Description of problem: Typo in /usr/share/doc/audit-x.x.x/stig.rules Version-Release number of selected component (if applicable): Noticed in F12, also present in RHEL5.3 How reproducible: View /usr/share/doc/audit-x.x.x/stig.rules Steps to Reproduce: 1. grep time-change /usr/share/doc/audit-2.0.4/stig.rules Actual results: -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change #-a always,exit -F arch=b32 -S clock_settime -k time-change #-a always,exit -F arch=b64 -S clock_settime -k time-change -w /etc/localtime -p wa -k time-change Expected results: -a exit,always -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a exit,always -F arch=b64 -S adjtimex -S settimeofday -k time-change #-a exit,always -F arch=b32 -S clock_settime -k time-change #-a exit,always -F arch=b64 -S clock_settime -k time-change -w /etc/localtime -p wa -k time-change Additional info:
I'm still trying to figure out what is wrong. It looks like you list 5 rules in actual and expected results, the key is teh same on each one, the syscalls are the same, the watch is the same.
(In reply to comment #1) > I'm still trying to figure out what is wrong. It looks like you list 5 rules in > actual and expected results, the key is teh same on each one, the syscalls are > the same, the watch is the same. Sorry ... the list and action are in the wrong order 'always,exit' should be 'exit,always'
Ok. The order for that field does not matter. Auditctl will accept things in either order. I suppose I could arrange it for consistency, but I wouldn't call it a bug unless auditctl reports an error.
No problems, just caused a little confusion as it didn't match the man page thanks
This message is a reminder that Fedora 12 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 12. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '12'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 12's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 12 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
This was fixed in an upstream commit: https://fedorahosted.org/audit/changeset/418 It will be in audit-2.0.6 when that is released.