From 8cd7d765c52737bc334599be7fd923299cef19c2 Mon Sep 17 00:00:00 2001
From: Mark Bolwell <mark.bollyuk@gmail.com>
Date: Wed, 26 Feb 2025 12:26:58 +0000
Subject: [PATCH] updated layout

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
---
 templates/audit/99_auditd.rules.j2 | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2
index 66ef19d..4d9c0d3 100644
--- a/templates/audit/99_auditd.rules.j2
+++ b/templates/audit/99_auditd.rules.j2
@@ -37,6 +37,7 @@
 {% for syscall in syscalls  %}
 {% if syscall in supported_syscalls %}
 {{ arch_syscalls.append(syscall) }}
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F a0=0x0 -k time-change
 -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F a0=0x0 -k time-change
 {% endif %}
 {% endfor %}
@@ -50,8 +51,8 @@
 {{ arch_syscalls.append(syscall) }}
 {% endif %}
 {% endfor %}
--a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }}  -k system-locale
--a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }}  -k system-locale
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k system-locale
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k system-locale
 -w /etc/issue -p wa -k system-locale
 -w /etc/issue.net -p wa -k system-locale
 -w /etc/hosts -p wa -k system-locale
@@ -178,7 +179,7 @@
 -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_chng
 {% endif %}
 {% if rhel9cis_rule_6_3_3_17 %}
--a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k priv_chng
+-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_chng
 {% endif %}
 {% if rhel9cis_rule_6_3_3_18 %}
 -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k usermod