From: ramsdell@mitre.org (John D. Ramsdell)
Subject: Re: Should open syscall records occur without a path record?
Date: 24 Jul 2007 08:06:44 -0400
References: <200707231500.21392.sgrubb@redhat.com> <200707231556.12993.sgrubb@redhat.com>
In-Reply-To: <200707231556.12993.sgrubb@redhat.com>
To: Steve Grubb
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Steve Grubb writes:

> setroubleshoot is written in python and it sorts its input stream to solve
> this in the mean time. You might look there for some example code.

I was unable to find the relevant code with a quick look, but I didn't take
much time as I knew a short script would do the trick. I just sorted on the
serial numbers in the audit message. Diff'ing showed quite a bit of motion in
the sorted output.

Also, I notice that in just one message, the msg field value does not end
with a colon:

type=DAEMON_START msg=audit(1185203485.586:824) auditd start, ver=1.5.5, format=raw, auid=500 pid=24638 res=success, auditd pid=24638

John

#! /bin/sh
# Tag each audit record with its event serial, stable-sort on that serial,
# then strip the tag again.
python -E -c '
import sys, re

def main():
    # The serial is the number after the colon in msg=audit(time:serial);
    # the colon after the closing parenthesis is optional, since
    # DAEMON_START records omit it.
    pattern = re.compile(r"\smsg=audit\(\d+\.\d+:(\d+)\):?\s")
    for line in sys.stdin:
        match = pattern.search(line)
        if not match:
            sys.stderr.write("cannot parse audit message: '\''%s'\''\n" % line)
            sys.exit(1)
        sys.stdout.write(match.group(1) + "\t" + line)

if __name__ == "__main__":
    main()
' | sort -n -s -k 1 | cut -f 2-
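As an added illustration (not John's script and not setroubleshoot code), the same serial-number grouping done in Python with a stable sort, tolerating the DAEMON_START line whose msg value has no trailing colon, and then checking each event for the case the thread subject asks about: a SYSCALL record with no PATH record beside it. The sample records are constructed for this example.

```python
import re
from collections import OrderedDict

# Serial is the number after the colon in msg=audit(time:serial); the colon
# after the closing parenthesis is optional because DAEMON_START omits it.
MSG_RE = re.compile(r"\smsg=audit\(\d+\.\d+:(\d+)\):?\s")

def serial_of(line):
    """Return the event serial of one audit record; raise if it does not parse."""
    m = MSG_RE.search(line.rstrip("\n") + " ")
    if not m:
        raise ValueError("cannot parse audit message: %r" % line)
    return int(m.group(1))

def sort_by_serial(lines):
    """Stable sort: records of one event keep their original relative order."""
    return sorted(lines, key=serial_of)

def group_events(lines):
    """Map serial -> list of records, in ascending serial order."""
    events = OrderedDict()
    for line in sort_by_serial(lines):
        events.setdefault(serial_of(line), []).append(line)
    return events

def syscall_without_path(lines):
    """Serials of events that carry a SYSCALL record but no PATH record."""
    flagged = []
    for serial, recs in group_events(lines).items():
        types = {r.split(" ", 1)[0] for r in recs}
        if "type=SYSCALL" in types and "type=PATH" not in types:
            flagged.append(serial)
    return flagged

# Constructed sample: events 825 and 826 arrive interleaved, and the
# DAEMON_START record has no colon after the serial.
SAMPLE = [
    'type=DAEMON_START msg=audit(1185203485.586:824) auditd start, ver=1.5.5, format=raw, auid=500 pid=24638 res=success',
    'type=SYSCALL msg=audit(1185203490.001:825): arch=40000003 syscall=5 success=yes exit=3 comm="cat" exe="/bin/cat"',
    'type=SYSCALL msg=audit(1185203490.002:826): arch=40000003 syscall=5 success=no exit=-2 comm="cat" exe="/bin/cat"',
    'type=CWD msg=audit(1185203490.001:825):  cwd="/home/user"',
    'type=PATH msg=audit(1185203490.001:825): item=0 name="/etc/passwd" inode=12345 dev=08:01 mode=0100644',
    'type=CWD msg=audit(1185203490.002:826):  cwd="/home/user"',
]

if __name__ == "__main__":
    for serial, recs in group_events(SAMPLE).items():
        print(serial, [r.split(" ", 1)[0] for r in recs])
    print("SYSCALL without PATH:", syscall_without_path(SAMPLE))
```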