On Friday 16 November 2007 10:54:40 Bill Tangren wrote:
> The reports always cover the entire range of available logs (sometimes
> gigabytes of data). The reports can take a LONG time to compile, and it
> doesn't give me the daily snapshot I need.
Use the -ts and -te command-line options to limit the report range. It
requires the date format to be correct for your locale - iow date "+%x %T".
The older version does not support words like today or yesterday.
I now have time to work on this. I did this for an example:
[root@www ~]# aureport -ts `date "+%x 16:00:00"`
Summary Report
======================
Range of time: 12/12/2007 00:33:26.629 - 12/26/2007 16:08:11.825
Number of changes in configuration: 0
Number of changes to accounts or groups: 0
Number of logins: 0
Number of failed logins: 0
Number of users: 2
Number of terminals: 1
Number of host names: 1
Number of executables: 8
Number of files: 11
Number of AVC denials: 0
Number of failed syscalls: 10
Number of watched file events: 36
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of process IDs: 14
Number of events: 65
[root@www ~]# aureport -ts `date "+%x 00:00:00"`
Summary Report
======================
Range of time: 12/12/2007 00:33:26.629 - 12/26/2007 16:08:26.817
Number of changes in configuration: 0
Number of changes to accounts or groups: 0
Number of logins: 1
Number of failed logins: 0
Number of users: 2
Number of terminals: 3
Number of host names: 2
Number of executables: 54
Number of files: 225
Number of AVC denials: 0
Number of failed syscalls: 834
Number of watched file events: 1550
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of process IDs: 651
Number of events: 3388
[root@www ~]#
Notice that the range times are the same for both examples, but the other
results are different. Is there a problem with the range times?
--
Bill Tangren
U.S. Naval Observatory
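
A sketch of the daily snapshot discussed in this thread, added here as an example and not part of the original messages: it builds both -ts and -te for a single calendar day in the locale's `%x` format, so "yesterday" works even where aureport does not accept the keyword. It assumes GNU date (for `-d`); the function names `audit_day_window` and `daily_report` are hypothetical.

```shell
#!/bin/sh
# Added example: bound an aureport run to one calendar day.
# Assumptions: GNU date (-d), aureport on PATH; function names are hypothetical.

# Print "-ts <date> 00:00:00 -te <date> 23:59:59" for the given day.
# <date> is rendered with %x so it matches the current locale, which is
# the format the thread says aureport requires.
audit_day_window() {
    day=${1:-yesterday}
    # date(1) resolves words like "yesterday" here, so aureport only ever
    # sees a plain locale-formatted date.
    d=$(date -d "$day" "+%x") || return 1
    # aureport takes the date and the time as two separate arguments.
    # A locale whose %x contains whitespace would split into extra
    # arguments, so refuse it instead of passing a wrong range.
    case $d in
        *[[:space:]]*) echo "locale date '$d' contains whitespace" >&2
                       return 1 ;;
    esac
    printf '%s\n' "-ts $d 00:00:00 -te $d 23:59:59"
}

# Run the summary report for one day (default: yesterday).
daily_report() {
    window=$(audit_day_window "$1") || return 1
    # Intentionally unquoted: the window must split into six arguments.
    # shellcheck disable=SC2086
    aureport $window
}

# When called with an argument, e.g. "./daily.sh yesterday", run the report.
if [ "$#" -gt 0 ]; then
    daily_report "$1"
fi
```

Giving both an explicit start and end keeps the selection to one day no matter how much older data is still in the logs.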