The kernel I am running is 2.6.9-42. I think the kernel may have been tampered with. Doesn't Snare install require rebuilding the kernel with traps for the audit to work? Also, I found the complete source tree in /usr/RedHat and /usr/SRCS (at least there was a lot of code there).
David A. Kirkwood
SAIC
[EMAIL PROTECTED]
[EMAIL PROTECTED]
Phone: (727) 502-8310
Fax: (727) 822-7776

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Grubb
Sent: Monday, November 03, 2008 4:46 PM
To: [email protected]
Cc: Kirkwood, David A.
Subject: Re: FW: Time field not readable

On Monday 03 November 2008 14:59:05 Kirkwood, David A. wrote:
> I have removed the packages audit-2.4.1, audit-libs-2.4.1,
> audit-libs-devel-2.4.1

I have no idea what those are. The latest RHEL4 audit package is 1.0.16 and RHEL5 is 1.6.5. My development copy is 1.7.9. You have a RHEL4 system that is way out of whack since those are packages that I've never heard of. :)

> and SnareLinux and added via rpm audit-libs-1.0.14-1, audit-libs-1.0.4-1 and
> audit-1.0.14-1. The time field is still not readable when I used ausearch or
> aureport utilities.

Updating the user space utilities means that from now on your logs will be readable.

Also, what kernel are you running? Are you running a real RHEL4 kernel?

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
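The "time field" the thread is arguing about is the `msg=audit(SECONDS.MILLIS:SERIAL)` header that the kernel stamps on every raw record in audit.log; `ausearch` and `aureport` only render it. The following is an added example (not code from the thread, the audit package, or Snare) that parses that header from a few constructed sample records, turns the epoch seconds into a readable timestamp, and groups records by event serial the way the user-space tools do. The sample lines, the field set and the `MM/DD/YYYY` rendering are assumptions made for illustration; the real tools localize the time and print many more fields.

```python
import re
from datetime import datetime, timezone

# Constructed sample records in the raw audit.log layout (assumed, not copied
# from the thread): three kernel records sharing one event serial, plus a
# separate user-space login event.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1225748760.123:456): arch=c000003e syscall=2 success=yes exit=3 a0=7fff ppid=1 pid=2 auid=500 uid=0 comm="cat" exe="/bin/cat" key="audit-config"
type=CWD msg=audit(1225748760.123:456):  cwd="/root"
type=PATH msg=audit(1225748760.123:456): item=0 name="/etc/audit.rules" inode=1 dev=08:01 mode=0100640 ouid=0 ogid=0
type=USER_LOGIN msg=audit(1225748800.007:457): user pid=1234 uid=0 auid=500 msg='op=login acct="dave" exe="/usr/sbin/sshd" res=success'
"""

# Record header: type, then the audit(seconds.millis:serial) stamp, then the body.
HEADER_RE = re.compile(r'^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$')
# Body fields are key=value; values may be double-quoted, single-quoted, or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')


def parse_record(line):
    """Parse one raw audit record; return None for lines that lack the header."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, secs, millis, serial, body = m.groups()
    # The stamp is Unix epoch seconds; render it in UTC so the result is
    # independent of the machine's timezone.
    ts = datetime.fromtimestamp(int(secs), tz=timezone.utc)
    fields = {k: v.strip('"\'') for k, v in KV_RE.findall(body)}
    return {"type": rtype, "time": ts, "millis": int(millis),
            "serial": int(serial), "fields": fields}


def format_time(ts):
    """Readable rendering of the stamp (assumed format, similar to ausearch)."""
    return ts.strftime("%m/%d/%Y %H:%M:%S")


def group_events(text):
    """Group records by serial: all records of one event share time and serial."""
    events = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events.setdefault(rec["serial"], {"time": rec["time"], "records": []})
        ev["records"].append(rec)
    return events


def summarize(text):
    """Return (readable time, serial, [record types]) per event, oldest first."""
    events = group_events(text)
    return [(format_time(ev["time"]), serial, [r["type"] for r in ev["records"]])
            for serial, ev in sorted(events.items())]


if __name__ == "__main__":
    for when, serial, types in summarize(SAMPLE_LOG):
        print(f"{when}  serial={serial}  {','.join(types)}")
```

If a tool prints the header as a bare number or as garbage, the records themselves are still intact on disk; the raw stamp can be checked directly with a parser like this one, which separates a user-space rendering problem from a kernel that is not producing well-formed records.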
