инструмент для запроса журналов демона аудита (a tool to query audit daemon logs)
Примечание (Note)
The boot time option is a convenience function and has
limitations. The time it calculates is based on time now minus
/proc/uptime. If after boot the system clock has been adjusted,
perhaps by ntp, then the calculation may be wrong. In that case
you'll need to fully specify the time. You can check the time it
would use by running:
date -d "`cut -f1 -d. /proc/uptime` seconds ago"
