RHEL 8 CIS Benchmark Fixlet - Ensure login and logout events are collected

The relevance in the RHEL 8 CIS Benchmark Fixlet - Ensure login and logout events are collected is wrong.

Current relevance:
not exists 1 whose ((((0 < number of ((it, (if exists it then concatenation "," of substrings separated by "<!comma>" of it else it) of tuple string items (1 - 1) of concatenation ", " of substrings separated by "<!plural>" of concatenation "<!comma>" of substrings separated by "," of concatenation "<!plural>" of (if exist matches (regex "<!comma>|<!plural>") of it then error "Delimiter in string: <!comma>|<!plural>" else it) of lines whose (exist matches (regex "^-w\s+\/var\/log\/lastlog\s+-p\s+wa\s+-k\s+logins\s*$") of it) of it, "^-w\s+\/var\/log\/lastlog\s+-p\s+wa\s+-k\s+logins\s*$", 1) of it) of files "/etc/audit/audit.rules" and 0 < number of ((it, (if exists it then concatenation "," of substrings separated by "<!comma>" of it else it) of tuple string items (1 - 1) of concatenation ", " of substrings separated by "<!plural>" of concatenation "<!comma>" of substrings separated by "," of concatenation "<!plural>" of (if exist matches (regex "<!comma>|<!plural>") of it then error "Delimiter in string: <!comma>|<!plural>" else it) of lines whose (exist matches (regex "^-w\s+\/var\/run\/faillock\/\s+-p\s+wa\s+-k\s+logins\s*$") of it) of it, "^-w\s+\/var\/run\/faillock\/\s+-p\s+wa\s+-k\s+logins\s*$", 1) of it) of files "/etc/audit/audit.rules")) or ((0 < number of ((it, (if exists it then concatenation "," of substrings separated by "<!comma>" of it else it) of tuple string items (1 - 1) of concatenation ", " of substrings separated by "<!plural>" of concatenation "<!comma>" of substrings separated by "," of concatenation "<!plural>" of (if exist matches (regex "<!comma>|<!plural>") of it then error "Delimiter in string: <!comma>|<!plural>" else it) of lines whose (exist matches (regex "^-w\s+\/var\/log\/lastlog\s+-p\s+wa\s+-k\s+logins\s*$") of it) of it, "^-w\s+\/var\/log\/lastlog\s+-p\s+wa\s+-k\s+logins\s*$", 1) of it) of files whose (exist matches (regex ".*.rules") of name of it) of folders "/etc/audit/rules.d" and 0 < number of ((it, (if exists it then 
concatenation "," of substrings separated by "<!comma>" of it else it) of tuple string items (1 - 1) of concatenation ", " of substrings separated by "<!plural>" of concatenation "<!comma>" of substrings separated by "," of concatenation "<!plural>" of (if exist matches (regex "<!comma>|<!plural>") of it then error "Delimiter in string: <!comma>|<!plural>" else it) of lines whose (exist matches (regex "^-w\s+\/var\/run\/faillock\/\s+-p\s+wa\s+-k\s+logins\s*$") of it) of it, "^-w\s+\/var\/run\/faillock\/\s+-p\s+wa\s+-k\s+logins\s*$", 1) of it) of files whose (exist matches (regex ".*.rules") of name of it) of folders "/etc/audit/rules.d"))))

Corrected:
not exists 1 whose ((((0 < number of ((it, (if exists it then concatenation "," of substrings separated by "<!comma>" of it else it) of tuple string items (1 - 1) of concatenation ", " of substrings separated by "<!plural>" of concatenation "<!comma>" of substrings separated by "," of concatenation "<!plural>" of (if exist matches (regex "<!comma>|<!plural>") of it then error "Delimiter in string: <!comma>|<!plural>" else it) of lines whose (exist matches (regex "^-w\s+\/var\/log\/lastlog\s+-p\s+wa\s+-k\s+logins\s*$") of it) of it, "^-w\s+\/var\/log\/lastlog\s+-p\s+wa\s+-k\s+logins\s*$", 1) of it) of files "/etc/audit/audit.rules" and 0 < number of ((it, (if exists it then concatenation "," of substrings separated by "<!comma>" of it else it) of tuple string items (1 - 1) of concatenation ", " of substrings separated by "<!plural>" of concatenation "<!comma>" of substrings separated by "," of concatenation "<!plural>" of (if exist matches (regex "<!comma>|<!plural>") of it then error "Delimiter in string: <!comma>|<!plural>" else it) of lines whose (exist matches (regex "^-w\s+\/var\/run\/faillock\/\s+-p\s+wa\s+-k\s+logins\s*$") of it) of it, "^-w\s+\/var\/run\/faillock\/\s+-p\s+wa\s+-k\s+logins\s*$", 1) of it) of files "/etc/audit/audit.rules")) or ((0 < number of ((it, (if exists it then concatenation "," of substrings separated by "<!comma>" of it else it) of tuple string items (1 - 1) of concatenation ", " of substrings separated by "<!plural>" of concatenation "<!comma>" of substrings separated by "," of concatenation "<!plural>" of (if exist matches (regex "<!comma>|<!plural>") of it then error "Delimiter in string: <!comma>|<!plural>" else it) of lines whose (exist matches (regex "^-w\s+\/var\/log\/lastlog\s+-p\s+wa\s+-k\s+logins\s*$") of it) of it, "^-w\s+\/var\/log\/lastlog\s+-p\s+wa\s+-k\s+logins\s*$", 1) of it) of files whose (exist matches (regex ".*.rules") of name of it) of folders "/etc/audit/rules.d" and 0 < number of ((it, (if exists it then 
concatenation "," of substrings separated by "<!comma>" of it else it) of tuple string items (1 - 1) of concatenation ", " of substrings separated by "<!plural>" of concatenation "<!comma>" of substrings separated by "," of concatenation "<!plural>" of (if exist matches (regex "<!comma>|<!plural>") of it then error "Delimiter in string: <!comma>|<!plural>" else it) of lines whose (exist matches (regex "^-w\s+\/var\/run\/faillock\s+-p\s+wa\s+-k\s+logins\s*$") of it) of it, "^-w\s+\/var\/run\/faillock\s+-p\s+wa\s+-k\s+logins\s*$", 1) of it) of files whose (exist matches (regex ".*.rules") of name of it) of folders "/etc/audit/rules.d"))))

This is the line (which is in it twice btw) that I corrected:

"^-w\s+\/var\/run\/faillock\/\s+-p\s+wa\s+-k\s+logins\s*$"

Instead of faillock\/\s+ it should be faillock\s+
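The effect of the trailing slash, as an added example that is not part of the original post or the Fixlet: the two faillock patterns from the relevance are run against constructed rule lines, with the Fixlet's "both watches in audit.rules, or both in rules.d" logic mirrored in Python. The function names, sample file name and the `FAILLOCK_TOLERANT` pattern are assumptions made for illustration.

```python
import re

# Patterns copied from the relevance in the post.
LASTLOG = r"^-w\s+\/var\/log\/lastlog\s+-p\s+wa\s+-k\s+logins\s*$"
FAILLOCK_CURRENT = r"^-w\s+\/var\/run\/faillock\/\s+-p\s+wa\s+-k\s+logins\s*$"
FAILLOCK_CORRECTED = r"^-w\s+\/var\/run\/faillock\s+-p\s+wa\s+-k\s+logins\s*$"
# Hypothetical alternative (not from the post): accept the path with or without "/".
FAILLOCK_TOLERANT = r"^-w\s+\/var\/run\/faillock\/?\s+-p\s+wa\s+-k\s+logins\s*$"


def has_rule(pattern, lines):
    """True if at least one line matches, like '0 < number of ... lines whose ...'."""
    rx = re.compile(pattern)
    return any(rx.search(line) for line in lines)


def is_relevant(faillock_pattern, audit_rules, rules_d):
    """Mirror the Fixlet: relevant (reported non-compliant) unless one location
    holds both watches. rules_d maps file name -> lines; the relevance counts
    matches across all files in the folder, so their lines are pooled here."""
    def both(lines):
        return has_rule(LASTLOG, lines) and has_rule(faillock_pattern, lines)

    pooled = [line for name, lines in rules_d.items()
              if re.search(r".*.rules", name)  # same file-name regex as the relevance
              for line in lines]
    return not (both(audit_rules) or both(pooled))


# Constructed sample input: rules written without and with the trailing slash.
NO_SLASH = {"50-logins.rules": ["-w /var/log/lastlog -p wa -k logins",
                                "-w /var/run/faillock -p wa -k logins"]}
WITH_SLASH = {"50-logins.rules": ["-w /var/log/lastlog -p wa -k logins",
                                  "-w /var/run/faillock/ -p wa -k logins"]}

if __name__ == "__main__":
    for label, pattern in [("current", FAILLOCK_CURRENT),
                           ("corrected", FAILLOCK_CORRECTED),
                           ("tolerant", FAILLOCK_TOLERANT)]:
        print(label,
              "| no slash -> relevant:", is_relevant(pattern, [], NO_SLASH),
              "| with slash -> relevant:", is_relevant(pattern, [], WITH_SLASH))
```

Each of the two patterns from the post accepts exactly one spelling of the watch path, so an endpoint whose rule uses the other spelling is reported as non-compliant even though the audit watch is present.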

I edited your post to add the code tags into it, the relevance should display correctly now.
