From: Mr Dash Four
Subject: Re: excluding auditd events
Date: Wed, 01 Jun 2011 15:47:48 +0100
Message-ID: <4DE65114.7030204@googlemail.com>
Cc: Linux Audit

> Too bad on not using mock; it is in my experience easier than grabbing
> pieces needed and certainly easier when those pieces get revised.

The main reason for not using mock (without drifting too much off topic)
is because it sets up the chroot environment to mirror the target arch,
which is not suitable to me at all - the main reason I use
cross-compilation is to utilise the power of the build machine and its
architecture - the last thing I expected is mock to install GCC and its
accompanying tools for the (slow) target arch instead of
installing/building them for the build arch with the ability for them to
cross-compile.

> $ sudo ausearch -ts 05/30/2011 | less
> works fine for me on FC10 & RHEL6.

-bash-4.1# ausearch -ts 05/30/2011 | less
Error parsing start date (05/30/2011)

> Look at your system time - is it correct?
> Use the "date" command.
> Check your LC_TIME ENV variable.

-bash-4.1# date
Wed Jun 1 15:41:53 BST 2011
-bash-4.1# echo $LC_TIME

-bash-4.1#

(I am executing this as root as you can imagine).

>> -bash-4.1# ausearch -m AVC -ts "05/26/11" | more <- works!
>
> $ sudo ausearch -m AVC -ts "05/26/11"
> Error - year is 11

Interesting! I get the desired results and the machine on which this is
executed has all the latest (and greatest) packages in it, so I am not
using something which could be considered outdated (even though it is
all FC13-based a lot of the stuff there is compiled and built from the
newest available sources).

> This also is the same for me on FC10 & RHEL6 (audit-1.7.16 and
> audit-2.1-5 respectively). So my guess is your LC_TIME or locale value
> is set for 2-digit dates or something along those lines. The "date"
> command should yield a clue, especially "date +%x".

-bash-4.1# ausearch --version
ausearch version 2.1.1
-bash-4.1# date +%x
01/06/11