fix: uid_min: use it in audit auid checks, out jinja macro
git grep -Pl 'auid(>|&gt;)=1000\b' linux_os/ shared/macros/ shared/templates/ tests/shared/ | xargs -r \
    sed --follow-symlinks -Ei 's/(auid>=|auid&gt;=)1000\b/\1{{{ uid_min }}}/g'
maage committed May 28, 2023
1 parent ef371c0 commit ec2bfe8
Showing 143 changed files with 597 additions and 597 deletions.
Expand Up @@ -15,8 +15,8 @@ checktext: |-
$ sudo auditctl -l | grep chmod
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
If both the "b32" and "b64" audit rules are not defined for the "chmod", "fchmod", and "fchmodat" syscalls, this is a finding.
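Review bot: the finding condition on the last context line, "If both the "b32" and "b64" audit rules are not defined ... this is a finding", reads as if only the absence of both rules counts; since each architecture needs its own rule, state it as "If either the "b32" or the "b64" rule is missing, this is a finding." The chown checktext further down uses the same wording and should be corrected together with this one.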
Expand All @@ -25,8 +25,8 @@ fixtext: |-
Add or update the following rules in "/etc/audit/rules.d/audit.rules":
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
The audit daemon must be restarted for the changes to take effect.
Expand Up @@ -15,8 +15,8 @@ checktext: |-
$ sudo auditctl -l | grep chown
-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
If both the "b32" and "b64" audit rules are not defined for the "chown", "fchown", "fchownat", and "lchown" syscalls, this is a finding.
Expand All @@ -25,7 +25,7 @@ fixtext: |-
Add or update the following rules in "/etc/audit/rules.d/audit.rules":
-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
The audit daemon must be restarted for the changes to take effect.
Expand Up @@ -18,8 +18,8 @@ checktext: |-
fixtext: |-
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "fchmod" system call by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b32 -S fchmod -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S fchmod -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
It's allowed to group this system call within the same line as "chmod", "fchmod" and "fchmodat".
Expand Up @@ -18,8 +18,8 @@ checktext: |-
fixtext: |-
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "fchmodat" system call by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b32 -S fchmodat -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S fchmodat -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
It's allowed to group this system call within the same line as "chmod", "fchmod" and "fchmodat".
Expand Up @@ -18,8 +18,8 @@ checktext: |-
fixtext: |-
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "fchown" system call by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b32 -S fchown -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S fchown -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
It's allowed to group this system call within the same line as "chown", "fchown", "fchownat" and "lchown".
Expand Up @@ -18,8 +18,8 @@ checktext: |-
fixtext: |-
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "fchownat" system call by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b32 -S fchownat -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S fchownat -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
It's allowed to group this system call within the same line as "chown", "fchown", "fchownat" and "lchown".
Expand Up @@ -15,8 +15,8 @@ checktext: |-
$ sudo auditctl -l | grep xattr
-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod
-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod
Expand All @@ -26,8 +26,8 @@ checktext: |-
fixtext: |-
Configure {{{ full_name }}} to audit the execution of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls by adding or updating the following lines to "/etc/audit/rules.d/audit.rules":
-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod
-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod
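Review bot: `{{{ uid_min }}}` now has to resolve for every product that builds this rule; this fixtext is already Jinja-rendered (its first line uses `{{{ full_name }}}`), so an undefined `uid_min` would break the rendered text or the build rather than leave the old literal in place. Leaving the two `-F auid=0` rules as a literal `0` is correct: they match root explicitly and do not depend on the login UID floor.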
Expand Up @@ -18,8 +18,8 @@ checktext: |-
fixtext: |-
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "fsetxattr" system call by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b32 -S fsetxattr -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
It's allowed to group this system call within the same line as "fremovexattr", "lremovexattr", "removexattr", "fsetxattr", "lsetxattr" and "setxattr".
Expand Up @@ -18,8 +18,8 @@ checktext: |-
fixtext: |-
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "lchown" system call by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b32 -S lchown -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S lchown -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
It's allowed to group this system call within the same line as "chown", "fchown", "fchownat" and "lchown".
Expand Up @@ -18,8 +18,8 @@ checktext: |-
fixtext: |-
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "lremovexattr" system call by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S lremovexattr -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
It's allowed to group this system call within the same line as "fremovexattr", "lremovexattr", "removexattr", "fsetxattr", "lsetxattr" and "setxattr".
Expand Up @@ -18,8 +18,8 @@ checktext: |-
fixtext: |-
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "lsetxattr" system call by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b32 -S lsetxattr -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
It's allowed to group this system call within the same line as "fremovexattr", "lremovexattr", "removexattr", "fsetxattr", "lsetxattr" and "setxattr".
Expand Up @@ -18,8 +18,8 @@ checktext: |-
fixtext: |-
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "removexattr" system call by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b32 -S removexattr -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
It's allowed to group this system call within the same line as "fremovexattr", "lremovexattr", "removexattr", "fsetxattr", "lsetxattr" and "setxattr".
Expand Up @@ -18,8 +18,8 @@ checktext: |-
fixtext: |-
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "setxattr" system call by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b32 -S setxattr -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S setxattr -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
It's allowed to group this system call within the same line as "fremovexattr", "lremovexattr", "removexattr", "fsetxattr", "lsetxattr" and "setxattr".
Expand Up @@ -13,12 +13,12 @@ checktext: |-
"umount" system call, run the following command:
$ sudo grep "umount" /etc/audit/audit.*
If the system is configured to audit this activity, it will return a line like the following.
-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -k privileged-umount
-a always,exit -F arch=b32 -S umount -F auid>={{{ uid_min }}} -F auid!=unset -k privileged-umount
If the command does not return a line, or the line is commented out, then this is a finding.
fixtext: |-
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "umount" system call by adding or updating the following rules in "/etc/audit/audit.rules" and adding the following rules to "/etc/audit/rules.d/perm_mod.rules" or updating the existing rules in files in the "/etc/audit/rules.d/" directory:
-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -k perm_mod -a always,exit -F arch=b64 -S umount -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b32 -S umount -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod -a always,exit -F arch=b64 -S umount -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
The audit daemon must be restarted for the changes to take effect.
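Review bot: the changed fixtext line runs two rules together on one line (`... -k perm_mod -a always,exit -F arch=b64 -S umount ...`); a rules file takes one rule per line, so the b64 rule must go on its own line. The same block is also inconsistent with its checktext: the check expects `-k privileged-umount` while the fix installs `-k perm_mod`, and the check greps `/etc/audit/audit.*`, which never reads the `/etc/audit/rules.d/perm_mod.rules` file the fix tells the admin to write. Align the key between check and fix and use `auditctl -l | grep umount`, as the chmod and chown checktexts on this page do.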
Expand Up @@ -42,7 +42,7 @@ ocil: |-
"umount" system call, run the following command:
<pre space="preserve">$ sudo grep "umount" /etc/audit/audit.*</pre>
If the system is configured to audit this activity, it will return a line like the following.
-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -k privileged-umount
-a always,exit -F arch=b32 -S umount -F auid>={{{ uid_min }}} -F auid!=unset -k privileged-umount
warnings:
- general: |-
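Review bot: the ocil check `grep "umount" /etc/audit/audit.*` only inspects files named `audit.*` directly under `/etc/audit/` and misses rules placed in `/etc/audit/rules.d/`, where the corresponding fixtext puts them; prefer `auditctl -l | grep umount`, consistent with the other checktexts in this diff, or add `/etc/audit/rules.d/*.rules` to the grep so the expected `privileged-umount` line can actually be found.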
Expand Up @@ -20,7 +20,7 @@ fixtext: |-
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "umount2" system call by adding or updating the following rules in "/etc/audit/audit.rules" and adding the following rules to "/etc/audit/rules.d/perm_mod.rules" or updating the existing rules in files in the "/etc/audit/rules.d/" directory:
-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b32 -S umount2 -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S umount2 -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
The audit daemon must be restarted for the changes to take effect.
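Review bot: the fixtext tells the admin to edit both `/etc/audit/audit.rules` and `/etc/audit/rules.d/perm_mod.rules`; when rules are loaded with augenrules, `/etc/audit/audit.rules` is regenerated from `rules.d`, so the manual edit to it is overwritten and redundant. Simplify to the `rules.d`-only wording the chmod and chown fixtexts use ("Add or update the following rules in ...").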
Expand Up @@ -15,14 +15,14 @@ checktext: |-
$ sudo auditctl -l | grep chacl
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid&gt;=1000 -F auid!=unset -k perm_mod
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid&gt;={{{ uid_min }}} -F auid!=unset -k perm_mod
If the command does not return a line, or the line is commented out, this is a finding.
If , this is a finding.
fixtext: |-
Configure {{{ full_name }}} to generate audit records upon successful/unsuccessful attempts to use the "chacl" command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules":
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid&gt;=1000 -F auid!=unset -k perm_mod
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid&gt;={{{ uid_min }}} -F auid!=unset -k perm_mod
The audit daemon must be restarted for the changes to take effect.
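Review bot: the context line "If , this is a finding." is a broken sentence with an empty condition and duplicates the line just above it ("If the command does not return a line, or the line is commented out, this is a finding."); drop it. Since this change already touches the file, it is a cheap fix to fold in.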
Expand Up @@ -15,13 +15,13 @@ checktext: |-
$ sudo auditctl -l | grep setfacl
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid&gt;=1000 -F auid!=unset -k perm_mod
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid&gt;={{{ uid_min }}} -F auid!=unset -k perm_mod
If the command does not return a line, or the line is commented out, this is a finding.
fixtext: |-
Configure {{{ full_name }}} to generate audit records upon successful/unsuccessful attempts to use the "setfacl" command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules":
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid&gt;=1000 -F auid!=unset -k perm_mod
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid&gt;={{{ uid_min }}} -F auid!=unset -k perm_mod
The audit daemon must be restarted for the changes to take effect.
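Review bot: the path-based rules in this file and the ones that follow keep the escaped form `auid&gt;=`, while the syscall rules earlier in the diff use a raw `auid>=` in the same kind of field; both render as `>` in the generated XML, but the sed in the commit message had to match both spellings, and any future search-and-replace over these rules will trip on the same split. Consider normalizing to one form across the rule files.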
Expand Up @@ -15,13 +15,13 @@ checktext: |-
$ sudo auditctl -l | grep chcon
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid&gt;=1000 -F auid!=unset -k perm_mod
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid&gt;={{{ uid_min }}} -F auid!=unset -k perm_mod
If the command does not return a line, or the line is commented out, this is a finding.
fixtext: |-
Configure {{{ full_name }}} to generate audit records upon successful/unsuccessful attempts to use the "chcon" command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules":
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid&gt;=1000 -F auid!=unset -k perm_mod
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid&gt;={{{ uid_min }}} -F auid!=unset -k perm_mod
The audit daemon must be restarted for the changes to take effect.
Expand Up @@ -15,13 +15,13 @@ checktext: |-
$ sudo auditctl -l | grep semanage
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-unix-update
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid&gt;={{{ uid_min }}} -F auid!=unset -k privileged-unix-update
If the command does not return a line, or the line is commented out, this is a finding.
fixtext: |-
Configure {{{ full_name }}} to generate audit records upon successful/unsuccessful attempts to use the "semanage" command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules":
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-unix-update
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid&gt;={{{ uid_min }}} -F auid!=unset -k privileged-unix-update
The audit daemon must be restarted for the changes to take effect.
Expand Up @@ -15,13 +15,13 @@ checktext: |-
$ sudo auditctl -l | grep setfiles
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-unix-update
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid&gt;={{{ uid_min }}} -F auid!=unset -k privileged-unix-update
If the command does not return a line, or the line is commented out, this is a finding.
fixtext: |-
Configure {{{ full_name }}} to generate audit records upon successful/unsuccessful attempts to use the "setfiles" command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules":
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-unix-update
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid&gt;={{{ uid_min }}} -F auid!=unset -k privileged-unix-update
The audit daemon must be restarted for the changes to take effect.
Expand Up @@ -15,13 +15,13 @@ checktext: |-
$ sudo auditctl -l | grep setsebool
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid&gt;={{{ uid_min }}} -F auid!=unset -F key=privileged
If the command does not return a line, or the line is commented out, this is a finding.
fixtext: |-
Configure {{{ full_name }}} to generate an audit event for any successful/unsuccessful use of the "setsebool " command by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file:
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid&gt;={{{ uid_min }}} -F auid!=unset -F key=privileged
The audit daemon must be restarted for the changes to take effect.
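Review bot: the fixtext quotes the command as `"setsebool "` with a trailing space inside the quotes; it should read `"setsebool"`. This rule also spells its key as `-F key=privileged` where every other rule in the diff uses `-k <key>`; auditctl accepts both, but one spelling across the rule files keeps the check and fix texts greppable in a uniform way.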