ComplianceAsCode · ggbecker · Jan 23, 2025
diff --git a/...ure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix2_chkpwd/rule.yml b/...ure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix2_chkpwd/rule.yml
@@ -1,5 +1,7 @@
+{{%- set unix2_chkpwd_binary="/usr/sbin/unix2_chkpwd" %}}
 {{%- if product in ["sle15"] %}}
   {{%- set perm_x="-F perm=x " %}}
+  {{%- set unix2_chkpwd_binary="/sbin/unix2_chkpwd" %}}
 {{%- endif %}}
 
 documentation_complete: true
@@ -13,11 +15,11 @@ description: |-
     configured to use the <tt>augenrules</tt> program to read audit rules during
     daemon startup (the default), add a line of the following form to a file with
     suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-    <pre>-a always,exit -F path=/sbin/unix2_chkpwd {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path={{{ unix2_chkpwd_binary }}} {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add a line of the following
     form to <tt>/etc/audit/audit.rules</tt>:
-    <pre>-a always,exit -F path=/sbin/unix2_chkpwd {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path={{{ unix2_chkpwd_binary }}} {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
 
 rationale: |-
     Misuse of privileged functions, either intentionally or unintentionally by
@@ -62,4 +64,5 @@ ocil: |-
 template:
     name: audit_rules_privileged_commands
     vars:
-        path: /sbin/unix2_chkpwd
+        path: "/usr/sbin/unix2_chkpwd"
+        path@sle15: "/sbin/unix2_chkpwd"
diff --git a/...eged_commands/audit_rules_privileged_commands_unix2_chkpwd/tests/only_chkpwd_rule.fail.sh b/...eged_commands/audit_rules_privileged_commands_unix2_chkpwd/tests/only_chkpwd_rule.fail.sh
@@ -1,4 +1,8 @@
 #!/bin/bash
 # packages = audit
-
-echo "-a always,exit -F path=/sbin/unix2_chkpwd -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/privileged.rules
+{{%- if 'sl' in product %}}
+    {{%- set unix2_chkpwd_wrong_binary="/usr/sbin/unix2_chkpwd" %}}
+{{%- else %}}
+    {{%- set unix2_chkpwd_wrong_binary="/sbin/unix2_chkpwd" %}}
+{{%- endif %}}
+echo "-a always,exit -F path={{{ unix2_chkpwd_wrong_binary }}} -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/privileged.rules
diff --git a/...gure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml b/...gure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
@@ -1,4 +1,7 @@
-{{%- if product in ["fedora", "rhcos4", "sle12", "sle15", "slmicro5", "ubuntu2004", "ubuntu2204", "ubuntu2404"] or 'ol' in families or 'rhel' in product %}}  {{%- set perm_x="-F perm=x " %}}
+{{%- set unix_chkpwd_binary="/usr/sbin/unix_chkpwd" %}}
+{{%- if product in ["fedora", "rhcos4", "sle12", "sle15", "slmicro5", "ubuntu2004", "ubuntu2204", "ubuntu2404"] or 'ol' in families or 'rhel' in product %}}  
+    {{%- set perm_x="-F perm=x " %}}
+    {{%- set unix_chkpwd_binary="/sbin/unix_chkpwd" %}}
 {{%- endif %}}
 
 documentation_complete: true
@@ -12,11 +15,11 @@ description: |-
     configured to use the <tt>augenrules</tt> program to read audit rules during
     daemon startup (the default), add a line of the following form to a file with
     suffix <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
-    <pre>-a always,exit -F path=/usr/sbin/unix_chkpwd {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path={{{ unix_chkpwd_binary }}} {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add a line of the following
     form to <tt>/etc/audit/audit.rules</tt>:
-    <pre>-a always,exit -F path=/usr/sbin/unix_chkpwd {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
+    <pre>-a always,exit -F path={{{ unix_chkpwd_binary }}} {{{ perm_x }}}-F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
 
 rationale: |-
     Misuse of privileged functions, either intentionally or unintentionally by

diff --git a/...leged_commands/audit_rules_privileged_commands_unix_chkpwd/tests/only_chkpwd_rule.fail.sh b/...leged_commands/audit_rules_privileged_commands_unix_chkpwd/tests/only_chkpwd_rule.fail.sh
@@ -1,4 +1,8 @@
 #!/bin/bash
 # packages = audit
-
-echo "-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/privileged.rules
+{{%- if 'sl' in product %}}
+    {{%- set unix_chkpwd_wrong_binary="/usr/sbin/unix_chkpwd" %}}
+{{%- else %}}
+    {{%- set unix_chkpwd_wrong_binary="/sbin/unix_chkpwd" %}}
+{{%- endif %}}
+echo "-a always,exit -F path={{{ unix_chkpwd_wrong_binary }}} -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/privileged.rules