On Wednesday, July 10, 2013 11:39:39 PM Trevor Vaughan wrote: > "Either order is valid syntax" > > I could have sworn that this blew up in my face at some point. Perhaps a > different patch set fixed it.
Either order is valid syntax for auditctl. Its been this way since RHEL4. Its not valid if you are running a scanner with a hardcoded ordering. -Steve > On Sun, Mar 3, 2013 at 9:03 AM, Steve Grubb <[email protected]> wrote: > > > > - RHEL5 wants audit rules to start with "exit,always"; RHEL6 wants > > > > them > > > > to start with "always,exit". Note that some of the actual RHEL6 > > > > benchmark content checks for both (e.g. adjtimex), while some (the > > > > majority) does not (e.g. chmod). > > > > > > > > -> This was a change in auditd itself. "exit,always" is no longer > > > > valid. > > > > Either order is valid syntax. However, people were asking for order out of > > chaos and I went through all audit rules and fixed them (in upstream > > audit) all > > to have one ordering. This was not because auditctl would reject the rule, > > its > > because configuration testers need one order so that rules can be > > verified. > > > > -Steve > > _______________________________________________ > > scap-security-guide mailing list > > [email protected] > > https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide _______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
