From 0a22bbbaeabd9c13254ef251479e9d74143620e6 Mon Sep 17 00:00:00 2001
From: Ilya Okomin <ilya.okomin@oracle.com>
Date: Mon, 23 Mar 2020 20:07:47 -0400
Subject: [PATCH] Fix rsyslog_nolisten regex to match rule description

Signed-off-by: Ilya Okomin <ilya.okomin@oracle.com>
---
 .../rsyslog_nolisten/oval/shared.xml                          | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/oval/shared.xml b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/oval/shared.xml
index e38dee5bbc..b56281e283 100644
--- a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/oval/shared.xml
+++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/oval/shared.xml
@@ -16,13 +16,13 @@
     </criteria>
   </definition>
   <ind:textfilecontent54_test check="all" check_existence="none_exist"
-  comment="Ensure that the /etc/rsyslog.conf does not contain $InputTCPServerRun | $UDPServerRun | $InputRELPServerRun"
+  comment="Ensure that the /etc/rsyslog.conf does not contain $InputTCPServerRun | $UDPServerRun | $InputRELPServerRun | $ModLoad imtcp | $ModLoad imudp | $ModLoad imrelp"
   id="test_rsyslog_nolisten" version="1">
     <ind:object object_ref="object_rsyslog_nolisten" />
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="object_rsyslog_nolisten" version="2">
     <ind:filepath>/etc/rsyslog.conf</ind:filepath>
-    <ind:pattern operation="pattern match">^[\s]*\$(?:Input(?:TCP|RELP)|UDP)ServerRun</ind:pattern>
+    <ind:pattern operation="pattern match">^[\s]*\$((?:Input(?:TCP|RELP)|UDP)ServerRun|ModLoad[\s]+(imtcp|imudp|imrelp))</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 </def-group>