So, it turns out that apart from the human-like date descriptions like
"yesterday" and "today", ausearch only accepts 2-digit years! I thought
we have long passed these Y2K-related issues - that is so 1999. That is
assuming I didn't mess things up, which is also a possibility, of
course! The error messages I was getting above did not help my cause either!
Too bad on not using mock; it is in my experience easier than grabbing
pieces needed and certainly easier when those pieces get revised.
You must have read the ausearch man page which describes the date usage
and subsequently followed the pointer to the localtime man page. The
dates work as described in those pages:
$ sudo ausearch -ts 05/30/2011 | less
works fine for me on FC10 & RHEL6.
Look at your system time - is it correct?
Use the "date" command.
Check your LC_TIME ENV variable.
-bash-4.1# ausearch -m AVC -ts "05/26/11" | more <- works!
$ sudo ausearch -m AVC -ts "05/26/11"
Error - year is 11
This also is the same for me on FC10 & RHEL6 (audit-1.7.16 and
audit-2.1-5 respectively). So my guess is your LC_TIME or locale value
is set for 2-digit dates or something along those lines. The "date"
command should yield a clue, especially "date +%x".
LCB
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
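
The locale check suggested in the message above, as an added example that is not part of the original post: it reports which locale governs time formatting and renders a date in that locale's "date +%x" form, which is the form the thread expects "ausearch -ts" to accept. It assumes GNU date (for -d); the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU date for the -d option.
# Function names are hypothetical helpers for this illustration.

# Effective time locale: LC_ALL overrides LC_TIME, which overrides LANG.
# If none is set, the C/POSIX locale applies.
effective_lc_time() {
    printf '%s\n' "${LC_ALL:-${LC_TIME:-${LANG:-C}}}"
}

# Render an ISO date (YYYY-MM-DD) in the %x form of locale $2.
# With no $2, the caller's effective locale is used.
# Note: if the named locale is not installed, date falls back to C.
ts_for_locale() {
    iso=$1
    loc=${2:-$(effective_lc_time)}
    LC_ALL=$loc date -d "$iso" +%x
}

# Report whether the locale's %x prints a 2-digit or a 4-digit year,
# using the constructed sample date 2011-05-26.
year_digits() {
    out=$(ts_for_locale 2011-05-26 "$1")
    case $out in
        *2011*) echo 4 ;;
        *11*)   echo 2 ;;
        *)      echo unknown ;;
    esac
}

# Build a start time for the current shell (a root shell and a sudo
# session can carry different locales) and show the resulting command.
show_ausearch_cmd() {
    printf 'locale=%s  ausearch -m AVC -ts "%s"\n' \
        "$(effective_lc_time)" "$(ts_for_locale "$1")"
}

show_ausearch_cmd 2011-05-26
```

Running it once as the regular user and once in the root shell shows whether the two sessions disagree on the year width.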