Difference between "-a exit,always" and "-a always,exit"?

Difference between "-a exit,always" and "-a always,exit"?

[leam hall]

[-- Attachment #1.1: Type: text/plain, Size: 165 bytes --]

In the audit.rules file, is there a difference between  "-a exit,always"
and "-a always,exit"?

Thanks!

Leam

-- 
Mind on a Mission <http://leamhall.blogspot.com/>

[-- Attachment #1.2: Type: text/html, Size: 317 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: Difference between "-a exit,always" and "-a always,exit"?

[Steve Grubb]

On Thursday, April 03, 2014 08:28:59 AM leam hall wrote:
> In the audit.rules file, is there a difference between  "-a exit,always"
> and "-a always,exit"?

Nope. Both work fine. I think that for consistency, I have fixed all rules files 
to use "-a always,exit".

-Steve

Re: Difference between "-a exit,always" and "-a always,exit"?

[leam hall]

[-- Attachment #1.1: Type: text/plain, Size: 525 bytes --]

You and everyone I know. However, the SCC scan tool is hitting as it
expects "exit,always". Ugh...

Leam


On Thu, Apr 3, 2014 at 8:32 AM, Steve Grubb <sgrubb@redhat.com> wrote:

> On Thursday, April 03, 2014 08:28:59 AM leam hall wrote:
> > In the audit.rules file, is there a difference between  "-a exit,always"
> > and "-a always,exit"?
>
> Nope. Both work fine. I think that for consistency, I have fixed all rules
> files
> to use "-a always,exit".
>
> -Steve
>



-- 
Mind on a Mission <http://leamhall.blogspot.com/>

[-- Attachment #1.2: Type: text/html, Size: 1049 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: Difference between "-a exit,always" and "-a always,exit"?

[Steve Grubb]

On Thursday, April 03, 2014 08:36:21 AM leam hall wrote:
> You and everyone I know. However, the SCC scan tool is hitting as it
> expects "exit,always". Ugh...

This would be a SCAP content issue. In doing some research, I found that the 
problem appears to have been solved in the audit-2.0.6 release. It also seems 
that a couple rules got accidentally re-introduced in 2.2.3 but was fixed again 
in 2.3.2.

But going back to the content, I just grep'ed through the SSG project and see 
that they are testing for reversed fields. I'll tell them to fix that.

-Steve

> On Thu, Apr 3, 2014 at 8:32 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> > On Thursday, April 03, 2014 08:28:59 AM leam hall wrote:
> > > In the audit.rules file, is there a difference between  "-a exit,always"
> > > and "-a always,exit"?
> > 
> > Nope. Both work fine. I think that for consistency, I have fixed all rules
> > files
> > to use "-a always,exit".
> > 
> > -Steve

Re: Difference between "-a exit,always" and "-a always,exit"?

[leam hall]

[-- Attachment #1.1: Type: text/plain, Size: 1210 bytes --]

Quick workaround is sed, if you don't have a lot of files to fix.   :)

Leam


On Thu, Apr 3, 2014 at 9:23 AM, Steve Grubb <sgrubb@redhat.com> wrote:

> On Thursday, April 03, 2014 08:36:21 AM leam hall wrote:
> > You and everyone I know. However, the SCC scan tool is hitting as it
> > expects "exit,always". Ugh...
>
> This would be a SCAP content issue. In doing some research, I found that
> the
> problem appears to have been solved in the audit-2.0.6 release. It also
> seems
> that a couple rules got accidentally re-introduced in 2.2.3 but was fixed
> again
> in 2.3.2.
>
> But going back to the content, I just grep'ed through the SSG project and
> see
> that they are testing for reversed fields. I'll tell them to fix that.
>
> -Steve
>
> > On Thu, Apr 3, 2014 at 8:32 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> > > On Thursday, April 03, 2014 08:28:59 AM leam hall wrote:
> > > > In the audit.rules file, is there a difference between  "-a
> exit,always"
> > > > and "-a always,exit"?
> > >
> > > Nope. Both work fine. I think that for consistency, I have fixed all
> rules
> > > files
> > > to use "-a always,exit".
> > >
> > > -Steve
>
>


-- 
Mind on a Mission <http://leamhall.blogspot.com/>

[-- Attachment #1.2: Type: text/html, Size: 1938 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]