Is there a hidden switch option to auditctl that would tell me the last time auditd was restarted, specifically in epoch (down to the second)?

If my rules are changed to non-immutable ( -e 1 ), rebooted, and then changed back to immutable ( -e 2 ), and I then discover this weeks later, I will not know for sure which was most recently updated/restarted. That is the reason for the question.

I am doing this for a hardening script that will tell me based on known recent changes (as of script execution), but I cannot properly/successfully assess for dates outside of a day or so. :-/

Any ideas would be appreciated,

--------------------------
Warron French
-- Linux-audit mailing list [email protected] https://listman.redhat.com/mailman/listinfo/linux-audit
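
Added example, not part of the original post: one way a hardening script could recover both epochs from raw audit records instead of from auditctl, by reading the `msg=audit(EPOCH.ms:serial)` stamp on DAEMON_START and CONFIG_CHANGE records. The function names and the sample records are constructed for illustration, and the code assumes records without a `node=` prefix.

```shell
#!/bin/sh
# Constructed sample records in raw audit.log layout (all values made up).
sample_log() {
cat <<'EOF'
type=DAEMON_START msg=audit(1700000000.101:1001): op=start ver=3.0 format=raw kernel=5.14.0 auid=4294967295 pid=900 res=success
type=CONFIG_CHANGE msg=audit(1700000005.220:12): op=set audit_enabled=2 old=1 auid=4294967295 ses=4294967295 res=1
type=DAEMON_END msg=audit(1700600000.500:1002): op=terminate auid=0 pid=1 res=success
type=DAEMON_START msg=audit(1700600100.042:1003): op=start ver=3.0 format=raw kernel=5.14.0 auid=4294967295 pid=880 res=success
type=CONFIG_CHANGE msg=audit(1700600104.310:9): op=set audit_enabled=1 old=1 auid=4294967295 ses=4294967295 res=1
type=CONFIG_CHANGE msg=audit(1700690000.777:350): op=set audit_enabled=2 old=1 auid=1000 ses=3 res=1
EOF
}

# last_event_epoch TYPE [REGEX]
# Reads raw audit records on stdin and prints the epoch seconds of the newest
# record of TYPE whose text matches REGEX; returns 1 if there is none.
last_event_epoch() {
    awk -v type="type=$1" -v want="${2:-.}" '
        $1 == type && $0 ~ want && match($0, /msg=audit\([0-9]+/) {
            t = substr($0, RSTART + 10, RLENGTH - 10)   # digits after "msg=audit("
            if (t + 0 > last + 0) last = t
        }
        END { if (last == "") exit 1; print last }'
}

# restart_vs_lock: compare the newest auditd start with the newest switch to
# immutable mode (audit_enabled=2) and print both epochs plus the gap in seconds.
restart_vs_lock() {
    log=$(cat)
    start=$(printf '%s\n' "$log" | last_event_epoch DAEMON_START) || return 2
    lock=$(printf '%s\n' "$log" | last_event_epoch CONFIG_CHANGE 'audit_enabled=2') || return 2
    echo "daemon_start=$start immutable_set=$lock gap=$((lock - start))"
}

sample_log | restart_vs_lock
```

On a live host the same functions can read the output of `ausearch -m DAEMON_START,CONFIG_CHANGE -r` in place of `sample_log`. Records that have already been rotated out of the retained logs cannot be recovered this way.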
