order of entries output from ausearch -i

order of entries output from ausearch -i

[AKASHI Takahiro]

Hi Steve

I followed your advise and verified my patch of AArch64 audit support
by comparing the output from
     # autrace /bin/ls
     # ausearch -i -p XXX | grep SYSCALL
with the output from
     # strace /bin/ls

Here I found that the entries shown by "ausearch -i" are listed
partially in the order of lifo (Last In First Out?).
I don't think this behavior is "intuitive".
(As you know, ausearch without -i generates fifo order of outputs.)
Is there any good reason?

Thanks,
-Takahiro AKASHI

Re: order of entries output from ausearch -i

[Steve Grubb]

On Wednesday, November 13, 2013 05:14:13 PM AKASHI Takahiro wrote:
> Hi Steve
> 
> I followed your advise and verified my patch of AArch64 audit support
> by comparing the output from
>      # autrace /bin/ls
>      # ausearch -i -p XXX | grep SYSCALL
> with the output from
>      # strace /bin/ls
> 
> Here I found that the entries shown by "ausearch -i" are listed
> partially in the order of lifo (Last In First Out?).
> I don't think this behavior is "intuitive".
> (As you know, ausearch without -i generates fifo order of outputs.)
> Is there any good reason?

Yes, the syscall record is often the most important. Its better to scroll the 
auxiliary records off the screen leaving just the syscall record. For example, 
if you triggered a syscall event against   kill(-1, SIGTERM)  you could have a 
100 or more OBJ_PID records with that syscall.

-Steve