I have had the audit running on multiple systems for some
time using auditctl version 1.0.14 and everything is working just the way I
want it. I have been given a RHEL4u4 system (which is what the others are) and
it has auditctl version 1.2.1. The time field started out working but ended
up as not readable. It seems to have reverted to the message id
information instead of the time.
The audit rules files are identical and consist of:

-D
-b 8192
-f 2
-a exit,always -S all -F exit=-13
In version 1.0.4 I can use a line like

ausearch -i -x /usr/bin/passwd | grep USER_CHAUTHTOK

to get password changes whether they pass or fail, which
is another difference.
The main difference, however, is that the time, although starting
out correctly in 1.2.1, degrades to

Monday 03,November,2008 ,..403:202
If the two versions are different, can I just replace
auditctl 1.2.1 with auditctl 1.0.14 to get this system up quickly? If so, do I
need to change any other files?
Thanks

David A. Kirkwood
SAIC
david.a.kirkwood@saic.com
Phone: (727) 502-8310
Fax: (727) 822-7776
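To show what the two things the post relies on look like in the raw log, here is an added example (not from the post or from the audit package) that does the equivalent of `ausearch -i -x /usr/bin/passwd | grep USER_CHAUTHTOK` in Python: it interprets the `msg=audit(SECONDS.MILLIS:SERIAL)` field into a readable time and serial, and keeps only USER_CHAUTHTOK records from the given executable with their success/failed result. The audit records are constructed sample lines, not taken from any real system.

```python
import re
from datetime import datetime, timezone

# Constructed sample records in raw (uninterpreted) auditd format. The
# msg=audit(SECONDS.MILLIS:SERIAL) part is the "message id" form; `ausearch -i`
# normally renders it as a readable date plus the serial number.
SAMPLE_LOG = """\
type=USER_CHAUTHTOK msg=audit(1225727403.202:403): user pid=4321 uid=0 auid=500 msg='op=PAM:chauthtok acct="alice" exe="/usr/bin/passwd" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=USER_CHAUTHTOK msg=audit(1225727410.117:404): user pid=4330 uid=0 auid=501 msg='op=PAM:chauthtok acct="bob" exe="/usr/bin/passwd" (hostname=?, addr=?, terminal=pts/1 res=failed)'
type=USER_AUTH msg=audit(1225727411.000:405): user pid=4331 uid=0 auid=501 msg='op=PAM:authentication acct="bob" exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=USER_CHAUTHTOK msg=audit(1225727420.555:406): user pid=4340 uid=0 auid=502 msg='op=PAM:chauthtok acct="carol" exe="/usr/sbin/chpasswd" (hostname=?, addr=?, terminal=? res=success)'
"""

# Record header: event type plus the timestamp/serial pair auditd stamps on every line.
RECORD_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<secs>\d+)\.(?P<ms>\d{3}):(?P<serial>\d+)\):'
)
# key=value pairs; values are either double-quoted or run to whitespace, comma, ')' or quote.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|[^\s,)\']+)')


def parse_record(line):
    """Split one raw audit line into a dict with an interpreted UTC time, or None."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    when = datetime.fromtimestamp(int(m['secs']), tz=timezone.utc)
    when = when.replace(microsecond=int(m['ms']) * 1000)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line[m.end():])}
    return {"type": m['type'], "time": when, "serial": int(m['serial']), **fields}


def password_changes(log_text, exe="/usr/bin/passwd"):
    """Equivalent of `ausearch -i -x <exe> | grep USER_CHAUTHTOK`: every password
    change made through `exe`, as (readable UTC time, serial, account, result)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec["type"] == "USER_CHAUTHTOK" and rec.get("exe") == exe:
            hits.append((rec["time"].strftime("%Y-%m-%d %H:%M:%S"),
                         rec["serial"], rec.get("acct"), rec.get("res")))
    return hits


if __name__ == "__main__":
    for hit in password_changes(SAMPLE_LOG):
        print(hit)
```

Both the successful and the failed change by /usr/bin/passwd are returned, while the chpasswd record and the unrelated USER_AUTH record are filtered out.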