Bug
Resolution: Done-Errata
Normal
rhel-9.0.0
audit-3.1.2-2.el9
rhel-sst-security-special-projects
ssg_security
14
QE ack, Dev ack
Description of problem:
The /usr/share/audit/sample-rules/30-ospp-v42.rules file has this section:

    Use of special rights for config changes. This would be use of setuid
    programs that relate to user accts. This is not all setuid apps because
    requirements are only for ones that affect system configuration.

A binary which meets these criteria but is not listed is /usr/sbin/grub2-set-bootflag.
Version-Release number of selected component (if applicable):
audit-3.0.7-101.el9_0.2.x86_64
How reproducible:
Deterministic.
Steps to Reproduce:
1. cp /usr/share/audit/sample-rules/30-ospp-v42.rules /etc/audit/rules.d/
2. augenrules --load
3. As an unprivileged user, run grub2-set-bootflag boot_success
4. grep grub2-set-bootflag /var/log/audit/audit.log
Actual results:
No record found.
Expected results:
type=SYSCALL msg=audit(1655369136.284:296): arch=c000003e syscall=59 success=yes exit=0 a0=5588b7677f90 a1=5588b7684400 a2=5588b7691b60 a3=8 items=2 ppid=15172 pid=15349 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="grub2-set-bootf" exe="/usr/sbin/grub2-set-bootflag" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="special-config-changes" ARCH=x86_64 SYSCALL=execve AUID="test" UID="test" GID="test" EUID="root" SUID="root" FSUID="root" EGID="test" SGID="test" FSGID="test"
type=EXECVE msg=audit(1655369136.284:296): argc=2 a0="grub2-set-bootflag" a1="boot_success"
type=PATH msg=audit(1655369136.284:296): item=0 name="/usr/sbin/grub2-set-bootflag" inode=67490455 dev=fd:00 mode=0104755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bootloader_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root"
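The gap reported here (a setuid-root binary that changes system configuration but has no rule in the special-config-changes section) is the kind of thing a rule-coverage check can catch before an evaluation does. The script below is an added example, not part of this bug report, the errata, or the audit project: it extracts the paths watched by rules carrying a given key and lists any setuid-root executables that are not among them. The sample rule lines and the candidate rule for grub2-set-bootflag are constructed; their form (-F perm=x -F auid>=1000 -F auid!=unset) is assumed to match the other entries in 30-ospp-v42.rules, and only the key name and the auid>=1000 match are confirmed by the expected record above.

```shell
#!/bin/sh
# Added example (not from the bug report or the audit project): report
# setuid-root binaries that a rules file's "special-config-changes" section
# does not cover.

# Constructed sample of the section's rule lines; format assumed to match the
# real file, only the key name is confirmed by the expected audit record.
SAMPLE_RULES='-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes'

# A rule in the same (assumed) form that would cover the binary named in
# this report.
FIX_RULE='-a always,exit -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes'

# Print, one per line, the executable paths watched by rules tagged with the
# given key. Accepts both "-F key=NAME" and "-k NAME".
#   $1 = rules text, $2 = key
covered_paths() {
    printf '%s\n' "$1" \
        | grep -E -- "(key=|-k )$2(\$| )" \
        | sed -n 's/.*-F path=\([^ ]*\).*/\1/p' \
        | sort -u
}

# Print the binaries from the newline-separated list in $3 that have no rule
# with key $2 in the rules text $1.
uncovered_setuid() {
    covered=$(covered_paths "$1" "$2")
    printf '%s\n' "$3" | while IFS= read -r bin; do
        [ -n "$bin" ] || continue
        printf '%s\n' "$covered" | grep -qxF -- "$bin" || printf '%s\n' "$bin"
    done
}

# Enumerate setuid-root executables on the running system: the realistic
# input for the check above.
setuid_root_bins() {
    find /usr/bin /usr/sbin -xdev -type f -perm -4000 -user root 2>/dev/null | sort
}

# Live run against the installed copy of the rules: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    rules_file=/etc/audit/rules.d/30-ospp-v42.rules
    uncovered_setuid "$(cat "$rules_file")" special-config-changes "$(setuid_root_bins)"
fi
```

Run with `--live` on a host that has the sample rules installed (step 1 of the reproducer) and every path printed is a setuid-root binary that will execute without producing a special-config-changes record; not every such binary belongs in the section, since the comment restricts it to programs that affect system configuration, so the output is a review list rather than a list of rules to add blindly.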
Additional info:
External trackers: links to RHBA-2023:123700 (audit bug fix and enhancement update)