[SOLVED] - Howto get precise start time in EPOCH for auditd

warron.french
Posts: 616
Joined: 2014/03/27 20:21:58

[SOLVED] - Howto get precise start time in EPOCH for auditd

Post by warron.french » 2021/08/04 19:18:12

Is there an undocumented switch argument to auditctl or any other method that can help assess the precise time and date that auditd was started?

I would like to know, whether after 2 minutes or 2 years (who knows, it could happen), the epoch time stamp of when the last update occurred to /etc/auditd.conf compared to the restart of auditd -- to ensure that auditd does actually have the latest changes in place.

I would also like to be able to do the exact same thing for /etc/audit/audit.rules (on RHEL7 or RHEL8) compared to the restart time (in EPOCH) for auditd, for the exact same reason.

I want it in epoch because then I can do a comparison in a shell script using
if [ "${auditd_uptime}" -gt "${audit_rules_update}" ]; then

or likewise
if [ "${auditd_uptime}" -gt "${audit_conf_update}" ]; then
Last edited by warron.french on 2021/08/06 19:13:21, edited 1 time in total.
Thanks,
War

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Howto get precise start time in EPOCH for auditd

Post by TrevorH » 2021/08/04 20:20:14

I presume that if you can get the time format you want by looking at the files you mention then you should also be able to do so from the directory /proc/$(pidof auditd)
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

MartinR
Posts: 714
Joined: 2015/05/11 07:53:27
Location: UK

Re: Howto get precise start time in EPOCH for auditd

Post by MartinR » 2021/08/04 20:32:00

The daemon records the time it starts in the audit file:


# ausearch  -m DAEMON_START -ts today
----
time->Wed Aug  4 08:07:22 2021
type=DAEMON_START msg=audit(1628060842.560:1012): op=start ver=3.0 format=enriched kernel=4.18.0-305.10.2.el8_4.x86_64 auid=4294967295 pid=1152 uid=0 ses=4294967295 subj=system_u:system_r:auditd_t:s0 res=success
# date --date='@1628060842.560'
Wed  4 Aug 08:07:22 BST 2021
Look at the string "msg=audit(1628060842.560:1012):", the first part is the seconds since 1970-01-01 00:00:00 UTC, identical to that returned by date +%s which is your epoch time. Don't use -i on the ausearch command, or it will interpret the command in your current locale rather than UTC.

HTH
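The comparison the original poster sketched, built on the DAEMON_START record shown above, as an added example (this is not code from the thread or from the audit project). It pulls the integer epoch seconds out of "msg=audit(SECONDS.MILLIS:SERIAL):", reads each config file's mtime with GNU stat, and reports whether the running daemon started after the file was last changed. The sample record is constructed for offline testing; the file paths /etc/audit/auditd.conf and /etc/audit/audit.rules are assumed to be the RHEL defaults, and `ausearch --raw` is used so the record comes back as one line without the "----"/"time->" separators.

```shell
#!/bin/sh
# Added example, not from the thread: is auditd running with the current config?

# Constructed sample record (shape copied from ausearch output; values illustrative).
SAMPLE_RECORD='type=DAEMON_START msg=audit(1628060842.560:1012): op=start ver=3.0 format=enriched kernel=4.18.0-305.10.2.el8_4.x86_64 auid=4294967295 pid=1152 uid=0 ses=4294967295 subj=system_u:system_r:auditd_t:s0 res=success'

# Assumed RHEL default locations of the files the poster wants to check.
AUDITD_CONF=/etc/audit/auditd.conf
AUDIT_RULES=/etc/audit/audit.rules

# daemon_start_epoch RECORD
# Prints the whole-second epoch from "msg=audit(SECONDS.MILLIS:SERIAL):".
daemon_start_epoch() {
    printf '%s\n' "$1" | sed -n 's/.*msg=audit(\([0-9]*\)\.[0-9]*:[0-9]*).*/\1/p'
}

# latest_daemon_start
# Most recent DAEMON_START record on a live system (needs root and a running
# auditd; cannot be exercised offline). --raw gives one record per line.
latest_daemon_start() {
    ausearch --raw -m DAEMON_START 2>/dev/null | grep 'type=DAEMON_START' | tail -n 1
}

# config_is_current START_EPOCH FILE
# Exit 0 if FILE was last modified at or before the daemon start (the running
# daemon loaded it), 1 if FILE is newer, 2 if FILE cannot be stat'ed.
config_is_current() {
    start="$1"; file="$2"
    mtime=$(stat -c %Y "$file" 2>/dev/null) || return 2
    [ "$start" -ge "$mtime" ]
}

# audit_config_report
# Live check over both files; run as root on the audited host.
audit_config_report() {
    record=$(latest_daemon_start)
    start=$(daemon_start_epoch "$record")
    if [ -z "$start" ]; then
        echo "no DAEMON_START record found in the audit log" >&2
        return 2
    fi
    rc=0
    for f in "$AUDITD_CONF" "$AUDIT_RULES"; do
        if config_is_current "$start" "$f"; then
            echo "$f: loaded by the running auditd (start=$start)"
        else
            echo "$f: modified after auditd started (start=$start), restart needed"
            rc=1
        fi
    done
    return $rc
}

# Uncomment to run the live report:
# audit_config_report
```

Two caveats worth keeping in mind when scripting this: the audit timestamp keeps milliseconds but `stat -c %Y` is whole seconds, so a file edited within the same second as the daemon start is treated as current; and an `augenrules --load` that rewrites the compiled rules updates the file mtime without a DAEMON_START record, so the rules comparison should be read against the file auditd actually loads on this host.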

warron.french
Posts: 616
Joined: 2014/03/27 20:21:58

Re: Howto get precise start time in EPOCH for auditd

Post by warron.french » 2021/08/05 14:16:59

Thanks MartinR, I was driving home and thinking about this problem and determined I could also use systemctl status auditd and suss the data out of that too.

I posted my question to linux-audit@redhat.com and Steve Grubb wrote back to me with two options:

1. Your method below searching inside of the audit.log, and
2. Essentially the same as mine - systemctl status auditd.

Thanks again,
I clearly was tired if I could not remember systemctl at the time I posted this question. :-/ I am swimming again and doing many lengths of the pool. Exhausting but healthy.
Thanks,
War
