diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/bash/shared.sh
index cd61de6dfe3..d0371afcb3d 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/bash/shared.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/bash/shared.sh
@@ -10,14 +10,27 @@ SYSCALL=""
KEY="privileged"
SYSCALL_GROUPING=""
-FILTER_NODEV=$(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)
-PARTITIONS=$(findmnt -n -l -k -it $FILTER_NODEV | grep -Pv "noexec|nosuid|/proc($|/.*$)" | awk '{ print $1 }')
-for PARTITION in $PARTITIONS; do
- PRIV_CMDS=$(find "${PARTITION}" -xdev -perm /6000 -type f 2>/dev/null)
- for PRIV_CMD in $PRIV_CMDS; do
- OTHER_FILTERS="-F path=$PRIV_CMD -F perm=x"
+function add_audit_rule()
+{
+ local PRIV_CMD="$1"
+ local OTHER_FILTERS="-F path=$PRIV_CMD -F perm=x"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
{{{ bash_fix_audit_syscall_rule("augenrules", "$ACTION_ARCH_FILTERS", "$OTHER_FILTERS", "$AUID_FILTERS", "$SYSCALL", "$SYSCALL_GROUPING", "$KEY") | indent(4) }}}
{{{ bash_fix_audit_syscall_rule("auditctl", "$ACTION_ARCH_FILTERS", "$OTHER_FILTERS", "$AUID_FILTERS", "$SYSCALL", "$SYSCALL_GROUPING", "$KEY") | indent(4) }}}
+}
+
+if {{{ bash_bootc_build() }}} ; then
+ PRIV_CMDS=$(find / -perm /6000 -type f -not -path "/sysroot/*" 2>/dev/null)
+ for PRIV_CMD in $PRIV_CMDS; do
+ add_audit_rule $PRIV_CMD
+ done
+else
+ FILTER_NODEV=$(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)
+ PARTITIONS=$(findmnt -n -l -k -it "$FILTER_NODEV" | grep -Pv "noexec|nosuid|/proc($|/.*$)" | awk '{ print $1 }')
+ for PARTITION in $PARTITIONS; do
+ PRIV_CMDS=$(find "${PARTITION}" -xdev -perm /6000 -type f 2>/dev/null)
+ for PRIV_CMD in $PRIV_CMDS; do
+ add_audit_rule $PRIV_CMD
+ done
done
-done
+fi
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/oval/shared.xml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/oval/shared.xml
index 35cc22cf784..b7b8ab2028a 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/oval/shared.xml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/oval/shared.xml
@@ -5,26 +5,50 @@
-
-
+
+
+
+
+
+
+
+
+
+
+
+
-
-
+
+
+
+
+
+
+
+
+
+
+
+
- ^/dev/.*$
+ ^(/dev/.*|composefs)$
@@ -64,6 +88,11 @@
^/var/tmp/dracut.*
+
+ ^/sysroot/.*$
+
+
@@ -123,11 +181,22 @@
1
state_unprivileged_commands
+
+ ^/etc/audit/rules\.d/.*\.rules$
+
+ 1
+ state_unprivileged_commands_bootc
+
+
+
+
+
+
+
+
@@ -142,11 +217,21 @@
+
+
+
+
+
+
+
+
+
+
+
+
@@ -163,6 +254,13 @@
1
state_unprivileged_commands
+
+ /etc/audit/audit.rules
+
+ 1
+ state_unprivileged_commands_bootc
+
+
+
+
+
@@ -177,11 +281,21 @@
+
+
+
+
+
+
+
+
+
+
+
+