From 9a8473fe43748e303a959ffc6a2f9a86ed415d58 Mon Sep 17 00:00:00 2001
From: Alexander Bushkin <abushkin@abushkin-thinkpadt14gen4.rmtit.csb>
Date: Fri, 12 Jun 2026 15:34:57 +0200
Subject: [PATCH 1/3] Resolves JIRA issue CMP-4338: Updated the audit rules to
 properly handle the RHCOS4 audit system configuration (which supports
 rhel8-rhel10).

---
 shared/checks/oval/audit_rules_auditctl.xml   | 19 +++++++++++++++++++
 shared/checks/oval/audit_rules_augenrules.xml | 19 +++++++++++++++++++
 2 files changed, 38 insertions(+)

diff --git a/shared/checks/oval/audit_rules_auditctl.xml b/shared/checks/oval/audit_rules_auditctl.xml
index 27a4e5489599..5e916d897e7c 100644
--- a/shared/checks/oval/audit_rules_auditctl.xml
+++ b/shared/checks/oval/audit_rules_auditctl.xml
@@ -8,11 +8,30 @@
       <description>Test if auditctl is in use for audit rules.</description>
     </metadata>
 
+{{% if product in ['ocp4', 'rhcos4'] %}}
+    <criteria operator="OR">
+      <criterion comment="audit auditctl via audit-rules.service" test_ref="test_audit_rules_auditctl_service" />
+      <criterion comment="audit auditctl via auditd.service" test_ref="test_audit_rules_auditctl" />
+    </criteria>
+{{% else %}}
     <criteria>
       <criterion comment="audit auditctl" test_ref="test_audit_rules_auditctl" />
     </criteria>
+{{% endif %}}
   </definition>
 
+{{% if product in ['ocp4', 'rhcos4'] %}}
+  <!-- RHCOS on RHEL 10+: auditctl runs via a separate audit-rules.service -->
+  <ind:textfilecontent54_test check="all" comment="audit auditctl via audit-rules.service" id="test_audit_rules_auditctl_service" version="1">
+    <ind:object object_ref="object_audit_rules_auditctl_service" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_audit_rules_auditctl_service" version="1">
+    <ind:filepath>/usr/lib/systemd/system/audit-rules.service</ind:filepath>
+    <ind:pattern operation="pattern match">^ExecStart=\/sbin\/auditctl.*$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+{{% endif %}}
+
   <!-- Test the auditctl case -->
   <ind:textfilecontent54_test check="all" comment="audit auditctl" id="test_audit_rules_auditctl" version="1">
     <ind:object object_ref="object_audit_rules_auditctl" />
diff --git a/shared/checks/oval/audit_rules_augenrules.xml b/shared/checks/oval/audit_rules_augenrules.xml
index 7b46a1c9f136..570a0f23b65b 100644
--- a/shared/checks/oval/audit_rules_augenrules.xml
+++ b/shared/checks/oval/audit_rules_augenrules.xml
@@ -8,11 +8,30 @@
       <description>Test if augenrules is enabled for audit rules.</description>
     </metadata>
 
+{{% if product in ['ocp4', 'rhcos4'] %}}
+    <criteria operator="OR">
+      <criterion comment="audit augenrules via audit-rules.service" test_ref="test_audit_rules_augenrules_service" />
+      <criterion comment="audit augenrules via auditd.service" test_ref="test_audit_rules_augenrules" />
+    </criteria>
+{{% else %}}
     <criteria>
       <criterion comment="audit augenrules" test_ref="test_audit_rules_augenrules" />
     </criteria>
+{{% endif %}}
   </definition>
 
+{{% if product in ['ocp4', 'rhcos4'] %}}
+  <!-- RHCOS on RHEL 10+: augenrules runs via a separate audit-rules.service -->
+  <ind:textfilecontent54_test check="all" comment="audit augenrules via audit-rules.service" id="test_audit_rules_augenrules_service" version="1">
+    <ind:object object_ref="object_audit_rules_augenrules_service" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_audit_rules_augenrules_service" version="1">
+    <ind:filepath>/usr/lib/systemd/system/audit-rules.service</ind:filepath>
+    <ind:pattern operation="pattern match">^ExecStart=(\/usr|)?\/sbin\/augenrules.*$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+{{% endif %}}
+
   <!-- Test the augenrules case -->
   <ind:textfilecontent54_test check="all" comment="audit augenrules" id="test_audit_rules_augenrules" version="1">
     <ind:object object_ref="object_audit_rules_augenrules" />

From 440aa2cb3b2ec2a377d40e69bc0c4e3e830ca8b9 Mon Sep 17 00:00:00 2001
From: Alexander Bushkin <abushkin@abushkin-thinkpadt14gen4.rmtit.csb>
Date: Fri, 12 Jun 2026 15:57:30 +0200
Subject: [PATCH 2/3] Modified these files to fix the typo of having 'access'
 mispelled as 'acccess'. Doesn't currently break anything, but better to fix
 for correctness' sake.

---
 .../oval/shared.xml                              | 16 ++++++++--------
 .../oval/shared.xml                              | 16 ++++++++--------
 .../oval/shared.xml                              | 16 ++++++++--------
 .../oval/shared.xml                              | 10 +++++-----
 4 files changed, 29 insertions(+), 29 deletions(-)

diff --git a/applications/openshift/logging/directory_access_var_log_kube_audit/oval/shared.xml b/applications/openshift/logging/directory_access_var_log_kube_audit/oval/shared.xml
index f6137380bd5d..314f48ff17d2 100644
--- a/applications/openshift/logging/directory_access_var_log_kube_audit/oval/shared.xml
+++ b/applications/openshift/logging/directory_access_var_log_kube_audit/oval/shared.xml
@@ -7,13 +7,13 @@
       <!-- Test the augenrules case -->
       <criteria operator="AND">
         <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
-        <criterion comment="audit rule to record read access events to /var/log/kube-apiserver" test_ref="test_directory_acccess_var_log_kube_audit_augenrules" />
+        <criterion comment="audit rule to record read access events to /var/log/kube-apiserver" test_ref="test_directory_access_var_log_kube_audit_augenrules" />
       </criteria>
 
       <!-- OR test the auditctl case -->
       <criteria operator="AND">
         <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
-        <criterion comment="audit rule to record read access events to /var/log/kube-apiserver" test_ref="test_directory_acccess_var_log_kube_audit_auditctl" />
+        <criterion comment="audit rule to record read access events to /var/log/kube-apiserver" test_ref="test_directory_access_var_log_kube_audit_auditctl" />
       </criteria>
 
     </criteria>
@@ -26,10 +26,10 @@
 
   <!-- directory access /var/log/audit augenrule -->
   <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
- comment="defined audit rule must exist" id="test_directory_acccess_var_log_kube_audit_augenrules" version="1">
-    <ind:object object_ref="object_directory_acccess_var_log_kube_audit_augenrules" />
+ comment="defined audit rule must exist" id="test_directory_access_var_log_kube_audit_augenrules" version="1">
+    <ind:object object_ref="object_directory_access_var_log_kube_audit_augenrules" />
   </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="object_directory_acccess_var_log_kube_audit_augenrules" version="1">
+  <ind:textfilecontent54_object id="object_directory_access_var_log_kube_audit_augenrules" version="1">
     <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
     <ind:pattern operation="pattern match" var_ref="var_audit_rule_access_var_log_kube_audit_regex" />
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
@@ -38,10 +38,10 @@
 
   <!-- directory access /var/log/audit auditctl -->
   <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
- comment="defined audit rule must exist" id="test_directory_acccess_var_log_kube_audit_auditctl" version="1">
-    <ind:object object_ref="object_directory_acccess_var_log_kube_audit_auditctl" />
+ comment="defined audit rule must exist" id="test_directory_access_var_log_kube_audit_auditctl" version="1">
+    <ind:object object_ref="object_directory_access_var_log_kube_audit_auditctl" />
   </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="object_directory_acccess_var_log_kube_audit_auditctl" version="1">
+  <ind:textfilecontent54_object id="object_directory_access_var_log_kube_audit_auditctl" version="1">
     <ind:filepath>/etc/audit/audit.rules</ind:filepath>
     <ind:pattern operation="pattern match" var_ref="var_audit_rule_access_var_log_kube_audit_regex" />
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
diff --git a/applications/openshift/logging/directory_access_var_log_oauth_audit/oval/shared.xml b/applications/openshift/logging/directory_access_var_log_oauth_audit/oval/shared.xml
index c7f1506c2965..a1f75cfb451c 100644
--- a/applications/openshift/logging/directory_access_var_log_oauth_audit/oval/shared.xml
+++ b/applications/openshift/logging/directory_access_var_log_oauth_audit/oval/shared.xml
@@ -7,13 +7,13 @@
       <!-- Test the augenrules case -->
       <criteria operator="AND">
         <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
-        <criterion comment="audit rule to record read access events to /var/log/oauth-apiserver" test_ref="test_directory_acccess_var_log_oauth_audit_augenrules" />
+        <criterion comment="audit rule to record read access events to /var/log/oauth-apiserver" test_ref="test_directory_access_var_log_oauth_audit_augenrules" />
       </criteria>
 
       <!-- OR test the auditctl case -->
       <criteria operator="AND">
         <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
-        <criterion comment="audit rule to record read access events to /var/log/oauth-apiserver" test_ref="test_directory_acccess_var_log_oauth_audit_auditctl" />
+        <criterion comment="audit rule to record read access events to /var/log/oauth-apiserver" test_ref="test_directory_access_var_log_oauth_audit_auditctl" />
       </criteria>
 
     </criteria>
@@ -26,10 +26,10 @@
 
   <!-- directory access /var/log/audit augenrule -->
   <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
- comment="defined audit rule must exist" id="test_directory_acccess_var_log_oauth_audit_augenrules" version="1">
-    <ind:object object_ref="object_directory_acccess_var_log_oauth_audit_augenrules" />
+ comment="defined audit rule must exist" id="test_directory_access_var_log_oauth_audit_augenrules" version="1">
+    <ind:object object_ref="object_directory_access_var_log_oauth_audit_augenrules" />
   </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="object_directory_acccess_var_log_oauth_audit_augenrules" version="1">
+  <ind:textfilecontent54_object id="object_directory_access_var_log_oauth_audit_augenrules" version="1">
     <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
     <ind:pattern operation="pattern match" var_ref="var_audit_rule_access_var_log_oauth_audit_regex" />
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
@@ -38,10 +38,10 @@
 
   <!-- directory access /var/log/audit auditctl -->
   <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
- comment="defined audit rule must exist" id="test_directory_acccess_var_log_oauth_audit_auditctl" version="1">
-    <ind:object object_ref="object_directory_acccess_var_log_oauth_audit_auditctl" />
+ comment="defined audit rule must exist" id="test_directory_access_var_log_oauth_audit_auditctl" version="1">
+    <ind:object object_ref="object_directory_access_var_log_oauth_audit_auditctl" />
   </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="object_directory_acccess_var_log_oauth_audit_auditctl" version="1">
+  <ind:textfilecontent54_object id="object_directory_access_var_log_oauth_audit_auditctl" version="1">
     <ind:filepath>/etc/audit/audit.rules</ind:filepath>
     <ind:pattern operation="pattern match" var_ref="var_audit_rule_access_var_log_oauth_audit_regex" />
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
diff --git a/applications/openshift/logging/directory_access_var_log_ocp_audit/oval/shared.xml b/applications/openshift/logging/directory_access_var_log_ocp_audit/oval/shared.xml
index 579dde10725b..1af2c2d07fcd 100644
--- a/applications/openshift/logging/directory_access_var_log_ocp_audit/oval/shared.xml
+++ b/applications/openshift/logging/directory_access_var_log_ocp_audit/oval/shared.xml
@@ -7,13 +7,13 @@
       <!-- Test the augenrules case -->
       <criteria operator="AND">
         <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
-        <criterion comment="audit rule to record read access events to /var/log/openshift-apiserver" test_ref="test_directory_acccess_var_log_ocp_audit_augenrules" />
+        <criterion comment="audit rule to record read access events to /var/log/openshift-apiserver" test_ref="test_directory_access_var_log_ocp_audit_augenrules" />
       </criteria>
 
       <!-- OR test the auditctl case -->
       <criteria operator="AND">
         <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
-        <criterion comment="audit rule to record read access events to /var/log/openshift-apiserver" test_ref="test_directory_acccess_var_log_ocp_audit_auditctl" />
+        <criterion comment="audit rule to record read access events to /var/log/openshift-apiserver" test_ref="test_directory_access_var_log_ocp_audit_auditctl" />
       </criteria>
 
     </criteria>
@@ -26,10 +26,10 @@
 
   <!-- directory access /var/log/audit augenrule -->
   <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
- comment="defined audit rule must exist" id="test_directory_acccess_var_log_ocp_audit_augenrules" version="1">
-    <ind:object object_ref="object_directory_acccess_var_log_ocp_audit_augenrules" />
+ comment="defined audit rule must exist" id="test_directory_access_var_log_ocp_audit_augenrules" version="1">
+    <ind:object object_ref="object_directory_access_var_log_ocp_audit_augenrules" />
   </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="object_directory_acccess_var_log_ocp_audit_augenrules" version="1">
+  <ind:textfilecontent54_object id="object_directory_access_var_log_ocp_audit_augenrules" version="1">
     <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
     <ind:pattern operation="pattern match" var_ref="var_audit_rule_access_var_log_ocp_audit_regex" />
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
@@ -38,10 +38,10 @@
 
   <!-- directory access /var/log/audit auditctl -->
   <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
- comment="defined audit rule must exist" id="test_directory_acccess_var_log_ocp_audit_auditctl" version="1">
-    <ind:object object_ref="object_directory_acccess_var_log_ocp_audit_auditctl" />
+ comment="defined audit rule must exist" id="test_directory_access_var_log_ocp_audit_auditctl" version="1">
+    <ind:object object_ref="object_directory_access_var_log_ocp_audit_auditctl" />
   </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="object_directory_acccess_var_log_ocp_audit_auditctl" version="1">
+  <ind:textfilecontent54_object id="object_directory_access_var_log_ocp_audit_auditctl" version="1">
     <ind:filepath>/etc/audit/audit.rules</ind:filepath>
     <ind:pattern operation="pattern match" var_ref="var_audit_rule_access_var_log_ocp_audit_regex" />
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
diff --git a/linux_os/guide/auditing/auditd_configure_rules/directory_access_var_log_audit/oval/shared.xml b/linux_os/guide/auditing/auditd_configure_rules/directory_access_var_log_audit/oval/shared.xml
index 245224288fac..9fd0f27c9e9c 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/directory_access_var_log_audit/oval/shared.xml
+++ b/linux_os/guide/auditing/auditd_configure_rules/directory_access_var_log_audit/oval/shared.xml
@@ -30,7 +30,7 @@
     </criteria>
   </definition>
 
-{{% macro test_directory_acccess_var_log_audit(audit_tool, filepath, bits) %}}
+{{% macro test_directory_access_var_log_audit(audit_tool, filepath, bits) %}}
   <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit {{{ audit_tool }}} {{{ NAME }}}" id="test_{{{ rule_id }}}_{{{ audit_tool }}}_{{{ bits }}}bit" version="1">
     <ind:object object_ref="object_{{{ rule_id }}}_{{{ audit_tool }}}_{{{ bits }}}bit" />
   </ind:textfilecontent54_test>
@@ -41,9 +41,9 @@
   </ind:textfilecontent54_object>
 {{% endmacro %}}
 
-{{{ test_directory_acccess_var_log_audit("augenrules", "^/etc/audit/rules\.d/.*\.rules$", "32") }}}
-{{{ test_directory_acccess_var_log_audit("augenrules", "^/etc/audit/rules\.d/.*\.rules$", "64") }}}
-{{{ test_directory_acccess_var_log_audit("auditctl", "/etc/audit/audit.rules", "32") }}}
-{{{ test_directory_acccess_var_log_audit("auditctl", "/etc/audit/audit.rules", "64") }}}
+{{{ test_directory_access_var_log_audit("augenrules", "^/etc/audit/rules\.d/.*\.rules$", "32") }}}
+{{{ test_directory_access_var_log_audit("augenrules", "^/etc/audit/rules\.d/.*\.rules$", "64") }}}
+{{{ test_directory_access_var_log_audit("auditctl", "/etc/audit/audit.rules", "32") }}}
+{{{ test_directory_access_var_log_audit("auditctl", "/etc/audit/audit.rules", "64") }}}
 
 </def-group>

From c086a445b6483ac0cd2692768150cd71bd1f17b8 Mon Sep 17 00:00:00 2001
From: Alexander Bushkin <abushkin@abushkin-thinkpadt14gen4.rmtit.csb>
Date: Fri, 12 Jun 2026 17:35:18 +0200
Subject: [PATCH 3/3] Removed ocp4 tags from conditionals.

---
 shared/checks/oval/audit_rules_auditctl.xml   | 4 ++--
 shared/checks/oval/audit_rules_augenrules.xml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/shared/checks/oval/audit_rules_auditctl.xml b/shared/checks/oval/audit_rules_auditctl.xml
index 5e916d897e7c..a08a43310046 100644
--- a/shared/checks/oval/audit_rules_auditctl.xml
+++ b/shared/checks/oval/audit_rules_auditctl.xml
@@ -8,7 +8,7 @@
       <description>Test if auditctl is in use for audit rules.</description>
     </metadata>
 
-{{% if product in ['ocp4', 'rhcos4'] %}}
+{{% if product in ['rhcos4'] %}}
     <criteria operator="OR">
       <criterion comment="audit auditctl via audit-rules.service" test_ref="test_audit_rules_auditctl_service" />
       <criterion comment="audit auditctl via auditd.service" test_ref="test_audit_rules_auditctl" />
@@ -20,7 +20,7 @@
 {{% endif %}}
   </definition>
 
-{{% if product in ['ocp4', 'rhcos4'] %}}
+{{% if product in ['rhcos4'] %}}
   <!-- RHCOS on RHEL 10+: auditctl runs via a separate audit-rules.service -->
   <ind:textfilecontent54_test check="all" comment="audit auditctl via audit-rules.service" id="test_audit_rules_auditctl_service" version="1">
     <ind:object object_ref="object_audit_rules_auditctl_service" />
diff --git a/shared/checks/oval/audit_rules_augenrules.xml b/shared/checks/oval/audit_rules_augenrules.xml
index 570a0f23b65b..92620913a0d9 100644
--- a/shared/checks/oval/audit_rules_augenrules.xml
+++ b/shared/checks/oval/audit_rules_augenrules.xml
@@ -8,7 +8,7 @@
       <description>Test if augenrules is enabled for audit rules.</description>
     </metadata>
 
-{{% if product in ['ocp4', 'rhcos4'] %}}
+{{% if product in ['rhcos4'] %}}
     <criteria operator="OR">
       <criterion comment="audit augenrules via audit-rules.service" test_ref="test_audit_rules_augenrules_service" />
       <criterion comment="audit augenrules via auditd.service" test_ref="test_audit_rules_augenrules" />
@@ -20,7 +20,7 @@
 {{% endif %}}
   </definition>
 
-{{% if product in ['ocp4', 'rhcos4'] %}}
+{{% if product in ['rhcos4'] %}}
   <!-- RHCOS on RHEL 10+: augenrules runs via a separate audit-rules.service -->
   <ind:textfilecontent54_test check="all" comment="audit augenrules via audit-rules.service" id="test_audit_rules_augenrules_service" version="1">
     <ind:object object_ref="object_audit_rules_augenrules_service" />