From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Audit rules keys
Date: Tue, 21 Aug 2007 11:55:45 -0400
Message-ID: <200708211155.46686.sgrubb@redhat.com>
References: <6F2A8C9C4C5BE446A17B745BBC856EEB5A6D39@XMBTX113.northgrum.com> <46CB0747.6020203@hp.com>
In-Reply-To: <46CB0747.6020203@hp.com>
Sender: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tuesday 21 August 2007 11:39:51 Linda Knippers wrote:
> > Using system-config-audit getting key (-k) configuration errors when
> > saving changes.
> >
> > [root@localhost ~]# Stopping auditd: [  OK  ]
> > Starting auditd: [  OK  ]
> > key option needs a watch or syscall given prior to it
>
> This is telling you that the -k flag needs to be after a -S
> flag.  I don't know why the order matters but apparently it does.

Correct. It matters because originally keys were only associated with watches.
So, I needed the rule writer to declare that this is going to be a syscall or
watch rule so that I can error check appropriately.

Keys do not apply to rules like, -b or -e, so I still want to see the rule
type ahead of a key option so that errors are caught.

-Steve
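
The ordering requirement discussed in this thread, as an added example that is not part of the original message or of the audit project's code: a Python check that reads audit.rules-style lines and flags any -k that appears before a -S or -w on the same line, or on a -b/-e control line. The function name, messages and sample rules are constructed for illustration.

```python
import shlex

RULE_TYPE_FLAGS = {"-S", "-w"}   # syscall or watch: the rule types named in the thread
CONTROL_FLAGS = {"-b", "-e"}     # control options that keys do not apply to

# Constructed sample rules file (not taken from the thread).
SAMPLE_RULES = """\
# constructed sample
-b 320
-a exit,always -S open -k file-open
-a exit,always -k file-open -S open
-w /etc/passwd -p wa -k identity
-k identity -w /etc/shadow -p wa
-e 1 -k lockdown
"""


def check_key_order(rules_text):
    """Return [(line_number, message)] for each line whose -k has no -S/-w before it."""
    findings = []
    for lineno, raw in enumerate(rules_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError as exc:          # e.g. unbalanced quotes
            findings.append((lineno, f"unparseable line: {exc}"))
            continue
        is_control = any(tok in CONTROL_FLAGS for tok in tokens)
        seen_rule_type = False
        for tok in tokens:
            if tok in RULE_TYPE_FLAGS:
                seen_rule_type = True
            elif tok == "-k" and not seen_rule_type:
                if is_control:
                    msg = "-k used on a -b/-e control line; keys do not apply here"
                else:
                    msg = "-k given before any -S or -w; move it after the rule type"
                findings.append((lineno, msg))
                break                      # one finding per line is enough
    return findings


if __name__ == "__main__":
    for lineno, msg in check_key_order(SAMPLE_RULES):
        print(f"line {lineno}: {msg}")
```
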