* Re: Patch to auparse to handle out of order messages 1 of 3
From: Steve Grubb @ 2016-01-06 15:43 UTC (permalink / raw)
To: linux-audit, burn
In-Reply-To: <1452076157.26850.87.camel@swtf.swtf.dyndns.org>
On Wednesday, January 06, 2016 09:29:17 PM Burn Alting wrote:
> The following three patches address this problem.
>
> #1 - convert the existing code to change auparse's auparse_state_t (aka
> struct opaque) event_list_t element 'le' to be a pointer, so the 'lol'
> code can more seamlessly fit in.
Applied, thanks!
-Steve
* Patch to auparse to handle out of order messages 2 of 3 - quite large awaiting moderator review
From: Burn Alting @ 2016-01-06 10:53 UTC (permalink / raw)
To: linux-audit@redhat.com
For those who think I didn't post the 3 of 3 patch.
It's a tad large, so Steve has to review first.
Regards
* Patch to auparse to handle out of order messages 3 of 3
From: Burn Alting @ 2016-01-06 10:30 UTC (permalink / raw)
To: linux-audit@redhat.com
[-- Attachment #1: Type: text/plain, Size: 47 bytes --]
#3 - modify the standard auparse() test code.
[-- Attachment #2: audit-2.4.5-3.patch --]
[-- Type: text/x-patch, Size: 287047 bytes --]
diff -Npru audit-2.4.5.orig/auparse/test/auditd_raw.sed audit-2.4.5/auparse/test/auditd_raw.sed
--- audit-2.4.5.orig/auparse/test/auditd_raw.sed 1970-01-01 10:00:00.000000000 +1000
+++ audit-2.4.5/auparse/test/auditd_raw.sed 2016-01-04 22:47:35.409251185 +1100
@@ -0,0 +1,32 @@
+s/ cwd/ cwd/
+s/ comm=/ comm=/
+s/msg='//
+s/(hostname=/hostname=/
+s/success)/success/
+s/ : exe=/ exe=/
+s/'$//
+s/): a/): a/
+s/, addr=/ addr=/
+s/, terminal=/ terminal=/
+s/tty pid=/pid=/
+s/Unknown permission start for class system //
+s/Unknown permission stop for class system //
+s/ exe=/ exe=/
+s/ pam: default-context/ default-context/
+s/ avc: denied { stop } for auid=/ auid=/
+s/old ses=/ses=/
+s/new ses=/ses=/
+s/old auid=/auid=/
+s/login pid=/pid=/
+s/user pid=/pid=/
+s/new auid=/auid=/
+s/auditd start, ver=/ver=/
+s/policy loaded auid=/auid=/
+s/auditd normal halt, sending auid=/auid=/
+s/op=change password id=/op=change id=/
+s/avc: received policyload notice (seqno=\(\d+)\))/seqno=\1/
+s/PAM: accounting acct/acct/
+s/PAM: session open acct/acct/
+s/PAM: session close acct/acct/
+s/PAM: setcred acct/acct/
+s/avc: denied { read write } for pid=/seresult=denied seperms=read,write pid=/
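Review bot: The policyload rule, s/avc: received policyload notice (seqno=\(\d+)\))/seqno=\1/, will not match a numeric seqno under sed's basic regular expressions: \d is not a digit class there, + is a literal character, and the capture group is closed after a literal ) rather than before it. Something like s/avc: received policyload notice (seqno=\([0-9][0-9]*\))/seqno=\1/ does what the rule appears to intend. Separately, several rules as posted have identical pattern and replacement (" cwd", " comm=", "): a", " exe="), so they are no-ops; if they were meant to collapse doubled spaces, the whitespace has been lost somewhere and the attachment should be re-checked.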
diff -Npru audit-2.4.5.orig/auparse/test/auparselol_test.c audit-2.4.5/auparse/test/auparselol_test.c
--- audit-2.4.5.orig/auparse/test/auparselol_test.c 1970-01-01 10:00:00.000000000 +1000
+++ audit-2.4.5/auparse/test/auparselol_test.c 2016-01-03 15:00:15.659327719 +1100
@@ -0,0 +1,250 @@
+#include "config.h"
+#include <stdio.h>
+#include <locale.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+#include <pwd.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include "libaudit.h"
+#include "auparse.h"
+
+/*
+ * Tool to exercise the auparse library input and processing capability
+ * Based on the code example shown in auparse_feed manual entry
+ *
+ * Standard test would be
+ * mkdir /tmp/auparse_test
+ * cp /var/log/audit/audit.log /tmp/auparse_test/audit.log
+ * sed -f auparse_patch.sed /tmp/auparse_test/audit.log | sort > /tmp/auparse_test/auparse.raw
+ * auparselol_test --check -f /tmp/auparse_test/audit.log | sort > /tmp/auparse_test/auparse.new
+ * diff /tmp/auparse_test/auparse.raw /tmp/auparse_test/auparse.new
+ * and the ouput of the diff should be zero or explainable (and hence expand the auparse_patch.sed file)
+ *
+ */
+
+/*
+ * Flags bitset
+ */
+unsigned flags = 0x0;
+
+#define F_VERBOSE 0x00000001
+#define F_CHECK 0x00000002
+#define F_USESTDIN 0x00000004
+
+/*
+ * Print a null terminated string, escaping chararters from the given set
+ */
+void print_escape(FILE * fd, char *str, const char *escape)
+{
+ register char *s = str;
+ int ch;
+
+ while ((ch = (int) *s++)) {
+ if (strrchr(escape, ch))
+ fputc('\\', fd);
+ fputc(ch, fd);
+ }
+}
+
+/*
+ * auparse_callback - callback routine to be executed once a complete event is composed
+ */
+void
+auparse_callback(auparse_state_t * au, auparse_cb_event_t cb_event_type,
+ void *user_data)
+{
+ int *event_cnt = (int *) user_data;
+
+ if (cb_event_type == AUPARSE_CB_EVENT_READY) {
+ if (auparse_first_record(au) <= 0)
+ return; /* If no first record, then no event ! */
+
+ if (!(flags & F_CHECK))
+ printf("event=%d records=%d\n", *event_cnt,
+ auparse_get_num_records(au));
+ do {
+ const au_event_t *e = auparse_get_timestamp(au);
+ if (e == NULL)
+ return; /* If no timestamp, then no event */
+
+ /* If checking, we just emit the raw record again
+ */
+ if (flags & F_CHECK) {
+ if (e->host != NULL)
+ printf("node=%s type=%s msg=audit(%u.%3.3u:%lu):",
+ e->host, auparse_get_type_name(au),
+ (unsigned) e->sec, e->milli, e->serial);
+ else
+ printf("type=%s msg=audit(%u.%3.3u:%lu):",
+ auparse_get_type_name(au),
+ (unsigned) e->sec, e->milli, e->serial);
+ auparse_first_field(au); /* Move to first field */
+ do {
+ const char *fname = auparse_get_field_name(au);
+
+ /* We ignore the node and type fields */
+ if (strcmp(fname, "type") == 0
+ || strcmp(fname, "node") == 0)
+ continue;
+ printf(" %s=%s", fname, auparse_get_field_str(au));
+ } while (auparse_next_field(au) > 0);
+ printf("\n");
+ continue;
+ }
+
+ printf("fields=%d\t", auparse_get_num_fields(au));
+ printf("type=%d (%s) ", auparse_get_type(au),
+ auparse_get_type_name(au));
+ printf("event_tid=%u.%3.3u:%lu ",
+ (unsigned) e->sec, e->milli, e->serial);
+ if (flags & F_VERBOSE) {
+ char *fv, *ifv = NULL;
+ auparse_first_field(au); /* Move to first field */
+ do {
+ fv = (char *) auparse_get_field_str(au);
+ ifv = (char *) auparse_interpret_field(au);
+ printf("%s=", auparse_get_field_name(au));
+ print_escape(stdout, fv, "=()");
+ printf(" (");
+ print_escape(stdout, ifv, "=()");
+ printf(") ");
+ }
+ while (auparse_next_field(au) > 0);
+ }
+ printf("\n");
+ }
+ while (auparse_next_record(au) > 0);
+ (*event_cnt)++;
+ }
+}
+
+void usage(void)
+{
+ fprintf(stderr,
+ "usage: auparselol_test [--stdin] [-f file] [--verbose] [--check] [--escape R|T|S|Q]\n");
+}
+
+int main(int argc, char **argv)
+{
+ char *filename = NULL;
+ auparse_esc_t em;
+ FILE *fd;
+#define BUFSZ 2048
+ char buf[BUFSZ];
+ size_t len;
+ int *event_cnt = NULL;
+ auparse_state_t *au;
+ int i;
+ /* Argument parsing */
+ while (1) {
+ int this_option_optind = optind ? optind : 1;
+ int option_index = 0;
+ int c;
+ static struct option long_options[] = {
+ { "verbose", no_argument, 0, 'v'},
+ { "file", required_argument, 0, 'f'},
+ { "stdin", no_argument, 0, 's'},
+ { "check", no_argument, 0, 'c'},
+ { "escape", required_argument, 0, 'e'},
+ { 0, 0, 0, 0}
+ };
+ c = getopt_long(argc, argv, "cvf:e:s", long_options,
+ &option_index);
+ if (c == -1)
+ break;
+ switch (c) {
+ case 'e': /* escape mode */
+ switch (*optarg) {
+ case 'R':
+ case 'r':
+ em = AUPARSE_ESC_RAW;
+ break;
+ case 'T':
+ case 't':
+ em = AUPARSE_ESC_TTY;
+ break;
+ case 'S':
+ case 's':
+ em = AUPARSE_ESC_SHELL;
+ break;
+ case 'Q':
+ case 'q':
+ em = AUPARSE_ESC_SHELL_QUOTE;
+ break;
+ default:
+ fprintf(stderr,
+ "%s: Unknown escape character 0x%2.2X\n",
+ argv[0], *optarg);
+ usage();
+ return 1;
+ }
+ auparse_set_escape_mode(em);
+ break;
+ case 'c': /* check */
+ flags |= F_CHECK;
+ break;
+ case 'v': /* verbose */
+ flags |= F_VERBOSE;
+ break;
+ case 's': /* stdin */
+ flags |= F_USESTDIN;
+ break;
+ case 'f': /* file */
+ filename = optarg;
+ break;
+ case '?':
+ default:
+ fprintf(stderr, "%s: Unknown option 0x%2.2X\n", argv[0], c);
+ usage();
+ return 1;
+ }
+ }
+ if ((flags & F_USESTDIN) && filename != NULL) {
+ fprintf(stderr,
+ "%s: --stdin cannot be used with file argument\n",
+ argv[0]);
+ usage();
+ return 1;
+ }
+ if (!(flags & F_USESTDIN) && filename == NULL) {
+ fprintf(stderr,
+ "%s: Missing --stdin or -f file argument\n", argv[0]);
+ usage();
+ return 1;
+ }
+
+ if ((event_cnt = malloc(sizeof(int))) == NULL) {
+ fprintf(stderr,
+ "%s: No memory to allocate %u bytes\n",
+ argv[0], sizeof(int));
+ return 1;
+ }
+
+ if (flags & F_USESTDIN) {
+ fd = stdin;
+ } else {
+ if ((fd = fopen(filename, "r")) == NULL) {
+ fprintf(stderr, "could not open ’%s’, %s\n",
+ filename, strerror(errno));
+ (void) free(event_cnt);
+ return 1;
+ }
+ }
+
+ au = auparse_init(AUSOURCE_FEED, NULL);
+ *event_cnt = 1;
+ auparse_add_callback(au, auparse_callback, event_cnt, free);
+ i = 0;
+ while ((len = fread(buf, 1, sizeof(buf), fd))) {
+
+ auparse_feed(au, buf, len);
+ i++;
+ }
+ auparse_flush_feed(au);
+ auparse_destroy(au); /* this also free's event_cnt */
+ if (!(flags & F_USESTDIN))
+ fclose(fd);
+ return 0;
+}
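Review bot: In main() the result of auparse_init(AUSOURCE_FEED, NULL) goes straight into auparse_add_callback() and auparse_feed() with no NULL check, and in auparse_callback() the strings returned by auparse_get_field_name(), auparse_get_field_str() and auparse_interpret_field() are handed to strcmp() and print_escape() unchecked. Each of those calls can return NULL on error, so a malformed record in the input log can crash the tool instead of showing up as a diff. Add the checks (print_escape() can simply treat NULL as an empty string). Smaller points: the malloc failure message prints sizeof(int) with %u where %zu is needed; this_option_optind and i are assigned but never used; the header comment tells the reader to run sed -f auparse_patch.sed while the file this patch adds is auditd_raw.sed; and the fopen error message uses typographic quotes around %s rather than ASCII ones.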
diff -Npru audit-2.4.5.orig/auparse/test/auparse_test.py audit-2.4.5/auparse/test/auparse_test.py
--- audit-2.4.5.orig/auparse/test/auparse_test.py 2015-12-19 06:20:59.000000000 +1100
+++ audit-2.4.5/auparse/test/auparse_test.py 2016-01-04 19:15:33.547099344 +1100
@@ -169,6 +169,7 @@ print "Test 2 Done\n"
# Reset, now lets go to beginning and walk the list manually */
print "Starting Test 3, walk events, records of 1 buffer..."
au = auparse.AuParser(auparse.AUSOURCE_BUFFER, buf[1])
+au.reset()
light_test(au);
print "Test 3 Done\n"
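Review bot: The added au.reset() runs on a parser that was constructed on the line just above and has not been read from yet, so it is not clear why Test 3 needs it. If a freshly constructed AUSOURCE_BUFFER parser no longer starts at the first event without a reset, that should be fixed in the library rather than worked around in the test; if the call is there to exercise reset() itself, add a comment saying so.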
@@ -179,7 +180,7 @@ print "Test 4 Done\n"
print "Starting Test 5, walk events, records of 2 files..."
au = auparse.AuParser(auparse.AUSOURCE_FILE_ARRAY, files);
-walk_test(au);
+walk_test(au);
print "Test 5 Done\n"
print "Starting Test 6, search..."
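Review bot: The removed and added walk_test(au); lines read the same, so this looks like a whitespace-only change. Drop it from the patch unless it is intentional, so the diff carries only the functional change.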
diff -Npru audit-2.4.5.orig/auparse/test/auparse_test.ref audit-2.4.5/auparse/test/auparse_test.ref
--- audit-2.4.5.orig/auparse/test/auparse_test.ref 2015-12-19 06:20:59.000000000 +1100
+++ audit-2.4.5/auparse/test/auparse_test.ref 2016-01-03 15:07:51.413250806 +1100
@@ -27,6 +27,21 @@ event 1 has 1 records
auid=848 (unknown(848))
event 2 has 1 records
+ record 1 of type 1112(USER_LOGIN) has 10 fields
+ line=3 file=None
+ event time: 1143146623.879:146, host=?
+ type=USER_LOGIN (USER_LOGIN)
+ pid=2027 (2027)
+ uid=0 (root)
+ auid=848 (unknown(848))
+ uid=848 (unknown(848))
+ exe="/bin/login" (/bin/login)
+ hostname=? (?)
+ addr=? (?)
+ terminal=tty3 (tty3)
+ res=success (success)
+
+event 3 has 1 records
record 1 of type 1300(SYSCALL) has 24 fields
line=2 file=None
event time: 1143146623.875:143, host=?
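Review bot: The new expected output emits the USER_LOGIN event (1143146623.879:146, line=3) as event 2, ahead of the SYSCALL event (1143146623.875:143, line=2), so events here now come out in neither input-line order nor timestamp/serial order. For a change whose purpose is handling out-of-order messages, that needs an explanation in the commit message or the test, because callers that assume events arrive in input order will see different results after this patch.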
@@ -55,21 +70,6 @@ event 2 has 1 records
exe="/bin/login" (/bin/login)
subj=system_u:system_r:local_login_t:s0-s0:c0.c255 (system_u:system_r:local_login_t:s0-s0:c0.c255)
-event 3 has 1 records
- record 1 of type 1112(USER_LOGIN) has 10 fields
- line=3 file=None
- event time: 1143146623.879:146, host=?
- type=USER_LOGIN (USER_LOGIN)
- pid=2027 (2027)
- uid=0 (root)
- auid=848 (unknown(848))
- uid=848 (unknown(848))
- exe="/bin/login" (/bin/login)
- hostname=? (?)
- addr=? (?)
- terminal=tty3 (tty3)
- res=success (success)
-
Test 2 Done
Starting Test 3, walk events, records of 1 buffer...
@@ -560,9 +560,9 @@ auid exists...which is correct
Testing BUFFER_ARRAY, stop on field
Found auid = 848
Testing BUFFER_ARRAY, stop on record
-Found type = SYSCALL
+Found type = USER_LOGIN
Testing BUFFER_ARRAY, stop on event
-Found type = SYSCALL
+Found type = USER_LOGIN
Testing test.log, stop on field
Found auid = 4294967295
Testing test.log, stop on record
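Review bot: The BUFFER_ARRAY "stop on record" and "stop on event" expectations change from SYSCALL to USER_LOGIN, which means the first match returned by a search now follows the new emission order rather than the order of the supplied buffers. That is a behaviour change visible through the search API, not only in the walk output; state in the commit message that it is intended instead of only updating the reference file.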
@@ -595,6 +595,21 @@ event 1 has 1 records
auid=848 (unknown(848))
event 2 has 1 records
+ record 1 of type 1112(USER_LOGIN) has 10 fields
+ line=3 file=None
+ event time: 1143146623.879:146, host=?
+ type=USER_LOGIN (USER_LOGIN)
+ pid=2027 (2027)
+ uid=0 (root)
+ auid=848 (unknown(848))
+ uid=848 (unknown(848))
+ exe="/bin/login" (/bin/login)
+ hostname=? (?)
+ addr=? (?)
+ terminal=tty3 (tty3)
+ res=success (success)
+
+event 3 has 1 records
record 1 of type 1300(SYSCALL) has 24 fields
line=2 file=None
event time: 1143146623.875:143, host=?
@@ -623,21 +638,6 @@ event 2 has 1 records
exe="/bin/login" (/bin/login)
subj=system_u:system_r:local_login_t:s0-s0:c0.c255 (system_u:system_r:local_login_t:s0-s0:c0.c255)
-event 3 has 1 records
- record 1 of type 1112(USER_LOGIN) has 10 fields
- line=3 file=None
- event time: 1143146623.879:146, host=?
- type=USER_LOGIN (USER_LOGIN)
- pid=2027 (2027)
- uid=0 (root)
- auid=848 (unknown(848))
- uid=848 (unknown(848))
- exe="/bin/login" (/bin/login)
- hostname=? (?)
- addr=? (?)
- terminal=tty3 (tty3)
- res=success (success)
-
Test 9 Done
Starting Test 10, file feed...
diff -Npru audit-2.4.5.orig/auparse/test/auparse_test.ref.py audit-2.4.5/auparse/test/auparse_test.ref.py
--- audit-2.4.5.orig/auparse/test/auparse_test.ref.py 2015-12-19 06:20:59.000000000 +1100
+++ audit-2.4.5/auparse/test/auparse_test.ref.py 2016-01-04 19:43:07.617095931 +1100
@@ -19,6 +19,21 @@ event 1 has 1 records
auid=848 (unknown(848))
event 2 has 1 records
+ record 1 of type 1112(USER_LOGIN) has 10 fields
+ line=3 file=None
+ event time: 1143146623.879:146, host=(null)
+ type=USER_LOGIN (USER_LOGIN)
+ pid=2027 (2027)
+ uid=0 (root)
+ auid=848 (unknown(848))
+ uid=848 (unknown(848))
+ exe="/bin/login" (/bin/login)
+ hostname=? (?)
+ addr=? (?)
+ terminal=tty3 (tty3)
+ res=success (success)
+
+event 3 has 1 records
record 1 of type 1300(SYSCALL) has 24 fields
line=2 file=None
event time: 1143146623.875:143, host=(null)
@@ -47,21 +62,6 @@ event 2 has 1 records
exe="/bin/login" (/bin/login)
subj=system_u:system_r:local_login_t:s0-s0:c0.c255 (system_u:system_r:local_login_t:s0-s0:c0.c255)
-event 3 has 1 records
- record 1 of type 1112(USER_LOGIN) has 10 fields
- line=3 file=None
- event time: 1143146623.879:146, host=(null)
- type=USER_LOGIN (USER_LOGIN)
- pid=2027 (2027)
- uid=0 (root)
- auid=848 (unknown(848))
- uid=848 (unknown(848))
- exe="/bin/login" (/bin/login)
- hostname=? (?)
- addr=? (?)
- terminal=tty3 (tty3)
- res=success (success)
-
Test 2 Done
Starting Test 3, walk events, records of 1 buffer...
@@ -552,9 +552,9 @@ auid exists...which is correct
Testing BUFFER_ARRAY, stop on field
Found auid = 848
Testing BUFFER_ARRAY, stop on record
-Found type = SYSCALL
+Found type = USER_LOGIN
Testing BUFFER_ARRAY, stop on event
-Found type = SYSCALL
+Found type = USER_LOGIN
Testing test.log, stop on field
Found auid = 4294967295
Testing test.log, stop on record
@@ -585,6 +585,21 @@ event 1 has 1 records
auid=848 (unknown(848))
event 2 has 1 records
+ record 1 of type 1112(USER_LOGIN) has 10 fields
+ line=3 file=None
+ event time: 1143146623.879:146, host=(null)
+ type=USER_LOGIN (USER_LOGIN)
+ pid=2027 (2027)
+ uid=0 (root)
+ auid=848 (unknown(848))
+ uid=848 (unknown(848))
+ exe="/bin/login" (/bin/login)
+ hostname=? (?)
+ addr=? (?)
+ terminal=tty3 (tty3)
+ res=success (success)
+
+event 3 has 1 records
record 1 of type 1300(SYSCALL) has 24 fields
line=2 file=None
event time: 1143146623.875:143, host=(null)
@@ -613,21 +628,6 @@ event 2 has 1 records
exe="/bin/login" (/bin/login)
subj=system_u:system_r:local_login_t:s0-s0:c0.c255 (system_u:system_r:local_login_t:s0-s0:c0.c255)
-event 3 has 1 records
- record 1 of type 1112(USER_LOGIN) has 10 fields
- line=3 file=None
- event time: 1143146623.879:146, host=(null)
- type=USER_LOGIN (USER_LOGIN)
- pid=2027 (2027)
- uid=0 (root)
- auid=848 (unknown(848))
- uid=848 (unknown(848))
- exe="/bin/login" (/bin/login)
- hostname=? (?)
- addr=? (?)
- terminal=tty3 (tty3)
- res=success (success)
-
Test 9 Done
Starting Test 10, file feed...
diff -Npru audit-2.4.5.orig/auparse/test/Makefile.am audit-2.4.5/auparse/test/Makefile.am
--- audit-2.4.5.orig/auparse/test/Makefile.am 2015-12-19 06:20:59.000000000 +1100
+++ audit-2.4.5/auparse/test/Makefile.am 2016-01-06 21:13:10.321913092 +1100
@@ -22,7 +22,7 @@
CONFIG_CLEAN_FILES = *.loT *.rej *.orig *.cur
AUTOMAKE_OPTIONS = no-dependencies
-check_PROGRAMS = auparse_test
+check_PROGRAMS = auparse_test auparselol_test
dist_check_SCRIPTS = auparse_test.py
EXTRA_DIST = auparse_test.ref auparse_test.ref.py test.log test2.log
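Review bot: EXTRA_DIST is left unchanged here and still lists only auparse_test.ref, auparse_test.ref.py, test.log and test2.log, while the check recipe added further down reads test3.log and auditd_raw.sed. Add both files to EXTRA_DIST, otherwise a tarball produced by make dist will not contain them and make check will fail from a release tree.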
@@ -33,14 +33,22 @@ auparse_test_LDFLAGS = -static
auparse_test_LDADD = ${top_builddir}/auparse/libauparse.la \
${top_builddir}/lib/libaudit.la
+auparselol_test_SOURCES = auparselol_test.c
+auparselol_test_LDFLAGS = -static
+auparselol_test_LDADD = ${top_builddir}/auparse/libauparse.la \
+ ${top_builddir}/lib/libaudit.la
+
drop_srcdir = sed 's,$(srcdir)/test,test,'
-check: auparse_test
+check: auparse_test auparselol_test
test "$(top_srcdir)" = "$(top_builddir)" || \
cp $(top_srcdir)/auparse/test/test*.log .
LC_ALL=C \
./auparse_test > auparse_test.cur
diff -u $(top_srcdir)/auparse/test/auparse_test.ref auparse_test.cur
+ ./auparselol_test -f test3.log --check | sort > auparse_test.cur
+ sed -f ./auditd_raw.sed test3.log | sort > auparse_test.raw
+ diff -u auparse_test.raw auparse_test.cur
if HAVE_PYTHON
cp ${top_builddir}/bindings/swig/python/.libs/_audit.so ${top_builddir}/bindings/swig/python
PYTHONPATH=${top_builddir}/bindings/python/python2/.libs/:${top_builddir}/bindings/swig/python:${top_builddir}/bindings/swig/python/.libs \
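Review bot: The new check lines read the sed script as ./auditd_raw.sed, but the recipe only copies test*.log into the build directory, so in an out-of-tree build the script is not there; refer to it as $(srcdir)/auditd_raw.sed, the way the existing line refers to auparse_test.ref. Two further points on the same three lines: the exit status of ./auparselol_test is hidden by the pipe into sort, so a crash is only noticed if the diff happens to differ, and the output overwrites auparse_test.cur from the first test, which removes the file someone would inspect after a failure; writing to a separate file such as auparselol_test.cur avoids that.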
@@ -51,9 +59,12 @@ if HAVE_PYTHON
endif
echo -e "===================\nAuparse Test Passes\n==================="
-diffcheck: auparse_test
+diffcheck: auparse_test auparselol_test
./auparse_test > auparse_test.cur
diff -u $(srcdir)/auparse_test.ref auparse_test.cur
+ ./auparselol_test -f test3.log --check | sort > auparse_test.cur
+ sed -f ./auditd_raw.sed test3.log | sort > auparse_test.raw
+ diff -u auparse_test.raw auparse_test.cur
memcheck: auparse_test
valgrind --leak-check=yes --show-reachable=yes ./auparse_test
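Review bot: The memcheck target following this hunk still runs valgrind on ./auparse_test only. Since auparselol_test is the program that feeds whole log files through auparse_feed(), it is the one most worth running under valgrind; extend memcheck to depend on it and run it against test3.log.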
@@ -85,6 +96,7 @@ endif
clean-generic:
$(RM) *.cur
+ $(RM) auparse_test.raw
if HAVE_PYTHON
$(RM) ${top_builddir}/bindings/swig/python/_audit.so
endif
diff -Npru audit-2.4.5.orig/auparse/test/Makefile.in audit-2.4.5/auparse/test/Makefile.in
--- audit-2.4.5.orig/auparse/test/Makefile.in 2015-12-19 06:21:09.000000000 +1100
+++ audit-2.4.5/auparse/test/Makefile.in 2016-01-06 21:14:10.499551952 +1100
@@ -110,7 +110,7 @@ POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
target_triplet = @target@
-check_PROGRAMS = auparse_test$(EXEEXT)
+check_PROGRAMS = auparse_test$(EXEEXT) auparselol_test$(EXEEXT)
subdir = auparse/test
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \
@@ -129,6 +129,10 @@ am_auparse_test_OBJECTS = auparse_test.$
auparse_test_OBJECTS = $(am_auparse_test_OBJECTS)
auparse_test_DEPENDENCIES = ${top_builddir}/auparse/libauparse.la \
${top_builddir}/lib/libaudit.la
+am_auparselol_test_OBJECTS = auparselol_test.$(OBJEXT)
+auparselol_test_OBJECTS = $(am_auparselol_test_OBJECTS)
+auparselol_test_DEPENDENCIES = ${top_builddir}/auparse/libauparse.la \
+ ${top_builddir}/lib/libaudit.la
AM_V_lt = $(am__v_lt_@AM_V@)
am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
am__v_lt_0 = --silent
@@ -136,6 +140,9 @@ am__v_lt_1 =
auparse_test_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
$(auparse_test_LDFLAGS) $(LDFLAGS) -o $@
+auparselol_test_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(auparselol_test_LDFLAGS) $(LDFLAGS) -o $@
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
@@ -169,8 +176,8 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@)
am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
am__v_CCLD_0 = @echo " CCLD " $@;
am__v_CCLD_1 =
-SOURCES = $(auparse_test_SOURCES)
-DIST_SOURCES = $(auparse_test_SOURCES)
+SOURCES = $(auparse_test_SOURCES) $(auparselol_test_SOURCES)
+DIST_SOURCES = $(auparse_test_SOURCES) $(auparselol_test_SOURCES)
am__can_run_installinfo = \
case $$AM_UPDATE_INFO_DIR in \
n|no|NO) false;; \
@@ -363,6 +370,10 @@ auparse_test_SOURCES = auparse_test.c
auparse_test_LDFLAGS = -static
auparse_test_LDADD = ${top_builddir}/auparse/libauparse.la \
${top_builddir}/lib/libaudit.la
+auparselol_test_SOURCES = auparselol_test.c
+auparselol_test_LDFLAGS = -static
+auparselol_test_LDADD = ${top_builddir}/auparse/libauparse.la \
+ ${top_builddir}/lib/libaudit.la
drop_srcdir = sed 's,$(srcdir)/test,test,'
all: all-am
@@ -412,6 +423,11 @@ auparse_test$(EXEEXT): $(auparse_test_OB
@rm -f auparse_test$(EXEEXT)
$(AM_V_CCLD)$(auparse_test_LINK) $(auparse_test_OBJECTS) $(auparse_test_LDADD) $(LIBS)
+auparselol_test$(EXEEXT): $(auparselol_test_OBJECTS) $(auparselol_test_DEPENDENCIES) $(EXTRA_auparselol_test_DEPENDENCIES)
+ @rm -f auparselol_test$(EXEEXT)
+ $(AM_V_CCLD)$(auparselol_test_LINK) $(auparselol_test_OBJECTS) $(auparselol_test_LDADD) $(LIBS)
+
+
mostlyclean-compile:
-rm -f *.$(OBJEXT)
@@ -637,12 +653,15 @@ uninstall-am:
.PRECIOUS: Makefile
-check: auparse_test
+check: auparse_test auparselol_test
test "$(top_srcdir)" = "$(top_builddir)" || \
cp $(top_srcdir)/auparse/test/test*.log .
LC_ALL=C \
./auparse_test > auparse_test.cur
diff -u $(top_srcdir)/auparse/test/auparse_test.ref auparse_test.cur
+ ./auparselol_test -f test3.log --check | sort > auparse_test.cur
+ sed -f ./auditd_raw.sed test3.log | sort > auparse_test.raw
+ diff -u auparse_test.raw auparse_test.cur
@HAVE_PYTHON_TRUE@ cp ${top_builddir}/bindings/swig/python/.libs/_audit.so ${top_builddir}/bindings/swig/python
@HAVE_PYTHON_TRUE@ PYTHONPATH=${top_builddir}/bindings/python/python2/.libs/:${top_builddir}/bindings/swig/python:${top_builddir}/bindings/swig/python/.libs \
@HAVE_PYTHON_TRUE@ LD_LIBRARY_PATH=${top_builddir}/auparse/.libs \
@@ -654,6 +673,9 @@ check: auparse_test
diffcheck: auparse_test
./auparse_test > auparse_test.cur
diff -u $(srcdir)/auparse_test.ref auparse_test.cur
+ ./auparselol_test -f test3.log --check | sort > auparse_test.cur
+ sed -f ./auditd_raw.sed test3.log | sort > auparse_test.raw
+ diff -u auparse_test.raw auparse_test.cur
memcheck: auparse_test
valgrind --leak-check=yes --show-reachable=yes ./auparse_test
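Review bot: The diffcheck rule in this hunk keeps the prerequisite line diffcheck: auparse_test, while the Makefile.am part of the same patch changes it to diffcheck: auparse_test auparselol_test, so this Makefile.in does not match what automake would generate from the patched Makefile.am. Makefile.in is generated output; drop it from the patch and let it be regenerated, which also removes this kind of drift.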
@@ -679,6 +701,7 @@ pymemcheck: auparse_test.py
clean-generic:
$(RM) *.cur
+ $(RM) auparse_test.raw
@HAVE_PYTHON_TRUE@ $(RM) ${top_builddir}/bindings/swig/python/_audit.so
test "$(top_srcdir)" = "$(top_builddir)" || $(RM) test*.log
diff -Npru audit-2.4.5.orig/auparse/test/test3.log audit-2.4.5/auparse/test/test3.log
--- audit-2.4.5.orig/auparse/test/test3.log 1970-01-01 10:00:00.000000000 +1000
+++ audit-2.4.5/auparse/test/test3.log 2016-01-06 20:45:12.183983969 +1100
@@ -0,0 +1,1184 @@
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.389:194432): arch=c000003e syscall=1 success=yes exit=1 a0=9 a1=564201849ef9 a2=1 a3=0 items=0 ppid=1271 pid=1281 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.393:194431): arch=c000003e syscall=13 success=yes exit=0 a0=7 a1=7ffd42eb1590 a2=0 a3=8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.393:194431): proctitle="bash"
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.389:194432): proctitle=737368643A206275726E205B707269765D
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.394:194434): arch=c000003e syscall=228 success=yes exit=0 a0=7 a1=7ffdac6fe940 a2=564201867510 a3=a items=0 ppid=1271 pid=1281 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.394:194434): proctitle=737368643A206275726E205B707269765D
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.394:194435): arch=c000003e syscall=23 success=yes exit=1 a0=c a1=56420184ade0 a2=564201867510 a3=0 items=0 ppid=1271 pid=1281 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.394:194433): arch=c000003e syscall=13 success=yes exit=0 a0=b a1=7ffd42eb1590 a2=0 a3=8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.394:194433): proctitle="bash"
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.394:194435): proctitle=737368643A206275726E205B707269765D
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.394:194436): arch=c000003e syscall=13 success=yes exit=0 a0=1f a1=7ffd42eb1590 a2=0 a3=8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.394:194437): arch=c000003e syscall=14 success=yes exit=0 a0=0 a1=7ffdac6fe9a0 a2=7ffdac6fe920 a3=8 items=0 ppid=1271 pid=1281 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.394:194436): proctitle="bash"
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.394:194437): proctitle=737368643A206275726E205B707269765D
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.394:194438): arch=c000003e syscall=13 success=yes exit=0 a0=d a1=7ffd42eb1590 a2=0 a3=8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.394:194439): arch=c000003e syscall=14 success=yes exit=0 a0=2 a1=7ffdac6fe920 a2=0 a3=8 items=0 ppid=1271 pid=1281 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.394:194439): proctitle=737368643A206275726E205B707269765D
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.394:194440): arch=c000003e syscall=228 success=yes exit=0 a0=7 a1=7ffdac6fe9c0 a2=564201867510 a3=8 items=0 ppid=1271 pid=1281 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.394:194438): proctitle="bash"
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.394:194440): proctitle=737368643A206275726E205B707269765D
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.394:194441): arch=c000003e syscall=13 success=yes exit=0 a0=e a1=7ffd42eb1590 a2=0 a3=8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.394:194442): arch=c000003e syscall=0 success=yes exit=2 a0=b a1=7ffdac6fa900 a2=4000 a3=8 items=0 ppid=1271 pid=1281 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.394:194441): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.394:194443): arch=c000003e syscall=13 success=yes exit=0 a0=18 a1=7ffd42eb1590 a2=0 a3=8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.394:194442): proctitle=737368643A206275726E205B707269765D
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.394:194444): arch=c000003e syscall=228 success=yes exit=0 a0=7 a1=7ffdac6fe940 a2=564201867510 a3=4000000 items=0 ppid=1271 pid=1281 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.394:194443): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.394:194445): arch=c000003e syscall=13 success=yes exit=0 a0=19 a1=7ffd42eb1590 a2=0 a3=8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.394:194444): proctitle=737368643A206275726E205B707269765D
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.394:194446): arch=c000003e syscall=23 success=yes exit=1 a0=c a1=56420184ade0 a2=564201867510 a3=0 items=0 ppid=1271 pid=1281 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.394:194445): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.394:194447): arch=c000003e syscall=13 success=yes exit=0 a0=1a a1=7ffd42eb1590 a2=0 a3=8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.394:194446): proctitle=737368643A206275726E205B707269765D
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.394:194448): arch=c000003e syscall=14 success=yes exit=0 a0=0 a1=7ffdac6fe9a0 a2=7ffdac6fe920 a3=8 items=0 ppid=1271 pid=1281 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.394:194447): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.394:194449): arch=c000003e syscall=13 success=yes exit=0 a0=a a1=7ffd42eb1590 a2=0 a3=8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.394:194449): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.395:194450): arch=c000003e syscall=13 success=yes exit=0 a0=c a1=7ffd42eb1590 a2=0 a3=8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.395:194450): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.395:194451): arch=c000003e syscall=13 success=yes exit=0 a0=2 a1=7ffd42eb14a0 a2=7ffd42eb1540 a3=8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.395:194451): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.395:194452): arch=c000003e syscall=13 success=yes exit=0 a0=3 a1=7ffd42eb14a0 a2=7ffd42eb1540 a3=8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.394:194448): proctitle=737368643A206275726E205B707269765D
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.395:194453): arch=c000003e syscall=14 success=yes exit=0 a0=2 a1=7ffdac6fe920 a2=0 a3=8 items=0 ppid=1271 pid=1281 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.395:194452): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.395:194454): arch=c000003e syscall=13 success=yes exit=0 a0=f a1=7ffd42eb14a0 a2=7ffd42eb1540 a3=8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.395:194453): proctitle=737368643A206275726E205B707269765D
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.395:194454): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.395:194456): arch=c000003e syscall=13 success=yes exit=0 a0=11 a1=7ffd42eb14a0 a2=7ffd42eb1540 a3=8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.395:194456): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.395:194455): arch=c000003e syscall=228 success=yes exit=0 a0=7 a1=7ffdac6fe9c0 a2=564201867510 a3=8 items=0 ppid=1271 pid=1281 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.395:194455): proctitle=737368643A206275726E205B707269765D
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.395:194457): arch=c000003e syscall=1 success=yes exit=52 a0=3 a1=564201869ecc a2=34 a3=8 items=0 ppid=1271 pid=1281 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.395:194457): proctitle=737368643A206275726E205B707269765D
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.395:194458): arch=c000003e syscall=228 success=yes exit=0 a0=7 a1=7ffdac6fe940 a2=564201867510 a3=a items=0 ppid=1271 pid=1281 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.395:194458): proctitle=737368643A206275726E205B707269765D
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.395:194459): arch=c000003e syscall=59 success=yes exit=0 a0=564bb1bed930 a1=564bb1c5ea70 a2=564bb1ba9940 a3=564bb1c5ea60 items=2 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=EXECVE msg=audit(1451781471.395:194459): argc=2 a0="adduser" a1="frodo"
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.395:194459): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.395:194459): item=0 name="/sbin/adduser" inode=67499895 dev=fd:00 mode=0100750 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:useradd_exec_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.395:194459): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=67179931 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.395:194459): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.465:194460): arch=c000003e syscall=12 success=yes exit=93890234830848 a0=0 a1=55648560ba00 a2=7ffc382eed18 a3=1 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.465:194460): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.465:194461): arch=c000003e syscall=9 success=yes exit=139684642189312 a0=0 a1=1000 a2=3 a3=22 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.465:194461): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.466:194462): arch=c000003e syscall=21 success=no exit=-2 a0=7f0add5a5e10 a1=4 a2=0 a3=22 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.466:194462): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.466:194462): item=0 name="/etc/ld.so.preload" nametype=UNKNOWN
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.466:194462): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.466:194463): arch=c000003e syscall=2 success=yes exit=3 a0=7f0add5a4761 a1=80000 a2=1 a3=7f0add7aa460 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.466:194463): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.466:194463): item=0 name="/etc/ld.so.cache" inode=67217436 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:ld_so_cache_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.466:194463): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.467:194464): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7ffc382ee1a0 a2=7ffc382ee1a0 a3=7f0add7aa460 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.467:194464): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.467:194465): arch=c000003e syscall=9 success=yes exit=139684642148352 a0=0 a1=90d3 a2=1 a3=2 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=MMAP msg=audit(1451781471.467:194465): fd=3 flags=0x2
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.467:194465): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.467:194466): arch=c000003e syscall=3 success=yes exit=0 a0=3 a1=90d3 a2=1 a3=2 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.467:194466): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.467:194467): arch=c000003e syscall=2 success=yes exit=3 a0=7f0add7a7640 a1=80000 a2=7f0add7aa148 a3=7f0add7a5a9f items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.467:194467): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.467:194467): item=0 name="/lib64/libaudit.so.1" inode=67217469 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:lib_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.467:194467): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.467:194468): arch=c000003e syscall=0 success=yes exit=832 a0=3 a1=7ffc382ee330 a2=340 a3=7f0add7a5a9f items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.467:194468): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.467:194469): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7ffc382ee1e0 a2=7ffc382ee1e0 a3=0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.467:194469): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.467:194470): arch=c000003e syscall=9 success=yes exit=139684637708288 a0=0 a1=226048 a2=5 a3=802 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=MMAP msg=audit(1451781471.467:194470): fd=3 flags=0x802
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.467:194470): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.467:194471): arch=c000003e syscall=10 success=yes exit=0 a0=7f0add37d000 a1=1ff000 a2=0 a3=5 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.467:194471): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.468:194472): arch=c000003e syscall=9 success=yes exit=139684639916032 a0=7f0add57c000 a1=2000 a2=3 a3=812 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=MMAP msg=audit(1451781471.468:194472): fd=3 flags=0x812
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.468:194472): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.468:194473): arch=c000003e syscall=9 success=yes exit=139684639924224 a0=7f0add57e000 a1=9048 a2=3 a3=32 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.468:194473): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.468:194474): arch=c000003e syscall=3 success=yes exit=0 a0=3 a1=7f0add7a7698 a2=0 a3=31 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.468:194474): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.468:194475): arch=c000003e syscall=2 success=yes exit=3 a0=7f0add7a7b10 a1=80000 a2=7f0add7aa148 a3=7f0add7a1ef9 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.468:194475): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.468:194475): item=0 name="/lib64/libselinux.so.1" inode=67217403 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:lib_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.468:194475): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.468:194476): arch=c000003e syscall=0 success=yes exit=832 a0=3 a1=7ffc382ee300 a2=340 a3=7f0add7a1ef9 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.468:194476): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.468:194477): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7ffc382ee1b0 a2=7ffc382ee1b0 a3=0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.468:194477): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.468:194478): arch=c000003e syscall=9 success=yes exit=139684635467776 a0=0 a1=222340 a2=5 a3=802 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=MMAP msg=audit(1451781471.468:194478): fd=3 flags=0x802
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.468:194478): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.468:194479): arch=c000003e syscall=10 success=yes exit=0 a0=7f0add15d000 a1=200000 a2=0 a3=5 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.468:194479): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.468:194480): arch=c000003e syscall=9 success=yes exit=139684637691904 a0=7f0add35d000 a1=2000 a2=3 a3=812 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=MMAP msg=audit(1451781471.468:194480): fd=3 flags=0x812
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.468:194480): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.469:194481): arch=c000003e syscall=9 success=yes exit=139684637700096 a0=7f0add35f000 a1=1340 a2=3 a3=32 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.469:194481): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.469:194482): arch=c000003e syscall=3 success=yes exit=0 a0=3 a1=7f0add7a7b68 a2=0 a3=31 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.469:194482): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.469:194483): arch=c000003e syscall=2 success=yes exit=3 a0=7f0add7a7fe0 a1=80000 a2=7f0add7aa148 a3=7f0add7a1ed1 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.469:194483): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.469:194483): item=0 name="/lib64/libsemanage.so.1" inode=67499860 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:lib_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.469:194483): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.469:194484): arch=c000003e syscall=0 success=yes exit=832 a0=3 a1=7ffc382ee2d0 a2=340 a3=7f0add7a1ed1 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.469:194484): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.479:194485): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7ffc382ee180 a2=7ffc382ee180 a3=0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.479:194485): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.479:194486): arch=c000003e syscall=9 success=yes exit=139684642144256 a0=0 a1=1000 a2=3 a3=22 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.479:194486): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.479:194487): arch=c000003e syscall=9 success=yes exit=139684633133056 a0=0 a1=239a88 a2=5 a3=802 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=MMAP msg=audit(1451781471.479:194487): fd=3 flags=0x802
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.479:194487): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.479:194488): arch=c000003e syscall=10 success=yes exit=0 a0=7f0adcf3d000 a1=1ff000 a2=0 a3=5 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.479:194488): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.479:194489): arch=c000003e syscall=9 success=yes exit=139684635459584 a0=7f0add13c000 a1=2000 a2=3 a3=812 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=MMAP msg=audit(1451781471.479:194489): fd=3 flags=0x812
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.479:194489): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.481:194490): arch=c000003e syscall=3 success=yes exit=0 a0=3 a1=7f0add79c040 a2=0 a3=31 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.481:194490): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.483:194491): arch=c000003e syscall=2 success=yes exit=3 a0=7f0add79c4c0 a1=80000 a2=7f0add7aa148 a3=7f0add7a5cdc items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.483:194491): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.483:194491): item=0 name="/lib64/libacl.so.1" inode=67217664 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:lib_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.483:194491): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.483:194492): arch=c000003e syscall=0 success=yes exit=832 a0=3 a1=7ffc382ee2a0 a2=340 a3=7f0add7a5cdc items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.483:194492): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.483:194493): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7ffc382ee150 a2=7ffc382ee150 a3=0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.483:194493): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.483:194494): arch=c000003e syscall=9 success=yes exit=139684630999040 a0=0 a1=208080 a2=5 a3=802 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=MMAP msg=audit(1451781471.483:194494): fd=3 flags=0x802
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.483:194494): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.483:194495): arch=c000003e syscall=10 success=yes exit=0 a0=7f0adcd03000 a1=1ff000 a2=0 a3=5 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.483:194495): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.483:194496): arch=c000003e syscall=9 success=yes exit=139684633124864 a0=7f0adcf02000 a1=2000 a2=3 a3=812 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=MMAP msg=audit(1451781471.483:194496): fd=3 flags=0x812
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.483:194496): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.483:194497): arch=c000003e syscall=3 success=yes exit=0 a0=3 a1=7f0add79c518 a2=0 a3=31 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.483:194497): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.483:194498): arch=c000003e syscall=2 success=yes exit=3 a0=7f0add79c990 a1=80000 a2=7f0add7aa148 a3=7f0add7a5ac1 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.483:194498): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.483:194498): item=0 name="/lib64/libattr.so.1" inode=67217654 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:lib_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.483:194498): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.483:194499): arch=c000003e syscall=0 success=yes exit=832 a0=3 a1=7ffc382ee270 a2=340 a3=7f0add7a5ac1 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.483:194499): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.483:194500): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7ffc382ee120 a2=7ffc382ee120 a3=0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.483:194500): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.483:194501): arch=c000003e syscall=9 success=yes exit=139684628877312 a0=0 a1=205010 a2=5 a3=802 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=MMAP msg=audit(1451781471.483:194501): fd=3 flags=0x802
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.483:194501): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.483:194502): arch=c000003e syscall=10 success=yes exit=0 a0=7f0adcaf9000 a1=200000 a2=0 a3=5 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.483:194502): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.484:194503): arch=c000003e syscall=9 success=yes exit=139684630990848 a0=7f0adccf9000 a1=1000 a2=3 a3=812 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=MMAP msg=audit(1451781471.484:194503): fd=3 flags=0x812
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.484:194503): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.484:194504): arch=c000003e syscall=9 success=yes exit=139684630994944 a0=7f0adccfa000 a1=10 a2=3 a3=32 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.484:194504): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.484:194505): arch=c000003e syscall=3 success=yes exit=0 a0=3 a1=7f0add79c9e8 a2=0 a3=31 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.484:194505): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.484:194506): arch=c000003e syscall=2 success=yes exit=3 a0=7f0add79ce60 a1=80000 a2=7f0add7aa148 a3=7f0add7a575f items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.484:194506): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.484:194506): item=0 name="/lib64/libc.so.6" inode=67179938 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:lib_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.484:194506): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.484:194507): arch=c000003e syscall=0 success=yes exit=832 a0=3 a1=7ffc382ee240 a2=340 a3=7f0add7a575f items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.484:194507): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.484:194508): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7ffc382ee0f0 a2=7ffc382ee0f0 a3=0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.484:194508): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.484:194509): arch=c000003e syscall=9 success=yes exit=139684642140160 a0=0 a1=1000 a2=3 a3=22 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.484:194509): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.484:194510): arch=c000003e syscall=9 success=yes exit=139684624941056 a0=0 a1=3c0a40 a2=5 a3=802 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=MMAP msg=audit(1451781471.484:194510): fd=3 flags=0x802
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.484:194510): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.484:194511): arch=c000003e syscall=10 success=yes exit=0 a0=7f0adc8eb000 a1=200000 a2=0 a3=5 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.484:194511): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.485:194512): arch=c000003e syscall=9 success=yes exit=139684628836352 a0=7f0adcaeb000 a1=6000 a2=3 a3=812 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=MMAP msg=audit(1451781471.485:194512): fd=3 flags=0x812
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.485:194512): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.485:194513): arch=c000003e syscall=9 success=yes exit=139684628860928 a0=7f0adcaf1000 a1=3a40 a2=3 a3=32 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.485:194513): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.485:194514): arch=c000003e syscall=3 success=yes exit=0 a0=3 a1=7f0add79b040 a2=0 a3=31 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.485:194514): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.485:194515): arch=c000003e syscall=2 success=yes exit=3 a0=7f0add79b4e0 a1=80000 a2=7f0add7a7b28 a3=7f0add7a2e66 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.485:194515): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.485:194515): item=0 name="/lib64/libpcre.so.1" inode=67217393 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:lib_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.485:194515): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.485:194516): arch=c000003e syscall=0 success=yes exit=832 a0=3 a1=7ffc382edfe0 a2=340 a3=7f0add7a2e66 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.485:194516): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.485:194517): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7ffc382ede90 a2=7ffc382ede90 a3=0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.485:194517): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.485:194518): arch=c000003e syscall=9 success=yes exit=139684622385152 a0=0 a1=26f108 a2=5 a3=802 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=MMAP msg=audit(1451781471.485:194518): fd=3 flags=0x802
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.485:194518): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.485:194519): arch=c000003e syscall=10 success=yes exit=0 a0=7f0adc533000 a1=1ff000 a2=0 a3=5 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.485:194519): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.485:194520): arch=c000003e syscall=9 success=yes exit=139684624932864 a0=7f0adc732000 a1=2000 a2=3 a3=812 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=MMAP msg=audit(1451781471.485:194520): fd=3 flags=0x812
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.485:194520): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.486:194521): arch=c000003e syscall=3 success=yes exit=0 a0=3 a1=7f0add79b538 a2=0 a3=31 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.486:194521): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.486:194522): arch=c000003e syscall=2 success=yes exit=3 a0=7f0add79b9b0 a1=80000 a2=7f0add7a7b28 a3=7f0add7a4ff9 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.486:194522): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.486:194522): item=0 name="/lib64/libdl.so.2" inode=67179944 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:lib_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.486:194522): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.486:194523): arch=c000003e syscall=0 success=yes exit=832 a0=3 a1=7ffc382edfb0 a2=340 a3=7f0add7a4ff9 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.486:194523): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.486:194524): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7ffc382ede60 a2=7ffc382ede60 a3=0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.486:194524): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.486:194525): arch=c000003e syscall=9 success=yes exit=139684620271616 a0=0 a1=203110 a2=5 a3=802 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=MMAP msg=audit(1451781471.486:194525): fd=3 flags=0x802
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.486:194525): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.486:194526): arch=c000003e syscall=10 success=yes exit=0 a0=7f0adc2c3000 a1=1ff000 a2=0 a3=5 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.486:194526): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.486:194527): arch=c000003e syscall=9 success=yes exit=139684622376960 a0=7f0adc4c2000 a1=2000 a2=3 a3=812 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=MMAP msg=audit(1451781471.486:194527): fd=3 flags=0x812
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.486:194527): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.486:194528): arch=c000003e syscall=3 success=yes exit=0 a0=3 a1=7f0add79ba08 a2=0 a3=31 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.486:194528): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.486:194529): arch=c000003e syscall=2 success=yes exit=3 a0=7f0add79bed8 a1=80000 a2=7f0add79c000 a3=7f0add7a1e84 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.486:194529): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.486:194529): item=0 name="/lib64/libsepol.so.1" inode=67215246 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:lib_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.486:194529): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.487:194530): arch=c000003e syscall=0 success=yes exit=832 a0=3 a1=7ffc382ede10 a2=340 a3=7f0add7a1e84 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.487:194530): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.487:194531): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7ffc382edcc0 a2=7ffc382edcc0 a3=0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.487:194531): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.487:194532): arch=c000003e syscall=9 success=yes exit=139684642136064 a0=0 a1=1000 a2=3 a3=22 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.487:194532): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.487:194533): arch=c000003e syscall=9 success=yes exit=139684617633792 a0=0 a1=283390 a2=5 a3=802 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=MMAP msg=audit(1451781471.487:194533): fd=3 flags=0x802
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.487:194533): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.487:194534): arch=c000003e syscall=10 success=yes exit=0 a0=7f0adc0bd000 a1=200000 a2=0 a3=5 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.487:194534): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.487:194535): arch=c000003e syscall=9 success=yes exit=139684620259328 a0=7f0adc2bd000 a1=2000 a2=3 a3=812 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=MMAP msg=audit(1451781471.487:194535): fd=3 flags=0x812
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.487:194535): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.487:194536): arch=c000003e syscall=9 success=yes exit=139684620267520 a0=7f0adc2bf000 a1=390 a2=3 a3=32 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.487:194536): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.487:194537): arch=c000003e syscall=3 success=yes exit=0 a0=3 a1=7f0add79a040 a2=0 a3=31 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.487:194537): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.487:194538): arch=c000003e syscall=2 success=yes exit=3 a0=7f0add79a4b8 a1=80000 a2=7f0add79c000 a3=7f0add7a577c items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.487:194538): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.487:194538): item=0 name="/lib64/libbz2.so.1" inode=67217453 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:lib_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.487:194538): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.488:194539): arch=c000003e syscall=0 success=yes exit=832 a0=3 a1=7ffc382edde0 a2=340 a3=7f0add7a577c items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.488:194539): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.488:194540): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7ffc382edc90 a2=7ffc382edc90 a3=0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.488:194540): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.488:194541): arch=c000003e syscall=9 success=yes exit=139684615471104 a0=0 a1=20fc08 a2=5 a3=802 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=MMAP msg=audit(1451781471.488:194541): fd=3 flags=0x802
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.488:194541): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.488:194542): arch=c000003e syscall=10 success=yes exit=0 a0=7f0adbe3b000 a1=1ff000 a2=0 a3=5 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.488:194542): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.488:194543): arch=c000003e syscall=9 success=yes exit=139684617625600 a0=7f0adc03a000 a1=2000 a2=3 a3=812 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=MMAP msg=audit(1451781471.488:194543): fd=3 flags=0x812
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.488:194543): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.488:194544): arch=c000003e syscall=3 success=yes exit=0 a0=3 a1=7f0add79a510 a2=0 a3=31 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.488:194544): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.488:194545): arch=c000003e syscall=2 success=yes exit=3 a0=7f0add79a988 a1=80000 a2=7f0add79c000 a3=7f0add7a1628 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.488:194545): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.488:194545): item=0 name="/lib64/libustr-1.0.so.1" inode=67499861 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:lib_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.488:194545): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.488:194546): arch=c000003e syscall=0 success=yes exit=832 a0=3 a1=7ffc382eddb0 a2=340 a3=7f0add7a1628 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.488:194546): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.489:194547): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7ffc382edc60 a2=7ffc382edc60 a3=0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.489:194547): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.489:194548): arch=c000003e syscall=9 success=yes exit=139684613148672 a0=0 a1=236600 a2=5 a3=802 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=MMAP msg=audit(1451781471.489:194548): fd=3 flags=0x802
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.489:194548): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.490:194549): arch=c000003e syscall=10 success=yes exit=0 a0=7f0adbc2b000 a1=1ff000 a2=0 a3=5 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.490:194549): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.490:194550): arch=c000003e syscall=9 success=yes exit=139684615462912 a0=7f0adbe2a000 a1=2000 a2=3 a3=812 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=MMAP msg=audit(1451781471.490:194550): fd=3 flags=0x812
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.490:194550): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.491:194551): arch=c000003e syscall=3 success=yes exit=0 a0=3 a1=7f0add79a9e0 a2=0 a3=31 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.491:194551): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.492:194552): arch=c000003e syscall=2 success=yes exit=3 a0=7f0add79af60 a1=80000 a2=7f0add79b4f8 a3=7f0add7a2455 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.492:194552): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.492:194552): item=0 name="/lib64/libpthread.so.0" inode=67179966 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:lib_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.492:194552): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.492:194553): arch=c000003e syscall=0 success=yes exit=832 a0=3 a1=7ffc382edd80 a2=340 a3=7f0add7a2455 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.492:194553): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.492:194554): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7ffc382edc30 a2=7ffc382edc30 a3=0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.492:194554): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.492:194555): arch=c000003e syscall=9 success=yes exit=139684642131968 a0=0 a1=1000 a2=3 a3=22 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.492:194555): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.492:194556): arch=c000003e syscall=9 success=yes exit=139684610932736 a0=0 a1=21c4b0 a2=5 a3=802 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=MMAP msg=audit(1451781471.492:194556): fd=3 flags=0x802
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.492:194556): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.492:194557): arch=c000003e syscall=10 success=yes exit=0 a0=7f0adb9f0000 a1=1ff000 a2=0 a3=5 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.492:194557): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.492:194558): arch=c000003e syscall=9 success=yes exit=139684613124096 a0=7f0adbbef000 a1=2000 a2=3 a3=812 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=MMAP msg=audit(1451781471.492:194558): fd=3 flags=0x812
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.492:194558): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.492:194559): arch=c000003e syscall=9 success=yes exit=139684613132288 a0=7f0adbbf1000 a1=34b0 a2=3 a3=32 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.492:194559): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.493:194560): arch=c000003e syscall=3 success=yes exit=0 a0=3 a1=7f0add799040 a2=0 a3=31 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.493:194560): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.493:194561): arch=c000003e syscall=9 success=yes exit=139684642127872 a0=0 a1=1000 a2=3 a3=22 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.493:194561): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.493:194562): arch=c000003e syscall=9 success=yes exit=139684642119680 a0=0 a1=2000 a2=3 a3=22 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.493:194562): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.493:194563): arch=c000003e syscall=158 success=yes exit=0 a0=1002 a1=7f0add796800 a2=7f0add798000 a3=22 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.493:194563): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.493:194564): arch=c000003e syscall=10 success=yes exit=0 a0=7f0adcaeb000 a1=4000 a2=1 a3=4 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.493:194564): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.493:194565): arch=c000003e syscall=10 success=yes exit=0 a0=7f0adbbef000 a1=1000 a2=1 a3=7f0adbbefff0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.493:194565): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.493:194566): arch=c000003e syscall=10 success=yes exit=0 a0=7f0adbe2a000 a1=1000 a2=1 a3=7f0adbe2b588 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.493:194566): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.493:194567): arch=c000003e syscall=10 success=yes exit=0 a0=7f0adc03a000 a1=1000 a2=1 a3=7f0adc03afa8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.493:194567): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.494:194568): arch=c000003e syscall=10 success=yes exit=0 a0=7f0adc2bd000 a1=1000 a2=1 a3=7f0adc2bdff0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.494:194568): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.494:194569): arch=c000003e syscall=10 success=yes exit=0 a0=7f0adc4c2000 a1=1000 a2=1 a3=7f0adc4c2ff8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.494:194569): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.494:194570): arch=c000003e syscall=10 success=yes exit=0 a0=7f0adc732000 a1=1000 a2=1 a3=7f0adc732f80 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.494:194570): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.494:194571): arch=c000003e syscall=10 success=yes exit=0 a0=7f0adccf9000 a1=1000 a2=1 a3=7f0adccf9fc8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.494:194571): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.494:194572): arch=c000003e syscall=10 success=yes exit=0 a0=7f0adcf02000 a1=1000 a2=1 a3=7f0adcf02fa8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.494:194572): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.494:194573): arch=c000003e syscall=10 success=yes exit=0 a0=7f0add57c000 a1=1000 a2=1 a3=7f0add57cf98 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.494:194573): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.494:194574): arch=c000003e syscall=10 success=yes exit=0 a0=7f0add35d000 a1=1000 a2=1 a3=7f0add35df60 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.494:194574): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.495:194575): arch=c000003e syscall=10 success=yes exit=0 a0=7f0add13c000 a1=1000 a2=1 a3=7f0add13cfa8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.495:194575): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.495:194576): arch=c000003e syscall=10 success=yes exit=0 a0=55648581e000 a1=2000 a2=1 a3=55648581ffb8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.495:194576): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.495:194577): arch=c000003e syscall=10 success=yes exit=0 a0=7f0add7a8000 a1=1000 a2=1 a3=7f0add7a8fd8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.495:194577): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.495:194578): arch=c000003e syscall=11 success=yes exit=0 a0=7f0add79d000 a1=90d3 a2=def00000000 a3=7f0add7a8fd8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.495:194578): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.495:194579): arch=c000003e syscall=218 success=yes exit=1321 a0=7f0add796ad0 a1=7ffc382eeb38 a2=7f0add796800 a3=7f0add7a8fd8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.495:194579): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.495:194580): arch=c000003e syscall=273 success=yes exit=0 a0=7f0add796ae0 a1=18 a2=7f0add796800 a3=7f0add7a8fd8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.495:194580): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.496:194581): arch=c000003e syscall=13 success=yes exit=0 a0=20 a1=7ffc382ee880 a2=0 a3=8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.496:194581): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.496:194582): arch=c000003e syscall=13 success=yes exit=0 a0=21 a1=7ffc382ee880 a2=0 a3=8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.496:194582): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.496:194583): arch=c000003e syscall=14 success=yes exit=0 a0=1 a1=7ffc382ee9f8 a2=0 a3=8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.496:194583): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.496:194584): arch=c000003e syscall=97 success=yes exit=0 a0=3 a1=7ffc382ee9e0 a2=3f a3=1a items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.496:194584): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.496:194585): arch=c000003e syscall=137 success=yes exit=0 a0=7f0add157762 a1=7ffc382ee9b0 a2=fffffffffff468f2 a3=206d7 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.496:194585): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.496:194585): item=0 name="/sys/fs/selinux" inode=1 dev=00:10 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:security_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.496:194585): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.496:194586): arch=c000003e syscall=137 success=yes exit=0 a0=7f0add157762 a1=7ffc382ee8a0 a2=fffffffffff468f2 a3=206d7 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.496:194586): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.496:194586): item=0 name="/sys/fs/selinux" inode=1 dev=00:10 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:security_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.496:194586): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.497:194587): arch=c000003e syscall=12 success=yes exit=93890234830848 a0=0 a1=7f0adcaefb40 a2=21000 a3=21000 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.497:194587): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.497:194588): arch=c000003e syscall=12 success=yes exit=93890234966016 a0=5564861a6000 a1=7f0adcaefb40 a2=556486185000 a3=21000 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.497:194588): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.497:194589): arch=c000003e syscall=21 success=yes exit=0 a0=7f0add157249 a1=0 a2=7f0add35f1e0 a3=21000 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.497:194589): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.497:194589): item=0 name="/etc/selinux/config" inode=100888462 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:selinux_config_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.497:194589): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.497:194590): arch=c000003e syscall=2 success=yes exit=3 a0=7f0adc8bfe60 a1=80000 a2=0 a3=7f0adcaefba8 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.497:194590): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.497:194590): item=0 name="/usr/lib/locale/locale-archive" inode=34297353 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:locale_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.497:194590): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.497:194591): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7f0adcaf09a0 a2=7f0adcaf09a0 a3=7f0adcaefba8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.497:194591): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.497:194592): arch=c000003e syscall=9 success=yes exit=139684500492288 a0=0 a1=6952b40 a2=1 a3=2 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=MMAP msg=audit(1451781471.497:194592): fd=3 flags=0x2
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.497:194592): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.497:194593): arch=c000003e syscall=3 success=yes exit=0 a0=3 a1=6952b40 a2=616f a3=2 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.497:194593): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.497:194594): arch=c000003e syscall=41 success=yes exit=3 a0=10 a1=3 a2=9 a3=7f0adcaefba8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.497:194594): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.497:194595): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=2 a2=1 a3=7f0adcaefba8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.497:194595): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.497:194596): arch=c000003e syscall=2 success=yes exit=4 a0=5564858203e0 a1=0 a2=1b6 a3=0 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.497:194596): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.497:194596): item=0 name="/etc/login.defs" inode=67499881 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.497:194596): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.497:194597): arch=c000003e syscall=5 success=yes exit=0 a0=4 a1=7ffc382ee3e0 a2=7ffc382ee3e0 a3=7f0add796800 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.497:194597): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.498:194598): arch=c000003e syscall=9 success=yes exit=139684642185216 a0=0 a1=1000 a2=3 a3=22 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.498:194598): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.498:194599): arch=c000003e syscall=0 success=yes exit=2028 a0=4 a1=7f0add7a6000 a2=1000 a3=22 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.498:194599): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.498:194600): arch=c000003e syscall=0 success=yes exit=0 a0=4 a1=7f0add7a6000 a2=1000 a3=7f0add796800 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.498:194600): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.498:194601): arch=c000003e syscall=3 success=yes exit=0 a0=4 a1=1 a2=556486186130 a3=7f0add796800 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.498:194601): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.498:194602): arch=c000003e syscall=11 success=yes exit=0 a0=7f0add7a6000 a1=1000 a2=0 a3=7f0add796800 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.498:194602): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.498:194603): arch=c000003e syscall=2 success=yes exit=4 a0=7f0adc8bc6f2 a1=0 a2=ea60 a3=0 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.498:194603): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.498:194603): item=0 name="/proc/sys/kernel/ngroups_max" inode=17243 dev=00:04 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:sysctl_kernel_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.498:194603): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.498:194604): arch=c000003e syscall=0 success=yes exit=6 a0=4 a1=7ffc382ee980 a2=1f a3=0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.498:194604): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.498:194605): arch=c000003e syscall=3 success=yes exit=0 a0=4 a1=7ffc382ee980 a2=6 a3=0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.498:194605): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.498:194606): arch=c000003e syscall=9 success=yes exit=139684641591296 a0=0 a1=81000 a2=3 a3=22 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.498:194606): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.498:194607): arch=c000003e syscall=21 success=yes exit=0 a0=556485821f60 a1=0 a2=7f0add715010 a3=22 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.498:194607): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.498:194607): item=0 name="/etc/shadow" inode=67856639 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.498:194607): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.498:194608): arch=c000003e syscall=21 success=yes exit=0 a0=556485821ac0 a1=0 a2=7f0add715010 a3=22 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.498:194608): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.498:194608): item=0 name="/etc/gshadow" inode=67856644 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.498:194608): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.499:194609): arch=c000003e syscall=21 success=no exit=-2 a0=556485821620 a1=0 a2=7f0add715010 a3=22 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.499:194609): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.499:194609): item=0 name="/etc/subuid" nametype=UNKNOWN
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.499:194609): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.499:194610): arch=c000003e syscall=21 success=no exit=-2 a0=5564858211e0 a1=0 a2=0 a3=22 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.499:194610): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.499:194610): item=0 name="/etc/subgid" nametype=UNKNOWN
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.499:194610): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.499:194611): arch=c000003e syscall=2 success=yes exit=4 a0=556485618b31 a1=0 a2=1b6 a3=0 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.499:194611): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.499:194611): item=0 name="/etc/default/useradd" inode=186424 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.499:194611): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.534:194612): arch=c000003e syscall=5 success=yes exit=0 a0=4 a1=7ffc382ee3f0 a2=7ffc382ee3f0 a3=7f0add796800 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.534:194612): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.534:194613): arch=c000003e syscall=9 success=yes exit=139684642185216 a0=0 a1=1000 a2=3 a3=22 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.534:194613): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.534:194614): arch=c000003e syscall=0 success=yes exit=119 a0=4 a1=7f0add7a6000 a2=1000 a3=22 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.534:194614): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.555:194615): arch=c000003e syscall=41 success=yes exit=5 a0=1 a1=80801 a2=0 a3=6 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.555:194615): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.555:194616): arch=c000003e syscall=42 success=no exit=-2 a0=5 a1=7ffc382edc80 a2=6e a3=6 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=SOCKADDR msg=audit(1451781471.555:194616): saddr=01002F7661722F72756E2F6E7363642F736F636B657400005665885600000000B2CC05200000000000000000000000000000000000000000000000000000000080DD2E38FC7F0000048759DD0A7F000000000000000000002BC29DDB0A7F0000009079DD0A7F0000D50159DD0A7F
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.555:194616): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.555:194616): item=0 name="/var/run/nscd/socket" nametype=UNKNOWN
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.555:194616): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.555:194617): arch=c000003e syscall=3 success=yes exit=0 a0=5 a1=7ffc382edc80 a2=6e a3=6 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.555:194617): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.555:194618): arch=c000003e syscall=41 success=yes exit=5 a0=1 a1=80801 a2=0 a3=5564861864a0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.555:194618): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.555:194619): arch=c000003e syscall=42 success=no exit=-2 a0=5 a1=7ffc382ede00 a2=6e a3=5564861864a0 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=SOCKADDR msg=audit(1451781471.555:194619): saddr=01002F7661722F72756E2F6E7363642F736F636B657400001C000000000000001C0000000000000010000000000000000100000005000000000000000000000000000000000000000000000000000000A072010000000000A0720100000000000000200000000000010000000600
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.555:194619): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.555:194619): item=0 name="/var/run/nscd/socket" nametype=UNKNOWN
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.555:194619): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.555:194620): arch=c000003e syscall=3 success=yes exit=0 a0=5 a1=7ffc382ede00 a2=6e a3=5564861864a0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.555:194620): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.555:194621): arch=c000003e syscall=2 success=yes exit=5 a0=7f0adc8bdab8 a1=80000 a2=1b6 a3=80000 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.555:194621): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.555:194621): item=0 name="/etc/nsswitch.conf" inode=67151268 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.555:194621): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.556:194622): arch=c000003e syscall=5 success=yes exit=0 a0=5 a1=7ffc382ee270 a2=7ffc382ee270 a3=7f0adcaefc08 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.556:194622): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.556:194623): arch=c000003e syscall=9 success=yes exit=139684642181120 a0=0 a1=1000 a2=3 a3=22 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.556:194623): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.556:194624): arch=c000003e syscall=0 success=yes exit=1718 a0=5 a1=7f0add7a5000 a2=1000 a3=22 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.556:194624): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.556:194625): arch=c000003e syscall=0 success=yes exit=0 a0=5 a1=7f0add7a5000 a2=1000 a3=7f0adcaefbc8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.556:194625): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.556:194626): arch=c000003e syscall=3 success=yes exit=0 a0=5 a1=0 a2=0 a3=7f0adcaefbc8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.556:194626): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.556:194627): arch=c000003e syscall=11 success=yes exit=0 a0=7f0add7a5000 a1=1000 a2=0 a3=7f0adcaefbc8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.556:194627): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.556:194628): arch=c000003e syscall=2 success=yes exit=5 a0=7f0add5a4761 a1=80000 a2=1 a3=7f0add7aa460 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.556:194628): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.556:194628): item=0 name="/etc/ld.so.cache" inode=67217436 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:ld_so_cache_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.556:194628): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.556:194629): arch=c000003e syscall=5 success=yes exit=0 a0=5 a1=7ffc382ed9e0 a2=7ffc382ed9e0 a3=7f0add7aa460 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.556:194629): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.556:194630): arch=c000003e syscall=9 success=yes exit=139684641550336 a0=0 a1=90d3 a2=1 a3=2 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=MMAP msg=audit(1451781471.556:194630): fd=5 flags=0x2
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.556:194630): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.556:194631): arch=c000003e syscall=3 success=yes exit=0 a0=5 a1=90d3 a2=1 a3=2 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.556:194631): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.556:194632): arch=c000003e syscall=2 success=yes exit=5 a0=556486186650 a1=80000 a2=7f0add79b000 a3=7f0adcaefbb8 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.556:194632): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.556:194632): item=0 name="/lib64/libnss_files.so.2" inode=67179958 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:lib_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.556:194632): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.557:194633): arch=c000003e syscall=0 success=yes exit=832 a0=5 a1=7ffc382edb70 a2=340 a3=7f0adcaefbb8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.557:194633): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.557:194634): arch=c000003e syscall=5 success=yes exit=0 a0=5 a1=7ffc382eda20 a2=7ffc382eda20 a3=0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.557:194634): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.557:194635): arch=c000003e syscall=9 success=yes exit=139684498321408 a0=0 a1=211718 a2=5 a3=802 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=MMAP msg=audit(1451781471.557:194635): fd=5 flags=0x802
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.557:194635): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.557:194636): arch=c000003e syscall=10 success=yes exit=0 a0=7f0ad4e7e000 a1=1ff000 a2=0 a3=5 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.557:194636): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.557:194637): arch=c000003e syscall=9 success=yes exit=139684500459520 a0=7f0ad507d000 a1=2000 a2=3 a3=812 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=MMAP msg=audit(1451781471.557:194637): fd=5 flags=0x812
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.557:194637): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.557:194638): arch=c000003e syscall=9 success=yes exit=139684500467712 a0=7f0ad507f000 a1=5718 a2=3 a3=32 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.557:194638): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.557:194639): arch=c000003e syscall=3 success=yes exit=0 a0=5 a1=5564861871f0 a2=0 a3=31 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.557:194639): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.557:194640): arch=c000003e syscall=10 success=yes exit=0 a0=7f0ad507d000 a1=1000 a2=1 a3=7f0ad507dff8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.557:194640): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.557:194641): arch=c000003e syscall=11 success=yes exit=0 a0=7f0add70b000 a1=90d3 a2=7ffc382ee0f7 a3=7f0ad507dff8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.557:194641): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.557:194642): arch=c000003e syscall=2 success=yes exit=5 a0=7f0ad4e7b257 a1=80000 a2=1b6 a3=80000 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.557:194642): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.557:194642): item=0 name="/etc/group" inode=67220873 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.557:194642): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.557:194643): arch=c000003e syscall=5 success=yes exit=0 a0=5 a1=7ffc382ee250 a2=7ffc382ee250 a3=1d7 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.557:194643): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.558:194644): arch=c000003e syscall=9 success=yes exit=139684642181120 a0=0 a1=1000 a2=3 a3=22 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.558:194644): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.558:194645): arch=c000003e syscall=0 success=yes exit=702 a0=5 a1=7f0add7a5000 a2=1000 a3=22 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.558:194645): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.558:194646): arch=c000003e syscall=3 success=yes exit=0 a0=5 a1=1 a2=556486187740 a3=474 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.558:194646): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.558:194647): arch=c000003e syscall=11 success=yes exit=0 a0=7f0add7a5000 a1=1000 a2=0 a3=474 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.558:194647): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.558:194648): arch=c000003e syscall=0 success=yes exit=0 a0=4 a1=7f0add7a6000 a2=1000 a3=7f0add796800 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.558:194648): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.558:194649): arch=c000003e syscall=3 success=yes exit=0 a0=4 a1=1 a2=556486186130 a3=7f0add796800 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.558:194649): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.558:194650): arch=c000003e syscall=11 success=yes exit=0 a0=7f0add7a6000 a1=1000 a2=0 a3=7f0add796800 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.558:194650): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.558:194651): arch=c000003e syscall=41 success=yes exit=4 a0=1 a1=80801 a2=0 a3=6 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.558:194651): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.558:194652): arch=c000003e syscall=42 success=no exit=-2 a0=4 a1=7ffc382ee550 a2=6e a3=6 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=SOCKADDR msg=audit(1451781471.558:194652): saddr=01002F7661722F72756E2F6E7363642F736F636B65740000D8BC6085645500000000454154455F4D41494C5F53504F4F4C3D79657300000000757073206966206E6F206D656D626572732065786973742E0000642C000A0000006500000000000000000000000000770000007C00
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.558:194652): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.558:194652): item=0 name="/var/run/nscd/socket" nametype=UNKNOWN
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.558:194652): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.558:194653): arch=c000003e syscall=3 success=yes exit=0 a0=4 a1=7ffc382ee550 a2=6e a3=6 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.558:194653): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.559:194654): arch=c000003e syscall=41 success=yes exit=4 a0=1 a1=80801 a2=0 a3=6 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.559:194654): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.559:194655): arch=c000003e syscall=42 success=no exit=-2 a0=4 a1=7ffc382ee6d0 a2=6e a3=6 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=SOCKADDR msg=audit(1451781471.559:194655): saddr=01002F7661722F72756E2F6E7363642F736F636B657400003600000000000000208822D50A7F00009609000000000000608D0FD50A7F000076FA120000000000020000000A7F000060E72E38FC7F00005B6518866455000060E72E38FC7F00005065188664550000AA8C61856455
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.559:194655): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.559:194655): item=0 name="/var/run/nscd/socket" nametype=UNKNOWN
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.559:194655): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.559:194656): arch=c000003e syscall=3 success=yes exit=0 a0=4 a1=7ffc382ee6d0 a2=6e a3=6 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.559:194656): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.559:194657): arch=c000003e syscall=2 success=yes exit=4 a0=7f0ad4e7b262 a1=80000 a2=1b6 a3=80000 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.559:194657): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.559:194657): item=0 name="/etc/passwd" inode=67932620 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.559:194657): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.559:194658): arch=c000003e syscall=5 success=yes exit=0 a0=4 a1=7ffc382ee6e0 a2=7ffc382ee6e0 a3=80000 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.559:194658): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.559:194659): arch=c000003e syscall=9 success=yes exit=139684642185216 a0=0 a1=1000 a2=3 a3=22 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.559:194659): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.559:194660): arch=c000003e syscall=0 success=yes exit=1618 a0=4 a1=7f0add7a6000 a2=1000 a3=22 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.559:194660): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.559:194661): arch=c000003e syscall=0 success=yes exit=0 a0=4 a1=7f0add7a6000 a2=1000 a3=1999999999999999 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.559:194661): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.559:194662): arch=c000003e syscall=3 success=yes exit=0 a0=4 a1=1 a2=556486186130 a3=1999999999999999 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.559:194662): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.559:194663): arch=c000003e syscall=11 success=yes exit=0 a0=7f0add7a6000 a1=1000 a2=0 a3=1999999999999999 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.559:194663): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.559:194664): arch=c000003e syscall=2 success=yes exit=4 a0=7f0add5a4761 a1=80000 a2=1 a3=7f0add7aa460 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.559:194664): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.559:194664): item=0 name="/etc/ld.so.cache" inode=67217436 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:ld_so_cache_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.559:194664): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.560:194665): arch=c000003e syscall=5 success=yes exit=0 a0=4 a1=7ffc382eded0 a2=7ffc382eded0 a3=7f0add7aa460 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.560:194665): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.560:194666): arch=c000003e syscall=9 success=yes exit=139684642148352 a0=0 a1=90d3 a2=1 a3=2 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=MMAP msg=audit(1451781471.560:194666): fd=4 flags=0x2
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.560:194666): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.560:194667): arch=c000003e syscall=3 success=yes exit=0 a0=4 a1=90d3 a2=1 a3=2 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.560:194667): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.560:194668): arch=c000003e syscall=2 success=yes exit=4 a0=556486186070 a1=80000 a2=7f0add79b000 a3=7f0adcaefba8 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.560:194668): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.560:194668): item=0 name="/lib64/libnss_sss.so.2" inode=67352288 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:lib_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.560:194668): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.560:194669): arch=c000003e syscall=0 success=yes exit=832 a0=4 a1=7ffc382ee060 a2=340 a3=7f0adcaefba8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.560:194669): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.560:194670): arch=c000003e syscall=5 success=yes exit=0 a0=4 a1=7ffc382edf10 a2=7ffc382edf10 a3=0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.560:194670): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.560:194671): arch=c000003e syscall=9 success=yes exit=139684496187392 a0=0 a1=2082d0 a2=5 a3=802 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=MMAP msg=audit(1451781471.560:194671): fd=4 flags=0x802
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.560:194671): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.560:194672): arch=c000003e syscall=10 success=yes exit=0 a0=7f0ad4c72000 a1=1ff000 a2=0 a3=5 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.560:194672): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.560:194673): arch=c000003e syscall=9 success=yes exit=139684498313216 a0=7f0ad4e71000 a1=2000 a2=3 a3=812 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=MMAP msg=audit(1451781471.560:194673): fd=4 flags=0x812
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.560:194673): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.560:194674): arch=c000003e syscall=3 success=yes exit=0 a0=4 a1=556486187ab0 a2=0 a3=31 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.560:194674): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.561:194675): arch=c000003e syscall=10 success=yes exit=0 a0=7f0ad4e71000 a1=1000 a2=1 a3=7f0ad4e71fd0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.561:194675): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.561:194676): arch=c000003e syscall=11 success=yes exit=0 a0=7f0add79d000 a1=90d3 a2=7ffc382ee5e7 a3=7f0ad4e71fd0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.561:194676): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.561:194677): arch=c000003e syscall=202 success=yes exit=0 a0=7f0ad4e72048 a1=81 a2=7fffffff a3=0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.561:194677): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.561:194678): arch=c000003e syscall=2 success=no exit=-2 a0=556486187f20 a1=80000 a2=7ffc382ee744 a3=7f0adcaefdb8 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.561:194678): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.561:194678): item=0 name="/var/lib/sss/mc/passwd" nametype=UNKNOWN
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.561:194678): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.561:194679): arch=c000003e syscall=202 success=yes exit=0 a0=7f0ad4e720c8 a1=81 a2=7fffffff a3=0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.561:194679): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.561:194680): arch=c000003e syscall=2 success=no exit=-2 a0=556486187f20 a1=80000 a2=7ffc382ee744 a3=556486187f10 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.561:194680): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.561:194680): item=0 name="/var/lib/sss/mc/passwd" nametype=UNKNOWN
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.561:194680): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.561:194681): arch=c000003e syscall=5 success=no exit=-9 a0=ffffffffffffffff a1=7ffc382ee780 a2=7ffc382ee780 a3=556486187f10 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.561:194681): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.561:194682): arch=c000003e syscall=41 success=yes exit=4 a0=1 a1=1 a2=0 a3=556486187f10 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.561:194682): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.561:194683): arch=c000003e syscall=72 success=yes exit=2 a0=4 a1=3 a2=0 a3=556486187f10 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.561:194683): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.561:194684): arch=c000003e syscall=72 success=yes exit=0 a0=4 a1=4 a2=802 a3=556486187f10 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.561:194684): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.561:194685): arch=c000003e syscall=72 success=yes exit=0 a0=4 a1=1 a2=0 a3=556486187f10 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.561:194685): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.561:194686): arch=c000003e syscall=72 success=yes exit=0 a0=4 a1=2 a2=1 a3=556486187f10 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.561:194686): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.562:194687): arch=c000003e syscall=42 success=no exit=-2 a0=4 a1=7ffc382ee710 a2=6e a3=556486187f10 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=SOCKADDR msg=audit(1451781471.562:194687): saddr=01002F7661722F6C69622F7373732F70697065732F6E73730000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.562:194687): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.562:194687): item=0 name="/var/lib/sss/pipes/nss" nametype=UNKNOWN
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.562:194687): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.562:194688): arch=c000003e syscall=3 success=yes exit=0 a0=4 a1=7ffc382ee710 a2=0 a3=556486187f10 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.562:194688): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.562:194689): arch=c000003e syscall=2 success=yes exit=4 a0=7f0ad4e7b257 a1=80000 a2=1b6 a3=80000 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.562:194689): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.562:194689): item=0 name="/etc/group" inode=67220873 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.562:194689): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.562:194690): arch=c000003e syscall=5 success=yes exit=0 a0=4 a1=7ffc382ee6e0 a2=7ffc382ee6e0 a3=80000 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.562:194690): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.562:194691): arch=c000003e syscall=9 success=yes exit=139684642185216 a0=0 a1=1000 a2=3 a3=22 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.562:194691): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.562:194692): arch=c000003e syscall=0 success=yes exit=702 a0=4 a1=7f0add7a6000 a2=1000 a3=22 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.562:194692): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.562:194693): arch=c000003e syscall=0 success=yes exit=0 a0=4 a1=7f0add7a6000 a2=1000 a3=1999999999999999 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.562:194693): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.562:194694): arch=c000003e syscall=3 success=yes exit=0 a0=4 a1=1 a2=556486188410 a3=1999999999999999 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.562:194694): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.562:194695): arch=c000003e syscall=11 success=yes exit=0 a0=7f0add7a6000 a1=1000 a2=0 a3=1999999999999999 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.562:194695): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.562:194696): arch=c000003e syscall=2 success=no exit=-2 a0=5564861883d0 a1=80000 a2=7ffc382ee734 a3=7f0adcaefba8 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.562:194696): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.562:194696): item=0 name="/var/lib/sss/mc/group" nametype=UNKNOWN
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.562:194696): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.563:194697): arch=c000003e syscall=2 success=no exit=-2 a0=5564861883d0 a1=80000 a2=7ffc382ee734 a3=5564861883c0 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.563:194697): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.563:194697): item=0 name="/var/lib/sss/mc/group" nametype=UNKNOWN
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.563:194697): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.563:194698): arch=c000003e syscall=41 success=yes exit=4 a0=1 a1=1 a2=0 a3=5564861883c0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.563:194698): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.563:194699): arch=c000003e syscall=72 success=yes exit=2 a0=4 a1=3 a2=0 a3=5564861883c0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.563:194699): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.563:194700): arch=c000003e syscall=72 success=yes exit=0 a0=4 a1=4 a2=802 a3=5564861883c0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.563:194700): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.563:194701): arch=c000003e syscall=72 success=yes exit=0 a0=4 a1=1 a2=0 a3=5564861883c0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.563:194701): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.563:194702): arch=c000003e syscall=72 success=yes exit=0 a0=4 a1=2 a2=1 a3=5564861883c0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.563:194702): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.563:194703): arch=c000003e syscall=42 success=no exit=-2 a0=4 a1=7ffc382ee700 a2=6e a3=5564861883c0 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=SOCKADDR msg=audit(1451781471.563:194703): saddr=01002F7661722F6C69622F7373732F70697065732F6E73730000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.563:194703): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.563:194703): item=0 name="/var/lib/sss/pipes/nss" nametype=UNKNOWN
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.563:194703): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.564:194704): arch=c000003e syscall=3 success=yes exit=0 a0=4 a1=7ffc382ee700 a2=0 a3=5564861883c0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.564:194704): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.564:194705): arch=c000003e syscall=2 success=yes exit=4 a0=7f0adc8bd2e5 a1=80041 a2=180 a3=5564861883c0 items=2 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.564:194705): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.564:194705): item=0 name="/etc/" inode=67151265 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.564:194705): item=1 name="/etc/.pwd.lock" inode=67499968 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.564:194705): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.564:194706): arch=c000003e syscall=13 success=yes exit=0 a0=e a1=7ffc382ee5c0 a2=7ffc382ee660 a3=8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.564:194706): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.564:194707): arch=c000003e syscall=14 success=yes exit=0 a0=1 a1=7ffc382ee7b0 a2=7ffc382ee730 a3=8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.564:194707): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.564:194708): arch=c000003e syscall=37 success=yes exit=0 a0=f a1=7ffc382ee7b0 a2=7ffc382ee730 a3=8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.564:194708): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.564:194709): arch=c000003e syscall=72 success=yes exit=0 a0=4 a1=7 a2=7ffc382ee710 a3=8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.564:194709): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.564:194710): arch=c000003e syscall=37 success=yes exit=15 a0=0 a1=7 a2=7ffc382ee710 a3=8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.564:194710): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.564:194711): arch=c000003e syscall=14 success=yes exit=0 a0=2 a1=7ffc382ee730 a2=0 a3=8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.564:194711): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.565:194712): arch=c000003e syscall=13 success=yes exit=0 a0=e a1=7ffc382ee5c0 a2=0 a3=8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.565:194712): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451786831.916:194713): arch=c000003e syscall=7 success=yes exit=1 a0=7f0ebc0008e0 a1=2 a2=ffffffff a3=561cf096d320 items=0 ppid=1 pid=870 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gmain" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451786831.916:194713): proctitle=2F7573722F7362696E2F4E6574776F726B4D616E61676572002D2D6E6F2D6461656D6F6E
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.565:194714): arch=c000003e syscall=0 success=no exit=-11 a0=4 a1=7f0ec1be0c40 a2=10 a3=561cf096d320 items=0 ppid=1 pid=870 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gmain" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.565:194714): proctitle=2F7573722F7362696E2F4E6574776F726B4D616E61676572002D2D6E6F2D6461656D6F6E
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.565:194715): arch=c000003e syscall=1 success=yes exit=8 a0=4 a1=7f0ec1be0c20 a2=8 a3=20 items=0 ppid=1 pid=870 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gmain" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.565:194715): proctitle=2F7573722F7362696E2F4E6574776F726B4D616E61676572002D2D6E6F2D6461656D6F6E
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.566:194716): arch=c000003e syscall=0 success=yes exit=32 a0=b a1=7f0ec1bdfc20 a2=1000 a3=ffffffffff7ff000 items=0 ppid=1 pid=870 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gmain" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.566:194716): proctitle=2F7573722F7362696E2F4E6574776F726B4D616E61676572002D2D6E6F2D6461656D6F6E
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.566:194717): arch=c000003e syscall=1 success=yes exit=8 a0=4 a1=7f0ec1bdfbb0 a2=8 a3=20 items=0 ppid=1 pid=870 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gmain" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.566:194717): proctitle=2F7573722F7362696E2F4E6574776F726B4D616E61676572002D2D6E6F2D6461656D6F6E
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.566:194718): arch=c000003e syscall=1 success=yes exit=8 a0=4 a1=7f0ec1be0c20 a2=8 a3=20 items=0 ppid=1 pid=870 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gmain" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.566:194718): proctitle=2F7573722F7362696E2F4E6574776F726B4D616E61676572002D2D6E6F2D6461656D6F6E
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.566:194719): arch=c000003e syscall=7 success=yes exit=1 a0=7f0ebc0008e0 a1=2 a2=64 a3=561cf0972c40 items=0 ppid=1 pid=870 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gmain" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.566:194719): proctitle=2F7573722F7362696E2F4E6574776F726B4D616E61676572002D2D6E6F2D6461656D6F6E
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.566:194720): arch=c000003e syscall=7 success=yes exit=1 a0=7f0ebc0008e0 a1=2 a2=64 a3=561cf0972c40 items=0 ppid=1 pid=870 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gmain" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.566:194720): proctitle=2F7573722F7362696E2F4E6574776F726B4D616E61676572002D2D6E6F2D6461656D6F6E
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.566:194721): arch=c000003e syscall=0 success=yes exit=8 a0=4 a1=7f0ec1be0c40 a2=10 a3=561cf0972c40 items=0 ppid=1 pid=870 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gmain" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.566:194721): proctitle=2F7573722F7362696E2F4E6574776F726B4D616E61676572002D2D6E6F2D6461656D6F6E
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.565:194722): arch=c000003e syscall=2 success=yes exit=5 a0=7ffc382ee150 a1=241 a2=180 a3=b items=2 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.565:194722): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.565:194722): item=0 name="/etc/" inode=67151265 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.565:194722): item=1 name="/etc/passwd.1321" inode=67151278 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 nametype=CREATE
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.565:194722): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.566:194723): arch=c000003e syscall=1 success=yes exit=5 a0=5 a1=7ffc382ee130 a2=5 a3=0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.566:194723): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.566:194724): arch=c000003e syscall=3 success=yes exit=0 a0=5 a1=7ffc382ee130 a2=5 a3=0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.566:194724): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.566:194725): arch=c000003e syscall=86 success=yes exit=0 a0=7ffc382ee150 a1=7ffc382ee550 a2=5 a3=0 items=3 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.566:194725): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.566:194725): item=0 name="/etc/passwd.1321" inode=67151278 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.566:194725): item=1 name="/etc/" inode=67151265 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.566:194725): item=2 name="/etc/passwd.lock" inode=67151278 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 nametype=CREATE
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.566:194725): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.570:194726): arch=c000003e syscall=4 success=yes exit=0 a0=7ffc382ee150 a1=7ffc382ee0a0 a2=7ffc382ee0a0 a3=0 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.570:194726): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.570:194726): item=0 name="/etc/passwd.1321" inode=67151278 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.570:194726): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.571:194727): arch=c000003e syscall=87 success=yes exit=0 a0=7ffc382ee150 a1=7ffc382ee0a0 a2=7ffc382ee0a0 a3=0 items=2 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.571:194727): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.571:194727): item=0 name="/etc/" inode=67151265 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.571:194727): item=1 name="/etc/passwd.1321" inode=67151278 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 nametype=DELETE
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.571:194727): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.571:194728): arch=c000003e syscall=2 success=yes exit=5 a0=556485820d40 a1=20902 a2=c1770000 a3=0 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.571:194728): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.571:194728): item=0 name="/etc/passwd" inode=67932620 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.571:194728): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.571:194729): arch=c000003e syscall=72 success=yes exit=165890 a0=5 a1=3 a2=c1770000 a3=0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.571:194729): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.571:194730): arch=c000003e syscall=72 success=yes exit=0 a0=5 a1=2 a2=1 a3=7f0adcaefdb8 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.571:194730): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.571:194731): arch=c000003e syscall=5 success=yes exit=0 a0=5 a1=7ffc382ee7f0 a2=7ffc382ee7f0 a3=7f0add796800 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.571:194731): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.571:194732): arch=c000003e syscall=9 success=yes exit=139684642185216 a0=0 a1=1000 a2=3 a3=22 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.571:194732): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.572:194733): arch=c000003e syscall=0 success=yes exit=1618 a0=5 a1=7f0add7a6000 a2=1000 a3=22 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.572:194733): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.572:194734): arch=c000003e syscall=0 success=yes exit=0 a0=5 a1=7f0add7a6000 a2=1000 a3=7f0add796800 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.572:194734): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.572:194735): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc382ee150 a1=241 a2=180 a3=a items=2 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.572:194735): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.572:194735): item=0 name="/etc/" inode=67151265 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.572:194735): item=1 name="/etc/group.1321" inode=67179932 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 nametype=CREATE
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.572:194735): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.573:194736): arch=c000003e syscall=1 success=yes exit=5 a0=6 a1=7ffc382ee130 a2=5 a3=0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.573:194736): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.574:194737): arch=c000003e syscall=3 success=yes exit=0 a0=6 a1=7ffc382ee130 a2=5 a3=0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.574:194737): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.574:194738): arch=c000003e syscall=86 success=yes exit=0 a0=7ffc382ee150 a1=7ffc382ee550 a2=5 a3=0 items=3 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.574:194738): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.574:194738): item=0 name="/etc/group.1321" inode=67179932 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.574:194738): item=1 name="/etc/" inode=67151265 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.574:194738): item=2 name="/etc/group.lock" inode=67179932 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 nametype=CREATE
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.574:194738): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.574:194739): arch=c000003e syscall=4 success=yes exit=0 a0=7ffc382ee150 a1=7ffc382ee0a0 a2=7ffc382ee0a0 a3=0 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.574:194739): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.574:194739): item=0 name="/etc/group.1321" inode=67179932 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.574:194739): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.574:194740): arch=c000003e syscall=87 success=yes exit=0 a0=7ffc382ee150 a1=7ffc382ee0a0 a2=7ffc382ee0a0 a3=0 items=2 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.574:194740): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.574:194740): item=0 name="/etc/" inode=67151265 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.574:194740): item=1 name="/etc/group.1321" inode=67179932 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 nametype=DELETE
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.574:194740): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.575:194741): arch=c000003e syscall=2 success=yes exit=6 a0=5564858208a0 a1=20902 a2=c1770000 a3=0 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.575:194741): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.575:194741): item=0 name="/etc/group" inode=67220873 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.575:194741): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.575:194742): arch=c000003e syscall=72 success=yes exit=165890 a0=6 a1=3 a2=c1770000 a3=0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.575:194742): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.575:194743): arch=c000003e syscall=72 success=yes exit=0 a0=6 a1=2 a2=1 a3=556486188610 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.575:194743): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.575:194744): arch=c000003e syscall=5 success=yes exit=0 a0=6 a1=7ffc382ee7c0 a2=7ffc382ee7c0 a3=7f0add796800 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.575:194744): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.575:194745): arch=c000003e syscall=9 success=yes exit=139684642181120 a0=0 a1=1000 a2=3 a3=22 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.575:194745): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.575:194746): arch=c000003e syscall=0 success=yes exit=702 a0=6 a1=7f0add7a5000 a2=1000 a3=22 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.575:194746): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.575:194747): arch=c000003e syscall=0 success=yes exit=0 a0=6 a1=7f0add7a5000 a2=1000 a3=7f0add796800 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.575:194747): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.575:194748): arch=c000003e syscall=2 success=yes exit=7 a0=7ffc382ee150 a1=241 a2=180 a3=c items=2 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.575:194748): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.575:194748): item=0 name="/etc/" inode=67151265 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.575:194748): item=1 name="/etc/gshadow.1321" inode=67179939 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 nametype=CREATE
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.575:194748): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.577:194749): arch=c000003e syscall=1 success=yes exit=5 a0=7 a1=7ffc382ee130 a2=5 a3=0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.577:194749): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.577:194750): arch=c000003e syscall=3 success=yes exit=0 a0=7 a1=7ffc382ee130 a2=5 a3=0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.577:194750): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.577:194751): arch=c000003e syscall=86 success=yes exit=0 a0=7ffc382ee150 a1=7ffc382ee550 a2=5 a3=0 items=3 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.577:194751): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.577:194751): item=0 name="/etc/gshadow.1321" inode=67179939 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.577:194751): item=1 name="/etc/" inode=67151265 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.577:194751): item=2 name="/etc/gshadow.lock" inode=67179939 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 nametype=CREATE
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.577:194751): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.578:194752): arch=c000003e syscall=4 success=yes exit=0 a0=7ffc382ee150 a1=7ffc382ee0a0 a2=7ffc382ee0a0 a3=0 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.578:194752): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.578:194752): item=0 name="/etc/gshadow.1321" inode=67179939 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.578:194752): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.578:194753): arch=c000003e syscall=87 success=yes exit=0 a0=7ffc382ee150 a1=7ffc382ee0a0 a2=7ffc382ee0a0 a3=0 items=2 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.578:194753): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.578:194753): item=0 name="/etc/" inode=67151265 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.578:194753): item=1 name="/etc/gshadow.1321" inode=67179939 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 nametype=DELETE
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.578:194753): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.578:194754): arch=c000003e syscall=2 success=yes exit=7 a0=556485821ac0 a1=20902 a2=c1770000 a3=0 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.578:194754): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.578:194754): item=0 name="/etc/gshadow" inode=67856644 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.578:194754): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.578:194755): arch=c000003e syscall=72 success=yes exit=165890 a0=7 a1=3 a2=c1770000 a3=0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.578:194755): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.578:194756): arch=c000003e syscall=72 success=yes exit=0 a0=7 a1=2 a2=1 a3=55648618c020 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.578:194756): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.579:194757): arch=c000003e syscall=5 success=yes exit=0 a0=7 a1=7ffc382ee7c0 a2=7ffc382ee7c0 a3=7f0add796800 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.579:194757): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.579:194758): arch=c000003e syscall=9 success=yes exit=139684642177024 a0=0 a1=1000 a2=3 a3=22 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.579:194758): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.579:194759): arch=c000003e syscall=0 success=yes exit=564 a0=7 a1=7f0add7a4000 a2=1000 a3=22 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.579:194759): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.595:194760): arch=c000003e syscall=0 success=yes exit=0 a0=7 a1=7f0add7a4000 a2=1000 a3=7f0add796800 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.595:194760): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.595:194761): arch=c000003e syscall=2 success=yes exit=8 a0=7f0ad4e7b262 a1=80000 a2=1b6 a3=80000 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.595:194761): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.595:194761): item=0 name="/etc/passwd" inode=67932620 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.595:194761): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.595:194762): arch=c000003e syscall=5 success=yes exit=0 a0=8 a1=7ffc382ee670 a2=7ffc382ee670 a3=80000 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.595:194762): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.595:194763): arch=c000003e syscall=9 success=yes exit=139684642172928 a0=0 a1=1000 a2=3 a3=22 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.595:194763): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.596:194764): arch=c000003e syscall=0 success=yes exit=1618 a0=8 a1=7f0add7a3000 a2=1000 a3=22 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.596:194764): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.596:194765): arch=c000003e syscall=0 success=yes exit=0 a0=8 a1=7f0add7a3000 a2=1000 a3=1999999999999999 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.596:194765): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.596:194766): arch=c000003e syscall=3 success=yes exit=0 a0=8 a1=1 a2=55648618fc80 a3=1999999999999999 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.596:194766): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.596:194767): arch=c000003e syscall=11 success=yes exit=0 a0=7f0add7a3000 a1=1000 a2=0 a3=1999999999999999 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.596:194767): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.596:194768): arch=c000003e syscall=2 success=no exit=-2 a0=55648618fc60 a1=80000 a2=7ffc382ee6c4 a3=7f0adcaefba8 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.596:194768): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.596:194768): item=0 name="/var/lib/sss/mc/passwd" nametype=UNKNOWN
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.596:194768): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.596:194769): arch=c000003e syscall=2 success=no exit=-2 a0=55648618fc60 a1=80000 a2=7ffc382ee6c4 a3=55648618fc50 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.596:194769): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.596:194769): item=0 name="/var/lib/sss/mc/passwd" nametype=UNKNOWN
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.596:194769): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.596:194770): arch=c000003e syscall=41 success=yes exit=8 a0=1 a1=1 a2=0 a3=55648618fc50 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.596:194770): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.596:194771): arch=c000003e syscall=72 success=yes exit=2 a0=8 a1=3 a2=0 a3=55648618fc50 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.596:194771): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.596:194772): arch=c000003e syscall=72 success=yes exit=0 a0=8 a1=4 a2=802 a3=55648618fc50 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.596:194772): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.596:194773): arch=c000003e syscall=72 success=yes exit=0 a0=8 a1=1 a2=0 a3=55648618fc50 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.596:194773): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.597:194774): arch=c000003e syscall=72 success=yes exit=0 a0=8 a1=2 a2=1 a3=55648618fc50 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.597:194774): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.597:194775): arch=c000003e syscall=42 success=no exit=-2 a0=8 a1=7ffc382ee6a0 a2=6e a3=55648618fc50 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=SOCKADDR msg=audit(1451781471.597:194775): saddr=01002F7661722F6C69622F7373732F70697065732F6E73730000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.597:194775): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.597:194775): item=0 name="/var/lib/sss/pipes/nss" nametype=UNKNOWN
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.597:194775): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.597:194776): arch=c000003e syscall=3 success=yes exit=0 a0=8 a1=7ffc382ee6a0 a2=0 a3=55648618fc50 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.597:194776): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.597:194777): arch=c000003e syscall=2 success=yes exit=8 a0=7ffc382ee150 a1=241 a2=180 a3=b items=2 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.597:194777): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.597:194777): item=0 name="/etc/" inode=67151265 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.597:194777): item=1 name="/etc/shadow.1321" inode=67179943 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 nametype=CREATE
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.597:194777): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.597:194778): arch=c000003e syscall=1 success=yes exit=5 a0=8 a1=7ffc382ee130 a2=5 a3=0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.597:194778): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.597:194779): arch=c000003e syscall=3 success=yes exit=0 a0=8 a1=7ffc382ee130 a2=5 a3=0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.597:194779): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.597:194780): arch=c000003e syscall=86 success=yes exit=0 a0=7ffc382ee150 a1=7ffc382ee550 a2=5 a3=0 items=3 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.597:194780): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.597:194780): item=0 name="/etc/shadow.1321" inode=67179943 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.597:194780): item=1 name="/etc/" inode=67151265 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.597:194780): item=2 name="/etc/shadow.lock" inode=67179943 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 nametype=CREATE
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.597:194780): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.597:194781): arch=c000003e syscall=4 success=yes exit=0 a0=7ffc382ee150 a1=7ffc382ee0a0 a2=7ffc382ee0a0 a3=0 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.597:194781): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.597:194781): item=0 name="/etc/shadow.1321" inode=67179943 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.597:194781): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.597:194782): arch=c000003e syscall=87 success=yes exit=0 a0=7ffc382ee150 a1=7ffc382ee0a0 a2=7ffc382ee0a0 a3=0 items=2 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.597:194782): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.597:194782): item=0 name="/etc/" inode=67151265 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.597:194782): item=1 name="/etc/shadow.1321" inode=67179943 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 nametype=DELETE
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.597:194782): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.597:194783): arch=c000003e syscall=2 success=yes exit=8 a0=556485821f60 a1=20902 a2=c1770000 a3=0 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.597:194783): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.597:194783): item=0 name="/etc/shadow" inode=67856639 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.597:194783): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.597:194784): arch=c000003e syscall=72 success=yes exit=165890 a0=8 a1=3 a2=c1770000 a3=0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.597:194784): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.597:194785): arch=c000003e syscall=72 success=yes exit=0 a0=8 a1=2 a2=1 a3=55648618fbe0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.597:194785): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.598:194786): arch=c000003e syscall=5 success=yes exit=0 a0=8 a1=7ffc382ee7f0 a2=7ffc382ee7f0 a3=7f0add796800 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.598:194786): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.598:194787): arch=c000003e syscall=9 success=yes exit=139684642172928 a0=0 a1=1000 a2=3 a3=22 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.598:194787): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.598:194788): arch=c000003e syscall=0 success=yes exit=1024 a0=8 a1=7f0add7a3000 a2=1000 a3=22 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.598:194788): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.598:194789): arch=c000003e syscall=0 success=yes exit=0 a0=8 a1=7f0add7a3000 a2=1000 a3=7f0add796800 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.598:194789): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.598:194790): arch=c000003e syscall=2 success=yes exit=9 a0=7f0ad4e7b257 a1=80000 a2=1b6 a3=80000 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.598:194790): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.598:194790): item=0 name="/etc/group" inode=67220873 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.598:194790): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.598:194791): arch=c000003e syscall=5 success=yes exit=0 a0=9 a1=7ffc382ee680 a2=7ffc382ee680 a3=80000 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.598:194791): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.598:194792): arch=c000003e syscall=9 success=yes exit=139684642168832 a0=0 a1=1000 a2=3 a3=22 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.598:194792): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.598:194793): arch=c000003e syscall=0 success=yes exit=702 a0=9 a1=7f0add7a2000 a2=1000 a3=22 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.598:194793): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.598:194794): arch=c000003e syscall=0 success=yes exit=0 a0=9 a1=7f0add7a2000 a2=1000 a3=1999999999999999 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.598:194794): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.598:194795): arch=c000003e syscall=3 success=yes exit=0 a0=9 a1=1 a2=5564861932f0 a3=1999999999999999 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.598:194795): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.598:194796): arch=c000003e syscall=11 success=yes exit=0 a0=7f0add7a2000 a1=1000 a2=0 a3=1999999999999999 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.598:194796): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.598:194797): arch=c000003e syscall=2 success=no exit=-2 a0=5564861932d0 a1=80000 a2=7ffc382ee6c4 a3=7f0adcaefba8 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.598:194797): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.598:194797): item=0 name="/var/lib/sss/mc/group" nametype=UNKNOWN
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.598:194797): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.598:194798): arch=c000003e syscall=2 success=no exit=-2 a0=5564861932d0 a1=80000 a2=7ffc382ee6c4 a3=5564861932c0 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.598:194798): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.598:194798): item=0 name="/var/lib/sss/mc/group" nametype=UNKNOWN
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.598:194798): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.598:194799): arch=c000003e syscall=41 success=yes exit=9 a0=1 a1=1 a2=0 a3=5564861932c0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.598:194799): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.598:194800): arch=c000003e syscall=72 success=yes exit=2 a0=9 a1=3 a2=0 a3=5564861932c0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.598:194800): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.598:194801): arch=c000003e syscall=72 success=yes exit=0 a0=9 a1=4 a2=802 a3=5564861932c0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.598:194801): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.598:194802): arch=c000003e syscall=72 success=yes exit=0 a0=9 a1=1 a2=0 a3=5564861932c0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.598:194802): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.598:194803): arch=c000003e syscall=72 success=yes exit=0 a0=9 a1=2 a2=1 a3=5564861932c0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.598:194803): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.598:194804): arch=c000003e syscall=42 success=no exit=-2 a0=9 a1=7ffc382ee6a0 a2=6e a3=5564861932c0 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=SOCKADDR msg=audit(1451781471.598:194804): saddr=01002F7661722F6C69622F7373732F70697065732F6E73730000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.598:194804): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.598:194804): item=0 name="/var/lib/sss/pipes/nss" nametype=UNKNOWN
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.598:194804): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.598:194805): arch=c000003e syscall=3 success=yes exit=0 a0=9 a1=7ffc382ee6a0 a2=0 a3=5564861932c0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.598:194805): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.598:194806): arch=c000003e syscall=2 success=yes exit=9 a0=7f0adc8bc50c a1=80000 a2=1b6 a3=80000 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.598:194806): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.598:194806): item=0 name="/etc/localtime" inode=100664282 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:locale_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.598:194806): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.598:194807): arch=c000003e syscall=5 success=yes exit=0 a0=9 a1=7ffc382ee6f0 a2=7ffc382ee6f0 a3=80000 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.598:194807): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.598:194808): arch=c000003e syscall=5 success=yes exit=0 a0=9 a1=7ffc382ee540 a2=7ffc382ee540 a3=80000 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.598:194808): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.598:194809): arch=c000003e syscall=9 success=yes exit=139684642168832 a0=0 a1=1000 a2=3 a3=22 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.598:194809): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.598:194810): arch=c000003e syscall=0 success=yes exit=2223 a0=9 a1=7f0add7a2000 a2=1000 a3=22 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.598:194810): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.598:194811): arch=c000003e syscall=8 success=yes exit=808 a0=9 a1=fffffffffffffa79 a2=1 a3=e items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.598:194811): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.598:194812): arch=c000003e syscall=0 success=yes exit=1415 a0=9 a1=7f0add7a2000 a2=1000 a3=e items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.598:194812): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.598:194813): arch=c000003e syscall=3 success=yes exit=0 a0=9 a1=0 a2=0 a3=e items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.598:194813): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.598:194814): arch=c000003e syscall=11 success=yes exit=0 a0=7f0add7a2000 a1=1000 a2=0 a3=e items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.598:194814): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.598:194815): arch=c000003e syscall=41 success=yes exit=9 a0=1 a1=80002 a2=0 a3=730 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.598:194815): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.598:194816): arch=c000003e syscall=42 success=yes exit=0 a0=9 a1=7f0adcaf21c0 a2=6e a3=730 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=SOCKADDR msg=audit(1451781471.598:194816): saddr=01002F6465762F6C6F6700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.598:194816): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.598:194816): item=0 name="/dev/log" inode=8682 dev=00:14 mode=0140666 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:devlog_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.598:194816): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781463.809:194817): arch=c000003e syscall=232 success=yes exit=1 a0=8 a1=7fff2467bc20 a2=17 a3=ffffffff items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781463.809:194817): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.599:194818): arch=c000003e syscall=228 success=yes exit=0 a0=7 a1=7fff2467bbf0 a2=0 a3=ffffffffff7ff000 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.599:194818): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.599:194819): arch=c000003e syscall=16 success=yes exit=0 a0=3 a1=541b a2=7fff2467babc a3=ffffffffff7ff000 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.599:194819): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.599:194820): arch=c000003e syscall=47 success=yes exit=66 a0=3 a1=7fff2467bae0 a2=40000040 a3=ffffffffff7ff000 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.599:194820): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.599:194821): arch=c000003e syscall=2 success=yes exit=28 a0=7fff2467ad50 a1=80000 a2=1b6 a3=80000 items=1 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.599:194821): cwd="/"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.599:194821): item=0 name="/proc/1321/cgroup" inode=21181 dev=00:04 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.599:194821): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.599:194822): arch=c000003e syscall=5 success=yes exit=0 a0=1c a1=7fff2467abd0 a2=7fff2467abd0 a3=7f129e519840 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.599:194822): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.599:194823): arch=c000003e syscall=9 success=yes exit=139717942345728 a0=0 a1=1000 a2=3 a3=22 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.599:194823): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.599:194824): arch=c000003e syscall=0 success=yes exit=190 a0=1c a1=7f129e528000 a2=400 a3=22 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.599:194824): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.599:194825): arch=c000003e syscall=3 success=yes exit=0 a0=1c a1=1 a2=55b63b7da460 a3=69737365732f6563 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.599:194825): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.599:194826): arch=c000003e syscall=11 success=yes exit=0 a0=7f129e528000 a1=1000 a2=0 a3=69737365732f6563 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.599:194826): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.599:194827): arch=c000003e syscall=2 success=yes exit=28 a0=7fff2467b340 a1=80000 a2=1b6 a3=80000 items=1 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.599:194827): cwd="/"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.599:194827): item=0 name="/proc/1321/comm" inode=21182 dev=00:04 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.599:194827): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.599:194828): arch=c000003e syscall=5 success=yes exit=0 a0=1c a1=7fff2467a990 a2=7fff2467a990 a3=7f129e519840 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.599:194828): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.599:194829): arch=c000003e syscall=9 success=yes exit=139717942345728 a0=0 a1=1000 a2=3 a3=22 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.599:194829): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.599:194830): arch=c000003e syscall=0 success=yes exit=8 a0=1c a1=7f129e528000 a2=400 a3=22 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.599:194830): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.599:194831): arch=c000003e syscall=3 success=yes exit=0 a0=1c a1=1 a2=55b63b7da460 a3=55b63b7da970 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.599:194831): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.599:194832): arch=c000003e syscall=11 success=yes exit=0 a0=7f129e528000 a1=1000 a2=0 a3=55b63b7da970 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.599:194832): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.599:194833): arch=c000003e syscall=267 success=yes exit=17 a0=ffffff9c a1=7fff2467b320 a2=55b63b7da860 a3=63 items=1 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.599:194833): cwd="/"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.599:194833): item=0 name="/proc/1321/exe" inode=21183 dev=00:04 mode=0120777 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.599:194833): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.600:194834): arch=c000003e syscall=2 success=yes exit=28 a0=7fff2467b2a0 a1=80000 a2=1b6 a3=80000 items=1 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.600:194834): cwd="/"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.600:194834): item=0 name="/proc/1321/cmdline" inode=21184 dev=00:04 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.600:194834): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.600:194835): arch=c000003e syscall=5 success=yes exit=0 a0=1c a1=7fff2467b190 a2=7fff2467b190 a3=80000 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.600:194835): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.600:194836): arch=c000003e syscall=9 success=yes exit=139717942345728 a0=0 a1=1000 a2=3 a3=22 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.600:194836): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.600:194837): arch=c000003e syscall=0 success=yes exit=14 a0=1c a1=7f129e528000 a2=400 a3=22 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.600:194837): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.600:194838): arch=c000003e syscall=0 success=yes exit=0 a0=1c a1=7f129e528000 a2=400 a3=55b63b7da5e0 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.600:194838): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.600:194839): arch=c000003e syscall=3 success=yes exit=0 a0=1c a1=1 a2=55b63b7da460 a3=55b63b7da5e0 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.600:194839): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.600:194840): arch=c000003e syscall=11 success=yes exit=0 a0=7f129e528000 a1=1000 a2=0 a3=55b63b7da5e0 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.600:194840): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.600:194841): arch=c000003e syscall=2 success=yes exit=28 a0=7fff2467b2b0 a1=80000 a2=1b6 a3=80000 items=1 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.600:194841): cwd="/"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.600:194841): item=0 name="/proc/1321/status" inode=21185 dev=00:04 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.600:194841): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.600:194842): arch=c000003e syscall=5 success=yes exit=0 a0=1c a1=7fff2467b1d0 a2=7fff2467b1d0 a3=80000 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.600:194842): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.600:194843): arch=c000003e syscall=5 success=yes exit=0 a0=1c a1=7fff2467b090 a2=7fff2467b090 a3=7f129e519840 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.600:194843): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.600:194844): arch=c000003e syscall=9 success=yes exit=139717942345728 a0=0 a1=1000 a2=3 a3=22 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.600:194844): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.600:194845): arch=c000003e syscall=0 success=yes exit=972 a0=1c a1=55b63b7dac50 a2=800 a3=22 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.600:194845): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.600:194846): arch=c000003e syscall=0 success=yes exit=0 a0=1c a1=55b63b7db01c a2=400 a3=22 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.600:194846): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.600:194847): arch=c000003e syscall=0 success=yes exit=0 a0=1c a1=55b63b7db01c a2=c00 a3=7f129e519840 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.600:194847): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.600:194848): arch=c000003e syscall=3 success=yes exit=0 a0=1c a1=1 a2=55b63b7da460 a3=7f129e519840 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.600:194848): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.600:194849): arch=c000003e syscall=11 success=yes exit=0 a0=7f129e528000 a1=1000 a2=0 a3=7f129e519840 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.600:194849): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.600:194850): arch=c000003e syscall=2 success=yes exit=28 a0=7fff2467b280 a1=80000 a2=1b6 a3=80000 items=1 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.600:194850): cwd="/"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.600:194850): item=0 name="/proc/1321/sessionid" inode=21186 dev=00:04 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.600:194850): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.600:194851): arch=c000003e syscall=5 success=yes exit=0 a0=1c a1=7fff2467a8d0 a2=7fff2467a8d0 a3=7f129e519840 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.600:194851): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.600:194852): arch=c000003e syscall=9 success=yes exit=139717942345728 a0=0 a1=1000 a2=3 a3=22 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.600:194852): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.600:194853): arch=c000003e syscall=0 success=yes exit=1 a0=1c a1=7f129e528000 a2=400 a3=22 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.600:194853): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.600:194854): arch=c000003e syscall=0 success=yes exit=0 a0=1c a1=7f129e528000 a2=400 a3=22 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.600:194854): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.600:194855): arch=c000003e syscall=3 success=yes exit=0 a0=1c a1=1 a2=55b63b7da460 a3=55b63b7da970 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.600:194855): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.600:194856): arch=c000003e syscall=11 success=yes exit=0 a0=7f129e528000 a1=1000 a2=0 a3=55b63b7da970 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.600:194856): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.600:194857): arch=c000003e syscall=2 success=yes exit=28 a0=7fff2467b280 a1=80000 a2=1b6 a3=80000 items=1 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.600:194857): cwd="/"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.600:194857): item=0 name="/proc/1321/loginuid" inode=21187 dev=00:04 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.600:194857): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.600:194858): arch=c000003e syscall=5 success=yes exit=0 a0=1c a1=7fff2467a8d0 a2=7fff2467a8d0 a3=7f129e519840 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.600:194858): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.600:194859): arch=c000003e syscall=9 success=yes exit=139717942345728 a0=0 a1=1000 a2=3 a3=22 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.600:194859): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.600:194860): arch=c000003e syscall=0 success=yes exit=4 a0=1c a1=7f129e528000 a2=400 a3=22 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.600:194860): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.600:194861): arch=c000003e syscall=0 success=yes exit=0 a0=1c a1=7f129e528000 a2=400 a3=22 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.600:194861): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.600:194862): arch=c000003e syscall=3 success=yes exit=0 a0=1c a1=1 a2=55b63b7da460 a3=55b63b7da970 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.600:194862): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.600:194863): arch=c000003e syscall=11 success=yes exit=0 a0=7f129e528000 a1=1000 a2=0 a3=55b63b7da970 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.600:194863): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.600:194864): arch=c000003e syscall=2 success=yes exit=28 a0=7fff2467a9f0 a1=80000 a2=1b6 a3=80000 items=1 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.600:194864): cwd="/"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.600:194864): item=0 name="/proc/1321/cgroup" inode=21181 dev=00:04 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.600:194864): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.600:194865): arch=c000003e syscall=5 success=yes exit=0 a0=1c a1=7fff2467a870 a2=7fff2467a870 a3=7f129e519840 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.600:194865): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.600:194866): arch=c000003e syscall=9 success=yes exit=139717942345728 a0=0 a1=1000 a2=3 a3=22 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.600:194866): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.600:194867): arch=c000003e syscall=0 success=yes exit=190 a0=1c a1=7f129e528000 a2=400 a3=22 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.600:194867): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.600:194868): arch=c000003e syscall=3 success=yes exit=0 a0=1c a1=1 a2=55b63b7da460 a3=69737365732f6563 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.600:194868): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.600:194869): arch=c000003e syscall=11 success=yes exit=0 a0=7f129e528000 a1=1000 a2=0 a3=69737365732f6563 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.600:194869): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.600:194870): arch=c000003e syscall=5 success=yes exit=0 a0=11 a1=55b63b7d2c70 a2=55b63b7d2c70 a3=ffffffffff7ff000 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.600:194870): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781463.808:194871): arch=c000003e syscall=271 success=yes exit=1 a0=7ffcf96cc3e0 a1=1 a2=0 a3=7ffcf96cc3f0 items=0 ppid=1 pid=767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrt-dump-journ" exe="/usr/bin/abrt-dump-journal-xorg" subj=system_u:system_r:abrt_dump_oops_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781463.808:194871): proctitle=2F7573722F62696E2F616272742D64756D702D6A6F75726E616C2D786F7267002D66787444
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.601:194872): arch=c000003e syscall=0 success=yes exit=32 a0=3 a1=7ffcf96cc280 a2=110 a3=ffffffffff7ff000 items=0 ppid=1 pid=767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrt-dump-journ" exe="/usr/bin/abrt-dump-journal-xorg" subj=system_u:system_r:abrt_dump_oops_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.601:194872): proctitle=2F7573722F62696E2F616272742D64756D702D6A6F75726E616C2D786F7267002D66787444
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.601:194873): arch=c000003e syscall=0 success=no exit=-11 a0=3 a1=7ffcf96cc280 a2=110 a3=560957e11440 items=0 ppid=1 pid=767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrt-dump-journ" exe="/usr/bin/abrt-dump-journal-xorg" subj=system_u:system_r:abrt_dump_oops_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.601:194873): proctitle=2F7573722F62696E2F616272742D64756D702D6A6F75726E616C2D786F7267002D66787444
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781463.808:194874): arch=c000003e syscall=271 success=yes exit=1 a0=7ffecb493800 a1=1 a2=0 a3=7ffecb493810 items=0 ppid=1 pid=766 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrt-dump-journ" exe="/usr/bin/abrt-dump-journal-oops" subj=system_u:system_r:abrt_dump_oops_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781463.808:194874): proctitle=2F7573722F62696E2F616272742D64756D702D6A6F75726E616C2D6F6F7073002D66787444
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.601:194875): arch=c000003e syscall=0 success=yes exit=32 a0=3 a1=7ffecb4936a0 a2=110 a3=ffffffffff7ff000 items=0 ppid=1 pid=766 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrt-dump-journ" exe="/usr/bin/abrt-dump-journal-oops" subj=system_u:system_r:abrt_dump_oops_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.601:194875): proctitle=2F7573722F62696E2F616272742D64756D702D6A6F75726E616C2D6F6F7073002D66787444
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.601:194876): arch=c000003e syscall=0 success=no exit=-11 a0=3 a1=7ffecb4936a0 a2=110 a3=55cd01855780 items=0 ppid=1 pid=766 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrt-dump-journ" exe="/usr/bin/abrt-dump-journal-oops" subj=system_u:system_r:abrt_dump_oops_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.601:194876): proctitle=2F7573722F62696E2F616272742D64756D702D6A6F75726E616C2D6F6F7073002D66787444
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781463.809:194877): arch=c000003e syscall=7 success=yes exit=1 a0=7fa0c7956cb0 a1=1 a2=ffffffff a3=55c0e766d580 items=0 ppid=1 pid=730 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="in:imjournal" exe="/usr/sbin/rsyslogd" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781463.809:194877): proctitle=2F7573722F7362696E2F727379736C6F6764002D6E
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.601:194878): arch=c000003e syscall=0 success=yes exit=32 a0=9 a1=7fa0c7956ac0 a2=110 a3=ffffffffff7ff000 items=0 ppid=1 pid=730 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="in:imjournal" exe="/usr/sbin/rsyslogd" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.601:194878): proctitle=2F7573722F7362696E2F727379736C6F6764002D6E
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.601:194879): arch=c000003e syscall=0 success=no exit=-11 a0=9 a1=7fa0c7956ac0 a2=110 a3=7fa0c00027e0 items=0 ppid=1 pid=730 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="in:imjournal" exe="/usr/sbin/rsyslogd" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.601:194879): proctitle=2F7573722F7362696E2F727379736C6F6764002D6E
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781463.808:194880): arch=c000003e syscall=202 success=yes exit=0 a0=55c0e766e19c a1=80 a2=6b1b a3=0 items=0 ppid=1 pid=731 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=72733A6D61696E20513A526567 exe="/usr/sbin/rsyslogd" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781463.808:194880): proctitle=2F7573722F7362696E2F727379736C6F6764002D6E
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.601:194881): arch=c000003e syscall=202 success=yes exit=1 a0=55c0e766e19c a1=85 a2=1 a3=1 items=0 ppid=1 pid=730 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="in:imjournal" exe="/usr/sbin/rsyslogd" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.601:194881): proctitle=2F7573722F7362696E2F727379736C6F6764002D6E
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.601:194882): arch=c000003e syscall=202 success=yes exit=0 a0=55c0e766dfb0 a1=80 a2=2 a3=0 items=0 ppid=1 pid=731 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=72733A6D61696E20513A526567 exe="/usr/sbin/rsyslogd" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.601:194882): proctitle=2F7573722F7362696E2F727379736C6F6764002D6E
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.601:194883): arch=c000003e syscall=202 success=yes exit=0 a0=55c0e766dfb0 a1=81 a2=1 a3=0 items=0 ppid=1 pid=731 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=72733A6D61696E20513A526567 exe="/usr/sbin/rsyslogd" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.601:194883): proctitle=2F7573722F7362696E2F727379736C6F6764002D6E
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.601:194884): arch=c000003e syscall=1 success=yes exit=78 a0=4 a1=7fa0b8003a70 a2=4e a3=55c0e60dc2c0 items=0 ppid=1 pid=731 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=72733A6D61696E20513A526567 exe="/usr/sbin/rsyslogd" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.601:194884): proctitle=2F7573722F7362696E2F727379736C6F6764002D6E
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.601:194885): arch=c000003e syscall=202 success=yes exit=1 a0=55c0e766dfb0 a1=81 a2=1 a3=1 items=0 ppid=1 pid=730 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="in:imjournal" exe="/usr/sbin/rsyslogd" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.601:194885): proctitle=2F7573722F7362696E2F727379736C6F6764002D6E
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.601:194886): arch=c000003e syscall=77 success=yes exit=0 a0=11 a1=2800000 a2=0 a3=7fff2467af00 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.601:194886): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.598:194887): arch=c000003e syscall=44 success=yes exit=66 a0=9 a1=5564861957e0 a2=42 a3=4000 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.598:194887): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.601:194888): arch=c000003e syscall=89 success=yes exit=17 a0=7f0add37add9 a1=7ffc382eb540 a2=1000 a3=556486193480 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.601:194888): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.601:194888): item=0 name="/proc/self/exe" inode=21183 dev=00:04 mode=0120777 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.601:194888): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.601:194889): arch=c000003e syscall=16 success=yes exit=0 a0=0 a1=5401 a2=7ffc382ec2a0 a3=11 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.601:194889): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.601:194890): arch=c000003e syscall=5 success=yes exit=0 a0=0 a1=7ffc382ec350 a2=7ffc382ec350 a3=11 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.601:194890): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.601:194891): arch=c000003e syscall=89 success=yes exit=10 a0=7ffc382ec2f0 a1=7ffc382ec590 a2=1f a3=0 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.601:194891): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.601:194891): item=0 name="/proc/self/fd/0" inode=21189 dev=00:04 mode=0120700 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.601:194891): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.601:194892): arch=c000003e syscall=4 success=yes exit=0 a0=7ffc382ec590 a1=7ffc382ec3e0 a2=7ffc382ec3e0 a3=0 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.601:194892): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.601:194892): item=0 name="/dev/pts/0" inode=3 dev=00:0d mode=020620 ouid=1000 ogid=5 rdev=88:00 obj=unconfined_u:object_r:user_devpts_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.601:194892): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.601:194893): arch=c000003e syscall=6 success=yes exit=0 a0=7ffc382ec590 a1=7ffc382ec4b0 a2=7ffc382ec4b0 a3=0 items=1 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.601:194893): cwd="/home/itsec"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.601:194893): item=0 name="/dev/pts/0" inode=3 dev=00:0d mode=020620 ouid=1000 ogid=5 rdev=88:00 obj=unconfined_u:object_r:user_devpts_t:s0 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.601:194893): proctitle="bash"
+node=auditdtest.a1959.org type=ADD_GROUP msg=audit(1451781471.602:194894): pid=1321 uid=0 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-group acct="frodo" exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.602:194895): arch=c000003e syscall=44 success=yes exit=112 a0=3 a1=7ffc382e7ea0 a2=70 a3=0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=SOCKADDR msg=audit(1451781471.602:194895): saddr=100000000000000000000000
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.602:194895): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.602:194896): arch=c000003e syscall=7 success=yes exit=1 a0=7ffc382e7e90 a1=1 a2=1f4 a3=0 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.602:194896): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.602:194897): arch=c000003e syscall=45 success=yes exit=36 a0=3 a1=7ffc382ea1d0 a2=231c a3=42 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=SOCKADDR msg=audit(1451781471.602:194897): saddr=100000000000000000000000
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.602:194897): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.602:194898): arch=c000003e syscall=45 success=yes exit=36 a0=3 a1=7ffc382ea1d0 a2=231c a3=40 items=0 ppid=1306 pid=1321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="adduser" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+node=auditdtest.a1959.org type=SOCKADDR msg=audit(1451781471.602:194898): saddr=100000000000000000000000
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.602:194898): proctitle="bash"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.601:194899): arch=c000003e syscall=232 success=yes exit=1 a0=8 a1=7fff2467bc20 a2=17 a3=ffffffff items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.601:194899): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.602:194900): arch=c000003e syscall=228 success=yes exit=0 a0=7 a1=7fff2467bbf0 a2=0 a3=ffffffffff7ff000 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.602:194900): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.602:194901): arch=c000003e syscall=16 success=yes exit=0 a0=3 a1=541b a2=7fff2467babc a3=ffffffffff7ff000 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.602:194901): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.602:194902): arch=c000003e syscall=47 success=yes exit=110 a0=3 a1=7fff2467bae0 a2=40000040 a3=ffffffffff7ff000 items=0 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.602:194902): proctitle="/usr/lib/systemd/systemd-journald"
+node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.602:194903): arch=c000003e syscall=2 success=yes exit=28 a0=7fff2467ad20 a1=80000 a2=1b6 a3=80000 items=1 ppid=1 pid=561 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+node=auditdtest.a1959.org type=CWD msg=audit(1451781471.602:194903): cwd="/"
+node=auditdtest.a1959.org type=PATH msg=audit(1451781471.602:194903): item=0 name="/proc/1321/cgroup" inode=21181 dev=00:04 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 nametype=NORMAL
+node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.602:194903): proctitle="/usr/lib/systemd/systemd-journald"
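Review bot: the records in this stretch of the test log never interleave, so on their own they do not exercise the case the series is about. Each event's SYSCALL, CWD, PATH, SOCKADDR and PROCTITLE records sit together (194857, 194888 and 194895, for example), and the serials rise steadily from 194852 to 194903. What does go out of order here is the timestamp: 194871, 194874, 194877 and 194880 are stamped 1451781463.80x while their neighbours are at 1451781471.60x, and 194887 and 194899 step back by a few milliseconds. If the file is meant to cover interleaved records as well, it would help to note in the test which serials do that. If none of the captured events do, consider adding a short hand-built sequence with two events' records interleaved, so that the check is easy to find and does not depend on a capture of this size.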
[-- Attachment #3: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply
* Patch to auparse to handle out of order messages 2 of 3
From: Burn Alting @ 2016-01-06 10:29 UTC (permalink / raw)
To: linux-audit@redhat.com
[-- Attachment #1: Type: text/plain, Size: 167 bytes --]
#2 - the 'lol' patch itself. Integrate the ausearch/aureport 'lol' code
into auparse() and adjust auparse() to deal with maintaining an in-core list
of incomplete events.
[-- Attachment #2: audit-2.4.5-2.patch --]
[-- Type: text/x-patch, Size: 20402 bytes --]
diff -Npru audit-2.4.5.orig/auparse/auparse.c audit-2.4.5/auparse/auparse.c
--- audit-2.4.5.orig/auparse/auparse.c 2016-01-03 14:05:15.858351108 +1100
+++ audit-2.4.5/auparse/auparse.c 2016-01-06 19:58:58.414629974 +1100
@@ -107,6 +107,347 @@ static int setup_log_file_array(auparse_
return 0;
}
+#define LOL_EVENTS 1 /* enable new list of list event processing */
+#define LOL_EVENTS_DEBUG01 0 /* add debug for list of list event processing */
+
+#if LOL_EVENTS
+
+/*
+ * NOTES:
+ * Auditd events are made up of one or more records. The auditd system cannot guarantee that
+ * the set of records that make up an event will occur atomically, that is the stream will have
+ * interleaved records of different events. IE
+ * ...
+ * event0_record0
+ * event1_record0
+ * event1_record1
+ * event2_record0
+ * event1_record3
+ * event2_record1
+ * event1_record4
+ * event3_record0
+ * ...
+ *
+ * The auditd system does guarantee that the records that make up an event will appear in
+ * order. Thus, when processing event streams, we need to maintain a list of events with
+ * their own list of records hence List of List (LOL) event processing.
+ *
+ * When processing an event stream we define the end of an event via
+ * record type = AUDIT_EOE (audit end of event type record), or
+ * record type = AUDIT_PROCTITLE (we note the AUDIT_PROCTITLE is always the last record), or
+ * record type < AUDIT_FIRST_EVENT (only single record events appear before this type), or
+ * record type >= AUDIT_FIRST_ANOM_MSG (only single record events appear after this type), or
+ * for the stream being processed, the time of the event is over 2 seconds old
+ *
+ * So, under LOL_EVENT processing, a event node (au_lolnode) can be either
+ *
+ * EBS_EMPTY: node is scheduled for emptying (freeing)
+ * EBS_BUILDING: node is still building (awaiting more records and/or awaiting an End of Event action)
+ * EBS_COMPLETE: node is complete and avaiable for use
+ *
+ * The old auparse() library processed events as they appeared and hence failed to deal with
+ * interleaved records. The old library kept a 'current' event which it would parse. This new
+ * LOL_EVENT code maintains the concept of a 'current' event, but it now points to an event within
+ * the list of list events structure.
+ */
+typedef enum { EBS_EMPTY, EBS_BUILDING, EBS_COMPLETE } au_lol_t;
+
+/*
+ * Structure to hold an event and it's list of constituent records
+ */
+typedef struct _au_lolnode {
+ event_list_t * l; /* the list of this event's records */
+ au_lol_t status; /* this event's build state */
+} au_lolnode;
+
+/*
+ * List of events being processed at any one time
+ */
+typedef struct {
+ au_lolnode * array; /* array of events */
+ int maxi; /* largest index in array used */
+ int limit; /* number of events in array */
+} au_lol;
+
+/*
+ * Base of list management
+ */
+static au_lol au_lo;
+
+/*
+ * The list is a dynamically growable list. We initally hold ARRAY_LIMIT
+ * events and grow by ARRAY_LIMIT if we need to maintain more events at
+ * any one time
+ */
+#define ARRAY_LIMIT 80
+
+/*
+ * For speed, we note how many EBS_COMPLETE events we hold at any point in time. Thus
+ * we don't have to scan the list
+ */
+static int au_ready = 0;
+
+/*
+ * au_lol_create - Create and initialise the base List of List event structure
+ * Args:
+ * lol - pointer to memory holding structure (eg the static au_lo variable)
+ * Rtns:
+ * NULL - no memory
+ * ptr - pointer to array of event nodes (au_lolnode)
+ */
+au_lolnode *
+au_lol_create(au_lol * lol) {
+ int sz = ARRAY_LIMIT * sizeof(au_lolnode);
+
+ lol->maxi = -1;
+ lol->limit = ARRAY_LIMIT;
+ if ((lol->array = (au_lolnode *)malloc(sz)) == NULL) {
+ lol->maxi = -1;
+ return NULL;
+ }
+ memset(lol->array, 0x00, sz);
+
+ return lol->array;
+}
+
+/*
+ * au_lol_clear - Free or rest the base List of List event structure
+ *
+ * Args:
+ * lol - pointer to memory holding structure (eg the static au_lo variable)
+ * reset - flag to indicate a reset of the structure, or the complete freeing of memory
+ * Rtns:
+ * void
+ */
+void au_lol_clear(au_lol * lol, int reset)
+{
+ int i;
+
+ if (lol->array) for (i = 0; i <= lol->maxi; i++) {
+ if (lol->array[i].l) {
+ aup_list_clear(lol->array[i].l);
+ free(lol->array[i].l);
+ }
+ }
+ if (reset) {
+ /* If resetting, we just zero fields */
+ if (lol->array)
+ memset(lol->array, 0x00, lol->limit * sizeof(au_lolnode));
+ lol->maxi = -1;
+ } else {
+ /* If not resetting, we free everything */
+ if (lol->array) free(lol->array);
+ lol->array = NULL;
+ lol->maxi = -1;
+ }
+}
+
+/*
+ * au_lol_append - Add a new event to our base List of List structure
+ *
+ * Args:
+ * lol - pointer to memory holding structure (eg the static au_lo variable)
+ * l - the event list structure (which will contain an event's constituent records)
+ * Rtns:
+ * ptr - pointer to au_lolnode which holds the event list structure
+ * NULL - failed to reallocate memory
+ */
+au_lolnode *
+au_lol_append(au_lol * lol, event_list_t * l)
+{
+ int i;
+ size_t new_size;
+ au_lolnode * ptr;
+
+ for (i = 0; i < lol->limit; i++) {
+ au_lolnode * cur = &lol->array[i];
+ if (cur->status == EBS_EMPTY) {
+ cur->l = l;
+ cur->status = EBS_BUILDING;
+ if (i > lol->maxi)
+ lol->maxi = i;
+ return cur;
+ }
+ }
+ /* Over ran the array, make it bigger */
+ new_size = sizeof(au_lolnode) * (lol->limit + ARRAY_LIMIT);
+ ptr = realloc(lol->array, new_size);
+ if (ptr) {
+ lol->array = ptr;
+ memset(&lol->array[lol->limit], 0x00, sizeof(au_lolnode) * ARRAY_LIMIT);
+ lol->array[i].l = l;
+ lol->array[i].status = EBS_BUILDING;
+ lol->maxi = i;
+ lol->limit += ARRAY_LIMIT;
+ }
+ return ptr;
+}
+
+/*
+ * au_get_ready_event - Find the next COMPLETE event in our list and mark it EMPTY
+ *
+ * Args:
+ * lol - pointer to memory holding structure (eg the static au_lo variable)
+ * is_test - do not mark the node EMPTY
+ * Rtns:
+ * ptr - pointer to complete node (possibly just marked empty)
+ * NULL - no complete nodes exist
+ */
+static event_list_t *
+au_get_ready_event(au_lol *lol, int is_test)
+{
+ int i;
+
+ if (au_ready == 0)
+ return NULL;
+
+ for (i=0; i<=lol->maxi; i++) {
+ au_lolnode *cur = &(lol->array[i]);
+ if (cur->status == EBS_COMPLETE) {
+ /*
+ * If we are just testing for a complete event, return
+ */
+ if (is_test)
+ return cur->l;
+ /*
+ * Otherwise set it status to empty and accept the
+ * caller will take custody of the memory
+ */
+ cur->status = EBS_EMPTY;
+ au_ready--;
+ return cur->l;
+ }
+ }
+
+ return NULL;
+}
+
+/*
+ * au_check_events - Run though all events marking those we can mark COMPLETE
+ *
+ * Args:
+ * lol - pointer to memory holding structure (eg the static au_lo variable)
+ * sec - time of current event from stream being processed. We use this to see
+ * how old the events are we have in our list
+ * Rtns:
+ * void
+ */
+static void au_check_events(au_lol *lol, time_t sec)
+{
+ rnode * r;
+ int i;
+
+ for(i=0;i<=lol->maxi; i++) {
+ au_lolnode *cur = &lol->array[i];
+ if (cur->status == EBS_BUILDING) {
+ if ((r = aup_list_get_cur(cur->l)) == NULL)
+ continue;
+ // If 2 seconds have elapsed, we are done
+ if (cur->l->e.sec + 2 < sec) {
+ cur->status = EBS_COMPLETE;
+ au_ready++;
+ } else if (
+ r->type == AUDIT_PROCTITLE || /* FIXME: Check this remains true */
+ r->type == AUDIT_EOE ||
+ r->type < AUDIT_FIRST_EVENT ||
+ r->type >= AUDIT_FIRST_ANOM_MSG) {
+ // If known to be 1 record event, we are done
+ cur->status = EBS_COMPLETE;
+ au_ready++;
+ }
+ }
+ }
+}
+
+/*
+ * au_terminate_all_events - Mark all events in 'BUILD' state to be COMPLETE
+ *
+ * Args:
+ * lol - pointer to memory holding structure (eg the static au_lo variable)
+ * Rtns:
+ * void
+ */
+void au_terminate_all_events(au_lol *lol)
+{
+ int i;
+
+ for (i=0; i<=lol->maxi; i++) {
+ au_lolnode *cur = &lol->array[i];
+ if (cur->status == EBS_BUILDING) {
+ cur->status = EBS_COMPLETE;
+ au_ready++;
+ }
+ }
+}
+
+#if LOL_EVENTS_DEBUG01
+/*
+ * print_list_t - Print summary of event's records
+ * Args:
+ * l - event_list to print
+ * Rtns:
+ * void
+ */
+void
+print_list_t(event_list_t * l)
+{
+ rnode * r;
+
+ if (l == NULL) {
+ printf("\n");
+ return;
+ }
+ printf("0x%X: %lu.%3.3lu:%d %s", l, l->e.sec, l->e.milli, l->e.serial, l->e.host ? l->e.host : "");
+ printf(" cnt=%d", l->cnt);
+ for (r = l->head; r != NULL; r = r->next) {
+ printf(" {%d %d %d}", r->type, r->list_idx, r->line_number);
+ }
+ printf("\n");
+}
+
+/*
+ * lol_status - return type of event state as a character
+ * Args:
+ * s - event state
+ * Rtns:
+ * char - E, B or C for EMPTY, BUILDING or COMPLETE, or '*' for unknown
+ */
+static char
+lol_status(au_lol_t s)
+{
+ switch(s) {
+ case EBS_EMPTY: return 'E'; break;
+ case EBS_BUILDING: return 'B'; break;
+ case EBS_COMPLETE: return 'C'; break;
+ }
+ return '*';
+}
+
+/*
+ * print_lol - Print a list of list events and their records
+ * Args:
+ * label - String to act as label when printing
+ * lol - pointer to memory holding structure (eg the static au_lo variable)
+ * Rtns:
+ * void
+ */
+void
+print_lol(char * label, au_lol * lol)
+{
+ int i;
+
+ printf("%s 0x%X: a: 0x%X, %d, %d\n", label, lol, lol->array, lol->maxi, lol->limit);
+ if (debug > 1) for (i = 0; i <= lol->maxi; i++) {
+ printf("{%2d 0x%X %c } ", i, (&lol->array[i]), lol_status(lol->array[i].status));
+ print_list_t(lol->array[i].l);
+ }
+ if (lol->maxi >= 0)
+ printf("\n");
+}
+#endif /* LOL_EVENTS_DEBUG01 */
+
+#endif /* LOL_EVENTS */
+
/* General functions that affect operation of the library */
auparse_state_t *auparse_init(ausource_t source, const void *b)
{
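Review bot: au_lol_append() walks lol->array[0..limit) without checking that lol->array is non-NULL, yet the non-reset branch of au_lol_clear() sets lol->array to NULL while leaving lol->limit unchanged, and au_lol_create() leaves the same state when malloc() fails, so an append after either path dereferences a NULL pointer. Return NULL early from au_lol_append() when lol->array is NULL, or zero lol->limit wherever the array is released. au_lol_clear() also frees lists that may belong to EBS_COMPLETE nodes without touching the file-scope au_ready counter, so au_ready can stay above zero with nothing queued; resetting it there keeps the early return in au_get_ready_event() meaningful. In the debug helpers, pointers are printed with 0x%X; %p is the matching conversion.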
@@ -121,12 +462,24 @@ auparse_state_t *auparse_init(ausource_t
}
au->le = NULL;
+#if LOL_EVENTS
+ /*
+ * Set up the List of List events base structure
+ */
+ au_lol_clear(&au_lo, 0); /* for python that doesn't call auparse_destroy() */
+ if (au_lol_create(&au_lo) == NULL) {
+ free(au);
+ errno = ENOMEM;
+ return NULL;
+ }
+#else /* LOL_EVENTS */
/* Allocate the 'current' event of interest pointer */
if ((au->le = (event_list_t *)malloc(sizeof(event_list_t))) == NULL) {
free(au);
errno = ENOMEM;
return NULL;
}
+#endif /* LOL_EVENTS */
au->in = NULL;
au->source_list = NULL;
databuf_init(&au->databuf, 0, 0);
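Review bot: au_lol_clear(&au_lo, 0) at the top of the LOL_EVENTS block works on the single au_lo variable rather than on state owned by the au being initialised, so a second auparse_init() in the same process frees every event list still held for an earlier auparse_state_t. Making the au_lol a member of auparse_state_t (allocated here, released in auparse_destroy()) would remove that coupling and the need for the Python-specific clear.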
@@ -213,7 +566,9 @@ auparse_state_t *auparse_init(ausource_t
au->off = 0;
au->cur_buf = NULL;
au->line_pushed = 0;
+#if LOL_EVENTS == 0
aup_list_create(au->le); /* Initialise the 'current' event pointer */
+#endif /* LOL_EVENTS == 0 */
au->parse_state = EVENT_EMPTY;
au->expr = NULL;
au->find_field = NULL;
@@ -222,7 +577,12 @@ auparse_state_t *auparse_init(ausource_t
return au;
bad_exit:
databuf_free(&au->databuf);
- free(au->le); /* Free the 'current' event of interest event pointer */
+#if LOL_EVENTS
+ /* Feee list of events list (au_lo) structure */
+ au_lol_clear(&au_lo, 0);
+#else /* LOL_EVENTS */
+ free(au->le); /* Free the 'current' event of interest event pointer */
+#endif /* LOL_EVENTS */
free(au);
return NULL;
}
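Review bot: the comment added in the bad_exit path reads "Feee list of events list (au_lo) structure"; that should be "Free".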
@@ -257,6 +617,27 @@ static void consume_feed(auparse_state_t
if (flush) {
// FIXME: might need a call here to force auparse_next_event()
// to consume any partial data not fully consumed.
+#if LOL_EVENTS
+ /* Terminate all outstanding events, as we are at end of input (ie
+ * mark BUILDING events as COMPLETE events) then if we have a
+ * callback execute the callback on each event
+ * FIXME: Should we implement a 'checkpoint' concept as per
+ * ausearch or accept these 'partial' events?
+ */
+ event_list_t * l;
+
+ if (debug) printf("terminate all events in flush\n");
+ au_terminate_all_events(&au_lo);
+ while ((l = au_get_ready_event(&au_lo, 0)) != NULL) {
+ au->le = l; /* make this current the event of interest */
+ aup_list_first(l);
+ aup_list_first_field(l);
+ if (au->callback) {
+ (*au->callback)(au, AUPARSE_CB_EVENT_READY,
+ au->callback_user_data);
+ }
+ }
+#else /* LOL_EVENTS */
if (au->parse_state == EVENT_ACCUMULATING) {
// Emit the event, set event cursors to initial position
aup_list_first(au->le);
@@ -267,6 +648,7 @@ static void consume_feed(auparse_state_t
au->callback_user_data);
}
}
+#endif /* LOL_EVENTS */
}
}
@@ -288,8 +670,13 @@ int auparse_flush_feed(auparse_state_t *
// Otherwise return 0 to indicate its empty
int auparse_feed_has_data(const auparse_state_t *au)
{
+#if LOL_EVENTS
+ if (au_get_ready_event(&au_lo, 1) != NULL)
+ return 1;
+#else /* LOL_EVENTS */
if (au->parse_state == EVENT_ACCUMULATING)
return 1;
+#endif /* LOL_EVENTS */
return 0;
}
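Review bot: with LOL_EVENTS set, auparse_feed_has_data() returns 1 only when au_get_ready_event() finds an EBS_COMPLETE node, whereas the #else branch returns 1 while an event is still EVENT_ACCUMULATING. Records held in EBS_BUILDING nodes are therefore reported as an empty feed, which changes what a caller sees before a flush. If the old meaning is intended, also return 1 when any node in au_lo is EBS_BUILDING; otherwise update the comment above the function to state the new meaning.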
@@ -305,9 +692,17 @@ int auparse_reset(auparse_state_t *au)
return -1;
}
+#if LOL_EVENTS
+ /* Create or Free list of events list (au_lo) structure */
+ if (au_lo.array == NULL)
+ au_lol_create(&au_lo);
+ else
+ au_lol_clear(&au_lo, 1);
+#else /* LOL_EVENTS */
/* Free the 'current' event of interest list and it's content */
if (au->le)
aup_list_clear(au->le);
+#endif /* LOL_EVENTS */
au->parse_state = EVENT_EMPTY;
switch (au->source)
{
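Review bot: the au_lol_clear(&au_lo, 1) branch frees every event list in au_lo, including the one au->le may still point at, and nothing in this hunk sets au->le to NULL afterwards the way auparse_destroy() does, so accessors called after auparse_reset() can read freed memory. Set au->le = NULL inside the LOL_EVENTS block. The return value of au_lol_create() in the other branch is also ignored; fail with -1 and errno = ENOMEM as auparse_init() does.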
@@ -543,6 +938,7 @@ void auparse_destroy(auparse_state_t *au
{
aulookup_destroy_uid_list();
aulookup_destroy_gid_list();
+
if (au == NULL)
return;
@@ -557,9 +953,14 @@ void auparse_destroy(auparse_state_t *au
au->next_buf = NULL;
free(au->cur_buf);
au->cur_buf = NULL;
+#if LOL_EVENTS
+ /* Delete list of events list (au_lo) */
+ au_lol_clear(&au_lo, 0);
+#else /* LOL_EVENTS */
/* Reset and clear any data in the 'current' event of interest ptr then free it. */
aup_list_clear(au->le);
free(au->le);
+#endif /* LOL_EVENTS */
au->le = NULL;
au->parse_state = EVENT_EMPTY;
free(au->find_field);
@@ -965,12 +1366,178 @@ int ausearch_next_event(auparse_state_t
return 0;
}
+#if LOL_EVENTS
+/*
+ * au_auparse_next_event - Get the next complete event
+ * Args:
+ * au - the parser state machine
+ * Rtns:
+ * < 0 - error
+ * == 0 - no data
+ * > 0 - we have an event and it's set to the 'current event' au->le
+ */
+static
+int au_auparse_next_event(auparse_state_t *au)
+{
+ int rc, i, built;
+ event_list_t * l;
+ rnode * r;
+ au_event_t e;
+
+ /*
+ * Deal with Python memory management issues where it issues a auparse_destroy()
+ * call after an auparse_init() call but then wants to still work with auparse data.
+ * Bascially, we assume if the user wants to parse for events (calling auparse_next_event())
+ * we accept that they expect the memory structures to exist. This is a bit 'disconcerting'
+ * but the au_lol capability is a patch trying to redress a singleton approach to event
+ * processing.
+ */
+ if (au_lo.array == NULL && au_lo.maxi == -1) {
+ au_lol_create(&au_lo);
+ }
+ /*
+ * First see if we have any empty events but with an allocated event list.
+ * These would have just been processed, so we can free them
+ */
+ for (i = 0; i <= au_lo.maxi; i++) {
+ au_lolnode * cur = &au_lo.array[i];
+ if (cur->status == EBS_EMPTY && cur->l) {
+#if LOL_EVENTS_DEBUG01
+ if (debug) {printf("Freeing at start "); print_list_t(cur->l);}
+#endif /* LOL_EVENTS_DEBUG01 */
+ aup_list_clear(cur->l);
+ free(cur->l);
+ au->le = NULL; /* this should crash any usage of au->le until reset */
+ cur->l = NULL;
+ }
+ }
+ /*
+ * Now see if we have completed events queued, and if so grab the first one
+ * and set it to be the 'current' event of interest
+ */
+ if ((l = au_get_ready_event(&au_lo, 0)) != NULL) {
+ aup_list_first(l);
+ aup_list_first_field(l);
+ au->le = l;
+#if LOL_EVENTS_DEBUG01
+ if (debug) print_lol("upfront", &au_lo);
+#endif /* LOL_EVENTS_DEBUG01 */
+ return 1;
+ }
+ /*
+ * If no complete events are avaiable, lets ingest
+ */
+ while(1) {
+ for (i = 0; i <= au_lo.maxi; i++) {
+ au_lolnode * cur = &au_lo.array[i];
+ if (cur->status == EBS_EMPTY && cur->l) {
+#if LOL_EVENTS_DEBUG01
+ if (debug) {printf("Freeing at loop"); print_list_t(cur->l);}
+#endif /* LOL_EVENTS_DEBUG01 */
+ aup_list_clear(cur->l);
+ free(cur->l);
+ au->le = NULL; /* this should crash any usage of au->le until reset */
+ cur->l = NULL;
+ }
+ }
+ rc = retrieve_next_line(au);
+ if (debug) printf("next_line(%d) '%s'\n", rc, au->cur_buf);
+ if (rc == 0) {
+#if LOL_EVENTS_DEBUG01
+ if (debug) printf("Empty line\n");
+#endif /* LOL_EVENTS_DEBUG01 */
+ return 0; /* NO data now */
+ }
+ if (rc == -2) {
+ /*
+ * We are at EOF, so see if we have any accumulated events.
+ */
+ if (debug) printf("EOF\n");
+ au_terminate_all_events(&au_lo);
+ if ((l = au_get_ready_event(&au_lo, 0)) != NULL) {
+ aup_list_first(l);
+ aup_list_first_field(l);
+ au->le = l;
+#if LOL_EVENTS_DEBUG01
+ if (debug) print_lol("eof termination", &au_lo);
+#endif /* LOL_EVENTS_DEBUG01 */
+ return 1;
+ }
+ return 0;
+ } else if (rc < 0) {
+ /* Straight error */
+ if (debug) printf("Error %d\n", rc);
+ return -1;
+ }
+ /* So we got a successful read ie rc > 0 */
+ if (extract_timestamp(au->cur_buf, &e)) {
+ if (debug) printf("Malformed line:%s\n", au->cur_buf);
+ continue;
+ }
+ /*
+ * Is this an event we have already been building?
+ */
+ built = 0;
+ for (i = 0; i <= au_lo.maxi; i++) {
+ au_lolnode * cur = &au_lo.array[i];
+ if (cur->status == EBS_BUILDING) {
+ if (events_are_equal(&cur->l->e, &e)) {
+ if (debug) printf("Adding event to building event\n");
+ aup_list_append(cur->l, au->cur_buf,
+ au->list_idx, au->line_number);
+ au->cur_buf = NULL;
+ free((char *)e.host);
+ au_check_events(&au_lo, e.sec);
+#if LOL_EVENTS_DEBUG01
+ if (debug) print_lol("building", &au_lo);
+#endif /* LOL_EVENTS_DEBUG01 */
+ /* we built something, so break out */
+ built++;
+ break;
+ }
+ }
+ }
+ if (built) continue;
+
+ /* So create one */
+ if (debug) printf("First record in new event, initialize event\n");
+ if ((l = (event_list_t *)malloc(sizeof(event_list_t))) == NULL) {
+ printf("no memory\n");
+ return -1;
+ }
+ aup_list_create(l);
+ aup_list_set_event(l, &e);
+ aup_list_append(l, au->cur_buf, au->list_idx, au->line_number);
+ if (au_lol_append(&au_lo, l) == NULL) {
+ printf("no memory\n");
+ return -1;
+ }
+ au->cur_buf = NULL;
+ free((char *)e.host);
+ au_check_events(&au_lo, e.sec);
+ if ((l = au_get_ready_event(&au_lo, 0)) != NULL) {
+ aup_list_first(l);
+ aup_list_first_field(l);
+ au->le = l;
+#if LOL_EVENTS_DEBUG01
+ if (debug) print_lol("basic", &au_lo);
+#endif /* LOL_EVENTS_DEBUG01 */
+ return 1;
+ }
+ }
+
+}
+#endif /* LOL_EVENTS */
+
// Brute force go to next event. Returns < 0 on error, 0 no data, > 0 success
int auparse_next_event(auparse_state_t *au)
{
int rc;
au_event_t event;
+#if LOL_EVENTS
+ return au_auparse_next_event(au);
+#else /* LOL_EVENTS */
if (au->parse_state == EVENT_EMITTED) {
// If the last call resulted in emitting event data then
// clear previous event data in preparation to accumulate
@@ -1056,6 +1623,7 @@ int auparse_next_event(auparse_state_t *
return -1;
}
}
+#endif /* LOL_EVENTS */
}
/* Accessors to event data */
diff -Npru audit-2.4.5.orig/auparse/ellist.h audit-2.4.5/auparse/ellist.h
--- audit-2.4.5.orig/auparse/ellist.h 2015-12-19 06:20:59.000000000 +1100
+++ audit-2.4.5/auparse/ellist.h 2016-01-03 14:22:02.026227103 +1100
@@ -43,7 +43,7 @@ typedef struct {
void aup_list_create(event_list_t *l) hidden;
void aup_list_clear(event_list_t* l) hidden;
-static inline unsigned int aup_list_get_cnt(event_list_t *l) { return l->cnt; }
+static inline unsigned int aup_list_get_cnt(event_list_t *l) { return l ? l->cnt : 0; }
static inline void aup_list_first(event_list_t *l) { l->cur = l->head; }
static inline rnode *aup_list_get_cur(event_list_t *l) { return l->cur; }
rnode *aup_list_next(event_list_t *l) hidden;
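Review bot: only aup_list_get_cnt() gains a NULL guard, while aup_list_first() and aup_list_get_cur() on the next two lines still dereference l unconditionally. au_auparse_next_event() now sets au->le = NULL between events, so callers such as auparse_get_type(), which passes au->le straight to aup_list_get_cur(), will fault in that window. Guard the other inline accessors the same way, or check au->le in the callers.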
[-- Attachment #3: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply
* Patch to auparse to handle out of order messages 1 of 3
From: Burn Alting @ 2016-01-06 10:29 UTC (permalink / raw)
To: linux-audit@redhat.com
[-- Attachment #1: Type: text/plain, Size: 1004 bytes --]
All,
The TODO for 2.5.1 requested
* Fix auparse to handle out of order messages
The problem was that should a stream of raw auditd logs be processed by
auparse(), then if the records that make up a single auditd event were
interleaved with each other, auparse() would 'silently' discard event
data.
Ausearch/Aureport does not have this problem as it handles such
interleaved event records. The approach to solve this problem was to
take the ausearch/aureport's list of list event record code (lol) and
incorporate it into auparse().
The following three patches address this problem.
#1 - convert the existing code to change auparse's auparse_state_t (aka
struct opaque) event_list_t element 'le' to be a pointer, so the 'lol'
code can more seamlessly fit in.
#2 - the 'lol' patch itself. Integrate the ausearch/aureport 'lol' code
into auparse() and adjust auparse() to deal with maintaining an in-core list
of incomplete events.
#3 - modify the standard auparse() test code.
Regards
Burn Alting
[-- Attachment #2: audit-2.4.5-1.patch --]
[-- Type: text/x-patch, Size: 14543 bytes --]
diff -urp audit-2.4.5.orig/auparse/auparse.c audit-2.4.5/auparse/auparse.c
--- audit-2.4.5.orig/auparse/auparse.c 2015-12-19 06:20:59.000000000 +1100
+++ audit-2.4.5/auparse/auparse.c 2016-01-03 14:05:15.858351108 +1100
@@ -120,6 +120,13 @@ auparse_state_t *auparse_init(ausource_t
return NULL;
}
+ au->le = NULL;
+ /* Allocate the 'current' event of interest pointer */
+ if ((au->le = (event_list_t *)malloc(sizeof(event_list_t))) == NULL) {
+ free(au);
+ errno = ENOMEM;
+ return NULL;
+ }
au->in = NULL;
au->source_list = NULL;
databuf_init(&au->databuf, 0, 0);
@@ -206,7 +213,7 @@ auparse_state_t *auparse_init(ausource_t
au->off = 0;
au->cur_buf = NULL;
au->line_pushed = 0;
- aup_list_create(&au->le);
+ aup_list_create(au->le); /* Initialise the 'current' event pointer */
au->parse_state = EVENT_EMPTY;
au->expr = NULL;
au->find_field = NULL;
@@ -215,6 +222,7 @@ auparse_state_t *auparse_init(ausource_t
return au;
bad_exit:
databuf_free(&au->databuf);
+ free(au->le); /* Free the 'current' event of interest event pointer */
free(au);
return NULL;
}
@@ -251,8 +259,8 @@ static void consume_feed(auparse_state_t
// to consume any partial data not fully consumed.
if (au->parse_state == EVENT_ACCUMULATING) {
// Emit the event, set event cursors to initial position
- aup_list_first(&au->le);
- aup_list_first_field(&au->le);
+ aup_list_first(au->le);
+ aup_list_first_field(au->le);
au->parse_state = EVENT_EMITTED;
if (au->callback) {
(*au->callback)(au, AUPARSE_CB_EVENT_READY,
@@ -297,7 +305,9 @@ int auparse_reset(auparse_state_t *au)
return -1;
}
- aup_list_clear(&au->le);
+ /* Free the 'current' event of interest list and it's content */
+ if (au->le)
+ aup_list_clear(au->le);
au->parse_state = EVENT_EMPTY;
switch (au->source)
{
@@ -547,7 +557,10 @@ void auparse_destroy(auparse_state_t *au
au->next_buf = NULL;
free(au->cur_buf);
au->cur_buf = NULL;
- aup_list_clear(&au->le);
+ /* Reset and clear any data in the 'current' event of interest ptr then free it. */
+ aup_list_clear(au->le);
+ free(au->le);
+ au->le = NULL;
au->parse_state = EVENT_EMPTY;
free(au->find_field);
au->find_field = NULL;
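Review bot: aup_list_clear(au->le) in auparse_destroy() is called without the if (au->le) check that the auparse_reset() hunk above adds for the same call. Either au->le can be NULL, in which case this call needs the same guard, or it cannot, in which case the guard in auparse_reset() is unnecessary; make the two consistent.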
@@ -895,11 +908,11 @@ static int ausearch_reposition_cursors(a
switch (au->search_where)
{
case AUSEARCH_STOP_EVENT:
- aup_list_first(&au->le);
- aup_list_first_field(&au->le);
+ aup_list_first(au->le);
+ aup_list_first_field(au->le);
break;
case AUSEARCH_STOP_RECORD:
- aup_list_first_field(&au->le);
+ aup_list_first_field(au->le);
break;
case AUSEARCH_STOP_FIELD:
// do nothing - this is the normal stopping point
@@ -917,7 +930,7 @@ static int ausearch_compare(auparse_stat
{
rnode *r;
- r = aup_list_get_cur(&au->le);
+ r = aup_list_get_cur(au->le);
if (r)
return expr_eval(au, r, au->expr);
@@ -962,7 +975,7 @@ int auparse_next_event(auparse_state_t *
// If the last call resulted in emitting event data then
// clear previous event data in preparation to accumulate
// new event data
- aup_list_clear(&au->le);
+ aup_list_clear(au->le);
au->parse_state = EVENT_EMPTY;
}
@@ -995,17 +1008,17 @@ int auparse_next_event(auparse_state_t *
if (debug)
printf(
"First record in new event, initialize event\n");
- aup_list_set_event(&au->le, &event);
- aup_list_append(&au->le, au->cur_buf,
+ aup_list_set_event(au->le, &event);
+ aup_list_append(au->le, au->cur_buf,
au->list_idx, au->line_number);
au->parse_state = EVENT_ACCUMULATING;
au->cur_buf = NULL;
- } else if (events_are_equal(&au->le.e, &event)) {
+ } else if (events_are_equal(&au->le->e, &event)) {
// Accumulate data into existing event
if (debug)
printf(
"Accumulate data into existing event\n");
- aup_list_append(&au->le, au->cur_buf,
+ aup_list_append(au->le, au->cur_buf,
au->list_idx, au->line_number);
au->parse_state = EVENT_ACCUMULATING;
au->cur_buf = NULL;
@@ -1017,8 +1030,8 @@ int auparse_next_event(auparse_state_t *
push_line(au);
// Emit the event, set event cursors to
// initial position
- aup_list_first(&au->le);
- aup_list_first_field(&au->le);
+ aup_list_first(au->le);
+ aup_list_first_field(au->le);
au->parse_state = EVENT_EMITTED;
free((char *)event.host);
return 1; // data is available
@@ -1027,15 +1040,15 @@ int auparse_next_event(auparse_state_t *
// Check to see if the event can be emitted due to EOE
// or something we know is a single record event. At
// this point, new record should be pointed at 'cur'
- if ((r = aup_list_get_cur(&au->le)) == NULL)
+ if ((r = aup_list_get_cur(au->le)) == NULL)
continue;
if ( r->type == AUDIT_EOE ||
r->type < AUDIT_FIRST_EVENT ||
r->type >= AUDIT_FIRST_ANOM_MSG) {
// Emit the event, set event cursors to
// initial position
- aup_list_first(&au->le);
- aup_list_first_field(&au->le);
+ aup_list_first(au->le);
+ aup_list_first_field(au->le);
au->parse_state = EVENT_EMITTED;
return 1; // data is available
}
@@ -1048,8 +1061,8 @@ int auparse_next_event(auparse_state_t *
/* Accessors to event data */
const au_event_t *auparse_get_timestamp(auparse_state_t *au)
{
- if (au && au->le.e.sec != 0)
- return &au->le.e;
+ if (au && au->le->e.sec != 0)
+ return &au->le->e;
else
return NULL;
}
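Review bot: auparse_get_timestamp() tests au but then dereferences au->le, which is now a pointer, without checking it; the same applies to auparse_get_time(), auparse_get_milli(), auparse_get_serial() and auparse_get_node() in the hunks that follow. Test au && au->le before reading au->le->e so that a state whose event list has been released returns NULL or 0 instead of faulting.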
@@ -1058,7 +1071,7 @@ const au_event_t *auparse_get_timestamp(
time_t auparse_get_time(auparse_state_t *au)
{
if (au)
- return au->le.e.sec;
+ return au->le->e.sec;
else
return 0;
}
@@ -1067,7 +1080,7 @@ time_t auparse_get_time(auparse_state_t
unsigned int auparse_get_milli(auparse_state_t *au)
{
if (au)
- return au->le.e.milli;
+ return au->le->e.milli;
else
return 0;
}
@@ -1076,7 +1089,7 @@ unsigned int auparse_get_milli(auparse_s
unsigned long auparse_get_serial(auparse_state_t *au)
{
if (au)
- return au->le.e.serial;
+ return au->le->e.serial;
else
return 0;
}
@@ -1085,8 +1098,8 @@ unsigned long auparse_get_serial(auparse
// Gets the machine node name
const char *auparse_get_node(auparse_state_t *au)
{
- if (au && au->le.e.host != NULL)
- return strdup(au->le.e.host);
+ if (au && au->le->e.host != NULL)
+ return strdup(au->le->e.host);
else
return NULL;
}
@@ -1130,7 +1143,7 @@ int auparse_timestamp_compare(au_event_t
unsigned int auparse_get_num_records(auparse_state_t *au)
{
- return aup_list_get_cnt(&au->le);
+ return aup_list_get_cnt(au->le);
}
@@ -1139,13 +1152,13 @@ int auparse_first_record(auparse_state_t
{
int rc;
- if (aup_list_get_cnt(&au->le) == 0) {
+ if (aup_list_get_cnt(au->le) == 0) {
rc = auparse_next_event(au);
if (rc <= 0)
return rc;
}
- aup_list_first(&au->le);
- aup_list_first_field(&au->le);
+ aup_list_first(au->le);
+ aup_list_first_field(au->le);
return 1;
}
@@ -1153,12 +1166,12 @@ int auparse_first_record(auparse_state_t
int auparse_next_record(auparse_state_t *au)
{
- if (aup_list_get_cnt(&au->le) == 0) {
+ if (aup_list_get_cnt(au->le) == 0) {
int rc = auparse_first_record(au);
if (rc <= 0)
return rc;
}
- if (aup_list_next(&au->le))
+ if (aup_list_next(au->le))
return 1;
else
return 0;
@@ -1168,10 +1181,10 @@ int auparse_next_record(auparse_state_t
int auparse_goto_record_num(auparse_state_t *au, unsigned int num)
{
/* Check if a request is out of range */
- if (num >= aup_list_get_cnt(&au->le))
+ if (num >= aup_list_get_cnt(au->le))
return 0;
- if (aup_list_goto_rec(&au->le, num) != NULL)
+ if (aup_list_goto_rec(au->le, num) != NULL)
return 1;
else
return 0;
@@ -1181,7 +1194,7 @@ int auparse_goto_record_num(auparse_stat
/* Accessors to record data */
int auparse_get_type(auparse_state_t *au)
{
- rnode *r = aup_list_get_cur(&au->le);
+ rnode *r = aup_list_get_cur(au->le);
if (r)
return r->type;
else
@@ -1191,7 +1204,7 @@ int auparse_get_type(auparse_state_t *au
const char *auparse_get_type_name(auparse_state_t *au)
{
- rnode *r = aup_list_get_cur(&au->le);
+ rnode *r = aup_list_get_cur(au->le);
if (r)
return audit_msg_type_to_name(r->type);
else
@@ -1201,7 +1214,7 @@ const char *auparse_get_type_name(aupars
unsigned int auparse_get_line_number(auparse_state_t *au)
{
- rnode *r = aup_list_get_cur(&au->le);
+ rnode *r = aup_list_get_cur(au->le);
if (r)
return r->line_number;
else
@@ -1220,7 +1233,7 @@ const char *auparse_get_filename(auparse
return NULL;
}
- rnode *r = aup_list_get_cur(&au->le);
+ rnode *r = aup_list_get_cur(au->le);
if (r) {
if (r->list_idx < 0) return NULL;
return au->source_list[r->list_idx];
@@ -1232,13 +1245,13 @@ const char *auparse_get_filename(auparse
int auparse_first_field(auparse_state_t *au)
{
- return aup_list_first_field(&au->le);
+ return aup_list_first_field(au->le);
}
int auparse_next_field(auparse_state_t *au)
{
- rnode *r = aup_list_get_cur(&au->le);
+ rnode *r = aup_list_get_cur(au->le);
if (r) {
if (nvlist_next(&r->nv))
return 1;
@@ -1251,7 +1264,7 @@ int auparse_next_field(auparse_state_t *
unsigned int auparse_get_num_fields(auparse_state_t *au)
{
- rnode *r = aup_list_get_cur(&au->le);
+ rnode *r = aup_list_get_cur(au->le);
if (r)
return nvlist_get_cnt(&r->nv);
else
@@ -1260,7 +1273,7 @@ unsigned int auparse_get_num_fields(aupa
const char *auparse_get_record_text(auparse_state_t *au)
{
- rnode *r = aup_list_get_cur(&au->le);
+ rnode *r = aup_list_get_cur(au->le);
if (r)
return r->record;
else
@@ -1274,12 +1287,12 @@ const char *auparse_find_field(auparse_s
free(au->find_field);
au->find_field = strdup(name);
- if (au->le.e.sec) {
+ if (au->le->e.sec) {
const char *cur_name;
rnode *r;
// look at current record before moving
- r = aup_list_get_cur(&au->le);
+ r = aup_list_get_cur(au->le);
if (r == NULL)
return NULL;
cur_name = nvlist_get_cur_name(&r->nv);
@@ -1298,10 +1311,10 @@ const char *auparse_find_field_next(aupa
errno = EINVAL;
return NULL;
}
- if (au->le.e.sec) {
+ if (au->le->e.sec) {
int moved = 0;
- rnode *r = aup_list_get_cur(&au->le);
+ rnode *r = aup_list_get_cur(au->le);
while (r) { // For each record in the event...
if (!moved) {
nvlist_next(&r->nv);
@@ -1309,9 +1322,9 @@ const char *auparse_find_field_next(aupa
}
if (nvlist_find_name(&r->nv, au->find_field))
return nvlist_get_cur_val(&r->nv);
- r = aup_list_next(&au->le);
+ r = aup_list_next(au->le);
if (r)
- aup_list_first_field(&au->le);
+ aup_list_first_field(au->le);
}
}
return NULL;
@@ -1321,8 +1334,8 @@ const char *auparse_find_field_next(aupa
/* Accessors to field data */
const char *auparse_get_field_name(auparse_state_t *au)
{
- if (au->le.e.sec) {
- rnode *r = aup_list_get_cur(&au->le);
+ if (au->le->e.sec) {
+ rnode *r = aup_list_get_cur(au->le);
if (r)
return nvlist_get_cur_name(&r->nv);
}
@@ -1332,8 +1345,8 @@ const char *auparse_get_field_name(aupar
const char *auparse_get_field_str(auparse_state_t *au)
{
- if (au->le.e.sec) {
- rnode *r = aup_list_get_cur(&au->le);
+ if (au->le->e.sec) {
+ rnode *r = aup_list_get_cur(au->le);
if (r)
return nvlist_get_cur_val(&r->nv);
}
@@ -1342,8 +1355,8 @@ const char *auparse_get_field_str(aupars
int auparse_get_field_type(auparse_state_t *au)
{
- if (au->le.e.sec) {
- rnode *r = aup_list_get_cur(&au->le);
+ if (au->le->e.sec) {
+ rnode *r = aup_list_get_cur(au->le);
if (r)
return nvlist_get_cur_type(r);
}
@@ -1367,8 +1380,8 @@ int auparse_get_field_int(auparse_state_
const char *auparse_interpret_field(auparse_state_t *au)
{
- if (au->le.e.sec) {
- rnode *r = aup_list_get_cur(&au->le);
+ if (au->le->e.sec) {
+ rnode *r = aup_list_get_cur(au->le);
if (r)
return nvlist_interp_cur_val(r);
}
diff -urp audit-2.4.5.orig/auparse/expression.c audit-2.4.5/auparse/expression.c
--- audit-2.4.5.orig/auparse/expression.c 2015-12-19 06:20:59.000000000 +1100
+++ audit-2.4.5/auparse/expression.c 2016-01-03 13:46:09.839274892 +1100
@@ -974,13 +974,13 @@ compare_values(auparse_state_t *au, rnod
}
switch (expr->v.p.field.id) {
case EF_TIMESTAMP:
- if (au->le.e.sec < expr->v.p.value.timestamp.sec)
+ if (au->le->e.sec < expr->v.p.value.timestamp.sec)
res = -1;
- else if (au->le.e.sec > expr->v.p.value.timestamp.sec)
+ else if (au->le->e.sec > expr->v.p.value.timestamp.sec)
res = 1;
- else if (au->le.e.milli < expr->v.p.value.timestamp.milli)
+ else if (au->le->e.milli < expr->v.p.value.timestamp.milli)
res = -1;
- else if (au->le.e.milli > expr->v.p.value.timestamp.milli)
+ else if (au->le->e.milli > expr->v.p.value.timestamp.milli)
res = 1;
else
res = 0;
@@ -996,17 +996,17 @@ compare_values(auparse_state_t *au, rnod
break;
case EF_TIMESTAMP_EX:
- if (au->le.e.sec < expr->v.p.value.timestamp.sec)
+ if (au->le->e.sec < expr->v.p.value.timestamp.sec)
res = -1;
- else if (au->le.e.sec > expr->v.p.value.timestamp.sec)
+ else if (au->le->e.sec > expr->v.p.value.timestamp.sec)
res = 1;
- else if (au->le.e.milli < expr->v.p.value.timestamp.milli)
+ else if (au->le->e.milli < expr->v.p.value.timestamp.milli)
res = -1;
- else if (au->le.e.milli > expr->v.p.value.timestamp.milli)
+ else if (au->le->e.milli > expr->v.p.value.timestamp.milli)
res = 1;
- else if (au->le.e.serial < expr->v.p.value.timestamp_ex.serial)
+ else if (au->le->e.serial < expr->v.p.value.timestamp_ex.serial)
res = -1;
- else if (au->le.e.serial > expr->v.p.value.timestamp_ex.serial)
+ else if (au->le->e.serial > expr->v.p.value.timestamp_ex.serial)
res = 1;
else
res = 0;
diff -urp audit-2.4.5.orig/auparse/internal.h audit-2.4.5/auparse/internal.h
--- audit-2.4.5.orig/auparse/internal.h 2015-12-19 06:20:59.000000000 +1100
+++ audit-2.4.5/auparse/internal.h 2016-01-03 13:44:33.399504620 +1100
@@ -56,7 +56,7 @@ struct opaque
char *cur_buf; // The current buffer being parsed
int line_pushed; // True if retrieve_next_line()
// returns same input
- event_list_t le; // Linked list of record in same event
+ event_list_t * le; // Linked list of record in same event
struct expr *expr; // Search expression or NULL
char *find_field; // Used to store field name when
// searching
[-- Attachment #3: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply
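The interleaving problem this cover letter describes, worked through as an added example (not code from the patches or from the audit project): regroup() keys each record on the sec.milli:serial id in msg=audit(...) and keeps a table of partially built events, completing one on an EOE record, after the 2 second window the patch uses, or at end of input. Called with a single slot it behaves like a parser that tracks one current event; the function names, the fixed table size and the sample records are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SLOTS 16 /* fixed table for the example; the patch grows its array */
#define GRACE_SECS 2 /* same 2 second window as au_check_events() */

enum state { EMPTY, BUILDING, COMPLETE };
struct event_id { long sec; unsigned milli; unsigned long serial; };
struct slot { enum state st; struct event_id id; int nrec; };

/* Constructed sample: events 101 and 102 with their records interleaved. */
static const char *sample[] = {
    "type=SYSCALL msg=audit(1452076157.100:101): syscall=2 success=yes",
    "type=SYSCALL msg=audit(1452076157.100:102): syscall=59 success=yes",
    "type=PATH msg=audit(1452076157.100:101): item=0 name=\"/etc/passwd\"",
    "type=PATH msg=audit(1452076157.100:102): item=0 name=\"/bin/ls\"",
    "type=EOE msg=audit(1452076157.100:101): ",
    "type=EOE msg=audit(1452076157.100:102): ",
};
#define NSAMPLE (sizeof(sample) / sizeof(sample[0]))

/* Pull SEC.MILLI:SERIAL out of "msg=audit(...)"; returns 0 on success. */
static int parse_id(const char *line, struct event_id *id)
{
    const char *p = strstr(line, "msg=audit(");
    return (p && sscanf(p, "msg=audit(%ld.%u:%lu)", &id->sec, &id->milli,
                        &id->serial) == 3) ? 0 : -1;
}

static int same_id(const struct event_id *a, const struct event_id *b)
{
    return a->sec == b->sec && a->milli == b->milli && a->serial == b->serial;
}

/* Move COMPLETE events into counts[]; returns the new number of events. */
static int drain(struct slot *tab, int nslots, int *counts, int nev, int max)
{
    for (int i = 0; i < nslots; i++)
        if (tab[i].st == COMPLETE) {
            if (nev < max)
                counts[nev++] = tab[i].nrec;
            tab[i].st = EMPTY;
        }
    return nev;
}

/* Group records by event id using nslots table entries (hypothetical helper).
 * Stores each emitted event's record count in counts[]; returns the number
 * of events emitted, or -1 for a bad nslots. */
static int regroup(const char **lines, size_t n, int nslots, int *counts,
                   int max)
{
    struct slot tab[MAX_SLOTS];
    struct event_id id;
    int nev = 0, i, hit, spare;

    if (nslots < 1 || nslots > MAX_SLOTS)
        return -1;
    memset(tab, 0, sizeof(tab)); /* EMPTY == 0 */
    for (size_t k = 0; k < n; k++) {
        if (parse_id(lines[k], &id) != 0)
            continue; /* malformed line: skip it */
        hit = spare = -1;
        for (i = 0; i < nslots; i++) {
            if (tab[i].st == BUILDING && same_id(&tab[i].id, &id))
                hit = i;
            else if (tab[i].st == EMPTY && spare < 0)
                spare = i;
        }
        if (hit < 0 && spare < 0) { /* table full: emit slot 0 early */
            tab[0].st = COMPLETE;
            nev = drain(tab, nslots, counts, nev, max);
            spare = 0;
        }
        if (hit < 0) { /* first record of an event not seen yet */
            hit = spare;
            tab[hit].st = BUILDING;
            tab[hit].id = id;
            tab[hit].nrec = 0;
        }
        tab[hit].nrec++;
        if (strncmp(lines[k], "type=EOE ", 9) == 0)
            tab[hit].st = COMPLETE; /* explicit end-of-event record */
        for (i = 0; i < nslots; i++) /* age out stale partial events */
            if (tab[i].st == BUILDING && tab[i].id.sec + GRACE_SECS < id.sec)
                tab[i].st = COMPLETE;
        nev = drain(tab, nslots, counts, nev, max);
    }
    for (i = 0; i < nslots; i++) /* end of input: emit what is left */
        if (tab[i].st == BUILDING)
            tab[i].st = COMPLETE;
    return drain(tab, nslots, counts, nev, max);
}

int main(void)
{
    int a[16], b[16];
    int one = regroup(sample, NSAMPLE, 1, a, 16);
    int many = regroup(sample, NSAMPLE, MAX_SLOTS, b, 16);

    printf("1 slot: %d fragments of %d record(s); %d slots: %d events of %d\n",
           one, a[0], MAX_SLOTS, many, b[0]);
    return 0;
}
```

With one slot every change of event id closes the event being built, so the two three-record events come out as six one-record fragments; with a table they come out whole.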
* RE: Use case not covered by the audit library?
From: Gulland, Scott A @ 2016-01-05 21:59 UTC (permalink / raw)
To: Steve Grubb, linux-audit@redhat.com, Gulland, Scott A
In-Reply-To: <1484204.GzGFVCTWQh@x2>
> -----Original Message-----
> From: Steve Grubb [mailto:sgrubb@redhat.com]
> Sent: Thursday, December 17, 2015 6:51 PM
> > > My problem is I don't know what the proper set of "keys" are and the
> > > values they should contain. If my assumptions are correct, is there
> > > any documentation on the key-value pairs and how to format the
> > > contents of the message parameter? Based on what I've seen in the
> > > audit log file, I would add "acct=<user>" to the contents of the
> > > message to reflect the particular authenticated user who issued the REST
> > > API call.
> > Well, Steve has published these as a starting point. I'm sure he'll
> > chime in when he sees your message.
> >
> > http://people.redhat.com/sgrubb/audit/audit-events.txt
> > http://people.redhat.com/sgrubb/audit/audit-parse.txt
>
> Thanks for pointing these out, Richard.
>
> The basic guidance for AUDIT_USYS_CONFIG is to record old and new values.
> Typically old values are prefixed with 'old-' and new values are the name of
> the field with no prefix.
>
> Any field that the user could influence the value has to be handled in such a
> way as to not allow them to trick the parser if they are malicious. For the
> most part, we hex encode those fields and then write some code to label the
> fields as encoded so that interpretation can be done later.
>
> Since your field names may not be official names in the audit system, you
> may have to filter illegal characters the user sent during event construction
> and fill in spaces with an underscore or dash.
Thanks for the feedback and information. It has been very helpful. I've done
some testing using a "val" and "old-val" field names with data values encoded
by audit_encode_nv_string(...). However, when I try to display the event with
"ausearch --interpret ..." neither field's data is decoded back into ASCII text. So
I plan on using the "op", "data" and "euid" fields. Only the data field needs to
be encoded and ausearch does decode this field correctly. My message text
would look like:
"op=<op text> data=<encoded data> euid=<uid>"
When I was using ausearch I expected to be able to find events by uid using
either the "-ua" or "-ue" option that would match the euid field's value, but no
matching events were found. Is this expected behavior? The "-I" option did
correctly convert the euid into the user name.
Scott G.
^ permalink raw reply
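The hex-encoding advice quoted above and the "op=... data=... euid=..." layout from this message, as an added example (not libaudit's code and not part of the original thread): encode_nv() is a stand-in that follows the quote-or-hex convention, writing name="value" when the value is clean and name=<hex> when it holds a quote, whitespace, control or non-ASCII byte. The function names, the byte rule as written here and the sample value are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

/* Bytes that could let a value break out of its field (assumed rule for
 * this example): double quote, space and control bytes, non-ASCII bytes. */
static int needs_encoding(const char *v)
{
    for (; *v; v++) {
        unsigned char c = (unsigned char)*v;
        if (c == '"' || c < 0x21 || c > 0x7e)
            return 1;
    }
    return 0;
}

/* Write name="value" when clean, name=<UPPERCASE HEX> otherwise.
 * Returns bytes written (without the NUL) or -1 if out is too small. */
static int encode_nv(char *out, size_t outsz, const char *name,
                     const char *value)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t nlen = strlen(name), vlen = strlen(value), i;
    char *p;

    if (!needs_encoding(value)) {
        int n = snprintf(out, outsz, "%s=\"%s\"", name, value);
        return (n < 0 || (size_t)n >= outsz) ? -1 : n;
    }
    if (nlen + 1 + 2 * vlen + 1 > outsz)
        return -1;
    memcpy(out, name, nlen);
    p = out + nlen;
    *p++ = '=';
    for (i = 0; i < vlen; i++) {
        unsigned char c = (unsigned char)value[i];
        *p++ = hex[c >> 4];
        *p++ = hex[c & 0x0f];
    }
    *p = '\0';
    return (int)(p - out);
}

/* Build "op=<op> data=<encoded> euid=<uid>"; op is a fixed, trusted token. */
static int build_msg(char *out, size_t outsz, const char *op,
                     const char *data, unsigned euid)
{
    char field[512];
    int n;

    if (encode_nv(field, sizeof(field), "data", data) < 0)
        return -1;
    n = snprintf(out, outsz, "op=%s %s euid=%u", op, field, euid);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* For contrast only: the user-influenced value is pasted in verbatim. */
static int build_msg_raw(char *out, size_t outsz, const char *op,
                         const char *data, unsigned euid)
{
    int n = snprintf(out, outsz, "op=%s data=%s euid=%u", op, data, euid);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Count the space-separated tokens in msg that begin with "key=". */
static int count_key(const char *msg, const char *key)
{
    size_t klen = strlen(key);
    int hits = 0;

    while (*msg) {
        while (*msg == ' ')
            msg++;
        if (strncmp(msg, key, klen) == 0 && msg[klen] == '=')
            hits++;
        while (*msg && *msg != ' ')
            msg++;
    }
    return hits;
}

int main(void)
{
    /* Constructed input: a value that carries a field of its own. */
    const char *value = "30 euid=0";
    char raw[256], enc[256];

    build_msg_raw(raw, sizeof(raw), "set-config", value, 1000);
    build_msg(enc, sizeof(enc), "set-config", value, 1000);
    printf("raw:     %s (euid fields: %d)\n", raw, count_key(raw, "euid"));
    printf("encoded: %s (euid fields: %d)\n", enc, count_key(enc, "euid"));
    return 0;
}
```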
* Re: How to monitor audit/audispd killed
From: Steve Grubb @ 2016-01-05 17:48 UTC (permalink / raw)
To: Matthew Chao; +Cc: linux-audit@redhat.com
In-Reply-To: <CAH8ERfY43a13VT2yXMj4xqEUqAnJwFH0+bpw7rFrU3SXsSnSKQ@mail.gmail.com>
On Wednesday, January 06, 2016 12:12:54 AM Matthew Chao wrote:
> In short, my question is: my program depends on audispd to dispatch audit
> messages, for security's sake, when audispd is killed, how can I know it
> happened in time in order to restart audispd?
I think that you have to approach the problem from a different angle. As a
child of audispd, you will probably get a SIGPIPE which if unhandled will
cause termination. That said, your application can't really start audispd
because auditd needs to in order to set up the pipes. Then audispd needs to
start your plugin.
But that raises the question: are you seeing any problems that cause
audispd to be killed? The reason I ask is that no one is reporting problems
where either auditd or audispd are terminating due to a fault.
But if you were just wanting to be careful, then you really ought to write a
small program whose whole job is to start auditd and catch SIGCHLD. When
you catch SIGCHLD, restart the audit daemon. If your watcher gets any signals
such as SIGHUP/USR1/USR2/TERM, then pass them along to auditd.
If you are on a system with systemd as the init system, it already has a
Restart= option to restart a critical service if it shuts down. That said, an
admin can always shut down the audit service if they want to.
Are you having problems with audispd or just trying to be careful with a
design?
Hope this helps...
-Steve
> On Tuesday, January 5, 2016, Steve Grubb <sgrubb@redhat.com> wrote:
> > On Tuesday, January 05, 2016 06:08:54 PM Matthew Chao wrote:
> > > >"You can watch audispd, but I don't think that will help anything.
> > >
> > > my program totally depends on audispd to dispatch audit messages. I think
> > > audispd needs more robust mechanisms to monitor itself killed, otherwise
> > > which inevitably leads to that audispd's plugins receive nothing but always
> > > wait wait wait for event messages.
> > >
> > > So are there some alternative ways to monitor audispd killed in audit
> > > ver1.8 ?
> >
> > To help you, I need to know more about what the actual problem is that you are
> > trying to solve. Would you like to explain the problem so we can help figure
> > out how to address it?
> >
> > Thanks,
> > -Steve
^ permalink raw reply
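A sketch of the watcher described in the message above, added here as an example and not code from the audit project: it starts the daemon in the foreground, restarts it when it exits, and forwards SIGHUP/USR1/USR2/TERM to it. It learns of the exit from a blocking waitpid() rather than a SIGCHLD handler; the `/sbin/auditd -n` command line, the `supervise()` name and the restart limit and delay parameters are assumptions of the example.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

static volatile sig_atomic_t child_pid;      /* 0 while no child is running */
static volatile sig_atomic_t stop_requested; /* set once SIGTERM is seen */

/* Pass the signal on to the supervised daemon; SIGTERM also stops the loop. */
static void forward_signal(int sig)
{
    if (sig == SIGTERM)
        stop_requested = 1;
    if (child_pid > 0)
        kill((pid_t)child_pid, sig);
}

/*
 * Run argv in the foreground and start it again each time it exits.
 * max_restarts < 0 means restart forever. Returns how many times the
 * command was started, or -1 if fork() failed.
 */
int supervise(char *const argv[], int max_restarts, unsigned int delay_sec)
{
    static const int fwd[] = { SIGHUP, SIGUSR1, SIGUSR2, SIGTERM };
    struct sigaction sa;
    sigset_t block, saved;
    int starts = 0;

    stop_requested = 0;
    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = forward_signal;
    sigemptyset(&sa.sa_mask);
    sigemptyset(&block);
    for (size_t i = 0; i < sizeof(fwd) / sizeof(fwd[0]); i++) {
        sigaction(fwd[i], &sa, NULL);
        sigaddset(&block, fwd[i]);
    }

    while (!stop_requested) {
        /* Hold the forwarded signals until child_pid is recorded, so one
         * that arrives around fork() is not lost. */
        sigprocmask(SIG_BLOCK, &block, &saved);
        pid_t pid = fork();
        if (pid < 0) {
            sigprocmask(SIG_SETMASK, &saved, NULL);
            return -1;
        }
        if (pid == 0) {
            /* The signal mask survives exec; restore it for the daemon. */
            sigprocmask(SIG_SETMASK, &saved, NULL);
            execvp(argv[0], argv);
            _exit(127);
        }
        child_pid = pid;
        starts++;
        sigprocmask(SIG_SETMASK, &saved, NULL);

        int status = 0;
        while (waitpid(pid, &status, 0) < 0 && errno == EINTR)
            ; /* interrupted by a forwarded signal: keep waiting */
        child_pid = 0;

        if (stop_requested || (max_restarts >= 0 && starts > max_restarts))
            break;
        fprintf(stderr, "%s exited (status 0x%x), restarting\n",
                argv[0], (unsigned int)status);
        sleep(delay_sec);
    }
    return starts;
}

int main(void)
{
    /* Assumption: this auditd supports -n (do not fork into the background). */
    char *auditd[] = { "/sbin/auditd", "-n", NULL };

    return supervise(auditd, -1, 1) < 0;
}
```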
* Re: How to monitor audit/audispd killed
From: Matthew Chao @ 2016-01-05 16:12 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit@redhat.com
In-Reply-To: <5861142.vTemG0RS1M@x2>
[-- Attachment #1.1: Type: text/plain, Size: 990 bytes --]
In short, my question is: my program depends on audispd to dispatch audit
messages, for security's sake, when audispd is killed, how can I know it
happened in time in order to restart audispd?
Thanks.
On Tuesday, January 5, 2016, Steve Grubb <sgrubb@redhat.com> wrote:
> On Tuesday, January 05, 2016 06:08:54 PM Matthew Chao wrote:
> > >"You can watch audispd, but I don't think that will help anything.
> >
> > my program totally depends on audispd to dispatch audit messages. I think
> > audispd needs more robust mechanisms to monitor itself killed, otherwise
> > which inevitably leads to that audispd's plugins receive nothing but always
> > wait wait wait for event messages.
> >
> > So are there some alternative ways to monitor audispd killed in audit
> > ver1.8 ?
>
> To help you, I need to know more about what the actual problem is that you are
> trying to solve. Would you like to explain the problem so we can help figure
> out how to address it?
>
> Thanks,
> -Steve
>
[-- Attachment #1.2: Type: text/html, Size: 1277 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply
* Re: How to monitor audit/audispd killed
From: Steve Grubb @ 2016-01-05 14:10 UTC (permalink / raw)
To: Matthew Chao; +Cc: linux-audit@redhat.com
In-Reply-To: <CAH8ERfZF6EaKZrFUwDHSoRF7bqzu4ZRxf99w+pB4ab82ORcLcw@mail.gmail.com>
On Tuesday, January 05, 2016 06:08:54 PM Matthew Chao wrote:
> >"You can watch audispd, but I don't think that will help anything.
>
> my program totally depends on audispd to dispatch audit messages. I think
> audispd needs more robust mechanisms to monitor itself killed, otherwise
> which inevitably leads to that audispd's plugins receive nothing but always
> wait wait wait for event messages.
>
> So are there some alternative ways to monitor audispd killed in audit
> ver1.8 ?
To help you, I need to know more about what the actual problem is that you are
trying to solve. Would you like to explain the problem so we can help figure
out how to address it?
Thanks,
-Steve
^ permalink raw reply
* Re: Aureport on Centos 7 : Strange behavior
From: Steve Grubb @ 2016-01-05 14:08 UTC (permalink / raw)
To: linux-audit; +Cc: Maupertuis Philippe
In-Reply-To: <3D2AB1326AB2974190FCE3F69401F790DB1E93102B@FRVDX103.fr01.awl.atosorigin.net>
On Tuesday, January 05, 2016 10:34:17 AM Maupertuis Philippe wrote:
> I came across a strange aureport behavior that would amount to a bug unless
<snip>
> But if I request a ten minutes interval or a five minutes interval not
> starting at zero or five aureport hangs !
>
> [root@odbfi021s ~]# aureport -k --summary -ts yesterday 09:35 -te yesterday
> 09:45
>
> Key Summary Report
> ===========================
> total key
> ===========================
> ^C
This is a known problem. It was fixed in 2.4.4.
-Steve
^ permalink raw reply
* Re: How to monitor audit/audispd killed
From: Matthew Chao @ 2016-01-05 10:08 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit@redhat.com
In-Reply-To: <2955652.6SqtRXJnWL@x2>
[-- Attachment #1.1: Type: text/plain, Size: 405 bytes --]
>"You can watch audispd, but I don't think that will help anything.
my program totally depends on audispd to dispatch audit messages. I think
audispd needs more robust mechanisms to monitor itself killed, otherwise
which inevitably leads to that audispd's plugins receive nothing but always
wait wait wait for event messages.
So are there some alternative ways to monitor audispd killed in audit
ver1.8 ?
[-- Attachment #1.2: Type: text/html, Size: 493 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply
* Aureport on Centos 7 : Strange behavior
From: Maupertuis Philippe @ 2016-01-05 9:34 UTC (permalink / raw)
To: linux-audit@redhat.com
[-- Attachment #1.1: Type: text/plain, Size: 3812 bytes --]
Hi,
I came across a strange aureport behavior that would amount to a bug unless I am doing something wrong.
I am on Centos 7.2 with :
[root@odbfi021s ~]# rpm -qa|grep audit
audit-libs-2.4.1-5.el7.x86_64
audit-2.4.1-5.el7.x86_64
If I run aureport -k --summary -ts yesterday 09:00 -te yesterday 10:00 I get the answer immediately.
[root@odbfi021s ~]# aureport -k --summary -ts yesterday 09:00 -te yesterday 10:00
Key Summary Report
===========================
total key
===========================
409 log_IAM
27 IAM64
26 audit_log
23 open64
16 etc
1 deletion
Same thing with any round five minutes interval
[root@odbfi021s ~]# aureport -k --summary -ts yesterday 09:35 -te yesterday 09:40
Key Summary Report
===========================
total key
===========================
1 IAM64
1 log_IAM
[root@odbfi021s ~]# aureport -k --summary -ts yesterday 09:40 -te yesterday 09:45
Key Summary Report
===========================
total key
===========================
393 log_IAM
16 etc
11 audit_log
3 IAM64
2 open64
1 deletion
But if I request a ten minutes interval or a five minutes interval not starting at zero or five aureport hangs !
[root@odbfi021s ~]# aureport -k --summary -ts yesterday 09:35 -te yesterday 09:45
Key Summary Report
===========================
total key
===========================
^C
Ausearch is ok with the same parameters :
[root@odbfi021s ~]# ausearch -ts yesterday 09:35 -te yesterday 09:45 |head
----
time->Mon Jan 4 09:39:08 2016
type=PATH msg=audit(1451896748.069:31806): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=133906 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=PATH msg=audit(1451896748.069:31806): item=0 name="/sbin/aide" inode=131924 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=CWD msg=audit(1451896748.069:31806): cwd="/root"
type=EXECVE msg=audit(1451896748.069:31806): argc=2 a0="aide" a1="-C"
type=SYSCALL msg=audit(1451896748.069:31806): arch=c000003e syscall=59 success=yes exit=0 a0=11f7d10 a1=11f7bf0 a2=111e8b0 a3=7ffce7b64200 items=2 ppid=21754 pid=21830 auid=3318358 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1230 comm="aide" exe="/usr/sbin/aide" key="IAM64"
----
time->Mon Jan 4 09:39:08 2016
type=PATH msg=audit(1451896748.105:31807): item=1 name="/var/log/aide/aide.log" inode=67 dev=fd:05 mode=0100600 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
[root@odbfi021s ~]#
Please let me know what I should do.
Regards
Philippe
________________________________
This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet, the Worldline liability cannot be triggered for the message content. Although the sender endeavours to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted.
[-- Attachment #1.2: Type: text/html, Size: 12237 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply
* Re: How to monitor audit/audispd killed
From: Matthew Chao @ 2016-01-04 19:51 UTC (permalink / raw)
To: Richard Guy Briggs; +Cc: linux-audit@redhat.com
In-Reply-To: <2955652.6SqtRXJnWL@x2>
[-- Attachment #1.1: Type: text/plain, Size: 1357 bytes --]
my syslogd was disabled.
Also, after auditd restarting, those messages don't appear anymore.
I want to know if auditd ( and its child process: audispd) can monitor
themselves killed or not.
On Monday, January 4, 2016, Richard Guy Briggs <rgb@redhat.com> wrote:
> On 16/01/04, Matthew Chao wrote:
> > Hi,
> >
> > I added the following rules in audit.rules for monitoring auditd/audispd be
> > killed(audit ver: 1.8),
> > =============
> > -a exit,always -F perm=wa -F path=/var/run/auditd.pid -k cfg
> >
> > -a exit,always -F perm=wa -F path=/var/run/audispd_events -k cfg
> >
> > Or
> > -a exit,always -S kill -F path=/var/run/auditd.pid -k cfg
> >
> > -a exit,always -S kill -F path=/var/run/audispd_events -k cfg
> > =============
> >
> > However, these rules don't work: even the processes (auditd/audispd) are
> > killed, I can't get any related messages except DAEMON_END.
>
> Is that because auditd is no longer there to receive that message? Did
> it show up in syslog or were you able to re-start auditd before the hold
> queue overflowed to be able to pick up those messages?
>
>
> - RGB
>
> --
> Richard Guy Briggs <rbriggs@redhat.com>
> Senior Software Engineer, Kernel Security, AMER ENG Base Operating
> Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
>
[-- Attachment #1.2: Type: text/html, Size: 1810 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply
* Re: How to monitor audit/audispd killed
From: Matthew Chao @ 2016-01-04 19:49 UTC (permalink / raw)
To: Richard Guy Briggs; +Cc: linux-audit@redhat.com
In-Reply-To: <20160104141241.GA21234@madcap2.tricolour.ca>
[-- Attachment #1.1: Type: text/plain, Size: 1357 bytes --]
my syslogd was disabled.
Also, after auditd restarting, those messages don't appear anymore.
I want to know if auditd ( and its child process: audispd) can monitor
themselves killed or not.
On Monday, January 4, 2016, Richard Guy Briggs <rgb@redhat.com> wrote:
> On 16/01/04, Matthew Chao wrote:
> > Hi,
> >
> > I added the following rules in audit.rules for monitoring auditd/audispd be
> > killed(audit ver: 1.8),
> > =============
> > -a exit,always -F perm=wa -F path=/var/run/auditd.pid -k cfg
> >
> > -a exit,always -F perm=wa -F path=/var/run/audispd_events -k cfg
> >
> > Or
> > -a exit,always -S kill -F path=/var/run/auditd.pid -k cfg
> >
> > -a exit,always -S kill -F path=/var/run/audispd_events -k cfg
> > =============
> >
> > However, these rules don't work: even the processes (auditd/audispd) are
> > killed, I can't get any related messages except DAEMON_END.
>
> Is that because auditd is no longer there to receive that message? Did
> it show up in syslog or were you able to re-start auditd before the hold
> queue overflowed to be able to pick up those messages?
>
>
> - RGB
>
> --
> Richard Guy Briggs <rbriggs@redhat.com>
> Senior Software Engineer, Kernel Security, AMER ENG Base Operating
> Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
>
[-- Attachment #1.2: Type: text/html, Size: 1810 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply
* Re: How to monitor audit/audispd killed
From: Steve Grubb @ 2016-01-04 19:43 UTC (permalink / raw)
To: Matthew Chao; +Cc: linux-audit
In-Reply-To: <CAH8ERfawFuZQiiy7hSfjoBd97VOSsmnLDpCgcHw=k3JmX9Mf8g@mail.gmail.com>
On Tuesday, January 05, 2016 03:29:31 AM Matthew Chao wrote:
> >You have a race condition where auditd gets a signal to shutdown and an
> >event indicating that shutdown is occurring. On shutdown, the audit daemon
> >does not alter the rules or whether auditing is enabled. (This was to get
> >shutdown AVCs for selinux.) There is a chance that your event is in syslog's
> >files.
>
> For clarity, I am still not sure whether audit rules can be written to
> monitor auditd/audispd killed or not (syslog was disabled under my
> circumstances ).
You cannot audit the audit daemon's pid. Otherwise servicing an event could
create several more events which cause even more and you get an exponential
increase in logging until it dies.
You can watch audispd, but I don't think that will help anything.
> If yes, could you give me some tips? Thanks.
The audit daemon is required to log some information about why it shutdown. If
you have a daemon_end event, this is the required information. Is there
something not in the event that you need?
-Steve
^ permalink raw reply
* How to monitor audit/audispd killed
From: Matthew Chao @ 2016-01-04 19:29 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <4152899.8YOsTRPv25@x2>
[-- Attachment #1.1: Type: text/plain, Size: 510 bytes --]
>You have a race condition where auditd gets a signal to shutdown and an event
>indicating that shutdown is occurring. On shutdown, the audit daemon does not
>alter the rules or whether auditing is enabled. (This was to get shutdown AVCs
>for selinux.) There is a chance that your event is in syslog's files.
For clarity, I am still not sure whether audit rules can be written to
monitor auditd/audispd killed or not (syslog was disabled under my
circumstances ).
If yes, could you give me some tips? Thanks.
[-- Attachment #1.2: Type: text/html, Size: 609 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply
* Re: Using a watch to find who is using a file
From: Steve Grubb @ 2016-01-04 17:53 UTC (permalink / raw)
To: linux-audit; +Cc: Maupertuis Philippe
In-Reply-To: <3D2AB1326AB2974190FCE3F69401F790DB1E930F47@FRVDX103.fr01.awl.atosorigin.net>
On Monday, January 04, 2016 04:49:13 PM Maupertuis Philippe wrote:
> Hi list
> Our dbas complained that vim swap files were renamed instead of being deleted
> With an audit watch we were able to tell them to stop their silly cron
> rename job :) However, the audit log is missing an important piece of
> information : the job name.
Yes. I opened a bz on this about a month ago.
https://bugzilla.redhat.com/show_bug.cgi?id=1288653
> It seems that we didn't capture the exe name associated with the parent pid.
We never do.
> If I am not misunderstanding the results
> below, pid = 28351 is for the exe /bin/mv
Yes.
> I would have liked to know the exe of the parent pid
That would be useful in many cases, but the parent process could have exited
by the time the child process triggers the event. So, it's not really possible.
That said, people really do want something. For example, maybe someone knows
an exploit and can get a command injection through apache which then gives
them a shell and they start doing things to escalate privileges. In this case,
you not only want the ppid, you want the whole chain of processes to see how
someone got into the system. A bz was opened to do this:
https://bugzilla.redhat.com/show_bug.cgi?id=1094156
There didn't seem to be anyone who thought this was a good idea.
> Is there a way to ensure that the audit log includes the executable name
> associated with every pid ? Or the exe associated with pid starting a new
> session ?
You could log all clone & execve syscalls. :-)
> What we did was :
>
> To find out how vim swap files were renamed without the leading dot the
> following rule was inserted :
> auditctl -w /etc/mysql -p war -k test_swp
> which gave us the following result :
> ----
> type=PATH msg=audit(12/22/2015 11:45:01.766:1660580) : item=3 name=param-MYLHCE01V.swp inode=49283 dev=fd:00 mode=file,640 ouid=root ogid=root rdev=00:00 nametype=CREATE
> type=PATH msg=audit(12/22/2015 11:45:01.766:1660580) : item=2 name=.param-MYLHCE01V.swp inode=49283 dev=fd:00 mode=file,640 ouid=root ogid=root rdev=00:00 nametype=DELETE
> type=PATH msg=audit(12/22/2015 11:45:01.766:1660580) : item=1 name=/etc/mysql inode=49308 dev=fd:00 mode=dir,755 ouid=mysql ogid=mysql rdev=00:00 nametype=PARENT
> type=PATH msg=audit(12/22/2015 11:45:01.766:1660580) : item=0 name=/etc/mysql inode=49308 dev=fd:00 mode=dir,755 ouid=mysql ogid=mysql rdev=00:00 nametype=PARENT
> type=CWD msg=audit(12/22/2015 11:45:01.766:1660580) : cwd=/etc/mysql
> type=SYSCALL msg=audit(12/22/2015 11:45:01.766:1660580) : arch=x86_64 syscall=rename success=yes exit=0 a0=0x7ffe46229db3 a1=0x7ffe46229dc8 a2=0x0 a3=0x7ffe46227c80 items=4 ppid=28254 pid=28351 auid=mysql uid=mysql gid=mysql euid=mysql suid=mysql fsuid=mysql egid=mysql sgid=mysql fsgid=mysql tty=(none) ses=276356 comm=mv exe=/bin/mv key=swp_move
>
> Searching for the whole session gave us :
In this particular case, the cron patch might help. But overall, cases like
this really want the chain of processes to know the complete origin of
processes involved.
-Steve
^ permalink raw reply
* Using a watch to find who is using a file
From: Maupertuis Philippe @ 2016-01-04 15:49 UTC (permalink / raw)
To: linux-audit@redhat.com
[-- Attachment #1.1: Type: text/plain, Size: 6020 bytes --]
Hi list
Our dbas complained that vim swap files were renamed instead of being deleted
With an audit watch we were able to tell them to stop their silly cron rename job :)
However, the audit log is missing an important piece of information : the job name.
It seems that we didn't capture the exe name associated with the parent pid .
If I am not misunderstanding the results below, pid = 28351 is for the exe /bin/mv
I would have liked to know the exe of the parent pid
Is there a way to ensure that the audit log includes the executable name associated with every pid ?
Or the exe associated with pid starting a new session ?
What we did was :
To find out how vim swap files were renamed without the leading dot the following rule was inserted :
auditctl -w /etc/mysql -p war -k test_swp
which gave us the following result :
----
type=PATH msg=audit(12/22/2015 11:45:01.766:1660580) : item=3 name=param-MYLHCE01V.swp inode=49283 dev=fd:00 mode=file,640 ouid=root ogid=root rdev=00:00 nametype=CREATE
type=PATH msg=audit(12/22/2015 11:45:01.766:1660580) : item=2 name=.param-MYLHCE01V.swp inode=49283 dev=fd:00 mode=file,640 ouid=root ogid=root rdev=00:00 nametype=DELETE
type=PATH msg=audit(12/22/2015 11:45:01.766:1660580) : item=1 name=/etc/mysql inode=49308 dev=fd:00 mode=dir,755 ouid=mysql ogid=mysql rdev=00:00 nametype=PARENT
type=PATH msg=audit(12/22/2015 11:45:01.766:1660580) : item=0 name=/etc/mysql inode=49308 dev=fd:00 mode=dir,755 ouid=mysql ogid=mysql rdev=00:00 nametype=PARENT
type=CWD msg=audit(12/22/2015 11:45:01.766:1660580) : cwd=/etc/mysql
type=SYSCALL msg=audit(12/22/2015 11:45:01.766:1660580) : arch=x86_64 syscall=rename success=yes exit=0 a0=0x7ffe46229db3 a1=0x7ffe46229dc8 a2=0x0 a3=0x7ffe46227c80 items=4 ppid=28254 pid=28351 auid=mysql uid=mysql gid=mysql euid=mysql suid=mysql fsuid=mysql egid=mysql sgid=mysql fsgid=mysql tty=(none) ses=276356 comm=mv exe=/bin/mv key=swp_move
Searching for the whole session gave us :
----
type=LOGIN msg=audit(12/22/2015 11:45:01.458:1660551) : pid=28174 uid=root old auid=unset new auid=mysql old ses=unset new ses=276356
----
type=USER_START msg=audit(12/22/2015 11:45:01.468:1660570) : user pid=28174 uid=root auid=mysql ses=276356 msg='op=PAM:session_open acct=mysql exe=/usr/sbin/crond hostname=? addr=? terminal=cron res=success'
----
type=CRED_DISP msg=audit(12/22/2015 11:45:01.932:1660589) : user pid=28174 uid=mysql auid=mysql ses=276356 msg='op=PAM:setcred acct=mysql exe=/usr/sbin/crond hostname=? addr=? terminal=cron res=success'
----
type=USER_END msg=audit(12/22/2015 11:45:01.932:1660590) : user pid=28174 uid=mysql auid=mysql ses=276356 msg='op=PAM:session_close acct=mysql exe=/usr/sbin/crond hostname=? addr=? terminal=cron res=success'
----
type=PATH msg=audit(12/22/2015 11:45:01.766:1660580) : item=3 name=param-MYLHCE01V.swp inode=49283 dev=fd:00 mode=file,640 ouid=root ogid=root rdev=00:00 nametype=CREATE
type=PATH msg=audit(12/22/2015 11:45:01.766:1660580) : item=2 name=.param-MYLHCE01V.swp inode=49283 dev=fd:00 mode=file,640 ouid=root ogid=root rdev=00:00 nametype=DELETE
type=PATH msg=audit(12/22/2015 11:45:01.766:1660580) : item=1 name=/etc/mysql inode=49308 dev=fd:00 mode=dir,755 ouid=mysql ogid=mysql rdev=00:00 nametype=PARENT
type=PATH msg=audit(12/22/2015 11:45:01.766:1660580) : item=0 name=/etc/mysql inode=49308 dev=fd:00 mode=dir,755 ouid=mysql ogid=mysql rdev=00:00 nametype=PARENT
type=CWD msg=audit(12/22/2015 11:45:01.766:1660580) : cwd=/etc/mysql
type=SYSCALL msg=audit(12/22/2015 11:45:01.766:1660580) : arch=x86_64 syscall=rename success=yes exit=0 a0=0x7ffe46229db3 a1=0x7ffe46229dc8 a2=0x0 a3=0x7ffe46227c80 items=4 ppid=28254 pid=28351 auid=mysql uid=mysql gid=mysql euid=mysql suid=mysql fsuid=mysql egid=mysql sgid=mysql fsgid=mysql tty=(none) ses=276356 comm=mv exe=/bin/mv key=swp_move
----
type=PATH msg=audit(12/22/2015 11:45:01.767:1660581) : item=1 name=(null) inode=319568 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL
type=PATH msg=audit(12/22/2015 11:45:01.767:1660581) : item=0 name=/bin/chmod inode=40985 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL
type=CWD msg=audit(12/22/2015 11:45:01.767:1660581) : cwd=/etc/mysql
type=EXECVE msg=audit(12/22/2015 11:45:01.767:1660581) : argc=3 a0=chmod a1=660 a2=param-MYLHCE01V.swp
type=SYSCALL msg=audit(12/22/2015 11:45:01.767:1660581) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7f5b008c2959 a1=0x7f5b008c26c8 a2=0x7f5b008c2828 a3=0x8 items=2 ppid=28254 pid=28355 auid=mysql uid=mysql gid=mysql euid=mysql suid=mysql fsuid=mysql egid=mysql sgid=mysql fsgid=mysql tty=(none) ses=276356 comm=chmod exe=/bin/chmod key=system_commands
Happy new year.
Philippe
[-- Attachment #1.2: Type: text/html, Size: 11440 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply
* Re: How to monitor audit/audispd killed
From: Steve Grubb @ 2016-01-04 14:32 UTC (permalink / raw)
To: linux-audit
In-Reply-To: <CAH8ERfatWjaVOyawRPT9Zb8cBE=3cYWoxd4Y5YYU_E7c8rozaQ@mail.gmail.com>
On Monday, January 04, 2016 08:10:29 PM Matthew Chao wrote:
> Hi,
>
> I added the following rules in audit.rules for monitoring auditd/audispd be
> killed(audit ver: 1.8),
> =============
> -a exit,always -F perm=wa -F path=/var/run/auditd.pid -k cfg
>
> -a exit,always -F perm=wa -F path=/var/run/audispd_events -k cfg
>
> Or
> -a exit,always -S kill -F path=/var/run/auditd.pid -k cfg
>
> -a exit,always -S kill -F path=/var/run/audispd_events -k cfg
> =============
>
> However, these rules don't work:
You have a race condition where auditd gets a signal to shutdown and an event
indicating that shutdown is occurring. On shutdown, the audit daemon does not
alter the rules or whether auditing is enabled. (This was to get shutdown AVCs
for selinux.) There is a chance that your event is in syslog's files.
> even the processes (auditd/audispd) are killed, I can't get any related
> messages except DAEMON_END.
The daemon end event should give you 2 things, who issued the shutdown (auid)
and the sending pid. That should let you track it down.
-Steve
^ permalink raw reply
* Re: How to monitor audit/audispd killed
From: Richard Guy Briggs @ 2016-01-04 14:12 UTC (permalink / raw)
To: Matthew Chao; +Cc: linux-audit
In-Reply-To: <CAH8ERfatWjaVOyawRPT9Zb8cBE=3cYWoxd4Y5YYU_E7c8rozaQ@mail.gmail.com>
On 16/01/04, Matthew Chao wrote:
> Hi,
>
> I added the following rules in audit.rules for monitoring auditd/audispd be
> killed(audit ver: 1.8),
> =============
> -a exit,always -F perm=wa -F path=/var/run/auditd.pid -k cfg
>
> -a exit,always -F perm=wa -F path=/var/run/audispd_events -k cfg
>
> Or
> -a exit,always -S kill -F path=/var/run/auditd.pid -k cfg
>
> -a exit,always -S kill -F path=/var/run/audispd_events -k cfg
> =============
>
> However, these rules don't work: even the processes (auditd/audispd) are
> killed, I can't get any related messages except DAEMON_END.
Is that because auditd is no longer there to receive that message? Did
it show up in syslog or were you able to re-start auditd before the hold
queue overflowed to be able to pick up those messages?
- RGB
--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
^ permalink raw reply
* How to monitor audit/audispd killed
From: Matthew Chao @ 2016-01-04 12:10 UTC (permalink / raw)
To: linux-audit
[-- Attachment #1.1: Type: text/plain, Size: 519 bytes --]
Hi,
I added the following rules in audit.rules for monitoring auditd/audispd be
killed(audit ver: 1.8),
=============
-a exit,always -F perm=wa -F path=/var/run/auditd.pid -k cfg
-a exit,always -F perm=wa -F path=/var/run/audispd_events -k cfg
Or
-a exit,always -S kill -F path=/var/run/auditd.pid -k cfg
-a exit,always -S kill -F path=/var/run/audispd_events -k cfg
=============
However, these rules don't work: even the processes (auditd/audispd) are
killed, I can't get any related messages except DAEMON_END.
[-- Attachment #1.2: Type: text/html, Size: 726 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply
* Re: audit 2.4.5 released
From: Steve Grubb @ 2016-01-02 17:27 UTC (permalink / raw)
To: burn; +Cc: linux-audit
In-Reply-To: <1451626861.3232.149.camel@swtf.swtf.dyndns.org>
On Friday, January 01, 2016 04:41:01 PM Burn Alting wrote:
> On Fri, 2015-12-18 at 14:49 -0500, Steve Grubb wrote:
> > Hello,
> >
> > I've just released a new version of the audit daemon. It can be downloaded
> > from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
> > soon. The ChangeLog is:
> >
> > - Fix auditd disk flushing for data and sync modes
> > - Fix auditctl to not show options not supported on older OS
> > - Add audit.m4 file to aid adding support to other projects
> > - Fix C99 inline function build issue
> > - Add account lock and unlock event types
> > - Change logging loophole check to geteuid()
> > - Fix ausearch to not consider AUDIT_PROCTITLE events malformed (Burn
> > Alting) - Fix ausearch to parse FEATURE_CHANGE events
> >
> > Please let me know if you run across any problems with this release.
>
> Minor bug fix ... the various auparse/interpret.c:*_escape() routines
> did not terminate the strings they generated.
Applied. Thanks!
-Steve
^ permalink raw reply
* Re: audit 2.4.5 released
From: Burn Alting @ 2016-01-01 5:41 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <1929164.Q9DeV9IFDj@x2>
[-- Attachment #1: Type: text/plain, Size: 888 bytes --]
On Fri, 2015-12-18 at 14:49 -0500, Steve Grubb wrote:
> Hello,
>
> I've just released a new version of the audit daemon. It can be downloaded
> from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
> soon. The ChangeLog is:
>
> - Fix auditd disk flushing for data and sync modes
> - Fix auditctl to not show options not supported on older OS
> - Add audit.m4 file to aid adding support to other projects
> - Fix C99 inline function build issue
> - Add account lock and unlock event types
> - Change logging loophole check to geteuid()
> - Fix ausearch to not consider AUDIT_PROCTITLE events malformed (Burn Alting)
> - Fix ausearch to parse FEATURE_CHANGE events
>
> Please let me know if you run across any problems with this release.
Minor bug fix ... the various auparse/interpret.c:*_escape() routines
did not terminate the strings they generated.
Regards
Burn
[-- Attachment #2: audit-2.4.5_escape_bug.patch --]
[-- Type: text/x-patch, Size: 818 bytes --]
diff -Npru audit-2.4.5/auparse/interpret.c audit-2.4.5_escape_bug/auparse/interpret.c
--- audit-2.4.5/auparse/interpret.c 2015-12-19 06:20:59.000000000 +1100
+++ audit-2.4.5_escape_bug/auparse/interpret.c 2016-01-01 16:33:26.567241361 +1100
@@ -163,6 +163,7 @@ static void tty_escape(const char *s, ch
dest[j++] = s[i];
i++;
}
+ dest[j] = '\0'; /* terminate string */
}
static const char sh_set[] = "\"'`$\\";
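Review bot: the missing terminator in tty_escape() is masked whenever the caller passes a dest that is already zero-filled, so the new `dest[j] = '\0';` after the copy loop deserves a regression test. Filling dest with a non-zero byte before calling each *_escape() routine and then checking the length of the result would catch a recurrence in any of the three functions.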
@@ -195,6 +196,7 @@ static void shell_escape(const char *s,
dest[j++] = s[i];
i++;
}
+ dest[j] = '\0'; /* terminate string */
}
static const char quote_set[] = ";'\"`#$&*?[]<>{}\\";
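Review bot: shell_escape() now ends with the same `dest[j] = '\0';` as tty_escape() and shell_quote_escape(), after the same `dest[j++] = s[i]; i++;` loop tail. The character sets defined next to these routines (sh_set, quote_set) look like the only thing that differs between them, so consider one helper that takes the set as a parameter and keeps the terminator in a single place.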
@@ -227,6 +229,7 @@ static void shell_quote_escape(const cha
dest[j++] = s[i];
i++;
}
+ dest[j] = '\0'; /* terminate string */
}
/* This should return the count of what needs escaping */
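Review bot: `dest[j] = '\0';` in shell_quote_escape() writes one byte beyond the escaped text, and the size of dest is not visible in this hunk (the signature is cut off in the header). The trailing context comment says the following function returns "the count of what needs escaping", so please confirm that callers allocate the input length plus that count plus one byte for the terminator, and say so in a comment on the escape routines.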
[-- Attachment #3: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply
* Re: New draft standards
From: LC Bruzenak @ 2015-12-29 19:28 UTC (permalink / raw)
To: linux-audit
In-Reply-To: <1736195.o09BuzvBta@x2>
[-- Attachment #1.1: Type: text/plain, Size: 1852 bytes --]
On 12/14/2015 08:34 AM, Steve Grubb wrote:
> That is not exactly what I proposed. What I was proposing was to record the
> translation of things that could change between systems and thus prevent
> correct interpretation later. Doing all translations is technically possible
> but would slow down auditd just a bit and increase the amount of data on disk.
> But doing this is not really necessary for the native audit tools.
>
> But I guess this gives me an opportunity to ask the community what tools they
> are using for audit log collection and viewing? It's been a couple years since
> we had this discussion on the mail list and I think some things have changed.
>
> Do people use ELK?
> Apache Flume?
> Something else?
>
> It might be possible to write a plugin to translate the audit logs into the
> native format of these tools.
Sorry for the late reply. Translating the salient details is for me
important.
This is especially true on systems where:
- aggregation is happening from one or more different machines (and
cannot assume federated UIDs), and
- where records are required to be kept over long periods of time
(system updates happen, UIDs are changed, people leave, etc)
I realize it carries a processing burden somewhere; this is inevitable
and I believe we'll need to design for this.
We're auditing for a reason; we need proof of who did what and in
varying degrees I believe this means persistence of accountability.
Because I'm almost a one-stop shop where I work, and the auditing
requirements are specific and particular, I have a homegrown log
collection and viewing solution for now but would prefer to incorporate
a flexible, more useful user tool. So I'm in the "something else"
category but somewhat open to change.
LCB
--
LC (Lenny) Bruzenak
lenny@magitekltd.com
^ permalink raw reply
* Re: New draft standards
From: Burn Alting @ 2015-12-28 7:24 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <2221771.1qUNZOCjO5@x2>
On Sun, 2015-12-27 at 10:06 -0500, Steve Grubb wrote:
> On Sunday, December 27, 2015 11:30:59 AM Burn Alting wrote:
> > I'll start with the statement I am happy to enhance the audit capability
> > of Linux in any way (read that as a direct offer to help).
>
> Thanks!
>
> > > I'm somewhat interested in this. I'm just not sure where the best place to
> > > do all this is. Should it be in ausearch? Should it be in auditd? Should
> > > it be in the remote logging plugin? Should audit utilities be modified to
> > > accept this new form of input?
> >
> > I've concentrated on ausearch as this is the only tool that
> > comprehensively parses all existing audit records, both well formed and
> > incorrectly formed. As you know auparse() has difficulties with
> > mal-formed events.
>
> Its main problem is dealing with interlaced records. The kernel does not
> serialize the audit stream. Whatever thread/process is executing at the moment
> can trigger a multi-part or single line event. For example:
>
> type=SYSCALL msg=audit(1396522853.933:313): arch=c000003e syscall=313
> success=yes exit=0 a0=0 a1=41a396 a2=0 a3=0 items=1348 ppid=1263 pid=1264
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> ses=4294967295 tty=(none) comm="modprobe" exe="/usr/bin/kmod"
> subj=system_u:system_r:insmod_t:s0 key="module-load"
> type=LOGIN msg=audit(1396522854.227:460): pid=1523 uid=0 old auid=4294967295
> new auid=4325 old ses=4294967295 new ses=1 res=1
> type=PATH msg=audit(1396522853.933:313): item=0 name=(null) inode=165
> dev=00:06 mode=040755 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:debugfs_t:s0 nametype=PARENT
> type=PATH msg=audit(1396522853.933:313): item=1 name=(null) inode=11206
> dev=00:06 mode=040755 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:debugfs_t:s0 nametype=CREATE
> type=LOGIN msg=audit(1396522854.315:461): pid=1518 uid=0 old auid=4294967295
> new auid=4325 old ses=4294967295 new ses=1 res=1
> type=PATH msg=audit(1396522853.933:313): item=2 name=(null) inode=11206
> dev=00:06 mode=040755 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:debugfs_t:s0 nametype=PARENT
>
> That should be 3 events.
>
I wasn't too concerned about the interleaved events but the incorrect
use of the audit message as per
type=USER_CHAUTHTOK msg=audit(12/28/2015 18:00:30.858:17862432) :
pid=13418 uid=root auid=burn ses=1
subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 msg='op=change
password id=burn exe=/usr/bin/passwd hostname=? addr=? terminal=pts/0
res=success'
where auparse will discard the string 'password', changing
op=change password id=burn exe=/usr/bin/passwd
to
op=change id=burn exe=/usr/bin/passwd
>
> > Ausearch also has the benefit of not affecting real time performance - I'd not
> > like auditd to have to wait on an external DNS service to time out when
> > attempting to resolve an 'addr' field.
>
> Yeah, I'm thinking about just breaking down the SOCKADDR record into src/dst
> ip and src/dst port and then leaving it as that for now.
>
>
> > Whatever is done, the code needs to be modular so that any utility, be
> > it ausearch, auditd or an audispd plugin, or an independent auparse()
> > based utility can make use of it.
> >
> > Perhaps to address the higher level audit needs, we can provide an
> > additional output format to my proposed changes for 'interpretive
> > formatting' to be that of 'descriptive statements'. This would be
> > similar to Windows auditing when it allows one to include 'Display
> > Information' field which provides a 'human readable' description of the
> > event data.
>
> I'm not familiar with Windows auditing, but yeah.
>
> > Perhaps the thrust should be
> > a. address performance
>
> I might have this solved. I'll send a separate email.
>
> > b. ensure auparse() can better deal with mal-formed events
>
> This would be a big contribution to the project.
>
> > c. provide interpretative formatting
>
> Yes. I think this is a good order that has the right things in the right
> priority. There is one other issue that I need to tackle at some point. The
> auparse library does a lot of string manipulation. As such it winds up doing a
> lot of strtok/malloc/free. I'd like to see this run faster somehow. Perhaps
> moving to ustr could help. Or maybe having a list of pointers/lengths to avoid
> malloc/free. But auparse needs a performance boost, too.
>
> -Steve
^ permalink raw reply
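The regrouping that the interleaved stream quoted in the message above calls for, as an added example (not code from this thread or from the audit project): records are keyed on the `msg=audit(sec.msec:serial)` stamp, so the six lines collapse into three events. The `struct event` and `group_events()` names are hypothetical, the sample records are constructed from the quoted ones with fields trimmed, and raw (uninterpreted) timestamps are assumed.

```c
#include <stdio.h>
#include <string.h>
/* One audit event: all records sharing msg=audit(sec.msec:serial). */
struct event { unsigned long sec, serial; unsigned int msec; int nrecs; };

/* Constructed sample: the interleaved stream quoted above, fields trimmed. */
static const char *sample[] = {
    "type=SYSCALL msg=audit(1396522853.933:313): syscall=313 items=1348",
    "type=LOGIN msg=audit(1396522854.227:460): pid=1523 uid=0 res=1",
    "type=PATH msg=audit(1396522853.933:313): item=0 nametype=PARENT",
    "type=PATH msg=audit(1396522853.933:313): item=1 nametype=CREATE",
    "type=LOGIN msg=audit(1396522854.315:461): pid=1518 uid=0 res=1",
    "type=PATH msg=audit(1396522853.933:313): item=2 nametype=PARENT",
};

/* Group records by stamp in any arrival order; -1 on bad record or full out[]. */
int group_events(const char **recs, int n, struct event *out, int max)
{
    int nev = 0;
    for (int i = 0; i < n; i++) {
        struct event key = { 0 };
        const char *p = strstr(recs[i], "msg=audit(");
        int j;
        if (!p || sscanf(p, "msg=audit(%lu.%u:%lu)",
                         &key.sec, &key.msec, &key.serial) != 3)
            return -1;              /* no stamp, or not in raw format */
        for (j = 0; j < nev; j++)   /* linear search over events seen so far */
            if (out[j].sec == key.sec && out[j].msec == key.msec &&
                out[j].serial == key.serial)
                break;
        if (j == nev) {             /* first record seen for this event */
            if (nev == max)
                return -1;
            out[nev++] = key;
        }
        out[j].nrecs++;
    }
    return nev;
}

int main(void)
{
    struct event ev[8];
    int n = group_events(sample, 6, ev, 8);
    for (int i = 0; i < n; i++)
        printf("%lu.%03u:%lu records=%d\n", ev[i].sec, ev[i].msec,
               ev[i].serial, ev[i].nrecs);
    return n == 3 ? 0 : 1;
}
```

Grouping alone does not say when an event is complete; a real parser also has to decide how long to wait for late records before releasing an event.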