Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 224628 - "-ts today 11:15:00" causes error message
Summary: "-ts today 11:15:00" causes error message
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: audit
Version: 4.4
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
: ---
Assignee: Steve Grubb
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-01-26 19:24 UTC by Steve Grubb
Modified: 2007-11-17 01:14 UTC (History)
0 users

Fixed In Version: RHBA-2007-0285
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-05-07 23:56:02 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2007:0285 normal SHIPPED_LIVE audit enhancement update 2007-04-28 18:59:20 UTC

Description Steve Grubb 2007-01-26 19:24:12 UTC
+++ This bug was initially created as a clone of Bug #191394 +++

Description of problem:
# ausearch -m avc -if audit.log -te now -ts today 11:15:00
Invalid start date (today). Month, Day, and Year are required.

(Note that '-ts 11:15:00' and letting it default to "today" *works*)

However, the manpage for ausearch says:
 -ts [start date] [start time]
              Search for events with time stamps equal to or after  the  given
              end  time. The format of end time depends on your locale. If the
              date is omitted, today is assumed. If the time is omitted,  mid-
              night is assumed. Use 24 hour clock time rather than AM or PM to
              specify time. An example date is 10/24/2005. An example of  time
              is  18:00:00. You may also use the word: now, today, and yester-
              day. Today means starting at 1 second after midnight.  Yesterday
              is 1 second after midnight the previous day.


Version-Release number of selected component (if applicable):
audit-1.2.1-2

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

-- Additional comment from sgrubb@redhat.com on 2006-05-12 08:24 EST --
today is a full time specification, meaning that it translates to 05/12/2006
00:00:01. So, doing -ts today 11:15:00 is the same as doing 05/12/2006 00:00:01
11:15:00, which is an error. I should probably cleanup the error messages and
update documentation. If you had wanted 11:15:00 on today's date, you only need
to enter the time and today's date is assumed.

-- Additional comment from zing@fastmail.fm on 2006-06-27 11:49 EST --
Could you also clarify whether the -ts option requires at least one of either
the time or date?

It is a confusing that -te can be used without any time specifications, but -ts
requires at least one time specification of date or time.  At least, this is
what I see on FC5:

$ ausearch -ts
-ts requires either date and/or time

It would be nice, and, IMO, expected to have -ts work like -te.

-- Additional comment from sgrubb@redhat.com on 2006-09-19 10:23 EST --
This was fixed in audit-1.2.7 and will be pushed into rawhide, FC-6, and FC-5.
Thanks for the suggestion.

Comment 6 Red Hat Bugzilla 2007-05-07 23:56:02 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0285.html


Note You need to log in before you can comment on or make changes to this bug.