Would it be possible to log human-readable timestamps in the audit logs rather than the time_t values? audit(1114428905.134:0). A couple of times I've had to do time_t->date conversions to see what's going on with SELinux policy errors!
There is a utility ausearch that fulfills this. For example, if you know the event you are looking for is between 8:30 & 9:00, the syntax is this:

ausearch -ts 08:30:00 -te 09:00:00

If you want all records to now, check and see what time it is. For example, at 8:50:

ausearch -te 08:50:00

Sample record:

----
time->Sun Apr 24 13:59:15 2005
type=KERNEL msg=audit(1114365555.724:10300557): syscall=39 arch=40000003 success=yes exit=0 a0=bffed9d0 a1=b6cff4 a2=804847c a3=0 items=1 pid=16601 loginuid=4325 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
type=KERNEL msg=audit(1114365555.724:10300557): item=0 name="/tmp/config3" inode=2 dev=03:08 mode=041777 uid=0 gid=0 rdev=00:00

ausearch is slated to have more improvements that make the whole record easy to understand.
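The conversion the original question asks about (the time_t value inside audit(SECONDS.MILLIS:SERIAL) into a readable date) and the -ts/-te style time-window filtering described in the reply are both small enough to show in a few lines. The following is an added example written for this thread, not code from the audit package; the two records it parses are constructed, modelled on the format quoted above, and the date layout it emits mirrors the one shown later in the thread for ausearch -i. It renders times in UTC so results are reproducible; ausearch itself prints local time.

```python
import re
from datetime import datetime, time, timezone

# The timestamp field every audit record carries: audit(<seconds>.<millis>:<serial>)
AUDIT_TS_RE = re.compile(r"audit\((\d+)\.(\d+):(\d+)\)")

# Constructed sample records, modelled on the format quoted in the thread (not real log data).
SAMPLE_RECORDS = [
    'type=KERNEL msg=audit(1114365555.724:10300557): syscall=39 arch=40000003 '
    'success=yes exit=0 items=1 pid=16601 loginuid=4325 uid=0',
    'type=AVC msg=audit(1114428905.134:0): avc: denied { read } for pid=1234 comm="example"',
]


def parse_audit_time(record):
    """Return (aware UTC datetime, serial) for a record, or None if it has no audit(...) field."""
    m = AUDIT_TS_RE.search(record)
    if m is None:
        return None
    seconds, millis, serial = m.groups()
    # The kernel prints milliseconds; normalise to exactly three digits before scaling.
    micros = int(millis.ljust(3, "0")[:3]) * 1000
    ts = datetime.fromtimestamp(int(seconds), tz=timezone.utc).replace(microsecond=micros)
    return ts, int(serial)


def humanize(record, tz=timezone.utc):
    """Rewrite the audit(...) field with a readable date, in the style ausearch -i uses."""
    parsed = parse_audit_time(record)
    if parsed is None:
        return record  # leave records without a timestamp untouched
    ts, serial = parsed
    local = ts.astimezone(tz)
    readable = "%s.%03d" % (local.strftime("%m/%d/%y %H:%M:%S"), local.microsecond // 1000)
    return AUDIT_TS_RE.sub("audit(%s:%d)" % (readable, serial), record, count=1)


def filter_window(records, start_hms, end_hms, tz=timezone.utc):
    """Keep records whose time of day lies in [start, end], like ausearch -ts/-te with bare times."""
    start = time.fromisoformat(start_hms)
    end = time.fromisoformat(end_hms)
    kept = []
    for record in records:
        parsed = parse_audit_time(record)
        if parsed is None:
            continue
        local_time = parsed[0].astimezone(tz).time()
        if start <= local_time <= end:
            kept.append(record)
    return kept


if __name__ == "__main__":
    for rec in filter_window(SAMPLE_RECORDS, "17:30:00", "18:00:00"):
        print(humanize(rec))
```

Pass a tzinfo such as the host's local zone to humanize and filter_window to get the same local-time output ausearch prints; with the default UTC the first sample record renders as 04/24/05 17:59:15.724, which is the Sun Apr 24 13:59:15 2005 EDT line shown in the sample above.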
That seems fine, though actually formatting the date is what's important to me. Though if those "-ts" and "-te" options are not proper GNU getopt_long-style --long-options, then please make them so, to be consistent with 95% of the rest of the distro! I.e. the much preferable syntax:

ausearch --since 08:00 --earlier 09:00 == ausearch -s 08:00 -e 09:00
> That seems fine, though actually formatting the date is what's important to me.

What is missing? What do you want to see?

> though if those "-ts" and "-te" options are not proper GNU getopt_long-style
> --long-options then please make them so to be consistent with 95% of the rest
> of the distro!

This is not likely to happen in the near future. I have real bugs and functionality that's simply missing that has to be done real soon. I also did not want the commandline option mess that auditctl became (before I took it over).
Sorry I missed the "time->" part, never mind me :)
I added a -i commandline option for ausearch. This interprets all numeric information into human readable text.

type=USER_AUTH msg=audit(06/02/05 16:37:06.836:2403073) : user pid=2795 uid=sgrubb auid=sgrubb msg='PAM authentication: user=root exe="/bin/su" (hostname=?, addr=?, terminal=pts/1 result=Success)'