public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: order of entries output from ausearch -i
Date: Wed, 13 Nov 2013 15:35:36 -0500	[thread overview]
Message-ID: <5330451.157zfHkgAY@x2> (raw)
In-Reply-To: <528334D5.6030609@linaro.org>

On Wednesday, November 13, 2013 05:14:13 PM AKASHI Takahiro wrote:
> Hi Steve
> 
> I followed your advice and verified my patch of AArch64 audit support
> by comparing the output from
>      # autrace /bin/ls
>      # ausearch -i -p XXX | grep SYSCALL
> with the output from
>      # strace /bin/ls
> 
> Here I found that the entries shown by "ausearch -i" are listed
> partially in the order of lifo (Last In First Out?).
> I don't think this behavior is "intuitive".
> (As you know, ausearch without -i generates fifo order of outputs.)
> Is there any good reason?

Yes, the syscall record is often the most important. It's better to scroll the
auxiliary records off the screen, leaving just the syscall record. For example,
if you triggered a syscall event against kill(-1, SIGTERM), you could have
100 or more OBJ_PID records with that syscall.

-Steve
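The ordering question in this thread comes down to how records belonging to one audit event are grouped and in which order they are printed. The following script is an added example, not code from the audit userspace package or from either poster: it parses raw audit records (the `type=... msg=audit(<time>:<serial>):` header every kernel record carries), groups them into events by that timestamp/serial pair, and shows the event either in raw order (SYSCALL first, as `ausearch` without `-i` prints it) or with the SYSCALL record last (the `-i` convention defended in the reply). The sample event is constructed to mirror the `kill(-1, SIGTERM)` case from the mail; every field value in it, including the syscall number, is made up for illustration.

```python
import re
from collections import OrderedDict

# Header of a kernel audit record, optionally prefixed with "node=<host>" when
# records come from a remote logger:
#   [node=<host>] type=<TYPE> msg=audit(<epoch.millis>:<serial>): <fields>
RECORD_RE = re.compile(
    r"^(?:node=\S+\s+)?type=(?P<type>\S+)\s+"
    r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)


def parse_records(lines):
    """Parse raw audit lines into dicts; lines that are not audit records are skipped."""
    records = []
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def group_events(records):
    """Group records into events keyed by (timestamp, serial), in first-seen order.

    The kernel gives every record of one syscall the same timestamp and serial,
    which is the only thing that ties an OBJ_PID record to its SYSCALL record.
    """
    events = OrderedDict()
    for rec in records:
        events.setdefault((rec["ts"], rec["serial"]), []).append(rec)
    return events


def order_for_display(event_records, syscall_last=True):
    """Return one event's records with SYSCALL last (ausearch -i style) or first (raw)."""
    syscalls = [r for r in event_records if r["type"] == "SYSCALL"]
    others = [r for r in event_records if r["type"] != "SYSCALL"]
    return others + syscalls if syscall_last else syscalls + others


def render(event_records):
    """One printable line per record, in the order given."""
    return [f"type={r['type']} : {r['body']}" for r in event_records]


# Constructed sample log: event :1234 is a kill(-1, SIGTERM) with one OBJ_PID
# record per signalled process; event :1235 is an unrelated file open.
# All values (syscall numbers, pids, paths) are invented for this example.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1384371313.125:1234): arch=c00000b7 syscall=129 success=yes exit=0 a0=ffffffffffffffff a1=f comm="kill" exe="/usr/bin/kill"',
    'type=OBJ_PID msg=audit(1384371313.125:1234): opid=301 oauid=1000 ouid=1000 oses=2 obj=unconfined ocomm="bash"',
    'type=OBJ_PID msg=audit(1384371313.125:1234): opid=302 oauid=1000 ouid=1000 oses=2 obj=unconfined ocomm="vim"',
    'type=OBJ_PID msg=audit(1384371313.125:1234): opid=303 oauid=1000 ouid=1000 oses=2 obj=unconfined ocomm="ssh"',
    'type=OBJ_PID msg=audit(1384371313.125:1234): opid=304 oauid=1000 ouid=1000 oses=2 obj=unconfined ocomm="tmux"',
    "this line is not an audit record and is ignored",
    'type=SYSCALL msg=audit(1384371313.130:1235): arch=c00000b7 syscall=56 success=yes exit=3 comm="ls" exe="/bin/ls"',
    'type=CWD msg=audit(1384371313.130:1235): cwd="/home/user"',
    'type=PATH msg=audit(1384371313.130:1235): item=0 name="." inode=2 dev=fd:01 mode=040755',
]


def describe_order(event_records, syscall_last=True):
    """Record types in display order, e.g. ['OBJ_PID', ..., 'SYSCALL']."""
    return [r["type"] for r in order_for_display(event_records, syscall_last)]


if __name__ == "__main__":
    events = group_events(parse_records(SAMPLE_LOG))
    for key, recs in events.items():
        print(f"--- event {key[0]}:{key[1]} raw order (ausearch without -i)")
        print("\n".join(render(order_for_display(recs, syscall_last=False))))
        print(f"--- event {key[0]}:{key[1]} SYSCALL last (ausearch -i)")
        print("\n".join(render(order_for_display(recs, syscall_last=True))))
```

With the SYSCALL record printed last, the many OBJ_PID records scroll away first and the record that identifies the call, its result and the calling process is what remains on screen, which is the behaviour the reply argues for.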

Thread overview: 2+ messages
2013-11-13  8:14 order of entries output from ausearch -i  AKASHI Takahiro
2013-11-13 20:35 ` Steve Grubb [this message]