order of entries output from ausearch -i
Steve Grubb
sgrubb at redhat.com
Wed Nov 13 20:35:36 UTC 2013
On Wednesday, November 13, 2013 05:14:13 PM AKASHI Takahiro wrote:
> Hi Steve
>
> I followed your advice and verified my patch of AArch64 audit support
> by comparing the output from
> # autrace /bin/ls
> # ausearch -i -p XXX | grep SYSCALL
> with the output from
> # strace /bin/ls
>
> Here I found that the entries shown by "ausearch -i" are listed
> partially in the order of lifo (Last In First Out?).
> I don't think this behavior is "intuitive".
> (As you know, ausearch without -i generates fifo order of outputs.)
> Is there any good reason?

Yes, the syscall record is often the most important. It's better to scroll the
auxiliary records off the screen leaving just the syscall record. For example,
if you triggered a syscall event against kill(-1, SIGTERM) you could have
100 or more OBJ_PID records with that syscall.
-Steve
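As an added illustration of the ordering discussed in this thread (this is example code, not anything from Steve, AKASHI or the audit userspace project), the script below takes raw audit records, groups them into events by serial number, and renders them either in logged (fifo) order or in the style "ausearch -i" uses: events in chronological order, but within each event the auxiliary records first and the SYSCALL record last. It also shows why the ordering does not matter for the verification AKASHI describes: once records are grouped by serial, the sequence of syscall numbers is the same either way and can be diffed against strace. The sample records, their timestamps, serials, pids and syscall numbers are constructed for the example and are not from a real system.

```python
import re
from collections import OrderedDict

# Constructed sample records in the raw (no "-i") ausearch/audit.log format.
# All values (timestamps, serials, pids, inodes, syscall numbers) are made up
# for this example and do not come from a real machine.
SAMPLE_RAW = """\
type=SYSCALL msg=audit(1384374853.101:201): arch=c00000b7 syscall=56 success=yes exit=3 a0=ffffffffffffff9c a1=ffffd000 a2=80000 a3=0 items=1 ppid=100 pid=101 comm="ls" exe="/bin/ls" key=(null)
type=CWD msg=audit(1384374853.101:201): cwd="/root"
type=PATH msg=audit(1384374853.101:201): item=0 name="/etc/ld.so.cache" inode=12345 mode=0100644
type=SYSCALL msg=audit(1384374853.102:202): arch=c00000b7 syscall=63 success=yes exit=832 a0=3 a1=ffffd100 a2=340 a3=0 items=0 ppid=100 pid=101 comm="ls" exe="/bin/ls" key=(null)
type=SYSCALL msg=audit(1384374853.150:203): arch=c00000b7 syscall=129 success=yes exit=0 a0=ffffffffffffffff a1=f a2=0 a3=0 items=0 ppid=100 pid=101 comm="kill" exe="/bin/kill" key=(null)
type=OBJ_PID msg=audit(1384374853.150:203): opid=300 oauid=0 ouid=0 oses=1 ocomm="sleep"
type=OBJ_PID msg=audit(1384374853.150:203): opid=301 oauid=0 ouid=0 oses=1 ocomm="sleep"
"""

# One raw record: "type=<TYPE> msg=audit(<secs>.<msecs>:<serial>): <body>"
RECORD_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)


def parse_records(text):
    """Group raw audit records into events keyed by serial number, keeping file order."""
    events = OrderedDict()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RECORD_RE.match(line)
        if m is None:
            raise ValueError("unrecognised audit record: " + line)
        events.setdefault(m.group('serial'), []).append((m.group('type'), m.group('body')))
    return events


def order_fifo(events):
    """Record order as logged: for each event, its records in the order they arrived."""
    return [(serial, rtype) for serial, recs in events.items() for rtype, _ in recs]


def order_like_ausearch_i(events):
    """Order matching the behaviour discussed in the thread: events stay chronological,
    but within an event the auxiliary records (CWD, PATH, OBJ_PID, ...) come first and
    the SYSCALL record last, so the SYSCALL line is what stays on screen after a
    large event (e.g. one with many OBJ_PID records) scrolls past."""
    out = []
    for serial, recs in events.items():
        aux = [(serial, t) for t, _ in recs if t != 'SYSCALL']
        sc = [(serial, t) for t, _ in recs if t == 'SYSCALL']
        out.extend(aux + sc)
    return out


SYSCALL_NR_RE = re.compile(r'\bsyscall=(\d+)\b')


def syscalls_by_event(events):
    """Extract (serial, syscall number) from each event's SYSCALL record. Because the
    records are grouped by serial first, the result is independent of whether the
    SYSCALL record was printed first or last, which is what matters when comparing
    the sequence against an strace run of the same command."""
    result = []
    for serial, recs in events.items():
        for rtype, body in recs:
            if rtype == 'SYSCALL':
                m = SYSCALL_NR_RE.search(body)
                if m:
                    result.append((serial, int(m.group(1))))
    return result


EVENTS = parse_records(SAMPLE_RAW)

if __name__ == '__main__':
    print("fifo    :", [t for _, t in order_fifo(EVENTS)])
    print("like -i :", [t for _, t in order_like_ausearch_i(EVENTS)])
    print("syscalls:", syscalls_by_event(EVENTS))
```

Run it directly to see the two orderings side by side; for real data, replace SAMPLE_RAW with the output of "ausearch -p <pid>" (without -i, so the raw "msg=audit(secs:serial)" form is parsed) and compare syscalls_by_event against the strace listing.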