I looked through my old notes and confirmed that I was getting yelled at by someone using a scanner that had hard-coded the entries so I adjusted accordingly.
Thanks!
Trevor
On Thu, Jul 11, 2013 at 10:36 AM, Steve Grubb sgrubb@redhat.com wrote:
On Wednesday, July 10, 2013 11:39:39 PM Trevor Vaughan wrote:
"Either order is valid syntax"
I could have sworn that this blew up in my face at some point. Perhaps a different patch set fixed it.
Either order is valid syntax for auditctl. It's been this way since RHEL4. It's not valid if you are running a scanner with a hardcoded ordering.
-Steve
On Sun, Mar 3, 2013 at 9:03 AM, Steve Grubb sgrubb@redhat.com wrote:
- RHEL5 wants audit rules to start with "exit,always"; RHEL6 wants them to start with "always,exit". Note that some of the actual RHEL6 benchmark content checks for both (e.g. adjtimex), while some (the majority) does not (e.g. chmod).
-> This was a change in auditd itself. "exit,always" is no longer valid.
Either order is valid syntax. However, people were asking for order out of chaos and I went through all audit rules and fixed them (in upstream audit) all to have one ordering. This was not because auditctl would reject the rule, it's because configuration testers need one order so that rules can be verified.
-Steve
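An added example, not part of the original thread and not code from the audit or scap-security-guide projects: a configuration check that normalizes the list/action pair before comparing, so "exit,always" and "always,exit" verify as the same rule. The function names, the set of list names, and the sample rules are assumptions made for this illustration.

```python
import shlex

ACTIONS = {"always", "never"}
LISTS = {"task", "exit", "user", "exclude"}  # list names assumed for this example

def normalize_rule(line):
    """Tokenize one audit rule and rewrite its -a/-A argument as 'action,list'."""
    tokens = shlex.split(line)
    for i, tok in enumerate(tokens[:-1]):
        if tok in ("-a", "-A"):
            parts = tokens[i + 1].split(",")
            action = [p for p in parts if p in ACTIONS]
            flist = [p for p in parts if p in LISTS]
            if len(parts) != 2 or len(action) != 1 or len(flist) != 1:
                raise ValueError(f"not a list/action pair: {tokens[i + 1]!r}")
            tokens[i + 1] = f"{action[0]},{flist[0]}"
    return tuple(tokens)

def rule_present(required, configured_lines):
    """True if `required` matches a configured rule, ignoring pair order."""
    want = normalize_rule(required)
    for line in configured_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        if normalize_rule(line) == want:
            return True
    return False

# Constructed sample of a rules file written with the older ordering.
SAMPLE_RULES = """\
# time and permission changes
-a exit,always -F arch=b64 -S adjtimex -k time-change
-a exit,always -F arch=b64 -S chmod -k perm_mod
""".splitlines()

# Constructed benchmark expectation written with the newer ordering.
REQUIRED = "-a always,exit -F arch=b64 -S chmod -k perm_mod"

if __name__ == "__main__":
    print("hard-coded string match:", REQUIRED in SAMPLE_RULES)
    print("order-insensitive match:", rule_present(REQUIRED, SAMPLE_RULES))
```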