FW: Time field not readable

FW: Time field not readable

[Kirkwood, David A.]

I have removed the packages audit-2.4.1, audit-libs-2.4.1,
audit-libs-devel-2,4,1 and SnareLinux and added via rpm
audit-libs-1.0.14-1, audit-libs-1.0.4-1 and audit-1.0.14-1. The time
field is still not readable when I used ausearch or aureport utilities. 

Have I missed something? I am comparing the system to a known good
system and they appear to be identical.

All help is appreciated.

Thanks,

David A. Kirkwood
SAIC

david.a.kirkwood@saic.com
kirkwoodd@saic.com


-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com] 
Sent: Monday, November 03, 2008 11:13 AM
To: linux-audit@redhat.com
Cc: Kirkwood, David A.
Subject: Re: Time field not readable

On Monday 03 November 2008 10:50:05 Kirkwood, David A. wrote:
> I have had the audit running on multiple system for some time using
> auditctl version 1.0.14 and everything is working just the way I want
> it. I have been given a RHEL4u4 system ( which is what the others are)
> and it havs auditctl version 1.2.1.

RHEL4 must use the audit tools from the 1.0.X series. There were many
changes 
that cause incompatibility with anything newer. Yes, install the 1.0.14
copy 
and it should work better.

-Steve

Re: FW: Time field not readable

[Steve Grubb]

On Monday 03 November 2008 14:59:05 Kirkwood, David A. wrote:
> I have removed the packages audit-2.4.1, audit-libs-2.4.1,
> audit-libs-devel-2,4,1

I have no idea what those are. the latest RHEL4 audit package is 1.0.16 and 
RHEL5 is 1.6.5. My development copy is 1.7.9. You have a RHEL4 system that is 
way out of whack since those are packages that I've never heard of. :)

> and SnareLinux and added via rpm audit-libs-1.0.14-1, audit-libs-1.0.4-1 and
> audit-1.0.14-1. The time field is still not readable when I used ausearch or
> aureport utilities. 

Updating the user space utilities means that from now on your logs will be 
readable. Also, what kernel are you running? Are you running a real RHEL4 
kernel?

-Steve

RE: FW: Time field not readable

[Kirkwood, David A.]

The kernel I am running is 2.6.9-42. I think the kernel may have been
tampered with. Doesn't Snare install require rebuilding the kernel with
traps for the audit to work? Also, I found the complete source tree in
/usr/RedHat and /usr/SRCS (at least there was a lot of code there).

David A. Kirkwood
SAIC

david.a.kirkwood@saic.com
kirkwoodd@saic.com

Phone: (727) 502-8310
Fax:   (727) 822-7776

-----Original Message-----
From: linux-audit-bounces@redhat.com
[mailto:linux-audit-bounces@redhat.com] On Behalf Of Steve Grubb
Sent: Monday, November 03, 2008 4:46 PM
To: linux-audit@redhat.com
Cc: Kirkwood, David A.
Subject: Re: FW: Time field not readable

On Monday 03 November 2008 14:59:05 Kirkwood, David A. wrote:
> I have removed the packages audit-2.4.1, audit-libs-2.4.1,
> audit-libs-devel-2,4,1

I have no idea what those are. the latest RHEL4 audit package is 1.0.16
and 
RHEL5 is 1.6.5. My development copy is 1.7.9. You have a RHEL4 system
that is 
way out of whack since those are packages that I've never heard of. :)

> and SnareLinux and added via rpm audit-libs-1.0.14-1,
audit-libs-1.0.4-1 and
> audit-1.0.14-1. The time field is still not readable when I used
ausearch or
> aureport utilities. 

Updating the user space utilities means that from now on your logs will
be 
readable. Also, what kernel are you running? Are you running a real
RHEL4 
kernel?

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit