Hello,

On Wednesday, August 4, 2021 3:25:40 PM EDT warron.french wrote:
> Is there a hidden switch option to auditctl that would tell me the last
> time auditd was restarted specifically in epoch (down to the second)?

Not auditctl, but maybe ausearch:
ausearch --start boot -m daemon_start -i

Or...
systemctl status auditd.service | grep Active

And if you need this in the epoch:
date --date="$(systemctl status auditd.service|grep Active|awk '{printf "%s %s", $6, $7}')" +"%s"

> If my rules are changed to non-immutable ( -e 1 ) rebooted, and then
> changed back to immutable ( -e 2 ), then I discover this weeks later, then
> I will not know for sure which was most recently updated/restarted.

That might be one issue with using ausearch...it might have scrolled away. 
Maybe this could be collected at start and printed as part of the auditd 
state report? I could see this being useful information for various reasons.

> That is the reason for the question.  I am doing this for a hardening
> script that will tell me based on known recent changes (as of script
> execution), but I cannot properly/successfully assess for dates outside of
> a day or so.  :-/

systemctl should be able to get you the info you need. I might add this info 
to the state report, though.

-Steve
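The two approaches above, as an added example that is not part of the thread: each becomes a small POSIX shell function that reads the command output on stdin and prints epoch seconds, so a hardening script can call them without re-parsing by hand. The status parser keeps the timezone token that the one-liner drops, and the audit-log parser reads the epoch straight out of the record's `msg=audit(SECONDS.MILLIS:SERIAL)` field (the raw form without `-i`), so no date conversion is needed there. GNU `date` is assumed for `-d`; the `systemctl` and `ausearch` output below is constructed sample data, not captured from a real host.

```shell
#!/bin/sh
# Added example: last auditd start time as epoch seconds, two ways.
# Assumes GNU date (-d) and POSIX awk/sed. All sample input is constructed.

# Read `systemctl status auditd.service` on stdin and print the "since"
# timestamp as epoch seconds. Field layout of the Active line:
#   Active: active (running) since Wed 2021-08-04 09:12:33 UTC; 2h 3min ago
#   $1      $2     $3        $4    $5  $6         $7       $8
# The timezone token ($8, minus its trailing ';') is kept, so the result does
# not silently depend on the local zone of the host running this script.
epoch_from_systemctl_status() {
    stamp=$(awk '/^[[:space:]]*Active:/ {
        if ($4 == "since") {
            tz = $8; sub(/;$/, "", tz)
            printf "%s %s %s", $6, $7, tz
        }
        exit
    }')
    [ -n "$stamp" ] || return 1          # service never started / no "since"
    date -u -d "$stamp" +%s
}

# Read raw (non -i) ausearch output on stdin and print the epoch seconds of
# the most recent DAEMON_START record. Raw records already carry
# msg=audit(SECONDS.MILLIS:SERIAL); ausearch prints oldest first, so the
# last match is the latest start. A leading "node=..." prefix is tolerated.
epoch_from_daemon_start() {
    last=$(sed -n 's/.*type=DAEMON_START msg=audit(\([0-9]*\)\.[0-9]*:[0-9]*).*/\1/p' | tail -n 1)
    [ -n "$last" ] || return 1          # no DAEMON_START left in the log
    printf '%s\n' "$last"
}

# Constructed sample output (not from a real system).
SAMPLE_STATUS='* auditd.service - Security Auditing Service
     Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2021-08-04 09:12:33 UTC; 2h 3min ago'

SAMPLE_AUSEARCH='----
time->Tue Aug  3 22:01:05 2021
type=DAEMON_START msg=audit(1628028065.004:8001): op=start ver=3.0 format=enriched kernel=5.13.7 auid=4294967295 pid=901 uid=0 ses=4294967295 res=success
----
time->Wed Aug  4 09:12:33 2021
type=DAEMON_START msg=audit(1628068353.123:8164): op=start ver=3.0 format=enriched kernel=5.13.7 auid=4294967295 pid=1234 uid=0 ses=4294967295 res=success'

# Offline demonstration on the samples. On a live host feed the real commands:
#   systemctl status auditd.service | epoch_from_systemctl_status
#   ausearch --start boot -m daemon_start | epoch_from_daemon_start
printf 'systemctl: auditd active since %s\n' \
    "$(printf '%s\n' "$SAMPLE_STATUS" | epoch_from_systemctl_status)"
printf 'audit log: last DAEMON_START at %s\n' \
    "$(printf '%s\n' "$SAMPLE_AUSEARCH" | epoch_from_daemon_start)"
```

A hardening script should treat the two answers differently: `systemctl` reports only the currently running instance, while `DAEMON_START` records survive across restarts but disappear once the log rotates away (the "scrolled away" case above), which is why the audit-log function returns non-zero rather than an empty string when nothing is left to compare against.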


--
Linux-audit mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/linux-audit
