Update PSC Content for RHEL 9

linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount/policy/stig/shared.yml

@@ -7,11 +7,9 @@ vuldiscussion: |-
 checktext: |-
     Verify that {{{ full_name }}} generates an audit record for all uses of the "umount" and system call with the following command:
 
-    $ sudo grep "umount" /etc/audit/audit.*
+    $ sudo auditctl -l | grep b32 | grep 'umount\b'
 
-    If the system is configured to audit this activity, it will return a line like the following:
-
-    -a always,exit -F arch=b32 -S umount -F auid>={{{ uid_min }}} -F auid!=unset -k privileged-umount
+    -a always,exit -F arch=b32 -S umount -F auid>={{{ uid_min }}} -F auid!=-1 -F key=privileged-umount
 
     If the command does not return a line, or the line is commented out, this is a finding.
 
@@ -20,5 +18,6 @@ fixtext: |-
 
     -a always,exit -F arch=b32 -S umount -F auid>={{{ uid_min }}} -F auid!=unset -k privileged-umount
 
-    The audit daemon must be restarted for the changes to take effect.
+    To load the rules to the kernel immediately, use the following command:
 
+    $ sudo augenrules --load

linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount2/policy/stig/shared.yml

@@ -5,19 +5,21 @@ vuldiscussion: |-
     The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
 
 checktext: |-
-    To determine if the system is configured to audit calls to the  umount2 system call, run the following command:
+    To determine if the system is configured to audit calls to the umount2 system call, run the following command:
 
-    $ sudo grep "umount2" /etc/audit/audit.*
+    $ sudo auditctl -l | grep umount2
 
-    If the system is configured to audit this activity, it will return a line.
+    -a always,exit -F arch=b64 -S umount2 -F auid>={{{ uid_min }}} -F auid!=-1 -F key=privileged-umount
+    -a always,exit -F arch=b32 -S umount2 -F auid>={{{ uid_min }}} -F auid!=-1 -F key=privileged-umount
 
     If no line is returned, this is a finding.
 
 fixtext: |-
-    Configure the audit system to generate an audit event for any successful/unsuccessful use of the "umount2" system call by adding or updating the following rules in "/etc/audit/audit.rules" and adding the following rules to "/etc/audit/rules.d/perm_mod.rules" or updating the existing rules in files in the "/etc/audit/rules.d/" directory:
+    Configure the audit system to generate an audit event for any successful/unsuccessful use of the "umount2" system call by adding or updating the following rules in a file in "/etc/audit/rules.d".
 
-    -a always,exit -F arch=b32 -S umount2 -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
-    -a always,exit -F arch=b64 -S umount2 -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
+    -a always,exit -F arch=b32 -S umount2 -F auid>={{{ uid_min }}} -F auid!=unset -k privileged-umount
+    -a always,exit -F arch=b64 -S umount2 -F auid>={{{ uid_min }}} -F auid!=unset -k privileged-umount
 
-    The audit daemon must be restarted for the changes to take effect.
+    To load the rules to the kernel immediately, use the following command:
 
+    $ sudo augenrules --load

linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/policy/stig/shared.yml

@@ -15,7 +15,7 @@ checktext: |-
 
     $ sudo auditctl -l | grep chacl
 
-    -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
+    -a always,exit -S all -F path=/usr/bin/chacl -F perm=x -F auid>={{{ uid_min }}} -F auid!=-1 -F key=perm_mod
 
     If the command does not return a line, or the line is commented out, this is a finding.
 
@@ -24,5 +24,6 @@ fixtext: |-
 
     -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
 
-    The audit daemon must be restarted for the changes to take effect.
+    To load the rules to the kernel immediately, use the following command:
 
+    $ sudo augenrules --load

linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/policy/stig/shared.yml

@@ -15,7 +15,7 @@ checktext: |-
 
     $ sudo auditctl -l | grep setfacl
 
-    -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
+    -a always,exit -S all -F path=/usr/bin/setfacl -F perm=x -F auid>={{{ uid_min }}} -F auid!=-1 -F key=perm_mod
 
     If the command does not return a line, or the line is commented out, this is a finding.
 
@@ -24,5 +24,6 @@ fixtext: |-
 
     -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
 
-    The audit daemon must be restarted for the changes to take effect.
+    To load the rules to the kernel immediately, use the following command:
 
+    $ sudo augenrules --load

linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/policy/stig/shared.yml

@@ -15,7 +15,7 @@ checktext: |-
 
     $ sudo auditctl -l | grep chcon
 
-    -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
+    -a always,exit -S all -F path=/usr/bin/chcon -F perm=x -F auid>={{{ uid_min }}} -F auid!=-1 -F key=perm_mod
 
     If the command does not return a line, or the line is commented out, this is a finding.
 
@@ -24,5 +24,6 @@ fixtext: |-
 
     -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
 
-    The audit daemon must be restarted for the changes to take effect.
+    To load the rules to the kernel immediately, use the following command:
 
+    $ sudo augenrules --load

linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/policy/stig/shared.yml

@@ -15,7 +15,7 @@ checktext: |-
 
     $ sudo auditctl -l | grep semanage
 
-    -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -k privileged-unix-update
+    -a always,exit -S all -F path=/usr/sbin/semanage -F perm=x -F auid>={{{ uid_min }}} -F auid!=-1 -F key=privileged-unix-update
 
     If the command does not return a line, or the line is commented out, this is a finding.
 
@@ -24,5 +24,6 @@ fixtext: |-
 
     -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -k privileged-unix-update
 
-    The audit daemon must be restarted for the changes to take effect.
+    To load the rules to the kernel immediately, use the following command:
 
+    $ sudo augenrules --load

linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/policy/stig/shared.yml

@@ -15,7 +15,7 @@ checktext: |-
 
     $ sudo auditctl -l | grep setfiles
 
-    -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -k privileged-unix-update
+    -a always,exit -S all -F path=/usr/sbin/setfiles -F perm=x -F auid>={{{ uid_min }}} -F auid!=-1 -F key=privileged-unix-update
 
     If the command does not return a line, or the line is commented out, this is a finding.
 
@@ -24,5 +24,6 @@ fixtext: |-
 
     -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -k privileged-unix-update
 
-    The audit daemon must be restarted for the changes to take effect.
+    To load the rules to the kernel immediately, use the following command:
 
+    $ sudo augenrules --load

linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/policy/stig/shared.yml

@@ -15,7 +15,7 @@ checktext: |-
 
     $ sudo auditctl -l | grep setsebool
 
-     -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -F key=privileged
+    -a always,exit -S all -F path=/usr/sbin/setsebool -F perm=x -F auid>={{{ uid_min }}} -F auid!=-1 -F key=privileged
 
     If the command does not return a line, or the line is commented out, this is a finding.
 
@@ -24,5 +24,6 @@ fixtext: |-
 
     -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -F key=privileged
 
-    The audit daemon must be restarted for the changes to take effect.
+    To load the rules to the kernel immediately, use the following command:
 
+    $ sudo augenrules --load

linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/policy/stig/shared.yml

@@ -15,8 +15,8 @@ checktext: |-
 
     $ sudo auditctl -l | grep delete_module
 
-    -a always,exit -F arch=b32 -S delete_module -F auid>={{{ uid_min }}} -F auid!=unset -k module_chng
-    -a always,exit -F arch=b64 -S delete_module -F auid>={{{ uid_min }}} -F auid!=unset -k module_chng
+    -a always,exit -F arch=b32 -S delete_module -F auid>={{{ uid_min }}} -F auid!=-1 -F key=module_chng
+    -a always,exit -F arch=b64 -S delete_module -F auid>={{{ uid_min }}} -F auid!=-1 -F key=module_chng
 
     If both the "b32" and "b64" audit rules are not defined for the "delete_module" system call, or any of the lines returned are commented out, this is a finding.
 
@@ -26,5 +26,6 @@ fixtext: |-
     -a always,exit -F arch=b32 -S delete_module -F auid>={{{ uid_min }}} -F auid!=unset -k module_chng
     -a always,exit -F arch=b64 -S delete_module -F auid>={{{ uid_min }}} -F auid!=unset -k module_chng
 
-    The audit daemon must be restarted for the changes to take effect.
+    To load the rules to the kernel immediately, use the following command:
 
+    $ sudo augenrules --load

linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/policy/stig/shared.yml

@@ -22,3 +22,4 @@ fixtext: |-
 
     The audit daemon must be restarted for the changes to take effect.
 
+    $ sudo service auditd restart

linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/policy/stig/shared.yml

@@ -22,3 +22,4 @@ fixtext: |-
 
     The audit daemon must be restarted for the changes to take effect.
 
+    $ sudo service auditd restart

linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/policy/stig/shared.yml

@@ -11,7 +11,7 @@ checktext: |-
 
     -w /var/log/tallylog -p wa -k logins
 
-    If the command does not return a line, or the line is commented out, this is a finding.
+    If the command does not return a line, or the line is commented out, is a finding.
 
 fixtext: |-
     Configure {{{ full_name }}} to generate audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/tallylog".
@@ -21,4 +21,3 @@ fixtext: |-
     -w /var/log/tallylog -p wa -k logins
 
     The audit daemon must be restarted for the changes to take effect.
-

linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_privileged_commands_init/policy/stig/shared.yml

@@ -7,9 +7,9 @@ vuldiscussion: |-
 checktext: |-
     Verify that {{{ full_name }}} is configured to audit the execution of the "init" command with the following command:
 
-    $ sudo auditctl -l | grep init
+    $ sudo auditctl -l | grep /usr/sbin/init
 
-    -a always,exit -F path=/usr/sbin/init -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -k privileged-init
+    -a always,exit -S all -F path=/usr/sbin/init -F perm=x -F auid>={{{ uid_min }}} -F auid!=-1 -F key=privileged-init
 
     If the command does not return a line, or the line is commented out, this is a finding.
 
@@ -18,5 +18,6 @@ fixtext: |-
 
     -a always,exit -F path=/usr/sbin/init -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -k privileged-init
 
-    The audit daemon must be restarted for the changes to take effect.
+    To load the rules to the kernel immediately, use the following command:
 
+    $ sudo augenrules --load

linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_privileged_commands_poweroff/policy/stig/shared.yml

@@ -9,7 +9,7 @@ checktext: |-
 
     $ sudo auditctl -l | grep poweroff
 
-    -a always,exit -F path=/usr/sbin/poweroff -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -k privileged-poweroff
+    -a always,exit -S all -F path=/usr/sbin/poweroff -F perm=x -F auid>={{{ uid_min }}} -F auid!=-1 -F key=privileged-poweroff
 
     If the command does not return a line, or the line is commented out, this is a finding.
 
@@ -18,5 +18,6 @@ fixtext: |-
 
     -a always,exit -F path=/usr/sbin/poweroff -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -k privileged-poweroff
 
-    The audit daemon must be restarted for the changes to take effect.
+    To load the rules to the kernel immediately, use the following command:
 
+    $ sudo augenrules --load

linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_privileged_commands_reboot/policy/stig/shared.yml

@@ -9,7 +9,7 @@ checktext: |-
 
     $ sudo auditctl -l | grep reboot
 
-    -a always,exit -F path=/usr/sbin/reboot -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -k privileged-reboot
+    -a always,exit -S all -F path=/usr/sbin/reboot -F perm=x -F auid>={{{ uid_min }}} -F auid!=-1 -F key=privileged-reboot
 
     If the command does not return a line, or the line is commented out, this is a finding.
 
@@ -18,5 +18,6 @@ fixtext: |-
 
     -a always,exit -F path=/usr/sbin/reboot -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -k privileged-reboot
 
-    The audit daemon must be restarted for the changes to take effect.
+    To load the rules to the kernel immediately, use the following command:
 
+    $ sudo augenrules --load

linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_privileged_commands_shutdown/policy/stig/shared.yml

@@ -7,9 +7,9 @@ vuldiscussion: |-
 checktext: |-
     Verify that {{{ full_name }}} is configured to audit the execution of the "shutdown" command with the following command:
 
-    $ sudo auditctl -l | grep shutdown
+    $ sudo cat /etc/audit/rules.d/* | grep shutdown
 
-    -a always,exit -F path=/usr/sbin/shutdown -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -k privileged-shutdown
+    -a always,exit -S all -F path=/usr/sbin/shutdown -F perm=x -F auid>={{{ uid_min }}} -F auid!=-1 -F key=privileged-shutdown
 
     If the command does not return a line, or the line is commented out, this is a finding.
 
@@ -18,5 +18,6 @@ fixtext: |-
 
     -a always,exit -F path=/usr/sbin/shutdown -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -k privileged-shutdown
 
-    The audit daemon must be restarted for the changes to take effect.
+    To load the rules to the kernel immediately, use the following command:
 
+    $ sudo augenrules --load

linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/policy/stig/shared.yml

@@ -15,7 +15,7 @@ checktext: |-
 
     $ sudo auditctl -l | grep chage
 
-    -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -k privileged-chage
+    -a always,exit -S all -F path=/usr/bin/chage -F perm=x -F auid>={{{ uid_min }}} -F auid!=-1 -F key=privileged-chage
 
     If the command does not return a line, or the line is commented out, this is a finding.
 
@@ -24,5 +24,6 @@ fixtext: |-
 
     -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -k privileged-chage
 
-    The audit daemon must be restarted for the changes to take effect.
+    To load the rules to the kernel immediately, use the following command:
 
+    $ sudo augenrules --load

linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/policy/stig/shared.yml

@@ -15,7 +15,7 @@ checktext: |-
 
     $ sudo auditctl -l | grep chsh
 
-    -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -k priv_cmd
+    -a always,exit -S all -F path=/usr/bin/chsh -F perm=x -F auid>={{{ uid_min }}} -F auid!=-1 -F key=priv_cmd
 
     If the command does not return a line, or the line is commented out, this is a finding.
 
@@ -24,5 +24,6 @@ fixtext: |-
 
     -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -k priv_cmd
 
-    The audit daemon must be restarted for the changes to take effect.
+    To load the rules to the kernel immediately, use the following command:
 
+    $ sudo augenrules --load

linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/policy/stig/shared.yml

@@ -15,7 +15,7 @@ checktext: |-
 
     $ sudo auditctl -l | grep crontab
 
-    -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -k privileged-crontab
+    -a always,exit -S all -F path=/usr/bin/crontab -F perm=x -F auid>={{{ uid_min }}} -F auid!=-1 -F key=privileged-crontab
 
     If the command does not return a line, or the line is commented out, this is a finding.
 
@@ -24,5 +24,6 @@ fixtext: |-
 
     -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -k privileged-crontab
 
-    The audit daemon must be restarted for the changes to take effect.
+    To load the rules to the kernel immediately, use the following command:
 
+    $ sudo augenrules --load

linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/policy/stig/shared.yml

@@ -15,7 +15,7 @@ checktext: |-
 
     $ sudo auditctl -l | grep gpasswd
 
-    -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -k privileged-gpasswd
+    -a always,exit -S all -F path=/usr/bin/gpasswd -F perm=x -F auid>={{{ uid_min }}} -F auid!=-1 -F key=privileged-gpasswd
 
     If the command does not return a line, or the line is commented out, this is a finding.
 
@@ -24,5 +24,6 @@ fixtext: |-
 
     -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -k privileged-gpasswd
 
-    The audit daemon must be restarted for the changes to take effect.
+    To load the rules to the kernel immediately, use the following command:
 
+    $ sudo augenrules --load

linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/policy/stig/shared.yml

@@ -15,7 +15,7 @@ checktext: |-
 
     $ sudo auditctl -l | grep kmod
 
-    -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -k modules
+    -a always,exit -S all -F path=/usr/bin/kmod -F perm=x -F auid>={{{ uid_min }}} -F auid!=-1 -F key=modules
 
     If the command does not return a line, or the line is commented out, this is a finding.
 
@@ -24,5 +24,6 @@ fixtext: |-
 
     -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -k modules
 
-    The audit daemon must be restarted for the changes to take effect.
+    To load the rules to the kernel immediately, use the following command:
 
+    $ sudo augenrules --load

linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/policy/stig/shared.yml

@@ -15,7 +15,7 @@ checktext: |-
 
     $ sudo auditctl -l | grep /usr/bin/mount
 
-    -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -k privileged-mount
+    -a always,exit -S all -F path=/usr/bin/mount -F perm=x -F auid>={{{ uid_min }}} -F auid!=-1 -F key=privileged-mount
 
     If the command does not return a line, or the line is commented out, this is a finding.
 
@@ -24,5 +24,6 @@ fixtext: |-
 
     -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -k privileged-mount
 
-    The audit daemon must be restarted for the changes to take effect.
+    To load the rules to the kernel immediately, use the following command:
 
+    $ sudo augenrules --load

linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/policy/stig/shared.yml

@@ -15,7 +15,7 @@ checktext: |-
 
     $ sudo auditctl -l | grep newgrp
 
-    -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -k priv_cmd
+    -a always,exit -S all -F path=/usr/bin/newgrp -F perm=x -F auid>={{{ uid_min }}} -F auid!=-1 -F key=priv_cmd
 
     If the command does not return a line, or the line is commented out, this is a finding.
 
@@ -24,5 +24,6 @@ fixtext: |-
 
     -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -k priv_cmd
 
-    The audit daemon must be restarted for the changes to take effect.
+    To load the rules to the kernel immediately, use the following command:
 
+    $ sudo augenrules --load