From db57d123d5c024edb8b55a6f0829919571715279 Mon Sep 17 00:00:00 2001
From: Hank Szeto
Date: Sun, 16 Jan 2022 21:59:50 +1000
Subject: [PATCH] Update rule in ubtu18cis_4_1_15_actions.rules.j2
Space needed between '-F' and `auid`. This matches what UBUNTU18-CIS-Audit is expecting too. `-a always,exit -F arch=b32 -C euid!=uid -F euid=0 -Fauid>=1000 -F auid!=4294967295 -S execve -k actions` vs `-a always,exit -F arch=b64 -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions`
Signed-off-by: Hank Szeto
---
templates/audit/ubtu18cis_4_1_15_actions.rules.j2 | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/templates/audit/ubtu18cis_4_1_15_actions.rules.j2 b/templates/audit/ubtu18cis_4_1_15_actions.rules.j2
index 95979d1..53824fb 100644
--- a/templates/audit/ubtu18cis_4_1_15_actions.rules.j2
+++ b/templates/audit/ubtu18cis_4_1_15_actions.rules.j2
@@ -1,5 +1,5 @@
--a always,exit -F arch=b32 -C euid!=uid -F euid=0 -Fauid>=1000 -F auid!=4294967295 -S execve -k actions
+-a always,exit -F arch=b32 -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions
 {% if ansible_architecture == 'x86_64' -%}
--a always,exit -F arch=b64 -C euid!=uid -F euid=0 -Fauid>=1000 -F auid!=4294967295 -S execve -k actions
+-a always,exit -F arch=b64 -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions
 {% endif %}
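Review bot: The `-F auid>=1000` filter on both new rule lines (b32 and b64) is a fixed literal, and the template does not say what it depends on. On a host whose `UID_MIN` in /etc/login.defs is not 1000, the rule would silently miss, or over-collect, privilege-escalated `execve` events from interactive users. I would add a template comment at the top of the file, for example `{# auid>=1000 assumes UID_MIN is 1000 in /etc/login.defs -#}`, so whoever deploys it knows to check. The spacing fix itself probably does not change what auditd records, since the attached form `-Fauid>=1000` is presumably accepted by the option parser; the commit message does not say which, and a one-line note that the change is for string-matching by the audit tooling would help.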