The auditd acceptance test should prune the loaded rules and pass them through `auditctl -R` during the acceptance test

Description

Presently, the 00_base_spec.rb acceptance test removes errors and then checks to see if an expected error exists.

As the systems and rules change, this approach will become increasingly fragile. The test should instead prune the ruleset, load it, validate that it does not have any issues, and restart the auditd service, so that items that are usually an issue (non-root users and file paths) are automatically ignored.

The following should probably be excluded:

  • Items with path=

  • Items starting with -w

  • Items where uid=<anything> where <anything> is not equal to root or 0
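A sketch of the pruning step described above, as an added example that is not code from the module or its acceptance tests. The names `prune_rules`, `prunable?`, `field_filters` and the sample rules are hypothetical, and it assumes that "path=" and "uid=" refer to `-F` field filters, with `uid` matched exactly so that `auid` filters are kept.

```ruby
require 'shellwords'

# Constructed sample rules; not taken from the module under test.
SAMPLE_RULES = <<~RULES
  # comment
  -D
  -b 8192
  -w /etc/shadow -p wa -k identity
  -a always,exit -F arch=b64 -S execve -F uid=0 -k root_exec
  -a always,exit -F arch=b64 -S execve -F uid=root -k root_exec
  -a always,exit -F arch=b64 -S open -F uid=apache -k web
  -a always,exit -F arch=b64 -S open -F uid=48 -k web
  -a always,exit -F path=/usr/bin/sudo -F perm=x -k priv
  -a always,exit -F arch=b64 -S chmod -F auid>=1000 -k perm_mod
RULES

# Values of uid= that are safe on any host (assumption from the ticket text).
ROOT_IDS = %w[root 0].freeze

# Return the argument of every "-F <field>" pair in a rule line.
def field_filters(rule)
  Shellwords.split(rule).each_cons(2)
            .select { |flag, _| flag == '-F' }
            .map(&:last)
end

# True when a rule depends on a file path or a non-root user and
# should be left out of the ruleset loaded during the test.
def prunable?(rule)
  line = rule.strip
  return false if line.empty? || line.start_with?('#')
  return true if line.start_with?('-w')

  field_filters(line).any? do |f|
    next true if f.start_with?('path=')

    m = f.match(/\Auid=(.+)\z/)
    m && !ROOT_IDS.include?(m[1])
  end
end

# Return the rule lines that remain after pruning.
def prune_rules(text)
  text.each_line.map(&:chomp).reject { |l| prunable?(l) }
end
```

The remaining lines can be written to a file on the test host and loaded with `auditctl -R <file>`, so the test checks for a clean load rather than filtering expected errors.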

Acceptance Criteria

None

Labels

None

Epic Link

None

Story Points

2

Components

Affects versions

Priority

Medium