Bug 1767054

this would be very useful for us to document for customers how to link the appropriate files via MachineConfig, for customers that need to meet FedRAMP moderate for instance. Instead of telling them to copy entire audit rules into MachineConfig files.

Upstream commit f515921 now places the audit rules in /usr/share/audit/sample-rules/
This is planned to be pulled in by the audit rebase bug 1757986.

audit-3.0-0.14.20191104git1c2f876 has been built to address this issue.

Successfully verified.

NEW (audit-3.0-0.15.20191104git1c2f876.el8)
===========================================

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Setup
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 16:33:07 ] :: [   PASS   ] :: Checking for the presence of audit rpm 
:: [ 16:33:07 ] :: [   LOG    ] :: Package versions:
:: [ 16:33:07 ] :: [   LOG    ] ::   audit-3.0-0.15.20191104git1c2f876.el8.x86_64
:: [ 16:33:14 ] :: [   PASS   ] :: Starting auditd service (Expected 0, got 0)
:: [ 16:33:14 ] :: [   PASS   ] :: Removing all rules (Expected 0, got 0)
:: [ 16:33:14 ] :: [   LOG    ] :: There are 34 rule files provided
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 7s
::   Assertions: 3 good, 0 bad
::   RESULT: PASS (Setup)


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Rules location
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 16:33:14 ] :: [   PASS   ] :: Checking /usr/share/audit/sample-rules/10-base-config.rules (Assert: '/usr/share/audit/sample-rules' should equal '/usr/share/audit/sample-rules')
:: [ 16:33:14 ] :: [   PASS   ] :: Checking /usr/share/audit/sample-rules/10-no-audit.rules (Assert: '/usr/share/audit/sample-rules' should equal '/usr/share/audit/sample-rules')
:: [ 16:33:14 ] :: [   PASS   ] :: Checking /usr/share/audit/sample-rules/11-loginuid.rules (Assert: '/usr/share/audit/sample-rules' should equal '/usr/share/audit/sample-rules')
:: [ 16:33:14 ] :: [   PASS   ] :: Checking /usr/share/audit/sample-rules/12-cont-fail.rules (Assert: '/usr/share/audit/sample-rules' should equal '/usr/share/audit/sample-rules')
:: [ 16:33:14 ] :: [   PASS   ] :: Checking /usr/share/audit/sample-rules/12-ignore-error.rules (Assert: '/usr/share/audit/sample-rules' should equal '/usr/share/audit/sample-rules')
:: [ 16:33:14 ] :: [   PASS   ] :: Checking /usr/share/audit/sample-rules/20-dont-audit.rules (Assert: '/usr/share/audit/sample-rules' should equal '/usr/share/audit/sample-rules')
:: [ 16:33:14 ] :: [   PASS   ] :: Checking /usr/share/audit/sample-rules/21-no32bit.rules (Assert: '/usr/share/audit/sample-rules' should equal '/usr/share/audit/sample-rules')
:: [ 16:33:14 ] :: [   PASS   ] :: Checking /usr/share/audit/sample-rules/22-ignore-chrony.rules (Assert: '/usr/share/audit/sample-rules' should equal '/usr/share/audit/sample-rules')
:: [ 16:33:14 ] :: [   PASS   ] :: Checking /usr/share/audit/sample-rules/23-ignore-filesystems.rules (Assert: '/usr/share/audit/sample-rules' should equal '/usr/share/audit/sample-rules')
:: [ 16:33:14 ] :: [   PASS   ] :: Checking /usr/share/audit/sample-rules/30-nispom.rules (Assert: '/usr/share/audit/sample-rules' should equal '/usr/share/audit/sample-rules')
:: [ 16:33:14 ] :: [   PASS   ] :: Checking /usr/share/audit/sample-rules/30-ospp-v42-1-create-failed.rules (Assert: '/usr/share/audit/sample-rules' should equal '/usr/share/audit/sample-rules')
:: [ 16:33:14 ] :: [   PASS   ] :: Checking /usr/share/audit/sample-rules/30-ospp-v42-1-create-success.rules (Assert: '/usr/share/audit/sample-rules' should equal '/usr/share/audit/sample-rules')
:: [ 16:33:14 ] :: [   PASS   ] :: Checking /usr/share/audit/sample-rules/30-ospp-v42-2-modify-failed.rules (Assert: '/usr/share/audit/sample-rules' should equal '/usr/share/audit/sample-rules')
:: [ 16:33:14 ] :: [   PASS   ] :: Checking /usr/share/audit/sample-rules/30-ospp-v42-2-modify-success.rules (Assert: '/usr/share/audit/sample-rules' should equal '/usr/share/audit/sample-rules')
:: [ 16:33:14 ] :: [   PASS   ] :: Checking /usr/share/audit/sample-rules/30-ospp-v42-3-access-failed.rules (Assert: '/usr/share/audit/sample-rules' should equal '/usr/share/audit/sample-rules')
:: [ 16:33:14 ] :: [   PASS   ] :: Checking /usr/share/audit/sample-rules/30-ospp-v42-3-access-success.rules (Assert: '/usr/share/audit/sample-rules' should equal '/usr/share/audit/sample-rules')
:: [ 16:33:14 ] :: [   PASS   ] :: Checking /usr/share/audit/sample-rules/30-ospp-v42-4-delete-failed.rules (Assert: '/usr/share/audit/sample-rules' should equal '/usr/share/audit/sample-rules')
:: [ 16:33:14 ] :: [   PASS   ] :: Checking /usr/share/audit/sample-rules/30-ospp-v42-4-delete-success.rules (Assert: '/usr/share/audit/sample-rules' should equal '/usr/share/audit/sample-rules')
:: [ 16:33:14 ] :: [   PASS   ] :: Checking /usr/share/audit/sample-rules/30-ospp-v42-5-perm-change-failed.rules (Assert: '/usr/share/audit/sample-rules' should equal '/usr/share/audit/sample-rules')
:: [ 16:33:14 ] :: [   PASS   ] :: Checking /usr/share/audit/sample-rules/30-ospp-v42-5-perm-change-success.rules (Assert: '/usr/share/audit/sample-rules' should equal '/usr/share/audit/sample-rules')
:: [ 16:33:14 ] :: [   PASS   ] :: Checking /usr/share/audit/sample-rules/30-ospp-v42-6-owner-change-failed.rules (Assert: '/usr/share/audit/sample-rules' should equal '/usr/share/audit/sample-rules')
:: [ 16:33:14 ] :: [   PASS   ] :: Checking /usr/share/audit/sample-rules/30-ospp-v42-6-owner-change-success.rules (Assert: '/usr/share/audit/sample-rules' should equal '/usr/share/audit/sample-rules')
:: [ 16:33:14 ] :: [   PASS   ] :: Checking /usr/share/audit/sample-rules/30-ospp-v42.rules (Assert: '/usr/share/audit/sample-rules' should equal '/usr/share/audit/sample-rules')
:: [ 16:33:14 ] :: [   PASS   ] :: Checking /usr/share/audit/sample-rules/30-pci-dss-v31.rules (Assert: '/usr/share/audit/sample-rules' should equal '/usr/share/audit/sample-rules')
:: [ 16:33:14 ] :: [   PASS   ] :: Checking /usr/share/audit/sample-rules/30-stig.rules (Assert: '/usr/share/audit/sample-rules' should equal '/usr/share/audit/sample-rules')
:: [ 16:33:14 ] :: [   PASS   ] :: Checking /usr/share/audit/sample-rules/31-privileged.rules (Assert: '/usr/share/audit/sample-rules' should equal '/usr/share/audit/sample-rules')
:: [ 16:33:14 ] :: [   PASS   ] :: Checking /usr/share/audit/sample-rules/32-power-abuse.rules (Assert: '/usr/share/audit/sample-rules' should equal '/usr/share/audit/sample-rules')
:: [ 16:33:14 ] :: [   PASS   ] :: Checking /usr/share/audit/sample-rules/40-local.rules (Assert: '/usr/share/audit/sample-rules' should equal '/usr/share/audit/sample-rules')
:: [ 16:33:14 ] :: [   PASS   ] :: Checking /usr/share/audit/sample-rules/41-containers.rules (Assert: '/usr/share/audit/sample-rules' should equal '/usr/share/audit/sample-rules')
:: [ 16:33:14 ] :: [   PASS   ] :: Checking /usr/share/audit/sample-rules/42-injection.rules (Assert: '/usr/share/audit/sample-rules' should equal '/usr/share/audit/sample-rules')
:: [ 16:33:14 ] :: [   PASS   ] :: Checking /usr/share/audit/sample-rules/43-module-load.rules (Assert: '/usr/share/audit/sample-rules' should equal '/usr/share/audit/sample-rules')
:: [ 16:33:14 ] :: [   PASS   ] :: Checking /usr/share/audit/sample-rules/70-einval.rules (Assert: '/usr/share/audit/sample-rules' should equal '/usr/share/audit/sample-rules')
:: [ 16:33:14 ] :: [   PASS   ] :: Checking /usr/share/audit/sample-rules/71-networking.rules (Assert: '/usr/share/audit/sample-rules' should equal '/usr/share/audit/sample-rules')
:: [ 16:33:14 ] :: [   PASS   ] :: Checking /usr/share/audit/sample-rules/99-finalize.rules (Assert: '/usr/share/audit/sample-rules' should equal '/usr/share/audit/sample-rules')
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 0s
::   Assertions: 34 good, 0 bad
::   RESULT: PASS (Rules location)

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1812