>=Fedora 42 augenrules regex #14584

@swiftraccoon

Description of problem:

The audit_rules_augenrules OVAL definition in shared/checks/oval/audit_rules_augenrules.xml fails to detect augenrules on Fedora 42+. The regex ^ExecStart=(\/usr|)?\/sbin\/augenrules.*$ does not match /usr/bin/augenrules, which is the path in audit-rules.service on Fedora 42 and later due to the /usr/sbin unification. Every audit rule check that depends on this definition fails.

PR #14367 correctly routed Fedora into the audit-rules.service code path, but the regex inherited from RHEL 10 only matches /sbin/ and /usr/sbin/, not /usr/bin/.

SCAP Security Guide Version:

master @ a5b5903

Operating System Version:

Fedora 45 Rawhide aarch64 (openscap-scanner 1.4.3, audit 4.1.3). Unit file paths are arch-independent; verified on F42 through F45.

Steps to Reproduce:

  1. Build the Fedora datastream: ./build_product fedora --datastream-only
  2. On Fedora 42+, run: grep ExecStart /usr/lib/systemd/system/audit-rules.service — observe /usr/bin/augenrules --load
  3. Run: sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard build/ssg-fedora-ds.xml
  4. Observe all audit_rules_* checks fail

Actual Results:

audit_rules_augenrules evaluates to false. All dependent audit rule checks fail (25 of 41 failures in the Standard profile).

Expected Results:

audit_rules_augenrules should evaluate to true when audit-rules.service contains ExecStart=/usr/bin/augenrules --load.

Additional Information/Debugging Steps:

On Fedora 42+, %{_sbindir} expands to /usr/bin and /usr/sbin is a symlink to bin. The audit RPM installs directly to /usr/bin/augenrules. Fedora 41 is unaffected (/usr/sbin is a real directory there).

| Release | /usr/sbin | ExecStart= | Regex matches? |
|---|---|---|---|
| Fedora 41 | real dir | /usr/sbin/augenrules --load | yes |
| Fedora 42 | -> bin | /usr/bin/augenrules --load | no |
| Fedora 43 | -> bin | /usr/bin/augenrules --load | no |
| Fedora 44 | -> bin | /usr/bin/augenrules --load | no |
| Fedora 45 | -> bin | /usr/bin/augenrules --load | no |
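
The mismatch reported above can be reproduced offline with the following added example, which is not part of the original issue or the project's code. It runs the regex quoted in the issue against constructed unit files and compares it with `CANDIDATE_PATTERN`, a hypothetical widened pattern chosen here for illustration; `re.MULTILINE` is an assumption standing in for per-line matching of the unit file.

```python
import re

# Pattern quoted in the issue (shared/checks/oval/audit_rules_augenrules.xml).
CURRENT_PATTERN = r"^ExecStart=(\/usr|)?\/sbin\/augenrules.*$"
# Hypothetical widened pattern (assumption for illustration, not the project's fix).
CANDIDATE_PATTERN = r"^ExecStart=(\/usr)?\/s?bin\/augenrules.*$"

# Constructed ExecStart= lines: the two layouts from the issue plus negative cases
# that a widened pattern must still reject.
SAMPLES = {
    "fedora41": "ExecStart=/usr/sbin/augenrules --load",
    "fedora42": "ExecStart=/usr/bin/augenrules --load",
    "legacy_sbin": "ExecStart=/sbin/augenrules --load",
    "auditctl": "ExecStart=/usr/bin/auditctl -R /etc/audit/audit.rules",
    "local_copy": "ExecStart=/usr/local/bin/augenrules --load",
    "commented": "#ExecStart=/usr/bin/augenrules --load",
}


def unit_text(execstart_line):
    """Wrap one ExecStart= line in a minimal, constructed unit file."""
    header = "[Unit]\nDescription=constructed sample\n\n[Service]\nType=oneshot\n"
    return header + execstart_line + "\n"


def detects_augenrules(pattern, text):
    """True if any line of the unit file matches the pattern (^/$ anchor per line)."""
    return re.search(pattern, text, re.MULTILINE) is not None


def compare():
    """Map each sample name to (current pattern result, candidate pattern result)."""
    return {
        name: (
            detects_augenrules(CURRENT_PATTERN, unit_text(line)),
            detects_augenrules(CANDIDATE_PATTERN, unit_text(line)),
        )
        for name, line in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (current, candidate) in compare().items():
        print(f"{name:12} current={current!s:5} candidate={candidate}")
```

The negative samples matter as much as the positive ones: a pattern loosened to accept `/usr/bin` should still reject a commented-out line, a different binary, and a copy under `/usr/local`.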
