How to configure SELinux to print date and time in each entry in audit log?


Solution 1

While there aren't any options you can set to make auditd log with a human-parseable date format, if you use the 'ausearch' command to search your audit log, there is an -i option which produces human-readable (well, perhaps slightly more human readable) output.

For example, if I ran ausearch -ts today on my newly-booted system, I see:

# ausearch -ts today
----
time->Mon Mar 19 23:07:00 2012
type=DAEMON_START msg=audit(1332212820.421:3834): auditd start, ver=2.1.3 format=raw kernel=3.2.10-3.fc16.x86_64 auid=4294967295 pid=6438 subj=system_u:system_r:auditd_t:s0 res=success

But if I run ausearch -ts today -i, I see:

# ausearch -ts today -i
----
type=DAEMON_START msg=audit(03/19/2012 23:07:00.421:3834) : auditd start, ver=2.1.3 format=raw kernel=3.2.10-3.fc16.x86_64 auid=unset pid=6438 subj=system_u:system_r:auditd_t:s0 res=success 

Does that work for you? ausearch is probably what you'll be using to look at audit records anyway. -i also does stuff like uid->username lookups and other resolutions. EDIT: You can see from the above that I'm running Fedora 16, but the same ausearch -i applies to RHEL5.

Solution 2

That long number at the beginning is a timestamp: it's seconds since the epoch. A few moments ago, I got:

[0 1128 18:09:57] ~ % date +%s; date
1331917801
Fri Mar 16 18:10:01 CET 2012

To convert the number into something more readable, try

[0 1133 18:12:41] ~ % date -d @1331897657
Fri Mar 16 12:34:17 CET 2012

(So apparently, you'll need "usual sed tricks" to cut off the sub-second parts.)

I don't have a SE-enabled machine handy, but maybe sealert -a also parses the timestamps into something human-readable?
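The "usual sed tricks" above, written out as an added example (not code from the original post). It assumes a Linux host with GNU coreutils and a raw-format audit.log, and prefixes every record with a UTC ISO-8601 timestamp derived from the msg=audit(SECONDS.MILLIS:SERIAL) field, which is useful when the log is being shipped to a collector that never sees ausearch -i. The sample records are constructed from the ones in the question.

```shell
#!/bin/sh
# Added example: prefix raw auditd records with a human-readable UTC timestamp.

# Pull the epoch seconds out of the "msg=audit(SECONDS.MILLIS:SERIAL)" field.
audit_epoch() {
    printf '%s\n' "$1" | sed -n 's/.*msg=audit(\([0-9]*\)\.\([0-9]*\):[0-9]*).*/\1/p'
}

# Pull the millisecond fraction out of the same field.
audit_millis() {
    printf '%s\n' "$1" | sed -n 's/.*msg=audit(\([0-9]*\)\.\([0-9]*\):[0-9]*).*/\2/p'
}

# Convert epoch seconds to ISO-8601 in UTC (UTC keeps the output independent
# of the host's TZ). GNU date takes "-d @N"; BSD date takes "-r N" instead.
epoch_to_iso() {
    date -u -d "@$1" '+%Y-%m-%dT%H:%M:%S' 2>/dev/null \
        || date -u -r "$1" '+%Y-%m-%dT%H:%M:%S'
}

# Rewrite one raw record as "<ISO time>.<millis>Z <original record>".
# Lines without an audit timestamp field are passed through untouched.
audit_humanize_line() {
    secs=$(audit_epoch "$1")
    if [ -z "$secs" ]; then
        printf '%s\n' "$1"
        return
    fi
    printf '%s.%sZ %s\n' "$(epoch_to_iso "$secs")" "$(audit_millis "$1")" "$1"
}

# Filter: read records on stdin, write annotated records on stdout,
# e.g.  audit_humanize < /var/log/audit/audit.log
audit_humanize() {
    while IFS= read -r line; do
        audit_humanize_line "$line"
    done
}

# Constructed sample records modelled on the ones in the question
# (1331897657 is the same epoch value the answer above converts).
SAMPLE='type=USER_AUTH msg=audit(1331897657.359:8435): user pid=15610 uid=0 auid=4294967295 res=failed
type=USER_LOGIN msg=audit(1331897657.360:8436): user pid=15610 uid=0 auid=4294967295 res=failed
# a line that is not an audit record is left alone'

printf '%s\n' "$SAMPLE" | audit_humanize
```

The timestamp in the msg=audit(...) field is the same value ausearch -i prints in local time; this script deliberately emits UTC so that records from hosts in different zones sort correctly once collected. Note that the serial number after the colon ties together the several records the kernel emits for one event, so grouping by it is usually more useful than grouping by the timestamp alone.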

Solution 3

ausearch -i

From help:

-i,--interpret    Interpret results to be human readable

That's the correct answer, as jsbillings wrote.

No need to run tail -f !

P.S. Darn stack points ! That's why I couldn't comment or upvote.


Author: malloc4k

Updated on September 18, 2022

Comments

  • malloc4k, over 1 year

    I'm using CentOS 5.5 and by default my /var/log/audit/audit.log looks like this:

    type=USER_AUTH msg=audit(1331897657.359:8435): user pid=15610 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication acct="?" : exe="/usr/sbin/sshd" (hostname=c165-130.i02-2.onvol.net, addr=213.165.165.130, terminal=ssh res=failed)'
    type=USER_LOGIN msg=audit(1331897657.360:8436): user pid=15610 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='acct="oracle": exe="/usr/sbin/sshd" (hostname=?, addr=213.165.165.130, terminal=sshd res=failed)'
    

    To be exact, log entries are written without a timestamp. It makes it more difficult to troubleshoot. There is a man page available

     man auditd.conf 
    

    but all it says in this subject is:

    log_format
         The log format describes how the information should be stored on
         disk. There are 2 options: raw and nolog. If set to RAW, the
         audit records will be stored in a format exactly as the kernel
         sends it. If this option is set to NOLOG then all audit information
         is discarded instead of writing to disk. This mode does not
         affect data sent to the audit event dispatcher.
    

    How do I configure it to print the date/time at the beginning of every entry?

  • malloc4k, about 12 years
    In fact, sealert may be a very powerful tool, but it's not what I've exactly looked for. And a little digression here: sealert generates output that looks like it's been conformed to Windows Server audit, don't you think?