authorWe-unite <3205135446@qq.com>2024-07-17 11:47:03 +0800
committerWe-unite <3205135446@qq.com>2024-07-17 14:03:06 +0800
commitf055b3940f999c2e26448812e67b68da363dcbad (patch)
tree145411eb93d96ecd4b5b24783d10da5e345791f7
downloadgodo-f055b3940f999c2e26448812e67b68da363dcbad.tar.gz
godo-f055b3940f999c2e26448812e67b68da363dcbad.zip
Initial commit
This repo is to supervise all processes in containers, in other words to inspect the behavior of Docker containers and get the pid tree. There are several ways for programs in user space to interact with kernel space: - system calls, which can be found in the source path arch/x86/syscalls - ioctl - the /proc virtual file system, to read kernel realtime info - netlink socket. The pid we should pay attention to is /usr/bin/containerd, which may come from the docker-daemon service and whose ppid is 1. Each time a docker is started or stopped, this forks a pid, the pid then forks, and that is the main process of the docker. To grab the info of pid creation or exit, this program is based on go-libaudit, which uses a netlink socket to hear from the kernel about the audit log. What is worrying is that one event is always divided into several entries, and several events may be received interleaved. So, from my point of view, the program has 3 coroutines and 2 channels: the first receives raw event messages from audit, then throws them to channel 1; the second listens to channel 1 and organizes each event until there is an EOE, then throws it to channel 2; the third picks events from channel 2 and deals with the event, such as creating or deleting a pid. Specially, since two related pieces of information (pid 1 forks pid 2, then pid 1 exits) may come out of order, deletion must be delayed for some time (maybe 1 second) to keep the process tree correct.
-rw-r--r--.gitignore2
-rwxr-xr-xbuild.sh7
-rw-r--r--go.mod15
-rw-r--r--go.sum57
-rw-r--r--godo.go213
-rw-r--r--logs/fuck.log401
-rw-r--r--old/audit.go127
-rw-r--r--old/auparse.go218
8 files changed, 1040 insertions, 0 deletions
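--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+.vscode/*
+godo
\ No newline at end of file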
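--- /dev/null
+++ b/build.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+set -e
+docker_api_version=$(docker version)
+docker_api_version=$(docker version | grep API | head -n 1 | awk '{print $3}')
+echo "Docker API version is $docker_api_version..."
+export DOCKER_API_VERSION=$docker_api_version
\ No newline at end of file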
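Review bot: Line 4's `docker_api_version=$(docker version)` is dead — line 5 overwrites the variable — yet under `set -e` it still runs `docker version` once more than needed, so it can simply be dropped. If the script is meant to be executed (it has a shebang and mode 100755) rather than sourced, the final `export` only affects the script's own process and is lost when it exits, so a caller would need `source build.sh` for DOCKER_API_VERSION to reach the build; a comment stating which usage is intended, e.g. `# usage: source ./build.sh  (export must land in the caller's shell)`, would settle it.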
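--- /dev/null
+++ b/go.mod
@@ -0,0 +1,15 @@
+module godo
+
+go 1.21.5
+
+require (
+	github.com/elastic/go-libaudit/v2 v2.5.0
+	gopkg.in/yaml.v3 v3.0.1
+)
+
+require (
+	go.uber.org/atomic v1.7.0 // indirect
+	go.uber.org/multierr v1.7.0 // indirect
+	golang.org/x/sys v0.11.0 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+)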
diff --git a/go.sum b/go.sum
new file mode 100644
index 0000000..6880c39
--- /dev/null
+++ b/go.sum
@@ -0,0 +1,57 @@
1github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
2github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
3github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
4github.com/elastic/go-libaudit/v2 v2.5.0 h1:5OK919QRnGtcjVBz3n/cs5F42im1mPlVTA9TyIn2K54=
5github.com/elastic/go-libaudit/v2 v2.5.0/go.mod h1:AjlnhinP+kKQuUJoXLVrqxBM8uyhQmkzoV6jjsCFP4Q=
6github.com/elastic/go-licenser v0.4.1 h1:1xDURsc8pL5zYT9R29425J3vkHdt4RT5TNEMeRN48x4=
7github.com/elastic/go-licenser v0.4.1/go.mod h1:V56wHMpmdURfibNBggaSBfqgPxyT1Tldns1i87iTEvU=
8github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs=
9github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
10github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
11github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
12github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
13github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
14github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
15github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
16github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
17go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw=
18go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
19go.uber.org/multierr v1.7.0 h1:zaiO/rmgFjbmCXdSYJWQcdvOCsthmdaHfr3Gm2Kx4Ec=
20go.uber.org/multierr v1.7.0/go.mod h1:7EAYxJLBy9rStEaz58O2t4Uvip6FSURkq8/ppBp95ak=
21golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
22golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
23golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
24golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
25golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
26golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
27golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
28golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
29golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
30golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
31golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
32golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
33golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
34golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
35golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
36golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
37golang.org/x/sys v0.0.0-20211102192858-4dd72447c267/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
38golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM=
39golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
40golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
41golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
42golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
43golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
44golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
45golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
46golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo=
47golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
48golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
49golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
50gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
51gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
52gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
53gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
54gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
55gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
56gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
57gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
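--- /dev/null
+++ b/godo.go
@@ -0,0 +1,213 @@
+package main
+
+import (
+	"bufio"
+	"flag"
+	"fmt"
+	"io"
+	"log"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"sync"
+
+	"github.com/elastic/go-libaudit/v2"
+	"github.com/elastic/go-libaudit/v2/auparse"
+)
+
+var (
+	fs = flag.NewFlagSet("audit", flag.ExitOnError)
+	diag = fs.String("diag", "", "dump raw information from kernel to file")
+	rate = fs.Uint("rate", 0, "rate limit in kernel (default 0, no rate limit)")
+	backlog = fs.Uint("backlog", 8192, "backlog limit")
+	immutable = fs.Bool("immutable", false, "make kernel audit settings immutable (requires reboot to undo)")
+	receiveOnly = fs.Bool("ro", false, "receive only using multicast, requires kernel 3.16+")
+)
+
+type process struct {
+	cmdline string
+	rootfs string
+	children []int
+}
+
+var pids map[int]*process //古希腊掌管进程的神
+var containers map[string]int // 古希腊掌管容器的神
+var wg sync.WaitGroup // 掌管协程
+
+func main() {
+	// 检查用户身份,并添加auditd规则,监听所有syscall
+	if os.Geteuid() != 0 {
+		fmt.Printf("Err: Please run me as root, %d!\n", os.Getegid())
+		return
+	}
+	syscall := [5]string{"fork", "vfork", "execve", "exit", "exit_group"}
+	var auditCmd *exec.Cmd
+	auditCmd = exec.Command("auditctl", "-D") // 清空所有规则
+	auditCmd.Run()
+	// 设置监听规则
+	for i := 0; i < 5; i++ {
+		auditCmd = exec.Command("auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", syscall[i])
+		auditCmd.Run()
+	}
+
+	// 查找pid
+	containerdPid, err := getPid()
+	if err != nil {
+		fmt.Printf("Error finding containerd: %v\n", err)
+		return
+	}
+
+	pids = make(map[int]*process)
+	containers = make(map[string]int)
+	pids[containerdPid] = &process{cmdline: "/usr/bin/cmdline", rootfs: "/", children: make([]int, 0)}
+
+	// 开始运行,解析命令行参数后监听
+	if err := fs.Parse(os.Args[1:]); err != nil {
+		log.Fatal(err)
+	}
+
+	if err := read(); err != nil {
+		log.Fatalf("error: %v", err)
+	}
+}
+
+func getPid() (int, error) {
+	// 指定要搜索的关键词
+	keyword := "/usr/bin/containerd"
+
+	// 获取/proc目录下的所有子目录
+	procDir, err := filepath.Glob("/proc/*")
+	if err != nil {
+		return 0, err
+	}
+
+	// 遍历子目录,查找包含关键词的进程
+	for _, dir := range procDir {
+		pid, err := strconv.Atoi(filepath.Base(dir))
+		if err != nil {
+			continue // 跳过非PID的目录
+		}
+
+		// 检查进程是否包含关键词
+		if containsKeyword(pid, keyword) {
+			return pid, nil
+		}
+	}
+	err = fmt.Errorf("Error: no containerd process found.\n")
+	return 0, err
+}
+
+func containsKeyword(pid int, keyword string) bool {
+	// 构造完整的进程命令路径
+	cmdPath := fmt.Sprintf("/proc/%d/cmdline", pid)
+
+	// 打开文件
+	file, err := os.Open(cmdPath)
+	if err != nil {
+		return false
+	}
+	defer file.Close()
+
+	// 读取文件内容
+	scanner := bufio.NewScanner(file)
+	scanner.Split(bufio.ScanLines)
+	for scanner.Scan() {
+		line := scanner.Text()
+		if strings.Contains(line, keyword) {
+			return true
+		}
+	}
+	return false
+}
+
+func read() error {
+	// Write netlink response to a file for further analysis or for writing
+	// tests cases.
+	var diagWriter io.Writer
+	if *diag != "" {
+		f, err := os.OpenFile(*diag, os.O_CREATE|os.O_RDWR|os.O_TRUNC, 0o600)
+		if err != nil {
+			return err
+		}
+		defer f.Close()
+		diagWriter = f
+	}
+
+	log.Println("starting netlink client")
+
+	var err error
+	var client *libaudit.AuditClient
+	if *receiveOnly {
+		client, err = libaudit.NewMulticastAuditClient(diagWriter)
+		if err != nil {
+			return fmt.Errorf("failed to create receive-only audit client: %w", err)
+		}
+		defer client.Close()
+	} else {
+		client, err = libaudit.NewAuditClient(diagWriter)
+		if err != nil {
+			return fmt.Errorf("failed to create audit client: %w", err)
+		}
+		defer client.Close()
+
+		status, err := client.GetStatus()
+		if err != nil {
+			return fmt.Errorf("failed to get audit status: %w", err)
+		}
+		log.Printf("received audit status=%+v", status)
+
+		if status.Enabled == 0 {
+			log.Println("enabling auditing in the kernel")
+			if err = client.SetEnabled(true, libaudit.WaitForReply); err != nil {
+				return fmt.Errorf("failed to set enabled=true: %w", err)
+			}
+		}
+
+		if status.RateLimit != uint32(*rate) {
+			log.Printf("setting rate limit in kernel to %v", *rate)
+			if err = client.SetRateLimit(uint32(*rate), libaudit.NoWait); err != nil {
+				return fmt.Errorf("failed to set rate limit to unlimited: %w", err)
+			}
+		}
+
+		if status.BacklogLimit != uint32(*backlog) {
+			log.Printf("setting backlog limit in kernel to %v", *backlog)
+			if err = client.SetBacklogLimit(uint32(*backlog), libaudit.NoWait); err != nil {
+				return fmt.Errorf("failed to set backlog limit: %w", err)
+			}
+		}
+
+		if status.Enabled != 2 && *immutable {
+			log.Printf("setting kernel settings as immutable")
+			if err = client.SetImmutable(libaudit.NoWait); err != nil {
+				return fmt.Errorf("failed to set kernel as immutable: %w", err)
+			}
+		}
+
+		log.Printf("sending message to kernel registering our PID (%v) as the audit daemon", os.Getpid())
+		if err = client.SetPID(libaudit.NoWait); err != nil {
+			return fmt.Errorf("failed to set audit PID: %w", err)
+		}
+	}
+
+	return receive(client)
+}
+
+func receive(r *libaudit.AuditClient) error {
+	for {
+		rawEvent, err := r.Receive(false)
+		if err != nil {
+			return fmt.Errorf("receive failed: %w", err)
+		}
+
+		// Messages from 1300-2999 are valid audit messages.
+		if rawEvent.Type < auparse.AUDIT_USER_AUTH ||
+			rawEvent.Type > auparse.AUDIT_LAST_USER_MSG2 {
+			continue
+		}
+
+		fmt.Printf("type=%v msg=%s\n", rawEvent.Type, rawEvent.Data)
+	}
+}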
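Review bot: containsKeyword (lines 102-123) substring-matches the whole of /proc/<pid>/cmdline, so any process that merely carries `/usr/bin/containerd` among its arguments satisfies getPid — the shim in the committed log is started with `-publish-binary /usr/bin/containerd` — and because filepath.Glob returns /proc/* in lexical rather than numeric order, the first such match is not necessarily the daemon whose ppid is 1. A cmdline is written by the process itself and proves nothing on its own; comparing argv[0] (the text before the first NUL) exactly, as below, or resolving /proc/<pid>/exe with os.Readlink, pins the lookup to the real binary. Separately, line 42 prints `os.Getegid()` in a message about the euid check, `pids[containerdPid]` on line 64 is seeded with cmdline `"/usr/bin/cmdline"` where the keyword from line 78 looks intended, and both `auditCmd.Run()` calls (lines 48 and 52) discard their errors, so a failed `auditctl -D` — which also wipes every pre-existing audit rule on the host — or a rejected rule insert goes unnoticed while the program continues as if the rules were in place.
```go
func containsKeyword(pid int, keyword string) bool {
	// /proc/<pid>/cmdline is NUL-separated; compare argv[0] exactly rather than
	// substring-matching the whole line, so a process that only names
	// /usr/bin/containerd in its arguments is not mistaken for containerd.
	data, err := os.ReadFile(fmt.Sprintf("/proc/%d/cmdline", pid))
	if err != nil {
		return false
	}
	argv0, _, _ := strings.Cut(string(data), "\x00")
	return argv0 == keyword
}
```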
diff --git a/logs/fuck.log b/logs/fuck.log
new file mode 100644
index 0000000..4686a03
--- /dev/null
+++ b/logs/fuck.log
@@ -0,0 +1,401 @@
1type=SYSCALL msg=audit(1721179984.136:629): arch=c000003e syscall=59 success=yes exit=0 a0=1a16830 a1=193e6e0 a2=1a02870 a3=7ffcb50a1a20 items=2 ppid=2945 pid=3339 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="docker" exe="/usr/bin/docker" subj=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 key=(null)
2type=EXECVE msg=audit(1721179984.136:629): argc=3 a0="docker" a1="start" a2="ubuntu"
3type=CWD msg=audit(1721179984.136:629): cwd="/home/player"
4type=PATH msg=audit(1721179984.136:629): item=0 name="/bin/docker" inode=103221779 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
5type=PATH msg=audit(1721179984.136:629): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
6type=PROCTITLE msg=audit(1721179984.136:629): proctitle=646F636B6572007374617274007562756E7475
7---
8type=ANOM_PROMISCUOUS msg=audit(1721179984.167:630): dev=vethc3c7cd5 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
9type=SYSCALL msg=audit(1721179984.167:630): arch=c000003e syscall=44 success=yes exit=40 a0=e a1=c001190420 a2=28 a3=0 items=0 ppid=1 pid=1315 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dockerd" exe="/usr/bin/dockerd" subj=system_u:system_r:container_runtime_t:s0 key=(null)
10type=SOCKADDR msg=audit(1721179984.167:630): saddr=100000000000000000000000
11type=PROCTITLE msg=audit(1721179984.167:630): proctitle=2F7573722F62696E2F646F636B657264002D480066643A2F2F002D2D636F6E7461696E6572643D2F72756E2F636F6E7461696E6572642F636F6E7461696E6572642E736F636B
12---
13type=SYSCALL msg=audit(1721179984.170:631): arch=c000003e syscall=59 success=yes exit=0 a0=7ffdf0c1eda0 a1=7ffdf0c1e9a0 a2=55cdb48fd710 a3=8 items=2 ppid=3345 pid=3347 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
14type=EXECVE msg=audit(1721179984.170:631): argc=5 a0="/usr/lib/systemd/systemd-sysctl" a1="--prefix=/net/ipv4/conf/vethee301d7" a2="--prefix=/net/ipv4/neigh/vethee301d7" a3="--prefix=/net/ipv6/conf/vethee301d7" a4="--prefix=/net/ipv6/neigh/vethee301d7"
15type=CWD msg=audit(1721179984.170:631): cwd="/"
16type=PATH msg=audit(1721179984.170:631): item=0 name="/usr/lib/systemd/systemd-sysctl" inode=355868 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:systemd_sysctl_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
17type=PATH msg=audit(1721179984.170:631): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
18type=PROCTITLE msg=audit(1721179984.170:631): proctitle=2F7573722F6C69622F73797374656D642F73797374656D642D73797363746C002D2D7072656669783D2F6E65742F697076342F636F6E662F7665746865653330316437002D2D7072656669783D2F6E65742F697076342F6E656967682F7665746865653330316437002D2D7072656669783D2F6E65742F697076362F636F6E66
19---
20type=SYSCALL msg=audit(1721179984.172:632): arch=c000003e syscall=59 success=yes exit=0 a0=7ffdf0c1eda0 a1=7ffdf0c1e9a0 a2=55cdb4901330 a3=8 items=2 ppid=3346 pid=3348 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
21type=EXECVE msg=audit(1721179984.172:632): argc=5 a0="/usr/lib/systemd/systemd-sysctl" a1="--prefix=/net/ipv4/conf/vethc3c7cd5" a2="--prefix=/net/ipv4/neigh/vethc3c7cd5" a3="--prefix=/net/ipv6/conf/vethc3c7cd5" a4="--prefix=/net/ipv6/neigh/vethc3c7cd5"
22type=CWD msg=audit(1721179984.172:632): cwd="/"
23type=PATH msg=audit(1721179984.172:632): item=0 name="/usr/lib/systemd/systemd-sysctl" inode=355868 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:systemd_sysctl_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
24type=PATH msg=audit(1721179984.172:632): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
25type=PROCTITLE msg=audit(1721179984.172:632): proctitle=2F7573722F6C69622F73797374656D642F73797374656D642D73797363746C002D2D7072656669783D2F6E65742F697076342F636F6E662F7665746863336337636435002D2D7072656669783D2F6E65742F697076342F6E656967682F7665746863336337636435002D2D7072656669783D2F6E65742F697076362F636F6E66
26---
27type=SYSCALL msg=audit(1721179984.177:633): arch=c000003e syscall=231 a0=0 a1=0 a2=0 a3=ffffffffffffff60 items=0 ppid=3345 pid=3347 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
28type=SYSCALL msg=audit(1721179984.177:634): arch=c000003e syscall=231 a0=0 a1=0 a2=0 a3=ffffffffffffff60 items=0 ppid=3346 pid=3348 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
29type=PROCTITLE msg=audit(1721179984.177:634): proctitle=2F7573722F6C69622F73797374656D642F73797374656D642D73797363746C002D2D7072656669783D2F6E65742F697076342F636F6E662F7665746863336337636435002D2D7072656669783D2F6E65742F697076342F6E656967682F7665746863336337636435002D2D7072656669783D2F6E65742F697076362F636F6E66
30type=PROCTITLE msg=audit(1721179984.177:633): proctitle=2F7573722F6C69622F73797374656D642F73797374656D642D73797363746C002D2D7072656669783D2F6E65742F697076342F636F6E662F7665746865653330316437002D2D7072656669783D2F6E65742F697076342F6E656967682F7665746865653330316437002D2D7072656669783D2F6E65742F697076362F636F6E66
31---
32---
33---
34type=SYSCALL msg=audit(1721179984.200:635): arch=c000003e syscall=59 success=yes exit=0 a0=c00003a450 a1=c00071c840 a2=c00048fd80 a3=0 items=1 ppid=1139 pid=3350 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="containerd-shim" exe="/usr/bin/containerd-shim-runc-v2" subj=system_u:system_r:container_runtime_t:s0 key=(null)
35type=EXECVE msg=audit(1721179984.200:635): argc=10 a0="/usr/bin/containerd-shim-runc-v2" a1="-namespace" a2="moby" a3="-address" a4="/run/containerd/containerd.sock" a5="-publish-binary" a6="/usr/bin/containerd" a7="-id" a8="a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8" a9="start"
36type=CWD msg=audit(1721179984.200:635): cwd="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8"
37type=PATH msg=audit(1721179984.200:635): item=0 name="/usr/bin/containerd-shim-runc-v2" inode=100665599 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
38type=PROCTITLE msg=audit(1721179984.200:635): proctitle=2F7573722F62696E2F636F6E7461696E6572642D7368696D2D72756E632D7632002D6E616D657370616365006D6F6279002D61646472657373002F72756E2F636F6E7461696E6572642F636F6E7461696E6572642E736F636B002D7075626C6973682D62696E617279002F7573722F62696E2F636F6E7461696E657264002D69
39---
40type=SYSCALL msg=audit(1721179984.211:636): arch=c000003e syscall=59 success=yes exit=0 a0=c0000a69f0 a1=c00009f040 a2=c00009f080 a3=0 items=1 ppid=3350 pid=3357 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="containerd-shim" exe="/usr/bin/containerd-shim-runc-v2" subj=system_u:system_r:container_runtime_t:s0 key=(null)
41type=EXECVE msg=audit(1721179984.211:636): argc=7 a0="/usr/bin/containerd-shim-runc-v2" a1="-namespace" a2="moby" a3="-id" a4="a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8" a5="-address" a6="/run/containerd/containerd.sock"
42type=CWD msg=audit(1721179984.211:636): cwd="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8"
43type=PATH msg=audit(1721179984.211:636): item=0 name="/usr/bin/containerd-shim-runc-v2" inode=100665599 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
44type=PROCTITLE msg=audit(1721179984.211:636): proctitle=2F7573722F62696E2F636F6E7461696E6572642D7368696D2D72756E632D7632002D6E616D657370616365006D6F6279002D69640061376332373634663566386435383464623766393033636365646632333336656666343031343531666231303936373865613336373635336662393265356238002D61646472657373002F
45---
46type=SYSCALL msg=audit(1721179984.213:637): arch=c000003e syscall=231 a0=0 a1=1 a2=0 a3=4ec items=0 ppid=1139 pid=3350 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="containerd-shim" exe="/usr/bin/containerd-shim-runc-v2" subj=system_u:system_r:container_runtime_t:s0 key=(null)
47type=PROCTITLE msg=audit(1721179984.213:637): proctitle=2F7573722F62696E2F636F6E7461696E6572642D7368696D2D72756E632D7632002D6E616D657370616365006D6F6279002D61646472657373002F72756E2F636F6E7461696E6572642F636F6E7461696E6572642E736F636B002D7075626C6973682D62696E617279002F7573722F62696E2F636F6E7461696E657264002D69
48---
49type=SYSCALL msg=audit(1721179984.224:638): arch=c000003e syscall=59 success=yes exit=0 a0=c000199670 a1=c000133180 a2=c0001bc2d0 a3=0 items=2 ppid=3357 pid=3368 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc" exe="/usr/bin/runc" subj=system_u:system_r:container_runtime_t:s0 key=(null)
50type=EXECVE msg=audit(1721179984.224:638): argc=15 a0="runc" a1="--root" a2="/var/run/docker/runtime-runc/moby" a3="--log" a4="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8/log.json" a5="--log-format" a6="json" a7="create" a8="--bundle" a9="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8" a10="--pid-file" a11="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8/init.pid" a12="--console-socket" a13="/tmp/pty3849963645/pty.sock" a14="a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8"
51type=CWD msg=audit(1721179984.224:638): cwd="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8"
52type=PATH msg=audit(1721179984.224:638): item=0 name="/usr/bin/runc" inode=100665601 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
53type=PATH msg=audit(1721179984.224:638): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
54type=PROCTITLE msg=audit(1721179984.224:638): proctitle=72756E63002D2D726F6F74002F7661722F72756E2F646F636B65722F72756E74696D652D72756E632F6D6F6279002D2D6C6F67002F72756E2F636F6E7461696E6572642F696F2E636F6E7461696E6572642E72756E74696D652E76322E7461736B2F6D6F62792F61376332373634663566386435383464623766393033636365
55---
56type=SYSCALL msg=audit(1721179984.239:639): arch=c000003e syscall=59 success=yes exit=0 a0=c000180a10 a1=c00009d8a8 a2=c0000a67d0 a3=0 items=2 ppid=3368 pid=3375 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="exe" exe="/usr/bin/runc" subj=system_u:system_r:container_runtime_t:s0 key=(null)
57type=EXECVE msg=audit(1721179984.239:639): argc=2 a0="runc" a1="init"
58type=CWD msg=audit(1721179984.239:639): cwd="/var/lib/docker/overlay2/2d28d3d7bbad8e0b6ceb33a57ad027faa3ea261ff2a5ada1a6d7adc886e81c0a/merged"
59type=PATH msg=audit(1721179984.239:639): item=0 name="/proc/self/exe" inode=100665601 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
60type=PATH msg=audit(1721179984.239:639): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
61type=PROCTITLE msg=audit(1721179984.239:639): proctitle=72756E6300696E6974
62---
63type=SYSCALL msg=audit(1721179984.250:640): arch=c000003e syscall=59 success=yes exit=0 a0=7ffd5ec41570 a1=558546109030 a2=558546109050 a3=7ffd5ec410a0 items=2 ppid=3368 pid=3375 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="7" exe="/" subj=system_u:system_r:container_runtime_t:s0 key=(null)
64type=EXECVE msg=audit(1721179984.250:640): argc=2 a0="runc" a1="init"
65type=CWD msg=audit(1721179984.250:640): cwd="/var/lib/docker/overlay2/2d28d3d7bbad8e0b6ceb33a57ad027faa3ea261ff2a5ada1a6d7adc886e81c0a/merged"
66type=PATH msg=audit(1721179984.250:640): item=0 name="/proc/self/fd/7" inode=100665601 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
67type=PATH msg=audit(1721179984.250:640): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
68type=PROCTITLE msg=audit(1721179984.250:640): proctitle=72756E6300696E6974
69---
70type=NETFILTER_CFG msg=audit(1721179984.252:641): table=filter family=2 entries=0
71type=NETFILTER_CFG msg=audit(1721179984.252:641): table=filter family=10 entries=0
72type=NETFILTER_CFG msg=audit(1721179984.252:641): table=raw family=2 entries=0
73type=NETFILTER_CFG msg=audit(1721179984.252:641): table=security family=2 entries=0
74type=NETFILTER_CFG msg=audit(1721179984.252:641): table=mangle family=2 entries=0
75type=NETFILTER_CFG msg=audit(1721179984.252:641): table=nat family=2 entries=0
76type=NETFILTER_CFG msg=audit(1721179984.252:641): table=raw family=10 entries=0
77type=NETFILTER_CFG msg=audit(1721179984.252:641): table=security family=10 entries=0
78type=NETFILTER_CFG msg=audit(1721179984.252:641): table=mangle family=10 entries=0
79type=NETFILTER_CFG msg=audit(1721179984.252:641): table=nat family=10 entries=0
80type=SYSCALL msg=audit(1721179984.252:641): arch=c000003e syscall=272 success=yes exit=0 a0=6c020000 a1=5623ec5cf373 a2=5623ec5d1460 a3=7ffe2c25ba20 items=0 ppid=3368 pid=3377 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc:[1:CHILD]" exe="/" subj=system_u:system_r:container_runtime_t:s0 key=(null)
81type=PROCTITLE msg=audit(1721179984.252:641): proctitle=72756E6300696E6974
82---
83type=SYSCALL msg=audit(1721179984.258:642): arch=c000003e syscall=231 a0=0 a1=0 a2=0 a3=ffffffffffffff60 items=0 ppid=3368 pid=3377 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc:[1:CHILD]" exe="/" subj=system_u:system_r:container_runtime_t:s0 key=(null)
84type=PROCTITLE msg=audit(1721179984.258:642): proctitle=72756E6300696E6974
85---
86type=SYSCALL msg=audit(1721179984.260:643): arch=c000003e syscall=231 a0=0 a1=0 a2=0 a3=ffffffffffffff60 items=0 ppid=3368 pid=3375 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc:[0:PARENT]" exe="/" subj=system_u:system_r:container_runtime_t:s0 key=(null)
87type=PROCTITLE msg=audit(1721179984.260:643): proctitle=72756E6300696E6974
88---
89type=SYSCALL msg=audit(1721179984.276:644): arch=c000003e syscall=59 success=yes exit=0 a0=c0001cd230 a1=c0001c1c80 a2=c0001c1cb0 a3=0 items=2 ppid=3368 pid=3383 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="exe" exe="/usr/bin/dockerd" subj=system_u:system_r:container_runtime_t:s0 key=(null)
90type=EXECVE msg=audit(1721179984.276:644): argc=4 a0="libnetwork-setkey" a1="-exec-root=/var/run/docker" a2="a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8" a3="d6ff75a08de6"
91type=CWD msg=audit(1721179984.276:644): cwd="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8"
92type=PATH msg=audit(1721179984.276:644): item=0 name="/proc/1315/exe" inode=100665603 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
93type=PATH msg=audit(1721179984.276:644): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
94type=PROCTITLE msg=audit(1721179984.276:644): proctitle=6C69626E6574776F726B2D7365746B6579002D657865632D726F6F743D2F7661722F72756E2F646F636B6572006137633237363466356638643538346462376639303363636564663233333665666634303134353166623130393637386561333637363533666239326535623800643666663735613038646536
95---
96type=SYSCALL msg=audit(1721179984.384:645): arch=c000003e syscall=231 a0=0 a1=12 a2=0 a3=558c5cbdb700 items=0 ppid=3368 pid=3383 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="exe" exe="/usr/bin/dockerd" subj=system_u:system_r:container_runtime_t:s0 key=(null)
97type=PROCTITLE msg=audit(1721179984.384:645): proctitle=6C69626E6574776F726B2D7365746B6579002D657865632D726F6F743D2F7661722F72756E2F646F636B6572006137633237363466356638643538346462376639303363636564663233333665666634303134353166623130393637386561333637363533666239326535623800643666663735613038646536
98---
99type=SECCOMP msg=audit(1721179984.454:646): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 pid=3378 comm="runc:[2:INIT]" sig=0 arch=c000003e syscall=439 compat=0 ip=0x5623ec13e40e code=0x50000
100type=SYSCALL msg=audit(1721179984.455:647): arch=c000003e syscall=231 a0=0 a1=1 a2=c00011f2e0 a3=1500 items=0 ppid=3357 pid=3368 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc" exe="/usr/bin/runc" subj=system_u:system_r:container_runtime_t:s0 key=(null)
101type=PROCTITLE msg=audit(1721179984.455:647): proctitle=72756E63002D2D726F6F74002F7661722F72756E2F646F636B65722F72756E74696D652D72756E632F6D6F6279002D2D6C6F67002F72756E2F636F6E7461696E6572642F696F2E636F6E7461696E6572642E72756E74696D652E76322E7461736B2F6D6F62792F61376332373634663566386435383464623766393033636365
102---
103type=SYSCALL msg=audit(1721179984.464:648): arch=c000003e syscall=59 success=yes exit=0 a0=c0002ca180 a1=c0002cc2d0 a2=c0002984b0 a3=0 items=2 ppid=3357 pid=3392 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc" exe="/usr/bin/runc" subj=system_u:system_r:container_runtime_t:s0 key=(null)
104type=EXECVE msg=audit(1721179984.464:648): argc=9 a0="runc" a1="--root" a2="/var/run/docker/runtime-runc/moby" a3="--log" a4="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8/log.json" a5="--log-format" a6="json" a7="start" a8="a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8"
105type=CWD msg=audit(1721179984.464:648): cwd="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8"
106type=PATH msg=audit(1721179984.464:648): item=0 name="/usr/bin/runc" inode=100665601 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
107type=PATH msg=audit(1721179984.464:648): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
108type=PROCTITLE msg=audit(1721179984.464:648): proctitle=72756E63002D2D726F6F74002F7661722F72756E2F646F636B65722F72756E74696D652D72756E632F6D6F6279002D2D6C6F67002F72756E2F636F6E7461696E6572642F696F2E636F6E7461696E6572642E72756E74696D652E76322E7461736B2F6D6F62792F61376332373634663566386435383464623766393033636365
109---
110type=SYSCALL msg=audit(1721179984.474:649): arch=c000003e syscall=231 a0=0 a1=1 a2=0 a3=563955c730e0 items=0 ppid=3357 pid=3392 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc" exe="/usr/bin/runc" subj=system_u:system_r:container_runtime_t:s0 key=(null)
111type=PROCTITLE msg=audit(1721179984.474:649): proctitle=72756E63002D2D726F6F74002F7661722F72756E2F646F636B65722F72756E74696D652D72756E632F6D6F6279002D2D6C6F67002F72756E2F636F6E7461696E6572642F696F2E636F6E7461696E6572642E72756E74696D652E76322E7461736B2F6D6F62792F61376332373634663566386435383464623766393033636365
112---
113type=SYSCALL msg=audit(1721179984.474:650): arch=c000003e syscall=59 success=yes exit=0 a0=c0001e1bd0 a1=c00013cb40 a2=c0001a2840 a3=0 items=2 ppid=3357 pid=3378 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="bash" exe="/bin/bash" subj=system_u:system_r:spc_t:s0 key=(null)
114type=BPRM_FCAPS msg=audit(1721179984.474:650): fver=0 fp=0000000000000000 fi=0000000000000000 fe=0 old_pp=00000000a80425fb old_pi=0000000000000000 old_pe=00000000a80425fb old_pa=0000000000000000 pp=00000000a80425fb pi=0000000000000000 pe=00000000a80425fb pa=0000000000000000
115type=EXECVE msg=audit(1721179984.474:650): argc=1 a0="/bin/bash"
116type=CWD msg=audit(1721179984.474:650): cwd="/"
117type=PATH msg=audit(1721179984.474:650): item=0 name="/bin/bash" inode=38622 dev=00:29 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_share_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
118type=PATH msg=audit(1721179984.474:650): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=38631 dev=00:29 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_share_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
119type=PROCTITLE msg=audit(1721179984.474:650): proctitle="/bin/bash"
120---
121type=SYSCALL msg=audit(1721179984.481:651): arch=c000003e syscall=59 success=yes exit=0 a0=17d58e8 a1=17d5a68 a2=17d2e08 a3=598 items=2 ppid=3398 pid=3399 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="groups" exe="/usr/bin/groups" subj=system_u:system_r:spc_t:s0 key=(null)
122type=BPRM_FCAPS msg=audit(1721179984.481:651): fver=0 fp=0000000000000000 fi=0000000000000000 fe=0 old_pp=00000000a80425fb old_pi=0000000000000000 old_pe=00000000a80425fb old_pa=0000000000000000 pp=00000000a80425fb pi=0000000000000000 pe=00000000a80425fb pa=0000000000000000
123type=EXECVE msg=audit(1721179984.481:651): argc=1 a0="groups"
124type=CWD msg=audit(1721179984.481:651): cwd="/"
125type=PATH msg=audit(1721179984.481:651): item=0 name="/usr/bin/groups" inode=36473 dev=00:29 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_share_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
126type=PATH msg=audit(1721179984.481:651): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=38631 dev=00:29 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_share_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
127type=PROCTITLE msg=audit(1721179984.481:651): proctitle="groups"
128---
129type=SYSCALL msg=audit(1721179984.483:652): arch=c000003e syscall=231 a0=0 a1=3c a2=0 a3=7ffd45ecd3c8 items=0 ppid=3398 pid=3399 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="groups" exe="/usr/bin/groups" subj=system_u:system_r:spc_t:s0 key=(null)
130type=PROCTITLE msg=audit(1721179984.483:652): proctitle="groups"
131---
132type=SYSCALL msg=audit(1721179984.484:653): arch=c000003e syscall=231 a0=0 a1=3c a2=0 a3=7ffc48ca6888 items=0 ppid=3378 pid=3398 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="bash" exe="/bin/bash" subj=system_u:system_r:spc_t:s0 key=(null)
133type=PROCTITLE msg=audit(1721179984.484:653): proctitle="/bin/bash"
134---
135type=SYSCALL msg=audit(1721179984.486:654): arch=c000003e syscall=231 a0=0 a1=0 a2=0 a3=4 items=0 ppid=2945 pid=3339 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="docker" exe="/usr/bin/docker" subj=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 key=(null)
136type=PROCTITLE msg=audit(1721179984.486:654): proctitle=646F636B6572007374617274007562756E7475
137---
138type=SYSCALL msg=audit(1721179984.486:655): arch=c000003e syscall=59 success=yes exit=0 a0=17d6dc8 a1=17d6988 a2=17d2e08 a3=598 items=2 ppid=3400 pid=3401 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="dircolors" exe="/usr/bin/dircolors" subj=system_u:system_r:spc_t:s0 key=(null)
139type=BPRM_FCAPS msg=audit(1721179984.486:655): fver=0 fp=0000000000000000 fi=0000000000000000 fe=0 old_pp=00000000a80425fb old_pi=0000000000000000 old_pe=00000000a80425fb old_pa=0000000000000000 pp=00000000a80425fb pi=0000000000000000 pe=00000000a80425fb pa=0000000000000000
140type=EXECVE msg=audit(1721179984.486:655): argc=2 a0="dircolors" a1="-b"
141type=CWD msg=audit(1721179984.486:655): cwd="/"
142type=PATH msg=audit(1721179984.486:655): item=0 name="/usr/bin/dircolors" inode=36478 dev=00:29 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_share_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
143type=PATH msg=audit(1721179984.486:655): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=38631 dev=00:29 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_share_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
144type=PROCTITLE msg=audit(1721179984.486:655): proctitle=646972636F6C6F7273002D62
145---
146type=SYSCALL msg=audit(1721179984.488:656): arch=c000003e syscall=231 a0=0 a1=3c a2=0 a3=7ffe9820d8d8 items=0 ppid=3400 pid=3401 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="dircolors" exe="/usr/bin/dircolors" subj=system_u:system_r:spc_t:s0 key=(null)
147type=PROCTITLE msg=audit(1721179984.488:656): proctitle=646972636F6C6F7273002D62
148---
149type=SYSCALL msg=audit(1721179984.488:657): arch=c000003e syscall=231 a0=0 a1=3c a2=0 a3=7ffc48ca6278 items=0 ppid=3378 pid=3400 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="bash" exe="/bin/bash" subj=system_u:system_r:spc_t:s0 key=(null)
150type=PROCTITLE msg=audit(1721179984.488:657): proctitle="/bin/bash"
151---
152type=SYSCALL msg=audit(1721179987.374:658): arch=c000003e syscall=231 a0=0 a1=0 a2=0 a3=fffffffffffffe50 items=0 ppid=573 pid=3349 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-udevd" exe="/usr/lib/systemd/systemd-udevd" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
153type=PROCTITLE msg=audit(1721179987.374:658): proctitle="/usr/lib/systemd/systemd-udevd"
154---
155type=SYSCALL msg=audit(1721179987.374:659): arch=c000003e syscall=231 a0=0 a1=0 a2=0 a3=fffffffffffffe50 items=0 ppid=573 pid=3345 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-udevd" exe="/usr/lib/systemd/systemd-udevd" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
156type=PROCTITLE msg=audit(1721179987.374:659): proctitle="/usr/lib/systemd/systemd-udevd"
157---
158type=SYSCALL msg=audit(1721179987.375:660): arch=c000003e syscall=231 a0=0 a1=0 a2=0 a3=fffffffffffffe50 items=0 ppid=573 pid=3346 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-udevd" exe="/usr/lib/systemd/systemd-udevd" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
159type=PROCTITLE msg=audit(1721179987.375:660): proctitle="/usr/lib/systemd/systemd-udevd"
160---
161type=SYSCALL msg=audit(1721179998.082:661): arch=c000003e syscall=59 success=yes exit=0 a0=193ea90 a1=1a14dc0 a2=1a02870 a3=7ffcb50a1a20 items=2 ppid=2945 pid=3402 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="docker" exe="/usr/bin/docker" subj=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 key=(null)
162type=EXECVE msg=audit(1721179998.082:661): argc=5 a0="docker" a1="exec" a2="ubuntu" a3="echo" a4="hello"
163type=CWD msg=audit(1721179998.082:661): cwd="/home/player"
164type=PATH msg=audit(1721179998.082:661): item=0 name="/bin/docker" inode=103221779 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
165type=PATH msg=audit(1721179998.082:661): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
166type=PROCTITLE msg=audit(1721179998.082:661): proctitle=646F636B65720065786563007562756E7475006563686F0068656C6C6F
167---
168type=SYSCALL msg=audit(1721179998.133:662): arch=c000003e syscall=59 success=yes exit=0 a0=c0002f4110 a1=c000206780 a2=c0001bd950 a3=0 items=2 ppid=3357 pid=3409 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc" exe="/usr/bin/runc" subj=system_u:system_r:container_runtime_t:s0 key=(null)
169type=EXECVE msg=audit(1721179998.133:662): argc=14 a0="runc" a1="--root" a2="/var/run/docker/runtime-runc/moby" a3="--log" a4="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8/log.json" a5="--log-format" a6="json" a7="exec" a8="--process" a9="/tmp/runc-process2506901255" a10="--detach" a11="--pid-file" a12="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8/97c8f3af19ec98b9c452de78ce4da8c5dd864f6f0c4415a8b5ff3b5736044e68.pid" a13="a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8"
170type=CWD msg=audit(1721179998.133:662): cwd="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8"
171type=PATH msg=audit(1721179998.133:662): item=0 name="/usr/bin/runc" inode=100665601 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
172type=PATH msg=audit(1721179998.133:662): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
173type=PROCTITLE msg=audit(1721179998.133:662): proctitle=72756E63002D2D726F6F74002F7661722F72756E2F646F636B65722F72756E74696D652D72756E632F6D6F6279002D2D6C6F67002F72756E2F636F6E7461696E6572642F696F2E636F6E7461696E6572642E72756E74696D652E76322E7461736B2F6D6F62792F61376332373634663566386435383464623766393033636365
174---
175type=SYSCALL msg=audit(1721179998.161:663): arch=c000003e syscall=59 success=yes exit=0 a0=c000162a00 a1=c000155770 a2=c000157700 a3=0 items=2 ppid=3409 pid=3417 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="exe" exe="/usr/bin/runc" subj=system_u:system_r:container_runtime_t:s0 key=(null)
176type=EXECVE msg=audit(1721179998.161:663): argc=2 a0="runc" a1="init"
177type=CWD msg=audit(1721179998.161:663): cwd="/var/lib/docker/overlay2/2d28d3d7bbad8e0b6ceb33a57ad027faa3ea261ff2a5ada1a6d7adc886e81c0a/merged"
178type=PATH msg=audit(1721179998.161:663): item=0 name="/proc/self/exe" inode=100665601 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
179type=PATH msg=audit(1721179998.161:663): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
180type=PROCTITLE msg=audit(1721179998.161:663): proctitle=72756E6300696E6974
181---
182type=SYSCALL msg=audit(1721179998.186:664): arch=c000003e syscall=59 success=yes exit=0 a0=7ffc53fec590 a1=560e20a66030 a2=560e20a66050 a3=7ffc53fec0e0 items=2 ppid=3409 pid=3417 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="5" exe="/" subj=system_u:system_r:container_runtime_t:s0 key=(null)
183type=EXECVE msg=audit(1721179998.186:664): argc=2 a0="runc" a1="init"
184type=CWD msg=audit(1721179998.186:664): cwd="/var/lib/docker/overlay2/2d28d3d7bbad8e0b6ceb33a57ad027faa3ea261ff2a5ada1a6d7adc886e81c0a/merged"
185type=PATH msg=audit(1721179998.186:664): item=0 name="/proc/self/fd/5" inode=100665601 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
186type=PATH msg=audit(1721179998.186:664): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
187type=PROCTITLE msg=audit(1721179998.186:664): proctitle=72756E6300696E6974
188---
189type=SYSCALL msg=audit(1721179998.189:665): arch=c000003e syscall=231 a0=0 a1=0 a2=0 a3=ffffffffffffff60 items=0 ppid=3409 pid=3418 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc:[1:CHILD]" exe="/" subj=system_u:system_r:container_runtime_t:s0 key=(null)
190type=PROCTITLE msg=audit(1721179998.189:665): proctitle=72756E6300696E6974
191---
192type=SYSCALL msg=audit(1721179998.190:666): arch=c000003e syscall=231 a0=0 a1=0 a2=0 a3=ffffffffffffff60 items=0 ppid=3409 pid=3417 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc:[0:PARENT]" exe="/" subj=system_u:system_r:container_runtime_t:s0 key=(null)
193type=PROCTITLE msg=audit(1721179998.190:666): proctitle=72756E6300696E6974
194---
195type=SECCOMP msg=audit(1721179998.218:667): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 pid=3419 comm="runc:[2:INIT]" sig=0 arch=c000003e syscall=439 compat=0 ip=0x5601dc7be40e code=0x50000
196type=SYSCALL msg=audit(1721179998.218:668): arch=c000003e syscall=231 a0=0 a1=0 a2=c0000ef2e0 a3=c0002e0300 items=0 ppid=3357 pid=3409 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc" exe="/usr/bin/runc" subj=system_u:system_r:container_runtime_t:s0 key=(null)
197type=PROCTITLE msg=audit(1721179998.218:668): proctitle=72756E63002D2D726F6F74002F7661722F72756E2F646F636B65722F72756E74696D652D72756E632F6D6F6279002D2D6C6F67002F72756E2F636F6E7461696E6572642F696F2E636F6E7461696E6572642E72756E74696D652E76322E7461736B2F6D6F62792F61376332373634663566386435383464623766393033636365
198---
199type=SYSCALL msg=audit(1721179998.218:669): arch=c000003e syscall=59 success=yes exit=0 a0=c0000f86b0 a1=c0001173b0 a2=c0000243c0 a3=0 items=2 ppid=3409 pid=3419 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="echo" exe="/bin/echo" subj=system_u:system_r:spc_t:s0 key=(null)
200type=BPRM_FCAPS msg=audit(1721179998.218:669): fver=0 fp=0000000000000000 fi=0000000000000000 fe=0 old_pp=00000000a80425fb old_pi=0000000000000000 old_pe=00000000a80425fb old_pa=0000000000000000 pp=00000000a80425fb pi=0000000000000000 pe=00000000a80425fb pa=0000000000000000
201type=EXECVE msg=audit(1721179998.218:669): argc=2 a0="echo" a1="hello"
202type=CWD msg=audit(1721179998.218:669): cwd="/"
203type=PATH msg=audit(1721179998.218:669): item=0 name="/bin/echo" inode=36536 dev=00:29 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_share_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
204type=PATH msg=audit(1721179998.218:669): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=38631 dev=00:29 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_share_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
205type=PROCTITLE msg=audit(1721179998.218:669): proctitle=6563686F0068656C6C6F
206---
207type=SYSCALL msg=audit(1721179998.220:670): arch=c000003e syscall=231 a0=0 a1=3c a2=0 a3=7ffc7b282148 items=0 ppid=3357 pid=3419 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="echo" exe="/bin/echo" subj=system_u:system_r:spc_t:s0 key=(null)
208type=PROCTITLE msg=audit(1721179998.220:670): proctitle=6563686F0068656C6C6F
209---
210type=SYSCALL msg=audit(1721179998.223:671): arch=c000003e syscall=231 a0=0 a1=0 a2=0 a3=4 items=0 ppid=2945 pid=3402 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="docker" exe="/usr/bin/docker" subj=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 key=(null)
211type=PROCTITLE msg=audit(1721179998.223:671): proctitle=646F636B65720065786563007562756E7475006563686F0068656C6C6F
212---
213type=SYSCALL msg=audit(1721180008.674:672): arch=c000003e syscall=59 success=yes exit=0 a0=1a1ce20 a1=1a14dc0 a2=1a02870 a3=7ffcb50a1a20 items=2 ppid=2945 pid=3425 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="docker" exe="/usr/bin/docker" subj=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 key=(null)
214type=EXECVE msg=audit(1721180008.674:672): argc=5 a0="docker" a1="exec" a2="-it" a3="ubuntu" a4="/bin/bash"
215type=CWD msg=audit(1721180008.674:672): cwd="/home/player"
216type=PATH msg=audit(1721180008.674:672): item=0 name="/bin/docker" inode=103221779 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
217type=PATH msg=audit(1721180008.674:672): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
218type=PROCTITLE msg=audit(1721180008.674:672): proctitle=646F636B65720065786563002D6974007562756E7475002F62696E2F62617368
219---
220type=SYSCALL msg=audit(1721180008.720:673): arch=c000003e syscall=59 success=yes exit=0 a0=c0002f42d0 a1=c000222240 a2=c0001bc6f0 a3=0 items=2 ppid=3357 pid=3432 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc" exe="/usr/bin/runc" subj=system_u:system_r:container_runtime_t:s0 key=(null)
221type=EXECVE msg=audit(1721180008.720:673): argc=16 a0="runc" a1="--root" a2="/var/run/docker/runtime-runc/moby" a3="--log" a4="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8/log.json" a5="--log-format" a6="json" a7="exec" a8="--process" a9="/tmp/runc-process201052328" a10="--console-socket" a11="/tmp/pty3160677574/pty.sock" a12="--detach" a13="--pid-file" a14="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8/69b39661224db9f9e941b75da99f144a31c3ffb06ec0ea57981d4fe325d499b5.pid" a15="a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8"
222type=CWD msg=audit(1721180008.720:673): cwd="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8"
223type=PATH msg=audit(1721180008.720:673): item=0 name="/usr/bin/runc" inode=100665601 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
224type=PATH msg=audit(1721180008.720:673): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
225type=PROCTITLE msg=audit(1721180008.720:673): proctitle=72756E63002D2D726F6F74002F7661722F72756E2F646F636B65722F72756E74696D652D72756E632F6D6F6279002D2D6C6F67002F72756E2F636F6E7461696E6572642F696F2E636F6E7461696E6572642E72756E74696D652E76322E7461736B2F6D6F62792F61376332373634663566386435383464623766393033636365
226---
227type=SYSCALL msg=audit(1721180008.736:674): arch=c000003e syscall=59 success=yes exit=0 a0=c000194a00 a1=c000185770 a2=c000187780 a3=0 items=2 ppid=3432 pid=3440 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="exe" exe="/usr/bin/runc" subj=system_u:system_r:container_runtime_t:s0 key=(null)
228type=EXECVE msg=audit(1721180008.736:674): argc=2 a0="runc" a1="init"
229type=CWD msg=audit(1721180008.736:674): cwd="/var/lib/docker/overlay2/2d28d3d7bbad8e0b6ceb33a57ad027faa3ea261ff2a5ada1a6d7adc886e81c0a/merged"
230type=PATH msg=audit(1721180008.736:674): item=0 name="/proc/self/exe" inode=100665601 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
231type=PATH msg=audit(1721180008.736:674): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
232type=PROCTITLE msg=audit(1721180008.736:674): proctitle=72756E6300696E6974
233---
234type=SYSCALL msg=audit(1721180008.749:675): arch=c000003e syscall=59 success=yes exit=0 a0=7ffcaa036920 a1=55a755913030 a2=55a755913050 a3=7ffcaa036460 items=2 ppid=3432 pid=3440 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="6" exe="/" subj=system_u:system_r:container_runtime_t:s0 key=(null)
235type=EXECVE msg=audit(1721180008.749:675): argc=2 a0="runc" a1="init"
236type=CWD msg=audit(1721180008.749:675): cwd="/var/lib/docker/overlay2/2d28d3d7bbad8e0b6ceb33a57ad027faa3ea261ff2a5ada1a6d7adc886e81c0a/merged"
237type=PATH msg=audit(1721180008.749:675): item=0 name="/proc/self/fd/6" inode=100665601 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
238type=PATH msg=audit(1721180008.749:675): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
239type=PROCTITLE msg=audit(1721180008.749:675): proctitle=72756E6300696E6974
240---
241type=SYSCALL msg=audit(1721180008.753:676): arch=c000003e syscall=231 a0=0 a1=0 a2=0 a3=ffffffffffffff60 items=0 ppid=3432 pid=3441 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc:[1:CHILD]" exe="/" subj=system_u:system_r:container_runtime_t:s0 key=(null)
242type=PROCTITLE msg=audit(1721180008.753:676): proctitle=72756E6300696E6974
243---
244type=SYSCALL msg=audit(1721180008.755:677): arch=c000003e syscall=231 a0=0 a1=0 a2=0 a3=ffffffffffffff60 items=0 ppid=3432 pid=3440 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc:[0:PARENT]" exe="/" subj=system_u:system_r:container_runtime_t:s0 key=(null)
245type=PROCTITLE msg=audit(1721180008.755:677): proctitle=72756E6300696E6974
246---
247type=SECCOMP msg=audit(1721180008.785:678): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 pid=3442 comm="runc:[2:INIT]" sig=0 arch=c000003e syscall=439 compat=0 ip=0x55595d8d340e code=0x50000
248type=SYSCALL msg=audit(1721180008.787:679): arch=c000003e syscall=231 a0=0 a1=1 a2=c00011f2e0 a3=14b0 items=0 ppid=3357 pid=3432 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc" exe="/usr/bin/runc" subj=system_u:system_r:container_runtime_t:s0 key=(null)
249type=PROCTITLE msg=audit(1721180008.787:679): proctitle=72756E63002D2D726F6F74002F7661722F72756E2F646F636B65722F72756E74696D652D72756E632F6D6F6279002D2D6C6F67002F72756E2F636F6E7461696E6572642F696F2E636F6E7461696E6572642E72756E74696D652E76322E7461736B2F6D6F62792F61376332373634663566386435383464623766393033636365
250---
251type=SYSCALL msg=audit(1721180008.787:680): arch=c000003e syscall=59 success=yes exit=0 a0=c000188680 a1=c000140850 a2=c0001507b0 a3=0 items=2 ppid=3357 pid=3442 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="bash" exe="/bin/bash" subj=system_u:system_r:spc_t:s0 key=(null)
252type=BPRM_FCAPS msg=audit(1721180008.787:680): fver=0 fp=0000000000000000 fi=0000000000000000 fe=0 old_pp=00000000a80425fb old_pi=0000000000000000 old_pe=00000000a80425fb old_pa=0000000000000000 pp=00000000a80425fb pi=0000000000000000 pe=00000000a80425fb pa=0000000000000000
253type=EXECVE msg=audit(1721180008.787:680): argc=1 a0="/bin/bash"
254type=CWD msg=audit(1721180008.787:680): cwd="/"
255type=PATH msg=audit(1721180008.787:680): item=0 name="/bin/bash" inode=38622 dev=00:29 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_share_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
256type=PATH msg=audit(1721180008.787:680): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=38631 dev=00:29 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_share_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
257type=PROCTITLE msg=audit(1721180008.787:680): proctitle="/bin/bash"
258---
259type=SYSCALL msg=audit(1721180008.794:681): arch=c000003e syscall=59 success=yes exit=0 a0=8fe8e8 a1=8fea68 a2=8fbe08 a3=598 items=2 ppid=3447 pid=3448 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="groups" exe="/usr/bin/groups" subj=system_u:system_r:spc_t:s0 key=(null)
260type=BPRM_FCAPS msg=audit(1721180008.794:681): fver=0 fp=0000000000000000 fi=0000000000000000 fe=0 old_pp=00000000a80425fb old_pi=0000000000000000 old_pe=00000000a80425fb old_pa=0000000000000000 pp=00000000a80425fb pi=0000000000000000 pe=00000000a80425fb pa=0000000000000000
261type=EXECVE msg=audit(1721180008.794:681): argc=1 a0="groups"
262type=CWD msg=audit(1721180008.794:681): cwd="/"
263type=PATH msg=audit(1721180008.794:681): item=0 name="/usr/bin/groups" inode=36473 dev=00:29 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_share_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
264type=PATH msg=audit(1721180008.794:681): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=38631 dev=00:29 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_share_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
265type=PROCTITLE msg=audit(1721180008.794:681): proctitle="groups"
266---
267type=SYSCALL msg=audit(1721180008.796:682): arch=c000003e syscall=231 a0=0 a1=3c a2=0 a3=7ffd80931ef8 items=0 ppid=3447 pid=3448 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="groups" exe="/usr/bin/groups" subj=system_u:system_r:spc_t:s0 key=(null)
268type=PROCTITLE msg=audit(1721180008.796:682): proctitle="groups"
269---
270type=SYSCALL msg=audit(1721180008.796:683): arch=c000003e syscall=231 a0=0 a1=3c a2=0 a3=7ffe2dd07ff8 items=0 ppid=3442 pid=3447 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="bash" exe="/bin/bash" subj=system_u:system_r:spc_t:s0 key=(null)
271type=PROCTITLE msg=audit(1721180008.796:683): proctitle="/bin/bash"
272---
273type=SYSCALL msg=audit(1721180008.798:684): arch=c000003e syscall=59 success=yes exit=0 a0=8ffdc8 a1=8ff988 a2=8fbe08 a3=598 items=2 ppid=3449 pid=3450 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="dircolors" exe="/usr/bin/dircolors" subj=system_u:system_r:spc_t:s0 key=(null)
274type=BPRM_FCAPS msg=audit(1721180008.798:684): fver=0 fp=0000000000000000 fi=0000000000000000 fe=0 old_pp=00000000a80425fb old_pi=0000000000000000 old_pe=00000000a80425fb old_pa=0000000000000000 pp=00000000a80425fb pi=0000000000000000 pe=00000000a80425fb pa=0000000000000000
275type=EXECVE msg=audit(1721180008.798:684): argc=2 a0="dircolors" a1="-b"
276type=CWD msg=audit(1721180008.798:684): cwd="/"
277type=PATH msg=audit(1721180008.798:684): item=0 name="/usr/bin/dircolors" inode=36478 dev=00:29 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_share_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
278type=PATH msg=audit(1721180008.798:684): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=38631 dev=00:29 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_share_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
279type=PROCTITLE msg=audit(1721180008.798:684): proctitle=646972636F6C6F7273002D62
280---
281type=SYSCALL msg=audit(1721180008.799:685): arch=c000003e syscall=231 a0=0 a1=3c a2=0 a3=7ffc18145518 items=0 ppid=3449 pid=3450 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="dircolors" exe="/usr/bin/dircolors" subj=system_u:system_r:spc_t:s0 key=(null)
282type=PROCTITLE msg=audit(1721180008.799:685): proctitle=646972636F6C6F7273002D62
283---
284type=SYSCALL msg=audit(1721180008.799:686): arch=c000003e syscall=231 a0=0 a1=3c a2=0 a3=7ffe2dd079e8 items=0 ppid=3442 pid=3449 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="bash" exe="/bin/bash" subj=system_u:system_r:spc_t:s0 key=(null)
285type=PROCTITLE msg=audit(1721180008.799:686): proctitle="/bin/bash"
286---
287type=SYSCALL msg=audit(1721180010.254:687): arch=c000003e syscall=59 success=yes exit=0 a0=920488 a1=8fcb48 a2=8fbe08 a3=598 items=2 ppid=3442 pid=3451 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="ls" exe="/bin/ls" subj=system_u:system_r:spc_t:s0 key=(null)
288type=BPRM_FCAPS msg=audit(1721180010.254:687): fver=0 fp=0000000000000000 fi=0000000000000000 fe=0 old_pp=00000000a80425fb old_pi=0000000000000000 old_pe=00000000a80425fb old_pa=0000000000000000 pp=00000000a80425fb pi=0000000000000000 pe=00000000a80425fb pa=0000000000000000
289type=EXECVE msg=audit(1721180010.254:687): argc=2 a0="ls" a1="--color=auto"
290type=CWD msg=audit(1721180010.254:687): cwd="/"
291type=PATH msg=audit(1721180010.254:687): item=0 name="/bin/ls" inode=39943 dev=00:29 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_share_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
292type=PATH msg=audit(1721180010.254:687): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=38631 dev=00:29 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_share_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
293type=PROCTITLE msg=audit(1721180010.254:687): proctitle=6C73002D2D636F6C6F723D6175746F
294---
295type=SYSCALL msg=audit(1721180010.260:688): arch=c000003e syscall=231 a0=0 a1=3c a2=0 a3=7f7cb1fcb250 items=0 ppid=3442 pid=3451 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="ls" exe="/bin/ls" subj=system_u:system_r:spc_t:s0 key=(null)
296type=PROCTITLE msg=audit(1721180010.260:688): proctitle=6C73002D2D636F6C6F723D6175746F
297---
298type=SYSCALL msg=audit(1721180016.276:689): arch=c000003e syscall=59 success=yes exit=0 a0=9205a8 a1=9206c8 a2=8fbe08 a3=598 items=2 ppid=3442 pid=3452 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="ls" exe="/bin/ls" subj=system_u:system_r:spc_t:s0 key=(null)
299type=BPRM_FCAPS msg=audit(1721180016.276:689): fver=0 fp=0000000000000000 fi=0000000000000000 fe=0 old_pp=00000000a80425fb old_pi=0000000000000000 old_pe=00000000a80425fb old_pa=0000000000000000 pp=00000000a80425fb pi=0000000000000000 pe=00000000a80425fb pa=0000000000000000
300type=EXECVE msg=audit(1721180016.276:689): argc=3 a0="ls" a1="--color=auto" a2="-alF"
301type=CWD msg=audit(1721180016.276:689): cwd="/"
302type=PATH msg=audit(1721180016.276:689): item=0 name="/bin/ls" inode=39943 dev=00:29 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_share_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
303type=PATH msg=audit(1721180016.276:689): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=38631 dev=00:29 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_share_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
304type=PROCTITLE msg=audit(1721180016.276:689): proctitle=6C73002D2D636F6C6F723D6175746F002D616C46
305---
306type=SYSCALL msg=audit(1721180016.284:690): arch=c000003e syscall=231 a0=0 a1=3c a2=0 a3=7f80840d8140 items=0 ppid=3442 pid=3452 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="ls" exe="/bin/ls" subj=system_u:system_r:spc_t:s0 key=(null)
307type=PROCTITLE msg=audit(1721180016.284:690): proctitle=6C73002D2D636F6C6F723D6175746F002D616C46
308---
309type=SYSCALL msg=audit(1721180019.825:691): arch=c000003e syscall=59 success=yes exit=0 a0=920248 a1=920148 a2=8fbe08 a3=598 items=2 ppid=3442 pid=3453 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=system_u:system_r:spc_t:s0 key=(null)
310type=BPRM_FCAPS msg=audit(1721180019.825:691): fver=0 fp=0000000000000000 fi=0000000000000000 fe=0 old_pp=00000000a80425fb old_pi=0000000000000000 old_pe=00000000a80425fb old_pa=0000000000000000 pp=00000000a80425fb pi=0000000000000000 pe=00000000a80425fb pa=0000000000000000
311type=EXECVE msg=audit(1721180019.825:691): argc=1 a0="vim"
312type=CWD msg=audit(1721180019.825:691): cwd="/"
313type=PATH msg=audit(1721180019.825:691): item=0 name="/usr/bin/vim" inode=36570 dev=00:29 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_share_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
314type=PATH msg=audit(1721180019.825:691): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=38631 dev=00:29 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_share_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
315type=PROCTITLE msg=audit(1721180019.825:691): proctitle="vim"
316---
317type=SYSCALL msg=audit(1721180023.165:692): arch=c000003e syscall=231 a0=0 a1=3c a2=0 a3=7f509814f140 items=0 ppid=3442 pid=3453 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=system_u:system_r:spc_t:s0 key=(null)
318type=PROCTITLE msg=audit(1721180023.165:692): proctitle="vim"
319---
320type=SYSCALL msg=audit(1721180025.784:693): arch=c000003e syscall=231 a0=0 a1=3c a2=0 a3=7ffe2dd08968 items=0 ppid=3357 pid=3442 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="bash" exe="/bin/bash" subj=system_u:system_r:spc_t:s0 key=(null)
321type=PROCTITLE msg=audit(1721180025.784:693): proctitle="/bin/bash"
322---
323type=SYSCALL msg=audit(1721180025.790:694): arch=c000003e syscall=231 a0=0 a1=0 a2=0 a3=4 items=0 ppid=2945 pid=3425 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="docker" exe="/usr/bin/docker" subj=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 key=(null)
324type=PROCTITLE msg=audit(1721180025.790:694): proctitle=646F636B65720065786563002D6974007562756E7475002F62696E2F62617368
325---
326type=SYSCALL msg=audit(1721180030.377:695): arch=c000003e syscall=59 success=yes exit=0 a0=1945bb0 a1=1a16800 a2=1a02870 a3=7ffcb50a1a20 items=2 ppid=2945 pid=3454 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="docker" exe="/usr/bin/docker" subj=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 key=(null)
327type=EXECVE msg=audit(1721180030.377:695): argc=3 a0="docker" a1="stop" a2="ubuntu"
328type=CWD msg=audit(1721180030.377:695): cwd="/home/player"
329type=PATH msg=audit(1721180030.377:695): item=0 name="/bin/docker" inode=103221779 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
330type=PATH msg=audit(1721180030.377:695): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
331type=PROCTITLE msg=audit(1721180030.377:695): proctitle=646F636B65720073746F70007562756E7475
332---
333type=SYSCALL msg=audit(1721180030.417:696): arch=c000003e syscall=59 success=yes exit=0 a0=c0002f4080 a1=c000024a80 a2=c00009d890 a3=0 items=2 ppid=3357 pid=3461 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc" exe="/usr/bin/runc" subj=system_u:system_r:container_runtime_t:s0 key=(null)
334type=EXECVE msg=audit(1721180030.417:696): argc=10 a0="runc" a1="--root" a2="/var/run/docker/runtime-runc/moby" a3="--log" a4="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8/log.json" a5="--log-format" a6="json" a7="kill" a8="a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8" a9="15"
335type=CWD msg=audit(1721180030.417:696): cwd="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8"
336type=PATH msg=audit(1721180030.417:696): item=0 name="/usr/bin/runc" inode=100665601 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
337type=PATH msg=audit(1721180030.417:696): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
338type=PROCTITLE msg=audit(1721180030.417:696): proctitle=72756E63002D2D726F6F74002F7661722F72756E2F646F636B65722F72756E74696D652D72756E632F6D6F6279002D2D6C6F67002F72756E2F636F6E7461696E6572642F696F2E636F6E7461696E6572642E72756E74696D652E76322E7461736B2F6D6F62792F61376332373634663566386435383464623766393033636365
339---
340type=SYSCALL msg=audit(1721180030.429:697): arch=c000003e syscall=231 a0=0 a1=1 a2=0 a3=0 items=0 ppid=3357 pid=3461 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc" exe="/usr/bin/runc" subj=system_u:system_r:container_runtime_t:s0 key=(null)
341type=PROCTITLE msg=audit(1721180030.429:697): proctitle=72756E63002D2D726F6F74002F7661722F72756E2F646F636B65722F72756E74696D652D72756E632F6D6F6279002D2D6C6F67002F72756E2F636F6E7461696E6572642F696F2E636F6E7461696E6572642E72756E74696D652E76322E7461736B2F6D6F62792F61376332373634663566386435383464623766393033636365
342---
343type=SYSCALL msg=audit(1721180030.429:698): arch=c000003e syscall=231 a0=0 a1=3c a2=0 a3=7ffc48ca71f8 items=0 ppid=3357 pid=3378 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="bash" exe="/bin/bash" subj=system_u:system_r:spc_t:s0 key=(null)
344type=PROCTITLE msg=audit(1721180030.429:698): proctitle="/bin/bash"
345---
346type=SYSCALL msg=audit(1721180030.451:699): arch=c000003e syscall=231 a0=0 a1=0 a2=0 a3=ffffffffffffff60 items=0 ppid=57 pid=3467 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-cgroups" exe="/usr/lib/systemd/systemd-cgroups-agent" subj=system_u:system_r:init_t:s0 key=(null)
347type=PROCTITLE msg=audit(1721180030.451:699): proctitle=2F7573722F6C69622F73797374656D642F73797374656D642D6367726F7570732D6167656E74002F646F636B65722F61376332373634663566386435383464623766393033636365646632333336656666343031343531666231303936373865613336373635336662393265356238
348---
349type=SYSCALL msg=audit(1721180030.453:700): arch=c000003e syscall=59 success=yes exit=0 a0=c000012400 a1=c0001c2140 a2=c00007e9f0 a3=0 items=2 ppid=3357 pid=3468 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc" exe="/usr/bin/runc" subj=system_u:system_r:container_runtime_t:s0 key=(null)
350type=EXECVE msg=audit(1721180030.453:700): argc=9 a0="runc" a1="--root" a2="/var/run/docker/runtime-runc/moby" a3="--log" a4="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8/log.json" a5="--log-format" a6="json" a7="delete" a8="a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8"
351type=CWD msg=audit(1721180030.453:700): cwd="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8"
352type=PATH msg=audit(1721180030.453:700): item=0 name="/usr/bin/runc" inode=100665601 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
353type=PATH msg=audit(1721180030.453:700): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
354type=PROCTITLE msg=audit(1721180030.453:700): proctitle=72756E63002D2D726F6F74002F7661722F72756E2F646F636B65722F72756E74696D652D72756E632F6D6F6279002D2D6C6F67002F72756E2F636F6E7461696E6572642F696F2E636F6E7461696E6572642E72756E74696D652E76322E7461736B2F6D6F62792F61376332373634663566386435383464623766393033636365
355---
356type=SYSCALL msg=audit(1721180030.485:701): arch=c000003e syscall=231 a0=0 a1=56455e45cce0 a2=0 a3=c000048890 items=0 ppid=3357 pid=3468 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc" exe="/usr/bin/runc" subj=system_u:system_r:container_runtime_t:s0 key=(null)
357type=PROCTITLE msg=audit(1721180030.485:701): proctitle=72756E63002D2D726F6F74002F7661722F72756E2F646F636B65722F72756E74696D652D72756E632F6D6F6279002D2D6C6F67002F72756E2F636F6E7461696E6572642F696F2E636F6E7461696E6572642E72756E74696D652E76322E7461736B2F6D6F62792F61376332373634663566386435383464623766393033636365
358---
359type=SYSCALL msg=audit(1721180030.488:702): arch=c000003e syscall=231 a0=0 a1=c0001d0300 a2=0 a3=10 items=0 ppid=1 pid=3357 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="containerd-shim" exe="/usr/bin/containerd-shim-runc-v2" subj=system_u:system_r:container_runtime_t:s0 key=(null)
360type=PROCTITLE msg=audit(1721180030.488:702): proctitle=2F7573722F62696E2F636F6E7461696E6572642D7368696D2D72756E632D7632002D6E616D657370616365006D6F6279002D69640061376332373634663566386435383464623766393033636365646632333336656666343031343531666231303936373865613336373635336662393265356238002D61646472657373002F
361---
362type=SYSCALL msg=audit(1721180030.488:703): arch=c000003e syscall=231 a0=0 a1=0 a2=0 a3=ffffffffffffff60 items=0 ppid=57 pid=3473 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-cgroups" exe="/usr/lib/systemd/systemd-cgroups-agent" subj=system_u:system_r:init_t:s0 key=(null)
363type=PROCTITLE msg=audit(1721180030.488:703): proctitle=2F7573722F6C69622F73797374656D642F73797374656D642D6367726F7570732D6167656E74002F646F636B6572
364---
365type=SYSCALL msg=audit(1721180030.490:704): arch=c000003e syscall=59 success=yes exit=0 a0=c00054a300 a1=c00030b260 a2=c000514400 a3=0 items=1 ppid=1139 pid=3474 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="containerd-shim" exe="/usr/bin/containerd-shim-runc-v2" subj=system_u:system_r:container_runtime_t:s0 key=(null)
366type=EXECVE msg=audit(1721180030.490:704): argc=12 a0="/usr/bin/containerd-shim-runc-v2" a1="-namespace" a2="moby" a3="-address" a4="/run/containerd/containerd.sock" a5="-publish-binary" a6="/usr/bin/containerd" a7="-id" a8="a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8" a9="-bundle" a10="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8" a11="delete"
367type=CWD msg=audit(1721180030.490:704): cwd="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8"
368type=PATH msg=audit(1721180030.490:704): item=0 name="/usr/bin/containerd-shim-runc-v2" inode=100665599 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
369type=PROCTITLE msg=audit(1721180030.490:704): proctitle=2F7573722F62696E2F636F6E7461696E6572642D7368696D2D72756E632D7632002D6E616D657370616365006D6F6279002D61646472657373002F72756E2F636F6E7461696E6572642F636F6E7461696E6572642E736F636B002D7075626C6973682D62696E617279002F7573722F62696E2F636F6E7461696E657264002D69
370---
371type=SYSCALL msg=audit(1721180030.497:705): arch=c000003e syscall=59 success=yes exit=0 a0=c0001ac3e0 a1=c000180480 a2=c00019c4b0 a3=0 items=2 ppid=3474 pid=3480 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc" exe="/usr/bin/runc" subj=system_u:system_r:container_runtime_t:s0 key=(null)
372type=EXECVE msg=audit(1721180030.497:705): argc=10 a0="runc" a1="--root" a2="/var/run/docker/runtime-runc/moby" a3="--log" a4="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8/log.json" a5="--log-format" a6="json" a7="delete" a8="--force" a9="a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8"
373type=CWD msg=audit(1721180030.497:705): cwd="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8"
374type=PATH msg=audit(1721180030.497:705): item=0 name="/usr/bin/runc" inode=100665601 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
375type=PATH msg=audit(1721180030.497:705): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
376type=PROCTITLE msg=audit(1721180030.497:705): proctitle=72756E63002D2D726F6F74002F7661722F72756E2F646F636B65722F72756E74696D652D72756E632F6D6F6279002D2D6C6F67002F72756E2F636F6E7461696E6572642F696F2E636F6E7461696E6572642E72756E74696D652E76322E7461736B2F6D6F62792F61376332373634663566386435383464623766393033636365
377---
378type=SYSCALL msg=audit(1721180030.504:706): arch=c000003e syscall=231 a0=0 a1=36 a2=0 a3=8c3 items=0 ppid=3474 pid=3480 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc" exe="/usr/bin/runc" subj=system_u:system_r:container_runtime_t:s0 key=(null)
379type=PROCTITLE msg=audit(1721180030.504:706): proctitle=72756E63002D2D726F6F74002F7661722F72756E2F646F636B65722F72756E74696D652D72756E632F6D6F6279002D2D6C6F67002F72756E2F636F6E7461696E6572642F696F2E636F6E7461696E6572642E72756E74696D652E76322E7461736B2F6D6F62792F61376332373634663566386435383464623766393033636365
380---
381type=SYSCALL msg=audit(1721180030.505:707): arch=c000003e syscall=231 a0=0 a1=1 a2=0 a3=0 items=0 ppid=1139 pid=3474 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="containerd-shim" exe="/usr/bin/containerd-shim-runc-v2" subj=system_u:system_r:container_runtime_t:s0 key=(null)
382type=PROCTITLE msg=audit(1721180030.505:707): proctitle=2F7573722F62696E2F636F6E7461696E6572642D7368696D2D72756E632D7632002D6E616D657370616365006D6F6279002D61646472657373002F72756E2F636F6E7461696E6572642F636F6E7461696E6572642E736F636B002D7075626C6973682D62696E617279002F7573722F62696E2F636F6E7461696E657264002D69
383---
384type=SYSCALL msg=audit(1721180030.539:708): arch=c000003e syscall=59 success=yes exit=0 a0=7ffdf0c1eda0 a1=7ffdf0c1e9a0 a2=55cdb4902ea0 a3=8 items=2 ppid=3486 pid=3487 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
385type=EXECVE msg=audit(1721180030.539:708): argc=5 a0="/usr/lib/systemd/systemd-sysctl" a1="--prefix=/net/ipv4/conf/vethee301d7" a2="--prefix=/net/ipv4/neigh/vethee301d7" a3="--prefix=/net/ipv6/conf/vethee301d7" a4="--prefix=/net/ipv6/neigh/vethee301d7"
386type=CWD msg=audit(1721180030.539:708): cwd="/"
387type=PATH msg=audit(1721180030.539:708): item=0 name="/usr/lib/systemd/systemd-sysctl" inode=355868 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:systemd_sysctl_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
388type=PATH msg=audit(1721180030.539:708): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
389type=PROCTITLE msg=audit(1721180030.539:708): proctitle=2F7573722F6C69622F73797374656D642F73797374656D642D73797363746C002D2D7072656669783D2F6E65742F697076342F636F6E662F7665746865653330316437002D2D7072656669783D2F6E65742F697076342F6E656967682F7665746865653330316437002D2D7072656669783D2F6E65742F697076362F636F6E66
390---
391type=SYSCALL msg=audit(1721180030.542:709): arch=c000003e syscall=231 a0=0 a1=0 a2=0 a3=ffffffffffffff60 items=0 ppid=3486 pid=3487 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
392type=PROCTITLE msg=audit(1721180030.542:709): proctitle=2F7573722F6C69622F73797374656D642F73797374656D642D73797363746C002D2D7072656669783D2F6E65742F697076342F636F6E662F7665746865653330316437002D2D7072656669783D2F6E65742F697076342F6E656967682F7665746865653330316437002D2D7072656669783D2F6E65742F697076362F636F6E66
393---
394type=ANOM_PROMISCUOUS msg=audit(1721180030.543:710): dev=vethc3c7cd5 prom=0 old_prom=256 auid=4294967295 uid=0 gid=0 ses=4294967295
395type=SYSCALL msg=audit(1721180030.543:710): arch=c000003e syscall=44 success=yes exit=32 a0=e a1=c0012182a0 a2=20 a3=0 items=0 ppid=1 pid=1315 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dockerd" exe="/usr/bin/dockerd" subj=system_u:system_r:container_runtime_t:s0 key=(null)
396type=SOCKADDR msg=audit(1721180030.543:710): saddr=100000000000000000000000
397type=PROCTITLE msg=audit(1721180030.543:710): proctitle=2F7573722F62696E2F646F636B657264002D480066643A2F2F002D2D636F6E7461696E6572643D2F72756E2F636F6E7461696E6572642F636F6E7461696E6572642E736F636B
398---
399type=SYSCALL msg=audit(1721180030.598:711): arch=c000003e syscall=231 a0=0 a1=0 a2=0 a3=4 items=0 ppid=2945 pid=3454 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="docker" exe="/usr/bin/docker" subj=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 key=(null)
400type=PROCTITLE msg=audit(1721180030.598:711): proctitle=646F636B65720073746F70007562756E7475
401---
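--- /dev/null
+++ b/old/audit.go
@@ -0,0 +1,127 @@
+package main
+
+import (
+ "errors"
+ "flag"
+ "fmt"
+ "io"
+ "log"
+ "os"
+
+ "github.com/elastic/go-libaudit/v2"
+ "github.com/elastic/go-libaudit/v2/auparse"
+)
+
+var (
+ fs = flag.NewFlagSet("audit", flag.ExitOnError)
+ diag = fs.String("diag", "", "dump raw information from kernel to file")
+ rate = fs.Uint("rate", 0, "rate limit in kernel (default 0, no rate limit)")
+ backlog = fs.Uint("backlog", 8192, "backlog limit")
+ immutable = fs.Bool("immutable", false, "make kernel audit settings immutable (requires reboot to undo)")
+ receiveOnly = fs.Bool("ro", false, "receive only using multicast, requires kernel 3.16+")
+)
+
+func main() {
+ if err := fs.Parse(os.Args[1:]); err != nil {
+ log.Fatal(err)
+ }
+
+ if err := read(); err != nil {
+ log.Fatalf("error: %v", err)
+ }
+}
+
+func read() error {
+ if os.Geteuid() != 0 {
+ return errors.New("you must be root to receive audit data")
+ }
+
+ // Write netlink response to a file for further analysis or for writing
+ // tests cases.
+ var diagWriter io.Writer
+ if *diag != "" {
+ f, err := os.OpenFile(*diag, os.O_CREATE|os.O_RDWR|os.O_TRUNC, 0o600)
+ if err != nil {
+ return err
+ }
+ defer f.Close()
+ diagWriter = f
+ }
+
+ log.Println("starting netlink client")
+
+ var err error
+ var client *libaudit.AuditClient
+ if *receiveOnly {
+ client, err = libaudit.NewMulticastAuditClient(diagWriter)
+ if err != nil {
+ return fmt.Errorf("failed to create receive-only audit client: %w", err)
+ }
+ defer client.Close()
+ } else {
+ client, err = libaudit.NewAuditClient(diagWriter)
+ if err != nil {
+ return fmt.Errorf("failed to create audit client: %w", err)
+ }
+ defer client.Close()
+
+ status, err := client.GetStatus()
+ if err != nil {
+ return fmt.Errorf("failed to get audit status: %w", err)
+ }
+ log.Printf("received audit status=%+v", status)
+
+ if status.Enabled == 0 {
+ log.Println("enabling auditing in the kernel")
+ if err = client.SetEnabled(true, libaudit.WaitForReply); err != nil {
+ return fmt.Errorf("failed to set enabled=true: %w", err)
+ }
+ }
+
+ if status.RateLimit != uint32(*rate) {
+ log.Printf("setting rate limit in kernel to %v", *rate)
+ if err = client.SetRateLimit(uint32(*rate), libaudit.NoWait); err != nil {
+ return fmt.Errorf("failed to set rate limit to unlimited: %w", err)
+ }
+ }
+
+ if status.BacklogLimit != uint32(*backlog) {
+ log.Printf("setting backlog limit in kernel to %v", *backlog)
+ if err = client.SetBacklogLimit(uint32(*backlog), libaudit.NoWait); err != nil {
+ return fmt.Errorf("failed to set backlog limit: %w", err)
+ }
+ }
+
+ if status.Enabled != 2 && *immutable {
+ log.Printf("setting kernel settings as immutable")
+ if err = client.SetImmutable(libaudit.NoWait); err != nil {
+ return fmt.Errorf("failed to set kernel as immutable: %w", err)
+ }
+ }
+
+ log.Printf("sending message to kernel registering our PID (%v) as the audit daemon", os.Getpid())
+ if err = client.SetPID(libaudit.NoWait); err != nil {
+ return fmt.Errorf("failed to set audit PID: %w", err)
+ }
+ }
+
+ return receive(client)
+}
+
+func receive(r *libaudit.AuditClient) error {
+ for {
+ rawEvent, err := r.Receive(false)
+ if err != nil {
+ return fmt.Errorf("receive failed: %w", err)
+ }
+
+ // Messages from 1300-2999 are valid audit messages.
+ if rawEvent.Type < auparse.AUDIT_USER_AUTH ||
+ rawEvent.Type > auparse.AUDIT_LAST_USER_MSG2 {
+ continue
+ }
+
+ fmt.Printf("type=%v msg=%s\n", rawEvent.Type, rawEvent.Data)
+ // fmt.Printf("type=%v\n", rawEvent.Type)
+ }
+}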
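Review bot: The type filter in receive() does not match its own comment: the comment says 1300-2999, but the lower bound used is `auparse.AUDIT_USER_AUTH`, which in the kernel's audit.h is 1100, so user-space records 1100–1299 are passed through as well; either fix the comment to `// Messages from 1100-2999 (AUDIT_USER_AUTH..AUDIT_LAST_USER_MSG2) are audit records.` or switch the lower bound to the constant for the range actually intended. The error string on the SetRateLimit failure path says "to unlimited" whatever `*rate` holds; `return fmt.Errorf("failed to set rate limit to %d: %w", *rate, err)` reports what was actually attempted. receive() only ever returns on a Receive error, so on SIGINT/SIGTERM the deferred client.Close() in read() never runs even though this process has just registered itself as the kernel's audit daemon via SetPID; a signal handler or context that makes the loop return would let the client close cleanly and release that registration.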
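--- /dev/null
+++ b/old/auparse.go
@@ -0,0 +1,218 @@
+package main
+
+import (
+ "bufio"
+ "encoding/json"
+ "flag"
+ "fmt"
+ "io"
+ "log"
+ "os"
+ "time"
+
+ "gopkg.in/yaml.v3"
+
+ "github.com/elastic/go-libaudit/v2"
+ "github.com/elastic/go-libaudit/v2/aucoalesce"
+ "github.com/elastic/go-libaudit/v2/auparse"
+)
+
+var (
+ fs = flag.NewFlagSet("auparse", flag.ExitOnError)
+ in = fs.String("in", "-", "input file (defaults to stdin)")
+ out = fs.String("out", "-", "output file (defaults to stdout)")
+ interpret = fs.Bool("i", false, "interpret and normalize messages")
+ idLookup = fs.Bool("id", true, "lookup uid and gid values in messages (requires -i)")
+ format = fs.String("format", "", "output format, possible values - json, yaml, text (default)")
+)
+
+func main() {
+ if err := fs.Parse(os.Args[1:]); err != nil {
+ log.Fatal(err)
+ }
+
+ if err := processLogs(); err != nil {
+ log.Fatalf("error: %v", err)
+ }
+}
+
+func input() (io.ReadCloser, error) {
+ if *in == "-" {
+ return os.Stdin, nil
+ }
+
+ return os.Open(*in)
+}
+
+func output() (io.WriteCloser, error) {
+ if *out == "-" {
+ return os.Stdout, nil
+ }
+
+ return os.OpenFile(*out, os.O_CREATE|os.O_RDWR|os.O_TRUNC, 0o600)
+}
+
+func processLogs() error {
+ input, err := input()
+ if err != nil {
+ return err
+ }
+ defer input.Close()
+
+ output, err := output()
+ if err != nil {
+ return err
+ }
+ defer output.Close()
+
+ reassembler, err := libaudit.NewReassembler(5, 2*time.Second, &streamHandler{output})
+ if err != nil {
+ return fmt.Errorf("failed to create reassmbler: %w", err)
+ }
+ defer reassembler.Close()
+
+ // Start goroutine to periodically purge timed-out events.
+ go func() {
+ t := time.NewTicker(500 * time.Millisecond)
+ defer t.Stop()
+ for range t.C {
+ if reassembler.Maintain() != nil {
+ return
+ }
+ }
+ }()
+
+ // Process lines from the input.
+ s := bufio.NewScanner(input)
+ for s.Scan() {
+ line := s.Text()
+
+ auditMsg, err := auparse.ParseLogLine(line)
+ if err != nil {
+ log.Printf("failed to parse message header: %v", err)
+ }
+
+ reassembler.PushMessage(auditMsg)
+ }
+
+ return nil
+}
+
+type streamHandler struct {
+ output io.Writer
+}
+
+func (s *streamHandler) ReassemblyComplete(msgs []*auparse.AuditMessage) {
+ if err := s.outputMultipleMessages(msgs); err != nil {
+ log.Printf("[WARN] failed writing message to output: %v", err)
+ }
+}
+
+func (*streamHandler) EventsLost(count int) {
+ log.Printf("detected the loss of %v sequences.", count)
+}
+
+func (s *streamHandler) outputMultipleMessages(msgs []*auparse.AuditMessage) error {
+ var err error
+ if !*interpret {
+ if _, err = s.output.Write([]byte("---\n")); err != nil {
+ return err
+ }
+ for _, m := range msgs {
+ if err = s.outputSingleMessage(m); err != nil {
+ return err
+ }
+ }
+ return nil
+ }
+
+ event, err := aucoalesce.CoalesceMessages(msgs)
+ if err != nil {
+ log.Printf("failed to coalesce messages: %v", err)
+ return nil
+ }
+
+ if *idLookup {
+ aucoalesce.ResolveIDs(event)
+ }
+
+ switch *format {
+ case "json":
+ if err := s.printJSON(event); err != nil {
+ log.Printf("failed to marshal event to JSON: %v", err)
+ }
+ case "yaml":
+ if _, err := s.output.Write([]byte("---\n")); err != nil {
+ return err
+ }
+ if err := s.printYAML(event); err != nil {
+ log.Printf("failed to marshal message to YAML: %v", err)
+ }
+ default:
+ sm := event.Summary
+ if _, err := s.output.Write([]byte("---\n")); err != nil {
+ return err
+ }
+
+ _, err := fmt.Fprintf(
+ s.output,
+ `time="%v" sequence=%v category=%v type=%v actor=%v/%v action=%v thing=%v/%v how=%v tags=%v`+"\n",
+ event.Timestamp, event.Sequence, event.Category, event.Type, sm.Actor.Primary, sm.Actor.Secondary,
+ sm.Action, sm.Object.Primary, sm.Object.Secondary, sm.How, event.Tags,
+ )
+ if err != nil {
+ return err
+ }
+ }
+ return nil
+}
+
+func (s *streamHandler) outputSingleMessage(m *auparse.AuditMessage) error {
+ switch *format {
+ case "json":
+ if err := s.printJSON(m.ToMapStr()); err != nil {
+ log.Printf("failed to marshal message to JSON: %v", err)
+ }
+ case "yaml":
+ if err := s.printYAML(m.ToMapStr()); err != nil {
+ log.Printf("failed to marshal message to YAML: %v", err)
+ }
+ default:
+ if _, err := fmt.Fprintf(
+ s.output,
+ "type=%v msg=%v\n",
+ m.RecordType, m.RawData,
+ ); err != nil {
+ return err
+ }
+ }
+ return nil
+}
+
+func (s *streamHandler) printJSON(v interface{}) error {
+ jsonBytes, err := json.Marshal(v)
+ if err != nil {
+ return err
+ }
+ if _, err = s.output.Write(jsonBytes); err != nil {
+ return err
+ }
+ if _, err = s.output.Write([]byte("\n")); err != nil {
+ return err
+ }
+ return nil
+}
+
+func (s *streamHandler) printYAML(v interface{}) error {
+ yamlBytes, err := yaml.Marshal(v)
+ if err != nil {
+ return err
+ }
+ if _, err = s.output.Write(yamlBytes); err != nil {
+ return err
+ }
+ if _, err = s.output.Write([]byte("\n")); err != nil {
+ return err
+ }
+ return nil
+}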
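Review bot: processLogs() still calls `reassembler.PushMessage(auditMsg)` after `auparse.ParseLogLine` has returned an error (the parse failure is only logged), so one malformed line in the input reaches the reassembler with whatever the parser returns on failure, presumably nil, and a log that is being analysed should not be able to take the parser down that way; add `continue` inside the `if err != nil` block after the log.Printf. The scan loop also never consults `s.Err()`, so a read failure or an over-long line ends the loop and the function reports success; `return s.Err()` in place of the final `return nil` surfaces it. As a point of style, `input, err := input()` and `output, err := output()` shadow the two package-level functions with locals of the same name, which compiles but is easy to misread; `r`/`w` (or `src`/`dst`) for the locals would remove the trap.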