A few Linux auditing questions
Scott Ehrlich
srehrlich-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Mon Mar 7 18:38:34 EST 2011
I am running 64-bit Fedora 10 and 12 (and yes, I know they are both
old versions, but I don't have the ability, at the moment, to upgrade
them, so I need to work with what I have).
These machines are part of a NIS network and do NOT have SELinux enabled.
A few questions to help educate me:
- If I run aureport -i -l -ts this-week -te this-week I sometimes
get a resulting username of "unknown". /var/yp is up-to-date and
/etc/passwd shows no unusual entries for the NIS server nor any of the
clients. What might cause the 'unknown' entries?
- In /etc/pam.d/system-auth what is the function of shadow, I think on
one of the password lines?
- If I type history in bash, I get a listing of commands entered, but
no corresponding date/time stamps. I did recently learn about the
history timestamp bash variable, but if I export it, it will show me
the history commands with a date/time stamp of _now_ (when I exported
it). Is there _any_ way to see when the command was entered, or is
it a lost cause?
- As a follow-up to history, if chkconfig _whatever_ on/off was typed
(say chkconfig auditd on or off) where is the best place to see
_when_ it might have been entered? I looked in /var/log/messages
but it was not readily apparent.
Thanks.
Scott