Hello,

The audit system can take rules that start with

-a always,exit

just as well as rules that start with

-a exit,always

This has been trouble for scanners because people see rules in both orders. But people complained about this and as of the 2.0.6 release of the audit package, all rules were in a consistent '-a always,exit' format.

Someone reported a problem on the linux-audit mail list saying they were failing a scan. I checked the SSG content and sure enough, it's looking for rules in the exit,always order. You can check it like so:

grep -rl '\-a exit\,always' *

The rules should be fixed to match only always,exit so that everything everywhere is consistent. I would only be concerned about RHEL6/7 because there is no possibility of changing the RHEL5 audit package to ship rules that are consistent.

Thanks,
-Steve
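An added example, not part of the original message and not code from the audit package or SSG: a small Python pass that finds rules written in the list,action order and rewrites them to the action,list order the message asks for. It generalizes beyond exit,always to any filter list and action pair that auditctl(8) documents; the function names and the sample rules are constructed for illustration.

```python
import re

# Filter lists and actions accepted by "-a" per auditctl(8).
LISTS = {"task", "exit", "user", "exclude"}
ACTIONS = {"always", "never"}

# "-a" or "-A", then the comma-separated pair; the rest of the rule is kept as-is.
RULE_RE = re.compile(r"^(\s*-[aA]\s+)([a-z]+),([a-z]+)(?=\s|$)")


def canonicalize(line):
    """Return (line, changed); rewrites 'list,action' to 'action,list'."""
    m = RULE_RE.match(line)
    if not m:
        return line, False  # comments, -w watches, blank lines, etc.
    first, second = m.group(2), m.group(3)
    if first in LISTS and second in ACTIONS:
        return f"{m.group(1)}{second},{first}{line[m.end():]}", True
    return line, False  # already action,list, or not a pair we recognise


def canonicalize_rules(text):
    """Canonicalize a whole rules file; return (new_text, changed_line_numbers)."""
    out, changed = [], []
    for number, line in enumerate(text.splitlines(), 1):
        new_line, did_change = canonicalize(line)
        out.append(new_line)
        if did_change:
            changed.append(number)
    return "\n".join(out) + "\n", changed


# Constructed sample rules, not taken from any shipped audit.rules file.
SAMPLE = """\
# time-change rules
-a exit,always -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b64 -S sethostname -k system-locale
-a exit,never -F arch=b64 -S chmod -F auid=0
-w /etc/passwd -p wa -k identity
"""

if __name__ == "__main__":
    fixed, changed = canonicalize_rules(SAMPLE)
    print(fixed, end="")
    print("rewritten lines:", changed)
```

The same `canonicalize` function can be applied to the rule text a scanner check expects, so that the check and the shipped rules agree on one order.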
