I looked through my old notes and confirmed that I was getting yelled at by
someone using a scanner that had hard-coded the entries so I adjusted
accordingly.
Thanks!
Trevor
On Thu, Jul 11, 2013 at 10:36 AM, Steve Grubb <sgrubb(a)redhat.com> wrote:
On Wednesday, July 10, 2013 11:39:39 PM Trevor Vaughan wrote:
> "Either order is valid syntax"
>
> I could have sworn that this blew up in my face at some point. Perhaps a
> different patch set fixed it.
Either order is valid syntax for auditctl. It's been this way since RHEL4.
It's not valid if you are running a scanner with a hardcoded ordering.
-Steve
> On Sun, Mar 3, 2013 at 9:03 AM, Steve Grubb <sgrubb(a)redhat.com> wrote:
> > > > - RHEL5 wants audit rules to start with "exit,always"; RHEL6 wants
> > > > them to start with "always,exit". Note that some of the actual RHEL6
> > > > benchmark content checks for both (e.g. adjtimex), while some (the
> > > > majority) does not (e.g. chmod).
> > > >
> > > > -> This was a change in auditd itself. "exit,always" is no longer
> > > > valid.
> >
> > Either order is valid syntax. However, people were asking for order out of
> > chaos and I went through all audit rules and fixed them (in upstream
> > audit) all to have one ordering. This was not because auditctl would reject
> > the rule, it's because configuration testers need one order so that rules
> > can be verified.
> >
> > -Steve
--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvaughan(a)onyxpoint.com
-- This account not approved for unencrypted proprietary information --
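
An added example, not part of the original thread or of any scanner discussed in it: a rule check that accepts both "exit,always" and "always,exit" by normalizing the `-a`/`-A` argument before comparing, next to the hard-coded string match that produces the false failure. The function names and the sample rules are constructed for illustration.

```python
import shlex

ACTIONS = {"always", "never"}  # auditctl rule actions

def canonical(rule):
    """Tokenize one rule line and rewrite the -a/-A argument as 'action,list'."""
    rule = rule.strip()
    if not rule or rule.startswith("#"):
        return ()  # blank line or comment: never matches a real rule
    tokens = shlex.split(rule)
    for i, tok in enumerate(tokens[:-1]):
        if tok in ("-a", "-A"):
            pair = tokens[i + 1].split(",")
            # "exit,always" -> "always,exit"; canonical pairs are left untouched
            if len(pair) == 2 and pair[1] in ACTIONS and pair[0] not in ACTIONS:
                tokens[i + 1] = f"{pair[1]},{pair[0]}"
    return tuple(tokens)

def rule_present(required, rules_text):
    """True if `required` is configured under either list/action ordering."""
    want = canonical(required)
    return bool(want) and any(canonical(l) == want for l in rules_text.splitlines())

def naive_present(required, rules_text):
    """Hard-coded string comparison, the scanner behaviour the thread describes."""
    return any(l.strip() == required for l in rules_text.splitlines())

# Constructed sample audit.rules content mixing both orderings.
SAMPLE_RULES = """\
# time-change
-a exit,always -F arch=b64 -S adjtimex -k time-change
-a always,exit -F arch=b64 -S chmod -F auid>=500 -k perm_mod
"""

if __name__ == "__main__":
    for req in ("-a always,exit -F arch=b64 -S adjtimex -k time-change",
                "-a always,exit -F arch=b64 -S chmod -F auid>=500 -k perm_mod"):
        print(f"naive={naive_present(req, SAMPLE_RULES)!s:5} "
              f"normalized={rule_present(req, SAMPLE_RULES)!s:5} {req}")
```

Only the list/action pair is normalized here; the order of the remaining options still has to match the required rule.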