diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix2_chkpwd/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix2_chkpwd/rule.yml index c3cf8b7948b..e85174300d0 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix2_chkpwd/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix2_chkpwd/rule.yml @@ -1,5 +1,7 @@ +{{%- set unix2_chkpwd_binary="/usr/sbin/unix2_chkpwd" %}} {{%- if product in ["sle15"] %}} {{%- set perm_x="-F perm=x " %}} + {{%- set unix2_chkpwd_binary="/sbin/unix2_chkpwd" %}} {{%- endif %}} documentation_complete: true @@ -13,11 +15,11 @@ description: |- configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/sbin/unix2_chkpwd {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged+
-a always,exit -F path={{{ unix2_chkpwd_binary }}} {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/sbin/unix2_chkpwd {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged+
-a always,exit -F path={{{ unix2_chkpwd_binary }}} {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privilegedrationale: |- Misuse of privileged functions, either intentionally or unintentionally by @@ -62,4 +64,5 @@ ocil: |- template: name: audit_rules_privileged_commands vars: - path: /sbin/unix2_chkpwd + path: "/usr/sbin/unix2_chkpwd" + path@sle15: "/sbin/unix2_chkpwd" diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix2_chkpwd/tests/only_chkpwd_rule.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix2_chkpwd/tests/only_chkpwd_rule.fail.sh index 8c682a6db61..83b26bcab1b 100755 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix2_chkpwd/tests/only_chkpwd_rule.fail.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix2_chkpwd/tests/only_chkpwd_rule.fail.sh @@ -1,4 +1,8 @@ #!/bin/bash # packages = audit - -echo "-a always,exit -F path=/sbin/unix2_chkpwd -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/privileged.rules +{{%- if 'sl' in product %}} + {{%- set unix2_chkpwd_wrong_binary="/usr/sbin/unix2_chkpwd" %}} +{{%- else %}} + {{%- set unix2_chkpwd_wrong_binary="/sbin/unix2_chkpwd" %}} +{{%- endif %}} +echo "-a always,exit -F path={{{ unix2_chkpwd_wrong_binary }}} -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/privileged.rules diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml index 9ea98ba2143..d01d81fca0b 100644 
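Review bot: The selector `{{%- if 'sl' in product %}}` added on the new line 3 of only_chkpwd_rule.fail.sh is a substring match and does not mirror the selector rule.yml uses for the same rule, `product in ["sle15"]`. For any other product whose name contains `sl` (the sibling unix_chkpwd rule in this same change lists `sle12` and `slmicro5`), rule.yml resolves `unix2_chkpwd_binary` to `/usr/sbin/unix2_chkpwd`, yet this scenario then writes that same path as the "wrong" binary, so a fail scenario would contain the expected rule and the test would pass for the wrong reason. Mirroring the rule's condition, `{{%- if product in ["sle15"] %}}`, keeps the two in step, and a one-line comment such as `# must stay the inverse of unix2_chkpwd_binary in rule.yml` would tell the next editor why. Whether sle12 or slmicro5 actually build this rule is not visible from this diff.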
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml @@ -1,4 +1,7 @@ -{{%- if product in ["fedora", "rhcos4", "sle12", "sle15", "slmicro5", "ubuntu2004", "ubuntu2204", "ubuntu2404"] or 'ol' in families or 'rhel' in product %}} {{%- set perm_x="-F perm=x " %}} +{{%- set unix_chkpwd_binary="/usr/sbin/unix_chkpwd" %}} +{{%- if product in ["fedora", "rhcos4", "sle12", "sle15", "slmicro5", "ubuntu2004", "ubuntu2204", "ubuntu2404"] or 'ol' in families or 'rhel' in product %}} + {{%- set perm_x="-F perm=x " %}} + {{%- set unix_chkpwd_binary="/sbin/unix_chkpwd" %}} {{%- endif %}} documentation_complete: true @@ -12,11 +15,11 @@ description: |- configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/unix_chkpwd {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged+
-a always,exit -F path={{{ unix_chkpwd_binary }}} {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/sbin/unix_chkpwd {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privileged+
-a always,exit -F path={{{ unix_chkpwd_binary }}} {{{ perm_x }}}-F auid>={{{ auid }}} -F auid!=unset -F key=privilegedrationale: |- Misuse of privileged functions, either intentionally or unintentionally by diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/tests/only_chkpwd_rule.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/tests/only_chkpwd_rule.fail.sh index 62cf88daa33..9805e500c2e 100755 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/tests/only_chkpwd_rule.fail.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/tests/only_chkpwd_rule.fail.sh @@ -1,4 +1,8 @@ #!/bin/bash # packages = audit - -echo "-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/privileged.rules +{{%- if 'sl' in product %}} + {{%- set unix_chkpwd_wrong_binary="/usr/sbin/unix_chkpwd" %}} +{{%- else %}} + {{%- set unix_chkpwd_wrong_binary="/sbin/unix_chkpwd" %}} +{{%- endif %}} +echo "-a always,exit -F path={{{ unix_chkpwd_wrong_binary }}} -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/privileged.rules
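Review bot: The description now documents `/sbin/unix_chkpwd` for fedora, rhcos4, the listed ubuntu releases, `ol` families and `rhel` products and `/usr/sbin/unix_chkpwd` elsewhere, but unlike the unix2_chkpwd rule in this same change, no matching `path`/`path@…` template override appears in this diff for unix_chkpwd. The template block of this rule.yml lies outside the hunk, so whether the check's `path` already varies per product the same way `unix_chkpwd_binary` does cannot be confirmed here; if it does not, the text the user is told to add and the path the OVAL check looks for would disagree on those products. Worth verifying before merge, and a short comment next to the jinja block, `{{#- keep in sync with the template 'path' vars below -#}}`, would make the coupling explicit.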
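Review bot: The `'sl' in product` selector on the new line 3 of only_chkpwd_rule.fail.sh does not match the condition rule.yml uses to choose `unix_chkpwd_binary`: rule.yml resolves `/sbin/unix_chkpwd` for fedora, rhcos4, ubuntu2004/2204/2404, `ol` families and `rhel` products, while this scenario's else branch writes exactly `/sbin/unix_chkpwd` as the "wrong" binary on those products, so the fail scenario would contain the path the description calls correct. The condition should mirror the rule's, `{{%- if product in ["fedora", "rhcos4", "sle12", "sle15", "slmicro5", "ubuntu2004", "ubuntu2204", "ubuntu2404"] or 'ol' in families or 'rhel' in product %}}`, with `/usr/sbin/unix_chkpwd` as the wrong path in that branch and `/sbin/unix_chkpwd` otherwise. The template `path` the check actually evaluates is outside this diff, so confirm the inverse relationship against it rather than against the description alone.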