diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/ansible/shared.yml
new file mode 100644
index 0000000000..31b65a0833
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/ansible/shared.yml
@@ -0,0 +1,38 @@
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Search /etc/audit/rules.d for audit rule entries
+ find:
+ paths: /etc/audit/rules.d
+ recurse: false
+ contains: ^.*dir=/var/log/audit/.*$
+ patterns: '*.rules'
+ register: find_var_log_audit
+
+- name: Use /etc/audit/rules.d/access-audit-trail.rules as the recipient for the rule
+ set_fact:
+ all_files:
+ - /etc/audit/rules.d/access-audit-trail.rules
+ when: find_var_log_audit.matched == 0
+
+- name: Use matched file as the recipient for the rule
+ set_fact:
+ all_files:
+ - '{{ find_var_log_audit.files | map(attribute=''path'') | list | first }}'
+ when: find_var_log_audit.matched > 0
+
+- name: Inserts/replaces the /var/log/audit/ rule in rules.d
+ lineinfile:
+ path: '{{ all_files[0] }}'
+ line: -a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>={{{ auid }}} -F auid!=unset
+ -F key=access-audit-trail
+ create: true
+
+- name: Inserts/replaces the /var/log/audit/ rule in audit.rules
+ lineinfile:
+ path: /etc/audit/audit.rules
+ line: -a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>={{{ auid }}} -F auid!=unset
+ -F key=access-audit-trail
+ create: true
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/bash/shared.sh
new file mode 100644
index 0000000000..515bef7b85
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/bash/shared.sh
@@ -0,0 +1,11 @@
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8, multi_platform_fedora, multi_platform_ol,multi_platform_rhv
+
+# Include source function library.
+. /usr/share/scap-security-guide/remediation_functions
+
+PATTERN="-a always,exit -F path=/var/log/audit/\\s\\+.*"
+GROUP="access-audit-trail"
+FULL_RULE="-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>={{{ auid }}} -F auid!=unset -F key=access-audit-trail"
+# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_correct_rule.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_correct_rule.pass.sh
index e9b1d56af3..2a8a51ff2e 100644
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_correct_rule.pass.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_correct_rule.pass.sh
@@ -1,7 +1,6 @@
#!/bin/bash
# profiles = xccdf_org.ssgproject.content_profile_ospp
-# remediation = none
# Use auditctl in RHEL7
sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_wrong_dir.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_wrong_dir.fail.sh
index 1c68a3229b..ba4086d9b7 100644
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_wrong_dir.fail.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_wrong_dir.fail.sh
@@ -1,7 +1,6 @@
#!/bin/bash
# profiles = xccdf_org.ssgproject.content_profile_ospp
-# remediation = none
# Use auditctl in RHEL7
sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_correct_rule.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_correct_rule.pass.sh
index 58ef8bc15f..891cddefb7 100644
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_correct_rule.pass.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_correct_rule.pass.sh
@@ -1,6 +1,5 @@
#!/bin/bash
# profiles = xccdf_org.ssgproject.content_profile_ospp
-# remediation = none
echo "-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail" >> /etc/audit/rules.d/var_log_audit.rules
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_dir.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_dir.fail.sh
index 29f0f2d38e..18ca9936fa 100644
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_dir.fail.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_dir.fail.sh
@@ -1,6 +1,5 @@
#!/bin/bash
# profiles = xccdf_org.ssgproject.content_profile_ospp
-# remediation = none
echo "-a always,exit -F dir=/var/log/auditd/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail" >> /etc/audit/rules.d/var_log_audit.rules
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_perm.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_perm.fail.sh
index 82eae1895d..617e93d121 100644
--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_perm.fail.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_perm.fail.sh
@@ -1,6 +1,5 @@
#!/bin/bash
# profiles = xccdf_org.ssgproject.content_profile_ospp
-# remediation = none
echo "-a always,exit -F dir=/var/log/audit/ -F perm=w -F auid>=1000 -F auid!=unset -F key=access-audit-trail" >> /etc/audit/rules.d/var_log_audit.rules