summaryrefslogtreecommitdiffstats
path: root/framework/src/audit/auparse/test
diff options
context:
space:
mode:
authorAshlee Young <ashlee@wildernessvoice.com>2015-11-29 08:22:13 -0800
committerAshlee Young <ashlee@wildernessvoice.com>2015-11-29 08:22:13 -0800
commitdf5afa4fcd9725380f94ca6476248d4cc24f889a (patch)
tree65456f62397305febf7f40778c5a413a35d094ef /framework/src/audit/auparse/test
parent76f6bf922552c00546e6e85ca471eab28f56986c (diff)
v2.4.4 audit sources
Change-Id: I9315a7408817db51edf084fb4d27fbb492785084 Signed-off-by: Ashlee Young <ashlee@wildernessvoice.com>
Diffstat (limited to 'framework/src/audit/auparse/test')
-rw-r--r--framework/src/audit/auparse/test/Makefile.am91
-rw-r--r--framework/src/audit/auparse/test/auparse_test.c469
-rwxr-xr-xframework/src/audit/auparse/test/auparse_test.py262
-rw-r--r--framework/src/audit/auparse/test/auparse_test.ref803
-rw-r--r--framework/src/audit/auparse/test/auparse_test.ref.py793
-rw-r--r--framework/src/audit/auparse/test/test.log10
-rw-r--r--framework/src/audit/auparse/test/test2.log10
7 files changed, 2438 insertions, 0 deletions
diff --git a/framework/src/audit/auparse/test/Makefile.am b/framework/src/audit/auparse/test/Makefile.am
new file mode 100644
index 00000000..19793508
--- /dev/null
+++ b/framework/src/audit/auparse/test/Makefile.am
@@ -0,0 +1,91 @@
+# Makefile.am --
+# Copyright 2006-08,2014-15 Red Hat Inc., Durham, North Carolina.
+# All Rights Reserved.
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+# Authors:
+# Steve Grubb <sgrubb@redhat.com>
+#
+
+CONFIG_CLEAN_FILES = *.loT *.rej *.orig *.cur
+AUTOMAKE_OPTIONS = no-dependencies
+check_PROGRAMS = auparse_test
+dist_check_SCRIPTS = auparse_test.py
+EXTRA_DIST = auparse_test.ref auparse_test.ref.py test.log test2.log
+
+AM_CPPFLAGS = -I${top_srcdir}/auparse -I${top_srcdir}/lib
+
+auparse_test_SOURCES = auparse_test.c
+auparse_test_LDFLAGS = -static
+auparse_test_LDADD = ${top_builddir}/auparse/libauparse.la \
+ ${top_builddir}/lib/libaudit.la
+
+drop_srcdir = sed 's,$(srcdir)/test,test,'
+
+check: auparse_test
+ test "$(top_srcdir)" = "$(top_builddir)" || \
+ cp $(top_srcdir)/auparse/test/test*.log .
+ LC_ALL=C \
+ ./auparse_test > auparse_test.cur
+ diff -u $(top_srcdir)/auparse/test/auparse_test.ref auparse_test.cur
+if HAVE_PYTHON
+ cp ${top_builddir}/bindings/swig/python/.libs/_audit.so ${top_builddir}/bindings/swig/python
+ PYTHONPATH=${top_builddir}/bindings/python/python2/.libs/:${top_builddir}/bindings/swig/python:${top_builddir}/bindings/swig/python/.libs \
+ LD_LIBRARY_PATH=${top_builddir}/auparse/.libs \
+ srcdir=$(srcdir) $(srcdir)/auparse_test.py \
+ | $(drop_srcdir) > auparse_test.cur
+ diff -u $(top_srcdir)/auparse/test/auparse_test.ref.py auparse_test.cur
+endif
+ echo -e "===================\nAuparse Test Passes\n==================="
+
+diffcheck: auparse_test
+ ./auparse_test > auparse_test.cur
+ diff -u $(srcdir)/auparse_test.ref auparse_test.cur
+
+memcheck: auparse_test
+ valgrind --leak-check=yes --show-reachable=yes ./auparse_test
+
+pycheck: auparse_test.py
+if HAVE_PYTHON
+ PYTHONPATH=${top_builddir}/bindings/python/python2/.libs/:${top_builddir}/bindings/swig/python:${top_builddir}/bindings/swig/python/.libs \
+ LD_LIBRARY_PATH=${top_builddir}/auparse/.libs \
+ srcdir=$(srcdir) $(srcdir)/auparse_test.py
+endif
+
+pydiffcheck: auparse_test.py
+if HAVE_PYTHON
+ PYTHONPATH=${top_builddir}/bindings/python/python2/.libs/:${top_builddir}/bindings/swig/python:${top_builddir}/bindings/swig/python/.libs \
+ LD_LIBRARY_PATH=${top_builddir}/auparse/.libs \
+ srcdir=$(srcdir) $(srcdir)/auparse_test.py \
+ | $(drop_srcdir) > auparse_test.cur
+ diff $(srcdir)/auparse_test.ref auparse_test.cur
+endif
+
+pymemcheck: auparse_test.py
+if HAVE_PYTHON
+ PYTHONPATH=${top_builddir}/bindings/python/python2/.libs/:${top_builddir}/bindings/swig/python:${top_builddir}/bindings/swig/python/.libs \
+ LD_LIBRARY_PATH=${top_builddir}/auparse/.libs srcdir=$(srcdir) valgrind --leak-check=yes --show-reachable=yes python $(srcdir)/auparse_test.py
+
+${top_builddir}/bindings/python/build/*/auparse.so: ${top_srcdir}/bindings/python/auparse_python.c
+ cd ${top_builddir}/bindings/python && make
+endif
+
+clean-generic:
+ $(RM) *.cur
+if HAVE_PYTHON
+ $(RM) ${top_builddir}/bindings/swig/python/_audit.so
+endif
+ test "$(top_srcdir)" = "$(top_builddir)" || $(RM) test*.log
diff --git a/framework/src/audit/auparse/test/auparse_test.c b/framework/src/audit/auparse/test/auparse_test.c
new file mode 100644
index 00000000..a6477d41
--- /dev/null
+++ b/framework/src/audit/auparse/test/auparse_test.c
@@ -0,0 +1,469 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <locale.h>
+#include <errno.h>
+#include <libaudit.h>
+#include <auparse.h>
+
+
+static const char *buf[] = {
+ "type=LOGIN msg=audit(1143146623.787:142): login pid=2027 uid=0 old auid=4294967295 new auid=848\n"
+ "type=SYSCALL msg=audit(1143146623.875:143): arch=c000003e syscall=188 success=yes exit=0 a0=7fffffa9a9f0 a1=3958d11333 a2=5131f0 a3=20 items=1 pid=2027 auid=848 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty3 comm=\"login\" exe=\"/bin/login\" subj=system_u:system_r:local_login_t:s0-s0:c0.c255\n",
+
+ "type=USER_LOGIN msg=audit(1143146623.879:146): user pid=2027 uid=0 auid=848 msg=\'uid=848: exe=\"/bin/login\" (hostname=?, addr=?, terminal=tty3 res=success)\'\n",
+
+ NULL
+};
+
+
+static void walk_test(auparse_state_t *au)
+{
+ int event_cnt = 1, record_cnt;
+
+ do {
+ if (auparse_first_record(au) <= 0) {
+ printf("Error getting first record (%s)\n",
+ strerror(errno));
+ exit(1);
+ }
+ printf("event %d has %d records\n", event_cnt,
+ auparse_get_num_records(au));
+ record_cnt = 1;
+ do {
+ printf(" record %d of type %d(%s) has %d fields\n",
+ record_cnt,
+ auparse_get_type(au),
+ audit_msg_type_to_name(auparse_get_type(au)),
+ auparse_get_num_fields(au));
+ printf(" line=%d file=%s\n",
+ auparse_get_line_number(au),
+ auparse_get_filename(au) ?
+ auparse_get_filename(au) : "None");
+ const au_event_t *e = auparse_get_timestamp(au);
+ if (e == NULL) {
+ printf("Error getting timestamp - aborting\n");
+ exit(1);
+ }
+ printf(" event time: %u.%u:%lu, host=%s\n",
+ (unsigned)e->sec,
+ e->milli, e->serial, e->host ? e->host : "?");
+ auparse_first_field(au);
+ do {
+ printf(" %s=%s (%s)\n",
+ auparse_get_field_name(au),
+ auparse_get_field_str(au),
+ auparse_interpret_field(au));
+ } while (auparse_next_field(au) > 0);
+ printf("\n");
+ record_cnt++;
+ } while(auparse_next_record(au) > 0);
+ event_cnt++;
+ } while (auparse_next_event(au) > 0);
+}
+
+void light_test(auparse_state_t *au)
+{
+ int record_cnt;
+
+ do {
+ if (auparse_first_record(au) <= 0) {
+ puts("Error getting first record");
+ exit(1);
+ }
+ printf("event has %d records\n", auparse_get_num_records(au));
+ record_cnt = 1;
+ do {
+ printf(" record %d of type %d(%s) has %d fields\n",
+ record_cnt,
+ auparse_get_type(au),
+ audit_msg_type_to_name(auparse_get_type(au)),
+ auparse_get_num_fields(au));
+ printf(" line=%d file=%s\n",
+ auparse_get_line_number(au),
+ auparse_get_filename(au) ?
+ auparse_get_filename(au) : "None");
+ const au_event_t *e = auparse_get_timestamp(au);
+ if (e == NULL) {
+ printf("Error getting timestamp - aborting\n");
+ exit(1);
+ }
+ printf(" event time: %u.%u:%lu, host=%s\n",
+ (unsigned)e->sec,
+ e->milli, e->serial,
+ e->host ? e->host : "?");
+ printf("\n");
+ record_cnt++;
+ } while(auparse_next_record(au) > 0);
+
+ } while (auparse_next_event(au) > 0);
+}
+
+void simple_search(ausource_t source, austop_t where)
+{
+ auparse_state_t *au;
+ const char *val;
+
+ if (source == AUSOURCE_FILE) {
+ au = auparse_init(AUSOURCE_FILE, "./test.log");
+ val = "4294967295";
+ } else {
+ au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf);
+ val = "848";
+ }
+ if (au == NULL) {
+ printf("auparse_init error - %s\n", strerror(errno));
+ exit(1);
+ }
+ if (ausearch_add_item(au, "auid", "=", val, AUSEARCH_RULE_CLEAR)){
+ printf("ausearch_add_item error - %s\n", strerror(errno));
+ exit(1);
+ }
+ if (ausearch_set_stop(au, where)){
+ printf("ausearch_set_stop error - %s\n", strerror(errno));
+ exit(1);
+ }
+ if (ausearch_next_event(au) <= 0)
+ printf("Error searching for auid - %s\n", strerror(errno));
+ else
+ printf("Found %s = %s\n", auparse_get_field_name(au),
+ auparse_get_field_str(au));
+ auparse_destroy(au);
+}
+
+void compound_search(ausearch_rule_t how)
+{
+ auparse_state_t *au;
+
+ au = auparse_init(AUSOURCE_FILE, "./test.log");
+ if (au == NULL) {
+ printf("auparse_init error - %s\n", strerror(errno));
+ exit(1);
+ }
+ if (how == AUSEARCH_RULE_AND) {
+ if (ausearch_add_item(au, "uid", "=", "0",
+ AUSEARCH_RULE_CLEAR)){
+ printf("ausearch_add_item 1 error - %s\n",
+ strerror(errno));
+ exit(1);
+ }
+ if (ausearch_add_item(au, "pid", "=", "13015", how)){
+ printf("ausearch_add_item 2 error - %s\n",
+ strerror(errno));
+ exit(1);
+ }
+ if (ausearch_add_item(au, "type", "=", "USER_START", how)){
+ printf("ausearch_add_item 3 error - %s\n",
+ strerror(errno));
+ exit(1);
+ }
+ } else {
+ if (ausearch_add_item(au, "auid", "=", "42",
+ AUSEARCH_RULE_CLEAR)){
+ printf("ausearch_add_item 4 error - %s\n",
+ strerror(errno));
+ exit(1);
+ }
+ // should stop on this one
+ if (ausearch_add_item(au, "auid", "=", "0", how)){
+ printf("ausearch_add_item 5 error - %s\n",
+ strerror(errno));
+ exit(1);
+ }
+ if (ausearch_add_item(au, "auid", "=", "500", how)){
+ printf("ausearch_add_item 6 error - %s\n",
+ strerror(errno));
+ exit(1);
+ }
+ }
+ if (ausearch_set_stop(au, AUSEARCH_STOP_FIELD)){
+ printf("ausearch_set_stop error - %s\n", strerror(errno));
+ exit(1);
+ }
+ if (ausearch_next_event(au) <= 0)
+ printf("Error searching for auid - %s\n", strerror(errno));
+ else
+ printf("Found %s = %s\n", auparse_get_field_name(au),
+ auparse_get_field_str(au));
+ auparse_destroy(au);
+}
+
+void regex_search(const char *expr)
+{
+ auparse_state_t *au;
+ int rc;
+
+ au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf);
+ if (au == NULL) {
+ printf("auparse_init error - %s\n", strerror(errno));
+ exit(1);
+ }
+ if (ausearch_add_regex(au, expr)){
+ printf("ausearch_add_regex error - %s\n", strerror(errno));
+ exit(1);
+ }
+ if (ausearch_set_stop(au, AUSEARCH_STOP_RECORD)){
+ printf("ausearch_set_stop error - %s\n", strerror(errno));
+ exit(1);
+ }
+ rc = ausearch_next_event(au);
+ if (rc < 0)
+ printf("Error searching for %s - %s\n", expr, strerror(errno));
+ else if (rc == 0)
+ printf("Not found\n");
+ else
+ printf("Found %s = %s\n", auparse_get_field_name(au),
+ auparse_get_field_str(au));
+ auparse_destroy(au);
+}
+
+static void auparse_callback(auparse_state_t *au, auparse_cb_event_t cb_event_type, void *user_data)
+{
+ int *event_cnt = (int *)user_data;
+ int record_cnt;
+
+ if (cb_event_type == AUPARSE_CB_EVENT_READY) {
+ if (auparse_first_record(au) <= 0) {
+ printf("can't get first record\n");
+ return;
+ }
+ printf("event %d has %d records\n", *event_cnt,
+ auparse_get_num_records(au));
+ record_cnt = 1;
+ do {
+ printf(" record %d of type %d(%s) has %d fields\n",
+ record_cnt,
+ auparse_get_type(au),
+ audit_msg_type_to_name(auparse_get_type(au)),
+ auparse_get_num_fields(au));
+ printf(" line=%d file=%s\n",
+ auparse_get_line_number(au),
+ auparse_get_filename(au) ?
+ auparse_get_filename(au) : "None");
+ const au_event_t *e = auparse_get_timestamp(au);
+ if (e == NULL) {
+ return;
+ }
+ printf(" event time: %u.%u:%lu, host=%s\n",
+ (unsigned)e->sec,
+ e->milli, e->serial,
+ e->host ? e->host : "?");
+ auparse_first_field(au);
+ do {
+ printf(" %s=%s (%s)\n",
+ auparse_get_field_name(au),
+ auparse_get_field_str(au),
+ auparse_interpret_field(au));
+ } while (auparse_next_field(au) > 0);
+ printf("\n");
+ record_cnt++;
+ } while(auparse_next_record(au) > 0);
+ (*event_cnt)++;
+ }
+}
+
+int main(void)
+{
+ //char *files[4] = { "test.log", "test2.log", "test3.log", NULL };
+ char *files[3] = { "test.log", "test2.log", NULL };
+ setlocale (LC_ALL, "");
+ auparse_state_t *au;
+
+ au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf);
+ if (au == NULL) {
+ printf("Error - %s\n", strerror(errno));
+ return 1;
+ }
+
+ printf("Starting Test 1, iterate...\n");
+ while (auparse_next_event(au) > 0) {
+ if (auparse_find_field(au, "auid")) {
+ printf("%s=%s\n", auparse_get_field_name(au),
+ auparse_get_field_str(au));
+ printf("interp auid=%s\n", auparse_interpret_field(au));
+ } else
+ printf("Error iterating to auid\n");
+ }
+ auparse_reset(au);
+ while (auparse_next_event(au) > 0) {
+ if (auparse_find_field(au, "auid")) {
+ do {
+ printf("%s=%s\n", auparse_get_field_name(au),
+ auparse_get_field_str(au));
+ printf("interp auid=%s\n", auparse_interpret_field(au));
+ } while (auparse_find_field_next(au));
+ } else
+ printf("Error iterating to auid\n");
+ }
+ printf("Test 1 Done\n\n");
+
+ /* Reset, now lets go to beginning and walk the list manually */
+ printf("Starting Test 2, walk events, records, and fields...\n");
+ auparse_reset(au);
+ walk_test(au);
+ auparse_destroy(au);
+ printf("Test 2 Done\n\n");
+
+ /* Reset, now lets go to beginning and walk the list manually */
+ printf("Starting Test 3, walk events, records of 1 buffer...\n");
+ au = auparse_init(AUSOURCE_BUFFER, buf[1]);
+ if (au == NULL) {
+ printf("Error - %s\n", strerror(errno));
+ return 1;
+ }
+ light_test(au);
+ auparse_destroy(au);
+ printf("Test 3 Done\n\n");
+
+ printf("Starting Test 4, walk events, records of 1 file...\n");
+ au = auparse_init(AUSOURCE_FILE, "./test.log");
+ if (au == NULL) {
+ printf("Error - %s\n", strerror(errno));
+ return 1;
+ }
+ walk_test(au);
+ auparse_destroy(au);
+ printf("Test 4 Done\n\n");
+
+ printf("Starting Test 5, walk events, records of 2 files...\n");
+ au = auparse_init(AUSOURCE_FILE_ARRAY, files);
+ if (au == NULL) {
+ printf("Error - %s\n", strerror(errno));
+ return 1;
+ }
+ walk_test(au);
+ auparse_destroy(au);
+ printf("Test 5 Done\n\n");
+
+ printf("Starting Test 6, search...\n");
+ au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf);
+ if (au == NULL) {
+ printf("Error - %s\n", strerror(errno));
+ return 1;
+ }
+ if (ausearch_add_item(au, "auid", "=", "500", AUSEARCH_RULE_CLEAR)){
+ printf("Error - %s", strerror(errno));
+ return 1;
+ }
+ if (ausearch_set_stop(au, AUSEARCH_STOP_EVENT)){
+ printf("Error - %s", strerror(errno));
+ exit(1);
+ }
+ if (ausearch_next_event(au) != 0) {
+ printf("Error search found something it shouldn't have\n");
+ }
+ puts("auid = 500 not found...which is correct");
+ ausearch_clear(au);
+ auparse_destroy(au);
+ au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf);
+ if (ausearch_add_item(au,"auid", "exists", NULL, AUSEARCH_RULE_CLEAR)){
+ printf("Error - %s", strerror(errno));
+ return 1;
+ }
+ if (ausearch_set_stop(au, AUSEARCH_STOP_EVENT)){
+ printf("Error - %s", strerror(errno));
+ exit(1);
+ }
+ if (ausearch_next_event(au) <= 0) {
+ printf("Error searching for existence of auid\n");
+ }
+ puts("auid exists...which is correct");
+ puts("Testing BUFFER_ARRAY, stop on field");
+ simple_search(AUSOURCE_BUFFER_ARRAY, AUSEARCH_STOP_FIELD);
+ puts("Testing BUFFER_ARRAY, stop on record");
+ simple_search(AUSOURCE_BUFFER_ARRAY, AUSEARCH_STOP_RECORD);
+ puts("Testing BUFFER_ARRAY, stop on event");
+ simple_search(AUSOURCE_BUFFER_ARRAY, AUSEARCH_STOP_EVENT);
+ puts("Testing test.log, stop on field");
+ simple_search(AUSOURCE_FILE, AUSEARCH_STOP_FIELD);
+ puts("Testing test.log, stop on record");
+ simple_search(AUSOURCE_FILE, AUSEARCH_STOP_RECORD);
+ puts("Testing test.log, stop on event");
+ simple_search(AUSOURCE_FILE, AUSEARCH_STOP_EVENT);
+ auparse_destroy(au);
+ printf("Test 6 Done\n\n");
+
+ printf("Starting Test 7, compound search...\n");
+ au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf);
+ if (au == NULL) {
+ printf("Error - %s\n", strerror(errno));
+ return 1;
+ }
+ compound_search(AUSEARCH_RULE_AND);
+ compound_search(AUSEARCH_RULE_OR);
+ auparse_destroy(au);
+ printf("Test 7 Done\n\n");
+
+ printf("Starting Test 8, regex search...\n");
+ puts("Doing regex match...");
+ regex_search("1143146623");
+ puts("Doing regex wildcard search...");
+ regex_search("11431466.*146");
+ printf("Test 8 Done\n\n");
+
+ /* Note: this should match Test 2 exactly */
+ printf("Starting Test 9, buffer feed...\n");
+ {
+ int event_cnt = 1;
+ size_t len, chunk_len = 3;
+ const char **cur_buf, *p_beg, *p_end, *p_chunk_beg,
+ *p_chunk_end;
+
+ au = auparse_init(AUSOURCE_FEED, 0);
+ auparse_add_callback(au, auparse_callback, &event_cnt, NULL);
+ for (cur_buf = buf, p_beg = *cur_buf; *cur_buf;
+ cur_buf++, p_beg = *cur_buf) {
+ len = strlen(p_beg);
+ p_end = p_beg + len;
+ p_chunk_beg = p_beg;
+ while (p_chunk_beg < p_end) {
+ p_chunk_end = p_chunk_beg + chunk_len;
+ if (p_chunk_end > p_end)
+ p_chunk_end = p_end;
+
+ //fwrite(p_chunk_beg, 1,
+ // p_chunk_end-p_chunk_beg, stdout);
+ auparse_feed(au, p_chunk_beg,
+ p_chunk_end-p_chunk_beg);
+ p_chunk_beg = p_chunk_end;
+ }
+ }
+
+ auparse_flush_feed(au);
+ auparse_destroy(au);
+ }
+ printf("Test 9 Done\n\n");
+
+ /* Note: this should match Test 4 exactly */
+ printf("Starting Test 10, file feed...\n");
+ {
+ int *event_cnt = malloc(sizeof(int));
+ size_t len;
+ char filename[] = "./test.log";
+ char buf[4];
+ FILE *fp;
+
+ *event_cnt = 1;
+ au = auparse_init(AUSOURCE_FEED, 0);
+ auparse_add_callback(au, auparse_callback, event_cnt, free);
+ if ((fp = fopen(filename, "r")) == NULL) {
+ fprintf(stderr, "could not open '%s', %s\n",
+ filename, strerror(errno));
+ return 1;
+ }
+ while ((len = fread(buf, 1, sizeof(buf), fp))) {
+ auparse_feed(au, buf, len);
+ }
+
+ fclose(fp);
+ auparse_flush_feed(au);
+ auparse_destroy(au);
+ }
+ printf("Test 10 Done\n\n");
+
+ puts("Finished non-admin tests\n");
+
+ return 0;
+}
+
diff --git a/framework/src/audit/auparse/test/auparse_test.py b/framework/src/audit/auparse/test/auparse_test.py
new file mode 100755
index 00000000..9d9a5c4d
--- /dev/null
+++ b/framework/src/audit/auparse/test/auparse_test.py
@@ -0,0 +1,262 @@
+#!/usr/bin/env python
+
+import os
+srcdir = os.getenv('srcdir')
+
+buf = ["type=LOGIN msg=audit(1143146623.787:142): login pid=2027 uid=0 old auid=4294967295 new auid=848\ntype=SYSCALL msg=audit(1143146623.875:143): arch=c000003e syscall=188 success=yes exit=0 a0=7fffffa9a9f0 a1=3958d11333 a2=5131f0 a3=20 items=1 pid=2027 auid=848 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty3 comm=\"login\" exe=\"/bin/login\" subj=system_u:system_r:local_login_t:s0-s0:c0.c255\n",
+"type=USER_LOGIN msg=audit(1143146623.879:146): user pid=2027 uid=0 auid=848 msg=\'uid=848: exe=\"/bin/login\" (hostname=?, addr=?, terminal=tty3 res=success)\'\n",
+]
+files = [srcdir + "/test.log", srcdir + "/test2.log"]
+
+import sys
+import time
+load_path = '../../bindings/python/build/lib.linux-i686-2.4'
+if False:
+ sys.path.insert(0, load_path)
+
+import auparse
+import audit
+
+def none_to_null(s):
+ 'used so output matches C version'
+ if s is None:
+ return '(null)'
+ else:
+ return s
+
+def walk_test(au):
+ event_cnt = 1
+
+ au.reset()
+ while True:
+ if not au.first_record():
+ print "Error getting first record"
+ sys.exit(1)
+
+ print "event %d has %d records" % (event_cnt, au.get_num_records())
+
+ record_cnt = 1
+ while True:
+ print " record %d of type %d(%s) has %d fields" % \
+ (record_cnt,
+ au.get_type(), audit.audit_msg_type_to_name(au.get_type()),
+ au.get_num_fields())
+ print " line=%d file=%s" % (au.get_line_number(), au.get_filename())
+ event = au.get_timestamp()
+ if event is None:
+ print "Error getting timestamp - aborting"
+ sys.exit(1)
+
+ print " event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host))
+ au.first_field()
+ while True:
+ print " %s=%s (%s)" % (au.get_field_name(), au.get_field_str(), au.interpret_field())
+ if not au.next_field(): break
+ print
+ record_cnt += 1
+ if not au.next_record(): break
+ event_cnt += 1
+ if not au.parse_next_event(): break
+
+
+def light_test(au):
+ while True:
+ if not au.first_record():
+ print "Error getting first record"
+ sys.exit(1)
+
+ print "event has %d records" % (au.get_num_records())
+
+ record_cnt = 1
+ while True:
+ print " record %d of type %d(%s) has %d fields" % \
+ (record_cnt,
+ au.get_type(), audit.audit_msg_type_to_name(au.get_type()),
+ au.get_num_fields())
+ print " line=%d file=%s" % (au.get_line_number(), au.get_filename())
+ event = au.get_timestamp()
+ if event is None:
+ print "Error getting timestamp - aborting"
+ sys.exit(1)
+
+ print " event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host))
+ print
+ record_cnt += 1
+ if not au.next_record(): break
+ if not au.parse_next_event(): break
+
+def simple_search(au, source, where):
+
+ if source == auparse.AUSOURCE_FILE:
+ au = auparse.AuParser(auparse.AUSOURCE_FILE, srcdir + "/test.log");
+ val = "4294967295"
+ else:
+ au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
+ val = "848"
+
+ au.search_add_item("auid", "=", val, auparse.AUSEARCH_RULE_CLEAR)
+ au.search_set_stop(where)
+ if not au.search_next_event():
+ print "Error searching for auid"
+ else:
+ print "Found %s = %s" % (au.get_field_name(), au.get_field_str())
+
+def compound_search(au, how):
+ au = auparse.AuParser(auparse.AUSOURCE_FILE, srcdir + "/test.log");
+ if how == auparse.AUSEARCH_RULE_AND:
+ au.search_add_item("uid", "=", "0", auparse.AUSEARCH_RULE_CLEAR)
+ au.search_add_item("pid", "=", "13015", how)
+ au.search_add_item("type", "=", "USER_START", how)
+ else:
+ au.search_add_item("auid", "=", "42", auparse.AUSEARCH_RULE_CLEAR)
+ # should stop on this one
+ au.search_add_item("auid", "=", "0", how)
+ au.search_add_item("auid", "=", "500", how)
+
+ au.search_set_stop(auparse.AUSEARCH_STOP_FIELD)
+ if not au.search_next_event():
+ print "Error searching for auid"
+ else:
+ print "Found %s = %s" % (au.get_field_name(), au.get_field_str())
+
+def feed_callback(au, cb_event_type, event_cnt):
+ if cb_event_type == auparse.AUPARSE_CB_EVENT_READY:
+ if not au.first_record():
+ print "Error getting first record"
+ sys.exit(1)
+
+ print "event %d has %d records" % (event_cnt[0], au.get_num_records())
+
+ record_cnt = 1
+ while True:
+ print " record %d of type %d(%s) has %d fields" % \
+ (record_cnt,
+ au.get_type(), audit.audit_msg_type_to_name(au.get_type()),
+ au.get_num_fields())
+ print " line=%d file=%s" % (au.get_line_number(), au.get_filename())
+ event = au.get_timestamp()
+ if event is None:
+ print "Error getting timestamp - aborting"
+ sys.exit(1)
+
+ print " event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host))
+ au.first_field()
+ while True:
+ print " %s=%s (%s)" % (au.get_field_name(), au.get_field_str(), au.interpret_field())
+ if not au.next_field(): break
+ print
+ record_cnt += 1
+ if not au.next_record(): break
+ event_cnt[0] += 1
+
+au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
+
+print "Starting Test 1, iterate..."
+while au.parse_next_event():
+ if au.find_field("auid"):
+ print "%s=%s" % (au.get_field_name(), au.get_field_str())
+ print "interp auid=%s" % (au.interpret_field())
+ else:
+ print "Error iterating to auid"
+print "Test 1 Done\n"
+
+# Reset, now lets go to beginning and walk the list manually */
+print "Starting Test 2, walk events, records, and fields..."
+au.reset()
+walk_test(au)
+print "Test 2 Done\n"
+
+# Reset, now lets go to beginning and walk the list manually */
+print "Starting Test 3, walk events, records of 1 buffer..."
+au = auparse.AuParser(auparse.AUSOURCE_BUFFER, buf[1])
+light_test(au);
+print "Test 3 Done\n"
+
+print "Starting Test 4, walk events, records of 1 file..."
+au = auparse.AuParser(auparse.AUSOURCE_FILE, srcdir + "/test.log");
+walk_test(au);
+print "Test 4 Done\n"
+
+print "Starting Test 5, walk events, records of 2 files..."
+au = auparse.AuParser(auparse.AUSOURCE_FILE_ARRAY, files);
+walk_test(au);
+print "Test 5 Done\n"
+
+print "Starting Test 6, search..."
+au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
+au.search_add_item("auid", "=", "500", auparse.AUSEARCH_RULE_CLEAR)
+au.search_set_stop(auparse.AUSEARCH_STOP_EVENT)
+if au.search_next_event():
+ print "Error search found something it shouldn't have"
+else:
+ print "auid = 500 not found...which is correct"
+au.search_clear()
+au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
+#au.search_add_item("auid", "exists", None, auparse.AUSEARCH_RULE_CLEAR)
+au.search_add_item("auid", "exists", "", auparse.AUSEARCH_RULE_CLEAR)
+au.search_set_stop(auparse.AUSEARCH_STOP_EVENT)
+if not au.search_next_event():
+ print "Error searching for existence of auid"
+print "auid exists...which is correct"
+print "Testing BUFFER_ARRAY, stop on field"
+simple_search(au, auparse.AUSOURCE_BUFFER_ARRAY, auparse.AUSEARCH_STOP_FIELD)
+print "Testing BUFFER_ARRAY, stop on record"
+simple_search(au, auparse.AUSOURCE_BUFFER_ARRAY, auparse.AUSEARCH_STOP_RECORD)
+print "Testing BUFFER_ARRAY, stop on event"
+simple_search(au, auparse.AUSOURCE_BUFFER_ARRAY, auparse.AUSEARCH_STOP_EVENT)
+print "Testing test.log, stop on field"
+simple_search(au, auparse.AUSOURCE_FILE, auparse.AUSEARCH_STOP_FIELD)
+print "Testing test.log, stop on record"
+simple_search(au, auparse.AUSOURCE_FILE, auparse.AUSEARCH_STOP_RECORD)
+print "Testing test.log, stop on event"
+simple_search(au, auparse.AUSOURCE_FILE, auparse.AUSEARCH_STOP_EVENT)
+print "Test 6 Done\n"
+
+print "Starting Test 7, compound search..."
+au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
+compound_search(au, auparse.AUSEARCH_RULE_AND)
+compound_search(au, auparse.AUSEARCH_RULE_OR)
+print "Test 7 Done\n"
+
+print "Starting Test 8, regex search..."
+au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
+print "Doing regex match...\n"
+au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
+print "Test 8 Done\n"
+
+# Note: this should match Test 2 exactly
+# Note: this should match Test 2 exactly
+print "Starting Test 9, buffer feed..."
+au = auparse.AuParser(auparse.AUSOURCE_FEED);
+event_cnt = 1
+au.add_callback(feed_callback, [event_cnt])
+chunk_len = 3
+for s in buf:
+ s_len = len(s)
+ beg = 0
+ while beg < s_len:
+ end = min(s_len, beg + chunk_len)
+ data = s[beg:end]
+ beg += chunk_len
+ au.feed(data)
+au.flush_feed()
+print "Test 9 Done\n"
+
+# Note: this should match Test 4 exactly
+print "Starting Test 10, file feed..."
+au = auparse.AuParser(auparse.AUSOURCE_FEED);
+event_cnt = 1
+au.add_callback(feed_callback, [event_cnt])
+f = open(srcdir + "/test.log");
+while True:
+ data = f.read(4)
+ if not data: break
+ au.feed(data)
+au.flush_feed()
+print "Test 10 Done\n"
+
+print "Finished non-admin tests\n"
+
+au = None
+sys.exit(0)
+
diff --git a/framework/src/audit/auparse/test/auparse_test.ref b/framework/src/audit/auparse/test/auparse_test.ref
new file mode 100644
index 00000000..6cc399bd
--- /dev/null
+++ b/framework/src/audit/auparse/test/auparse_test.ref
@@ -0,0 +1,803 @@
+Starting Test 1, iterate...
+auid=4294967295
+interp auid=unset
+auid=848
+interp auid=unknown(848)
+auid=848
+interp auid=unknown(848)
+auid=4294967295
+interp auid=unset
+auid=848
+interp auid=unknown(848)
+auid=848
+interp auid=unknown(848)
+auid=848
+interp auid=unknown(848)
+Test 1 Done
+
+Starting Test 2, walk events, records, and fields...
+event 1 has 1 records
+ record 1 of type 1006(LOGIN) has 5 fields
+ line=1 file=None
+ event time: 1143146623.787:142, host=?
+ type=LOGIN (LOGIN)
+ pid=2027 (2027)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ auid=848 (unknown(848))
+
+event 2 has 1 records
+ record 1 of type 1300(SYSCALL) has 24 fields
+ line=2 file=None
+ event time: 1143146623.875:143, host=?
+ type=SYSCALL (SYSCALL)
+ arch=c000003e (x86_64)
+ syscall=188 (setxattr)
+ success=yes (yes)
+ exit=0 (0)
+ a0=7fffffa9a9f0 (0x7fffffa9a9f0)
+ a1=3958d11333 (0x3958d11333)
+ a2=5131f0 (0x5131f0)
+ a3=20 (0x20)
+ items=1 (1)
+ pid=2027 (2027)
+ auid=848 (unknown(848))
+ uid=0 (root)
+ gid=0 (root)
+ euid=0 (root)
+ suid=0 (root)
+ fsuid=0 (root)
+ egid=0 (root)
+ sgid=0 (root)
+ fsgid=0 (root)
+ tty=tty3 (tty3)
+ comm="login" (login)
+ exe="/bin/login" (/bin/login)
+ subj=system_u:system_r:local_login_t:s0-s0:c0.c255 (system_u:system_r:local_login_t:s0-s0:c0.c255)
+
+event 3 has 1 records
+ record 1 of type 1112(USER_LOGIN) has 10 fields
+ line=3 file=None
+ event time: 1143146623.879:146, host=?
+ type=USER_LOGIN (USER_LOGIN)
+ pid=2027 (2027)
+ uid=0 (root)
+ auid=848 (unknown(848))
+ uid=848 (unknown(848))
+ exe="/bin/login" (/bin/login)
+ hostname=? (?)
+ addr=? (?)
+ terminal=tty3 (tty3)
+ res=success (success)
+
+Test 2 Done
+
+Starting Test 3, walk events, records of 1 buffer...
+event has 1 records
+ record 1 of type 1112(USER_LOGIN) has 10 fields
+ line=1 file=None
+ event time: 1143146623.879:146, host=?
+
+Test 3 Done
+
+Starting Test 4, walk events, records of 1 file...
+event 1 has 4 records
+ record 1 of type 1400(AVC) has 11 fields
+ line=1 file=./test.log
+ event time: 1170021493.977:293, host=?
+ type=AVC (AVC)
+ seresult=denied (denied)
+ seperms=read,write (read,write)
+ pid=13010 (13010)
+ comm="pickup" (pickup)
+ name="maildrop" (maildrop)
+ dev=hda7 (hda7)
+ ino=14911367 (14911367)
+ scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
+ tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
+ tclass=dir (dir)
+
+ record 2 of type 1300(SYSCALL) has 26 fields
+ line=2 file=./test.log
+ event time: 1170021493.977:293, host=?
+ type=SYSCALL (SYSCALL)
+ arch=c000003e (x86_64)
+ syscall=2 (open)
+ success=no (no)
+ exit=-13 (-13(Permission denied))
+ a0=5555665d91b0 (0x5555665d91b0)
+ a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY)
+ a2=5555665d91b8 (0x5555665d91b8)
+ a3=0 (0x0)
+ items=1 (1)
+ ppid=2013 (2013)
+ pid=13010 (13010)
+ auid=4294967295 (unset)
+ uid=890 (unknown(890))
+ gid=890 (unknown(890))
+ euid=890 (unknown(890))
+ suid=890 (unknown(890))
+ fsuid=890 (unknown(890))
+ egid=890 (unknown(890))
+ sgid=890 (unknown(890))
+ fsgid=890 (unknown(890))
+ tty=(none) ((none))
+ comm="pickup" (pickup)
+ exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup)
+ subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
+ key=(null) ((null))
+
+ record 3 of type 1307(CWD) has 2 fields
+ line=3 file=./test.log
+ event time: 1170021493.977:293, host=?
+ type=CWD (CWD)
+ cwd="/var/spool/postfix" (/var/spool/postfix)
+
+ record 4 of type 1302(PATH) has 10 fields
+ line=4 file=./test.log
+ event time: 1170021493.977:293, host=?
+ type=PATH (PATH)
+ item=0 (0)
+ name="maildrop" (maildrop)
+ inode=14911367 (14911367)
+ dev=03:07 (03:07)
+ mode=040730 (dir,730)
+ ouid=890 (unknown(890))
+ ogid=891 (unknown(891))
+ rdev=00:00 (00:00)
+ obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
+
+event 2 has 1 records
+ record 1 of type 1101(USER_ACCT) has 11 fields
+ line=5 file=./test.log
+ event time: 1170021601.340:294, host=?
+ type=USER_ACCT (USER_ACCT)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 3 has 1 records
+ record 1 of type 1103(CRED_ACQ) has 11 fields
+ line=6 file=./test.log
+ event time: 1170021601.342:295, host=?
+ type=CRED_ACQ (CRED_ACQ)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 4 has 1 records
+ record 1 of type 1006(LOGIN) has 5 fields
+ line=7 file=./test.log
+ event time: 1170021601.343:296, host=?
+ type=LOGIN (LOGIN)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ auid=0 (root)
+
+event 5 has 1 records
+ record 1 of type 1105(USER_START) has 11 fields
+ line=8 file=./test.log
+ event time: 1170021601.344:297, host=?
+ type=USER_START (USER_START)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 6 has 1 records
+ record 1 of type 1104(CRED_DISP) has 11 fields
+ line=9 file=./test.log
+ event time: 1170021601.364:298, host=?
+ type=CRED_DISP (CRED_DISP)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 7 has 1 records
+ record 1 of type 1106(USER_END) has 11 fields
+ line=10 file=./test.log
+ event time: 1170021601.366:299, host=?
+ type=USER_END (USER_END)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+Test 4 Done
+
+Starting Test 5, walk events, records of 2 files...
+event 1 has 4 records
+ record 1 of type 1400(AVC) has 11 fields
+ line=1 file=test.log
+ event time: 1170021493.977:293, host=?
+ type=AVC (AVC)
+ seresult=denied (denied)
+ seperms=read,write (read,write)
+ pid=13010 (13010)
+ comm="pickup" (pickup)
+ name="maildrop" (maildrop)
+ dev=hda7 (hda7)
+ ino=14911367 (14911367)
+ scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
+ tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
+ tclass=dir (dir)
+
+ record 2 of type 1300(SYSCALL) has 26 fields
+ line=2 file=test.log
+ event time: 1170021493.977:293, host=?
+ type=SYSCALL (SYSCALL)
+ arch=c000003e (x86_64)
+ syscall=2 (open)
+ success=no (no)
+ exit=-13 (-13(Permission denied))
+ a0=5555665d91b0 (0x5555665d91b0)
+ a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY)
+ a2=5555665d91b8 (0x5555665d91b8)
+ a3=0 (0x0)
+ items=1 (1)
+ ppid=2013 (2013)
+ pid=13010 (13010)
+ auid=4294967295 (unset)
+ uid=890 (unknown(890))
+ gid=890 (unknown(890))
+ euid=890 (unknown(890))
+ suid=890 (unknown(890))
+ fsuid=890 (unknown(890))
+ egid=890 (unknown(890))
+ sgid=890 (unknown(890))
+ fsgid=890 (unknown(890))
+ tty=(none) ((none))
+ comm="pickup" (pickup)
+ exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup)
+ subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
+ key=(null) ((null))
+
+ record 3 of type 1307(CWD) has 2 fields
+ line=3 file=test.log
+ event time: 1170021493.977:293, host=?
+ type=CWD (CWD)
+ cwd="/var/spool/postfix" (/var/spool/postfix)
+
+ record 4 of type 1302(PATH) has 10 fields
+ line=4 file=test.log
+ event time: 1170021493.977:293, host=?
+ type=PATH (PATH)
+ item=0 (0)
+ name="maildrop" (maildrop)
+ inode=14911367 (14911367)
+ dev=03:07 (03:07)
+ mode=040730 (dir,730)
+ ouid=890 (unknown(890))
+ ogid=891 (unknown(891))
+ rdev=00:00 (00:00)
+ obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
+
+event 2 has 1 records
+ record 1 of type 1101(USER_ACCT) has 11 fields
+ line=5 file=test.log
+ event time: 1170021601.340:294, host=?
+ type=USER_ACCT (USER_ACCT)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 3 has 1 records
+ record 1 of type 1103(CRED_ACQ) has 11 fields
+ line=6 file=test.log
+ event time: 1170021601.342:295, host=?
+ type=CRED_ACQ (CRED_ACQ)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 4 has 1 records
+ record 1 of type 1006(LOGIN) has 5 fields
+ line=7 file=test.log
+ event time: 1170021601.343:296, host=?
+ type=LOGIN (LOGIN)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ auid=0 (root)
+
+event 5 has 1 records
+ record 1 of type 1105(USER_START) has 11 fields
+ line=8 file=test.log
+ event time: 1170021601.344:297, host=?
+ type=USER_START (USER_START)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 6 has 1 records
+ record 1 of type 1104(CRED_DISP) has 11 fields
+ line=9 file=test.log
+ event time: 1170021601.364:298, host=?
+ type=CRED_DISP (CRED_DISP)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 7 has 1 records
+ record 1 of type 1106(USER_END) has 11 fields
+ line=10 file=test.log
+ event time: 1170021601.366:299, host=?
+ type=USER_END (USER_END)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 8 has 4 records
+ record 1 of type 1400(AVC) has 11 fields
+ line=1 file=test2.log
+ event time: 1170021493.977:293, host=?
+ type=AVC (AVC)
+ seresult=denied (denied)
+ seperms=read (read)
+ pid=13010 (13010)
+ comm="pickup" (pickup)
+ name="maildrop" (maildrop)
+ dev=hda7 (hda7)
+ ino=14911367 (14911367)
+ scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
+ tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
+ tclass=dir (dir)
+
+ record 2 of type 1300(SYSCALL) has 26 fields
+ line=2 file=test2.log
+ event time: 1170021493.977:293, host=?
+ type=SYSCALL (SYSCALL)
+ arch=c000003e (x86_64)
+ syscall=2 (open)
+ success=no (no)
+ exit=-13 (-13(Permission denied))
+ a0=5555665d91b0 (0x5555665d91b0)
+ a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY)
+ a2=5555665d91b8 (0x5555665d91b8)
+ a3=0 (0x0)
+ items=1 (1)
+ ppid=2013 (2013)
+ pid=13010 (13010)
+ auid=4294967295 (unset)
+ uid=890 (unknown(890))
+ gid=890 (unknown(890))
+ euid=890 (unknown(890))
+ suid=890 (unknown(890))
+ fsuid=890 (unknown(890))
+ egid=890 (unknown(890))
+ sgid=890 (unknown(890))
+ fsgid=890 (unknown(890))
+ tty=(none) ((none))
+ comm="pickup" (pickup)
+ exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup)
+ subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
+ key=(null) ((null))
+
+ record 3 of type 1307(CWD) has 2 fields
+ line=3 file=test2.log
+ event time: 1170021493.977:293, host=?
+ type=CWD (CWD)
+ cwd="/var/spool/postfix" (/var/spool/postfix)
+
+ record 4 of type 1302(PATH) has 10 fields
+ line=4 file=test2.log
+ event time: 1170021493.977:293, host=?
+ type=PATH (PATH)
+ item=0 (0)
+ name="maildrop" (maildrop)
+ inode=14911367 (14911367)
+ dev=03:07 (03:07)
+ mode=040730 (dir,730)
+ ouid=890 (unknown(890))
+ ogid=891 (unknown(891))
+ rdev=00:00 (00:00)
+ obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
+
+event 9 has 1 records
+ record 1 of type 1101(USER_ACCT) has 11 fields
+ line=5 file=test2.log
+ event time: 1170021601.340:294, host=?
+ type=USER_ACCT (USER_ACCT)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 10 has 1 records
+ record 1 of type 1103(CRED_ACQ) has 11 fields
+ line=6 file=test2.log
+ event time: 1170021601.342:295, host=?
+ type=CRED_ACQ (CRED_ACQ)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 11 has 1 records
+ record 1 of type 1006(LOGIN) has 5 fields
+ line=7 file=test2.log
+ event time: 1170021601.343:296, host=?
+ type=LOGIN (LOGIN)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ auid=0 (root)
+
+event 12 has 1 records
+ record 1 of type 1105(USER_START) has 11 fields
+ line=8 file=test2.log
+ event time: 1170021601.344:297, host=?
+ type=USER_START (USER_START)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 13 has 1 records
+ record 1 of type 1104(CRED_DISP) has 11 fields
+ line=9 file=test2.log
+ event time: 1170021601.364:298, host=?
+ type=CRED_DISP (CRED_DISP)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 14 has 1 records
+ record 1 of type 1106(USER_END) has 11 fields
+ line=10 file=test2.log
+ event time: 1170021601.366:299, host=?
+ type=USER_END (USER_END)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+Test 5 Done
+
+Starting Test 6, search...
+auid = 500 not found...which is correct
+auid exists...which is correct
+Testing BUFFER_ARRAY, stop on field
+Found auid = 848
+Testing BUFFER_ARRAY, stop on record
+Found type = SYSCALL
+Testing BUFFER_ARRAY, stop on event
+Found type = SYSCALL
+Testing test.log, stop on field
+Found auid = 4294967295
+Testing test.log, stop on record
+Found type = SYSCALL
+Testing test.log, stop on event
+Found type = AVC
+Test 6 Done
+
+Starting Test 7, compound search...
+Found type = USER_START
+Found auid = 0
+Test 7 Done
+
+Starting Test 8, regex search...
+Doing regex match...
+Found type = LOGIN
+Doing regex wildcard search...
+Found type = USER_LOGIN
+Test 8 Done
+
+Starting Test 9, buffer feed...
+event 1 has 1 records
+ record 1 of type 1006(LOGIN) has 5 fields
+ line=1 file=None
+ event time: 1143146623.787:142, host=?
+ type=LOGIN (LOGIN)
+ pid=2027 (2027)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ auid=848 (unknown(848))
+
+event 2 has 1 records
+ record 1 of type 1300(SYSCALL) has 24 fields
+ line=2 file=None
+ event time: 1143146623.875:143, host=?
+ type=SYSCALL (SYSCALL)
+ arch=c000003e (x86_64)
+ syscall=188 (setxattr)
+ success=yes (yes)
+ exit=0 (0)
+ a0=7fffffa9a9f0 (0x7fffffa9a9f0)
+ a1=3958d11333 (0x3958d11333)
+ a2=5131f0 (0x5131f0)
+ a3=20 (0x20)
+ items=1 (1)
+ pid=2027 (2027)
+ auid=848 (unknown(848))
+ uid=0 (root)
+ gid=0 (root)
+ euid=0 (root)
+ suid=0 (root)
+ fsuid=0 (root)
+ egid=0 (root)
+ sgid=0 (root)
+ fsgid=0 (root)
+ tty=tty3 (tty3)
+ comm="login" (login)
+ exe="/bin/login" (/bin/login)
+ subj=system_u:system_r:local_login_t:s0-s0:c0.c255 (system_u:system_r:local_login_t:s0-s0:c0.c255)
+
+event 3 has 1 records
+ record 1 of type 1112(USER_LOGIN) has 10 fields
+ line=3 file=None
+ event time: 1143146623.879:146, host=?
+ type=USER_LOGIN (USER_LOGIN)
+ pid=2027 (2027)
+ uid=0 (root)
+ auid=848 (unknown(848))
+ uid=848 (unknown(848))
+ exe="/bin/login" (/bin/login)
+ hostname=? (?)
+ addr=? (?)
+ terminal=tty3 (tty3)
+ res=success (success)
+
+Test 9 Done
+
+Starting Test 10, file feed...
+event 1 has 4 records
+ record 1 of type 1400(AVC) has 11 fields
+ line=1 file=None
+ event time: 1170021493.977:293, host=?
+ type=AVC (AVC)
+ seresult=denied (denied)
+ seperms=read,write (read,write)
+ pid=13010 (13010)
+ comm="pickup" (pickup)
+ name="maildrop" (maildrop)
+ dev=hda7 (hda7)
+ ino=14911367 (14911367)
+ scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
+ tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
+ tclass=dir (dir)
+
+ record 2 of type 1300(SYSCALL) has 26 fields
+ line=2 file=None
+ event time: 1170021493.977:293, host=?
+ type=SYSCALL (SYSCALL)
+ arch=c000003e (x86_64)
+ syscall=2 (open)
+ success=no (no)
+ exit=-13 (-13(Permission denied))
+ a0=5555665d91b0 (0x5555665d91b0)
+ a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY)
+ a2=5555665d91b8 (0x5555665d91b8)
+ a3=0 (0x0)
+ items=1 (1)
+ ppid=2013 (2013)
+ pid=13010 (13010)
+ auid=4294967295 (unset)
+ uid=890 (unknown(890))
+ gid=890 (unknown(890))
+ euid=890 (unknown(890))
+ suid=890 (unknown(890))
+ fsuid=890 (unknown(890))
+ egid=890 (unknown(890))
+ sgid=890 (unknown(890))
+ fsgid=890 (unknown(890))
+ tty=(none) ((none))
+ comm="pickup" (pickup)
+ exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup)
+ subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
+ key=(null) ((null))
+
+ record 3 of type 1307(CWD) has 2 fields
+ line=3 file=None
+ event time: 1170021493.977:293, host=?
+ type=CWD (CWD)
+ cwd="/var/spool/postfix" (/var/spool/postfix)
+
+ record 4 of type 1302(PATH) has 10 fields
+ line=4 file=None
+ event time: 1170021493.977:293, host=?
+ type=PATH (PATH)
+ item=0 (0)
+ name="maildrop" (maildrop)
+ inode=14911367 (14911367)
+ dev=03:07 (03:07)
+ mode=040730 (dir,730)
+ ouid=890 (unknown(890))
+ ogid=891 (unknown(891))
+ rdev=00:00 (00:00)
+ obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
+
+event 2 has 1 records
+ record 1 of type 1101(USER_ACCT) has 11 fields
+ line=5 file=None
+ event time: 1170021601.340:294, host=?
+ type=USER_ACCT (USER_ACCT)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 3 has 1 records
+ record 1 of type 1103(CRED_ACQ) has 11 fields
+ line=6 file=None
+ event time: 1170021601.342:295, host=?
+ type=CRED_ACQ (CRED_ACQ)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 4 has 1 records
+ record 1 of type 1006(LOGIN) has 5 fields
+ line=7 file=None
+ event time: 1170021601.343:296, host=?
+ type=LOGIN (LOGIN)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ auid=0 (root)
+
+event 5 has 1 records
+ record 1 of type 1105(USER_START) has 11 fields
+ line=8 file=None
+ event time: 1170021601.344:297, host=?
+ type=USER_START (USER_START)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 6 has 1 records
+ record 1 of type 1104(CRED_DISP) has 11 fields
+ line=9 file=None
+ event time: 1170021601.364:298, host=?
+ type=CRED_DISP (CRED_DISP)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 7 has 1 records
+ record 1 of type 1106(USER_END) has 11 fields
+ line=10 file=None
+ event time: 1170021601.366:299, host=?
+ type=USER_END (USER_END)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+Test 10 Done
+
+Finished non-admin tests
+
diff --git a/framework/src/audit/auparse/test/auparse_test.ref.py b/framework/src/audit/auparse/test/auparse_test.ref.py
new file mode 100644
index 00000000..d25e0645
--- /dev/null
+++ b/framework/src/audit/auparse/test/auparse_test.ref.py
@@ -0,0 +1,793 @@
+Starting Test 1, iterate...
+auid=4294967295
+interp auid=unset
+auid=848
+interp auid=unknown(848)
+auid=848
+interp auid=unknown(848)
+Test 1 Done
+
+Starting Test 2, walk events, records, and fields...
+event 1 has 1 records
+ record 1 of type 1006(LOGIN) has 5 fields
+ line=1 file=None
+ event time: 1143146623.787:142, host=(null)
+ type=LOGIN (LOGIN)
+ pid=2027 (2027)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ auid=848 (unknown(848))
+
+event 2 has 1 records
+ record 1 of type 1300(SYSCALL) has 24 fields
+ line=2 file=None
+ event time: 1143146623.875:143, host=(null)
+ type=SYSCALL (SYSCALL)
+ arch=c000003e (x86_64)
+ syscall=188 (setxattr)
+ success=yes (yes)
+ exit=0 (0)
+ a0=7fffffa9a9f0 (0x7fffffa9a9f0)
+ a1=3958d11333 (0x3958d11333)
+ a2=5131f0 (0x5131f0)
+ a3=20 (0x20)
+ items=1 (1)
+ pid=2027 (2027)
+ auid=848 (unknown(848))
+ uid=0 (root)
+ gid=0 (root)
+ euid=0 (root)
+ suid=0 (root)
+ fsuid=0 (root)
+ egid=0 (root)
+ sgid=0 (root)
+ fsgid=0 (root)
+ tty=tty3 (tty3)
+ comm="login" (login)
+ exe="/bin/login" (/bin/login)
+ subj=system_u:system_r:local_login_t:s0-s0:c0.c255 (system_u:system_r:local_login_t:s0-s0:c0.c255)
+
+event 3 has 1 records
+ record 1 of type 1112(USER_LOGIN) has 10 fields
+ line=3 file=None
+ event time: 1143146623.879:146, host=(null)
+ type=USER_LOGIN (USER_LOGIN)
+ pid=2027 (2027)
+ uid=0 (root)
+ auid=848 (unknown(848))
+ uid=848 (unknown(848))
+ exe="/bin/login" (/bin/login)
+ hostname=? (?)
+ addr=? (?)
+ terminal=tty3 (tty3)
+ res=success (success)
+
+Test 2 Done
+
+Starting Test 3, walk events, records of 1 buffer...
+event has 1 records
+ record 1 of type 1112(USER_LOGIN) has 10 fields
+ line=1 file=None
+ event time: 1143146623.879:146, host=(null)
+
+Test 3 Done
+
+Starting Test 4, walk events, records of 1 file...
+event 1 has 4 records
+ record 1 of type 1400(AVC) has 11 fields
+ line=1 file=test.log
+ event time: 1170021493.977:293, host=(null)
+ type=AVC (AVC)
+ seresult=denied (denied)
+ seperms=read,write (read,write)
+ pid=13010 (13010)
+ comm="pickup" (pickup)
+ name="maildrop" (maildrop)
+ dev=hda7 (hda7)
+ ino=14911367 (14911367)
+ scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
+ tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
+ tclass=dir (dir)
+
+ record 2 of type 1300(SYSCALL) has 26 fields
+ line=2 file=test.log
+ event time: 1170021493.977:293, host=(null)
+ type=SYSCALL (SYSCALL)
+ arch=c000003e (x86_64)
+ syscall=2 (open)
+ success=no (no)
+ exit=-13 (-13(Permission denied))
+ a0=5555665d91b0 (0x5555665d91b0)
+ a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY)
+ a2=5555665d91b8 (0x5555665d91b8)
+ a3=0 (0x0)
+ items=1 (1)
+ ppid=2013 (2013)
+ pid=13010 (13010)
+ auid=4294967295 (unset)
+ uid=890 (unknown(890))
+ gid=890 (unknown(890))
+ euid=890 (unknown(890))
+ suid=890 (unknown(890))
+ fsuid=890 (unknown(890))
+ egid=890 (unknown(890))
+ sgid=890 (unknown(890))
+ fsgid=890 (unknown(890))
+ tty=(none) ((none))
+ comm="pickup" (pickup)
+ exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup)
+ subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
+ key=(null) ((null))
+
+ record 3 of type 1307(CWD) has 2 fields
+ line=3 file=test.log
+ event time: 1170021493.977:293, host=(null)
+ type=CWD (CWD)
+ cwd="/var/spool/postfix" (/var/spool/postfix)
+
+ record 4 of type 1302(PATH) has 10 fields
+ line=4 file=test.log
+ event time: 1170021493.977:293, host=(null)
+ type=PATH (PATH)
+ item=0 (0)
+ name="maildrop" (maildrop)
+ inode=14911367 (14911367)
+ dev=03:07 (03:07)
+ mode=040730 (dir,730)
+ ouid=890 (unknown(890))
+ ogid=891 (unknown(891))
+ rdev=00:00 (00:00)
+ obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
+
+event 2 has 1 records
+ record 1 of type 1101(USER_ACCT) has 11 fields
+ line=5 file=test.log
+ event time: 1170021601.340:294, host=(null)
+ type=USER_ACCT (USER_ACCT)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 3 has 1 records
+ record 1 of type 1103(CRED_ACQ) has 11 fields
+ line=6 file=test.log
+ event time: 1170021601.342:295, host=(null)
+ type=CRED_ACQ (CRED_ACQ)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 4 has 1 records
+ record 1 of type 1006(LOGIN) has 5 fields
+ line=7 file=test.log
+ event time: 1170021601.343:296, host=(null)
+ type=LOGIN (LOGIN)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ auid=0 (root)
+
+event 5 has 1 records
+ record 1 of type 1105(USER_START) has 11 fields
+ line=8 file=test.log
+ event time: 1170021601.344:297, host=(null)
+ type=USER_START (USER_START)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 6 has 1 records
+ record 1 of type 1104(CRED_DISP) has 11 fields
+ line=9 file=test.log
+ event time: 1170021601.364:298, host=(null)
+ type=CRED_DISP (CRED_DISP)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 7 has 1 records
+ record 1 of type 1106(USER_END) has 11 fields
+ line=10 file=test.log
+ event time: 1170021601.366:299, host=(null)
+ type=USER_END (USER_END)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+Test 4 Done
+
+Starting Test 5, walk events, records of 2 files...
+event 1 has 4 records
+ record 1 of type 1400(AVC) has 11 fields
+ line=1 file=test.log
+ event time: 1170021493.977:293, host=(null)
+ type=AVC (AVC)
+ seresult=denied (denied)
+ seperms=read,write (read,write)
+ pid=13010 (13010)
+ comm="pickup" (pickup)
+ name="maildrop" (maildrop)
+ dev=hda7 (hda7)
+ ino=14911367 (14911367)
+ scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
+ tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
+ tclass=dir (dir)
+
+ record 2 of type 1300(SYSCALL) has 26 fields
+ line=2 file=test.log
+ event time: 1170021493.977:293, host=(null)
+ type=SYSCALL (SYSCALL)
+ arch=c000003e (x86_64)
+ syscall=2 (open)
+ success=no (no)
+ exit=-13 (-13(Permission denied))
+ a0=5555665d91b0 (0x5555665d91b0)
+ a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY)
+ a2=5555665d91b8 (0x5555665d91b8)
+ a3=0 (0x0)
+ items=1 (1)
+ ppid=2013 (2013)
+ pid=13010 (13010)
+ auid=4294967295 (unset)
+ uid=890 (unknown(890))
+ gid=890 (unknown(890))
+ euid=890 (unknown(890))
+ suid=890 (unknown(890))
+ fsuid=890 (unknown(890))
+ egid=890 (unknown(890))
+ sgid=890 (unknown(890))
+ fsgid=890 (unknown(890))
+ tty=(none) ((none))
+ comm="pickup" (pickup)
+ exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup)
+ subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
+ key=(null) ((null))
+
+ record 3 of type 1307(CWD) has 2 fields
+ line=3 file=test.log
+ event time: 1170021493.977:293, host=(null)
+ type=CWD (CWD)
+ cwd="/var/spool/postfix" (/var/spool/postfix)
+
+ record 4 of type 1302(PATH) has 10 fields
+ line=4 file=test.log
+ event time: 1170021493.977:293, host=(null)
+ type=PATH (PATH)
+ item=0 (0)
+ name="maildrop" (maildrop)
+ inode=14911367 (14911367)
+ dev=03:07 (03:07)
+ mode=040730 (dir,730)
+ ouid=890 (unknown(890))
+ ogid=891 (unknown(891))
+ rdev=00:00 (00:00)
+ obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
+
+event 2 has 1 records
+ record 1 of type 1101(USER_ACCT) has 11 fields
+ line=5 file=test.log
+ event time: 1170021601.340:294, host=(null)
+ type=USER_ACCT (USER_ACCT)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 3 has 1 records
+ record 1 of type 1103(CRED_ACQ) has 11 fields
+ line=6 file=test.log
+ event time: 1170021601.342:295, host=(null)
+ type=CRED_ACQ (CRED_ACQ)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 4 has 1 records
+ record 1 of type 1006(LOGIN) has 5 fields
+ line=7 file=test.log
+ event time: 1170021601.343:296, host=(null)
+ type=LOGIN (LOGIN)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ auid=0 (root)
+
+event 5 has 1 records
+ record 1 of type 1105(USER_START) has 11 fields
+ line=8 file=test.log
+ event time: 1170021601.344:297, host=(null)
+ type=USER_START (USER_START)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 6 has 1 records
+ record 1 of type 1104(CRED_DISP) has 11 fields
+ line=9 file=test.log
+ event time: 1170021601.364:298, host=(null)
+ type=CRED_DISP (CRED_DISP)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 7 has 1 records
+ record 1 of type 1106(USER_END) has 11 fields
+ line=10 file=test.log
+ event time: 1170021601.366:299, host=(null)
+ type=USER_END (USER_END)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 8 has 4 records
+ record 1 of type 1400(AVC) has 11 fields
+ line=1 file=test2.log
+ event time: 1170021493.977:293, host=(null)
+ type=AVC (AVC)
+ seresult=denied (denied)
+ seperms=read (read)
+ pid=13010 (13010)
+ comm="pickup" (pickup)
+ name="maildrop" (maildrop)
+ dev=hda7 (hda7)
+ ino=14911367 (14911367)
+ scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
+ tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
+ tclass=dir (dir)
+
+ record 2 of type 1300(SYSCALL) has 26 fields
+ line=2 file=test2.log
+ event time: 1170021493.977:293, host=(null)
+ type=SYSCALL (SYSCALL)
+ arch=c000003e (x86_64)
+ syscall=2 (open)
+ success=no (no)
+ exit=-13 (-13(Permission denied))
+ a0=5555665d91b0 (0x5555665d91b0)
+ a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY)
+ a2=5555665d91b8 (0x5555665d91b8)
+ a3=0 (0x0)
+ items=1 (1)
+ ppid=2013 (2013)
+ pid=13010 (13010)
+ auid=4294967295 (unset)
+ uid=890 (unknown(890))
+ gid=890 (unknown(890))
+ euid=890 (unknown(890))
+ suid=890 (unknown(890))
+ fsuid=890 (unknown(890))
+ egid=890 (unknown(890))
+ sgid=890 (unknown(890))
+ fsgid=890 (unknown(890))
+ tty=(none) ((none))
+ comm="pickup" (pickup)
+ exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup)
+ subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
+ key=(null) ((null))
+
+ record 3 of type 1307(CWD) has 2 fields
+ line=3 file=test2.log
+ event time: 1170021493.977:293, host=(null)
+ type=CWD (CWD)
+ cwd="/var/spool/postfix" (/var/spool/postfix)
+
+ record 4 of type 1302(PATH) has 10 fields
+ line=4 file=test2.log
+ event time: 1170021493.977:293, host=(null)
+ type=PATH (PATH)
+ item=0 (0)
+ name="maildrop" (maildrop)
+ inode=14911367 (14911367)
+ dev=03:07 (03:07)
+ mode=040730 (dir,730)
+ ouid=890 (unknown(890))
+ ogid=891 (unknown(891))
+ rdev=00:00 (00:00)
+ obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
+
+event 9 has 1 records
+ record 1 of type 1101(USER_ACCT) has 11 fields
+ line=5 file=test2.log
+ event time: 1170021601.340:294, host=(null)
+ type=USER_ACCT (USER_ACCT)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 10 has 1 records
+ record 1 of type 1103(CRED_ACQ) has 11 fields
+ line=6 file=test2.log
+ event time: 1170021601.342:295, host=(null)
+ type=CRED_ACQ (CRED_ACQ)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 11 has 1 records
+ record 1 of type 1006(LOGIN) has 5 fields
+ line=7 file=test2.log
+ event time: 1170021601.343:296, host=(null)
+ type=LOGIN (LOGIN)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ auid=0 (root)
+
+event 12 has 1 records
+ record 1 of type 1105(USER_START) has 11 fields
+ line=8 file=test2.log
+ event time: 1170021601.344:297, host=(null)
+ type=USER_START (USER_START)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 13 has 1 records
+ record 1 of type 1104(CRED_DISP) has 11 fields
+ line=9 file=test2.log
+ event time: 1170021601.364:298, host=(null)
+ type=CRED_DISP (CRED_DISP)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 14 has 1 records
+ record 1 of type 1106(USER_END) has 11 fields
+ line=10 file=test2.log
+ event time: 1170021601.366:299, host=(null)
+ type=USER_END (USER_END)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+Test 5 Done
+
+Starting Test 6, search...
+auid = 500 not found...which is correct
+auid exists...which is correct
+Testing BUFFER_ARRAY, stop on field
+Found auid = 848
+Testing BUFFER_ARRAY, stop on record
+Found type = SYSCALL
+Testing BUFFER_ARRAY, stop on event
+Found type = SYSCALL
+Testing test.log, stop on field
+Found auid = 4294967295
+Testing test.log, stop on record
+Found type = SYSCALL
+Testing test.log, stop on event
+Found type = AVC
+Test 6 Done
+
+Starting Test 7, compound search...
+Found type = USER_START
+Found auid = 0
+Test 7 Done
+
+Starting Test 8, regex search...
+Doing regex match...
+
+Test 8 Done
+
+Starting Test 9, buffer feed...
+event 1 has 1 records
+ record 1 of type 1006(LOGIN) has 5 fields
+ line=1 file=None
+ event time: 1143146623.787:142, host=(null)
+ type=LOGIN (LOGIN)
+ pid=2027 (2027)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ auid=848 (unknown(848))
+
+event 2 has 1 records
+ record 1 of type 1300(SYSCALL) has 24 fields
+ line=2 file=None
+ event time: 1143146623.875:143, host=(null)
+ type=SYSCALL (SYSCALL)
+ arch=c000003e (x86_64)
+ syscall=188 (setxattr)
+ success=yes (yes)
+ exit=0 (0)
+ a0=7fffffa9a9f0 (0x7fffffa9a9f0)
+ a1=3958d11333 (0x3958d11333)
+ a2=5131f0 (0x5131f0)
+ a3=20 (0x20)
+ items=1 (1)
+ pid=2027 (2027)
+ auid=848 (unknown(848))
+ uid=0 (root)
+ gid=0 (root)
+ euid=0 (root)
+ suid=0 (root)
+ fsuid=0 (root)
+ egid=0 (root)
+ sgid=0 (root)
+ fsgid=0 (root)
+ tty=tty3 (tty3)
+ comm="login" (login)
+ exe="/bin/login" (/bin/login)
+ subj=system_u:system_r:local_login_t:s0-s0:c0.c255 (system_u:system_r:local_login_t:s0-s0:c0.c255)
+
+event 3 has 1 records
+ record 1 of type 1112(USER_LOGIN) has 10 fields
+ line=3 file=None
+ event time: 1143146623.879:146, host=(null)
+ type=USER_LOGIN (USER_LOGIN)
+ pid=2027 (2027)
+ uid=0 (root)
+ auid=848 (unknown(848))
+ uid=848 (unknown(848))
+ exe="/bin/login" (/bin/login)
+ hostname=? (?)
+ addr=? (?)
+ terminal=tty3 (tty3)
+ res=success (success)
+
+Test 9 Done
+
+Starting Test 10, file feed...
+event 1 has 4 records
+ record 1 of type 1400(AVC) has 11 fields
+ line=1 file=None
+ event time: 1170021493.977:293, host=(null)
+ type=AVC (AVC)
+ seresult=denied (denied)
+ seperms=read,write (read,write)
+ pid=13010 (13010)
+ comm="pickup" (pickup)
+ name="maildrop" (maildrop)
+ dev=hda7 (hda7)
+ ino=14911367 (14911367)
+ scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
+ tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
+ tclass=dir (dir)
+
+ record 2 of type 1300(SYSCALL) has 26 fields
+ line=2 file=None
+ event time: 1170021493.977:293, host=(null)
+ type=SYSCALL (SYSCALL)
+ arch=c000003e (x86_64)
+ syscall=2 (open)
+ success=no (no)
+ exit=-13 (-13(Permission denied))
+ a0=5555665d91b0 (0x5555665d91b0)
+ a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY)
+ a2=5555665d91b8 (0x5555665d91b8)
+ a3=0 (0x0)
+ items=1 (1)
+ ppid=2013 (2013)
+ pid=13010 (13010)
+ auid=4294967295 (unset)
+ uid=890 (unknown(890))
+ gid=890 (unknown(890))
+ euid=890 (unknown(890))
+ suid=890 (unknown(890))
+ fsuid=890 (unknown(890))
+ egid=890 (unknown(890))
+ sgid=890 (unknown(890))
+ fsgid=890 (unknown(890))
+ tty=(none) ((none))
+ comm="pickup" (pickup)
+ exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup)
+ subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
+ key=(null) ((null))
+
+ record 3 of type 1307(CWD) has 2 fields
+ line=3 file=None
+ event time: 1170021493.977:293, host=(null)
+ type=CWD (CWD)
+ cwd="/var/spool/postfix" (/var/spool/postfix)
+
+ record 4 of type 1302(PATH) has 10 fields
+ line=4 file=None
+ event time: 1170021493.977:293, host=(null)
+ type=PATH (PATH)
+ item=0 (0)
+ name="maildrop" (maildrop)
+ inode=14911367 (14911367)
+ dev=03:07 (03:07)
+ mode=040730 (dir,730)
+ ouid=890 (unknown(890))
+ ogid=891 (unknown(891))
+ rdev=00:00 (00:00)
+ obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
+
+event 2 has 1 records
+ record 1 of type 1101(USER_ACCT) has 11 fields
+ line=5 file=None
+ event time: 1170021601.340:294, host=(null)
+ type=USER_ACCT (USER_ACCT)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 3 has 1 records
+ record 1 of type 1103(CRED_ACQ) has 11 fields
+ line=6 file=None
+ event time: 1170021601.342:295, host=(null)
+ type=CRED_ACQ (CRED_ACQ)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 4 has 1 records
+ record 1 of type 1006(LOGIN) has 5 fields
+ line=7 file=None
+ event time: 1170021601.343:296, host=(null)
+ type=LOGIN (LOGIN)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=4294967295 (unset)
+ auid=0 (root)
+
+event 5 has 1 records
+ record 1 of type 1105(USER_START) has 11 fields
+ line=8 file=None
+ event time: 1170021601.344:297, host=(null)
+ type=USER_START (USER_START)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 6 has 1 records
+ record 1 of type 1104(CRED_DISP) has 11 fields
+ line=9 file=None
+ event time: 1170021601.364:298, host=(null)
+ type=CRED_DISP (CRED_DISP)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+event 7 has 1 records
+ record 1 of type 1106(USER_END) has 11 fields
+ line=10 file=None
+ event time: 1170021601.366:299, host=(null)
+ type=USER_END (USER_END)
+ pid=13015 (13015)
+ uid=0 (root)
+ auid=0 (root)
+ subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
+ acct=root (root)
+ exe="/usr/sbin/crond" (/usr/sbin/crond)
+ hostname=? (?)
+ addr=? (?)
+ terminal=cron (cron)
+ res=success (success)
+
+Test 10 Done
+
+Finished non-admin tests
+
diff --git a/framework/src/audit/auparse/test/test.log b/framework/src/audit/auparse/test/test.log
new file mode 100644
index 00000000..e0ffabf5
--- /dev/null
+++ b/framework/src/audit/auparse/test/test.log
@@ -0,0 +1,10 @@
+type=AVC msg=audit(1170021493.977:293): avc: denied { read write } for pid=13010 comm="pickup" name="maildrop" dev=hda7 ino=14911367 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
+type=SYSCALL msg=audit(1170021493.977:293): arch=c000003e syscall=2 success=no exit=-13 a0=5555665d91b0 a1=10800 a2=5555665d91b8 a3=0 items=1 ppid=2013 pid=13010 auid=4294967295 uid=890 gid=890 euid=890 suid=890 fsuid=890 egid=890 sgid=890 fsgid=890 tty=(none) comm="pickup" exe="/usr/libexec/postfix/pickup" subj=system_u:system_r:postfix_pickup_t:s0 key=(null)
+type=CWD msg=audit(1170021493.977:293): cwd="/var/spool/postfix"
+type=PATH msg=audit(1170021493.977:293): item=0 name="maildrop" inode=14911367 dev=03:07 mode=040730 ouid=890 ogid=891 rdev=00:00 obj=system_u:object_r:postfix_spool_maildrop_t:s0
+type=USER_ACCT msg=audit(1170021601.340:294): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
+type=CRED_ACQ msg=audit(1170021601.342:295): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
+type=LOGIN msg=audit(1170021601.343:296): login pid=13015 uid=0 old auid=4294967295 new auid=0
+type=USER_START msg=audit(1170021601.344:297): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
+type=CRED_DISP msg=audit(1170021601.364:298): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
+type=USER_END msg=audit(1170021601.366:299): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session close acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
diff --git a/framework/src/audit/auparse/test/test2.log b/framework/src/audit/auparse/test/test2.log
new file mode 100644
index 00000000..588f1e04
--- /dev/null
+++ b/framework/src/audit/auparse/test/test2.log
@@ -0,0 +1,10 @@
+type=AVC msg=audit(1170021493.977:293): avc: denied { read } for pid=13010 comm="pickup" name="maildrop" dev=hda7 ino=14911367 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
+type=SYSCALL msg=audit(1170021493.977:293): arch=c000003e syscall=2 success=no exit=-13 a0=5555665d91b0 a1=10800 a2=5555665d91b8 a3=0 items=1 ppid=2013 pid=13010 auid=4294967295 uid=890 gid=890 euid=890 suid=890 fsuid=890 egid=890 sgid=890 fsgid=890 tty=(none) comm="pickup" exe="/usr/libexec/postfix/pickup" subj=system_u:system_r:postfix_pickup_t:s0 key=(null)
+type=CWD msg=audit(1170021493.977:293): cwd="/var/spool/postfix"
+type=PATH msg=audit(1170021493.977:293): item=0 name="maildrop" inode=14911367 dev=03:07 mode=040730 ouid=890 ogid=891 rdev=00:00 obj=system_u:object_r:postfix_spool_maildrop_t:s0
+type=USER_ACCT msg=audit(1170021601.340:294): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
+type=CRED_ACQ msg=audit(1170021601.342:295): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
+type=LOGIN msg=audit(1170021601.343:296): login pid=13015 uid=0 old auid=4294967295 new auid=0
+type=USER_START msg=audit(1170021601.344:297): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
+type=CRED_DISP msg=audit(1170021601.364:298): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
+type=USER_END msg=audit(1170021601.366:299): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session close acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'