On Wednesday, July 10, 2013 11:39:39 PM Trevor Vaughan wrote:
"Either order is valid syntax"
I could have sworn that this blew up in my face at some point. Perhaps a different patch set fixed it.
Either order is valid syntax for auditctl. It's been this way since RHEL4. It's not valid if you are running a scanner with a hardcoded ordering.
-Steve
On Sun, Mar 3, 2013 at 9:03 AM, Steve Grubb <sgrubb@redhat.com> wrote:
- RHEL5 wants audit rules to start with "exit,always"; RHEL6 wants them to start with "always,exit". Note that some of the actual RHEL6 benchmark content checks for both (e.g. adjtimex), while some (the majority) does not (e.g. chmod).
-> This was a change in auditd itself. "exit,always" is no longer valid.
Either order is valid syntax. However, people were asking for order out of chaos and I went through all audit rules and fixed them (in upstream audit) all to have one ordering. This was not because auditctl would reject the rule, it's because configuration testers need one order so that rules can be verified.
-Steve
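
Added example, not part of the thread and not code from the audit or scap-security-guide projects: a rule check that canonicalizes each `-a` line before comparing, so "exit,always" and "always,exit" verify as the same rule instead of depending on a hardcoded ordering. The function names, the sample rules, and the choice to require an exact syscall and field match are assumptions made for illustration.

```python
import shlex

ACTIONS = {"always", "never"}
LISTS = {"task", "exit", "user", "exclude"}  # subset of auditctl filter lists

def canonical(rule):
    """Order-independent form of one `-a` rule line (hypothetical helper)."""
    it = iter(shlex.split(rule, comments=True))
    action = flt = key = None
    syscalls, fields = set(), set()
    for opt in it:
        val = next(it, None)
        if opt not in ("-a", "-S", "-F", "-k") or val is None:
            raise ValueError(f"unsupported or incomplete option: {opt}")
        if opt == "-a":
            parts = set(val.split(","))
            # auditctl accepts "list,action" and "action,list"
            if len(parts) != 2 or not (parts & ACTIONS and parts & LISTS):
                raise ValueError(f"bad -a value: {val}")
            action, flt = (parts & ACTIONS).pop(), (parts & LISTS).pop()
        elif opt == "-S":
            syscalls.update(val.split(","))  # "-S a,b" equals "-S a -S b"
        elif opt == "-F":
            fields.add(val)                  # fields are ANDed together
        else:
            key = val
    if action is None:
        raise ValueError("not an -a rule")
    return (action, flt, frozenset(syscalls), frozenset(fields), key)

def is_configured(required, lines):
    """True if some line is the same rule as `required` (exact match only)."""
    want = canonical(required)
    for line in lines:
        try:
            if canonical(line) == want:
                return True
        except ValueError:
            continue  # comments, -D, -b, -w and other non -a lines
    return False

# Constructed sample audit.rules content mixing both orderings.
SAMPLE_RULES = [
    "## constructed sample",
    "-D",
    "-b 320",
    "-a exit,always -F arch=b64 -S adjtimex -S settimeofday -k time-change",
    "-a always,exit -F arch=b32 -S chmod,fchmod -F auid>=500 -k perm_mod",
]
```
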