backup results from the CPAN

backup

Audit-Log

view release on metacpan or search on metacpan


    my $parser = Audit::Log->new();
    my $rows = $parser->search(
        type     => qr/path/i,
        nametype => qr/delete|create|normal/i,
        name     => qr/somefile.txt/i,
    );

=head1 WHY

I had to do reporting for non-incremental backups.
I needed something faster than GNU find, and which took less memory as well.
I didn't want to stat 1M+ files.
Just reads a log and keeps the bare minimum useful information.

You can use auditd for a number of other interesting purposes, which this should support as well.

=head1 CONSTRUCTOR

=head2 new(STRING path, ARRAY returning) = Audit::Log

lib/Audit/Log.pm view on Meta::CPAN

if none is provided.

Also can filter returned keys by the provided array to not allocate unnecesarily in low mem situations.

=head3 using with ausearch

It's common to have the audit log be quite verbose, and log-rotated.
To get around that you can dump pieces of the audit log as appropriate with ausearch.
Here's an example of dumping keyed events for the last day, which you could then load into new().

    ausearch --raw --key backupwatch -ts `date --date yesterday '+%x'` > yesterdays-audit.log

If you pass 'ausearch' as the audit log path to new(), we will pipe-open to this in subsequent search() calls.

=head3 configuring retention

The audit log is quite likely to have very limited retention.
This is configured in the max_log_file and num_logs parameter of /etc/auditd/audit.conf
You will only have max_log_file * num_logs MB of events stored, so plan according to how much you need to watch.

Your specific use case should be observed, and tuned accordingly.

lib/Audit/Log.pm view on Meta::CPAN

Adds in a 'line' parameter to rows returned in case you want to know which line in the log it's on.
Also adds a 'timestamp' parameter, since this is a parsed parameter.

=head3 Speeding it up: by event

Auditd logs are also structured in blocks separated between SYSCALL lines, which are normally filtered by 'key', which corresponds to rule name.
We can speed up processing by ignoring events of the incorrect key.

Example:

    my $rows = $parser->search( type => qr/path/i, nametype=qr/delete|create|normal/i, key => qr/backup_watch/i );

The above will ignore events from all rules save those from the "backup_watch" rule.

=head3 Speeding it up: by timeframe

Auditd log rules also print a timestamp, which means we need a numeric comparison.
Pass in 'older' and 'newer', and we can filter out things appropriately.

Example:

    # Get all records that are from the last 24 hours
    my $rows = $parser->search( type => qr/path/i, nametype=qr/delete|create|normal/i, newer => ( time - 86400 ) );

t/Audit-Log.t view on Meta::CPAN

use warnings;

use lib 'lib';

use Test::More;
use Test::Deep;
use Audit::Log;
use List::Util 1.45 qw{uniq};

my $parser = Audit::Log->new('t/audit.log','name','type','nametype','line','timestamp', 'cwd', 'exe', 'comm', 'res');
my $rows = $parser->search( type => qr/path/i, nametype => qr/create|delete/i, name => qr/^backups\/[^\.]/, key => qr/backupwatch/, older => 1642448670, newer => 1642441403 );

my $expected = [
  {
    'line' => 3,
    'timestamp' => '1642441406.575',
    'type' => 'PATH',
    'nametype' => 'CREATE',
    'name' => 'backups/test.txt',
    'cwd'  => '/testpath',
    'exe'  => '/usr/bin/touch',
    'comm' => 'touch',
    'res'  => 1,
  },
  {
    'type' => 'PATH',
    'timestamp' => '1642441412.975',
    'line' => 8,
    'name' => 'backups/testme.txt',
    'nametype' => 'DELETE',
    'cwd'      => '/testpath',
    'exe'      => '/usr/bin/rm',
    'comm'     => 'rm',
    res        => 1,
  }
];

is_deeply($rows,$expected,"Parser works as expected");
done_testing();

t/audit.log view on Meta::CPAN

type=USER_ACCT msg=audit(1642441188.763:67): pid=11909 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:accounting grantors=pam_permit acct="doge" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AU...
type=USER_CMD msg=audit(1642441188.763:68): pid=11909 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='cwd="/testpath" cmd=736572766963652061756469746420737461747573 exe="/usr/bin/sudo" terminal=pts/1 res=success'UID="doge" AUID="unset"
type=CRED_REFR msg=audit(1642441188.763:69): pid=11909 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit,pam_cap acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="dog...
type=USER_START msg=audit(1642441188.763:70): pid=11909 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:session_open grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal...
type=USER_END msg=audit(1642441188.815:71): pid=11909 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:session_close grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=...
type=CRED_DISP msg=audit(1642441188.815:72): pid=11909 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID=...
type=USER_ACCT msg=audit(1642441381.779:73): pid=12068 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:accounting grantors=pam_permit acct="doge" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AU...
type=USER_CMD msg=audit(1642441381.779:74): pid=12068 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='cwd="/testpath" cmd=617564697463746C202D77202F686F6D652F646F67652F436F64652F636C69656E742D736372697074732F686F6C6F70687261737469632F626...
type=CRED_REFR msg=audit(1642441381.779:75): pid=12068 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit,pam_cap acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="dog...
type=USER_START msg=audit(1642441381.779:76): pid=12068 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:session_open grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal...
type=CONFIG_CHANGE msg=audit(1642441381.779:77): auid=4294967295 ses=4294967295 subj=unconfined op=add_rule key="backupwatch" list=4 res=1AUID="unset"
type=SYSCALL msg=audit(1642441381.779:77): arch=c000003e syscall=44 success=yes exit=1120 a0=4 a1=7ffda0f363e0 a2=460 a3=0 items=0 ppid=12068 pid=12069 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 co...
type=PROCTITLE msg=audit(1642441381.779:77): proctitle=617564697463746C002D77002F686F6D652F646F67652F436F64652F636C69656E742D736372697074732F686F6C6F70687261737469632F6261636B757073002D700077617278002D6B006261636B75707761746368
type=USER_END msg=audit(1642441381.783:78): pid=12068 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:session_close grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=...
type=CRED_DISP msg=audit(1642441381.783:79): pid=12068 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID=...
type=SYSCALL msg=audit(1642441391.567:80): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffe41a5b831 a2=941 a3=1b6 items=2 ppid=3354 pid=12075 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1...
type=CWD msg=audit(1642441391.567:80): cwd="/testpath"
type=PATH msg=audit(1642441391.567:80): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PATH msg=audit(1642441391.567:80): item=1 name="backups/test.txt" inode=10881960 dev=103:02 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PROCTITLE msg=audit(1642441391.567:80): proctitle=746F756368006261636B7570732F746573742E747874
type=SYSCALL msg=audit(1642441402.623:81): arch=c000003e syscall=316 success=yes exit=0 a0=ffffff9c a1=7ffe4b295824 a2=ffffff9c a3=7ffe4b295835 items=4 ppid=3354 pid=12083 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgi...
type=CWD msg=audit(1642441402.623:81): cwd="/testpath"
type=PATH msg=audit(1642441402.623:81): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PATH msg=audit(1642441402.623:81): item=1 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PATH msg=audit(1642441402.623:81): item=2 name="backups/test.txt" inode=10881960 dev=103:02 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PATH msg=audit(1642441402.623:81): item=3 name="backups/testme.txt" inode=10881960 dev=103:02 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PROCTITLE msg=audit(1642441402.623:81): proctitle=6D76006261636B7570732F746573742E747874006261636B7570732F746573746D652E747874
type=SYSCALL msg=audit(1642441406.575:82): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7fffb180d831 a2=941 a3=1b6 items=2 ppid=3354 pid=12087 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1...
type=CWD msg=audit(1642441406.575:82): cwd="/testpath"
type=PATH msg=audit(1642441406.575:82): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PATH msg=audit(1642441406.575:82): item=1 name="backups/test.txt" inode=10881995 dev=103:02 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PROCTITLE msg=audit(1642441406.575:82): proctitle=746F756368006261636B7570732F746573742E747874
type=SYSCALL msg=audit(1642441412.975:83): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55ca3d8054d0 a2=0 a3=0 items=2 ppid=3354 pid=12093 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ...
type=CWD msg=audit(1642441412.975:83): cwd="/testpath"
type=PATH msg=audit(1642441412.975:83): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PATH msg=audit(1642441412.975:83): item=1 name="backups/testme.txt" inode=10881960 dev=103:02 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PROCTITLE msg=audit(1642441412.975:83): proctitle=726D006261636B7570732F746573746D652E747874
type=SYSCALL msg=audit(1642441419.063:84): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=55b8e9c09500 a2=1fd a3=49 items=1 ppid=3354 pid=12097 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=10...
type=CWD msg=audit(1642441419.063:84): cwd="/testpath"
type=PATH msg=audit(1642441419.063:84): item=0 name="backups/test.txt" inode=10881995 dev=103:02 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PROCTITLE msg=audit(1642441419.063:84): proctitle=63686D6F64002B78006261636B7570732F746573742E747874
type=USER_ACCT msg=audit(1642441428.163:85): pid=12106 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:accounting grantors=pam_permit acct="doge" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AU...
type=USER_CMD msg=audit(1642441428.163:86): pid=12106 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='cwd="/testpath" cmd="aureport" exe="/usr/bin/sudo" terminal=pts/1 res=success'UID="doge" AUID="unset"
type=CRED_REFR msg=audit(1642441428.163:87): pid=12106 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit,pam_cap acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="dog...
type=USER_START msg=audit(1642441428.163:88): pid=12106 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:session_open grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal...
type=USER_END msg=audit(1642441428.167:89): pid=12106 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:session_close grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=...
type=CRED_DISP msg=audit(1642441428.167:90): pid=12106 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID=...
type=USER_ACCT msg=audit(1642441461.555:91): pid=12157 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:accounting grantors=pam_permit acct="doge" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AU...
type=USER_CMD msg=audit(1642441461.555:92): pid=12157 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='cwd="/testpath" cmd=6C657373202F7661722F6C6F672F61756469742F61756469742E6C6F67 exe="/usr/bin/sudo" terminal=pts/1 res=success'UID="dog...
type=CRED_REFR msg=audit(1642441461.555:93): pid=12157 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit,pam_cap acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="dog...

t/audit.log view on Meta::CPAN

type=USER_ACCT msg=audit(1642448701.852:217): pid=14711 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:accounting grantors=pam_permit acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'UID="root" AUID="uns...
type=CRED_ACQ msg=audit(1642448701.852:218): pid=14711 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit,pam_cap acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'UID="root" AUID=...
type=LOGIN msg=audit(1642448701.852:219): pid=14711 uid=0 subj=unconfined old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=37 res=1UID="root" OLD-AUID="unset" AUID="root"
type=SYSCALL msg=audit(1642448701.852:219): arch=c000003e syscall=1 success=yes exit=1 a0=7 a1=7ffdf543f180 a2=1 a3=7fccdc9c1030 items=0 ppid=934 pid=14711 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=37 comm="cron" e...
type=PROCTITLE msg=audit(1642448701.852:219): proctitle=2F7573722F7362696E2F43524F4E002D66002D50
type=USER_START msg=audit(1642448701.856:220): pid=14711 uid=0 auid=0 ses=37 subj=unconfined msg='op=PAM:session_open grantors=pam_loginuid,pam_env,pam_env,pam_permit,pam_umask,pam_unix,pam_limits acct="root" exe="/usr/sbin/cron" hostname=? addr=? te...
type=CRED_DISP msg=audit(1642448701.856:221): pid=14711 uid=0 auid=0 ses=37 subj=unconfined msg='op=PAM:setcred grantors=pam_permit acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'UID="root" AUID="root"
type=USER_END msg=audit(1642448701.856:222): pid=14711 uid=0 auid=0 ses=37 subj=unconfined msg='op=PAM:session_close grantors=pam_loginuid,pam_env,pam_env,pam_permit,pam_umask,pam_unix,pam_limits acct="root" exe="/usr/sbin/cron" hostname=? addr=? ter...
type=SERVICE_START msg=audit(1642448992.440:223): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="...
type=SERVICE_STOP msg=audit(1642449003.084:224): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="u...
type=SYSCALL msg=audit(1642449025.700:225): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=556754f22ce0 a2=0 a3=0 items=1 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000...
type=CWD msg=audit(1642449025.700:225): cwd="/testpath"
type=PATH msg=audit(1642449025.700:225): item=0 name="backups/test.txt" inode=10881995 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PROCTITLE msg=audit(1642449025.700:225): proctitle=76696D006261636B7570732F746573742E747874
type=SYSCALL msg=audit(1642449025.700:226): arch=c000003e syscall=89 success=no exit=-22 a0=7ffc7917e020 a1=7ffc7917f080 a2=fff a3=21 items=1 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsg...
type=CWD msg=audit(1642449025.700:226): cwd="/testpath"
type=PATH msg=audit(1642449025.700:226): item=0 name="backups/test.txt" inode=10881995 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PROCTITLE msg=audit(1642449025.700:226): proctitle=76696D006261636B7570732F746573742E747874
type=SYSCALL msg=audit(1642449025.700:227): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=5567551b4090 a2=c2 a3=180 items=2 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1...
type=CWD msg=audit(1642449025.700:227): cwd="/testpath"
type=PATH msg=audit(1642449025.700:227): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PATH msg=audit(1642449025.700:227): item=1 name="backups/.test.txt.swp" inode=10881809 dev=103:02 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PROCTITLE msg=audit(1642449025.700:227): proctitle=76696D006261636B7570732F746573742E747874
type=SYSCALL msg=audit(1642449025.700:228): arch=c000003e syscall=257 success=yes exit=5 a0=ffffff9c a1=556754f238b0 a2=c2 a3=180 items=2 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1...
type=CWD msg=audit(1642449025.700:228): cwd="/testpath"
type=PATH msg=audit(1642449025.700:228): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PATH msg=audit(1642449025.700:228): item=1 name="backups/.test.txt.swx" inode=10881889 dev=103:02 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PROCTITLE msg=audit(1642449025.700:228): proctitle=76696D006261636B7570732F746573742E747874
type=SYSCALL msg=audit(1642449025.700:229): arch=c000003e syscall=87 success=yes exit=0 a0=556754f238b0 a1=7f0a20d2ccd6 a2=0 a3=1000 items=2 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgi...
type=CWD msg=audit(1642449025.700:229): cwd="/testpath"
type=PATH msg=audit(1642449025.700:229): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PATH msg=audit(1642449025.700:229): item=1 name="backups/.test.txt.swx" inode=10881889 dev=103:02 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PROCTITLE msg=audit(1642449025.700:229): proctitle=76696D006261636B7570732F746573742E747874
type=SYSCALL msg=audit(1642449025.700:230): arch=c000003e syscall=87 success=yes exit=0 a0=5567551b4090 a1=7f0a20d2ccd6 a2=0 a3=1000 items=2 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgi...
type=CWD msg=audit(1642449025.700:230): cwd="/testpath"
type=PATH msg=audit(1642449025.700:230): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PATH msg=audit(1642449025.700:230): item=1 name="backups/.test.txt.swp" inode=10881809 dev=103:02 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PROCTITLE msg=audit(1642449025.700:230): proctitle=76696D006261636B7570732F746573742E747874
type=SYSCALL msg=audit(1642449025.700:231): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=5567551b4090 a2=200c2 a3=180 items=2 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgi...
type=CWD msg=audit(1642449025.700:231): cwd="/testpath"
type=PATH msg=audit(1642449025.700:231): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PATH msg=audit(1642449025.700:231): item=1 name="backups/.test.txt.swp" inode=10881809 dev=103:02 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PROCTITLE msg=audit(1642449025.700:231): proctitle=76696D006261636B7570732F746573742E747874
type=SYSCALL msg=audit(1642449025.700:232): arch=c000003e syscall=90 success=yes exit=0 a0=5567551b4090 a1=1a4 a2=556754576420 a3=5567545763a0 items=1 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid...
type=CWD msg=audit(1642449025.700:232): cwd="/testpath"
type=PATH msg=audit(1642449025.700:232): item=0 name="backups/.test.txt.swp" inode=10881809 dev=103:02 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PROCTITLE msg=audit(1642449025.700:232): proctitle=76696D006261636B7570732F746573742E747874
type=SYSCALL msg=audit(1642449025.700:233): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=556754f22ce0 a2=0 a3=0 items=1 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000...
type=CWD msg=audit(1642449025.700:233): cwd="/testpath"
type=PATH msg=audit(1642449025.700:233): item=0 name="backups/test.txt" inode=10881995 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PROCTITLE msg=audit(1642449025.700:233): proctitle=76696D006261636B7570732F746573742E747874
type=SYSCALL msg=audit(1642449028.256:234): arch=c000003e syscall=191 success=no exit=-61 a0=556754f22ce0 a1=7f0a21316000 a2=7ffc7917fd80 a3=84 items=1 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgi...
type=CWD msg=audit(1642449028.256:234): cwd="/testpath"
type=PATH msg=audit(1642449028.256:234): item=0 name="backups/test.txt" inode=10881995 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PROCTITLE msg=audit(1642449028.256:234): proctitle=76696D006261636B7570732F746573742E747874
type=SYSCALL msg=audit(1642449028.256:235): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=556754f17500 a2=200c1 a3=81fd items=2 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsg...
type=CWD msg=audit(1642449028.256:235): cwd="/testpath"
type=PATH msg=audit(1642449028.256:235): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PATH msg=audit(1642449028.256:235): item=1 name="backups/4913" inode=10881889 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PROCTITLE msg=audit(1642449028.256:235): proctitle=76696D006261636B7570732F746573742E747874
type=SYSCALL msg=audit(1642449028.256:236): arch=c000003e syscall=93 success=yes exit=0 a0=3 a1=3e8 a2=3e8 a3=81fd items=1 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 se...
type=CWD msg=audit(1642449028.256:236): cwd="/testpath"
type=PATH msg=audit(1642449028.256:236): item=0 name=(null) inode=10881889 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PROCTITLE msg=audit(1642449028.256:236): proctitle=76696D006261636B7570732F746573742E747874
type=SYSCALL msg=audit(1642449028.256:237): arch=c000003e syscall=87 success=yes exit=0 a0=556754f17500 a1=556754f17500 a2=7ffc79180110 a3=0 items=2 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1...
type=CWD msg=audit(1642449028.256:237): cwd="/testpath"
type=PATH msg=audit(1642449028.256:237): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PATH msg=audit(1642449028.256:237): item=1 name="backups/4913" inode=10881889 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PROCTITLE msg=audit(1642449028.256:237): proctitle=76696D006261636B7570732F746573742E747874
type=SYSCALL msg=audit(1642449028.256:238): arch=c000003e syscall=87 success=no exit=-2 a0=556754f8a530 a1=556754f8a530 a2=fffffffffffffea0 a3=0 items=1 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sg...
type=CWD msg=audit(1642449028.256:238): cwd="/testpath"
type=PATH msg=audit(1642449028.256:238): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PROCTITLE msg=audit(1642449028.256:238): proctitle=76696D006261636B7570732F746573742E747874
type=SYSCALL msg=audit(1642449028.256:239): arch=c000003e syscall=82 success=yes exit=0 a0=556754f22ce0 a1=556754f8a530 a2=fffffffffffffea0 a3=0 items=4 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sg...
type=CWD msg=audit(1642449028.256:239): cwd="/testpath"
type=PATH msg=audit(1642449028.256:239): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PATH msg=audit(1642449028.256:239): item=1 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PATH msg=audit(1642449028.256:239): item=2 name="backups/test.txt" inode=10881995 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PATH msg=audit(1642449028.256:239): item=3 name="backups/test.txt~" inode=10881995 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PROCTITLE msg=audit(1642449028.256:239): proctitle=76696D006261636B7570732F746573742E747874
type=SYSCALL msg=audit(1642449028.256:240): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=556754f22ce0 a2=41 a3=1fd items=2 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1...
type=CWD msg=audit(1642449028.256:240): cwd="/testpath"
type=PATH msg=audit(1642449028.256:240): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PATH msg=audit(1642449028.256:240): item=1 name="backups/test.txt" inode=10881889 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PROCTITLE msg=audit(1642449028.256:240): proctitle=76696D006261636B7570732F746573742E747874
type=SYSCALL msg=audit(1642449028.264:241): arch=c000003e syscall=91 success=yes exit=0 a0=3 a1=81fd a2=7ffc7917fe30 a3=0 items=1 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=...
type=CWD msg=audit(1642449028.264:241): cwd="/testpath"
type=PATH msg=audit(1642449028.264:241): item=0 name=(null) inode=10881889 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PROCTITLE msg=audit(1642449028.264:241): proctitle=76696D006261636B7570732F746573742E747874
type=SYSCALL msg=audit(1642449028.264:242): arch=c000003e syscall=188 success=yes exit=0 a0=556754f22ce0 a1=7f0a21316000 a2=5567551ce620 a3=1c items=1 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid...
type=CWD msg=audit(1642449028.264:242): cwd="/testpath"
type=PATH msg=audit(1642449028.264:242): item=0 name="backups/test.txt" inode=10881889 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PROCTITLE msg=audit(1642449028.264:242): proctitle=76696D006261636B7570732F746573742E747874
type=SYSCALL msg=audit(1642449028.264:243): arch=c000003e syscall=87 success=yes exit=0 a0=556754f8a530 a1=2d667475 a2=5567544e476b a3=0 items=2 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 ...
type=CWD msg=audit(1642449028.264:243): cwd="/testpath"
type=PATH msg=audit(1642449028.264:243): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PATH msg=audit(1642449028.264:243): item=1 name="backups/test.txt~" inode=10881995 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PROCTITLE msg=audit(1642449028.264:243): proctitle=76696D006261636B7570732F746573742E747874
type=SYSCALL msg=audit(1642449028.264:244): arch=c000003e syscall=87 success=yes exit=0 a0=5567551ca560 a1=1 a2=1d a3=1 items=2 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pt...
type=CWD msg=audit(1642449028.264:244): cwd="/testpath"
type=PATH msg=audit(1642449028.264:244): item=0 name="/testpath/backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PATH msg=audit(1642449028.264:244): item=1 name="/testpath/backups/.test.txt.swp" inode=10881809 dev=103:02 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
type=PROCTITLE msg=audit(1642449028.264:244): proctitle=76696D006261636B7570732F746573742E747874
type=USER_AUTH msg=audit(1642449044.180:245): pid=14821 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:authentication grantors=pam_permit,pam_cap acct="doge" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'...
type=USER_ACCT msg=audit(1642449044.180:246): pid=14821 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:accounting grantors=pam_permit acct="doge" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" A...
type=USER_CMD msg=audit(1642449044.180:247): pid=14821 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='cwd="/home/doge/Code/Audit-Log" cmd=6370202F7661722F6C6F672F61756469742F61756469742E6C6F6720742F exe="/usr/bin/sudo" terminal=pts/1 re...
type=CRED_REFR msg=audit(1642449044.180:248): pid=14821 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit,pam_cap acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="do...
type=USER_START msg=audit(1642449044.180:249): pid=14821 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:session_open grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? termina...

( run in 0.610 second using v1.01-cache-2.11-cpan-49f99fa48dc )