When executing the check for RHEL-06-000183, the .detect script incorrectly misses the trailing slash in the regex when searching for /etc/selinux/ in the rules output from auditctl -l.
=== Relevant line from /etc/audit/audit.rules ===
[root@dtutest SCM]# grep -1 selinux /etc/audit/audit.rules
# RHEL-06-000183
-w /etc/selinux/ -p wa -k MAC-policy
=== Check results with no modifications to .detect script ===
[root@dtutest SCM]# pwd
/var/opt/BESClient/__BESData/CustomSite_DISA_RHEL6/SCM
[root@dtutest SCM]# ./runme.sh -t -f RHEL-06-000183
++ ./util/get_epoch_seconds
+ START_TIME=1425394963
+ TMPDIR=./mytmp
+ BFTMPDIR=./mytmp
+ export BFTMPDIR
+ rm -f ./mytmp/tmp/RHEL-06-000183.errtmp.6165
+ mkdir -p ./mytmp/data ./mytmp/results ./mytmp/tmp
+ MASTER_LOG_FILE=./mytmp/results/master.results
++ uname -s
+ OsName=Linux
++ uname -r
+ OsRelease=2.6.32-504.3.3.el6.x86_64
+ '[' Linux = Linux ']'
+ '[' -f /etc/redhat-release ']'
++ egrep -ic 'release 3' /etc/redhat-release
+ '[' 0 -gt 0 ']'
++ egrep -ic 'release 4' /etc/redhat-release
+ '[' 0 -gt 0 ']'
++ egrep -ic 'release 5' /etc/redhat-release
+ '[' 0 -gt 0 ']'
+ OsRelease=6
+ case $OsName in
+ :
+ export DEBUG TRACE OSname REMEDIATE OsName OsRelease
+ echo VER:0.1
+ TOTAL_SCRIPTLETS_RUN=0
+ TOTAL_SCRIPTLETS_PASS=0
+ TOTAL_SCRIPTLETS_FAIL=0
+ TOTAL_SCRIPTLETS_NA=0
+ TOTAL_SCRIPTLETS_ERR=0
+ '[' x = xY ']'
+ '[' x = xY ']'
+ '[' Yx = Yx ']'
+ FILES_TO_RUN='echo $FILE'
+ read scriptlet
+ eval echo '$FILE'
++ echo RHEL-06-000183
+ run_script RHEL-06-000183.detect
+ SCRIPTLET_NAME=RHEL-06-000183.detect
+ shargs=
+ '[' Y = Y ']'
+ shargs=-x
+ SH=/bin/sh
+ '[' Linux = SunOS ']'
+ '[' -f ../scm_preserve/Linux/6/RHEL-06-000183.detect ']'
+ /bin/sh -x ./Linux/6/RHEL-06-000183.detect
+ RETURN_VALUE=4
+ case $RETURN_VALUE in
++ expr 0 + 1
+ TOTAL_SCRIPTLETS_FAIL=1
++ expr 0 + 1
+ TOTAL_SCRIPTLETS_RUN=1
+ echo TOTAL_SCRIPTLETS_RUN:1
+ echo TOTAL_SCRIPTLETS_PASS:0
+ echo TOTAL_SCRIPTLETS_FAIL:1
+ echo TOTAL_SCRIPTLETS_NA:0
+ echo TOTAL_SCRIPTLETS_ERR:0
+ '[' xN = xY ']'
+ read scriptlet
+ '[' xY = xN ']'
[root@dtutest SCM]#
=== Check results with corrected .detect script in scm_preserve ===
[root@dtutest SCM]# pwd
/var/opt/BESClient/__BESData/CustomSite_DISA_RHEL6/SCM
[root@dtutest SCM]# ./runme.sh -t -f RHEL-06-000183
++ ./util/get_epoch_seconds
+ START_TIME=1425395028
+ TMPDIR=./mytmp
+ BFTMPDIR=./mytmp
+ export BFTMPDIR
+ rm -f ./mytmp/tmp/RHEL-06-000183.errtmp.6242
+ mkdir -p ./mytmp/data ./mytmp/results ./mytmp/tmp
+ MASTER_LOG_FILE=./mytmp/results/master.results
++ uname -s
+ OsName=Linux
++ uname -r
+ OsRelease=2.6.32-504.3.3.el6.x86_64
+ '[' Linux = Linux ']'
+ '[' -f /etc/redhat-release ']'
++ egrep -ic 'release 3' /etc/redhat-release
+ '[' 0 -gt 0 ']'
++ egrep -ic 'release 4' /etc/redhat-release
+ '[' 0 -gt 0 ']'
++ egrep -ic 'release 5' /etc/redhat-release
+ '[' 0 -gt 0 ']'
+ OsRelease=6
+ case $OsName in
+ :
+ export DEBUG TRACE OSname REMEDIATE OsName OsRelease
+ echo VER:0.1
+ TOTAL_SCRIPTLETS_RUN=0
+ TOTAL_SCRIPTLETS_PASS=0
+ TOTAL_SCRIPTLETS_FAIL=0
+ TOTAL_SCRIPTLETS_NA=0
+ TOTAL_SCRIPTLETS_ERR=0
+ '[' x = xY ']'
+ '[' x = xY ']'
+ '[' Yx = Yx ']'
+ FILES_TO_RUN='echo $FILE'
+ eval echo '$FILE'
++ echo RHEL-06-000183
+ read scriptlet
+ run_script RHEL-06-000183.detect
+ SCRIPTLET_NAME=RHEL-06-000183.detect
+ shargs=
+ '[' Y = Y ']'
+ shargs=-x
+ SH=/bin/sh
+ '[' Linux = SunOS ']'
+ '[' -f ../scm_preserve/Linux/6/RHEL-06-000183.detect ']'
+ /bin/sh -x ../scm_preserve/Linux/6/RHEL-06-000183.detect
+ RETURN_VALUE=2
+ case $RETURN_VALUE in
++ expr 0 + 1
+ TOTAL_SCRIPTLETS_PASS=1
++ expr 0 + 1
+ TOTAL_SCRIPTLETS_RUN=1
+ echo TOTAL_SCRIPTLETS_RUN:1
+ echo TOTAL_SCRIPTLETS_PASS:1
+ echo TOTAL_SCRIPTLETS_FAIL:0
+ echo TOTAL_SCRIPTLETS_NA:0
+ echo TOTAL_SCRIPTLETS_ERR:0
+ '[' xN = xY ']'
+ read scriptlet
+ '[' xY = xN ']'
[root@dtutest SCM]#
=== Diff between standard .detect and corrected .detect ===
[root@dtutest SCM]# diff /var/opt/BESClient/__BESData/CustomSite_DISA_RHEL6/SCM/Linux/6/RHEL-06-000183.detect /var/opt/BESClient/__BESData/CustomSite_DISA_RHEL6/scm_preserve/Linux/6/RHEL-06-000183.detect
17c17
< if ! out=$(echo "$auditout" | egrep -- "-w|$KEYWORD=" | egrep -- "-p|perm=$FILE_PERM" | egrep -q "[, =]$file([ ,]|$)")
---
> if ! out=$(echo "$auditout" | egrep -- "-w|$KEYWORD=" | egrep -- "-p|perm=$FILE_PERM" | egrep -q "[, =]$file([ ,/]|$)")
[root@dtutest SCM]#