audit rule question

LC Bruzenak lenny at magitekltd.com
Wed May 7 16:56:37 UTC 2008


On Wed, 2008-05-07 at 12:44 -0400, Steve Grubb wrote:
> On Wednesday 07 May 2008 12:16:01 LC Bruzenak wrote:
> > Am I misunderstanding this option, or is there a manpage or code error?
> > audit-1.7.2-6.fc9.x86_64
> 
> I'd say we need to fix the man page.

OK. Should I open a bz?

And also along these lines, manpage says:
-a list,action

but the supplied /usr/share/doc/audit-1.7.2/stig.rules file has, in a
few places:
stig.rules:-a always,exit

which I believe is backwards.

The other supplied example rules (capp, lspp, nispom) appear to be in
the correct order.

I am a little surprised that the "-a always,exit" doesn't cause an
error. I wonder if it works correctly - maybe auditctl code is smart
enough to overcome syntactic dyslexia? :)

LCB.

-- 
LC (Lenny) Bruzenak
lenny at magitekltd.com
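
A check for the ordering question raised in the message above, as an added example that is not part of the original post or of the audit package: it reports which `-a`/`-A` rules in a rules file use the man page's `list,action` order and which use `action,list`. The function names and the sample rules are assumptions constructed for illustration, and the script makes no claim about what auditctl does with either order.

```shell
#!/bin/sh
# Added example: classify the argument order of -a / -A in audit rule lines.
# Sample rules are constructed; they are not the contents of stig.rules.

is_list()   { case "$1" in task|entry|exit|user|exclude) return 0;; esac; return 1; }
is_action() { case "$1" in always|never) return 0;; esac; return 1; }

# Print "list,action", "action,list", "invalid" or "none" for one rule line.
classify_a_order() {
    set -f                      # no globbing while word-splitting the rule
    set -- $1
    set +f
    while [ $# -gt 0 ]; do
        case "$1" in
            -a|-A)
                [ $# -ge 2 ] || { echo invalid; return; }
                first=${2%%,*}; second=${2#*,}
                if [ "$2" = "$first" ]; then echo invalid        # no comma
                elif is_list "$first" && is_action "$second"; then echo list,action
                elif is_action "$first" && is_list "$second"; then echo action,list
                else echo invalid
                fi
                return ;;
        esac
        shift
    done
    echo none                   # line has no -a/-A (e.g. a -w watch)
}

# Read a rules file on stdin; report each rule not in the man page's order.
lint_rules() {
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue;; esac
        order=$(classify_a_order "$line")
        case "$order" in
            action,list|invalid) echo "$n: $order: $line";;
        esac
    done
}

SAMPLE_RULES='# constructed sample rules
-a exit,always -S open -F success=0
-a always,exit -S chmod -F auid>=500
-a exit -S unlink
-w /etc/passwd -p wa'

printf '%s\n' "$SAMPLE_RULES" | lint_rules
```

To check a real file, feed it on stdin, for example `lint_rules < /usr/share/doc/audit-1.7.2/stig.rules`.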



