Improve regex detection of the augenrules from systemd service file.

RHEL10 /usr/lib/systemd/system/audit-rules.service content now has the following: ExecStart=/usr/sbin/augenrules --load So the regex had to be updated to accept /usr but also /sbin in case the other binary is used which should be still acceptable.
ComplianceAsCode · Jan 22, 2025 · 0337848 · 0337848
1 parent 3d99d2a
commit 0337848
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/shared/checks/oval/audit_rules_augenrules.xml b/shared/checks/oval/audit_rules_augenrules.xml
@@ -20,7 +20,7 @@
   <ind:textfilecontent54_object id="object_audit_rules_augenrules" version="1">
   {{% if product in ['rhel10', 'ol10']  %}}
     <ind:filepath>/usr/lib/systemd/system/audit-rules.service</ind:filepath>
-    <ind:pattern operation="pattern match">^ExecStart=\/sbin\/augenrules.*$</ind:pattern>
+    <ind:pattern operation="pattern match">^ExecStart=(\/usr|)?\/sbin\/augenrules.*$</ind:pattern>
   {{% else %}}
     <ind:filepath>/usr/lib/systemd/system/auditd.service</ind:filepath>
     <ind:pattern operation="pattern match">^(ExecStartPost=\-\/sbin\/augenrules.*$|Requires=augenrules.service)</ind:pattern>