On Wednesday, July 10, 2013 11:39:39 PM Trevor Vaughan wrote:
> "Either order is valid syntax"
>
> I could have sworn that this blew up in my face at some point. Perhaps a
> different patch set fixed it.

Either order is valid syntax for auditctl. It's been this way since RHEL4. It's
not valid if you are running a scanner with a hardcoded ordering.

-Steve

> > > > - RHEL5 wants audit rules to start with "exit,always"; RHEL6 wants
> > > > them to start with "always,exit". Note that some of the actual RHEL6
> > > > benchmark content checks for both (e.g. adjtimex), while some (the
> > > > majority) does not (e.g. chmod).
> > > >
> > > > -> This was a change in auditd itself. "exit,always" is no longer
> > > > valid.
> >
> > Either order is valid syntax. However, people were asking for order out of
> > chaos and I went through all audit rules and fixed them (in upstream
> > audit) all to have one ordering. This was not because auditctl would
> > reject the rule, it's because configuration testers need one order so
> > that rules can be verified.
> >
> > -Steve
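
An added example, not part of the original thread or of the audit project's code: a configuration check that compares audit rules after normalising the list/action pair, so that "exit,always" and "always,exit" match where a hardcoded string comparison does not. The sample rules are constructed, and comparing the remaining options as an unordered set with the -k key ignored is an assumption of this example.

```python
import shlex

ACTIONS = {"always", "never"}  # the other half of the -a argument is the list name


def canonical_rule(line):
    """Order-independent form of one "-a"/"-A" rule line; None for other lines."""
    tokens = shlex.split(line, comments=True)
    if len(tokens) < 2 or tokens[0] not in ("-a", "-A"):
        return None  # comments, blank lines, -w watches, -D, -b and so on
    pair = tokens[1].split(",")
    if len(pair) != 2 or sum(p in ACTIONS for p in pair) != 1:
        raise ValueError("unrecognised list/action pair: " + tokens[1])
    action = pair[0] if pair[0] in ACTIONS else pair[1]
    list_name = pair[1] if pair[0] in ACTIONS else pair[0]
    options = tokens[2:]
    if len(options) % 2:
        raise ValueError("option without a value in: " + line)
    # Assumption: the remaining options are compared as a set of (flag, value)
    # pairs, and the -k key is ignored because it is only a label.
    rest = frozenset(
        (flag, value)
        for flag, value in zip(options[0::2], options[1::2])
        if flag != "-k"
    )
    return (list_name, action, rest)


def rule_present(required, rule_lines):
    """True if any line is the same rule as `required`, whatever its ordering."""
    want = canonical_rule(required)
    if want is None:
        raise ValueError("required rule is not a -a/-A rule: " + required)
    return any(canonical_rule(line) == want for line in rule_lines)


# Constructed sample: rules written in the RHEL5-style "exit,always" order.
SAMPLE_RULES = [
    "# constructed sample audit.rules content",
    "-w /etc/passwd -p wa -k identity",
    "-a exit,always -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -k perm_mod",
    "-a exit,always -F arch=b64 -S adjtimex -S settimeofday -k time-change",
]
# Constructed benchmark requirement written in the "always,exit" order.
REQUIRED = "-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -k perm_mod"

if __name__ == "__main__":
    print("hardcoded string match:", REQUIRED in SAMPLE_RULES)
    print("normalised match:      ", rule_present(REQUIRED, SAMPLE_RULES))
```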