OVALFileLinker from SCAP Security Guide ssg: [0, 1, 80], python: 3.10.12 5.11.2 2025-11-24T17:59:05 Ensure auditd Collects Information on the Use of Privileged Commands Ubuntu 22.04 Audit rules about the information on the use of privileged commands are enabled. Test if auditctl is in use for audit rules Ubuntu 22.04 Test if auditctl is in use for audit rules. Test if augenrules is enabled for audit rules Ubuntu 22.04 Test if augenrules is enabled for audit rules. Ubuntu 22.04 Bootable container or bootc system ^(?!/proc(/.*|$)).*$ oval:ssg-state_audit_rules_privileged_commands_dev_partitons:ste:1 oval:ssg-state_audit_rules_privileged_commands_nosuid_partitons:ste:1 oval:ssg-state_audit_rules_privileged_commands_noexec_partitons:ste:1 ^\w+ oval:ssg-state_setuid_or_setgid_set:ste:1 oval:ssg-state_dracut_tmp_files:ste:1 / ^\w+ oval:ssg-state_setuid_or_setgid_set:ste:1 oval:ssg-state_dracut_tmp_files:ste:1 oval:ssg-state_audit_rules_privileged_commands_sysroot:ste:1 oval:ssg-var_audit_rules_privileged_commands_priv_cmds_count:var:1 oval:ssg-var_audit_rules_privileged_commands_priv_cmds_count_bootc:var:1 ^/etc/audit/rules\.d/.*\.rules$ 1 oval:ssg-state_unprivileged_commands:ste:1 ^/etc/audit/rules\.d/.*\.rules$ 1 oval:ssg-state_unprivileged_commands_bootc:ste:1 /etc/audit/audit.rules 1 oval:ssg-state_unprivileged_commands:ste:1 /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1 /usr/lib/systemd/system/auditd.service ^(ExecStartPost=\-\/sbin\/augenrules.*$|Requires=augenrules.service) 1 kernel rpm-ostree bootc openshift-kubelet /run/ostree-booted /ostree ^(/dev/.*|composefs)$ nosuid noexec true true ^/var/tmp/dracut.* ^/sysroot/.*$ /ostree symbolic link ^[\s]*-a always,exit (?:-F path=([\S]+))+(?: -F perm=x)? -F auid>=1000 -F auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$