Mailinglist Archive: opensuse-security (51 mails)

Re: [opensuse-security] No time stamps in audit.log?
On Thu, Sep 04, 2014 at 12:46:47AM +0200, pinguin74 wrote:
> On 03.09.2014 09:44, Marcus Meissner wrote:
>> On Tue, Sep 02, 2014 at 06:22:47PM +0200, pinguin74 wrote:
>>> Hello,
>>>
>>> it seems events in audit.log do not have time stamps. This makes
>>> analyzing events a bit uncomfortable I think.
>>>
>>> Can you make the audit system somehow to add a time stamp to logged
>>> events? Just like in /var/log/messages.
>>
>> It is there ... :)
>>
>> type=AVC msg=audit(1409728889.981:41): apparmor="STATUS"
>> operation="profile_load" name="/usr/share/gitweb/gitweb.cgi" pid=655
>> comm="apparmor_parser"
>>
>> The timestamp is 1409728889.981
>>
>> $ date --date="@1409728889.981"
>> Wed Sep 3 09:21:29 CEST 2014
>
> Is this their goal, to make reading the log file as hard as possible?
> Why not encrypt it with AES to be sure you can't read it.....

This logfile needs to be easily machine readable without ambiguities, and
human readable timestamps are kind of harder to parse than just seconds
since 1970.

It is assumed that tools will be used to post-process it, e.g. aureport
or aa-logprof or others.

Ciao, Marcus
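
An added example, not part of the original mail or of the audit tools: a small Python parser for the `msg=audit(seconds.milliseconds:serial)` header shown in the thread, which renders each record with an ISO 8601 UTC timestamp. The names `parse_audit_line` and `humanize` and the second sample line are constructed for illustration.

```python
import re
import shlex
from datetime import datetime, timedelta, timezone

# Record header: type=<TYPE> msg=audit(<epoch seconds>.<millis>:<serial>): <key=value ...>
HEADER = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<sec>\d+)\.(?P<ms>\d{3}):(?P<serial>\d+)\):\s*(?P<rest>.*)$"
)

def parse_audit_line(line):
    """Return a dict for one audit.log record, or None if the header does not match."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    # Integer arithmetic keeps the millisecond part exact (no float rounding).
    when = datetime.fromtimestamp(int(m["sec"]), tz=timezone.utc) \
        + timedelta(milliseconds=int(m["ms"]))
    try:
        tokens = shlex.split(m["rest"])   # honours name="value with spaces"
    except ValueError:                    # unbalanced quote: fall back to whitespace
        tokens = m["rest"].split()
    fields = {}
    for token in tokens:
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return {"type": m["type"], "time": when, "serial": int(m["serial"]), "fields": fields}

def humanize(line):
    """Render a record with an ISO 8601 UTC timestamp in front, for reading by eye."""
    rec = parse_audit_line(line)
    if rec is None:
        return line.rstrip("\n")          # pass unparsed lines through unchanged
    stamp = rec["time"].isoformat(timespec="milliseconds")
    pairs = " ".join(f"{k}={v}" for k, v in rec["fields"].items())
    return f"{stamp} event={rec['serial']} {rec['type']} {pairs}"

# First entry is the record quoted in the thread (re-joined onto one line);
# the second is a constructed line that does not match the header.
SAMPLE = [
    'type=AVC msg=audit(1409728889.981:41): apparmor="STATUS" '
    'operation="profile_load" name="/usr/share/gitweb/gitweb.cgi" pid=655 '
    'comm="apparmor_parser"',
    "this line is not an audit record",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(humanize(entry))
```

The timestamp is rendered in UTC, so the record from the thread shows 07:21:29, two hours behind the CEST output of `date` above.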