From 3c66b3f83c6ba757d25b7d509d0449afa714404c Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 25 Jul 2022 15:25:39 +0100
Subject: [PATCH] updated rule

Signed-off-by: Mark Bolwell
---
 tasks/auditd.yml | 5 +++--
 templates/audit/98_auditd_exception.rules.j2 | 4 ++--
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/tasks/auditd.yml b/tasks/auditd.yml
index 7d9e937..837c7e1 100644
--- a/tasks/auditd.yml
+++ b/tasks/auditd.yml
@@ -8,7 +8,6 @@
 register: audit_rules_updated
 notify: restart auditd
-
 - name: POST | Set up auditd user logging exceptions
 template:
 src: audit/98_auditd_exception.rules.j2
@@ -17,7 +16,9 @@
 group: root
 mode: 0600
 notify: restart auditd
- when: allow_auditd_uid_user_exclusions
+ when:
+ - allow_auditd_uid_user_exclusions
+ - rhel9cis_auditd_uid_exclude | length > 0
 
 - name: POST | AUDITD | Discover if auditd immutable - Set reboot required if auditd immutable
 block:
diff --git a/templates/audit/98_auditd_exception.rules.j2 b/templates/audit/98_auditd_exception.rules.j2
index b3bace1..4bc8909 100644
--- a/templates/audit/98_auditd_exception.rules.j2
+++ b/templates/audit/98_auditd_exception.rules.j2
@@ -1,8 +1,8 @@
 ## This file is managed by Ansible, YOUR CHANGED WILL BE LOST!
 # This file contains users whose actions are not logged by auditd
-{% if allow_auditd_uid_user_exclusions %}
-{% for user in rhel8cis_auditd_uid_exclude %}
+{% if allow_auditd_uid_user_exclusions %}
+{% for user in rhel9cis_auditd_uid_exclude %}
 -F uid!={{ user }}
 {% endfor %}
 {% endif %}
\ No newline at end of file
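Review bot: Gating the template task on `rhel9cis_auditd_uid_exclude | length > 0` (second hunk of tasks/auditd.yml) means that once the exclusion list is emptied, or `allow_auditd_uid_user_exclusions` is switched off, the task is skipped and a 98_auditd_exception.rules file deployed by an earlier run stays on the host with its old `-F uid!=` exclusions still in force, so removing a user from the list no longer stops auditd from ignoring that user. The template already guards its body with `{% if allow_auditd_uid_user_exclusions %}` and an empty loop, so rendering an empty file was not harmful; if the goal is to avoid leaving an empty rules file, pair the skip with a task that removes the file under the inverse condition and notifies the same handler. `length` also raises on an undefined variable, so if `rhel9cis_auditd_uid_exclude` is optional it should read `rhel9cis_auditd_uid_exclude | default([]) | length > 0`. The enclosing template task starts before the hunk, so its `dest` path is not visible here and is left as a placeholder below.
```yaml
# … unchanged: template task for 98_auditd_exception.rules.j2 …
- name: POST | Remove auditd user logging exceptions when none are configured
  file:
    path: "<DEST_OF_TEMPLATE_TASK>"  # placeholder: the dest the template task above writes
    state: absent
  notify: restart auditd
  when: not allow_auditd_uid_user_exclusions or rhel9cis_auditd_uid_exclude | default([]) | length == 0
```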