OPENSCAP-4921 - Change audit watches for ARLE #13194

Open · wants to merge 5 commits into base: master
Conversation

jan-cerny (Collaborator) commented Mar 18, 2025

In RHEL 10, audit recommends using a new type of audit rule for watches of login events. Old-style watch rules are slower; for inspiration, check:
linux-audit/audit-userspace@614f7d1#diff-358ef6b204ee1b214ce4c8f9bdca09612bc86ed3de442374dd910d243ea33fa7R107

Our templates audit_rules_login_events and audit_rules_watch are similar. This PR merges them into a single template, audit_rules_watch. Then it converts rules that use the audit_rules_login_events template to use the audit_rules_watch template instead. This reduces code duplication. It also makes it easier to convert rules to use the modern audit watches.

We extend the audit_rules_watch template to support the new type of audit watches.

Use of the new type of watches is configured by the product property audit_watches_style, which can be set to modern or legacy. The default value is legacy. It is set to modern in the rhel10 product; other products use legacy.

We won't change audit_rules_login_events and audit_rules_login_events_faillog because these rules aren't used in RHEL 10.

We also update the test scenarios to cover both styles of audit watches.

In RHEL 10, audit recommends using a new type of audit
rule for watches of login events. Old-style watch rules
are slower; for inspiration, check:
linux-audit/audit-userspace@614f7d1#diff-358ef6b204ee1b214ce4c8f9bdca09612bc86ed3de442374dd910d243ea33fa7R107

In this patch we extend the rules `audit_rules_login_events_faillock`,
`audit_rules_login_events_lastlog` and `audit_rules_login_events_tallylog`
to support this new type of audit watches.

Use of the new type of watches is configured by the product property
`audit_watches_style`, which can be set to `modern` or `legacy`. The
default value is `legacy`. It is set to `modern` in the `rhel10`
product; other products use `legacy`.

We won't change `audit_rules_login_events` and
`audit_rules_login_events_faillog` because these rules aren't used in
RHEL 10.

We also update the test scenarios to cover both styles of audit watches.
jan-cerny added the labels Update Rule (Issues or pull requests related to Rules updates.) and RHEL10 (Red Hat Enterprise Linux 10 product related.) on Mar 18, 2025
jan-cerny added this to the 0.1.77 milestone on Mar 18, 2025
jan-cerny requested review from a team as code owners on March 18, 2025 09:07
jan-cerny changed the title from "Change audit watches for ARLE" to "OPENSCAP-4921 - Change audit watches for ARLE" on Mar 18, 2025
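The description and commit message above talk about two shapes of file-watch rule and about templates that must detect an existing watch before adding one. The following checker is an added example for this thread, not code from the PR, from the ComplianceAsCode/content templates or from audit-userspace. It accepts the legacy watch syntax `-w PATH -p BITS -k KEY` and the syscall-rule form `-a always,exit ... -F path=PATH -F perm=BITS -F key=KEY` documented in auditctl(8); treating that second form as the non-watch style is an assumption, since the PR only links the upstream commit rather than showing the rule text. The sample rules file is constructed. The checker compares paths exactly (so a watch on /etc/issue.net does not satisfy /etc/issue) and merges permission bits into an existing rule instead of appending a duplicate, which is what the grep/sed logic in the datastream diff below is trying to do.

```python
"""Find and fix audit file-watch rules in both syntaxes.

Added example for this PR thread; not code from ComplianceAsCode/content or
audit-userspace. Legacy form:          -w PATH -p BITS -k KEY
Syscall-rule form (auditctl(8)):       -a always,exit ... -F path=PATH -F perm=BITS -F key=KEY
Whether the second form is exactly what the template's "modern" style emits
is an assumption; the PR only links the upstream audit commit.
"""
import re
import shlex
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Watch:
    path: str
    perms: frozenset
    key: Optional[str]
    style: str  # "legacy" (-w) or "syscall" (-a ... -F path=)


def parse_rule(line: str) -> Optional[Watch]:
    """Parse one rules line; None for blanks, comments and rules without a path."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    toks = shlex.split(line)
    path = key = style = None
    perms = set()
    for flag, arg in zip(toks, toks[1:]):  # each option together with its argument
        if flag == "-w":
            path, style = arg, "legacy"
        elif flag == "-p":
            perms = set(arg)
        elif flag == "-k":
            key = arg
        elif flag == "-F":
            name, _, value = arg.partition("=")
            if name == "path":
                path, style = value, style or "syscall"
            elif name == "perm":
                perms = set(value)
            elif name == "key":
                key = value
    if path is None:
        return None
    # No -p / -F perm means the rule is not restricted by access type
    # (auditctl -l shows such a watch as -p rwxa), so it covers every bit.
    return Watch(path, frozenset(perms or "rwxa"), key, style)


def _same_path(a: str, b: str) -> bool:
    # /etc/selinux and /etc/selinux/ name the same object; /etc/issue.net does
    # not satisfy /etc/issue, which a prefix grep such as "-w[\s]+/etc/issue" gets wrong.
    return a.rstrip("/") == b.rstrip("/")


def find_watch(rules: str, path: str) -> Optional[Watch]:
    for line in rules.splitlines():
        w = parse_rule(line)
        if w is not None and _same_path(w.path, path):
            return w
    return None


def missing_perms(rules: str, path: str, required: str = "wa") -> set:
    """Required bits not covered by any rule for PATH; an empty set is compliant."""
    w = find_watch(rules, path)
    return set(required) if w is None else set(required) - w.perms


def render(path: str, perms: str, key: str, style: str) -> str:
    if style == "legacy":
        return f"-w {path} -p {perms} -k {key}"
    return f"-a always,exit -F path={path} -F perm={perms} -F key={key}"


def ensure_watch(rules: str, path: str, required: str, key: str,
                 style: str = "legacy") -> str:
    """Merge missing bits into the existing rule for PATH, keeping the rest of
    that line, or append a new rule. The result always ends in a newline, so an
    appended rule can never be glued onto an unterminated last line."""
    lines = rules.splitlines()
    for i, line in enumerate(lines):
        w = parse_rule(line)
        if w is None or not _same_path(w.path, path):
            continue
        if not (set(required) - w.perms):
            break  # already satisfied, leave the line alone
        merged = "".join(b for b in "rwxa" if b in w.perms or b in required)
        line = re.sub(r"(-p\s+)[rwxa]+", r"\g<1>" + merged, line, count=1)
        lines[i] = re.sub(r"(-F\s+perm=)[rwxa]+", r"\g<1>" + merged, line, count=1)
        break
    else:
        lines.append(render(path, required, key, style))
    return "\n".join(lines) + "\n"


# Constructed sample; deliberately has no trailing newline on the last line.
SAMPLE_RULES = """\
## constructed sample rules file, not taken from a real host
-w /etc/selinux/ -p rwxa -k MAC-policy
#-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-a always,exit -F arch=b64 -S all -F path=/var/log/lastlog -F perm=wa -F key=logins
-w /var/log/faillock -p w -k logins"""


if __name__ == "__main__":
    for p in ("/etc/selinux/", "/etc/issue", "/etc/issue.net",
              "/var/log/lastlog", "/var/log/faillock"):
        print(f"{p:20} missing: {sorted(missing_perms(SAMPLE_RULES, p)) or 'nothing'}")
    print(ensure_watch(SAMPLE_RULES, "/var/log/faillock", "wa", "logins"), end="")
```

Run it as a script to see the per-path report and the repaired file; `missing_perms` is the check half (what an OVAL-style test asks) and `ensure_watch` the remediation half. The exact-path comparison and the superset handling are the two places where a line-oriented grep/sed approach most easily goes wrong.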

github-actions bot commented Mar 18, 2025

This datastream diff is auto generated by the check Compare DS/Generate Diff.
Due to the excessive size of the diff, it has been trimmed to fit the 65535-character limit.

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_mac_modification' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
+++ xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
@@ -25,7 +25,9 @@
 for audit_rules_file in "${files_to_inspect[@]}"
 do
     # Check if audit watch file system object rule for given path already present
+
     if grep -q -P -- "^[\s]*-w[\s]+/etc/selinux/" "$audit_rules_file"
+
     then
         # Rule is found => verify yet if existing rule definition contains
         # all of the required access type bits
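Review bot: the presence check `grep -q -P -- "^[\s]*-w[\s]+/etc/selinux/"` is a prefix match with nothing required after the path, so an existing watch on a sub-path (for example `-w /etc/selinux/semanage.conf -p wa`) satisfies it, the `then` branch runs, and the `/etc/selinux/` rule is never appended; anchor it with `/etc/selinux/(\s|$)` so it agrees with the `sed` extraction a few lines below, which does require whitespace right after the path. The empty `+` lines are Jinja whitespace leaking from the template rather than a logic change; trim it (`{%- ... -%}`) so the generated script stays byte-identical where nothing changed and the real fix is visible in the diff.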
@@ -33,7 +35,9 @@
         # Define BRE whitespace class shortcut
         sp="[[:space:]]"
         # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
-        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/selinux/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
+        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/selinux/$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
         # Split required access bits string into characters array
         # (to check bit's presence for one bit at a time)
         for access_bit in $(echo "wa" | grep -o .)
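Review bot: the removed `sed` line had a literal space before `$sp\+`, so the extraction only matched when at least two whitespace characters separated `/etc/selinux/` from `-p`; for a normal single-space rule `current_access_bits` came back empty, the loop over `wa` rebuilt it from nothing, and the `sed -i` that writes the bits back then replaced whatever the administrator had set (`-p rwxa` became `-p wa`). The new regex fixes that silently; add a test scenario with a pre-existing `-w /etc/selinux/ -p rwxa -k MAC-policy` line and assert the extra bits survive, otherwise the fix has no regression guard.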
@@ -49,12 +53,16 @@
         done
         # Propagate the updated rule's access bits (original + the required
         # ones) back into the /etc/audit/audit.rules file for that rule
+
         sed -i "s#\($sp*-w$sp\+/etc/selinux/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+
     else
         # Rule isn't present yet. Append it at the end of $audit_rules_file file
         # with proper key
 
+
         echo "-w /etc/selinux/ -p wa -k MAC-policy" >> "$audit_rules_file"
+
     fi
 done
 # Create a list of audit *.rules files that should be inspected for presence and correctness
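Review bot: `echo "-w /etc/selinux/ -p wa -k MAC-policy" >> "$audit_rules_file"` appends without checking that the file ends in a newline, so a rules file whose last line is unterminated gets the new rule glued onto it and `augenrules` then sees one malformed line instead of two rules; guard the append with `[ -n "$(tail -c1 "$audit_rules_file" 2>/dev/null)" ] && echo >> "$audit_rules_file"` (command substitution strips a trailing newline, so the test is only true when one is missing).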
@@ -73,7 +81,9 @@
 # If the audit is 'augenrules', then check if rule is already defined
 # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
 # If rule isn't defined, add '/etc/audit/rules.d/MAC-policy.rules' to list of files for inspection.
+
 readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/selinux/" /etc/audit/rules.d/*.rules)
+
 
 # For each of the matched entries
 for match in "${matches[@]}"
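Review bot: `grep -HP "[\s]*-w[\s]+/etc/selinux/" /etc/audit/rules.d/*.rules` has no `^` anchor, unlike the presence check above, so a commented-out line such as `# -w /etc/selinux/ -p wa` selects that file as the one to edit; add `^` so both patterns agree. Also, when no `*.rules` file exists the glob is passed through literally and grep prints a "No such file or directory" error to stderr in the middle of remediation; redirect it with `2>/dev/null`, since an empty `matches` array is the intended result in that case.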
@@ -102,7 +112,9 @@
 for audit_rules_file in "${files_to_inspect[@]}"
 do
     # Check if audit watch file system object rule for given path already present
+
     if grep -q -P -- "^[\s]*-w[\s]+/etc/selinux/" "$audit_rules_file"
+
     then
         # Rule is found => verify yet if existing rule definition contains
         # all of the required access type bits
@@ -110,7 +122,9 @@
         # Define BRE whitespace class shortcut
         sp="[[:space:]]"
         # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
-        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/selinux/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
+        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/selinux/$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
         # Split required access bits string into characters array
         # (to check bit's presence for one bit at a time)
         for access_bit in $(echo "wa" | grep -o .)
@@ -126,12 +140,16 @@
         done
         # Propagate the updated rule's access bits (original + the required
         # ones) back into the /etc/audit/audit.rules file for that rule
+
         sed -i "s#\($sp*-w$sp\+/etc/selinux/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+
     else
         # Rule isn't present yet. Append it at the end of $audit_rules_file file
         # with proper key
 
+
         echo "-w /etc/selinux/ -p wa -k MAC-policy" >> "$audit_rules_file"
+
     fi
 done
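Review bot: this second block for the `audit.rules` case is a verbatim copy of the `rules.d` block above, including the same regex fix; the template should emit the per-file loop once as a shell function taking the path, the access bits and the key, and call it for each file list. That halves the generated script and makes it impossible for the two copies to drift apart again, which is exactly how the stray-space bug survived in both places.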
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_mac_modification' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
+++ xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
@@ -18,7 +18,8 @@
   - reboot_required
   - restrict_strategy
 
-- name: Check if watch rule for /etc/selinux/ already exists in /etc/audit/rules.d/
+- name: Record Events that Modify the System's Mandatory Access Controls - Check if
+    watch rule for /etc/selinux/ already exists in /etc/audit/rules.d/
   find:
     paths: /etc/audit/rules.d
     contains: ^\s*-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+
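Review bot: `contains: ^\s*-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+` recognizes only a rule whose bits are exactly `wa`, so an existing `-w /etc/selinux/ -p rwxa -k MAC-policy`, which already satisfies the requirement, is reported as absent and the `lineinfile` task further down appends a second watch for the same path. The bash remediation for this rule merges the bits into the existing line instead, so the two remediations now disagree on the same input; match any superset with lookaheads (`-p\s+(?=[rwxa]*w)(?=[rwxa]*a)[rwxa]+`) or rewrite the existing line the way bash does. `(\s|$)+` should also be `(\s|$)`; the `+` adds nothing.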
@@ -44,7 +45,8 @@
   - reboot_required
   - restrict_strategy
 
-- name: Search /etc/audit/rules.d for other rules with specified key MAC-policy
+- name: Record Events that Modify the System's Mandatory Access Controls - Search
+    /etc/audit/rules.d for other rules with specified key MAC-policy
   find:
     paths: /etc/audit/rules.d
     contains: ^.*(?:-F key=|-k\s+)MAC-policy$
@@ -72,7 +74,8 @@
   - reboot_required
   - restrict_strategy
 
-- name: Use /etc/audit/rules.d/MAC-policy.rules as the recipient for the rule
+- name: Record Events that Modify the System's Mandatory Access Controls - Use /etc/audit/rules.d/MAC-policy.rules
+    as the recipient for the rule
   set_fact:
     all_files:
     - /etc/audit/rules.d/MAC-policy.rules
@@ -98,7 +101,8 @@
   - reboot_required
   - restrict_strategy
 
-- name: Use matched file as the recipient for the rule
+- name: Record Events that Modify the System's Mandatory Access Controls - Use matched
+    file as the recipient for the rule
   set_fact:
     all_files:
     - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
@@ -124,7 +128,8 @@
   - reboot_required
   - restrict_strategy
 
-- name: Add watch rule for /etc/selinux/ in /etc/audit/rules.d/
+- name: Record Events that Modify the System's Mandatory Access Controls - Add watch
+    rule for /etc/selinux/ in /etc/audit/rules.d/
   lineinfile:
     path: '{{ all_files[0] }}'
     line: -w /etc/selinux/ -p wa -k MAC-policy
@@ -152,7 +157,8 @@
   - reboot_required
   - restrict_strategy
 
-- name: Check if watch rule for /etc/selinux/ already exists in /etc/audit/audit.rules
+- name: Record Events that Modify the System's Mandatory Access Controls - Check if
+    watch rule for /etc/selinux/ already exists in /etc/audit/audit.rules
   find:
     paths: /etc/audit/
     contains: ^\s*-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+
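Review bot: `paths: /etc/audit/` with `contains:` but no `patterns:` in this hunk means `find` scans every regular file directly under /etc/audit/ (auditd.conf and the rest, not only audit.rules), and a matching line in any of them passes the check; unless a `patterns: audit.rules` line follows outside the shown context, add one so the `audit.rules` check only looks at `audit.rules`.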
@@ -178,7 +184,8 @@
   - reboot_required
   - restrict_strategy
 
-- name: Add watch rule for /etc/selinux/ in /etc/audit/audit.rules
+- name: Record Events that Modify the System's Mandatory Access Controls - Add watch
+    rule for /etc/selinux/ in /etc/audit/audit.rules
   lineinfile:
     line: -w /etc/selinux/ -p wa -k MAC-policy
     state: present

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share
+++ xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share
@@ -25,7 +25,9 @@
 for audit_rules_file in "${files_to_inspect[@]}"
 do
     # Check if audit watch file system object rule for given path already present
+
     if grep -q -P -- "^[\s]*-w[\s]+/usr/share/selinux/" "$audit_rules_file"
+
     then
         # Rule is found => verify yet if existing rule definition contains
         # all of the required access type bits
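Review bot: `grep -q -P -- "^[\s]*-w[\s]+/usr/share/selinux/"` has no anchor after the path, so a watch on anything below it (say `-w /usr/share/selinux/targeted -p wa`) counts as the directory watch and the `-w /usr/share/selinux/ -p wa` rule is never appended; require `(\s|$)` after the path, as the `sed` extraction below already does.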
@@ -33,7 +35,9 @@
         # Define BRE whitespace class shortcut
         sp="[[:space:]]"
         # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
-        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/usr/share/selinux/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
+        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/usr/share/selinux/$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
         # Split required access bits string into characters array
         # (to check bit's presence for one bit at a time)
         for access_bit in $(echo "wa" | grep -o .)
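Review bot: good catch on the stray space in `/usr/share/selinux/ $sp\+`; the old pattern only matched when two or more whitespace characters preceded `-p`, so for every normal rule the extraction returned an empty string and the bits written back by the later `sed -i` were just `wa`, dropping anything else the administrator had set. Since the bash block for every watch in this diff carries the identical fix, a single shared test scenario with a pre-existing `-p rwxa` rule would cover all of them.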
@@ -49,12 +53,16 @@
         done
         # Propagate the updated rule's access bits (original + the required
         # ones) back into the /etc/audit/audit.rules file for that rule
+
         sed -i "s#\($sp*-w$sp\+/usr/share/selinux/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+
     else
         # Rule isn't present yet. Append it at the end of $audit_rules_file file
         # with proper key
 
+
         echo "-w /usr/share/selinux/ -p wa -k MAC-policy" >> "$audit_rules_file"
+
     fi
 done
 # Create a list of audit *.rules files that should be inspected for presence and correctness
@@ -73,7 +81,9 @@
 # If the audit is 'augenrules', then check if rule is already defined
 # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
 # If rule isn't defined, add '/etc/audit/rules.d/MAC-policy.rules' to list of files for inspection.
+
 readarray -t matches < <(grep -HP "[\s]*-w[\s]+/usr/share/selinux/" /etc/audit/rules.d/*.rules)
+
 
 # For each of the matched entries
 for match in "${matches[@]}"
@@ -102,7 +112,9 @@
 for audit_rules_file in "${files_to_inspect[@]}"
 do
     # Check if audit watch file system object rule for given path already present
+
     if grep -q -P -- "^[\s]*-w[\s]+/usr/share/selinux/" "$audit_rules_file"
+
     then
         # Rule is found => verify yet if existing rule definition contains
         # all of the required access type bits
@@ -110,7 +122,9 @@
         # Define BRE whitespace class shortcut
         sp="[[:space:]]"
         # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
-        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/usr/share/selinux/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
+        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/usr/share/selinux/$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
         # Split required access bits string into characters array
         # (to check bit's presence for one bit at a time)
         for access_bit in $(echo "wa" | grep -o .)
@@ -126,12 +140,16 @@
         done
         # Propagate the updated rule's access bits (original + the required
         # ones) back into the /etc/audit/audit.rules file for that rule
+
         sed -i "s#\($sp*-w$sp\+/usr/share/selinux/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+
     else
         # Rule isn't present yet. Append it at the end of $audit_rules_file file
         # with proper key
 
+
         echo "-w /usr/share/selinux/ -p wa -k MAC-policy" >> "$audit_rules_file"
+
     fi
 done
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share
+++ xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share
@@ -15,7 +15,8 @@
   - reboot_required
   - restrict_strategy
 
-- name: Check if watch rule for /usr/share/selinux/ already exists in /etc/audit/rules.d/
+- name: Record Events that Modify the System's Mandatory Access Controls in usr/share
+    - Check if watch rule for /usr/share/selinux/ already exists in /etc/audit/rules.d/
   find:
     paths: /etc/audit/rules.d
     contains: ^\s*-w\s+/usr/share/selinux/\s+-p\s+wa(\s|$)+
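Review bot: the rule title now prefixed to every task name reads "Record Events that Modify the System's Mandatory Access Controls in usr/share", without the leading slash of the `/usr/share/selinux/` path it watches; since this change copies the title into every task name in the playbook, fix the title in the rule definition before merging so the typo is not multiplied. The `contains:` regex also has the same exact-`wa` weakness as the `/etc/selinux/` rule: an existing `-p rwxa` watch is not recognized and a duplicate line gets added.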
@@ -38,7 +39,8 @@
   - reboot_required
   - restrict_strategy
 
-- name: Search /etc/audit/rules.d for other rules with specified key MAC-policy
+- name: Record Events that Modify the System's Mandatory Access Controls in usr/share
+    - Search /etc/audit/rules.d for other rules with specified key MAC-policy
   find:
     paths: /etc/audit/rules.d
     contains: ^.*(?:-F key=|-k\s+)MAC-policy$
@@ -63,7 +65,8 @@
   - reboot_required
   - restrict_strategy
 
-- name: Use /etc/audit/rules.d/MAC-policy.rules as the recipient for the rule
+- name: Record Events that Modify the System's Mandatory Access Controls in usr/share
+    - Use /etc/audit/rules.d/MAC-policy.rules as the recipient for the rule
   set_fact:
     all_files:
     - /etc/audit/rules.d/MAC-policy.rules
@@ -86,7 +89,8 @@
   - reboot_required
   - restrict_strategy
 
-- name: Use matched file as the recipient for the rule
+- name: Record Events that Modify the System's Mandatory Access Controls in usr/share
+    - Use matched file as the recipient for the rule
   set_fact:
     all_files:
     - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
@@ -109,7 +113,8 @@
   - reboot_required
   - restrict_strategy
 
-- name: Add watch rule for /usr/share/selinux/ in /etc/audit/rules.d/
+- name: Record Events that Modify the System's Mandatory Access Controls in usr/share
+    - Add watch rule for /usr/share/selinux/ in /etc/audit/rules.d/
   lineinfile:
     path: '{{ all_files[0] }}'
     line: -w /usr/share/selinux/ -p wa -k MAC-policy
@@ -134,7 +139,8 @@
   - reboot_required
   - restrict_strategy
 
-- name: Check if watch rule for /usr/share/selinux/ already exists in /etc/audit/audit.rules
+- name: Record Events that Modify the System's Mandatory Access Controls in usr/share
+    - Check if watch rule for /usr/share/selinux/ already exists in /etc/audit/audit.rules
   find:
     paths: /etc/audit/
     contains: ^\s*-w\s+/usr/share/selinux/\s+-p\s+wa(\s|$)+
@@ -157,7 +163,8 @@
   - reboot_required
   - restrict_strategy
 
-- name: Add watch rule for /usr/share/selinux/ in /etc/audit/audit.rules
+- name: Record Events that Modify the System's Mandatory Access Controls in usr/share
+    - Add watch rule for /usr/share/selinux/ in /etc/audit/audit.rules
   lineinfile:
     line: -w /usr/share/selinux/ -p wa -k MAC-policy
     state: present

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
+++ xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
@@ -346,7 +346,9 @@
 for audit_rules_file in "${files_to_inspect[@]}"
 do
     # Check if audit watch file system object rule for given path already present
+
     if grep -q -P -- "^[\s]*-w[\s]+/etc/issue" "$audit_rules_file"
+
     then
         # Rule is found => verify yet if existing rule definition contains
         # all of the required access type bits
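Review bot: `grep -q -P -- "^[\s]*-w[\s]+/etc/issue"` also matches the `/etc/issue.net` watch that this same remediation adds further down, so on a host that already has `-w /etc/issue.net -p wa ...` but no `/etc/issue` rule the check succeeds, the extraction `sed` (which requires whitespace right after `/etc/issue`) returns nothing, the `sed -i` rewrite matches nothing, and the `/etc/issue` watch is never written; the rule then fails its check immediately after a "successful" remediation. Anchor the path with `/etc/issue(\s|$)`.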
@@ -354,7 +356,9 @@
         # Define BRE whitespace class shortcut
         sp="[[:space:]]"
         # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
-        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
+        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
         # Split required access bits string into characters array
         # (to check bit's presence for one bit at a time)
         for access_bit in $(echo "wa" | grep -o .)
@@ -370,12 +374,16 @@
         done
         # Propagate the updated rule's access bits (original + the required
         # ones) back into the /etc/audit/audit.rules file for that rule
+
         sed -i "s#\($sp*-w$sp\+/etc/issue$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+
     else
         # Rule isn't present yet. Append it at the end of $audit_rules_file file
         # with proper key
 
+
         echo "-w /etc/issue -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
+
     fi
 done
 # Create a list of audit *.rules files that should be inspected for presence and correctness
@@ -394,7 +402,9 @@
 # If the audit is 'augenrules', then check if rule is already defined
 # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
 # If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection.
+
 readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/issue" /etc/audit/rules.d/*.rules)
+
 
 # For each of the matched entries
 for match in "${matches[@]}"
@@ -423,7 +433,9 @@
 for audit_rules_file in "${files_to_inspect[@]}"
 do
     # Check if audit watch file system object rule for given path already present
+
     if grep -q -P -- "^[\s]*-w[\s]+/etc/issue" "$audit_rules_file"
+
     then
         # Rule is found => verify yet if existing rule definition contains
         # all of the required access type bits
@@ -431,7 +443,9 @@
         # Define BRE whitespace class shortcut
         sp="[[:space:]]"
         # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
-        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
+        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
         # Split required access bits string into characters array
         # (to check bit's presence for one bit at a time)
         for access_bit in $(echo "wa" | grep -o .)
@@ -447,12 +461,16 @@
         done
         # Propagate the updated rule's access bits (original + the required
         # ones) back into the /etc/audit/audit.rules file for that rule
+
         sed -i "s#\($sp*-w$sp\+/etc/issue$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+
     else
         # Rule isn't present yet. Append it at the end of $audit_rules_file file
         # with proper key
 
+
         echo "-w /etc/issue -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
+
     fi
 done
 # Create a list of audit *.rules files that should be inspected for presence and correctness
@@ -478,7 +496,9 @@
 for audit_rules_file in "${files_to_inspect[@]}"
 do
     # Check if audit watch file system object rule for given path already present
+
     if grep -q -P -- "^[\s]*-w[\s]+/etc/issue.net" "$audit_rules_file"
+
     then
         # Rule is found => verify yet if existing rule definition contains
         # all of the required access type bits
@@ -486,7 +506,9 @@
         # Define BRE whitespace class shortcut
         sp="[[:space:]]"
         # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
-        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue.net $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
+        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue.net$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
         # Split required access bits string into characters array
         # (to check bit's presence for one bit at a time)
         for access_bit in $(echo "wa" | grep -o .)
@@ -502,12 +524,16 @@
         done
         # Propagate the updated rule's access bits (original + the required
         # ones) back into the /etc/audit/audit.rules file for that rule
+
         sed -i "s#\($sp*-w$sp\+/etc/issue.net$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+
     else
         # Rule isn't present yet. Append it at the end of $audit_rules_file file
         # with proper key
 
+
         echo "-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
+
     fi
 done
 # Create a list of audit *.rules files that should be inspected for presence and correctness
@@ -526,7 +552,9 @@
 # If the audit is 'augenrules', then check if rule is already defined
 # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
 # If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection.
+
 readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/issue.net" /etc/audit/rules.d/*.rules)
+
 
 # For each of the matched entries
 for match in "${matches[@]}"
@@ -555,7 +583,9 @@
 for audit_rules_file in "${files_to_inspect[@]}"
 do
     # Check if audit watch file system object rule for given path already present
+
     if grep -q -P -- "^[\s]*-w[\s]+/etc/issue.net" "$audit_rules_file"
+
     then
         # Rule is found => verify yet if existing rule definition contains
         # all of the required access type bits
@@ -563,7 +593,9 @@
         # Define BRE whitespace class shortcut
         sp="[[:space:]]"
         # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
-        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue.net $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
+        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue.net$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
         # Split required access bits string into characters array
         # (to check bit's presence for one bit at a time)
         for access_bit in $(echo "wa" | grep -o .)
@@ -579,12 +611,16 @@
         done
         # Propagate the updated rule's access bits (original + the required
         # ones) back into the /etc/audit/audit.rules file for that rule
+
         sed -i "s#\($sp*-w$sp\+/etc/issue.net$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+
     else
         # Rule isn't present yet. Append it at the end of $audit_rules_file file
         # with proper key
 
+
         echo "-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
+
     fi
 done
 # Create a list of audit *.rules files that should be inspected for presence and correctness
@@ -610,7 +646,9 @@
 for audit_rules_file in "${files_to_inspect[@]}"
 do
     # Check if audit watch file system object rule for given path already present
+
     if grep -q -P -- "^[\s]*-w[\s]+/etc/hosts" "$audit_rules_file"
+
     then
         # Rule is found => verify yet if existing rule definition contains
         # all of the required access type bits
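Review bot: `grep -q -P -- "^[\s]*-w[\s]+/etc/hosts"` is a prefix match, so watches on `/etc/hosts.allow` or `/etc/hosts.deny` (both commonly audited) satisfy the check and the `/etc/hosts` rule is then never appended, while the `sed` extraction below, which needs whitespace right after `/etc/hosts`, finds nothing to merge into; anchor the path with `(\s|$)`.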
@@ -618,7 +656,9 @@
         # Define BRE whitespace class shortcut
         sp="[[:space:]]"
         # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
-        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/hosts $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
+        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/hosts$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
         # Split required access bits string into characters array
         # (to check bit's presence for one bit at a time)
         for access_bit in $(echo "wa" | grep -o .)
@@ -634,12 +674,16 @@
         done
         # Propagate the updated rule's access bits (original + the required
         # ones) back into the /etc/audit/audit.rules file for that rule
+
         sed -i "s#\($sp*-w$sp\+/etc/hosts$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+
     else
         # Rule isn't present yet. Append it at the end of $audit_rules_file file
         # with proper key
 
+
         echo "-w /etc/hosts -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
+
     fi
 done
 # Create a list of audit *.rules files that should be inspected for presence and correctness
@@ -658,7 +702,9 @@
 # If the audit is 'augenrules', then check if rule is already defined
 # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
 # If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection.
+
 readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/hosts" /etc/audit/rules.d/*.rules)
+
 
 # For each of the matched entries
 for match in "${matches[@]}"
@@ -687,7 +733,9 @@
 for audit_rules_file in "${files_to_inspect[@]}"
 do
     # Check if audit watch file system object rule for given path already present
+
     if grep -q -P -- "^[\s]*-w[\s]+/etc/hosts" "$audit_rules_file"
+
     then
         # Rule is found => verify yet if existing rule definition contains
         # all of the required access type bits
@@ -695,7 +743,9 @@
         # Define BRE whitespace class shortcut
         sp="[[:space:]]"
         # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
-        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/hosts $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
+        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/hosts$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
         # Split required access bits string into characters array
         # (to check bit's presence for one bit at a time)
         for access_bit in $(echo "wa" | grep -o .)
@@ -711,12 +761,16 @@
         done
         # Propagate the updated rule's access bits (original + the required
         # ones) back into the /etc/audit/audit.rules file for that rule
+
         sed -i "s#\($sp*-w$sp\+/etc/hosts$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+
     else
         # Rule isn't present yet. Append it at the end of $audit_rules_file file
         # with proper key
 
+
         echo "-w /etc/hosts -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
+
     fi
 done
 
@@ -743,7 +797,9 @@
 for audit_rules_file in "${files_to_inspect[@]}"
 do
     # Check if audit watch file system object rule for given path already present
+
     if grep -q -P -- "^[\s]*-w[\s]+/etc/sysconfig/network" "$audit_rules_file"
+
     then
         # Rule is found => verify yet if existing rule definition contains
         # all of the required access type bits
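Review bot: `grep -q -P -- "^[\s]*-w[\s]+/etc/sysconfig/network"` also matches a watch on `/etc/sysconfig/network-scripts/`, a directory other profiles audit, so on such a host the `/etc/sysconfig/network` rule is treated as present and never written; anchor the path with `(\s|$)` in the presence check and in the `readarray` grep below.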
@@ -751,7 +807,9 @@
         # Define BRE whitespace class shortcut
         sp="[[:space:]]"
         # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
-        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sysconfig/network $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
+        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sysconfig/network$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
         # Split required access bits string into characters array
         # (to check bit's presence for one bit at a time)
         for access_bit in $(echo "wa" | grep -o .)
@@ -767,12 +825,16 @@
         done
         # Propagate the updated rule's access bits (original + the required
         # ones) back into the /etc/audit/audit.rules file for that rule
+
         sed -i "s#\($sp*-w$sp\+/etc/sysconfig/network$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+
     else
         # Rule isn't present yet. Append it at the end of $audit_rules_file file
         # with proper key
 
+
         echo "-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
+
     fi
 done
 # Create a list of audit *.rules files that should be inspected for presence and correctness
@@ -791,7 +853,9 @@
 # If the audit is 'augenrules', then check if rule is already defined
 # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
 # If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection.
+
 readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/sysconfig/network" /etc/audit/rules.d/*.rules)
+
 
 # For each of the matched entries
 for match in "${matches[@]}"
@@ -820,7 +884,9 @@
 for audit_rules_file in "${files_to_inspect[@]}"
 do
     # Check if audit watch file system object rule for given path already present
+
     if grep -q -P -- "^[\s]*-w[\s]+/etc/sysconfig/network" "$audit_rules_file"
+
     then
         # Rule is found => verify yet if existing rule definition contains
         # all of the required access type bits
@@ -828,7 +894,9 @@
         # Define BRE whitespace class shortcut
         sp="[[:space:]]"
         # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
-        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sysconfig/network $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
+        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sysconfig/network$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
         # Split required access bits string into characters array
         # (to check bit's presence for one bit at a time)
         for access_bit in $(echo "wa" | grep -o .)
@@ -844,12 +912,16 @@
         done
         # Propagate the updated rule's access bits (original + the required
         # ones) back into the /etc/audit/audit.rules file for that rule
+
         sed -i "s#\($sp*-w$sp\+/etc/sysconfig/network$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+
     else
         # Rule isn't present yet. Append it at the end of $audit_rules_file file
         # with proper key
 
+
         echo "-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
+
     fi
 done
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
+++ xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
@@ -336,7 +336,8 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Check if watch rule for /etc/issue already exists in /etc/audit/rules.d/
+- name: Record Events that Modify the System's Network Environment - Check if watch
+    rule for /etc/issue already exists in /etc/audit/rules.d/
   find:
     paths: /etc/audit/rules.d
     contains: ^\s*-w\s+/etc/issue\s+-p\s+wa(\s|$)+
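Review bot: the `contains` regex `^\s*-w\s+/etc/issue\s+-p\s+wa(\s|$)+` only recognizes a rule whose mask is exactly `wa`, so a host that already carries `-w /etc/issue -p rwa -k ...` fails this check and the later `lineinfile` task appends a second watch for the same path, whereas the bash remediation for the same rule merges the missing bits into the existing mask and stays idempotent. The two remediations should agree; either accept any `[rwxa]+` mask that contains both `w` and `a`, or document that the Ansible variant requires the literal `wa`. Separately, `(\s|$)+` can be `(\s|$)`: repeating a group that already matches end-of-line adds nothing.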
@@ -363,7 +364,8 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification
+- name: Record Events that Modify the System's Network Environment - Search /etc/audit/rules.d
+    for other rules with specified key audit_rules_networkconfig_modification
   find:
     paths: /etc/audit/rules.d
     contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$
@@ -392,8 +394,8 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the
-    recipient for the rule
+- name: Record Events that Modify the System's Network Environment - Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
+    as the recipient for the rule
   set_fact:
     all_files:
     - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
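Review bot: the folded `name:` at `Record Events that Modify the System's Network Environment - Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules` now runs well past the wrap width the rest of the playbook keeps, because the YAML dumper cannot break inside the path token. It is valid YAML and Ansible does not mind, but a yamllint line-length rule applied to generated playbooks would flag it. A shorter suffix such as `Use the rule-specific file in /etc/audit/rules.d as the recipient` keeps the new rule-title prefix and avoids the unbreakable token.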
@@ -420,7 +422,8 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Use matched file as the recipient for the rule
+- name: Record Events that Modify the System's Network Environment - Use matched file
+    as the recipient for the rule
   set_fact:
     all_files:
     - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
@@ -447,7 +450,8 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Add watch rule for /etc/issue in /etc/audit/rules.d/
+- name: Record Events that Modify the System's Network Environment - Add watch rule
+    for /etc/issue in /etc/audit/rules.d/
   lineinfile:
     path: '{{ all_files[0] }}'
     line: -w /etc/issue -p wa -k audit_rules_networkconfig_modification
@@ -476,7 +480,8 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Check if watch rule for /etc/issue already exists in /etc/audit/audit.rules
+- name: Record Events that Modify the System's Network Environment - Check if watch
+    rule for /etc/issue already exists in /etc/audit/audit.rules
   find:
     paths: /etc/audit/
     contains: ^\s*-w\s+/etc/issue\s+-p\s+wa(\s|$)+
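Review bot: `find` with `paths: /etc/audit/` and no `patterns` (unchanged context in this hunk) evaluates the `contains` regex against every regular file in /etc/audit, including `auditd.conf` and any plugin configuration, not only `audit.rules`. It is harmless today, but `patterns: audit.rules` would state the intent and prevent a stray matching line in another file from making the task conclude that the watch already exists. The same applies to each `already exists in /etc/audit/audit.rules` task renamed in this comment.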
@@ -503,7 +508,8 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Add watch rule for /etc/issue in /etc/audit/audit.rules
+- name: Record Events that Modify the System's Network Environment - Add watch rule
+    for /etc/issue in /etc/audit/audit.rules
   lineinfile:
     line: -w /etc/issue -p wa -k audit_rules_networkconfig_modification
     state: present
@@ -533,7 +539,8 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Check if watch rule for /etc/issue.net already exists in /etc/audit/rules.d/
+- name: Record Events that Modify the System's Network Environment - Check if watch
+    rule for /etc/issue.net already exists in /etc/audit/rules.d/
   find:
     paths: /etc/audit/rules.d
     contains: ^\s*-w\s+/etc/issue.net\s+-p\s+wa(\s|$)+
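Review bot: the `.` in `/etc/issue.net` is unescaped in `^\s*-w\s+/etc/issue.net\s+-p\s+wa(\s|$)+`, so it matches any character. Nothing else in `/etc/audit/rules.d` is likely to collide, but `/etc/issue\.net` is what is meant, and since the path is substituted by the template, escaping it when the regex is rendered fixes every generated watch at once rather than this single task.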
@@ -560,7 +567,8 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification
+- name: Record Events that Modify the System's Network Environment - Search /etc/audit/rules.d
+    for other rules with specified key audit_rules_networkconfig_modification
   find:
     paths: /etc/audit/rules.d
     contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$
@@ -589,8 +597,8 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the
-    recipient for the rule
+- name: Record Events that Modify the System's Network Environment - Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
+    as the recipient for the rule
   set_fact:
     all_files:
     - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
@@ -617,7 +625,8 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Use matched file as the recipient for the rule
+- name: Record Events that Modify the System's Network Environment - Use matched file
+    as the recipient for the rule
   set_fact:
     all_files:
     - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
@@ -644,7 +653,8 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Add watch rule for /etc/issue.net in /etc/audit/rules.d/
+- name: Record Events that Modify the System's Network Environment - Add watch rule
+    for /etc/issue.net in /etc/audit/rules.d/
   lineinfile:
     path: '{{ all_files[0] }}'
     line: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
@@ -673,7 +683,8 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Check if watch rule for /etc/issue.net already exists in /etc/audit/audit.rules
+- name: Record Events that Modify the System's Network Environment - Check if watch
+    rule for /etc/issue.net already exists in /etc/audit/audit.rules
   find:
     paths: /etc/audit/
     contains: ^\s*-w\s+/etc/issue.net\s+-p\s+wa(\s|$)+
@@ -700,7 +711,8 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Add watch rule for /etc/issue.net in /etc/audit/audit.rules
+- name: Record Events that Modify the System's Network Environment - Add watch rule
+    for /etc/issue.net in /etc/audit/audit.rules
   lineinfile:
     line: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
     state: present
@@ -730,7 +742,8 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Check if watch rule for /etc/hosts already exists in /etc/audit/rules.d/
+- name: Record Events that Modify the System's Network Environment - Check if watch
+    rule for /etc/hosts already exists in /etc/audit/rules.d/
   find:
     paths: /etc/audit/rules.d
     contains: ^\s*-w\s+/etc/hosts\s+-p\s+wa(\s|$)+
@@ -757,7 +770,8 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification
+- name: Record Events that Modify the System's Network Environment - Search /etc/audit/rules.d
+    for other rules with specified key audit_rules_networkconfig_modification
   find:
     paths: /etc/audit/rules.d
     contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$
@@ -786,8 +800,8 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the
-    recipient for the rule
+- name: Record Events that Modify the System's Network Environment - Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
+    as the recipient for the rule
   set_fact:
     all_files:
     - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
@@ -814,7 +828,8 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Use matched file as the recipient for the rule
+- name: Record Events that Modify the System's Network Environment - Use matched file
+    as the recipient for the rule
   set_fact:
     all_files:
     - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
@@ -841,7 +856,8 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Add watch rule for /etc/hosts in /etc/audit/rules.d/
+- name: Record Events that Modify the System's Network Environment - Add watch rule
+    for /etc/hosts in /etc/audit/rules.d/
   lineinfile:
     path: '{{ all_files[0] }}'
     line: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification
@@ -870,7 +886,8 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Check if watch rule for /etc/hosts already exists in /etc/audit/audit.rules
+- name: Record Events that Modify the System's Network Environment - Check if watch
+    rule for /etc/hosts already exists in /etc/audit/audit.rules
   find:
     paths: /etc/audit/
     contains: ^\s*-w\s+/etc/hosts\s+-p\s+wa(\s|$)+
@@ -897,7 +914,8 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Add watch rule for /etc/hosts in /etc/audit/audit.rules
+- name: Record Events that Modify the System's Network Environment - Add watch rule
+    for /etc/hosts in /etc/audit/audit.rules
   lineinfile:
     line: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification
     state: present
@@ -927,7 +945,8 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Check if watch rule for /etc/sysconfig/network already exists in /etc/audit/rules.d/
+- name: Record Events that Modify the System's Network Environment - Check if watch
+    rule for /etc/sysconfig/network already exists in /etc/audit/rules.d/
   find:
     paths: /etc/audit/rules.d
     contains: ^\s*-w\s+/etc/sysconfig/network\s+-p\s+wa(\s|$)+
@@ -954,7 +973,8 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification
+- name: Record Events that Modify the System's Network Environment - Search /etc/audit/rules.d
+    for other rules with specified key audit_rules_networkconfig_modification
   find:
     paths: /etc/audit/rules.d
     contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$
@@ -983,8 +1003,8 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the
-    recipient for the rule
+- name: Record Events that Modify the System's Network Environment - Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
+    as the recipient for the rule
   set_fact:
     all_files:
     - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
@@ -1011,7 +1031,8 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Use matched file as the recipient for the rule
+- name: Record Events that Modify the System's Network Environment - Use matched file
+    as the recipient for the rule
   set_fact:
     all_files:
     - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
@@ -1038,7 +1059,8 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Add watch rule for /etc/sysconfig/network in /etc/audit/rules.d/
+- name: Record Events that Modify the System's Network Environment - Add watch rule
+    for /etc/sysconfig/network in /etc/audit/rules.d/
   lineinfile:
     path: '{{ all_files[0] }}'
     line: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
@@ -1067,7 +1089,8 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Check if watch rule for /etc/sysconfig/network already exists in /etc/audit/audit.rules
+- name: Record Events that Modify the System's Network Environment - Check if watch
+    rule for /etc/sysconfig/network already exists in /etc/audit/audit.rules
   find:
     paths: /etc/audit/
     contains: ^\s*-w\s+/etc/sysconfig/network\s+-p\s+wa(\s|$)+
@@ -1094,7 +1117,8 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Add watch rule for /etc/sysconfig/network in /etc/audit/audit.rules
+- name: Record Events that Modify the System's Network Environment - Add watch rule
+    for /etc/sysconfig/network in /etc/audit/audit.rules
   lineinfile:
     line: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
     state: present

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification_network_scripts' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification_network_scripts
+++ xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification_network_scripts
@@ -1,5 +1,12 @@
 # Remediation is applicable only in certain platforms
 if rpm --quiet -q audit && rpm --quiet -q kernel; then
+
+# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+
+
+
+
+
 
 # Create a list of audit *.rules files that should be inspected for presence and correctness
 # of a particular audit rule. The scheme is as follows:
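Review bot: the new comment `# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'` is followed by five empty lines before the first `# Create a list of audit *.rules files` block, which suggests the template emits the comment at a point where the per-tool blocks now render nothing. Either move the comment down to sit directly above the first loop or trim the surrounding block tags, so the generated script does not open with a paragraph of whitespace.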
@@ -24,7 +31,9 @@
 for audit_rules_file in "${files_to_inspect[@]}"
 do
     # Check if audit watch file system object rule for given path already present
+
     if grep -q -P -- "^[\s]*-w[\s]+/etc/sysconfig/network-scripts" "$audit_rules_file"
+
     then
         # Rule is found => verify yet if existing rule definition contains
         # all of the required access type bits
@@ -32,7 +41,9 @@
         # Define BRE whitespace class shortcut
         sp="[[:space:]]"
         # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
-        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sysconfig/network-scripts $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
+        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sysconfig/network-scripts$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
         # Split required access bits string into characters array
         # (to check bit's presence for one bit at a time)
         for access_bit in $(echo "wa" | grep -o .)
@@ -48,12 +59,16 @@
         done
         # Propagate the updated rule's access bits (original + the required
         # ones) back into the /etc/audit/audit.rules file for that rule
+
         sed -i "s#\($sp*-w$sp\+/etc/sysconfig/network-scripts$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+
     else
         # Rule isn't present yet. Append it at the end of $audit_rules_file file
         # with proper key
 
+
         echo "-w /etc/sysconfig/network-scripts -p wa -k audit_rules_networkconfig_modification_network_scripts" >> "$audit_rules_file"
+
     fi
 done
 # Create a list of audit *.rules files that should be inspected for presence and correctness
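Review bot: `echo "-w /etc/sysconfig/network-scripts -p wa -k audit_rules_networkconfig_modification_network_scripts" >> "$audit_rules_file"` appends with `>>` without checking that the target ends in a newline; a hand-edited rules file whose last line lacks one gets the new watch glued onto that line, which `augenrules` or `auditctl -R` will then misparse. Since the append path is being consolidated into a single template, this is a good moment to guard it with something like `[ -n "$(tail -c1 "$audit_rules_file")" ] && echo >> "$audit_rules_file"` before the `echo`, which adds a newline only when the file is non-empty and does not already end with one.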
@@ -72,7 +87,9 @@
 # If the audit is 'augenrules', then check if rule is already defined
 # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
 # If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification_network_scripts.rules' to list of files for inspection.
+
 readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/sysconfig/network-scripts" /etc/audit/rules.d/*.rules)
+
 
 # For each of the matched entries
 for match in "${matches[@]}"
@@ -101,7 +118,9 @@
 for audit_rules_file in "${files_to_inspect[@]}"
 do
     # Check if audit watch file system object rule for given path already present
+
     if grep -q -P -- "^[\s]*-w[\s]+/etc/sysconfig/network-scripts" "$audit_rules_file"
+
     then
         # Rule is found => verify yet if existing rule definition contains
         # all of the required access type bits
@@ -109,7 +128,9 @@
         # Define BRE whitespace class shortcut
         sp="[[:space:]]"
         # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
-        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sysconfig/network-scripts $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
+        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sysconfig/network-scripts$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
         # Split required access bits string into characters array
         # (to check bit's presence for one bit at a time)
         for access_bit in $(echo "wa" | grep -o .)
@@ -125,12 +146,16 @@
         done
         # Propagate the updated rule's access bits (original + the required
         # ones) back into the /etc/audit/audit.rules file for that rule
+
         sed -i "s#\($sp*-w$sp\+/etc/sysconfig/network-scripts$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+
     else
         # Rule isn't present yet. Append it at the end of $audit_rules_file file
         # with proper key
 
+
         echo "-w /etc/sysconfig/network-scripts -p wa -k audit_rules_networkconfig_modification_network_scripts" >> "$audit_rules_file"
+
     fi
 done
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification_network_scripts' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification_network_scripts
+++ xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification_network_scripts
@@ -10,7 +10,8 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Check if watch rule for /etc/sysconfig/network-scripts already exists in /etc/audit/rules.d/
+- name: Record Events that Modify the System's Network Environment - Check if watch
+    rule for /etc/sysconfig/network-scripts already exists in /etc/audit/rules.d/
   find:
     paths: /etc/audit/rules.d
     contains: ^\s*-w\s+/etc/sysconfig/network-scripts\s+-p\s+wa(\s|$)+
@@ -28,7 +29,8 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification_network_scripts
+- name: Record Events that Modify the System's Network Environment - Search /etc/audit/rules.d
+    for other rules with specified key audit_rules_networkconfig_modification_network_scripts
   find:
     paths: /etc/audit/rules.d
     contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification_network_scripts$
@@ -48,7 +50,7 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification_network_scripts.rules
+- name: Record Events that Modify the System's Network Environment - Use /etc/audit/rules.d/audit_rules_networkconfig_modification_network_scripts.rules
     as the recipient for the rule
   set_fact:
     all_files:
@@ -67,7 +69,8 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Use matched file as the recipient for the rule
+- name: Record Events that Modify the System's Network Environment - Use matched file
+    as the recipient for the rule
   set_fact:
     all_files:
     - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
@@ -85,7 +88,8 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Add watch rule for /etc/sysconfig/network-scripts in /etc/audit/rules.d/
+- name: Record Events that Modify the System's Network Environment - Add watch rule
+    for /etc/sysconfig/network-scripts in /etc/audit/rules.d/
   lineinfile:
     path: '{{ all_files[0] }}'
     line: -w /etc/sysconfig/network-scripts -p wa -k audit_rules_networkconfig_modification_network_scripts
@@ -105,7 +109,8 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Check if watch rule for /etc/sysconfig/network-scripts already exists in /etc/audit/audit.rules
+- name: Record Events that Modify the System's Network Environment - Check if watch
+    rule for /etc/sysconfig/network-scripts already exists in /etc/audit/audit.rules
   find:
     paths: /etc/audit/
     contains: ^\s*-w\s+/etc/sysconfig/network-scripts\s+-p\s+wa(\s|$)+
@@ -123,7 +128,8 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Add watch rule for /etc/sysconfig/network-scripts in /etc/audit/audit.rules
+- name: Record Events that Modify the System's Network Environment - Add watch rule
+    for /etc/sysconfig/network-scripts in /etc/audit/audit.rules
   lineinfile:
     line: -w /etc/sysconfig/network-scripts -p wa -k audit_rules_networkconfig_modification_network_scripts
     state: present

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_session_events' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_session_events
+++ xccdf_org.ssgproject.content_rule_audit_rules_session_events
@@ -25,36 +25,44 @@
 for audit_rules_file in "${files_to_inspect[@]}"
 do
     # Check if audit watch file system object rule for given path already present
+
     if grep -q -P -- "^[\s]*-w[\s]+/var/run/utmp" "$audit_rules_file"
-    then
-        # Rule is found => verify yet if existing rule definition contains
-        # all of the required access type bits
-
-        # Define BRE whitespace class shortcut
-        sp="[[:space:]]"
-        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
-        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/run/utmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
-        # Split required access bits string into characters array
-        # (to check bit's presence for one bit at a time)
-        for access_bit in $(echo "wa" | grep -o .)
-        do
-            # For each from the required access bits (e.g. 'w', 'a') check
-            # if they are already present in current access bits for rule.
-            # If not, append that bit at the end
-            if ! grep -q "$access_bit" <<< "$current_access_bits"
-            then
-                # Concatenate the existing mask with the missing bit
-                current_access_bits="$current_access_bits$access_bit"
-            fi
-        done
-        # Propagate the updated rule's access bits (original + the required
-        # ones) back into the /etc/audit/audit.rules file for that rule
+
+    then
+        # Rule is found => verify yet if existing rule definition contains
+        # all of the required access type bits
+
+        # Define BRE whitespace class shortcut
+        sp="[[:space:]]"
+        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
+
+        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/run/utmp$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
+        # Split required access bits string into characters array
+        # (to check bit's presence for one bit at a time)
+        for access_bit in $(echo "wa" | grep -o .)
+        do
+            # For each from the required access bits (e.g. 'w', 'a') check
+            # if they are already present in current access bits for rule.
+            # If not, append that bit at the end
+            if ! grep -q "$access_bit" <<< "$current_access_bits"
+            then
+                # Concatenate the existing mask with the missing bit
+                current_access_bits="$current_access_bits$access_bit"
+            fi
+        done
+        # Propagate the updated rule's access bits (original + the required
+        # ones) back into the /etc/audit/audit.rules file for that rule
+
         sed -i "s#\($sp*-w$sp\+/var/run/utmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
-    else
-        # Rule isn't present yet. Append it at the end of $audit_rules_file file
-        # with proper key
+
+    else
+        # Rule isn't present yet. Append it at the end of $audit_rules_file file
+        # with proper key
+
 
         echo "-w /var/run/utmp -p wa -k session" >> "$audit_rules_file"
+
     fi
 done
 # Create a list of audit *.rules files that should be inspected for presence and correctness
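Review bot: this hunk removes and re-adds the whole `then`/`else` body with visually identical text (compare `-    then` with `+    then`, or `-        sp="[[:space:]]"` with `+        sp="[[:space:]]"`), which means the indentation or trailing whitespace changed when `audit_rules_login_events` was folded into `audit_rules_watch`, most likely tabs versus spaces or a stray carriage return. The only substantive changes here are the `/var/run/utmp$sp\+-p` regex fix and the added blank lines; please normalise the template's indentation to the surrounding style so that whitespace-only hunks disappear from the remediation diff and reviewers can see what actually changed.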
@@ -73,7 +81,9 @@
 # If the audit is 'augenrules', then check if rule is already defined
 # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
 # If rule isn't defined, add '/etc/audit/rules.d/session.rules' to list of files for inspection.
+
 readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/run/utmp" /etc/audit/rules.d/*.rules)
+
 
 # For each of the matched entries
 for match in "${matches[@]}"
@@ -102,36 +112,44 @@
 for audit_rules_file in "${files_to_inspect[@]}"
 do
     # Check if audit watch file system object rule for given path already present
+
     if grep -q -P -- "^[\s]*-w[\s]+/var/run/utmp" "$audit_rules_file"
-    then
-        # Rule is found => verify yet if existing rule definition contains
-        # all of the required access type bits
-
-        # Define BRE whitespace class shortcut
-        sp="[[:space:]]"
-        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
-        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/run/utmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
-        # Split required access bits string into characters array
-        # (to check bit's presence for one bit at a time)
-        for access_bit in $(echo "wa" | grep -o .)
-        do
-            # For each from the required access bits (e.g. 'w', 'a') check
-            # if they are already present in current access bits for rule.
-            # If not, append that bit at the end
-            if ! grep -q "$access_bit" <<< "$current_access_bits"
-            then
-                # Concatenate the existing mask with the missing bit
-                current_access_bits="$current_access_bits$access_bit"
-            fi
-        done
-        # Propagate the updated rule's access bits (original + the required
-        # ones) back into the /etc/audit/audit.rules file for that rule
+
+    then
+        # Rule is found => verify yet if existing rule definition contains
+        # all of the required access type bits
+
+        # Define BRE whitespace class shortcut
+        sp="[[:space:]]"
+        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
+
+        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/run/utmp$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
+        # Split required access bits string into characters array
+        # (to check bit's presence for one bit at a time)
+        for access_bit in $(echo "wa" | grep -o .)
+        do
+            # For each from the required access bits (e.g. 'w', 'a') check
+            # if they are already present in current access bits for rule.
+            # If not, append that bit at the end
+            if ! grep -q "$access_bit" <<< "$current_access_bits"
+            then
+                # Concatenate the existing mask with the missing bit
+                current_access_bits="$current_access_bits$access_bit"
+            fi
+        done
+        # Propagate the updated rule's access bits (original + the required
+        # ones) back into the /etc/audit/audit.rules file for that rule
+
         sed -i "s#\($sp*-w$sp\+/var/run/utmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
-    else
-        # Rule isn't present yet. Append it at the end of $audit_rules_file file
-        # with proper key
+
+    else
+        # Rule isn't present yet. Append it at the end of $audit_rules_file file
+        # with proper key
+
 
         echo "-w /var/run/utmp -p wa -k session" >> "$audit_rules_file"
+
     fi
 done
 # Create a list of audit *.rules files that should be inspected for presence and correctness
@@ -157,36 +175,44 @@
 for audit_rules_file in "${files_to_inspect[@]}"
 do
     # Check if audit watch file system object rule for given path already present
+
     if grep -q -P -- "^[\s]*-w[\s]+/var/log/btmp" "$audit_rules_file"
-    then
-        # Rule is found => verify yet if existing rule definition contains
-        # all of the required access type bits
-
-        # Define BRE whitespace class shortcut
-        sp="[[:space:]]"
-        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
-        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/btmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
-        # Split required access bits string into characters array
-        # (to check bit's presence for one bit at a time)
-        for access_bit in $(echo "wa" | grep -o .)
-        do
-            # For each from the required access bits (e.g. 'w', 'a') check
-            # if they are already present in current access bits for rule.
-            # If not, append that bit at the end
-            if ! grep -q "$access_bit" <<< "$current_access_bits"
-            then
-                # Concatenate the existing mask with the missing bit
-                current_access_bits="$current_access_bits$access_bit"
-            fi
-        done
-        # Propagate the updated rule's access bits (original + the required
-        # ones) back into the /etc/audit/audit.rules file for that rule
+
+    then
+        # Rule is found => verify yet if existing rule definition contains
+        # all of the required access type bits
+
+        # Define BRE whitespace class shortcut
+        sp="[[:space:]]"
+        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
+
+        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/btmp$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
+        # Split required access bits string into characters array
+        # (to check bit's presence for one bit at a time)
+        for access_bit in $(echo "wa" | grep -o .)
+        do
+            # For each from the required access bits (e.g. 'w', 'a') check
+            # if they are already present in current access bits for rule.
+            # If not, append that bit at the end
+            if ! grep -q "$access_bit" <<< "$current_access_bits"
+            then
+                # Concatenate the existing mask with the missing bit
+                current_access_bits="$current_access_bits$access_bit"
+            fi
+        done
+        # Propagate the updated rule's access bits (original + the required
+        # ones) back into the /etc/audit/audit.rules file for that rule
+
         sed -i "s#\($sp*-w$sp\+/var/log/btmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
-    else
-        # Rule isn't present yet. Append it at the end of $audit_rules_file file
-        # with proper key
+
+    else
+        # Rule isn't present yet. Append it at the end of $audit_rules_file file
+        # with proper key
+
 
         echo "-w /var/log/btmp -p wa -k session" >> "$audit_rules_file"
+
     fi
 done
 # Create a list of audit *.rules files that should be inspected for presence and correctness
@@ -205,7 +231,9 @@
 # If the audit is 'augenrules', then check if rule is already defined
 # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
 # If rule isn't defined, add '/etc/audit/rules.d/session.rules' to list of files for inspection.
+
 readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/btmp" /etc/audit/rules.d/*.rules)
+
 
 # For each of the matched entries
 for match in "${matches[@]}"
@@ -234,36 +262,44 @@
 for audit_rules_file in "${files_to_inspect[@]}"
 do
     # Check if audit watch file system object rule for given path already present
+
     if grep -q -P -- "^[\s]*-w[\s]+/var/log/btmp" "$audit_rules_file"
-    then
-        # Rule is found => verify yet if existing rule definition contains
-        # all of the required access type bits
-
-        # Define BRE whitespace class shortcut
-        sp="[[:space:]]"
-        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
-        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/btmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
-        # Split required access bits string into characters array
-        # (to check bit's presence for one bit at a time)
-        for access_bit in $(echo "wa" | grep -o .)
-        do
-            # For each from the required access bits (e.g. 'w', 'a') check
-            # if they are already present in current access bits for rule.
-            # If not, append that bit at the end
-            if ! grep -q "$access_bit" <<< "$current_access_bits"
-            then
-                # Concatenate the existing mask with the missing bit
-                current_access_bits="$current_access_bits$access_bit"
-            fi
-        done
-        # Propagate the updated rule's access bits (original + the required
-        # ones) back into the /etc/audit/audit.rules file for that rule
+
+    then
+        # Rule is found => verify yet if existing rule definition contains
+        # all of the required access type bits
+
+        # Define BRE whitespace class shortcut
+        sp="[[:space:]]"
+        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
+
+        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/btmp$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
+        # Split required access bits string into characters array
+        # (to check bit's presence for one bit at a time)
+        for access_bit in $(echo "wa" | grep -o .)
+        do
+            # For each from the required access bits (e.g. 'w', 'a') check
+            # if they are already present in current access bits for rule.
+            # If not, append that bit at the end
+            if ! grep -q "$access_bit" <<< "$current_access_bits"
+            then
+                # Concatenate the existing mask with the missing bit
+                current_access_bits="$current_access_bits$access_bit"
+            fi
+        done
+        # Propagate the updated rule's access bits (original + the required
+        # ones) back into the /etc/audit/audit.rules file for that rule
+
         sed -i "s#\($sp*-w$sp\+/var/log/btmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
-    else
-        # Rule isn't present yet. Append it at the end of $audit_rules_file file
-        # with proper key
+
+    else
+        # Rule isn't present yet. Append it at the end of $audit_rules_file file
+        # with proper key
+
 
         echo "-w /var/log/btmp -p wa -k session" >> "$audit_rules_file"
+
     fi
 done
 # Create a list of audit *.rules files that should be inspected for presence and correctness
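Review bot: the one non-whitespace change in this hunk is a genuine bug fix that the re-indentation hides: the extraction regex drops the stray literal space in `/var/log/btmp $sp\+-p`, which required two whitespace characters and therefore never matched a normal `-w /var/log/btmp -p wa` line, so `current_access_bits` was always empty and the `sed -i` below rewrote the mask to exactly `wa`, discarding any extra bit such as `r` that an administrator had configured. That fix deserves its own sentence in the commit message and a test scenario with a pre-existing rule carrying additional `-p` bits; the surrounding blank lines add nothing to the rendered bash.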
@@ -289,36 +325,44 @@
 for audit_rules_file in "${files_to_inspect[@]}"
 do
     # Check if audit watch file system object rule for given path already present
+
     if grep -q -P -- "^[\s]*-w[\s]+/var/log/wtmp" "$audit_rules_file"
-    then
-        # Rule is found => verify yet if existing rule definition contains
-        # all of the required access type bits
-
-        # Define BRE whitespace class shortcut
-        sp="[[:space:]]"
-        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
-        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/wtmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
-        # Split required access bits string into characters array
-        # (to check bit's presence for one bit at a time)
-        for access_bit in $(echo "wa" | grep -o .)
-        do
-            # For each from the required access bits (e.g. 'w', 'a') check
-            # if they are already present in current access bits for rule.
-            # If not, append that bit at the end
-            if ! grep -q "$access_bit" <<< "$current_access_bits"
-            then
-                # Concatenate the existing mask with the missing bit
-                current_access_bits="$current_access_bits$access_bit"
-            fi
-        done
-        # Propagate the updated rule's access bits (original + the required
-        # ones) back into the /etc/audit/audit.rules file for that rule
+
+    then
+        # Rule is found => verify yet if existing rule definition contains
+        # all of the required access type bits
+
+        # Define BRE whitespace class shortcut
+        sp="[[:space:]]"
+        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
+
+        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/wtmp$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+
+        # Split required access bits string into characters array
+        # (to check bit's presence for one bit at a time)
+        for access_bit in $(echo "wa" | grep -o .)
+        do
+            # For each from the required access bits (e.g. 'w', 'a') check
+            # if they are already present in current access bits for rule.
+            # If not, append that bit at the end
+            if ! grep -q "$access_bit" <<< "$current_access_bits"
+            then
+                # Concatenate the existing mask with the missing bit
+                current_access_bits="$current_access_bits$access_bit"
+
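Review bot: this is the same stray-space fix for `/var/log/wtmp` (`/var/log/wtmp $sp\+-p` becomes `/var/log/wtmp$sp\+-p`) wrapped in identical whitespace churn; since the PR merges both watches into the single `audit_rules_watch` template, one test scenario exercising an existing rule with extra `-p` bits should cover both paths, and it is worth confirming that the wtmp block is rendered from the merged template rather than from a second copy of the same bash.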

... The diff is trimmed here ...

@jan-cerny jan-cerny marked this pull request as draft March 19, 2025 07:57
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Mar 19, 2025
Our templates `audit_rules_login_events` and `audit_rules_watch` are
similar. This patch merges them to a single template `audit_rules_watch`.
Then, it converts rules using the `audit_rules_login_events` template to
use the `audit_rules_watch` template instead. This activity reduces code
duplication. Also, this change makes it easier to convert rules to use
the modern audit watches.
@jan-cerny jan-cerny added the Update Template Issues or pull requests related to Templates updates. label Mar 19, 2025
@jan-cerny jan-cerny marked this pull request as ready for review March 19, 2025 12:52
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Mar 19, 2025

codeclimate bot commented Mar 19, 2025

Code Climate has analyzed commit 5ac74db and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 62.0% (0.1% change).


Contributor

@Xeicker Xeicker left a comment


LGTM

@Mab879
Member

Mab879 commented Mar 21, 2025

I ran the Automatus tests and got the following

$ ./automatus.py rule --datastream ../build/ssg-rhel10-ds.xml --libvirt qemu:///system automatus_rhel10 --remediate-using bash audit_rules_privileged_commands_rmmod
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/mburket/review/ComplianceAsCode/content/tests/logs/rule-custom-2025-03-21-1359/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_rmmod
INFO - Script correct_rules.pass.sh using profile (all) OK
INFO - Script correct_rules_without_key.pass.sh using profile (all) OK
INFO - Script rules_not_there.fail.sh using profile (all) OK
INFO - Script wrong_rules.fail.sh using profile (all) OK
ERROR - Rule evaluation resulted in fail, instead of expected pass during final stage
ERROR - The check after remediation failed for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_rmmod'.
$ ./automatus.py rule --datastream ../build/ssg-rhel10-ds.xml --libvirt qemu:///system automatus_rhel10 --remediate-using bash audit_rules_privileged_commands_insmod
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/mburket/review/ComplianceAsCode/content/tests/logs/rule-custom-2025-03-21-1403/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_insmod
INFO - Script correct_rules.pass.sh using profile (all) OK
INFO - Script correct_rules_without_key.pass.sh using profile (all) OK
INFO - Script rules_not_there.fail.sh using profile (all) OK
INFO - Script wrong_rules.fail.sh using profile (all) OK
ERROR - Rule evaluation resulted in fail, instead of expected pass during final stage
ERROR - The check after remediation failed for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_insmod'.

Labels
RHEL10 Red Hat Enterprise Linux 10 product related. Update Rule Issues or pull requests related to Rules updates. Update Template Issues or pull requests related to Templates updates.