From e1191cb2c4adf01b6027e204aedb8ac839a8ea88 Mon Sep 17 00:00:00 2001 
From: rchikov Date: Mon, 5 Jun 2023 15:35:29 +0200 Subject: [PATCH 1/2] Fix in audit_rules_systadmin_actions and new rule audit_rules_sysadmin_scope --- controls/anssi.yml | 1 + controls/cis_sle12.yml | 4 +- controls/cis_sle15.yml | 4 +- controls/pcidss_3.yml | 1 + controls/pcidss_4.yml | 1 + .../audit_rules_sudoers_d/oval/shared.xml | 2 +- .../ansible/shared.yml | 4 +- .../bash/shared.sh | 2 +- .../oval/shared.xml | 2 +- .../ansible/shared.yml | 10 +++ .../audit_rules_sysadmin_scope/bash/shared.sh | 9 +++ .../oval/shared.xml | 54 ++++++++++++++++ .../audit_rules_sysadmin_scope/rule.yml | 62 +++++++++++++++++++ .../tests/correct.pass.sh | 4 ++ .../tests/correct_without_key.pass.sh | 4 ++ .../tests/empty.fail.sh | 4 ++ .../tests/missing_slash.fail.sh | 4 ++ .../tests/ocp4/e2e.yml | 3 + products/sle15/profiles/hipaa.profile | 1 + shared/references/cce-sle12-avail.txt | 1 - shared/references/cce-sle15-avail.txt | 1 - 21 files changed, 169 insertions(+), 9 deletions(-) create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/ansible/shared.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/bash/shared.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/oval/shared.xml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/rule.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/tests/correct.pass.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/tests/correct_without_key.pass.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/tests/empty.fail.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/tests/missing_slash.fail.sh create mode 100644 
linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/tests/ocp4/e2e.yml diff --git a/controls/anssi.yml b/controls/anssi.yml index 35e111d11b7..ff0a4ae0bc5 100644 --- a/controls/anssi.yml +++ b/controls/anssi.yml @@ -1362,6 +1362,7 @@ controls: The logging of the system activity must be done through the auditd service. status: automated rules: + - audit_rules_sysadmin_scope - audit_rules_sysadmin_actions - audit_rules_login_events_faillock diff --git a/controls/cis_sle12.yml b/controls/cis_sle12.yml index d89700c00ea..2bb781a4740 100644 --- a/controls/cis_sle12.yml +++ b/controls/cis_sle12.yml @@ -1275,7 +1275,9 @@ controls: levels: - l2_server - l2_workstation - status: manual # missing rule for sudoers scope + status: automated + rules: + - audit_rules_sysadmin_scope - id: 4.1.15 title: Ensure system administrator actions (sudolog) are collected (Automated) diff --git a/controls/cis_sle15.yml b/controls/cis_sle15.yml index b30c995503a..756e509d823 100644 --- a/controls/cis_sle15.yml +++ b/controls/cis_sle15.yml @@ -1469,7 +1469,9 @@ controls: levels: - l2_server - l2_workstation - status: manual # missing rule for sudoers scope + status: automated + rules: + - audit_rules_sysadmin_scope - id: 4.1.15 title: Ensure system administrator actions (sudolog) are collected (Automated) diff --git a/controls/pcidss_3.yml b/controls/pcidss_3.yml index 5d149460dde..e786b401222 100644 --- a/controls/pcidss_3.yml +++ b/controls/pcidss_3.yml @@ -1852,6 +1852,7 @@ controls: status: automated rules: - audit_rules_privileged_commands + - audit_rules_sysadmin_scope - audit_rules_sysadmin_actions - id: Req-10.2.3 diff --git a/controls/pcidss_4.yml b/controls/pcidss_4.yml index b5e269f1464..d3822bd8fc3 100644 --- a/controls/pcidss_4.yml +++ b/controls/pcidss_4.yml @@ -2073,6 +2073,7 @@ controls: status: automated rules: - audit_rules_privileged_commands + - audit_rules_sysadmin_scope - audit_rules_sysadmin_actions - id: 10.2.1.3 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/oval/shared.xml index 9759902c62b..d80e8f42a16 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/oval/shared.xml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/oval/shared.xml @@ -1,5 +1,5 @@ - + {{{ oval_metadata("Audit actions taken by system administrators on the system - /etc/sudoers.d/.") }}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/ansible/shared.yml index 5a883c3cbb0..0c2a780f020 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/ansible/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/ansible/shared.yml @@ -4,7 +4,7 @@ # complexity = low # disruption = low -{{{ ansible_audit_augenrules_add_watch_rule(path='/etc/sudoers', permissions='wa', key='actions') }}} {{{ ansible_audit_auditctl_add_watch_rule(path='/etc/sudoers', permissions='wa', key='actions') }}} -{{{ ansible_audit_augenrules_add_watch_rule(path='/etc/sudoers.d/', permissions='wa', key='actions') }}} +{{{ ansible_audit_augenrules_add_watch_rule(path='/etc/sudoers', permissions='wa', key='actions') }}} {{{ ansible_audit_auditctl_add_watch_rule(path='/etc/sudoers.d/', permissions='wa', key='actions') }}} +{{{ ansible_audit_augenrules_add_watch_rule(path='/etc/sudoers.d/', permissions='wa', key='actions') }}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/bash/shared.sh index fcde9d3aa27..1c9e46c28ac 100644 
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/bash/shared.sh +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/bash/shared.sh @@ -1,8 +1,8 @@ # platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + {{{ bash_fix_audit_watch_rule("auditctl", "/etc/sudoers", "wa", "actions") }}} {{{ bash_fix_audit_watch_rule("augenrules", "/etc/sudoers", "wa", "actions") }}} - {{{ bash_fix_audit_watch_rule("auditctl", "/etc/sudoers.d/", "wa", "actions") }}} {{{ bash_fix_audit_watch_rule("augenrules", "/etc/sudoers.d/", "wa", "actions") }}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/oval/shared.xml index ad5a6e05285..6a45913c72a 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/oval/shared.xml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/oval/shared.xml @@ -1,5 +1,5 @@ - + {{{ oval_metadata("Audit actions taken by system administrators on the system.") }}} diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/ansible/shared.yml new file mode 100644 index 00000000000..8782641a948 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/ansible/shared.yml 
@@ -0,0 +1,10 @@
+# platform = multi_platform_sle
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ ansible_audit_auditctl_add_watch_rule(path='/etc/sudoers', permissions='wa', key='scope') }}}
+{{{ ansible_audit_augenrules_add_watch_rule(path='/etc/sudoers', permissions='wa', key='scope') }}}
+{{{ ansible_audit_auditctl_add_watch_rule(path='/etc/sudoers.d/', permissions='wa', key='scope') }}}
+{{{ ansible_audit_augenrules_add_watch_rule(path='/etc/sudoers.d/', permissions='wa', key='scope') }}}
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/bash/shared.sh
new file mode 100644
index 00000000000..1eb6827f11a
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/bash/shared.sh
@@ -0,0 +1,9 @@
+# platform = multi_platform_sle
+
+# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+
+{{{ bash_fix_audit_watch_rule("auditctl", "/etc/sudoers", "wa", "scope") }}}
+{{{ bash_fix_audit_watch_rule("augenrules", "/etc/sudoers", "wa", "scope") }}}
+{{{ bash_fix_audit_watch_rule("auditctl", "/etc/sudoers.d/", "wa", "scope") }}}
+{{{ bash_fix_audit_watch_rule("augenrules", "/etc/sudoers.d/", "wa", "scope") }}}
+
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/oval/shared.xml
new file mode 100644
index 00000000000..571c2fd11a1
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/oval/shared.xml
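Review bot: The watches written here, and by the bash remediation that follows on the same line, target the same two paths with the same `wa` permissions that audit_rules_sysadmin_actions already writes under key `actions`, and the controls hunks earlier in this patch select both rules in the ANSSI and PCI DSS profiles. Whether `bash_fix_audit_watch_rule` and the Ansible macros append a second watch keyed `scope` or treat the existing `actions` watch on that path as sufficient is not visible here; in the second case the OVAL added in this patch, which requires `-k scope`, would still fail after remediation. Please state the intended coexistence in the remediation header, e.g. `# /etc/sudoers and /etc/sudoers.d/ are also watched by audit_rules_sysadmin_actions (key 'actions'); this rule needs its own watch keyed 'scope'`, or fold the two keys into one rule if the macros only allow one watch per path.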
@@ -0,0 +1,54 @@ + + + {{{ oval_metadata("Audit changes of system administrators scope on the system.") }}} + + + + + + + + + + + + + + + + + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\bwa[[:space:]]*-k[[:space:]]scope\b$ + 1 + + + + + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+/etc/sudoers\.d/[\s]+\-p[\s]+\bwa[[:space:]]*-k[[:space:]]scope\b$ + 1 + + + + + + + /etc/audit/audit.rules + ^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\bwa[[:space:]]*-k[[:space:]]scope\b$ + 1 + + + + + + + /etc/audit/audit.rules + ^\-w[\s]+/etc/sudoers\.d/[\s]+\-p[\s]+\bwa[[:space:]]*-k[[:space:]]scope\b$ + 1 + + + diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/rule.yml new file mode 100644 index 00000000000..2a870a937e3 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/rule.yml @@ -0,0 +1,62 @@ +documentation_complete: true + +prodtype: sle12,sle15 + +title: 'Ensure auditd Collects System Administrator Scope' + +description: |- + Monitor changes in scope for system administrators, when the system is + configured to to force system administrators to log in as themselves first + and then use the sudo command to execute privileged commands. + If the auditd daemon is configured to use the + augenrules program to read audit rules during daemon startup (the default), + add the following line to a file with suffix .rules in the directory + /etc/audit/rules.d: +
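Review bot: Every pattern in this definition ends in `-k[[:space:]]scope\b$`, so a watch line with no key cannot match, yet `tests/correct_without_key.pass.sh` added later in this patch writes `-w /etc/sudoers -p wa` and expects a pass; one of the two must change, and if any key is meant to be acceptable the tail could become something like `\bwa\b(\s+-k\s+\S+)?$`. The `[[:space:]]*` after `wa` also accepts `wa-k scope`, which auditctl would likely reject as a permission string. Only `-w` syntax is recognised, so an equivalent `-a always,exit -F path=/etc/sudoers -F perm=wa` rule would be reported as non-compliant, which the rule description does not mention. The element markup of the definition is not readable here, so I could not confirm whether the rules.d and audit.rules criteria are combined with OR.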
-w /etc/sudoers -p wa -k scope
+    -w /etc/sudoers.d/ -p wa -k scope
+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following line to + /etc/audit/audit.rules file: +
-w /etc/sudoers -p wa -k scope
+    -w /etc/sudoers.d/ -p wa -k scope
+ +rationale: |- + Changes in the /etc/sudoers file, or a file in the /etc/sudoers.d/ directory + can indicate that an unauthorized change has been made to scope of system + administrator activity. + +severity: medium + +identifiers: + cce@sle12: CCE-92355-7 + cce@sle15: CCE-92551-1 + +references: + anssi: BP28(R73) + cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9 + cis@sle12: 4.1.14 + cis@sle15: 4.1.14 + cjis: 5.4.1.1 + cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 + cui: 3.1.7 + disa: CCI-000126,CCI-000130,CCI-000135,CCI-000169,CCI-000172,CCI-002884 + hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) + isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.8,4.3.3.6.6,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 + isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' + iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5 + nist: AC-2(7)(b),AU-2(d),AU-12(c),AC-6(9),CM-6(a) + nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-1,PR.AC-3,PR.AC-4,PR.AC-6,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4 + nist@sle15: AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv),MA-4(1)(a) + ospp: FAU_GEN.1.1.c + pcidss: Req-10.2.2,Req-10.2.5.b + pcidss4: "10.2.1.5,10.2.2" + srg: 
SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221 + + +ocil_clause: 'there is not output' + +ocil: |- + To verify that auditing is configured for system administrator actions, run the following commands: +
$ sudo grep scope /etc/audit/rules.d/*.rules
+ or +
$ auditctl -l | grep scope
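Review bot: The OCIL block is copied from the actions rule and does not describe this one: `To verify that auditing is configured for system administrator actions` should say changes to the system administrator scope, and `ocil_clause: 'there is not output'` should read `'there is no output'`. In the description, `add the following line` precedes two lines in both places and `configured to to force` has a doubled word. `cis@sle12: 4.1.14` and `cis@sle15: 4.1.14` are also carried by audit_rules_sysadmin_actions/rule.yml (visible in the second patch of this series), so two rules map to the same CIS item while the controls file selects only this one. The `tests/ocp4/e2e.yml` added further down is presumably unneeded for a rule whose `prodtype` is `sle12,sle15`.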
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/tests/correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/tests/correct.pass.sh
new file mode 100644
index 00000000000..be8fc3b8209
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/tests/correct.pass.sh
@@ -0,0 +1,4 @@
+
+# packages = audit
+echo "-w /etc/sudoers -p wa -k scope" >> /etc/audit/rules.d/actions.rules
+echo "-w /etc/sudoers.d/ -p wa -k scope" >> /etc/audit/rules.d/actions.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/tests/correct_without_key.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/tests/correct_without_key.pass.sh
new file mode 100644
index 00000000000..d6751c8b4b9
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/tests/correct_without_key.pass.sh
@@ -0,0 +1,4 @@
+
+# packages = audit
+echo "-w /etc/sudoers -p wa" >> /etc/audit/rules.d/actions.rules
+echo "-w /etc/sudoers.d/ -p wa" >> /etc/audit/rules.d/actions.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/tests/empty.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/tests/empty.fail.sh
new file mode 100644
index 00000000000..2fb1b24fcaf
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/tests/empty.fail.sh
@@ -0,0 +1,4 @@
+
+# packages = audit
+rm -f /etc/audit/rules.d/*
+> /etc/audit/audit.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/tests/missing_slash.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/tests/missing_slash.fail.sh
new file mode 100644
index 00000000000..0b190eb9012
--- /dev/null
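Review bot: All three scenarios here, and `missing_slash.fail.sh` on the next line, write only to `/etc/audit/rules.d/actions.rules`, so the `/etc/audit/audit.rules` branch of the OVAL is never exercised, and `actions.rules` is a misleading file name for a scope rule. Assuming the definition accepts either location, add a scenario such as `correct_auditctl.pass.sh` containing the same two `echo` lines redirected to `/etc/audit/audit.rules`. A `missing_sudoers_d.fail.sh` that writes only the `/etc/sudoers` watch would also confirm that both paths are required rather than either one.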
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/tests/missing_slash.fail.sh
@@ -0,0 +1,4 @@
+
+# packages = audit
+echo "-w /etc/sudoers -p wa -k scope" >> /etc/audit/rules.d/actions.rules
+echo "-w /etc/sudoers.d -p wa -k scope" >> /etc/audit/rules.d/actions.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/tests/ocp4/e2e.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/tests/ocp4/e2e.yml
new file mode 100644
index 00000000000..fd9b313e87b
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/tests/ocp4/e2e.yml
@@ -0,0 +1,3 @@
+---
+default_result: FAIL
+result_after_remediation: PASS
diff --git a/products/sle15/profiles/hipaa.profile b/products/sle15/profiles/hipaa.profile
index a7b280d90ca..9aeb5ef4600 100644
--- a/products/sle15/profiles/hipaa.profile
+++ b/products/sle15/profiles/hipaa.profile
@@ -119,6 +119,7 @@ selections:
 - audit_rules_privileged_commands_userhelper
 - audit_rules_session_events
 - audit_rules_sysadmin_actions
+ - audit_rules_sysadmin_scope
 - audit_rules_system_shutdown
 - var_audit_failure_mode=panic
 - audit_rules_time_adjtimex
diff --git a/shared/references/cce-sle12-avail.txt b/shared/references/cce-sle12-avail.txt
index 5156837efb4..e94a83382eb 100644
--- a/shared/references/cce-sle12-avail.txt
+++ b/shared/references/cce-sle12-avail.txt
@@ -17,7 +17,6 @@ CCE-92347-4
 CCE-92348-2
 CCE-92350-8
 CCE-92354-0
-CCE-92355-7
 CCE-92357-3
 CCE-92358-1
 CCE-92360-7
diff --git a/shared/references/cce-sle15-avail.txt b/shared/references/cce-sle15-avail.txt
index 9b225e4ed7e..a615e8a5d0f 100644
--- a/shared/references/cce-sle15-avail.txt
+++ b/shared/references/cce-sle15-avail.txt
@@ -43,7 +43,6 @@ CCE-92546-1
 CCE-92547-9
 CCE-92549-5
 CCE-92550-3
-CCE-92551-1
 CCE-92553-7
 CCE-92554-5
 CCE-92555-2
From 0f47fbc8f405bcc59778e54c7f7619c283941a60 Mon Sep 17 00:00:00 2001
From: rchikov Date: Fri, 21 Jul 2023 12:35:37 +0200 Subject: [PATCH 2/2] Corrections related to audit_rules_sysadmin_actions and adaptation of the rule sudo_log_events for usage in SLE 12/15 --- controls/anssi.yml | 2 +- controls/cis_sle12.yml | 6 +- controls/cis_sle15.yml | 8 +-- controls/pcidss_3.yml | 2 +- controls/pcidss_4.yml | 2 +- .../audit_rules_sysadmin_actions/rule.yml | 4 +- .../ansible/shared.yml | 10 --- .../audit_rules_sysadmin_scope/bash/shared.sh | 9 --- .../oval/shared.xml | 54 ---------------- .../audit_rules_sysadmin_scope/rule.yml | 62 ------------------- .../tests/correct.pass.sh | 4 -- .../tests/correct_without_key.pass.sh | 4 -- .../tests/empty.fail.sh | 4 -- .../tests/missing_slash.fail.sh | 4 -- .../tests/ocp4/e2e.yml | 3 - .../audit_sudo_log_events/rule.yml | 9 ++- products/sle15/profiles/hipaa.profile | 2 +- 17 files changed, 21 insertions(+), 168 deletions(-) delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/ansible/shared.yml delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/bash/shared.sh delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/oval/shared.xml delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/rule.yml delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/tests/correct.pass.sh delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/tests/correct_without_key.pass.sh delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/tests/empty.fail.sh delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/tests/missing_slash.fail.sh delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/tests/ocp4/e2e.yml 
diff --git a/controls/anssi.yml b/controls/anssi.yml index ff0a4ae0bc5..fc8b7b8aeec 100644 --- a/controls/anssi.yml +++ b/controls/anssi.yml @@ -1362,8 +1362,8 @@ controls: The logging of the system activity must be done through the auditd service. status: automated rules: - - audit_rules_sysadmin_scope - audit_rules_sysadmin_actions + - audit_sudo_log_events - audit_rules_login_events_faillock - audit_rules_login_events_lastlog diff --git a/controls/cis_sle12.yml b/controls/cis_sle12.yml index 2bb781a4740..d5581ad00bd 100644 --- a/controls/cis_sle12.yml +++ b/controls/cis_sle12.yml @@ -1277,7 +1277,7 @@ controls: - l2_workstation status: automated rules: - - audit_rules_sysadmin_scope + - audit_rules_sysadmin_actions - id: 4.1.15 title: Ensure system administrator actions (sudolog) are collected (Automated) @@ -1285,8 +1285,8 @@ controls: - l2_server - l2_workstation status: automated - related_rules: - - audit_rules_sysadmin_actions + rules: + - audit_sudo_log_events - id: 4.1.16 title: Ensure kernel module loading and unloading is collected (Automated) diff --git a/controls/cis_sle15.yml b/controls/cis_sle15.yml index 756e509d823..d50eeb70b18 100644 --- a/controls/cis_sle15.yml +++ b/controls/cis_sle15.yml @@ -1469,9 +1469,9 @@ controls: levels: - l2_server - l2_workstation - status: automated + status: automated rules: - - audit_rules_sysadmin_scope + - audit_rules_sysadmin_actions - id: 4.1.15 title: Ensure system administrator actions (sudolog) are collected (Automated) @@ -1479,8 +1479,8 @@ controls: - l2_server - l2_workstation status: automated - related_rules: - - audit_rules_sysadmin_actions + rules: + - audit_sudo_log_events - id: 4.1.16 title: Ensure kernel module loading and unloading is collected (Automated) diff --git a/controls/pcidss_3.yml b/controls/pcidss_3.yml index e786b401222..ab0be9a7242 100644 --- a/controls/pcidss_3.yml +++ b/controls/pcidss_3.yml 
@@ -1852,8 +1852,8 @@ controls: status: automated rules: - audit_rules_privileged_commands - - audit_rules_sysadmin_scope - audit_rules_sysadmin_actions + - audit_sudo_log_events - id: Req-10.2.3 title: 10.2.3 Access to all audit trails diff --git a/controls/pcidss_4.yml b/controls/pcidss_4.yml index d3822bd8fc3..f57c2d6b3ab 100644 --- a/controls/pcidss_4.yml +++ b/controls/pcidss_4.yml @@ -2073,8 +2073,8 @@ controls: status: automated rules: - audit_rules_privileged_commands - - audit_rules_sysadmin_scope - audit_rules_sysadmin_actions + - audit_sudo_log_events - id: 10.2.1.3 title: 'Audit logs capture all access to audit logs.Records of all access to diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml index dc79df352a1..5989225eb03 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml @@ -39,8 +39,8 @@ references: cis@rhel7: 4.1.14 cis@rhel8: 4.1.3.1 cis@rhel9: 4.1.3.1 - cis@sle12: 4.1.14,4.1.15 - cis@sle15: 4.1.14,4.1.15 + cis@sle12: 4.1.14 + cis@sle15: 4.1.14 cis@ubuntu2004: 4.1.14 cis@ubuntu2204: 4.1.3.1 cjis: 5.4.1.1 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/ansible/shared.yml deleted file mode 100644 index 8782641a948..00000000000 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/ansible/shared.yml +++ /dev/null 
@@ -1,10 +0,0 @@
-# platform = multi_platform_sle
-# reboot = false
-# strategy = restrict
-# complexity = low
-# disruption = low
-
-{{{ ansible_audit_auditctl_add_watch_rule(path='/etc/sudoers', permissions='wa', key='scope') }}}
-{{{ ansible_audit_augenrules_add_watch_rule(path='/etc/sudoers', permissions='wa', key='scope') }}}
-{{{ ansible_audit_auditctl_add_watch_rule(path='/etc/sudoers.d/', permissions='wa', key='scope') }}}
-{{{ ansible_audit_augenrules_add_watch_rule(path='/etc/sudoers.d/', permissions='wa', key='scope') }}}
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/bash/shared.sh
deleted file mode 100644
index 1eb6827f11a..00000000000
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/bash/shared.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-# platform = multi_platform_sle
-
-# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
-
-{{{ bash_fix_audit_watch_rule("auditctl", "/etc/sudoers", "wa", "scope") }}}
-{{{ bash_fix_audit_watch_rule("augenrules", "/etc/sudoers", "wa", "scope") }}}
-{{{ bash_fix_audit_watch_rule("auditctl", "/etc/sudoers.d/", "wa", "scope") }}}
-{{{ bash_fix_audit_watch_rule("augenrules", "/etc/sudoers.d/", "wa", "scope") }}}
-
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/oval/shared.xml
deleted file mode 100644
index 571c2fd11a1..00000000000
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/oval/shared.xml
+++ /dev/null
@@ -1,54 +0,0 @@ - - - {{{ oval_metadata("Audit changes of system administrators scope on the system.") }}} - - - - - - - - - - - - - - - - - - - ^/etc/audit/rules\.d/.*\.rules$ - ^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\bwa[[:space:]]*-k[[:space:]]scope\b$ - 1 - - - - - - - ^/etc/audit/rules\.d/.*\.rules$ - ^\-w[\s]+/etc/sudoers\.d/[\s]+\-p[\s]+\bwa[[:space:]]*-k[[:space:]]scope\b$ - 1 - - - - - - - /etc/audit/audit.rules - ^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\bwa[[:space:]]*-k[[:space:]]scope\b$ - 1 - - - - - - - /etc/audit/audit.rules - ^\-w[\s]+/etc/sudoers\.d/[\s]+\-p[\s]+\bwa[[:space:]]*-k[[:space:]]scope\b$ - 1 - - - diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/rule.yml deleted file mode 100644 index 2a870a937e3..00000000000 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/rule.yml +++ /dev/null @@ -1,62 +0,0 @@ -documentation_complete: true - -prodtype: sle12,sle15 - -title: 'Ensure auditd Collects System Administrator Scope' - -description: |- - Monitor changes in scope for system administrators, when the system is - configured to to force system administrators to log in as themselves first - and then use the sudo command to execute privileged commands. - If the auditd daemon is configured to use the - augenrules program to read audit rules during daemon startup (the default), - add the following line to a file with suffix .rules in the directory - /etc/audit/rules.d: -
-w /etc/sudoers -p wa -k scope
-    -w /etc/sudoers.d/ -p wa -k scope
- If the auditd daemon is configured to use the auditctl - utility to read audit rules during daemon startup, add the following line to - /etc/audit/audit.rules file: -
-w /etc/sudoers -p wa -k scope
-    -w /etc/sudoers.d/ -p wa -k scope
- -rationale: |- - Changes in the /etc/sudoers file, or a file in the /etc/sudoers.d/ directory - can indicate that an unauthorized change has been made to scope of system - administrator activity. - -severity: medium - -identifiers: - cce@sle12: CCE-92355-7 - cce@sle15: CCE-92551-1 - -references: - anssi: BP28(R73) - cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9 - cis@sle12: 4.1.14 - cis@sle15: 4.1.14 - cjis: 5.4.1.1 - cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 - cui: 3.1.7 - disa: CCI-000126,CCI-000130,CCI-000135,CCI-000169,CCI-000172,CCI-002884 - hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) - isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.8,4.3.3.6.6,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 - isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' - iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5 - nist: AC-2(7)(b),AU-2(d),AU-12(c),AC-6(9),CM-6(a) - nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-1,PR.AC-3,PR.AC-4,PR.AC-6,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4 - nist@sle15: AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv),MA-4(1)(a) - ospp: FAU_GEN.1.1.c - pcidss: Req-10.2.2,Req-10.2.5.b - pcidss4: "10.2.1.5,10.2.2" - srg: 
SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221 - - -ocil_clause: 'there is not output' - -ocil: |- - To verify that auditing is configured for system administrator actions, run the following commands: -
$ sudo grep scope /etc/audit/rules.d/*.rules
- or -
$ auditctl -l | grep scope
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/tests/correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/tests/correct.pass.sh deleted file mode 100644 index be8fc3b8209..00000000000 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/tests/correct.pass.sh +++ /dev/null @@ -1,4 +0,0 @@ - -# packages = audit -echo "-w /etc/sudoers -p wa -k scope" >> /etc/audit/rules.d/actions.rules -echo "-w /etc/sudoers.d/ -p wa -k scope" >> /etc/audit/rules.d/actions.rules diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/tests/correct_without_key.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/tests/correct_without_key.pass.sh deleted file mode 100644 index d6751c8b4b9..00000000000 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/tests/correct_without_key.pass.sh +++ /dev/null @@ -1,4 +0,0 @@ - -# packages = audit -echo "-w /etc/sudoers -p wa" >> /etc/audit/rules.d/actions.rules -echo "-w /etc/sudoers.d/ -p wa" >> /etc/audit/rules.d/actions.rules diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/tests/empty.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/tests/empty.fail.sh deleted file mode 100644 index 2fb1b24fcaf..00000000000 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/tests/empty.fail.sh +++ /dev/null @@ -1,4 +0,0 @@ - -# packages = audit -rm -f /etc/audit/rules.d/* -> /etc/audit/audit.rules diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/tests/missing_slash.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/tests/missing_slash.fail.sh deleted file mode 100644 index 0b190eb9012..00000000000 
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/tests/missing_slash.fail.sh +++ /dev/null @@ -1,4 +0,0 @@ - -# packages = audit -echo "-w /etc/sudoers -p wa -k scope" >> /etc/audit/rules.d/actions.rules -echo "-w /etc/sudoers.d -p wa -k scope" >> /etc/audit/rules.d/actions.rules diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/tests/ocp4/e2e.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/tests/ocp4/e2e.yml deleted file mode 100644 index fd9b313e87b..00000000000 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_scope/tests/ocp4/e2e.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -default_result: FAIL -result_after_remediation: PASS diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_sudo_log_events/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_sudo_log_events/rule.yml index b00fb3856ac..6e26c8578df 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_sudo_log_events/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_sudo_log_events/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,rhel8,rhel9,ubuntu2004,ubuntu2204 +prodtype: fedora,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Record Attempts to perform maintenance activities' @@ -40,13 +40,20 @@ severity: medium identifiers: cce@rhel8: CCE-86432-2 cce@rhel9: CCE-86433-0 + cce@sle12: CCE-92355-7 + cce@sle15: CCE-92551-1 references: + anssi: BP28(R73) ccn@rhel9: A.3.SEC-RHEL7 cis@rhel8: 4.1.3.3 cis@rhel9: 4.1.3.3 + cis@sle12: 4.1.15 + cis@sle15: 4.1.15 cis@ubuntu2204: 4.1.3.3 disa: CCI-000172,CCI-002884 + pcidss: Req-10.2.2,Req-10.2.5.b + pcidss4: "10.2.1.5,10.2.2" srg: SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215 stigid@ubuntu2004: UBTU-20-010244 
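Review bot: Extending `prodtype` to `sle12,sle15` and assigning `CCE-92355-7` and `CCE-92551-1` only changes metadata; whether this rule's OVAL, bash and Ansible content is built for SLE depends on their `# platform` lines, which this patch does not touch. Since controls/cis_sle12.yml and cis_sle15.yml now map item 4.1.15 to this rule with `status: automated`, please confirm those platform lines include `multi_platform_sle` (or add them in this patch) and that the sudo log file the rule presumably watches is the one SLE's sudoers configuration writes; otherwise the control is automated against a rule that yields no check on SLE. The two CCEs are the ones patch 1/2 removed from cce-sle12-avail.txt and cce-sle15-avail.txt, so the availability lists stay consistent with this reassignment.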
diff --git a/products/sle15/profiles/hipaa.profile b/products/sle15/profiles/hipaa.profile index 9aeb5ef4600..d8850db82ba 100644 --- a/products/sle15/profiles/hipaa.profile +++ b/products/sle15/profiles/hipaa.profile @@ -119,7 +119,6 @@ selections: - audit_rules_privileged_commands_userhelper - audit_rules_session_events - audit_rules_sysadmin_actions - - audit_rules_sysadmin_scope - audit_rules_system_shutdown - var_audit_failure_mode=panic - audit_rules_time_adjtimex @@ -138,6 +137,7 @@ selections: - audit_rules_usergroup_modification_opasswd - audit_rules_usergroup_modification_passwd - audit_rules_usergroup_modification_shadow + - audit_sudo_log_events - auditd_data_retention_flush - configure_crypto_policy - dconf_gnome_remote_access_credential_prompt