From: Mr Dash Four <mr.dash.four@googlemail.com>
Cc: Linux Audit <linux-audit@redhat.com>
Subject: Re: excluding auditd events
Date: Wed, 01 Jun 2011 15:47:48 +0100
Message-ID: <4DE65114.7030204@googlemail.com>
In-Reply-To: <1306937299.2072.21.camel@lcb>
> Too bad on not using mock; it is in my experience easier than grabbing
> pieces needed and certainly easier when those pieces get revised.
>
The main reason for not using mock (without drifting too much off topic)
is because it sets up the chroot environment to mirror the target arch,
which is not suitable to me at all - the main reason I use
cross-compilation is to utilise the power of the build machine and its
architecture - the last thing I expected is for mock to install GCC and its
accompanying tools for the (slow) target arch instead of installing/building
them for the build arch with the ability for them to cross-compile.
> $ sudo ausearch -ts 05/30/2011 | less
> works fine for me on FC10 & RHEL6.
>
-bash-4.1# ausearch -ts 05/30/2011 | less
Error parsing start date (05/30/2011)
> Look at your system time - is it correct?
> Use the "date" command.
> Check your LC_TIME ENV variable.
>
-bash-4.1# date
Wed Jun 1 15:41:53 BST 2011
-bash-4.1# echo $LC_TIME
-bash-4.1#
(I am executing this as root as you can imagine).
>> -bash-4.1# ausearch -m AVC -ts "05/26/11" | more <- works!
>>
>
> $ sudo ausearch -m AVC -ts "05/26/11"
> Error - year is 11
>
Interesting! I get the desired results and the machine on which this is
executed has all the latest (and greatest) packages in it, so I am not
using something which could be considered outdated (even though it is
all FC13-based, a lot of the stuff there is compiled and built from the
newest available sources).
> This also is the same for me on FC10 & RHEL6 (audit-1.7.16 and
> audit-2.1-5 respectively). So my guess is your LC_TIME or locale value
> is set for 2-digit dates or something along those lines. The "date"
> command should yield a clue, especially "date +%x".
>
-bash-4.1# ausearch --version
ausearch version 2.1.1
-bash-4.1# date +%x
01/06/11