{{{ oval_metadata("Audit rules about the read events to /var/log/kube-apiserver", rule_title=rule_title) }}} ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+dir=/var/log/kube-apiserver/)[\s]+(?:-F[\s]+perm=r)[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1