I looked through my old notes and confirmed that I was getting yelled at by someone using a scanner that had hard-coded the entries so I adjusted accordingly.
Thanks!

Trevor

On Thu, Jul 11, 2013 at 10:36 AM, Steve Grubb <[email protected]> wrote:

> On Wednesday, July 10, 2013 11:39:39 PM Trevor Vaughan wrote:
> > "Either order is valid syntax"
> >
> > I could have sworn that this blew up in my face at some point. Perhaps a
> > different patch set fixed it.
>
> Either order is valid syntax for auditctl. It's been this way since RHEL4.
> It's not valid if you are running a scanner with a hardcoded ordering.
>
> -Steve
>
> > On Sun, Mar 3, 2013 at 9:03 AM, Steve Grubb <[email protected]> wrote:
> > > > > - RHEL5 wants audit rules to start with "exit,always"; RHEL6 wants
> > > > > them to start with "always,exit". Note that some of the actual RHEL6
> > > > > benchmark content checks for both (e.g. adjtimex), while some (the
> > > > > majority) does not (e.g. chmod).
> > > > >
> > > > > -> This was a change in auditd itself. "exit,always" is no longer
> > > > > valid.
> > >
> > > Either order is valid syntax. However, people were asking for order out of
> > > chaos and I went through all audit rules and fixed them (in upstream
> > > audit) all to have one ordering. This was not because auditctl would
> > > reject the rule, it's because configuration testers need one order so
> > > that rules can be verified.
> > >
> > > -Steve
> > > _______________________________________________
> > > scap-security-guide mailing list
> > > [email protected]
> > > https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
[email protected]

-- This account not approved for unencrypted proprietary information --
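Added example (not part of the original thread, and not code from the audit or scap-security-guide projects): a Python sketch of a rule check that treats "exit,always" and "always,exit" as the same rule, since the thread states auditctl accepts either order, shown beside a literal comparison that accepts only one. The function names, the set of list names and the sample rules are assumptions constructed for illustration.

```python
import shlex

# Action and list names for auditctl's -a/-A field (assumed set for this example).
ACTIONS = {"always", "never"}
LISTS = {"task", "exit", "user", "exclude"}

# Constructed sample rules, one in each ordering.
SAMPLE_RULES = [
    "# constructed sample audit.rules content",
    "-a exit,always -F arch=b64 -S adjtimex -k time-change",
    "-a always,exit -F arch=b64 -S chmod -F auid>=500 -k perm_mod",
]

def normalize_rule(line):
    """Tokenize a rule and rewrite its -a/-A field as 'action,list'."""
    tokens = shlex.split(line, comments=True)
    out, i = [], 0
    while i < len(tokens):
        out.append(tokens[i])
        if tokens[i] in ("-a", "-A") and i + 1 < len(tokens):
            parts = tokens[i + 1].split(",")
            if len(parts) == 2 and set(parts) & ACTIONS and set(parts) & LISTS:
                action = parts[0] if parts[0] in ACTIONS else parts[1]
                lst = parts[1] if action == parts[0] else parts[0]
                out.append(f"{action},{lst}")
            else:
                out.append(tokens[i + 1])  # unrecognized field: keep as written
            i += 1
        i += 1
    return tuple(out)

def hardcoded_present(expected, lines):
    """Literal text match: passes only when the ordering is identical."""
    return any(line.strip() == expected for line in lines)

def rule_present(expected, lines):
    """Ordering-insensitive match on the normalized token tuple."""
    want = normalize_rule(expected)
    return any(normalize_rule(line) == want for line in lines)

if __name__ == "__main__":
    for want in ("-a always,exit -F arch=b64 -S adjtimex -k time-change",
                 "-a exit,always -F arch=b64 -S chmod -F auid>=500 -k perm_mod"):
        print(want, hardcoded_present(want, SAMPLE_RULES), rule_present(want, SAMPLE_RULES))
```

Both expected rules are reported missing by the literal comparison and present by the normalized one, which is the false finding a scanner with a hard-coded ordering produces.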
