From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Kirkwood, David A."
Subject: Time field not readable
Date: Mon, 3 Nov 2008 10:50:05 -0500
Message-ID: <954E3479CC27224785179CA04904214D0B23DC95@0668-its-exmp01.us.saic.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

I have had the audit running on multiple systems for some time using auditctl version 1.0.14 and everything is working just the way I want it. I have been given a RHEL4u4 system (which is what the others are) and it has auditctl version 1.2.1. The time field started out working but ended up as not readable. It seems to have reverted to the message id information instead of the time.

The audit rules files are identical and consist of:

    -D
    -b 8192
    -f 2
    -a exit,always -S all -F exit=-13

In version 1.0.4 I can use a line like

    ausearch -i -x /usr/bin/passwd | grep USER_CHAUTHTOK

to get password changes whether they pass or fail, which is another difference.

The main difference, however, is that the time, although starting out correctly in 1.2.1, degrades to

    Monday 03,November,2008 ,..403:202

If the two versions are different, can I just replace auditctl 1.2.1 with auditctl 1.0.14 to get this system up quickly? If so, do I need to change any other files?

Thanks

David A. Kirkwood
SAIC
david.a.kirkwood@saic.com
kirkwoodd@saic.com
Phone: (727) 502-8310
Fax:   (727) 822-7776
From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Time field not readable
Date: Mon, 3 Nov 2008 11:12:31 -0500
Message-ID: <200811031112.31399.sgrubb@redhat.com>
In-Reply-To: <954E3479CC27224785179CA04904214D0B23DC95@0668-its-exmp01.us.saic.com>
To: linux-audit@redhat.com
Cc: "Kirkwood, David A."
List-Id: linux-audit@redhat.com

On Monday 03 November 2008 10:50:05 Kirkwood, David A. wrote:
> I have had the audit running on multiple systems for some time using
> auditctl version 1.0.14 and everything is working just the way I want
> it. I have been given a RHEL4u4 system (which is what the others are)
> and it has auditctl version 1.2.1.

RHEL4 must use the audit tools from the 1.0.X series. There were many changes that cause incompatibility with anything newer. Yes, install the 1.0.14 copy and it should work better.

-Steve
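The two moving parts of the thread, the rule `-a exit,always -S all -F exit=-13` and the `ausearch -i -x /usr/bin/passwd | grep USER_CHAUTHTOK` pipeline, both operate on raw audit records of the form `type=TYPE msg=audit(SECONDS.MILLIS:SERIAL): key=value ...`; the `SECONDS.MILLIS:SERIAL` pair is what the poster reads as "message id information" showing up where `ausearch -i` should print an interpreted time. The following script is an added example, not code from the thread or from the audit project: it parses constructed raw records, renders the timestamp as a readable UTC time, groups records into events by serial, and reproduces the two selections above without depending on `ausearch`. The record layout is the standard audit.log format; the sample lines, the function names and the small tolerances in `parse_kv` (trailing `,` and `)` on bare tokens inside the PAM `msg=` string) are assumptions made for this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample records in the raw audit.log format (not taken from the
# original thread). Serials 403 and 405 are passwd runs (one success, one
# failure); serial 404 is an open() of /etc/shadow denied with EACCES
# (exit=-13), which is what `-a exit,always -S all -F exit=-13` records.
SAMPLE_LOG = """\
type=USER_CHAUTHTOK msg=audit(1225727405.202:403): user pid=4711 uid=0 auid=500 msg='op=PAM:chauthtok acct="alice" exe="/usr/bin/passwd" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=SYSCALL msg=audit(1225727466.117:404): arch=c000003e syscall=2 success=no exit=-13 a0=7fff0a1c a1=0 a2=1b6 a3=0 items=1 ppid=4000 pid=4712 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 comm="cat" exe="/bin/cat" key=(null)
type=PATH msg=audit(1225727466.117:404): item=0 name="/etc/shadow" inode=1234 dev=08:02 mode=0100400 ouid=0 ogid=0 rdev=00:00
type=USER_CHAUTHTOK msg=audit(1225727501.009:405): user pid=4715 uid=500 auid=500 msg='op=PAM:chauthtok acct="alice" exe="/usr/bin/passwd" (hostname=?, addr=?, terminal=pts/0 res=failed)'
"""

# type=<TYPE> msg=audit(<epoch seconds>.<millis>:<serial>): <key=value ...>
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<secs>\d+)\.(?P<ms>\d{3}):(?P<serial>\d+)\): (?P<body>.*)$"
)
# key=value pairs; values may be "double-quoted", 'single-quoted' or bare tokens
KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")


def parse_kv(body):
    """Turn `a=1 b="x y" c='z'` into {'a': '1', 'b': 'x y', 'c': 'z'}."""
    out = {}
    for key, val in KV_RE.findall(body):
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]            # quoted value: drop the quotes
        else:
            val = val.rstrip(",")      # bare token: drop list punctuation (assumed)
            if val.endswith(")") and "(" not in val:
                val = val[:-1]         # ...and a closing paren as in `res=success)`
        out[key] = val
    return out


def parse_records(text):
    """Parse raw audit records into dicts carrying a readable UTC timestamp."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue                   # not a record this parser understands
        secs, ms = int(m["secs"]), int(m["ms"])
        stamp = datetime.fromtimestamp(secs, tz=timezone.utc)
        records.append({
            "type": m["type"],
            "serial": int(m["serial"]),
            "epoch": secs + ms / 1000.0,
            "time": f"{stamp:%Y-%m-%d %H:%M:%S}.{ms:03d} UTC",
            "fields": parse_kv(m["body"]),
        })
    return records


def group_events(records):
    """An audit event is every record that shares one (timestamp, serial) pair."""
    events = {}
    for rec in records:
        events.setdefault((rec["epoch"], rec["serial"]), []).append(rec)
    return events


def password_changes(records, exe="/usr/bin/passwd"):
    """Same selection as `ausearch -x /usr/bin/passwd | grep USER_CHAUTHTOK`:
    every password-change attempt by that executable, successful or not."""
    hits = []
    for rec in records:
        if rec["type"] != "USER_CHAUTHTOK":
            continue
        inner = parse_kv(rec["fields"].get("msg", ""))   # the PAM msg='...' string
        if inner.get("exe") == exe:
            hits.append((rec["time"], inner.get("acct"), inner.get("res")))
    return hits


def eacces_events(records):
    """Events the rule `-a exit,always -S all -F exit=-13` produces: a SYSCALL
    record with exit=-13 (EACCES) together with the PATH records of its event."""
    hits = []
    for (_, serial), recs in sorted(group_events(records).items()):
        syscalls = [r for r in recs
                    if r["type"] == "SYSCALL" and r["fields"].get("exit") == "-13"]
        if not syscalls:
            continue
        sc = syscalls[0]
        paths = [r["fields"].get("name") for r in recs if r["type"] == "PATH"]
        hits.append({"serial": serial, "time": sc["time"],
                     "exe": sc["fields"].get("exe"), "paths": paths})
    return hits


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for t, acct, res in password_changes(recs):
        print(f"{t}  passwd acct={acct} result={res}")
    for ev in eacces_events(recs):
        print(f"{ev['time']}  serial={ev['serial']} {ev['exe']} EACCES on {ev['paths']}")
```

Run as a script it prints both selections; the functions return plain data so the same parser can be pointed at a real `/var/log/audit/audit.log` when the installed `ausearch` cannot be trusted to interpret the time field.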