
Re: [opensuse-security] No time stamps in audit.log?



On Thu, Sep 04, 2014 at 12:46:47AM +0200, pinguin74 wrote:
> Am 03.09.2014 09:44, schrieb Marcus Meissner:
> > On Tue, Sep 02, 2014 at 06:22:47PM +0200, pinguin74 wrote:
> >> Hello,
> >>
> >> it seems events in audit.log do not have time stamps. This makes
> >> analyzing events a bit uncomfortable I think.
> >>
> >> Can you make the audit system somehow to add a time stamp to logged
> >> events? Just like in /var/log/messages.
> > 
> > It is there ... :)
> > 
> > type=AVC msg=audit(1409728889.981:41): apparmor="STATUS" operation="profile_load" name="/usr/share/gitweb/gitweb.cgi" pid=655 comm="apparmor_parser"
> > 
> > The timestamp is 1409728889.981 
> > 
> > $ date --date="@1409728889.981"
> > Wed Sep  3 09:21:29 CEST 2014
> 
> Is this their goal, to make reading the log file as hard as possible?
> Why not encrypt it with AES to be sure you can't read it.....

This logfile needs to be easily machine readable without ambiguities, and human readable
timestamps are kind of harder to parse than just seconds since 1970.

It is assumed that tools will be used to post-process it, e.g. aureport 
or aa-logprof or others.

Ciao, Marcus
-- 
To unsubscribe, e-mail: opensuse-security+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-security+owner@xxxxxxxxxxxx
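For anyone who wants to post-process audit.log themselves rather than through aureport or aa-logprof, here is an added example (not code from this thread, from the audit project, or from AppArmor) that does what the reply above describes: it parses the audit(seconds.millis:serial) stamp into a timezone-aware time, renders it in a chosen UTC offset, and groups records that share one id, since a kernel event is logged as several records (for instance a SYSCALL record plus its PATH items) carrying the same stamp and serial. The sample input is constructed: the first line is the AVC record quoted in the thread, the SYSCALL/PATH pair is made up for illustration, and the function and constant names are the example's own.

```python
"""Parse Linux audit.log records and make the audit(SECS.MS:SERIAL) stamp
human readable, grouping the records that belong to one kernel event.

Added example for this list thread; not audit or AppArmor project code.
"""
import re
from collections import OrderedDict
from datetime import datetime, timedelta, timezone

# Constructed sample input: line 1 is the AVC record quoted in the thread;
# the SYSCALL/PATH pair is made up to show two records sharing one event id.
SAMPLE_LOG = """\
type=AVC msg=audit(1409728889.981:41): apparmor="STATUS" operation="profile_load" name="/usr/share/gitweb/gitweb.cgi" pid=655 comm="apparmor_parser"
type=SYSCALL msg=audit(1409728890.123:42): arch=c000003e syscall=2 success=yes exit=3 pid=700 uid=0 comm="cat" exe="/usr/bin/cat" key="etc-shadow"
type=PATH msg=audit(1409728890.123:42): item=0 name="/etc/shadow" inode=1234 dev=08:01 mode=0100640 ouid=0 ogid=15
"""

# type=<TYPE> msg=audit(<epoch seconds>.<3-digit millis>:<serial>): key=value ...
_HEADER = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<secs>\d+)\.(?P<ms>\d{3}):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# key=value where value is either a "double-quoted string" or a bare token
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Parse one audit.log line into a dict; return None for non-audit lines."""
    m = _HEADER.match(line.strip())
    if m is None:
        return None
    # Epoch seconds are UTC by definition, so build a tz-aware datetime;
    # rendering in a local zone is then a conversion, not a guess.
    when = datetime.fromtimestamp(int(m["secs"]), tz=timezone.utc).replace(
        microsecond=int(m["ms"]) * 1000
    )
    fields = {}
    for key, value in _FIELD.findall(m["body"]):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        # Caveat: auditd writes values containing spaces, quotes or control
        # characters as an unquoted run of hex digits; that case is left
        # undecoded here, so treat such values as raw.
        fields[key] = value
    return {
        "type": m["type"],
        "time": when,
        "serial": int(m["serial"]),
        # the time:serial pair is the event id shared by all records of one event
        "event_id": f"{m['secs']}.{m['ms']}:{m['serial']}",
        "fields": fields,
    }


def group_events(lines):
    """Group records by event id, preserving first-seen order."""
    events = OrderedDict()
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events.setdefault(rec["event_id"], []).append(rec)
    return events


def render_time(when, offset_hours=0):
    """Render a tz-aware datetime at a fixed UTC offset with millisecond
    precision; offset 2 reproduces the CEST reading from the thread."""
    dt = when.astimezone(timezone(timedelta(hours=offset_hours)))
    return f"{dt:%Y-%m-%d %H:%M:%S}.{dt.microsecond // 1000:03d}{dt:%z}"


if __name__ == "__main__":
    events = group_events(SAMPLE_LOG.splitlines())
    # Order by serial, not by time: the serial is a kernel counter and keeps
    # its order even if the wall clock was stepped between records.
    for event_id, recs in sorted(events.items(), key=lambda kv: kv[1][0]["serial"]):
        first = recs[0]
        print(f"{render_time(first['time'], 2)} serial={first['serial']} "
              + " ".join(r["type"] for r in recs))
        for r in recs:
            print("    " + " ".join(f"{k}={v}" for k, v in r["fields"].items()))
```

Run as a script it prints each event with its time rendered at UTC+2, followed by the fields of every record in that event; point `group_events` at `open("/var/log/audit/audit.log")` to use it on a real file.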