I have had the audit running on multiple system for some time using auditctl version 1.0.14 and everything is working just the way I want it. I have been given a RHEL4u4 system ( which is what the others are) and it havs auditctl version 1.2.1. The time field started out working but ended up as not readable. It seems to have revered to the message id information instead of the time.
The audit rules files are identical and consist of:
-a exit,always –S all –F exit=-13
In version 1.0.4 I can use a line llike
Ausearch –I –x /usr/bin/passwd | grep USER_CHAUTHTOK to get password changes whether they pass or fail
Which is anouth difference
The main difference, however is that the time, although starting out correctly in 1.2.1 degrades to
Monday 03,November,2008 ,..403:202
If the two versions are different, can I just replace auditctl 1.2.1 with auditctl 1.0.14 to get this system up quickly? If so, do I need to change any other files?