ComplianceAsCode · jan-cerny · Jan 26, 2026 · Jan 26, 2026
diff --git a/...figure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml b/...figure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
@@ -22,8 +22,59 @@
   loop: "{{ result_privileged_commands_search.results }}"
   when: item is not skipped
 
+{{% if product in ["fedora", "rhel10"] %}}
+- name: {{{ rule_title }}} - Set architecture for audit {{{ PATH }}}
+  ansible.builtin.set_fact:
+    audit_arch: "b64"
+  when:
+  - ansible_architecture == "aarch64" or
+    ansible_architecture == "ppc64" or
+    ansible_architecture == "ppc64le" or
+    ansible_architecture == "s390x" or
+    ansible_architecture == "x86_64"
+{{% endif %}}
+
 - name: {{{ rule_title }}} - Privileged Commands are Present in the System
   block:
+{{% if product in ["fedora", "rhel10"] %}}
+    - name: {{{ rule_title }}} - Ensure Rules for All Privileged Commands in augenrules Format 32-bit
+      ansible.builtin.lineinfile:
+        path: /etc/audit/rules.d/privileged.rules
+        line: '-a always,exit -F arch=b32 -F path={{ item }} -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged'
+        regexp: "^.* -F arch=b32 -F path={{ item | regex_escape() }} .*$"
+        create: yes
+      with_items:
+        - "{{ privileged_commands }}"
+
+    - name: {{{ rule_title }}} - Ensure Rules for All Privileged Commands in auditctl Format 32-bit
+      ansible.builtin.lineinfile:
+        path: /etc/audit/audit.rules
+        line: '-a always,exit -F arch=b32 -F path={{ item }} -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged'
+        regexp: "^.* -F arch=b32 -F path={{ item | regex_escape() }} .*$"
+        create: yes
+      with_items:
+        - "{{ privileged_commands }}"
+
+    - name: {{{ rule_title }}} - Ensure Rules for All Privileged Commands in augenrules Format 64-bit
+      ansible.builtin.lineinfile:
+        path: /etc/audit/rules.d/privileged.rules
+        line: '-a always,exit -F arch=b64 -F path={{ item }} -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged'
+        regexp: "^.* -F arch=b64 -F path={{ item | regex_escape() }} .*$"
+        create: yes
+      with_items:
+        - "{{ privileged_commands }}"
+      when: audit_arch == "b64"
+
+    - name: {{{ rule_title }}} - Ensure Rules for All Privileged Commands in auditctl Format 64-bit
+      ansible.builtin.lineinfile:
+        path: /etc/audit/audit.rules
+        line: '-a always,exit -F arch=b64 -F path={{ item }} -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged'
+        regexp: "^.* -F arch=b64 -F path={{ item | regex_escape() }} .*$"
+        create: yes
+      with_items:
+        - "{{ privileged_commands }}"
+      when: audit_arch == "b64"
+{{% else %}}
     - name: {{{ rule_title }}} - Ensure Rules for All Privileged Commands in augenrules Format
       ansible.builtin.lineinfile:
         path: /etc/audit/rules.d/privileged.rules
@@ -41,12 +92,13 @@
         create: yes
       with_items:
         - "{{ privileged_commands }}"
+{{% endif %}}
 
     - name: {{{ rule_title }}} - Search for Duplicated Rules in Other Files
       ansible.builtin.find:
         paths: "/etc/audit/rules.d"
         recurse: no
-        contains: "^-a always,exit -F path={{ item }} .*$"
+        contains: "^-a always,exit (-F arch=b32 |-F arch=b64 )?-F path={{ item | regex_escape() }} .*$"
         patterns: "*.rules"
       with_items:
         - "{{ privileged_commands }}"
@@ -55,7 +107,7 @@
     - name: {{{ rule_title }}} - Ensure Rules for Privileged Commands are Defined Only in One File
       ansible.builtin.lineinfile:
         path: "{{ item.1.path }}"
-        regexp: "^-a always,exit -F path={{ item.0.item }} .*$"
+        regexp: "^-a always,exit (-F arch=b32 |-F arch=b64 )?-F path={{ item.0.item | regex_escape() }} .*$"
         state: absent
       with_subelements:
         - "{{ result_augenrules_files.results }}"

diff --git a/..._configure_rules/audit_privileged_commands/audit_rules_privileged_commands/bash/shared.sh b/..._configure_rules/audit_privileged_commands/audit_rules_privileged_commands/bash/shared.sh
@@ -15,8 +15,19 @@ function add_audit_rule()
     local PRIV_CMD="$1"
     local OTHER_FILTERS="-F path=$PRIV_CMD -F perm=x"
     # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+{{% if product in ["fedora", "rhel10"] %}}
+    [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+    for ARCH in "${RULE_ARCHS[@]}" ; do
+        ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+        {{{ bash_fix_audit_syscall_rule("augenrules", "$ACTION_ARCH_FILTERS", "$OTHER_FILTERS", "$AUID_FILTERS", "$SYSCALL", "$SYSCALL_GROUPING", "$KEY") | indent(4) }}}
+        {{{ bash_fix_audit_syscall_rule("auditctl", "$ACTION_ARCH_FILTERS", "$OTHER_FILTERS", "$AUID_FILTERS", "$SYSCALL", "$SYSCALL_GROUPING", "$KEY") | indent(4) }}}
+    done
+{{% else %}}
+    ACTION_ARCH_FILTERS="-a always,exit"
     {{{ bash_fix_audit_syscall_rule("augenrules", "$ACTION_ARCH_FILTERS", "$OTHER_FILTERS", "$AUID_FILTERS", "$SYSCALL", "$SYSCALL_GROUPING", "$KEY") | indent(4) }}}
     {{{ bash_fix_audit_syscall_rule("auditctl", "$ACTION_ARCH_FILTERS", "$OTHER_FILTERS", "$AUID_FILTERS", "$SYSCALL", "$SYSCALL_GROUPING", "$KEY") | indent(4) }}}
+{{% endif %}}
+
 }
 
 if {{{ bash_bootc_build() }}} ; then