* Difference between "-a exit,always" and "-a always,exit"? @ 2014-04-03 12:28 leam hall 2014-04-03 12:32 ` Steve Grubb 0 siblings, 1 reply; 5+ messages in thread From: leam hall @ 2014-04-03 12:28 UTC (permalink / raw) To: linux-audit [-- Attachment #1.1: Type: text/plain, Size: 165 bytes --] In the audit.rules file, is there a difference between "-a exit,always" and "-a always,exit"? Thanks! Leam -- Mind on a Mission <http://leamhall.blogspot.com/> [-- Attachment #1.2: Type: text/html, Size: 317 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --] ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Difference between "-a exit,always" and "-a always,exit"? 2014-04-03 12:28 Difference between "-a exit,always" and "-a always,exit"? leam hall @ 2014-04-03 12:32 ` Steve Grubb 2014-04-03 12:36 ` leam hall 0 siblings, 1 reply; 5+ messages in thread From: Steve Grubb @ 2014-04-03 12:32 UTC (permalink / raw) To: linux-audit; +Cc: leam hall On Thursday, April 03, 2014 08:28:59 AM leam hall wrote: > In the audit.rules file, is there a difference between "-a exit,always" > and "-a always,exit"? Nope. Both work fine. I think that for consistency, I have fixed all rules files to use "-a always,exit". -Steve ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Difference between "-a exit,always" and "-a always,exit"? 2014-04-03 12:32 ` Steve Grubb @ 2014-04-03 12:36 ` leam hall 2014-04-03 13:23 ` Steve Grubb 0 siblings, 1 reply; 5+ messages in thread From: leam hall @ 2014-04-03 12:36 UTC (permalink / raw) To: linux-audit [-- Attachment #1.1: Type: text/plain, Size: 525 bytes --] You and everyone I know. However, the SCC scan tool is hitting as it expects "exit,always". Ugh... Leam On Thu, Apr 3, 2014 at 8:32 AM, Steve Grubb <sgrubb@redhat.com> wrote: > On Thursday, April 03, 2014 08:28:59 AM leam hall wrote: > > In the audit.rules file, is there a difference between "-a exit,always" > > and "-a always,exit"? > > Nope. Both work fine. I think that for consistency, I have fixed all rules > files > to use "-a always,exit". > > -Steve > -- Mind on a Mission <http://leamhall.blogspot.com/> [-- Attachment #1.2: Type: text/html, Size: 1049 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --] ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Difference between "-a exit,always" and "-a always,exit"? 2014-04-03 12:36 ` leam hall @ 2014-04-03 13:23 ` Steve Grubb 2014-04-03 13:25 ` leam hall 0 siblings, 1 reply; 5+ messages in thread From: Steve Grubb @ 2014-04-03 13:23 UTC (permalink / raw) To: linux-audit On Thursday, April 03, 2014 08:36:21 AM leam hall wrote: > You and everyone I know. However, the SCC scan tool is hitting as it > expects "exit,always". Ugh... This would be a SCAP content issue. In doing some research, I found that the problem appears to have been solved in the audit-2.0.6 release. It also seems that a couple rules got accidentally re-introduced in 2.2.3 but was fixed again in 2.3.2. But going back to the content, I just grep'ed through the SSG project and see that they are testing for reversed fields. I'll tell them to fix that. -Steve > On Thu, Apr 3, 2014 at 8:32 AM, Steve Grubb <sgrubb@redhat.com> wrote: > > On Thursday, April 03, 2014 08:28:59 AM leam hall wrote: > > > In the audit.rules file, is there a difference between "-a exit,always" > > > and "-a always,exit"? > > > > Nope. Both work fine. I think that for consistency, I have fixed all rules > > files > > to use "-a always,exit". > > > > -Steve ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Difference between "-a exit,always" and "-a always,exit"? 2014-04-03 13:23 ` Steve Grubb @ 2014-04-03 13:25 ` leam hall 0 siblings, 0 replies; 5+ messages in thread From: leam hall @ 2014-04-03 13:25 UTC (permalink / raw) To: linux-audit [-- Attachment #1.1: Type: text/plain, Size: 1210 bytes --] Quick workaround is sed, if you don't have a lot of files to fix. :) Leam On Thu, Apr 3, 2014 at 9:23 AM, Steve Grubb <sgrubb@redhat.com> wrote: > On Thursday, April 03, 2014 08:36:21 AM leam hall wrote: > > You and everyone I know. However, the SCC scan tool is hitting as it > > expects "exit,always". Ugh... > > This would be a SCAP content issue. In doing some research, I found that > the > problem appears to have been solved in the audit-2.0.6 release. It also > seems > that a couple rules got accidentally re-introduced in 2.2.3 but was fixed > again > in 2.3.2. > > But going back to the content, I just grep'ed through the SSG project and > see > that they are testing for reversed fields. I'll tell them to fix that. > > -Steve > > > On Thu, Apr 3, 2014 at 8:32 AM, Steve Grubb <sgrubb@redhat.com> wrote: > > > On Thursday, April 03, 2014 08:28:59 AM leam hall wrote: > > > > In the audit.rules file, is there a difference between "-a > exit,always" > > > > and "-a always,exit"? > > > > > > Nope. Both work fine. I think that for consistency, I have fixed all > rules > > > files > > > to use "-a always,exit". > > > > > > -Steve > > -- Mind on a Mission <http://leamhall.blogspot.com/> [-- Attachment #1.2: Type: text/html, Size: 1938 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --] ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2014-04-03 13:25 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2014-04-03 12:28 Difference between "-a exit,always" and "-a always,exit"? leam hall 2014-04-03 12:32 ` Steve Grubb 2014-04-03 12:36 ` leam hall 2014-04-03 13:23 ` Steve Grubb 2014-04-03 13:25 ` leam hall
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox