diff --git a/cis/system/ksp-audit-cis-mysql-1-5.yaml b/cis/system/ksp-audit-cis-mysql-1-5.yaml
index 1a37f9ac..795a0789 100644
--- a/cis/system/ksp-audit-cis-mysql-1-5.yaml
+++ b/cis/system/ksp-audit-cis-mysql-1-5.yaml
@@ -18,4 +18,5 @@ spec:
 matchPaths:
 - path: /bin/false
 - path: /sbin/nologin
+ - path: /usr/sbin/nologin
 action: Audit
diff --git a/cis/system/ksp-block-cis-centos-8-1-1-4-1.yaml b/cis/system/ksp-block-cis-centos-8-1-1-4-1.yaml
index bf3a6b98..2111da6f 100644
--- a/cis/system/ksp-block-cis-centos-8-1-1-4-1.yaml
+++ b/cis/system/ksp-block-cis-centos-8-1-1-4-1.yaml
@@ -21,4 +21,5 @@ spec:
 - path: /usr/bin/auditd
 - path: /bin/auditd
 - path: /sbin/auditd
+ - path: /usr/sbin/auditd
 action: Block
diff --git a/elastic/system/ksp-audit-elasticsearch-bash-spawn.yaml b/elastic/system/ksp-audit-elasticsearch-bash-spawn.yaml
index 9848346c..6570b343 100644
--- a/elastic/system/ksp-audit-elasticsearch-bash-spawn.yaml
+++ b/elastic/system/ksp-audit-elasticsearch-bash-spawn.yaml
@@ -19,5 +19,6 @@ spec:
 - path: /bin/bash
 - path: /bin/sh
 - path: /sbin/sh
+ - path: /usr/sbin/sh
 - path: /bin/csh
 action: Audit
diff --git a/golang/system/ksp-block-golang-generic-policy-1.yaml b/golang/system/ksp-block-golang-generic-policy-1.yaml
index cc1dd6db..be589926 100644
--- a/golang/system/ksp-block-golang-generic-policy-1.yaml
+++ b/golang/system/ksp-block-golang-generic-policy-1.yaml
@@ -19,6 +19,9 @@ spec:
 - path: /sbin/ldconfig
 fromSource:
 - path: /usr/bin/python2.7
+ - path: /usr/sbin/ldconfig
+ fromSource:
+ - path: /usr/bin/python2.7
 - path: /usr/bin/whoami
 fromSource:
 - path: /bin/dash
diff --git a/malware/system/ksp-block-sysrv-hello-malware.yaml b/malware/system/ksp-block-sysrv-hello-malware.yaml
index 90e704c5..cda6fa62 100644
--- a/malware/system/ksp-block-sysrv-hello-malware.yaml
+++ b/malware/system/ksp-block-sysrv-hello-malware.yaml
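Review bot: The merged-/usr twin is added for `/sbin/nologin` but not for `/bin/false` two lines above it, so on an image where `/bin` is a symlink into `/usr/bin` a login shell of `/bin/false` executes as `/usr/bin/false` and slips past this Audit rule for exactly the reason `/sbin/nologin` did. Add `- path: /usr/bin/false` next to the new entry so both nologin shells are covered on either filesystem layout. This assumes the enforcer matches the kernel-resolved executable path, which is the premise of the whole commit; the rule's `process:` header and selector sit before the hunk.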
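Review bot: After this hunk the Block rule carries four near-identical `auditd` paths with nothing recording why each is there, and the `/bin/auditd` and `/usr/bin/auditd` entries are not where distributions normally install auditd, so a later cleanup could easily drop the wrong one. A comment above the group, `# /sbin/auditd on split-/usr, /usr/sbin/auditd on merged-/usr images`, would make the new entry's purpose reviewable, and whoever added the `/bin` variants should record their rationale the same way. Because the action is Block, a stale or over-broad path list here has direct availability impact; the rest of `spec` is outside the hunk.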
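Review bot: `/usr/sbin/sh` is derived mechanically from `/sbin/sh`, but the shells this policy exists to catch are the ones listed under `/bin` (`/bin/bash`, `/bin/sh`, `/bin/csh`), and on a merged-/usr image those execute as `/usr/bin/bash`, `/usr/bin/sh` and `/usr/bin/csh`, none of which the hunk adds; `/sbin/sh` is not a standard shell location on mainstream Linux, so the new entry is unlikely to ever fire. Add `- path: /usr/bin/bash`, `- path: /usr/bin/sh` and `- path: /usr/bin/csh` (plus `dash` if the Elasticsearch image ships it) so the audit covers the resolved paths. This assumes the enforcer matches the resolved executable path rather than argv[0] — confirm against the LSM/eBPF enforcer in use.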
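Review bot: The new `/usr/sbin/ldconfig` rule repeats `fromSource: /usr/bin/python2.7`, yet the sibling `/usr/bin/whoami` rule visible in the same hunk still depends on `fromSource: /bin/dash`, which on a merged-/usr image is `/usr/bin/dash`; if source paths are resolved the same way as target paths (the commit's own premise), that Block rule has no matching source there and should gain a `- path: /usr/bin/dash` entry too. The duplicated three-line rule block is also a maintenance hazard, since both `ldconfig` entries must now be kept in sync by hand; a comment such as `# merged-/usr twin of the /sbin/ldconfig rule above` would at least tie them together. The enclosing `matchPaths` list begins before and continues after this hunk.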
@@ -22,6 +22,7 @@ spec:
 process:
 matchPaths:
 - path: /sbin/iptables
+ - path: /usr/sbin/iptables
 - path: /etc/iptables
 - path: /usr/share/iptables
 - path: /usr/sbin/ufw
diff --git a/metadata.yaml b/metadata.yaml
index 9ee2ffac..8a7b871d 100644
--- a/metadata.yaml
+++ b/metadata.yaml
@@ -18,6 +18,8 @@ policyRules:
 matchDirectories:
 - dir: /sbin/
 recursive: true
+ - dir: /usr/sbin/
+ recursive: true
 message: restricted maintenance tool access attempted
 selector:
 matchLabels:
diff --git a/nist/system/ksp-system-information-blockwithaudit.yaml b/nist/system/ksp-system-information-blockwithaudit.yaml
index d719f0c3..6e2897ec 100644
--- a/nist/system/ksp-system-information-blockwithaudit.yaml
+++ b/nist/system/ksp-system-information-blockwithaudit.yaml
@@ -28,4 +28,5 @@ spec:
 - path: /bin/lsblk
 - path: /usr/bin/lspci
 - path: /sbin/fdisk
+ - path: /usr/sbin/fdisk
 action: Block
\ No newline at end of file
diff --git a/stigs/system/hsp-audit-stig-ubuntu-20-010173-unix-update.yaml b/stigs/system/hsp-audit-stig-ubuntu-20-010173-unix-update.yaml
index 4e5edd73..0ed5a241 100644
--- a/stigs/system/hsp-audit-stig-ubuntu-20-010173-unix-update.yaml
+++ b/stigs/system/hsp-audit-stig-ubuntu-20-010173-unix-update.yaml
@@ -13,5 +13,6 @@ spec:
 process:
 matchPaths:
 - path: /sbin/unix_update
+ - path: /usr/sbin/unix_update
 action: Audit
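Review bot: On Debian/Ubuntu-derived images `/usr/sbin/iptables` is commonly an alternatives symlink chain ending at `/usr/sbin/xtables-nft-multi` (or `xtables-legacy-multi`), so if the enforcer matches the resolved executable path the new entry may still not fire against the malware's firewall tampering; adding `- path: /usr/sbin/xtables-nft-multi` and `- path: /usr/sbin/xtables-legacy-multi` closes that gap — verify against the target image. Separately, `/etc/iptables` and `/usr/share/iptables` in this `process.matchPaths` list look like directories rather than executables, which an exec-path match would never hit; if the intent is to cover binaries beneath them, `matchDirectories` with `recursive: true` is the fitting construct. The rule's action and the remainder of the list are outside the hunk.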
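Review bot: Widening `matchDirectories` to a recursive `/usr/sbin/` is a no-op relative to `/sbin/` on merged-/usr hosts, but on split-/usr hosts `/usr/sbin/` holds a far larger set of binaries (service daemons included) than `/sbin/` ever did; the rule's `action` is outside the hunk, so confirm it is Audit rather than Block before this lands, or the broader match could stop legitimate daemons in the selected workloads. A short comment above the new entry — `# /usr/sbin/ is where /sbin/ resolves on merged-/usr images` — would record why two directories are listed for one "maintenance tool" message. `policyRules` begins before the hunk.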
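Review bot: `/usr/sbin/fdisk` is added, but `/bin/lsblk` on the line above has the same merged-/usr problem — it executes as `/usr/bin/lsblk` there and escapes this Block rule — so `- path: /usr/bin/lsblk` belongs alongside the new entry. The `\ No newline at end of file` marker shows the file still ends without a trailing newline after `action: Block`; since the hunk already touches the end of the file, adding the newline is a cheap tidy-up that keeps yamllint quiet. `spec` begins before the hunk.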