From mboxrd@z Thu Jan 1 00:00:00 1970 From: leam hall Subject: Re: Difference between "-a exit,always" and "-a always,exit"? Date: Thu, 3 Apr 2014 08:36:21 -0400 Message-ID: References: <6209163.80HeQiKcI1@x2> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="===============8866996333937581532==" Return-path: Received: from mx1.redhat.com (ext-mx11.extmail.prod.ext.phx2.redhat.com [10.5.110.16]) by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id s33CaM3j003740 for ; Thu, 3 Apr 2014 08:36:22 -0400 Received: from mail-pd0-f181.google.com (mail-pd0-f181.google.com [209.85.192.181]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s33CaLMv024856 for ; Thu, 3 Apr 2014 08:36:21 -0400 Received: by mail-pd0-f181.google.com with SMTP id p10so1728493pdj.12 for ; Thu, 03 Apr 2014 05:36:21 -0700 (PDT) In-Reply-To: <6209163.80HeQiKcI1@x2> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com --===============8866996333937581532== Content-Type: multipart/alternative; boundary=047d7bd6b82800920a04f622a635 --047d7bd6b82800920a04f622a635 Content-Type: text/plain; charset=UTF-8 You and everyone I know. However, the SCC scan tool is hitting as it expects "exit,always". Ugh... Leam On Thu, Apr 3, 2014 at 8:32 AM, Steve Grubb wrote: > On Thursday, April 03, 2014 08:28:59 AM leam hall wrote: > > In the audit.rules file, is there a difference between "-a exit,always" > > and "-a always,exit"? > > Nope. Both work fine. I think that for consistency, I have fixed all rules > files > to use "-a always,exit". > > -Steve > -- Mind on a Mission --047d7bd6b82800920a04f622a635 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
You and everyone I know. However, the SCC scan tool i= s hitting as it expects "exit,always". Ugh...

Leam


On Th= u, Apr 3, 2014 at 8:32 AM, Steve Grubb <sgrubb@redhat.com> w= rote:
On Thursday, April 03, 2014 = 08:28:59 AM leam hall wrote:
> In the audit.rules file, is there a difference between =C2=A0"-a = exit,always"
> and "-a always,exit"?

Nope. Both work fine. I think that for consistency, I have fixed all = rules files
to use "-a always,exit".

-Steve



--
--047d7bd6b82800920a04f622a635-- --===============8866996333937581532== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline --===============8866996333937581532==-- From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: Difference between "-a exit,always" and "-a always,exit"? Date: Thu, 03 Apr 2014 08:32:28 -0400 Message-ID: <6209163.80HeQiKcI1@x2> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com Cc: leam hall List-Id: linux-audit@redhat.com On Thursday, April 03, 2014 08:28:59 AM leam hall wrote: > In the audit.rules file, is there a difference between "-a exit,always" > and "-a always,exit"? Nope. Both work fine. I think that for consistency, I have fixed all rules files to use "-a always,exit". -Steve From mboxrd@z Thu Jan 1 00:00:00 1970 From: leam hall Subject: Difference between "-a exit,always" and "-a always,exit"? Date: Thu, 3 Apr 2014 08:28:59 -0400 Message-ID: Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="===============2208737874258781658==" Return-path: Received: from mx1.redhat.com (ext-mx13.extmail.prod.ext.phx2.redhat.com [10.5.110.18]) by int-mx13.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id s33CT1qO026654 for ; Thu, 3 Apr 2014 08:29:01 -0400 Received: from mail-pd0-f172.google.com (mail-pd0-f172.google.com [209.85.192.172]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s33CT0Z2027449 for ; Thu, 3 Apr 2014 08:29:00 -0400 Received: by mail-pd0-f172.google.com with SMTP id p10so1716343pdj.17 for ; Thu, 03 Apr 2014 05:29:00 -0700 (PDT) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com --===============2208737874258781658== Content-Type: multipart/alternative; boundary=001a11362872b43e4b04f6228bf8 --001a11362872b43e4b04f6228bf8 Content-Type: text/plain; charset=UTF-8 In the audit.rules file, is there a difference between "-a exit,always" and "-a always,exit"? Thanks! Leam -- Mind on a Mission --001a11362872b43e4b04f6228bf8 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
In the audit.rules file, is there a difference betwee= n=C2=A0 "-a exit,always" and "-a always,exit"?

<= /div>Thanks!

Leam
 --001a11362872b43e4b04f6228bf8-- --===============2208737874258781658== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline --===============2208737874258781658==-- From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: Difference between "-a exit,always" and "-a always,exit"? Date: Thu, 03 Apr 2014 09:23:34 -0400 Message-ID: <2369373.XVSyS8d0au@x2> References: <6209163.80HeQiKcI1@x2> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com On Thursday, April 03, 2014 08:36:21 AM leam hall wrote: > You and everyone I know. However, the SCC scan tool is hitting as it > expects "exit,always". Ugh... This would be a SCAP content issue. In doing some research, I found that the problem appears to have been solved in the audit-2.0.6 release. It also seems that a couple rules got accidentally re-introduced in 2.2.3 but was fixed again in 2.3.2. But going back to the content, I just grep'ed through the SSG project and see that they are testing for reversed fields. I'll tell them to fix that. -Steve > On Thu, Apr 3, 2014 at 8:32 AM, Steve Grubb wrote: > > On Thursday, April 03, 2014 08:28:59 AM leam hall wrote: > > > In the audit.rules file, is there a difference between "-a exit,always" > > > and "-a always,exit"? > > > > Nope. Both work fine. I think that for consistency, I have fixed all rules > > files > > to use "-a always,exit". > > > > -Steve From mboxrd@z Thu Jan 1 00:00:00 1970 From: leam hall Subject: Re: Difference between "-a exit,always" and "-a always,exit"? Date: Thu, 3 Apr 2014 09:25:26 -0400 Message-ID: References: <6209163.80HeQiKcI1@x2> <2369373.XVSyS8d0au@x2> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="===============6844833612948911857==" Return-path: Received: from mx1.redhat.com (ext-mx14.extmail.prod.ext.phx2.redhat.com [10.5.110.19]) by int-mx13.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id s33DPVfL020682 for ; Thu, 3 Apr 2014 09:25:31 -0400 Received: from mail-pb0-f46.google.com (mail-pb0-f46.google.com [209.85.160.46]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s33DPQCj031088 for ; Thu, 3 Apr 2014 09:25:27 -0400 Received: by mail-pb0-f46.google.com with SMTP id rq2so1838926pbb.5 for ; Thu, 03 Apr 2014 06:25:26 -0700 (PDT) In-Reply-To: <2369373.XVSyS8d0au@x2> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com --===============6844833612948911857== Content-Type: multipart/alternative; boundary=047d7b15aa4d885b0704f623556a --047d7b15aa4d885b0704f623556a Content-Type: text/plain; charset=UTF-8 Quick workaround is sed, if you don't have a lot of files to fix. :) Leam On Thu, Apr 3, 2014 at 9:23 AM, Steve Grubb wrote: > On Thursday, April 03, 2014 08:36:21 AM leam hall wrote: > > You and everyone I know. However, the SCC scan tool is hitting as it > > expects "exit,always". Ugh... > > This would be a SCAP content issue. In doing some research, I found that > the > problem appears to have been solved in the audit-2.0.6 release. It also > seems > that a couple rules got accidentally re-introduced in 2.2.3 but was fixed > again > in 2.3.2. > > But going back to the content, I just grep'ed through the SSG project and > see > that they are testing for reversed fields. I'll tell them to fix that. > > -Steve > > > On Thu, Apr 3, 2014 at 8:32 AM, Steve Grubb wrote: > > > On Thursday, April 03, 2014 08:28:59 AM leam hall wrote: > > > > In the audit.rules file, is there a difference between "-a > exit,always" > > > > and "-a always,exit"? > > > > > > Nope. Both work fine. I think that for consistency, I have fixed all > rules > > > files > > > to use "-a always,exit". > > > > > > -Steve > > -- Mind on a Mission --047d7b15aa4d885b0704f623556a Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
Quick workaround is sed, if you don't have a lot of fi= les to fix.=C2=A0=C2=A0 :)

Leam
=

On Thu, Apr 3, 2014 at 9:23 AM, Steve Gr= ubb <sgrubb@redhat.com> wrote:
On Thursday, April 03, 2014 = 08:36:21 AM leam hall wrote:
> You and everyone I know. However, the SCC scan tool is hitting as it > expects "exit,always". Ugh...

This would be a SCAP content issue. In doing some research, I found t= hat the
problem appears to have been solved in the audit-2.0.6 release. It also see= ms
that a couple rules got accidentally re-introduced in 2.2.3 but was fixed a= gain
in 2.3.2.

But going back to the content, I just grep'ed through the SSG project a= nd see
that they are testing for reversed fields. I'll tell them to fix that.<= br>
-Steve

> On Thu, Apr 3, 2014 at 8:32 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> > On Thursday, April 03, 2014 08:28:59 AM leam hall wrote:
> > > In the audit.rules file, is there a difference between =C2= =A0"-a exit,always"
> > > and "-a always,exit"?
> >
> > Nope. Both work fine. I think that for consistency, I have fixed = all rules
> > files
> > to use "-a always,exit".
> >
> > -Steve




--
--047d7b15aa4d885b0704f623556a-- --===============6844833612948911857== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline --===============6844833612948911857==--