.get('rules', {})|dictsort %}
+{%-   if ruleblock.get('enabled', false) %}
+{%-     set rules = ruleblock.get('rule_list', []) %}
+{%-     set rulekey = ruleblock['key'] %}
+{%-     if rulekey == 'privileged' -%}
+{# Generate suid/sgid binaries list dynamically.
+This behavior can not be changed but the list can be extended via the corresponding pillar. #}
+{%-       set privileged_list = salt['auditd.find_privileged'](filter_fs=filter_fs,filter_paths=filter_paths) -%}
+{%-       for bin in privileged_list -%}
+{%-         set rule = '-a always,exit -F path='+ bin +' -F perm=x -F auid>='~ auid ~' -F auid!=4294967295' -%}
+{%-         if rule not in rules %}
+{%-           do rules.append(rule) %}
 {%-         endif %}
-{%-     endfor -%}
-{%-   endif -%}
-{%- endif %}
+{%-       endfor %}
+{%-     endif %}
+{%     if rules|length > 0 %}
+# "{{ rulekey }}" section
+{%-       for rule in rules %}
+{{ rule }} -k {{ rulekey }}
+{%-       endfor %}
+{%-     endif %}
+{%-   endif %}
+{%- endfor %}
 
 # Enabled
 {%- set enabled = rules.get('options', {}).get('enabled', 0) %}
diff --git a/metadata/service/rules/ciscat.yml b/metadata/service/rules/ciscat.yml
index 2417e1c..fca89c3 100644
--- a/metadata/service/rules/ciscat.yml
+++ b/metadata/service/rules/ciscat.yml
@@ -25,90 +25,104 @@
         enabled: 2
         bufsize: 8192
       rules:
-        MAC_policy:
+        100:
+          key: MAC_policy
           enabled: true
           rule_list:
-            - '-w /etc/apparmor/ -p wa'
-            - '-w /etc/apparmor.d/ -p wa'
-        access:
+          - '-w /etc/apparmor/ -p wa'
+          - '-w /etc/apparmor.d/ -p wa'
+        110:
+          key: access
           enabled: true
           rule_list:
-            - '-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295'
-            - '-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295'
-            - '-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295'
-            - '-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295'
-        actions:
+          - '-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295'
+          - '-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295'
+          - '-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295'
+          - '-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295'
+        120:
+          key: actions
           enabled: true
           rule_list:
-            - '-w /var/log/sudo.log -p wa'
-        delete:
+          - '-w /var/log/sudo.log -p wa'
+        130:
+          key: delete
           enabled: true
           rule_list:
-            - '-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295'
-            - '-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295'
-        identity:
+          - '-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295'
+          - '-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295'
+        140:
+          key: identity
           enabled: true
           rule_list:
-            - '-w /etc/group -p wa'
-            - '-w /etc/passwd -p wa'
-            - '-w /etc/gshadow -p wa'
-            - '-w /etc/shadow -p wa'
-            - '-w /etc/security/opasswd -p wa'
-        logins:
+          - '-w /etc/group -p wa'
+          - '-w /etc/passwd -p wa'
+          - '-w /etc/gshadow -p wa'
+          - '-w /etc/shadow -p wa'
+          - '-w /etc/security/opasswd -p wa'
+        150:
+          key: logins
           enabled: true
           rule_list:
-            - '-w /var/log/faillog -p wa'
-            - '-w /var/log/lastlog -p wa'
-            - '-w /var/log/tallylog -p wa'
-        modules:
+          - '-w /var/log/faillog -p wa'
+          - '-w /var/log/lastlog -p wa'
+          - '-w /var/log/tallylog -p wa'
+        160:
+          key: modules
           enabled: true
           rule_list:
-            - '-w /sbin/insmod -p x'
-            - '-w /sbin/rmmod -p x'
-            - '-w /sbin/modprobe -p x'
-            - '-a always,exit -F arch=b64 -S init_module -S delete_module'
-        mounts:
+          - '-w /sbin/insmod -p x'
+          - '-w /sbin/rmmod -p x'
+          - '-w /sbin/modprobe -p x'
+          - '-a always,exit -F arch=b64 -S init_module -S delete_module'
+        170:
+          key: mounts
           enabled: true
           rule_list:
-            - '-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295'
-            - '-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295'
-        perm_mod:
+          - '-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295'
+          - '-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295'
+        180:
+          key: perm_mod
           enabled: true
           rule_list:
-            - '-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295'
-            - '-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295'
-            - '-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295'
-            - '-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295'
-            - '-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295'
-            - '-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295'
-        privileged:
+          - '-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295'
+          - '-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295'
+          - '-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295'
+          - '-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295'
+          - '-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295'
+          - '-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295'
+        190:
+          key: privileged
           enabled: true
-        scope:
+        200:
+          key: scope
           enabled: true
           rule_list:
-            - '-w /etc/sudoers -p wa'
-            - '-w /etc/sudoers.d -p wa'
-        session:
+          - '-w /etc/sudoers -p wa'
+          - '-w /etc/sudoers.d -p wa'
+        210:
+          key: session
           enabled: true
           rule_list:
-            - '-w /var/run/utmp -p wa'
-            - '-w /var/log/wtmp -p wa'
-            - '-w /var/log/btmp -p wa'
-        system_locale:
+          - '-w /var/run/utmp -p wa'
+          - '-w /var/log/wtmp -p wa'
+          - '-w /var/log/btmp -p wa'
+        220:
+          key: system_locale
           enabled: true
           rule_list:
-            - '-a always,exit -F arch=b64 -S sethostname -S setdomainname'
-            - '-a always,exit -F arch=b32 -S sethostname -S setdomainname'
-            - '-w /etc/issue -p wa'
-            - '-w /etc/issue.net -p wa'
-            - '-w /etc/hosts -p wa'
-            - '-w /etc/network -p wa'
-            - '-w /etc/networks -p wa'
-        time_change:
+          - '-a always,exit -F arch=b64 -S sethostname -S setdomainname'
+          - '-a always,exit -F arch=b32 -S sethostname -S setdomainname'
+          - '-w /etc/issue -p wa'
+          - '-w /etc/issue.net -p wa'
+          - '-w /etc/hosts -p wa'
+          - '-w /etc/network -p wa'
+          - '-w /etc/networks -p wa'
+        230:
+          key: time_change
           enabled: true
           rule_list:
-            - '-a always,exit -F arch=b64 -S adjtimex -S settimeofday'
-            - '-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime'
-            - '-a always,exit -F arch=b64 -S clock_settime'
-            - '-a always,exit -F arch=b32 -S clock_settime'
-            - '-w /etc/localtime -p wa'
+          - '-a always,exit -F arch=b64 -S adjtimex -S settimeofday'
+          - '-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime'
+          - '-a always,exit -F arch=b64 -S clock_settime'
+          - '-a always,exit -F arch=b32 -S clock_settime'
+          - '-w /etc/localtime -p wa'
diff --git a/tests/pillar/rules.sls b/tests/pillar/rules.sls
index 2e4bb0d..e77aff2 100644
--- a/tests/pillar/rules.sls
+++ b/tests/pillar/rules.sls
@@ -29,7 +29,8 @@
       enabled: 0
       bufzise: 4096
     rules:
-      host_conf:
+      1:
+        key: host_conf
         enabled: true
         rule_list:
           - '-w /etc/host.conf -p wa'