Diffstat (limited to 'framework/src/audit/auparse/test')
-rw-r--r--framework/src/audit/auparse/test/Makefile.am91
-rw-r--r--framework/src/audit/auparse/test/auparse_test.c469
-rwxr-xr-xframework/src/audit/auparse/test/auparse_test.py262
-rw-r--r--framework/src/audit/auparse/test/auparse_test.ref803
-rw-r--r--framework/src/audit/auparse/test/auparse_test.ref.py793
-rw-r--r--framework/src/audit/auparse/test/test.log10
-rw-r--r--framework/src/audit/auparse/test/test2.log10
7 files changed, 0 insertions, 2438 deletions
diff --git a/framework/src/audit/auparse/test/Makefile.am b/framework/src/audit/auparse/test/Makefile.am
deleted file mode 100644
index 19793508..00000000
--- a/framework/src/audit/auparse/test/Makefile.am
+++ /dev/null
@@ -1,91 +0,0 @@
-# Makefile.am --
-# Copyright 2006-08,2014-15 Red Hat Inc., Durham, North Carolina.
-# All Rights Reserved.
-#
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation; either
-# version 2.1 of the License, or (at your option) any later version.
-#
-# This library is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# Lesser General Public License for more details.
-#
-# You should have received a copy of the GNU Lesser General Public
-# License along with this library; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-#
-# Authors:
-# Steve Grubb <sgrubb@redhat.com>
-#
-
-CONFIG_CLEAN_FILES = *.loT *.rej *.orig *.cur
-AUTOMAKE_OPTIONS = no-dependencies
-check_PROGRAMS = auparse_test
-dist_check_SCRIPTS = auparse_test.py
-EXTRA_DIST = auparse_test.ref auparse_test.ref.py test.log test2.log
-
-AM_CPPFLAGS = -I${top_srcdir}/auparse -I${top_srcdir}/lib
-
-auparse_test_SOURCES = auparse_test.c
-auparse_test_LDFLAGS = -static
-auparse_test_LDADD = ${top_builddir}/auparse/libauparse.la \
- ${top_builddir}/lib/libaudit.la
-
-drop_srcdir = sed 's,$(srcdir)/test,test,'
-
-check: auparse_test
- test "$(top_srcdir)" = "$(top_builddir)" || \
- cp $(top_srcdir)/auparse/test/test*.log .
- LC_ALL=C \
- ./auparse_test > auparse_test.cur
- diff -u $(top_srcdir)/auparse/test/auparse_test.ref auparse_test.cur
-if HAVE_PYTHON
- cp ${top_builddir}/bindings/swig/python/.libs/_audit.so ${top_builddir}/bindings/swig/python
- PYTHONPATH=${top_builddir}/bindings/python/python2/.libs/:${top_builddir}/bindings/swig/python:${top_builddir}/bindings/swig/python/.libs \
- LD_LIBRARY_PATH=${top_builddir}/auparse/.libs \
- srcdir=$(srcdir) $(srcdir)/auparse_test.py \
- | $(drop_srcdir) > auparse_test.cur
- diff -u $(top_srcdir)/auparse/test/auparse_test.ref.py auparse_test.cur
-endif
- echo -e "===================\nAuparse Test Passes\n==================="
-
-diffcheck: auparse_test
- ./auparse_test > auparse_test.cur
- diff -u $(srcdir)/auparse_test.ref auparse_test.cur
-
-memcheck: auparse_test
- valgrind --leak-check=yes --show-reachable=yes ./auparse_test
-
-pycheck: auparse_test.py
-if HAVE_PYTHON
- PYTHONPATH=${top_builddir}/bindings/python/python2/.libs/:${top_builddir}/bindings/swig/python:${top_builddir}/bindings/swig/python/.libs \
- LD_LIBRARY_PATH=${top_builddir}/auparse/.libs \
- srcdir=$(srcdir) $(srcdir)/auparse_test.py
-endif
-
-pydiffcheck: auparse_test.py
-if HAVE_PYTHON
- PYTHONPATH=${top_builddir}/bindings/python/python2/.libs/:${top_builddir}/bindings/swig/python:${top_builddir}/bindings/swig/python/.libs \
- LD_LIBRARY_PATH=${top_builddir}/auparse/.libs \
- srcdir=$(srcdir) $(srcdir)/auparse_test.py \
- | $(drop_srcdir) > auparse_test.cur
- diff $(srcdir)/auparse_test.ref auparse_test.cur
-endif
-
-pymemcheck: auparse_test.py
-if HAVE_PYTHON
- PYTHONPATH=${top_builddir}/bindings/python/python2/.libs/:${top_builddir}/bindings/swig/python:${top_builddir}/bindings/swig/python/.libs \
- LD_LIBRARY_PATH=${top_builddir}/auparse/.libs srcdir=$(srcdir) valgrind --leak-check=yes --show-reachable=yes python $(srcdir)/auparse_test.py
-
-${top_builddir}/bindings/python/build/*/auparse.so: ${top_srcdir}/bindings/python/auparse_python.c
- cd ${top_builddir}/bindings/python && make
-endif
-
-clean-generic:
- $(RM) *.cur
-if HAVE_PYTHON
- $(RM) ${top_builddir}/bindings/swig/python/_audit.so
-endif
- test "$(top_srcdir)" = "$(top_builddir)" || $(RM) test*.log
diff --git a/framework/src/audit/auparse/test/auparse_test.c b/framework/src/audit/auparse/test/auparse_test.c
deleted file mode 100644
index a6477d41..00000000
--- a/framework/src/audit/auparse/test/auparse_test.c
+++ /dev/null
@@ -1,469 +0,0 @@
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <locale.h>
-#include <errno.h>
-#include <libaudit.h>
-#include <auparse.h>
-
-
-static const char *buf[] = {
- "type=LOGIN msg=audit(1143146623.787:142): login pid=2027 uid=0 old auid=4294967295 new auid=848\n"
- "type=SYSCALL msg=audit(1143146623.875:143): arch=c000003e syscall=188 success=yes exit=0 a0=7fffffa9a9f0 a1=3958d11333 a2=5131f0 a3=20 items=1 pid=2027 auid=848 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty3 comm=\"login\" exe=\"/bin/login\" subj=system_u:system_r:local_login_t:s0-s0:c0.c255\n",
-
- "type=USER_LOGIN msg=audit(1143146623.879:146): user pid=2027 uid=0 auid=848 msg=\'uid=848: exe=\"/bin/login\" (hostname=?, addr=?, terminal=tty3 res=success)\'\n",
-
- NULL
-};
-
-
-static void walk_test(auparse_state_t *au)
-{
- int event_cnt = 1, record_cnt;
-
- do {
- if (auparse_first_record(au) <= 0) {
- printf("Error getting first record (%s)\n",
- strerror(errno));
- exit(1);
- }
- printf("event %d has %d records\n", event_cnt,
- auparse_get_num_records(au));
- record_cnt = 1;
- do {
- printf(" record %d of type %d(%s) has %d fields\n",
- record_cnt,
- auparse_get_type(au),
- audit_msg_type_to_name(auparse_get_type(au)),
- auparse_get_num_fields(au));
- printf(" line=%d file=%s\n",
- auparse_get_line_number(au),
- auparse_get_filename(au) ?
- auparse_get_filename(au) : "None");
- const au_event_t *e = auparse_get_timestamp(au);
- if (e == NULL) {
- printf("Error getting timestamp - aborting\n");
- exit(1);
- }
- printf(" event time: %u.%u:%lu, host=%s\n",
- (unsigned)e->sec,
- e->milli, e->serial, e->host ? e->host : "?");
- auparse_first_field(au);
- do {
- printf(" %s=%s (%s)\n",
- auparse_get_field_name(au),
- auparse_get_field_str(au),
- auparse_interpret_field(au));
- } while (auparse_next_field(au) > 0);
- printf("\n");
- record_cnt++;
- } while(auparse_next_record(au) > 0);
- event_cnt++;
- } while (auparse_next_event(au) > 0);
-}
-
-void light_test(auparse_state_t *au)
-{
- int record_cnt;
-
- do {
- if (auparse_first_record(au) <= 0) {
- puts("Error getting first record");
- exit(1);
- }
- printf("event has %d records\n", auparse_get_num_records(au));
- record_cnt = 1;
- do {
- printf(" record %d of type %d(%s) has %d fields\n",
- record_cnt,
- auparse_get_type(au),
- audit_msg_type_to_name(auparse_get_type(au)),
- auparse_get_num_fields(au));
- printf(" line=%d file=%s\n",
- auparse_get_line_number(au),
- auparse_get_filename(au) ?
- auparse_get_filename(au) : "None");
- const au_event_t *e = auparse_get_timestamp(au);
- if (e == NULL) {
- printf("Error getting timestamp - aborting\n");
- exit(1);
- }
- printf(" event time: %u.%u:%lu, host=%s\n",
- (unsigned)e->sec,
- e->milli, e->serial,
- e->host ? e->host : "?");
- printf("\n");
- record_cnt++;
- } while(auparse_next_record(au) > 0);
-
- } while (auparse_next_event(au) > 0);
-}
-
-void simple_search(ausource_t source, austop_t where)
-{
- auparse_state_t *au;
- const char *val;
-
- if (source == AUSOURCE_FILE) {
- au = auparse_init(AUSOURCE_FILE, "./test.log");
- val = "4294967295";
- } else {
- au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf);
- val = "848";
- }
- if (au == NULL) {
- printf("auparse_init error - %s\n", strerror(errno));
- exit(1);
- }
- if (ausearch_add_item(au, "auid", "=", val, AUSEARCH_RULE_CLEAR)){
- printf("ausearch_add_item error - %s\n", strerror(errno));
- exit(1);
- }
- if (ausearch_set_stop(au, where)){
- printf("ausearch_set_stop error - %s\n", strerror(errno));
- exit(1);
- }
- if (ausearch_next_event(au) <= 0)
- printf("Error searching for auid - %s\n", strerror(errno));
- else
- printf("Found %s = %s\n", auparse_get_field_name(au),
- auparse_get_field_str(au));
- auparse_destroy(au);
-}
-
-void compound_search(ausearch_rule_t how)
-{
- auparse_state_t *au;
-
- au = auparse_init(AUSOURCE_FILE, "./test.log");
- if (au == NULL) {
- printf("auparse_init error - %s\n", strerror(errno));
- exit(1);
- }
- if (how == AUSEARCH_RULE_AND) {
- if (ausearch_add_item(au, "uid", "=", "0",
- AUSEARCH_RULE_CLEAR)){
- printf("ausearch_add_item 1 error - %s\n",
- strerror(errno));
- exit(1);
- }
- if (ausearch_add_item(au, "pid", "=", "13015", how)){
- printf("ausearch_add_item 2 error - %s\n",
- strerror(errno));
- exit(1);
- }
- if (ausearch_add_item(au, "type", "=", "USER_START", how)){
- printf("ausearch_add_item 3 error - %s\n",
- strerror(errno));
- exit(1);
- }
- } else {
- if (ausearch_add_item(au, "auid", "=", "42",
- AUSEARCH_RULE_CLEAR)){
- printf("ausearch_add_item 4 error - %s\n",
- strerror(errno));
- exit(1);
- }
- // should stop on this one
- if (ausearch_add_item(au, "auid", "=", "0", how)){
- printf("ausearch_add_item 5 error - %s\n",
- strerror(errno));
- exit(1);
- }
- if (ausearch_add_item(au, "auid", "=", "500", how)){
- printf("ausearch_add_item 6 error - %s\n",
- strerror(errno));
- exit(1);
- }
- }
- if (ausearch_set_stop(au, AUSEARCH_STOP_FIELD)){
- printf("ausearch_set_stop error - %s\n", strerror(errno));
- exit(1);
- }
- if (ausearch_next_event(au) <= 0)
- printf("Error searching for auid - %s\n", strerror(errno));
- else
- printf("Found %s = %s\n", auparse_get_field_name(au),
- auparse_get_field_str(au));
- auparse_destroy(au);
-}
-
-void regex_search(const char *expr)
-{
- auparse_state_t *au;
- int rc;
-
- au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf);
- if (au == NULL) {
- printf("auparse_init error - %s\n", strerror(errno));
- exit(1);
- }
- if (ausearch_add_regex(au, expr)){
- printf("ausearch_add_regex error - %s\n", strerror(errno));
- exit(1);
- }
- if (ausearch_set_stop(au, AUSEARCH_STOP_RECORD)){
- printf("ausearch_set_stop error - %s\n", strerror(errno));
- exit(1);
- }
- rc = ausearch_next_event(au);
- if (rc < 0)
- printf("Error searching for %s - %s\n", expr, strerror(errno));
- else if (rc == 0)
- printf("Not found\n");
- else
- printf("Found %s = %s\n", auparse_get_field_name(au),
- auparse_get_field_str(au));
- auparse_destroy(au);
-}
-
-static void auparse_callback(auparse_state_t *au, auparse_cb_event_t cb_event_type, void *user_data)
-{
- int *event_cnt = (int *)user_data;
- int record_cnt;
-
- if (cb_event_type == AUPARSE_CB_EVENT_READY) {
- if (auparse_first_record(au) <= 0) {
- printf("can't get first record\n");
- return;
- }
- printf("event %d has %d records\n", *event_cnt,
- auparse_get_num_records(au));
- record_cnt = 1;
- do {
- printf(" record %d of type %d(%s) has %d fields\n",
- record_cnt,
- auparse_get_type(au),
- audit_msg_type_to_name(auparse_get_type(au)),
- auparse_get_num_fields(au));
- printf(" line=%d file=%s\n",
- auparse_get_line_number(au),
- auparse_get_filename(au) ?
- auparse_get_filename(au) : "None");
- const au_event_t *e = auparse_get_timestamp(au);
- if (e == NULL) {
- return;
- }
- printf(" event time: %u.%u:%lu, host=%s\n",
- (unsigned)e->sec,
- e->milli, e->serial,
- e->host ? e->host : "?");
- auparse_first_field(au);
- do {
- printf(" %s=%s (%s)\n",
- auparse_get_field_name(au),
- auparse_get_field_str(au),
- auparse_interpret_field(au));
- } while (auparse_next_field(au) > 0);
- printf("\n");
- record_cnt++;
- } while(auparse_next_record(au) > 0);
- (*event_cnt)++;
- }
-}
-
-int main(void)
-{
- //char *files[4] = { "test.log", "test2.log", "test3.log", NULL };
- char *files[3] = { "test.log", "test2.log", NULL };
- setlocale (LC_ALL, "");
- auparse_state_t *au;
-
- au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf);
- if (au == NULL) {
- printf("Error - %s\n", strerror(errno));
- return 1;
- }
-
- printf("Starting Test 1, iterate...\n");
- while (auparse_next_event(au) > 0) {
- if (auparse_find_field(au, "auid")) {
- printf("%s=%s\n", auparse_get_field_name(au),
- auparse_get_field_str(au));
- printf("interp auid=%s\n", auparse_interpret_field(au));
- } else
- printf("Error iterating to auid\n");
- }
- auparse_reset(au);
- while (auparse_next_event(au) > 0) {
- if (auparse_find_field(au, "auid")) {
- do {
- printf("%s=%s\n", auparse_get_field_name(au),
- auparse_get_field_str(au));
- printf("interp auid=%s\n", auparse_interpret_field(au));
- } while (auparse_find_field_next(au));
- } else
- printf("Error iterating to auid\n");
- }
- printf("Test 1 Done\n\n");
-
- /* Reset, now lets go to beginning and walk the list manually */
- printf("Starting Test 2, walk events, records, and fields...\n");
- auparse_reset(au);
- walk_test(au);
- auparse_destroy(au);
- printf("Test 2 Done\n\n");
-
- /* Reset, now lets go to beginning and walk the list manually */
- printf("Starting Test 3, walk events, records of 1 buffer...\n");
- au = auparse_init(AUSOURCE_BUFFER, buf[1]);
- if (au == NULL) {
- printf("Error - %s\n", strerror(errno));
- return 1;
- }
- light_test(au);
- auparse_destroy(au);
- printf("Test 3 Done\n\n");
-
- printf("Starting Test 4, walk events, records of 1 file...\n");
- au = auparse_init(AUSOURCE_FILE, "./test.log");
- if (au == NULL) {
- printf("Error - %s\n", strerror(errno));
- return 1;
- }
- walk_test(au);
- auparse_destroy(au);
- printf("Test 4 Done\n\n");
-
- printf("Starting Test 5, walk events, records of 2 files...\n");
- au = auparse_init(AUSOURCE_FILE_ARRAY, files);
- if (au == NULL) {
- printf("Error - %s\n", strerror(errno));
- return 1;
- }
- walk_test(au);
- auparse_destroy(au);
- printf("Test 5 Done\n\n");
-
- printf("Starting Test 6, search...\n");
- au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf);
- if (au == NULL) {
- printf("Error - %s\n", strerror(errno));
- return 1;
- }
- if (ausearch_add_item(au, "auid", "=", "500", AUSEARCH_RULE_CLEAR)){
- printf("Error - %s", strerror(errno));
- return 1;
- }
- if (ausearch_set_stop(au, AUSEARCH_STOP_EVENT)){
- printf("Error - %s", strerror(errno));
- exit(1);
- }
- if (ausearch_next_event(au) != 0) {
- printf("Error search found something it shouldn't have\n");
- }
- puts("auid = 500 not found...which is correct");
- ausearch_clear(au);
- auparse_destroy(au);
- au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf);
- if (ausearch_add_item(au,"auid", "exists", NULL, AUSEARCH_RULE_CLEAR)){
- printf("Error - %s", strerror(errno));
- return 1;
- }
- if (ausearch_set_stop(au, AUSEARCH_STOP_EVENT)){
- printf("Error - %s", strerror(errno));
- exit(1);
- }
- if (ausearch_next_event(au) <= 0) {
- printf("Error searching for existence of auid\n");
- }
- puts("auid exists...which is correct");
- puts("Testing BUFFER_ARRAY, stop on field");
- simple_search(AUSOURCE_BUFFER_ARRAY, AUSEARCH_STOP_FIELD);
- puts("Testing BUFFER_ARRAY, stop on record");
- simple_search(AUSOURCE_BUFFER_ARRAY, AUSEARCH_STOP_RECORD);
- puts("Testing BUFFER_ARRAY, stop on event");
- simple_search(AUSOURCE_BUFFER_ARRAY, AUSEARCH_STOP_EVENT);
- puts("Testing test.log, stop on field");
- simple_search(AUSOURCE_FILE, AUSEARCH_STOP_FIELD);
- puts("Testing test.log, stop on record");
- simple_search(AUSOURCE_FILE, AUSEARCH_STOP_RECORD);
- puts("Testing test.log, stop on event");
- simple_search(AUSOURCE_FILE, AUSEARCH_STOP_EVENT);
- auparse_destroy(au);
- printf("Test 6 Done\n\n");
-
- printf("Starting Test 7, compound search...\n");
- au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf);
- if (au == NULL) {
- printf("Error - %s\n", strerror(errno));
- return 1;
- }
- compound_search(AUSEARCH_RULE_AND);
- compound_search(AUSEARCH_RULE_OR);
- auparse_destroy(au);
- printf("Test 7 Done\n\n");
-
- printf("Starting Test 8, regex search...\n");
- puts("Doing regex match...");
- regex_search("1143146623");
- puts("Doing regex wildcard search...");
- regex_search("11431466.*146");
- printf("Test 8 Done\n\n");
-
- /* Note: this should match Test 2 exactly */
- printf("Starting Test 9, buffer feed...\n");
- {
- int event_cnt = 1;
- size_t len, chunk_len = 3;
- const char **cur_buf, *p_beg, *p_end, *p_chunk_beg,
- *p_chunk_end;
-
- au = auparse_init(AUSOURCE_FEED, 0);
- auparse_add_callback(au, auparse_callback, &event_cnt, NULL);
- for (cur_buf = buf, p_beg = *cur_buf; *cur_buf;
- cur_buf++, p_beg = *cur_buf) {
- len = strlen(p_beg);
- p_end = p_beg + len;
- p_chunk_beg = p_beg;
- while (p_chunk_beg < p_end) {
- p_chunk_end = p_chunk_beg + chunk_len;
- if (p_chunk_end > p_end)
- p_chunk_end = p_end;
-
- //fwrite(p_chunk_beg, 1,
- // p_chunk_end-p_chunk_beg, stdout);
- auparse_feed(au, p_chunk_beg,
- p_chunk_end-p_chunk_beg);
- p_chunk_beg = p_chunk_end;
- }
- }
-
- auparse_flush_feed(au);
- auparse_destroy(au);
- }
- printf("Test 9 Done\n\n");
-
- /* Note: this should match Test 4 exactly */
- printf("Starting Test 10, file feed...\n");
- {
- int *event_cnt = malloc(sizeof(int));
- size_t len;
- char filename[] = "./test.log";
- char buf[4];
- FILE *fp;
-
- *event_cnt = 1;
- au = auparse_init(AUSOURCE_FEED, 0);
- auparse_add_callback(au, auparse_callback, event_cnt, free);
- if ((fp = fopen(filename, "r")) == NULL) {
- fprintf(stderr, "could not open '%s', %s\n",
- filename, strerror(errno));
- return 1;
- }
- while ((len = fread(buf, 1, sizeof(buf), fp))) {
- auparse_feed(au, buf, len);
- }
-
- fclose(fp);
- auparse_flush_feed(au);
- auparse_destroy(au);
- }
- printf("Test 10 Done\n\n");
-
- puts("Finished non-admin tests\n");
-
- return 0;
-}
-
diff --git a/framework/src/audit/auparse/test/auparse_test.py b/framework/src/audit/auparse/test/auparse_test.py
deleted file mode 100755
index 9d9a5c4d..00000000
--- a/framework/src/audit/auparse/test/auparse_test.py
+++ /dev/null
@@ -1,262 +0,0 @@
-#!/usr/bin/env python
-
-import os
-srcdir = os.getenv('srcdir')
-
-buf = ["type=LOGIN msg=audit(1143146623.787:142): login pid=2027 uid=0 old auid=4294967295 new auid=848\ntype=SYSCALL msg=audit(1143146623.875:143): arch=c000003e syscall=188 success=yes exit=0 a0=7fffffa9a9f0 a1=3958d11333 a2=5131f0 a3=20 items=1 pid=2027 auid=848 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty3 comm=\"login\" exe=\"/bin/login\" subj=system_u:system_r:local_login_t:s0-s0:c0.c255\n",
-"type=USER_LOGIN msg=audit(1143146623.879:146): user pid=2027 uid=0 auid=848 msg=\'uid=848: exe=\"/bin/login\" (hostname=?, addr=?, terminal=tty3 res=success)\'\n",
-]
-files = [srcdir + "/test.log", srcdir + "/test2.log"]
-
-import sys
-import time
-load_path = '../../bindings/python/build/lib.linux-i686-2.4'
-if False:
- sys.path.insert(0, load_path)
-
-import auparse
-import audit
-
-def none_to_null(s):
- 'used so output matches C version'
- if s is None:
- return '(null)'
- else:
- return s
-
-def walk_test(au):
- event_cnt = 1
-
- au.reset()
- while True:
- if not au.first_record():
- print "Error getting first record"
- sys.exit(1)
-
- print "event %d has %d records" % (event_cnt, au.get_num_records())
-
- record_cnt = 1
- while True:
- print " record %d of type %d(%s) has %d fields" % \
- (record_cnt,
- au.get_type(), audit.audit_msg_type_to_name(au.get_type()),
- au.get_num_fields())
- print " line=%d file=%s" % (au.get_line_number(), au.get_filename())
- event = au.get_timestamp()
- if event is None:
- print "Error getting timestamp - aborting"
- sys.exit(1)
-
- print " event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host))
- au.first_field()
- while True:
- print " %s=%s (%s)" % (au.get_field_name(), au.get_field_str(), au.interpret_field())
- if not au.next_field(): break
- print
- record_cnt += 1
- if not au.next_record(): break
- event_cnt += 1
- if not au.parse_next_event(): break
-
-
-def light_test(au):
- while True:
- if not au.first_record():
- print "Error getting first record"
- sys.exit(1)
-
- print "event has %d records" % (au.get_num_records())
-
- record_cnt = 1
- while True:
- print " record %d of type %d(%s) has %d fields" % \
- (record_cnt,
- au.get_type(), audit.audit_msg_type_to_name(au.get_type()),
- au.get_num_fields())
- print " line=%d file=%s" % (au.get_line_number(), au.get_filename())
- event = au.get_timestamp()
- if event is None:
- print "Error getting timestamp - aborting"
- sys.exit(1)
-
- print " event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host))
- print
- record_cnt += 1
- if not au.next_record(): break
- if not au.parse_next_event(): break
-
-def simple_search(au, source, where):
-
- if source == auparse.AUSOURCE_FILE:
- au = auparse.AuParser(auparse.AUSOURCE_FILE, srcdir + "/test.log");
- val = "4294967295"
- else:
- au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
- val = "848"
-
- au.search_add_item("auid", "=", val, auparse.AUSEARCH_RULE_CLEAR)
- au.search_set_stop(where)
- if not au.search_next_event():
- print "Error searching for auid"
- else:
- print "Found %s = %s" % (au.get_field_name(), au.get_field_str())
-
-def compound_search(au, how):
- au = auparse.AuParser(auparse.AUSOURCE_FILE, srcdir + "/test.log");
- if how == auparse.AUSEARCH_RULE_AND:
- au.search_add_item("uid", "=", "0", auparse.AUSEARCH_RULE_CLEAR)
- au.search_add_item("pid", "=", "13015", how)
- au.search_add_item("type", "=", "USER_START", how)
- else:
- au.search_add_item("auid", "=", "42", auparse.AUSEARCH_RULE_CLEAR)
- # should stop on this one
- au.search_add_item("auid", "=", "0", how)
- au.search_add_item("auid", "=", "500", how)
-
- au.search_set_stop(auparse.AUSEARCH_STOP_FIELD)
- if not au.search_next_event():
- print "Error searching for auid"
- else:
- print "Found %s = %s" % (au.get_field_name(), au.get_field_str())
-
-def feed_callback(au, cb_event_type, event_cnt):
- if cb_event_type == auparse.AUPARSE_CB_EVENT_READY:
- if not au.first_record():
- print "Error getting first record"
- sys.exit(1)
-
- print "event %d has %d records" % (event_cnt[0], au.get_num_records())
-
- record_cnt = 1
- while True:
- print " record %d of type %d(%s) has %d fields" % \
- (record_cnt,
- au.get_type(), audit.audit_msg_type_to_name(au.get_type()),
- au.get_num_fields())
- print " line=%d file=%s" % (au.get_line_number(), au.get_filename())
- event = au.get_timestamp()
- if event is None:
- print "Error getting timestamp - aborting"
- sys.exit(1)
-
- print " event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host))
- au.first_field()
- while True:
- print " %s=%s (%s)" % (au.get_field_name(), au.get_field_str(), au.interpret_field())
- if not au.next_field(): break
- print
- record_cnt += 1
- if not au.next_record(): break
- event_cnt[0] += 1
-
-au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
-
-print "Starting Test 1, iterate..."
-while au.parse_next_event():
- if au.find_field("auid"):
- print "%s=%s" % (au.get_field_name(), au.get_field_str())
- print "interp auid=%s" % (au.interpret_field())
- else:
- print "Error iterating to auid"
-print "Test 1 Done\n"
-
-# Reset, now lets go to beginning and walk the list manually */
-print "Starting Test 2, walk events, records, and fields..."
-au.reset()
-walk_test(au)
-print "Test 2 Done\n"
-
-# Reset, now lets go to beginning and walk the list manually */
-print "Starting Test 3, walk events, records of 1 buffer..."
-au = auparse.AuParser(auparse.AUSOURCE_BUFFER, buf[1])
-light_test(au);
-print "Test 3 Done\n"
-
-print "Starting Test 4, walk events, records of 1 file..."
-au = auparse.AuParser(auparse.AUSOURCE_FILE, srcdir + "/test.log");
-walk_test(au);
-print "Test 4 Done\n"
-
-print "Starting Test 5, walk events, records of 2 files..."
-au = auparse.AuParser(auparse.AUSOURCE_FILE_ARRAY, files);
-walk_test(au);
-print "Test 5 Done\n"
-
-print "Starting Test 6, search..."
-au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
-au.search_add_item("auid", "=", "500", auparse.AUSEARCH_RULE_CLEAR)
-au.search_set_stop(auparse.AUSEARCH_STOP_EVENT)
-if au.search_next_event():
- print "Error search found something it shouldn't have"
-else:
- print "auid = 500 not found...which is correct"
-au.search_clear()
-au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
-#au.search_add_item("auid", "exists", None, auparse.AUSEARCH_RULE_CLEAR)
-au.search_add_item("auid", "exists", "", auparse.AUSEARCH_RULE_CLEAR)
-au.search_set_stop(auparse.AUSEARCH_STOP_EVENT)
-if not au.search_next_event():
- print "Error searching for existence of auid"
-print "auid exists...which is correct"
-print "Testing BUFFER_ARRAY, stop on field"
-simple_search(au, auparse.AUSOURCE_BUFFER_ARRAY, auparse.AUSEARCH_STOP_FIELD)
-print "Testing BUFFER_ARRAY, stop on record"
-simple_search(au, auparse.AUSOURCE_BUFFER_ARRAY, auparse.AUSEARCH_STOP_RECORD)
-print "Testing BUFFER_ARRAY, stop on event"
-simple_search(au, auparse.AUSOURCE_BUFFER_ARRAY, auparse.AUSEARCH_STOP_EVENT)
-print "Testing test.log, stop on field"
-simple_search(au, auparse.AUSOURCE_FILE, auparse.AUSEARCH_STOP_FIELD)
-print "Testing test.log, stop on record"
-simple_search(au, auparse.AUSOURCE_FILE, auparse.AUSEARCH_STOP_RECORD)
-print "Testing test.log, stop on event"
-simple_search(au, auparse.AUSOURCE_FILE, auparse.AUSEARCH_STOP_EVENT)
-print "Test 6 Done\n"
-
-print "Starting Test 7, compound search..."
-au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
-compound_search(au, auparse.AUSEARCH_RULE_AND)
-compound_search(au, auparse.AUSEARCH_RULE_OR)
-print "Test 7 Done\n"
-
-print "Starting Test 8, regex search..."
-au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
-print "Doing regex match...\n"
-au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
-print "Test 8 Done\n"
-
-# Note: this should match Test 2 exactly
-# Note: this should match Test 2 exactly
-print "Starting Test 9, buffer feed..."
-au = auparse.AuParser(auparse.AUSOURCE_FEED);
-event_cnt = 1
-au.add_callback(feed_callback, [event_cnt])
-chunk_len = 3
-for s in buf:
- s_len = len(s)
- beg = 0
- while beg < s_len:
- end = min(s_len, beg + chunk_len)
- data = s[beg:end]
- beg += chunk_len
- au.feed(data)
-au.flush_feed()
-print "Test 9 Done\n"
-
-# Note: this should match Test 4 exactly
-print "Starting Test 10, file feed..."
-au = auparse.AuParser(auparse.AUSOURCE_FEED);
-event_cnt = 1
-au.add_callback(feed_callback, [event_cnt])
-f = open(srcdir + "/test.log");
-while True:
- data = f.read(4)
- if not data: break
- au.feed(data)
-au.flush_feed()
-print "Test 10 Done\n"
-
-print "Finished non-admin tests\n"
-
-au = None
-sys.exit(0)
-
diff --git a/framework/src/audit/auparse/test/auparse_test.ref b/framework/src/audit/auparse/test/auparse_test.ref
deleted file mode 100644
index 6cc399bd..00000000
--- a/framework/src/audit/auparse/test/auparse_test.ref
+++ /dev/null
@@ -1,803 +0,0 @@
-Starting Test 1, iterate...
-auid=4294967295
-interp auid=unset
-auid=848
-interp auid=unknown(848)
-auid=848
-interp auid=unknown(848)
-auid=4294967295
-interp auid=unset
-auid=848
-interp auid=unknown(848)
-auid=848
-interp auid=unknown(848)
-auid=848
-interp auid=unknown(848)
-Test 1 Done
-
-Starting Test 2, walk events, records, and fields...
-event 1 has 1 records
- record 1 of type 1006(LOGIN) has 5 fields
- line=1 file=None
- event time: 1143146623.787:142, host=?
- type=LOGIN (LOGIN)
- pid=2027 (2027)
- uid=0 (root)
- auid=4294967295 (unset)
- auid=848 (unknown(848))
-
-event 2 has 1 records
- record 1 of type 1300(SYSCALL) has 24 fields
- line=2 file=None
- event time: 1143146623.875:143, host=?
- type=SYSCALL (SYSCALL)
- arch=c000003e (x86_64)
- syscall=188 (setxattr)
- success=yes (yes)
- exit=0 (0)
- a0=7fffffa9a9f0 (0x7fffffa9a9f0)
- a1=3958d11333 (0x3958d11333)
- a2=5131f0 (0x5131f0)
- a3=20 (0x20)
- items=1 (1)
- pid=2027 (2027)
- auid=848 (unknown(848))
- uid=0 (root)
- gid=0 (root)
- euid=0 (root)
- suid=0 (root)
- fsuid=0 (root)
- egid=0 (root)
- sgid=0 (root)
- fsgid=0 (root)
- tty=tty3 (tty3)
- comm="login" (login)
- exe="/bin/login" (/bin/login)
- subj=system_u:system_r:local_login_t:s0-s0:c0.c255 (system_u:system_r:local_login_t:s0-s0:c0.c255)
-
-event 3 has 1 records
- record 1 of type 1112(USER_LOGIN) has 10 fields
- line=3 file=None
- event time: 1143146623.879:146, host=?
- type=USER_LOGIN (USER_LOGIN)
- pid=2027 (2027)
- uid=0 (root)
- auid=848 (unknown(848))
- uid=848 (unknown(848))
- exe="/bin/login" (/bin/login)
- hostname=? (?)
- addr=? (?)
- terminal=tty3 (tty3)
- res=success (success)
-
-Test 2 Done
-
-Starting Test 3, walk events, records of 1 buffer...
-event has 1 records
- record 1 of type 1112(USER_LOGIN) has 10 fields
- line=1 file=None
- event time: 1143146623.879:146, host=?
-
-Test 3 Done
-
-Starting Test 4, walk events, records of 1 file...
-event 1 has 4 records
- record 1 of type 1400(AVC) has 11 fields
- line=1 file=./test.log
- event time: 1170021493.977:293, host=?
- type=AVC (AVC)
- seresult=denied (denied)
- seperms=read,write (read,write)
- pid=13010 (13010)
- comm="pickup" (pickup)
- name="maildrop" (maildrop)
- dev=hda7 (hda7)
- ino=14911367 (14911367)
- scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
- tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
- tclass=dir (dir)
-
- record 2 of type 1300(SYSCALL) has 26 fields
- line=2 file=./test.log
- event time: 1170021493.977:293, host=?
- type=SYSCALL (SYSCALL)
- arch=c000003e (x86_64)
- syscall=2 (open)
- success=no (no)
- exit=-13 (-13(Permission denied))
- a0=5555665d91b0 (0x5555665d91b0)
- a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY)
- a2=5555665d91b8 (0x5555665d91b8)
- a3=0 (0x0)
- items=1 (1)
- ppid=2013 (2013)
- pid=13010 (13010)
- auid=4294967295 (unset)
- uid=890 (unknown(890))
- gid=890 (unknown(890))
- euid=890 (unknown(890))
- suid=890 (unknown(890))
- fsuid=890 (unknown(890))
- egid=890 (unknown(890))
- sgid=890 (unknown(890))
- fsgid=890 (unknown(890))
- tty=(none) ((none))
- comm="pickup" (pickup)
- exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup)
- subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
- key=(null) ((null))
-
- record 3 of type 1307(CWD) has 2 fields
- line=3 file=./test.log
- event time: 1170021493.977:293, host=?
- type=CWD (CWD)
- cwd="/var/spool/postfix" (/var/spool/postfix)
-
- record 4 of type 1302(PATH) has 10 fields
- line=4 file=./test.log
- event time: 1170021493.977:293, host=?
- type=PATH (PATH)
- item=0 (0)
- name="maildrop" (maildrop)
- inode=14911367 (14911367)
- dev=03:07 (03:07)
- mode=040730 (dir,730)
- ouid=890 (unknown(890))
- ogid=891 (unknown(891))
- rdev=00:00 (00:00)
- obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
-
-event 2 has 1 records
- record 1 of type 1101(USER_ACCT) has 11 fields
- line=5 file=./test.log
- event time: 1170021601.340:294, host=?
- type=USER_ACCT (USER_ACCT)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 3 has 1 records
- record 1 of type 1103(CRED_ACQ) has 11 fields
- line=6 file=./test.log
- event time: 1170021601.342:295, host=?
- type=CRED_ACQ (CRED_ACQ)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 4 has 1 records
- record 1 of type 1006(LOGIN) has 5 fields
- line=7 file=./test.log
- event time: 1170021601.343:296, host=?
- type=LOGIN (LOGIN)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- auid=0 (root)
-
-event 5 has 1 records
- record 1 of type 1105(USER_START) has 11 fields
- line=8 file=./test.log
- event time: 1170021601.344:297, host=?
- type=USER_START (USER_START)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 6 has 1 records
- record 1 of type 1104(CRED_DISP) has 11 fields
- line=9 file=./test.log
- event time: 1170021601.364:298, host=?
- type=CRED_DISP (CRED_DISP)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 7 has 1 records
- record 1 of type 1106(USER_END) has 11 fields
- line=10 file=./test.log
- event time: 1170021601.366:299, host=?
- type=USER_END (USER_END)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-Test 4 Done
-
-Starting Test 5, walk events, records of 2 files...
-event 1 has 4 records
- record 1 of type 1400(AVC) has 11 fields
- line=1 file=test.log
- event time: 1170021493.977:293, host=?
- type=AVC (AVC)
- seresult=denied (denied)
- seperms=read,write (read,write)
- pid=13010 (13010)
- comm="pickup" (pickup)
- name="maildrop" (maildrop)
- dev=hda7 (hda7)
- ino=14911367 (14911367)
- scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
- tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
- tclass=dir (dir)
-
- record 2 of type 1300(SYSCALL) has 26 fields
- line=2 file=test.log
- event time: 1170021493.977:293, host=?
- type=SYSCALL (SYSCALL)
- arch=c000003e (x86_64)
- syscall=2 (open)
- success=no (no)
- exit=-13 (-13(Permission denied))
- a0=5555665d91b0 (0x5555665d91b0)
- a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY)
- a2=5555665d91b8 (0x5555665d91b8)
- a3=0 (0x0)
- items=1 (1)
- ppid=2013 (2013)
- pid=13010 (13010)
- auid=4294967295 (unset)
- uid=890 (unknown(890))
- gid=890 (unknown(890))
- euid=890 (unknown(890))
- suid=890 (unknown(890))
- fsuid=890 (unknown(890))
- egid=890 (unknown(890))
- sgid=890 (unknown(890))
- fsgid=890 (unknown(890))
- tty=(none) ((none))
- comm="pickup" (pickup)
- exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup)
- subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
- key=(null) ((null))
-
- record 3 of type 1307(CWD) has 2 fields
- line=3 file=test.log
- event time: 1170021493.977:293, host=?
- type=CWD (CWD)
- cwd="/var/spool/postfix" (/var/spool/postfix)
-
- record 4 of type 1302(PATH) has 10 fields
- line=4 file=test.log
- event time: 1170021493.977:293, host=?
- type=PATH (PATH)
- item=0 (0)
- name="maildrop" (maildrop)
- inode=14911367 (14911367)
- dev=03:07 (03:07)
- mode=040730 (dir,730)
- ouid=890 (unknown(890))
- ogid=891 (unknown(891))
- rdev=00:00 (00:00)
- obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
-
-event 2 has 1 records
- record 1 of type 1101(USER_ACCT) has 11 fields
- line=5 file=test.log
- event time: 1170021601.340:294, host=?
- type=USER_ACCT (USER_ACCT)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 3 has 1 records
- record 1 of type 1103(CRED_ACQ) has 11 fields
- line=6 file=test.log
- event time: 1170021601.342:295, host=?
- type=CRED_ACQ (CRED_ACQ)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 4 has 1 records
- record 1 of type 1006(LOGIN) has 5 fields
- line=7 file=test.log
- event time: 1170021601.343:296, host=?
- type=LOGIN (LOGIN)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- auid=0 (root)
-
-event 5 has 1 records
- record 1 of type 1105(USER_START) has 11 fields
- line=8 file=test.log
- event time: 1170021601.344:297, host=?
- type=USER_START (USER_START)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 6 has 1 records
- record 1 of type 1104(CRED_DISP) has 11 fields
- line=9 file=test.log
- event time: 1170021601.364:298, host=?
- type=CRED_DISP (CRED_DISP)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 7 has 1 records
- record 1 of type 1106(USER_END) has 11 fields
- line=10 file=test.log
- event time: 1170021601.366:299, host=?
- type=USER_END (USER_END)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 8 has 4 records
- record 1 of type 1400(AVC) has 11 fields
- line=1 file=test2.log
- event time: 1170021493.977:293, host=?
- type=AVC (AVC)
- seresult=denied (denied)
- seperms=read (read)
- pid=13010 (13010)
- comm="pickup" (pickup)
- name="maildrop" (maildrop)
- dev=hda7 (hda7)
- ino=14911367 (14911367)
- scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
- tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
- tclass=dir (dir)
-
- record 2 of type 1300(SYSCALL) has 26 fields
- line=2 file=test2.log
- event time: 1170021493.977:293, host=?
- type=SYSCALL (SYSCALL)
- arch=c000003e (x86_64)
- syscall=2 (open)
- success=no (no)
- exit=-13 (-13(Permission denied))
- a0=5555665d91b0 (0x5555665d91b0)
- a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY)
- a2=5555665d91b8 (0x5555665d91b8)
- a3=0 (0x0)
- items=1 (1)
- ppid=2013 (2013)
- pid=13010 (13010)
- auid=4294967295 (unset)
- uid=890 (unknown(890))
- gid=890 (unknown(890))
- euid=890 (unknown(890))
- suid=890 (unknown(890))
- fsuid=890 (unknown(890))
- egid=890 (unknown(890))
- sgid=890 (unknown(890))
- fsgid=890 (unknown(890))
- tty=(none) ((none))
- comm="pickup" (pickup)
- exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup)
- subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
- key=(null) ((null))
-
- record 3 of type 1307(CWD) has 2 fields
- line=3 file=test2.log
- event time: 1170021493.977:293, host=?
- type=CWD (CWD)
- cwd="/var/spool/postfix" (/var/spool/postfix)
-
- record 4 of type 1302(PATH) has 10 fields
- line=4 file=test2.log
- event time: 1170021493.977:293, host=?
- type=PATH (PATH)
- item=0 (0)
- name="maildrop" (maildrop)
- inode=14911367 (14911367)
- dev=03:07 (03:07)
- mode=040730 (dir,730)
- ouid=890 (unknown(890))
- ogid=891 (unknown(891))
- rdev=00:00 (00:00)
- obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
-
-event 9 has 1 records
- record 1 of type 1101(USER_ACCT) has 11 fields
- line=5 file=test2.log
- event time: 1170021601.340:294, host=?
- type=USER_ACCT (USER_ACCT)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 10 has 1 records
- record 1 of type 1103(CRED_ACQ) has 11 fields
- line=6 file=test2.log
- event time: 1170021601.342:295, host=?
- type=CRED_ACQ (CRED_ACQ)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 11 has 1 records
- record 1 of type 1006(LOGIN) has 5 fields
- line=7 file=test2.log
- event time: 1170021601.343:296, host=?
- type=LOGIN (LOGIN)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- auid=0 (root)
-
-event 12 has 1 records
- record 1 of type 1105(USER_START) has 11 fields
- line=8 file=test2.log
- event time: 1170021601.344:297, host=?
- type=USER_START (USER_START)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 13 has 1 records
- record 1 of type 1104(CRED_DISP) has 11 fields
- line=9 file=test2.log
- event time: 1170021601.364:298, host=?
- type=CRED_DISP (CRED_DISP)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 14 has 1 records
- record 1 of type 1106(USER_END) has 11 fields
- line=10 file=test2.log
- event time: 1170021601.366:299, host=?
- type=USER_END (USER_END)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-Test 5 Done
-
-Starting Test 6, search...
-auid = 500 not found...which is correct
-auid exists...which is correct
-Testing BUFFER_ARRAY, stop on field
-Found auid = 848
-Testing BUFFER_ARRAY, stop on record
-Found type = SYSCALL
-Testing BUFFER_ARRAY, stop on event
-Found type = SYSCALL
-Testing test.log, stop on field
-Found auid = 4294967295
-Testing test.log, stop on record
-Found type = SYSCALL
-Testing test.log, stop on event
-Found type = AVC
-Test 6 Done
-
-Starting Test 7, compound search...
-Found type = USER_START
-Found auid = 0
-Test 7 Done
-
-Starting Test 8, regex search...
-Doing regex match...
-Found type = LOGIN
-Doing regex wildcard search...
-Found type = USER_LOGIN
-Test 8 Done
-
-Starting Test 9, buffer feed...
-event 1 has 1 records
- record 1 of type 1006(LOGIN) has 5 fields
- line=1 file=None
- event time: 1143146623.787:142, host=?
- type=LOGIN (LOGIN)
- pid=2027 (2027)
- uid=0 (root)
- auid=4294967295 (unset)
- auid=848 (unknown(848))
-
-event 2 has 1 records
- record 1 of type 1300(SYSCALL) has 24 fields
- line=2 file=None
- event time: 1143146623.875:143, host=?
- type=SYSCALL (SYSCALL)
- arch=c000003e (x86_64)
- syscall=188 (setxattr)
- success=yes (yes)
- exit=0 (0)
- a0=7fffffa9a9f0 (0x7fffffa9a9f0)
- a1=3958d11333 (0x3958d11333)
- a2=5131f0 (0x5131f0)
- a3=20 (0x20)
- items=1 (1)
- pid=2027 (2027)
- auid=848 (unknown(848))
- uid=0 (root)
- gid=0 (root)
- euid=0 (root)
- suid=0 (root)
- fsuid=0 (root)
- egid=0 (root)
- sgid=0 (root)
- fsgid=0 (root)
- tty=tty3 (tty3)
- comm="login" (login)
- exe="/bin/login" (/bin/login)
- subj=system_u:system_r:local_login_t:s0-s0:c0.c255 (system_u:system_r:local_login_t:s0-s0:c0.c255)
-
-event 3 has 1 records
- record 1 of type 1112(USER_LOGIN) has 10 fields
- line=3 file=None
- event time: 1143146623.879:146, host=?
- type=USER_LOGIN (USER_LOGIN)
- pid=2027 (2027)
- uid=0 (root)
- auid=848 (unknown(848))
- uid=848 (unknown(848))
- exe="/bin/login" (/bin/login)
- hostname=? (?)
- addr=? (?)
- terminal=tty3 (tty3)
- res=success (success)
-
-Test 9 Done
-
-Starting Test 10, file feed...
-event 1 has 4 records
- record 1 of type 1400(AVC) has 11 fields
- line=1 file=None
- event time: 1170021493.977:293, host=?
- type=AVC (AVC)
- seresult=denied (denied)
- seperms=read,write (read,write)
- pid=13010 (13010)
- comm="pickup" (pickup)
- name="maildrop" (maildrop)
- dev=hda7 (hda7)
- ino=14911367 (14911367)
- scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
- tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
- tclass=dir (dir)
-
- record 2 of type 1300(SYSCALL) has 26 fields
- line=2 file=None
- event time: 1170021493.977:293, host=?
- type=SYSCALL (SYSCALL)
- arch=c000003e (x86_64)
- syscall=2 (open)
- success=no (no)
- exit=-13 (-13(Permission denied))
- a0=5555665d91b0 (0x5555665d91b0)
- a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY)
- a2=5555665d91b8 (0x5555665d91b8)
- a3=0 (0x0)
- items=1 (1)
- ppid=2013 (2013)
- pid=13010 (13010)
- auid=4294967295 (unset)
- uid=890 (unknown(890))
- gid=890 (unknown(890))
- euid=890 (unknown(890))
- suid=890 (unknown(890))
- fsuid=890 (unknown(890))
- egid=890 (unknown(890))
- sgid=890 (unknown(890))
- fsgid=890 (unknown(890))
- tty=(none) ((none))
- comm="pickup" (pickup)
- exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup)
- subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
- key=(null) ((null))
-
- record 3 of type 1307(CWD) has 2 fields
- line=3 file=None
- event time: 1170021493.977:293, host=?
- type=CWD (CWD)
- cwd="/var/spool/postfix" (/var/spool/postfix)
-
- record 4 of type 1302(PATH) has 10 fields
- line=4 file=None
- event time: 1170021493.977:293, host=?
- type=PATH (PATH)
- item=0 (0)
- name="maildrop" (maildrop)
- inode=14911367 (14911367)
- dev=03:07 (03:07)
- mode=040730 (dir,730)
- ouid=890 (unknown(890))
- ogid=891 (unknown(891))
- rdev=00:00 (00:00)
- obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
-
-event 2 has 1 records
- record 1 of type 1101(USER_ACCT) has 11 fields
- line=5 file=None
- event time: 1170021601.340:294, host=?
- type=USER_ACCT (USER_ACCT)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 3 has 1 records
- record 1 of type 1103(CRED_ACQ) has 11 fields
- line=6 file=None
- event time: 1170021601.342:295, host=?
- type=CRED_ACQ (CRED_ACQ)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 4 has 1 records
- record 1 of type 1006(LOGIN) has 5 fields
- line=7 file=None
- event time: 1170021601.343:296, host=?
- type=LOGIN (LOGIN)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- auid=0 (root)
-
-event 5 has 1 records
- record 1 of type 1105(USER_START) has 11 fields
- line=8 file=None
- event time: 1170021601.344:297, host=?
- type=USER_START (USER_START)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 6 has 1 records
- record 1 of type 1104(CRED_DISP) has 11 fields
- line=9 file=None
- event time: 1170021601.364:298, host=?
- type=CRED_DISP (CRED_DISP)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 7 has 1 records
- record 1 of type 1106(USER_END) has 11 fields
- line=10 file=None
- event time: 1170021601.366:299, host=?
- type=USER_END (USER_END)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-Test 10 Done
-
-Finished non-admin tests
-
diff --git a/framework/src/audit/auparse/test/auparse_test.ref.py b/framework/src/audit/auparse/test/auparse_test.ref.py
deleted file mode 100644
index d25e0645..00000000
--- a/framework/src/audit/auparse/test/auparse_test.ref.py
+++ /dev/null
@@ -1,793 +0,0 @@
-Starting Test 1, iterate...
-auid=4294967295
-interp auid=unset
-auid=848
-interp auid=unknown(848)
-auid=848
-interp auid=unknown(848)
-Test 1 Done
-
-Starting Test 2, walk events, records, and fields...
-event 1 has 1 records
- record 1 of type 1006(LOGIN) has 5 fields
- line=1 file=None
- event time: 1143146623.787:142, host=(null)
- type=LOGIN (LOGIN)
- pid=2027 (2027)
- uid=0 (root)
- auid=4294967295 (unset)
- auid=848 (unknown(848))
-
-event 2 has 1 records
- record 1 of type 1300(SYSCALL) has 24 fields
- line=2 file=None
- event time: 1143146623.875:143, host=(null)
- type=SYSCALL (SYSCALL)
- arch=c000003e (x86_64)
- syscall=188 (setxattr)
- success=yes (yes)
- exit=0 (0)
- a0=7fffffa9a9f0 (0x7fffffa9a9f0)
- a1=3958d11333 (0x3958d11333)
- a2=5131f0 (0x5131f0)
- a3=20 (0x20)
- items=1 (1)
- pid=2027 (2027)
- auid=848 (unknown(848))
- uid=0 (root)
- gid=0 (root)
- euid=0 (root)
- suid=0 (root)
- fsuid=0 (root)
- egid=0 (root)
- sgid=0 (root)
- fsgid=0 (root)
- tty=tty3 (tty3)
- comm="login" (login)
- exe="/bin/login" (/bin/login)
- subj=system_u:system_r:local_login_t:s0-s0:c0.c255 (system_u:system_r:local_login_t:s0-s0:c0.c255)
-
-event 3 has 1 records
- record 1 of type 1112(USER_LOGIN) has 10 fields
- line=3 file=None
- event time: 1143146623.879:146, host=(null)
- type=USER_LOGIN (USER_LOGIN)
- pid=2027 (2027)
- uid=0 (root)
- auid=848 (unknown(848))
- uid=848 (unknown(848))
- exe="/bin/login" (/bin/login)
- hostname=? (?)
- addr=? (?)
- terminal=tty3 (tty3)
- res=success (success)
-
-Test 2 Done
-
-Starting Test 3, walk events, records of 1 buffer...
-event has 1 records
- record 1 of type 1112(USER_LOGIN) has 10 fields
- line=1 file=None
- event time: 1143146623.879:146, host=(null)
-
-Test 3 Done
-
-Starting Test 4, walk events, records of 1 file...
-event 1 has 4 records
- record 1 of type 1400(AVC) has 11 fields
- line=1 file=test.log
- event time: 1170021493.977:293, host=(null)
- type=AVC (AVC)
- seresult=denied (denied)
- seperms=read,write (read,write)
- pid=13010 (13010)
- comm="pickup" (pickup)
- name="maildrop" (maildrop)
- dev=hda7 (hda7)
- ino=14911367 (14911367)
- scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
- tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
- tclass=dir (dir)
-
- record 2 of type 1300(SYSCALL) has 26 fields
- line=2 file=test.log
- event time: 1170021493.977:293, host=(null)
- type=SYSCALL (SYSCALL)
- arch=c000003e (x86_64)
- syscall=2 (open)
- success=no (no)
- exit=-13 (-13(Permission denied))
- a0=5555665d91b0 (0x5555665d91b0)
- a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY)
- a2=5555665d91b8 (0x5555665d91b8)
- a3=0 (0x0)
- items=1 (1)
- ppid=2013 (2013)
- pid=13010 (13010)
- auid=4294967295 (unset)
- uid=890 (unknown(890))
- gid=890 (unknown(890))
- euid=890 (unknown(890))
- suid=890 (unknown(890))
- fsuid=890 (unknown(890))
- egid=890 (unknown(890))
- sgid=890 (unknown(890))
- fsgid=890 (unknown(890))
- tty=(none) ((none))
- comm="pickup" (pickup)
- exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup)
- subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
- key=(null) ((null))
-
- record 3 of type 1307(CWD) has 2 fields
- line=3 file=test.log
- event time: 1170021493.977:293, host=(null)
- type=CWD (CWD)
- cwd="/var/spool/postfix" (/var/spool/postfix)
-
- record 4 of type 1302(PATH) has 10 fields
- line=4 file=test.log
- event time: 1170021493.977:293, host=(null)
- type=PATH (PATH)
- item=0 (0)
- name="maildrop" (maildrop)
- inode=14911367 (14911367)
- dev=03:07 (03:07)
- mode=040730 (dir,730)
- ouid=890 (unknown(890))
- ogid=891 (unknown(891))
- rdev=00:00 (00:00)
- obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
-
-event 2 has 1 records
- record 1 of type 1101(USER_ACCT) has 11 fields
- line=5 file=test.log
- event time: 1170021601.340:294, host=(null)
- type=USER_ACCT (USER_ACCT)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 3 has 1 records
- record 1 of type 1103(CRED_ACQ) has 11 fields
- line=6 file=test.log
- event time: 1170021601.342:295, host=(null)
- type=CRED_ACQ (CRED_ACQ)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 4 has 1 records
- record 1 of type 1006(LOGIN) has 5 fields
- line=7 file=test.log
- event time: 1170021601.343:296, host=(null)
- type=LOGIN (LOGIN)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- auid=0 (root)
-
-event 5 has 1 records
- record 1 of type 1105(USER_START) has 11 fields
- line=8 file=test.log
- event time: 1170021601.344:297, host=(null)
- type=USER_START (USER_START)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 6 has 1 records
- record 1 of type 1104(CRED_DISP) has 11 fields
- line=9 file=test.log
- event time: 1170021601.364:298, host=(null)
- type=CRED_DISP (CRED_DISP)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 7 has 1 records
- record 1 of type 1106(USER_END) has 11 fields
- line=10 file=test.log
- event time: 1170021601.366:299, host=(null)
- type=USER_END (USER_END)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-Test 4 Done
-
-Starting Test 5, walk events, records of 2 files...
-event 1 has 4 records
- record 1 of type 1400(AVC) has 11 fields
- line=1 file=test.log
- event time: 1170021493.977:293, host=(null)
- type=AVC (AVC)
- seresult=denied (denied)
- seperms=read,write (read,write)
- pid=13010 (13010)
- comm="pickup" (pickup)
- name="maildrop" (maildrop)
- dev=hda7 (hda7)
- ino=14911367 (14911367)
- scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
- tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
- tclass=dir (dir)
-
- record 2 of type 1300(SYSCALL) has 26 fields
- line=2 file=test.log
- event time: 1170021493.977:293, host=(null)
- type=SYSCALL (SYSCALL)
- arch=c000003e (x86_64)
- syscall=2 (open)
- success=no (no)
- exit=-13 (-13(Permission denied))
- a0=5555665d91b0 (0x5555665d91b0)
- a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY)
- a2=5555665d91b8 (0x5555665d91b8)
- a3=0 (0x0)
- items=1 (1)
- ppid=2013 (2013)
- pid=13010 (13010)
- auid=4294967295 (unset)
- uid=890 (unknown(890))
- gid=890 (unknown(890))
- euid=890 (unknown(890))
- suid=890 (unknown(890))
- fsuid=890 (unknown(890))
- egid=890 (unknown(890))
- sgid=890 (unknown(890))
- fsgid=890 (unknown(890))
- tty=(none) ((none))
- comm="pickup" (pickup)
- exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup)
- subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
- key=(null) ((null))
-
- record 3 of type 1307(CWD) has 2 fields
- line=3 file=test.log
- event time: 1170021493.977:293, host=(null)
- type=CWD (CWD)
- cwd="/var/spool/postfix" (/var/spool/postfix)
-
- record 4 of type 1302(PATH) has 10 fields
- line=4 file=test.log
- event time: 1170021493.977:293, host=(null)
- type=PATH (PATH)
- item=0 (0)
- name="maildrop" (maildrop)
- inode=14911367 (14911367)
- dev=03:07 (03:07)
- mode=040730 (dir,730)
- ouid=890 (unknown(890))
- ogid=891 (unknown(891))
- rdev=00:00 (00:00)
- obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
-
-event 2 has 1 records
- record 1 of type 1101(USER_ACCT) has 11 fields
- line=5 file=test.log
- event time: 1170021601.340:294, host=(null)
- type=USER_ACCT (USER_ACCT)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 3 has 1 records
- record 1 of type 1103(CRED_ACQ) has 11 fields
- line=6 file=test.log
- event time: 1170021601.342:295, host=(null)
- type=CRED_ACQ (CRED_ACQ)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 4 has 1 records
- record 1 of type 1006(LOGIN) has 5 fields
- line=7 file=test.log
- event time: 1170021601.343:296, host=(null)
- type=LOGIN (LOGIN)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- auid=0 (root)
-
-event 5 has 1 records
- record 1 of type 1105(USER_START) has 11 fields
- line=8 file=test.log
- event time: 1170021601.344:297, host=(null)
- type=USER_START (USER_START)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 6 has 1 records
- record 1 of type 1104(CRED_DISP) has 11 fields
- line=9 file=test.log
- event time: 1170021601.364:298, host=(null)
- type=CRED_DISP (CRED_DISP)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 7 has 1 records
- record 1 of type 1106(USER_END) has 11 fields
- line=10 file=test.log
- event time: 1170021601.366:299, host=(null)
- type=USER_END (USER_END)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 8 has 4 records
- record 1 of type 1400(AVC) has 11 fields
- line=1 file=test2.log
- event time: 1170021493.977:293, host=(null)
- type=AVC (AVC)
- seresult=denied (denied)
- seperms=read (read)
- pid=13010 (13010)
- comm="pickup" (pickup)
- name="maildrop" (maildrop)
- dev=hda7 (hda7)
- ino=14911367 (14911367)
- scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
- tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
- tclass=dir (dir)
-
- record 2 of type 1300(SYSCALL) has 26 fields
- line=2 file=test2.log
- event time: 1170021493.977:293, host=(null)
- type=SYSCALL (SYSCALL)
- arch=c000003e (x86_64)
- syscall=2 (open)
- success=no (no)
- exit=-13 (-13(Permission denied))
- a0=5555665d91b0 (0x5555665d91b0)
- a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY)
- a2=5555665d91b8 (0x5555665d91b8)
- a3=0 (0x0)
- items=1 (1)
- ppid=2013 (2013)
- pid=13010 (13010)
- auid=4294967295 (unset)
- uid=890 (unknown(890))
- gid=890 (unknown(890))
- euid=890 (unknown(890))
- suid=890 (unknown(890))
- fsuid=890 (unknown(890))
- egid=890 (unknown(890))
- sgid=890 (unknown(890))
- fsgid=890 (unknown(890))
- tty=(none) ((none))
- comm="pickup" (pickup)
- exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup)
- subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
- key=(null) ((null))
-
- record 3 of type 1307(CWD) has 2 fields
- line=3 file=test2.log
- event time: 1170021493.977:293, host=(null)
- type=CWD (CWD)
- cwd="/var/spool/postfix" (/var/spool/postfix)
-
- record 4 of type 1302(PATH) has 10 fields
- line=4 file=test2.log
- event time: 1170021493.977:293, host=(null)
- type=PATH (PATH)
- item=0 (0)
- name="maildrop" (maildrop)
- inode=14911367 (14911367)
- dev=03:07 (03:07)
- mode=040730 (dir,730)
- ouid=890 (unknown(890))
- ogid=891 (unknown(891))
- rdev=00:00 (00:00)
- obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
-
-event 9 has 1 records
- record 1 of type 1101(USER_ACCT) has 11 fields
- line=5 file=test2.log
- event time: 1170021601.340:294, host=(null)
- type=USER_ACCT (USER_ACCT)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 10 has 1 records
- record 1 of type 1103(CRED_ACQ) has 11 fields
- line=6 file=test2.log
- event time: 1170021601.342:295, host=(null)
- type=CRED_ACQ (CRED_ACQ)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 11 has 1 records
- record 1 of type 1006(LOGIN) has 5 fields
- line=7 file=test2.log
- event time: 1170021601.343:296, host=(null)
- type=LOGIN (LOGIN)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- auid=0 (root)
-
-event 12 has 1 records
- record 1 of type 1105(USER_START) has 11 fields
- line=8 file=test2.log
- event time: 1170021601.344:297, host=(null)
- type=USER_START (USER_START)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 13 has 1 records
- record 1 of type 1104(CRED_DISP) has 11 fields
- line=9 file=test2.log
- event time: 1170021601.364:298, host=(null)
- type=CRED_DISP (CRED_DISP)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 14 has 1 records
- record 1 of type 1106(USER_END) has 11 fields
- line=10 file=test2.log
- event time: 1170021601.366:299, host=(null)
- type=USER_END (USER_END)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-Test 5 Done
-
-Starting Test 6, search...
-auid = 500 not found...which is correct
-auid exists...which is correct
-Testing BUFFER_ARRAY, stop on field
-Found auid = 848
-Testing BUFFER_ARRAY, stop on record
-Found type = SYSCALL
-Testing BUFFER_ARRAY, stop on event
-Found type = SYSCALL
-Testing test.log, stop on field
-Found auid = 4294967295
-Testing test.log, stop on record
-Found type = SYSCALL
-Testing test.log, stop on event
-Found type = AVC
-Test 6 Done
-
-Starting Test 7, compound search...
-Found type = USER_START
-Found auid = 0
-Test 7 Done
-
-Starting Test 8, regex search...
-Doing regex match...
-
-Test 8 Done
-
-Starting Test 9, buffer feed...
-event 1 has 1 records
- record 1 of type 1006(LOGIN) has 5 fields
- line=1 file=None
- event time: 1143146623.787:142, host=(null)
- type=LOGIN (LOGIN)
- pid=2027 (2027)
- uid=0 (root)
- auid=4294967295 (unset)
- auid=848 (unknown(848))
-
-event 2 has 1 records
- record 1 of type 1300(SYSCALL) has 24 fields
- line=2 file=None
- event time: 1143146623.875:143, host=(null)
- type=SYSCALL (SYSCALL)
- arch=c000003e (x86_64)
- syscall=188 (setxattr)
- success=yes (yes)
- exit=0 (0)
- a0=7fffffa9a9f0 (0x7fffffa9a9f0)
- a1=3958d11333 (0x3958d11333)
- a2=5131f0 (0x5131f0)
- a3=20 (0x20)
- items=1 (1)
- pid=2027 (2027)
- auid=848 (unknown(848))
- uid=0 (root)
- gid=0 (root)
- euid=0 (root)
- suid=0 (root)
- fsuid=0 (root)
- egid=0 (root)
- sgid=0 (root)
- fsgid=0 (root)
- tty=tty3 (tty3)
- comm="login" (login)
- exe="/bin/login" (/bin/login)
- subj=system_u:system_r:local_login_t:s0-s0:c0.c255 (system_u:system_r:local_login_t:s0-s0:c0.c255)
-
-event 3 has 1 records
- record 1 of type 1112(USER_LOGIN) has 10 fields
- line=3 file=None
- event time: 1143146623.879:146, host=(null)
- type=USER_LOGIN (USER_LOGIN)
- pid=2027 (2027)
- uid=0 (root)
- auid=848 (unknown(848))
- uid=848 (unknown(848))
- exe="/bin/login" (/bin/login)
- hostname=? (?)
- addr=? (?)
- terminal=tty3 (tty3)
- res=success (success)
-
-Test 9 Done
-
-Starting Test 10, file feed...
-event 1 has 4 records
- record 1 of type 1400(AVC) has 11 fields
- line=1 file=None
- event time: 1170021493.977:293, host=(null)
- type=AVC (AVC)
- seresult=denied (denied)
- seperms=read,write (read,write)
- pid=13010 (13010)
- comm="pickup" (pickup)
- name="maildrop" (maildrop)
- dev=hda7 (hda7)
- ino=14911367 (14911367)
- scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
- tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
- tclass=dir (dir)
-
- record 2 of type 1300(SYSCALL) has 26 fields
- line=2 file=None
- event time: 1170021493.977:293, host=(null)
- type=SYSCALL (SYSCALL)
- arch=c000003e (x86_64)
- syscall=2 (open)
- success=no (no)
- exit=-13 (-13(Permission denied))
- a0=5555665d91b0 (0x5555665d91b0)
- a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY)
- a2=5555665d91b8 (0x5555665d91b8)
- a3=0 (0x0)
- items=1 (1)
- ppid=2013 (2013)
- pid=13010 (13010)
- auid=4294967295 (unset)
- uid=890 (unknown(890))
- gid=890 (unknown(890))
- euid=890 (unknown(890))
- suid=890 (unknown(890))
- fsuid=890 (unknown(890))
- egid=890 (unknown(890))
- sgid=890 (unknown(890))
- fsgid=890 (unknown(890))
- tty=(none) ((none))
- comm="pickup" (pickup)
- exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup)
- subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
- key=(null) ((null))
-
- record 3 of type 1307(CWD) has 2 fields
- line=3 file=None
- event time: 1170021493.977:293, host=(null)
- type=CWD (CWD)
- cwd="/var/spool/postfix" (/var/spool/postfix)
-
- record 4 of type 1302(PATH) has 10 fields
- line=4 file=None
- event time: 1170021493.977:293, host=(null)
- type=PATH (PATH)
- item=0 (0)
- name="maildrop" (maildrop)
- inode=14911367 (14911367)
- dev=03:07 (03:07)
- mode=040730 (dir,730)
- ouid=890 (unknown(890))
- ogid=891 (unknown(891))
- rdev=00:00 (00:00)
- obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
-
-event 2 has 1 records
- record 1 of type 1101(USER_ACCT) has 11 fields
- line=5 file=None
- event time: 1170021601.340:294, host=(null)
- type=USER_ACCT (USER_ACCT)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 3 has 1 records
- record 1 of type 1103(CRED_ACQ) has 11 fields
- line=6 file=None
- event time: 1170021601.342:295, host=(null)
- type=CRED_ACQ (CRED_ACQ)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 4 has 1 records
- record 1 of type 1006(LOGIN) has 5 fields
- line=7 file=None
- event time: 1170021601.343:296, host=(null)
- type=LOGIN (LOGIN)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- auid=0 (root)
-
-event 5 has 1 records
- record 1 of type 1105(USER_START) has 11 fields
- line=8 file=None
- event time: 1170021601.344:297, host=(null)
- type=USER_START (USER_START)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 6 has 1 records
- record 1 of type 1104(CRED_DISP) has 11 fields
- line=9 file=None
- event time: 1170021601.364:298, host=(null)
- type=CRED_DISP (CRED_DISP)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 7 has 1 records
- record 1 of type 1106(USER_END) has 11 fields
- line=10 file=None
- event time: 1170021601.366:299, host=(null)
- type=USER_END (USER_END)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-Test 10 Done
-
-Finished non-admin tests
-
diff --git a/framework/src/audit/auparse/test/test.log b/framework/src/audit/auparse/test/test.log
deleted file mode 100644
index e0ffabf5..00000000
--- a/framework/src/audit/auparse/test/test.log
+++ /dev/null
@@ -1,10 +0,0 @@
-type=AVC msg=audit(1170021493.977:293): avc: denied { read write } for pid=13010 comm="pickup" name="maildrop" dev=hda7 ino=14911367 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
-type=SYSCALL msg=audit(1170021493.977:293): arch=c000003e syscall=2 success=no exit=-13 a0=5555665d91b0 a1=10800 a2=5555665d91b8 a3=0 items=1 ppid=2013 pid=13010 auid=4294967295 uid=890 gid=890 euid=890 suid=890 fsuid=890 egid=890 sgid=890 fsgid=890 tty=(none) comm="pickup" exe="/usr/libexec/postfix/pickup" subj=system_u:system_r:postfix_pickup_t:s0 key=(null)
-type=CWD msg=audit(1170021493.977:293): cwd="/var/spool/postfix"
-type=PATH msg=audit(1170021493.977:293): item=0 name="maildrop" inode=14911367 dev=03:07 mode=040730 ouid=890 ogid=891 rdev=00:00 obj=system_u:object_r:postfix_spool_maildrop_t:s0
-type=USER_ACCT msg=audit(1170021601.340:294): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
-type=CRED_ACQ msg=audit(1170021601.342:295): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
-type=LOGIN msg=audit(1170021601.343:296): login pid=13015 uid=0 old auid=4294967295 new auid=0
-type=USER_START msg=audit(1170021601.344:297): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
-type=CRED_DISP msg=audit(1170021601.364:298): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
-type=USER_END msg=audit(1170021601.366:299): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session close acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
diff --git a/framework/src/audit/auparse/test/test2.log b/framework/src/audit/auparse/test/test2.log
deleted file mode 100644
index 588f1e04..00000000
--- a/framework/src/audit/auparse/test/test2.log
+++ /dev/null
@@ -1,10 +0,0 @@
-type=AVC msg=audit(1170021493.977:293): avc: denied { read } for pid=13010 comm="pickup" name="maildrop" dev=hda7 ino=14911367 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
-type=SYSCALL msg=audit(1170021493.977:293): arch=c000003e syscall=2 success=no exit=-13 a0=5555665d91b0 a1=10800 a2=5555665d91b8 a3=0 items=1 ppid=2013 pid=13010 auid=4294967295 uid=890 gid=890 euid=890 suid=890 fsuid=890 egid=890 sgid=890 fsgid=890 tty=(none) comm="pickup" exe="/usr/libexec/postfix/pickup" subj=system_u:system_r:postfix_pickup_t:s0 key=(null)
-type=CWD msg=audit(1170021493.977:293): cwd="/var/spool/postfix"
-type=PATH msg=audit(1170021493.977:293): item=0 name="maildrop" inode=14911367 dev=03:07 mode=040730 ouid=890 ogid=891 rdev=00:00 obj=system_u:object_r:postfix_spool_maildrop_t:s0
-type=USER_ACCT msg=audit(1170021601.340:294): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
-type=CRED_ACQ msg=audit(1170021601.342:295): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
-type=LOGIN msg=audit(1170021601.343:296): login pid=13015 uid=0 old auid=4294967295 new auid=0
-type=USER_START msg=audit(1170021601.344:297): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
-type=CRED_DISP msg=audit(1170021601.364:298): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
-type=USER_END msg=audit(1170021601.366:299): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session close acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'