Looking at RHEL8 DISA STIG, I have several machines that get an error when checking audit settings.
I’ve slightly simplified the query to exhibit the problem in these fixlets. I’m at a loss as to why most machines return OK, but some error. Open to any suggestions.
Without the matching, I do get values for all processes.
Here’s the result of some local qna:
server# /opt/BESClient/bin/qna
Default masthead location, using /etc/opt/BESClient/actionsite.afxm
Q: ((concatenation ":" of (preceding text of first "%00" of it ) of (lines of file ("/proc/" & pid of it as string & "/cmdline")) | "", loginuid of it) of processes) whose (exist matches (regex "^/usr/sbin/rsyslogd\b") of (item 0 of it))
E: Singular expression refers to nonexistent object.
T: 207663
Q: ((concatenation ":" of (preceding text of first "%00" of it ) of (lines of file ("/proc/" & pid of it as string & "/cmdline")) | "", pid of it) of processes) whose (exist matches (regex "^/usr/sbin/rsyslogd\b") of (item 0 of it))
A: /usr/sbin/rsyslogd, 15685
T: 136261
And this one is interesting - right?
Q: (concatenation ":" of (preceding text of first "%00" of it ) of (lines of file ("/proc/" & pid of it as string & "/cmdline")) | "", loginuid of it) of processes whose (pid of it = 15685)
A: /usr/sbin/rsyslogd, 4294967295
T: 51128