From: LC Bruzenak
Subject: Re: excluding auditd events
Date: Wed, 01 Jun 2011 09:08:19 -0500
To: Mr Dash Four
Cc: Linux Audit
List-Id: linux-audit@redhat.com

> So, it turns out that apart from the human-like date description like
> "yesterday" and "today", ausearch only accepts 2-digit years! I thought
> we have long-passed these Y2K-related issues - that is so 1999. That is
> assuming I didn't mess things up, which is also a possibility, of
> course! The error messages I was getting above did not help my cause either!

Too bad on not using mock; it is in my experience easier than grabbing
pieces needed and certainly easier when those pieces get revised.

You must have read the ausearch man page which describes the date usage
and subsequently followed the pointer to the localtime man page.
The dates work as described in those pages:

$ sudo ausearch -ts 05/30/2011 | less

works fine for me on FC10 & RHEL6.

Look at your system time - is it correct? Use the "date" command.
Check your LC_TIME ENV variable.

> -bash-4.1# ausearch -m AVC -ts "05/26/11" | more <- works!

$ sudo ausearch -m AVC -ts "05/26/11"
Error - year is 11

This also is the same for me on FC10 & RHEL6 (audit-1.7.16 and
audit-2.1-5 respectively). So my guess is your LC_TIME or locale value
is set for 2-digit dates or something along those lines.

The "date" command should yield a clue, especially "date +%x".

LCB

--
LC (Lenny) Bruzenak
lenny@magitekltd.com
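
An added example, not part of the original message or of the audit project: a small shell helper that renders a date with the active locale's `%x` format before handing it to `ausearch -ts`, so the same script works whether the locale expects 2-digit or 4-digit years. It assumes GNU `date` (for `-d`) and that ausearch parses the `-ts` date with the locale's `%x` format, as the `date +%x` hint above implies; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: locale-safe date arguments for "ausearch -ts".
# Assumptions: GNU date (-d), and ausearch reading the date with the
# locale's %x format. Function names are illustrative only.

# locale_date ISO_DATE
# Print ISO_DATE (YYYY-MM-DD) in the format the active locale uses for %x.
locale_date() {
    date -d "$1" +%x
}

# year_digits
# Report whether the active locale's %x renders the year with 2 or 4 digits.
# The probe date 2011-05-26 is a constructed sample taken from the thread.
year_digits() {
    sample=$(date -d 2011-05-26 +%x)
    case "$sample" in
        *2011*) echo 4 ;;
        *)      echo 2 ;;
    esac
}

# ausearch_cmd ISO_DATE [ausearch options...]
# Print the ausearch command line with the date converted for this locale.
# It only prints the command; run it yourself with the privileges you need.
ausearch_cmd() {
    iso=$1
    shift
    printf 'ausearch -ts %s' "$(locale_date "$iso")"
    if [ "$#" -gt 0 ]; then
        printf ' %s' "$@"
    fi
    printf '\n'
}

# Demo under whatever locale this shell is running with.
echo "LC_TIME=${LC_TIME:-unset} LC_ALL=${LC_ALL:-unset} LANG=${LANG:-unset}"
echo "year digits in %x: $(year_digits)"
ausearch_cmd 2011-05-26 -m AVC
```

Under the C/POSIX locale `%x` is `mm/dd/yy`, so the helper prints `ausearch -ts 05/26/11 -m AVC`, while a locale whose `%x` carries a 4-digit year yields the long form.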