Time field not readable

Time field not readable

[Kirkwood, David A.]

[-- Attachment #1.1: Type: text/plain, Size: 1252 bytes --]

I have had the audit running on multiple system for some time using
auditctl version 1.0.14 and everything is working just the way I want
it. I have been given a RHEL4u4 system ( which is what the others are)
and it havs auditctl version 1.2.1. The time field started out working
but ended up  as not readable. It seems to have revered to the message
id information instead of the time.

 

The audit rules files are identical and consist of:

            -D

            -b 8192

            -f 2

            -a exit,always -S all -F exit=-13

 

In version 1.0.4 I can use a line llike 

            Ausearch -I -x /usr/bin/passwd | grep USER_CHAUTHTOK  to get
password changes whether they pass or fail

 
Which is anouth difference

 

The main difference, however is that the time, although starting out
correctly in 1.2.1 degrades to 

            Monday 03,November,2008 ,..403:202

 

If the two versions are different, can I just replace auditctl 1.2.1
with auditctl 1.0.14 to get this system up quickly? If so, do I need to
change any other files?

 

Thanks

 

David A. Kirkwood
SAIC

david.a.kirkwood@saic.com
kirkwoodd@saic.com

Phone: (727) 502-8310
Fax:   (727) 822-7776 

 


[-- Attachment #1.2: Type: text/html, Size: 6072 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: Time field not readable

[Steve Grubb]

On Monday 03 November 2008 10:50:05 Kirkwood, David A. wrote:
> I have had the audit running on multiple system for some time using
> auditctl version 1.0.14 and everything is working just the way I want
> it. I have been given a RHEL4u4 system ( which is what the others are)
> and it havs auditctl version 1.2.1.

RHEL4 must use the audit tools from the 1.0.X series. There were many changes 
that cause incompatibility with anything newer. Yes, install the 1.0.14 copy 
and it should work better.

-Steve