-rw-r--r--.gitignore2
-rwxr-xr-xbuild.sh7
-rw-r--r--go.mod15
-rw-r--r--go.sum57
-rw-r--r--godo.go213
-rw-r--r--logs/fuck.log401
-rw-r--r--old/audit.go127
-rw-r--r--old/auparse.go218
8 files changed, 1040 insertions, 0 deletions
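--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+.vscode/*
+godo
\ No newline at end of file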
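--- /dev/null
+++ b/build.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+set -e
+docker_api_version=$(docker version)
+docker_api_version=$(docker version | grep API | head -n 1 | awk '{print $3}')
+echo "Docker API version is $docker_api_version..."
+export DOCKER_API_VERSION=$docker_api_version
\ No newline at end of file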
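Review bot: Line 4 `docker_api_version=$(docker version)` is dead, since line 5 overwrites it immediately, and the pipeline on line 5 masks failure: under `set -e` only awk's exit status counts, so a stopped daemon or a changed `docker version` layout leaves `DOCKER_API_VERSION` empty while the script reports success. Change line 3 to `set -eo pipefail` and drop line 4, or keep it only as an explicit `docker version >/dev/null` reachability check. Note also that the `export` on line 7 only affects the script's own process; unless the file is `source`d, whatever build step runs afterwards will not see the variable.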
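--- /dev/null
+++ b/go.mod
@@ -0,0 +1,15 @@
+module godo
+
+go 1.21.5
+
+require (
+	github.com/elastic/go-libaudit/v2 v2.5.0
+	gopkg.in/yaml.v3 v3.0.1
+)
+
+require (
+	go.uber.org/atomic v1.7.0 // indirect
+	go.uber.org/multierr v1.7.0 // indirect
+	golang.org/x/sys v0.11.0 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+)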
diff --git a/go.sum b/go.sum
new file mode 100644
index 0000000..6880c39
--- /dev/null
+++ b/go.sum
@@ -0,0 +1,57 @@
1github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
2github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
3github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
4github.com/elastic/go-libaudit/v2 v2.5.0 h1:5OK919QRnGtcjVBz3n/cs5F42im1mPlVTA9TyIn2K54=
5github.com/elastic/go-libaudit/v2 v2.5.0/go.mod h1:AjlnhinP+kKQuUJoXLVrqxBM8uyhQmkzoV6jjsCFP4Q=
6github.com/elastic/go-licenser v0.4.1 h1:1xDURsc8pL5zYT9R29425J3vkHdt4RT5TNEMeRN48x4=
7github.com/elastic/go-licenser v0.4.1/go.mod h1:V56wHMpmdURfibNBggaSBfqgPxyT1Tldns1i87iTEvU=
8github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs=
9github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
10github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
11github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
12github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
13github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
14github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
15github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
16github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
17go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw=
18go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
19go.uber.org/multierr v1.7.0 h1:zaiO/rmgFjbmCXdSYJWQcdvOCsthmdaHfr3Gm2Kx4Ec=
20go.uber.org/multierr v1.7.0/go.mod h1:7EAYxJLBy9rStEaz58O2t4Uvip6FSURkq8/ppBp95ak=
21golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
22golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
23golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
24golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
25golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
26golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
27golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
28golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
29golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
30golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
31golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
32golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
33golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
34golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
35golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
36golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
37golang.org/x/sys v0.0.0-20211102192858-4dd72447c267/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
38golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM=
39golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
40golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
41golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
42golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
43golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
44golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
45golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
46golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo=
47golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
48golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
49golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
50gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
51gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
52gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
53gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
54gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
55gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
56gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
57gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
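--- /dev/null
+++ b/godo.go
@@ -0,0 +1,213 @@
+package main
+
+import (
+	"bufio"
+	"flag"
+	"fmt"
+	"io"
+	"log"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"sync"
+
+	"github.com/elastic/go-libaudit/v2"
+	"github.com/elastic/go-libaudit/v2/auparse"
+)
+
+var (
+	fs          = flag.NewFlagSet("audit", flag.ExitOnError)
+	diag        = fs.String("diag", "", "dump raw information from kernel to file")
+	rate        = fs.Uint("rate", 0, "rate limit in kernel (default 0, no rate limit)")
+	backlog     = fs.Uint("backlog", 8192, "backlog limit")
+	immutable   = fs.Bool("immutable", false, "make kernel audit settings immutable (requires reboot to undo)")
+	receiveOnly = fs.Bool("ro", false, "receive only using multicast, requires kernel 3.16+")
+)
+
+type process struct {
+	cmdline  string
+	rootfs   string
+	children []int
+}
+
+var pids map[int]*process //古希腊掌管进程的神
+var containers map[string]int // 古希腊掌管容器的神
+var wg sync.WaitGroup // 掌管协程
+
+func main() {
+	// 检查用户身份,并添加auditd规则,监听所有syscall
+	if os.Geteuid() != 0 {
+		fmt.Printf("Err: Please run me as root, %d!\n", os.Getegid())
+		return
+	}
+	syscall := [5]string{"fork", "vfork", "execve", "exit", "exit_group"}
+	var auditCmd *exec.Cmd
+	auditCmd = exec.Command("auditctl", "-D") // 清空所有规则
+	auditCmd.Run()
+	// 设置监听规则
+	for i := 0; i < 5; i++ {
+		auditCmd = exec.Command("auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", syscall[i])
+		auditCmd.Run()
+	}
+
+	// 查找pid
+	containerdPid, err := getPid()
+	if err != nil {
+		fmt.Printf("Error finding containerd: %v\n", err)
+		return
+	}
+
+	pids = make(map[int]*process)
+	containers = make(map[string]int)
+	pids[containerdPid] = &process{cmdline: "/usr/bin/cmdline", rootfs: "/", children: make([]int, 0)}
+
+	// 开始运行,解析命令行参数后监听
+	if err := fs.Parse(os.Args[1:]); err != nil {
+		log.Fatal(err)
+	}
+
+	if err := read(); err != nil {
+		log.Fatalf("error: %v", err)
+	}
+}
+
+func getPid() (int, error) {
+	// 指定要搜索的关键词
+	keyword := "/usr/bin/containerd"
+
+	// 获取/proc目录下的所有子目录
+	procDir, err := filepath.Glob("/proc/*")
+	if err != nil {
+		return 0, err
+	}
+
+	// 遍历子目录,查找包含关键词的进程
+	for _, dir := range procDir {
+		pid, err := strconv.Atoi(filepath.Base(dir))
+		if err != nil {
+			continue // 跳过非PID的目录
+		}
+
+		// 检查进程是否包含关键词
+		if containsKeyword(pid, keyword) {
+			return pid, nil
+		}
+	}
+	err = fmt.Errorf("Error: no containerd process found.\n")
+	return 0, err
+}
+
+func containsKeyword(pid int, keyword string) bool {
+	// 构造完整的进程命令路径
+	cmdPath := fmt.Sprintf("/proc/%d/cmdline", pid)
+
+	// 打开文件
+	file, err := os.Open(cmdPath)
+	if err != nil {
+		return false
+	}
+	defer file.Close()
+
+	// 读取文件内容
+	scanner := bufio.NewScanner(file)
+	scanner.Split(bufio.ScanLines)
+	for scanner.Scan() {
+		line := scanner.Text()
+		if strings.Contains(line, keyword) {
+			return true
+		}
+	}
+	return false
+}
+
+func read() error {
+	// Write netlink response to a file for further analysis or for writing
+	// tests cases.
+	var diagWriter io.Writer
+	if *diag != "" {
+		f, err := os.OpenFile(*diag, os.O_CREATE|os.O_RDWR|os.O_TRUNC, 0o600)
+		if err != nil {
+			return err
+		}
+		defer f.Close()
+		diagWriter = f
+	}
+
+	log.Println("starting netlink client")
+
+	var err error
+	var client *libaudit.AuditClient
+	if *receiveOnly {
+		client, err = libaudit.NewMulticastAuditClient(diagWriter)
+		if err != nil {
+			return fmt.Errorf("failed to create receive-only audit client: %w", err)
+		}
+		defer client.Close()
+	} else {
+		client, err = libaudit.NewAuditClient(diagWriter)
+		if err != nil {
+			return fmt.Errorf("failed to create audit client: %w", err)
+		}
+		defer client.Close()
+
+		status, err := client.GetStatus()
+		if err != nil {
+			return fmt.Errorf("failed to get audit status: %w", err)
+		}
+		log.Printf("received audit status=%+v", status)
+
+		if status.Enabled == 0 {
+			log.Println("enabling auditing in the kernel")
+			if err = client.SetEnabled(true, libaudit.WaitForReply); err != nil {
+				return fmt.Errorf("failed to set enabled=true: %w", err)
+			}
+		}
+
+		if status.RateLimit != uint32(*rate) {
+			log.Printf("setting rate limit in kernel to %v", *rate)
+			if err = client.SetRateLimit(uint32(*rate), libaudit.NoWait); err != nil {
+				return fmt.Errorf("failed to set rate limit to unlimited: %w", err)
+			}
+		}
+
+		if status.BacklogLimit != uint32(*backlog) {
+			log.Printf("setting backlog limit in kernel to %v", *backlog)
+			if err = client.SetBacklogLimit(uint32(*backlog), libaudit.NoWait); err != nil {
+				return fmt.Errorf("failed to set backlog limit: %w", err)
+			}
+		}
+
+		if status.Enabled != 2 && *immutable {
+			log.Printf("setting kernel settings as immutable")
+			if err = client.SetImmutable(libaudit.NoWait); err != nil {
+				return fmt.Errorf("failed to set kernel as immutable: %w", err)
+			}
+		}
+
+		log.Printf("sending message to kernel registering our PID (%v) as the audit daemon", os.Getpid())
+		if err = client.SetPID(libaudit.NoWait); err != nil {
+			return fmt.Errorf("failed to set audit PID: %w", err)
+		}
+	}
+
+	return receive(client)
+}
+
+func receive(r *libaudit.AuditClient) error {
+	for {
+		rawEvent, err := r.Receive(false)
+		if err != nil {
+			return fmt.Errorf("receive failed: %w", err)
+		}
+
+		// Messages from 1300-2999 are valid audit messages.
+		if rawEvent.Type < auparse.AUDIT_USER_AUTH ||
+			rawEvent.Type > auparse.AUDIT_LAST_USER_MSG2 {
+			continue
+		}
+
+		fmt.Printf("type=%v msg=%s\n", rawEvent.Type, rawEvent.Data)
+	}
+}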
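Review bot: The `auditCmd.Run()` calls on lines 48 and 52 discard their error, so if `auditctl` is missing, lacks privilege, or rejects a rule, the program carries on as though fork/execve/exit auditing were in place while the kernel records nothing; change both to `if err := auditCmd.Run(); err != nil { log.Fatalf("auditctl %v: %v", auditCmd.Args, err) }`. Line 47's `auditctl -D` also silently wipes every pre-existing audit rule on the host, and `-F arch=b64` alone leaves 32-bit (`arch=b32`) syscalls unaudited, so at minimum log what is being replaced and tag the new rules with `-k` so they can be removed selectively on exit. In `containsKeyword` (line 118) `strings.Contains` is a substring test, so a `containerd-shim-runc-v2` process, whose argv carries `/usr/bin/containerd` as its `-publish-binary` argument in the committed log, can be returned by `getPid` instead of containerd itself; compare the first NUL-separated field of `/proc/<pid>/cmdline` for equality instead. Finally, `fs.Parse` on line 67 runs after the rules are installed, so `-h` or a bad flag exits having already changed kernel audit state; parse flags before touching auditctl.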
diff --git a/logs/fuck.log b/logs/fuck.log
new file mode 100644
index 0000000..4686a03
--- /dev/null
+++ b/logs/fuck.log
@@ -0,0 +1,401 @@
1type=SYSCALL msg=audit(1721179984.136:629): arch=c000003e syscall=59 success=yes exit=0 a0=1a16830 a1=193e6e0 a2=1a02870 a3=7ffcb50a1a20 items=2 ppid=2945 pid=3339 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="docker" exe="/usr/bin/docker" subj=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 key=(null)
2type=EXECVE msg=audit(1721179984.136:629): argc=3 a0="docker" a1="start" a2="ubuntu"
3type=CWD msg=audit(1721179984.136:629): cwd="/home/player"
4type=PATH msg=audit(1721179984.136:629): item=0 name="/bin/docker" inode=103221779 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
5type=PATH msg=audit(1721179984.136:629): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
6type=PROCTITLE msg=audit(1721179984.136:629): proctitle=646F636B6572007374617274007562756E7475
7---
8type=ANOM_PROMISCUOUS msg=audit(1721179984.167:630): dev=vethc3c7cd5 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
9type=SYSCALL msg=audit(1721179984.167:630): arch=c000003e syscall=44 success=yes exit=40 a0=e a1=c001190420 a2=28 a3=0 items=0 ppid=1 pid=1315 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dockerd" exe="/usr/bin/dockerd" subj=system_u:system_r:container_runtime_t:s0 key=(null)
10type=SOCKADDR msg=audit(1721179984.167:630): saddr=100000000000000000000000
11type=PROCTITLE msg=audit(1721179984.167:630): proctitle=2F7573722F62696E2F646F636B657264002D480066643A2F2F002D2D636F6E7461696E6572643D2F72756E2F636F6E7461696E6572642F636F6E7461696E6572642E736F636B
12---
13type=SYSCALL msg=audit(1721179984.170:631): arch=c000003e syscall=59 success=yes exit=0 a0=7ffdf0c1eda0 a1=7ffdf0c1e9a0 a2=55cdb48fd710 a3=8 items=2 ppid=3345 pid=3347 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
14type=EXECVE msg=audit(1721179984.170:631): argc=5 a0="/usr/lib/systemd/systemd-sysctl" a1="--prefix=/net/ipv4/conf/vethee301d7" a2="--prefix=/net/ipv4/neigh/vethee301d7" a3="--prefix=/net/ipv6/conf/vethee301d7" a4="--prefix=/net/ipv6/neigh/vethee301d7"
15type=CWD msg=audit(1721179984.170:631): cwd="/"
16type=PATH msg=audit(1721179984.170:631): item=0 name="/usr/lib/systemd/systemd-sysctl" inode=355868 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:systemd_sysctl_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
17type=PATH msg=audit(1721179984.170:631): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
18type=PROCTITLE msg=audit(1721179984.170:631): proctitle=2F7573722F6C69622F73797374656D642F73797374656D642D73797363746C002D2D7072656669783D2F6E65742F697076342F636F6E662F7665746865653330316437002D2D7072656669783D2F6E65742F697076342F6E656967682F7665746865653330316437002D2D7072656669783D2F6E65742F697076362F636F6E66
19---
20type=SYSCALL msg=audit(1721179984.172:632): arch=c000003e syscall=59 success=yes exit=0 a0=7ffdf0c1eda0 a1=7ffdf0c1e9a0 a2=55cdb4901330 a3=8 items=2 ppid=3346 pid=3348 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
21type=EXECVE msg=audit(1721179984.172:632): argc=5 a0="/usr/lib/systemd/systemd-sysctl" a1="--prefix=/net/ipv4/conf/vethc3c7cd5" a2="--prefix=/net/ipv4/neigh/vethc3c7cd5" a3="--prefix=/net/ipv6/conf/vethc3c7cd5" a4="--prefix=/net/ipv6/neigh/vethc3c7cd5"
22type=CWD msg=audit(1721179984.172:632): cwd="/"
23type=PATH msg=audit(1721179984.172:632): item=0 name="/usr/lib/systemd/systemd-sysctl" inode=355868 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:systemd_sysctl_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
24type=PATH msg=audit(1721179984.172:632): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
25type=PROCTITLE msg=audit(1721179984.172:632): proctitle=2F7573722F6C69622F73797374656D642F73797374656D642D73797363746C002D2D7072656669783D2F6E65742F697076342F636F6E662F7665746863336337636435002D2D7072656669783D2F6E65742F697076342F6E656967682F7665746863336337636435002D2D7072656669783D2F6E65742F697076362F636F6E66
26---
27type=SYSCALL msg=audit(1721179984.177:633): arch=c000003e syscall=231 a0=0 a1=0 a2=0 a3=ffffffffffffff60 items=0 ppid=3345 pid=3347 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
28type=SYSCALL msg=audit(1721179984.177:634): arch=c000003e syscall=231 a0=0 a1=0 a2=0 a3=ffffffffffffff60 items=0 ppid=3346 pid=3348 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
29type=PROCTITLE msg=audit(1721179984.177:634): proctitle=2F7573722F6C69622F73797374656D642F73797374656D642D73797363746C002D2D7072656669783D2F6E65742F697076342F636F6E662F7665746863336337636435002D2D7072656669783D2F6E65742F697076342F6E656967682F7665746863336337636435002D2D7072656669783D2F6E65742F697076362F636F6E66
30type=PROCTITLE msg=audit(1721179984.177:633): proctitle=2F7573722F6C69622F73797374656D642F73797374656D642D73797363746C002D2D7072656669783D2F6E65742F697076342F636F6E662F7665746865653330316437002D2D7072656669783D2F6E65742F697076342F6E656967682F7665746865653330316437002D2D7072656669783D2F6E65742F697076362F636F6E66
31---
32---
33---
34type=SYSCALL msg=audit(1721179984.200:635): arch=c000003e syscall=59 success=yes exit=0 a0=c00003a450 a1=c00071c840 a2=c00048fd80 a3=0 items=1 ppid=1139 pid=3350 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="containerd-shim" exe="/usr/bin/containerd-shim-runc-v2" subj=system_u:system_r:container_runtime_t:s0 key=(null)
35type=EXECVE msg=audit(1721179984.200:635): argc=10 a0="/usr/bin/containerd-shim-runc-v2" a1="-namespace" a2="moby" a3="-address" a4="/run/containerd/containerd.sock" a5="-publish-binary" a6="/usr/bin/containerd" a7="-id" a8="a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8" a9="start"
36type=CWD msg=audit(1721179984.200:635): cwd="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8"
37type=PATH msg=audit(1721179984.200:635): item=0 name="/usr/bin/containerd-shim-runc-v2" inode=100665599 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
38type=PROCTITLE msg=audit(1721179984.200:635): proctitle=2F7573722F62696E2F636F6E7461696E6572642D7368696D2D72756E632D7632002D6E616D657370616365006D6F6279002D61646472657373002F72756E2F636F6E7461696E6572642F636F6E7461696E6572642E736F636B002D7075626C6973682D62696E617279002F7573722F62696E2F636F6E7461696E657264002D69
39---
40type=SYSCALL msg=audit(1721179984.211:636): arch=c000003e syscall=59 success=yes exit=0 a0=c0000a69f0 a1=c00009f040 a2=c00009f080 a3=0 items=1 ppid=3350 pid=3357 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="containerd-shim" exe="/usr/bin/containerd-shim-runc-v2" subj=system_u:system_r:container_runtime_t:s0 key=(null)
41type=EXECVE msg=audit(1721179984.211:636): argc=7 a0="/usr/bin/containerd-shim-runc-v2" a1="-namespace" a2="moby" a3="-id" a4="a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8" a5="-address" a6="/run/containerd/containerd.sock"
42type=CWD msg=audit(1721179984.211:636): cwd="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8"
43type=PATH msg=audit(1721179984.211:636): item=0 name="/usr/bin/containerd-shim-runc-v2" inode=100665599 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
44type=PROCTITLE msg=audit(1721179984.211:636): proctitle=2F7573722F62696E2F636F6E7461696E6572642D7368696D2D72756E632D7632002D6E616D657370616365006D6F6279002D69640061376332373634663566386435383464623766393033636365646632333336656666343031343531666231303936373865613336373635336662393265356238002D61646472657373002F
45---
46type=SYSCALL msg=audit(1721179984.213:637): arch=c000003e syscall=231 a0=0 a1=1 a2=0 a3=4ec items=0 ppid=1139 pid=3350 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="containerd-shim" exe="/usr/bin/containerd-shim-runc-v2" subj=system_u:system_r:container_runtime_t:s0 key=(null)
47type=PROCTITLE msg=audit(1721179984.213:637): proctitle=2F7573722F62696E2F636F6E7461696E6572642D7368696D2D72756E632D7632002D6E616D657370616365006D6F6279002D61646472657373002F72756E2F636F6E7461696E6572642F636F6E7461696E6572642E736F636B002D7075626C6973682D62696E617279002F7573722F62696E2F636F6E7461696E657264002D69
48---
49type=SYSCALL msg=audit(1721179984.224:638): arch=c000003e syscall=59 success=yes exit=0 a0=c000199670 a1=c000133180 a2=c0001bc2d0 a3=0 items=2 ppid=3357 pid=3368 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc" exe="/usr/bin/runc" subj=system_u:system_r:container_runtime_t:s0 key=(null)
50type=EXECVE msg=audit(1721179984.224:638): argc=15 a0="runc" a1="--root" a2="/var/run/docker/runtime-runc/moby" a3="--log" a4="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8/log.json" a5="--log-format" a6="json" a7="create" a8="--bundle" a9="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8" a10="--pid-file" a11="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8/init.pid" a12="--console-socket" a13="/tmp/pty3849963645/pty.sock" a14="a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8"
51type=CWD msg=audit(1721179984.224:638): cwd="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8"
52type=PATH msg=audit(1721179984.224:638): item=0 name="/usr/bin/runc" inode=100665601 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
53type=PATH msg=audit(1721179984.224:638): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
54type=PROCTITLE msg=audit(1721179984.224:638): proctitle=72756E63002D2D726F6F74002F7661722F72756E2F646F636B65722F72756E74696D652D72756E632F6D6F6279002D2D6C6F67002F72756E2F636F6E7461696E6572642F696F2E636F6E7461696E6572642E72756E74696D652E76322E7461736B2F6D6F62792F61376332373634663566386435383464623766393033636365
55---
56type=SYSCALL msg=audit(1721179984.239:639): arch=c000003e syscall=59 success=yes exit=0 a0=c000180a10 a1=c00009d8a8 a2=c0000a67d0 a3=0 items=2 ppid=3368 pid=3375 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="exe" exe="/usr/bin/runc" subj=system_u:system_r:container_runtime_t:s0 key=(null)
57type=EXECVE msg=audit(1721179984.239:639): argc=2 a0="runc" a1="init"
58type=CWD msg=audit(1721179984.239:639): cwd="/var/lib/docker/overlay2/2d28d3d7bbad8e0b6ceb33a57ad027faa3ea261ff2a5ada1a6d7adc886e81c0a/merged"
59type=PATH msg=audit(1721179984.239:639): item=0 name="/proc/self/exe" inode=100665601 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
60type=PATH msg=audit(1721179984.239:639): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
61type=PROCTITLE msg=audit(1721179984.239:639): proctitle=72756E6300696E6974
62---
63type=SYSCALL msg=audit(1721179984.250:640): arch=c000003e syscall=59 success=yes exit=0 a0=7ffd5ec41570 a1=558546109030 a2=558546109050 a3=7ffd5ec410a0 items=2 ppid=3368 pid=3375 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="7" exe="/" subj=system_u:system_r:container_runtime_t:s0 key=(null)
64type=EXECVE msg=audit(1721179984.250:640): argc=2 a0="runc" a1="init"
65type=CWD msg=audit(1721179984.250:640): cwd="/var/lib/docker/overlay2/2d28d3d7bbad8e0b6ceb33a57ad027faa3ea261ff2a5ada1a6d7adc886e81c0a/merged"
66type=PATH msg=audit(1721179984.250:640): item=0 name="/proc/self/fd/7" inode=100665601 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
67type=PATH msg=audit(1721179984.250:640): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
68type=PROCTITLE msg=audit(1721179984.250:640): proctitle=72756E6300696E6974
69---
70type=NETFILTER_CFG msg=audit(1721179984.252:641): table=filter family=2 entries=0
71type=NETFILTER_CFG msg=audit(1721179984.252:641): table=filter family=10 entries=0
72type=NETFILTER_CFG msg=audit(1721179984.252:641): table=raw family=2 entries=0
73type=NETFILTER_CFG msg=audit(1721179984.252:641): table=security family=2 entries=0
74type=NETFILTER_CFG msg=audit(1721179984.252:641): table=mangle family=2 entries=0
75type=NETFILTER_CFG msg=audit(1721179984.252:641): table=nat family=2 entries=0
76type=NETFILTER_CFG msg=audit(1721179984.252:641): table=raw family=10 entries=0
77type=NETFILTER_CFG msg=audit(1721179984.252:641): table=security family=10 entries=0
78type=NETFILTER_CFG msg=audit(1721179984.252:641): table=mangle family=10 entries=0
79type=NETFILTER_CFG msg=audit(1721179984.252:641): table=nat family=10 entries=0
80type=SYSCALL msg=audit(1721179984.252:641): arch=c000003e syscall=272 success=yes exit=0 a0=6c020000 a1=5623ec5cf373 a2=5623ec5d1460 a3=7ffe2c25ba20 items=0 ppid=3368 pid=3377 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc:[1:CHILD]" exe="/" subj=system_u:system_r:container_runtime_t:s0 key=(null)
81type=PROCTITLE msg=audit(1721179984.252:641): proctitle=72756E6300696E6974
82---
83type=SYSCALL msg=audit(1721179984.258:642): arch=c000003e syscall=231 a0=0 a1=0 a2=0 a3=ffffffffffffff60 items=0 ppid=3368 pid=3377 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc:[1:CHILD]" exe="/" subj=system_u:system_r:container_runtime_t:s0 key=(null)
84type=PROCTITLE msg=audit(1721179984.258:642): proctitle=72756E6300696E6974
85---
86type=SYSCALL msg=audit(1721179984.260:643): arch=c000003e syscall=231 a0=0 a1=0 a2=0 a3=ffffffffffffff60 items=0 ppid=3368 pid=3375 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc:[0:PARENT]" exe="/" subj=system_u:system_r:container_runtime_t:s0 key=(null)
87type=PROCTITLE msg=audit(1721179984.260:643): proctitle=72756E6300696E6974
88---
89type=SYSCALL msg=audit(1721179984.276:644): arch=c000003e syscall=59 success=yes exit=0 a0=c0001cd230 a1=c0001c1c80 a2=c0001c1cb0 a3=0 items=2 ppid=3368 pid=3383 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="exe" exe="/usr/bin/dockerd" subj=system_u:system_r:container_runtime_t:s0 key=(null)
90type=EXECVE msg=audit(1721179984.276:644): argc=4 a0="libnetwork-setkey" a1="-exec-root=/var/run/docker" a2="a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8" a3="d6ff75a08de6"
91type=CWD msg=audit(1721179984.276:644): cwd="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8"
92type=PATH msg=audit(1721179984.276:644): item=0 name="/proc/1315/exe" inode=100665603 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
93type=PATH msg=audit(1721179984.276:644): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
94type=PROCTITLE msg=audit(1721179984.276:644): proctitle=6C69626E6574776F726B2D7365746B6579002D657865632D726F6F743D2F7661722F72756E2F646F636B6572006137633237363466356638643538346462376639303363636564663233333665666634303134353166623130393637386561333637363533666239326535623800643666663735613038646536
95---
96type=SYSCALL msg=audit(1721179984.384:645): arch=c000003e syscall=231 a0=0 a1=12 a2=0 a3=558c5cbdb700 items=0 ppid=3368 pid=3383 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="exe" exe="/usr/bin/dockerd" subj=system_u:system_r:container_runtime_t:s0 key=(null)
97type=PROCTITLE msg=audit(1721179984.384:645): proctitle=6C69626E6574776F726B2D7365746B6579002D657865632D726F6F743D2F7661722F72756E2F646F636B6572006137633237363466356638643538346462376639303363636564663233333665666634303134353166623130393637386561333637363533666239326535623800643666663735613038646536
98---
99type=SECCOMP msg=audit(1721179984.454:646): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 pid=3378 comm="runc:[2:INIT]" sig=0 arch=c000003e syscall=439 compat=0 ip=0x5623ec13e40e code=0x50000
100type=SYSCALL msg=audit(1721179984.455:647): arch=c000003e syscall=231 a0=0 a1=1 a2=c00011f2e0 a3=1500 items=0 ppid=3357 pid=3368 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc" exe="/usr/bin/runc" subj=system_u:system_r:container_runtime_t:s0 key=(null)
101type=PROCTITLE msg=audit(1721179984.455:647): proctitle=72756E63002D2D726F6F74002F7661722F72756E2F646F636B65722F72756E74696D652D72756E632F6D6F6279002D2D6C6F67002F72756E2F636F6E7461696E6572642F696F2E636F6E7461696E6572642E72756E74696D652E76322E7461736B2F6D6F62792F61376332373634663566386435383464623766393033636365
102---
103type=SYSCALL msg=audit(1721179984.464:648): arch=c000003e syscall=59 success=yes exit=0 a0=c0002ca180 a1=c0002cc2d0 a2=c0002984b0 a3=0 items=2 ppid=3357 pid=3392 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc" exe="/usr/bin/runc" subj=system_u:system_r:container_runtime_t:s0 key=(null)
104type=EXECVE msg=audit(1721179984.464:648): argc=9 a0="runc" a1="--root" a2="/var/run/docker/runtime-runc/moby" a3="--log" a4="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8/log.json" a5="--log-format" a6="json" a7="start" a8="a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8"
105type=CWD msg=audit(1721179984.464:648): cwd="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8"
106type=PATH msg=audit(1721179984.464:648): item=0 name="/usr/bin/runc" inode=100665601 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
107type=PATH msg=audit(1721179984.464:648): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
108type=PROCTITLE msg=audit(1721179984.464:648): proctitle=72756E63002D2D726F6F74002F7661722F72756E2F646F636B65722F72756E74696D652D72756E632F6D6F6279002D2D6C6F67002F72756E2F636F6E7461696E6572642F696F2E636F6E7461696E6572642E72756E74696D652E76322E7461736B2F6D6F62792F61376332373634663566386435383464623766393033636365
109---
110type=SYSCALL msg=audit(1721179984.474:649): arch=c000003e syscall=231 a0=0 a1=1 a2=0 a3=563955c730e0 items=0 ppid=3357 pid=3392 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc" exe="/usr/bin/runc" subj=system_u:system_r:container_runtime_t:s0 key=(null)
111type=PROCTITLE msg=audit(1721179984.474:649): proctitle=72756E63002D2D726F6F74002F7661722F72756E2F646F636B65722F72756E74696D652D72756E632F6D6F6279002D2D6C6F67002F72756E2F636F6E7461696E6572642F696F2E636F6E7461696E6572642E72756E74696D652E76322E7461736B2F6D6F62792F61376332373634663566386435383464623766393033636365
112---
113type=SYSCALL msg=audit(1721179984.474:650): arch=c000003e syscall=59 success=yes exit=0 a0=c0001e1bd0 a1=c00013cb40 a2=c0001a2840 a3=0 items=2 ppid=3357 pid=3378 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="bash" exe="/bin/bash" subj=system_u:system_r:spc_t:s0 key=(null)
114type=BPRM_FCAPS msg=audit(1721179984.474:650): fver=0 fp=0000000000000000 fi=0000000000000000 fe=0 old_pp=00000000a80425fb old_pi=0000000000000000 old_pe=00000000a80425fb old_pa=0000000000000000 pp=00000000a80425fb pi=0000000000000000 pe=00000000a80425fb pa=0000000000000000
115type=EXECVE msg=audit(1721179984.474:650): argc=1 a0="/bin/bash"
116type=CWD msg=audit(1721179984.474:650): cwd="/"
117type=PATH msg=audit(1721179984.474:650): item=0 name="/bin/bash" inode=38622 dev=00:29 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_share_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
118type=PATH msg=audit(1721179984.474:650): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=38631 dev=00:29 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_share_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
119type=PROCTITLE msg=audit(1721179984.474:650): proctitle="/bin/bash"
120---
121type=SYSCALL msg=audit(1721179984.481:651): arch=c000003e syscall=59 success=yes exit=0 a0=17d58e8 a1=17d5a68 a2=17d2e08 a3=598 items=2 ppid=3398 pid=3399 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="groups" exe="/usr/bin/groups" subj=system_u:system_r:spc_t:s0 key=(null)
122type=BPRM_FCAPS msg=audit(1721179984.481:651): fver=0 fp=0000000000000000 fi=0000000000000000 fe=0 old_pp=00000000a80425fb old_pi=0000000000000000 old_pe=00000000a80425fb old_pa=0000000000000000 pp=00000000a80425fb pi=0000000000000000 pe=00000000a80425fb pa=0000000000000000
123type=EXECVE msg=audit(1721179984.481:651): argc=1 a0="groups"
124type=CWD msg=audit(1721179984.481:651): cwd="/"
125type=PATH msg=audit(1721179984.481:651): item=0 name="/usr/bin/groups" inode=36473 dev=00:29 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_share_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
126type=PATH msg=audit(1721179984.481:651): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=38631 dev=00:29 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_share_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
127type=PROCTITLE msg=audit(1721179984.481:651): proctitle="groups"
128---
129type=SYSCALL msg=audit(1721179984.483:652): arch=c000003e syscall=231 a0=0 a1=3c a2=0 a3=7ffd45ecd3c8 items=0 ppid=3398 pid=3399 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="groups" exe="/usr/bin/groups" subj=system_u:system_r:spc_t:s0 key=(null)
130type=PROCTITLE msg=audit(1721179984.483:652): proctitle="groups"
131---
132type=SYSCALL msg=audit(1721179984.484:653): arch=c000003e syscall=231 a0=0 a1=3c a2=0 a3=7ffc48ca6888 items=0 ppid=3378 pid=3398 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="bash" exe="/bin/bash" subj=system_u:system_r:spc_t:s0 key=(null)
133type=PROCTITLE msg=audit(1721179984.484:653): proctitle="/bin/bash"
134---
135type=SYSCALL msg=audit(1721179984.486:654): arch=c000003e syscall=231 a0=0 a1=0 a2=0 a3=4 items=0 ppid=2945 pid=3339 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="docker" exe="/usr/bin/docker" subj=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 key=(null)
136type=PROCTITLE msg=audit(1721179984.486:654): proctitle=646F636B6572007374617274007562756E7475
137---
138type=SYSCALL msg=audit(1721179984.486:655): arch=c000003e syscall=59 success=yes exit=0 a0=17d6dc8 a1=17d6988 a2=17d2e08 a3=598 items=2 ppid=3400 pid=3401 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="dircolors" exe="/usr/bin/dircolors" subj=system_u:system_r:spc_t:s0 key=(null)
139type=BPRM_FCAPS msg=audit(1721179984.486:655): fver=0 fp=0000000000000000 fi=0000000000000000 fe=0 old_pp=00000000a80425fb old_pi=0000000000000000 old_pe=00000000a80425fb old_pa=0000000000000000 pp=00000000a80425fb pi=0000000000000000 pe=00000000a80425fb pa=0000000000000000
140type=EXECVE msg=audit(1721179984.486:655): argc=2 a0="dircolors" a1="-b"
141type=CWD msg=audit(1721179984.486:655): cwd="/"
142type=PATH msg=audit(1721179984.486:655): item=0 name="/usr/bin/dircolors" inode=36478 dev=00:29 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_share_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
143type=PATH msg=audit(1721179984.486:655): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=38631 dev=00:29 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_share_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
144type=PROCTITLE msg=audit(1721179984.486:655): proctitle=646972636F6C6F7273002D62
145---
146type=SYSCALL msg=audit(1721179984.488:656): arch=c000003e syscall=231 a0=0 a1=3c a2=0 a3=7ffe9820d8d8 items=0 ppid=3400 pid=3401 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="dircolors" exe="/usr/bin/dircolors" subj=system_u:system_r:spc_t:s0 key=(null)
147type=PROCTITLE msg=audit(1721179984.488:656): proctitle=646972636F6C6F7273002D62
148---
149type=SYSCALL msg=audit(1721179984.488:657): arch=c000003e syscall=231 a0=0 a1=3c a2=0 a3=7ffc48ca6278 items=0 ppid=3378 pid=3400 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="bash" exe="/bin/bash" subj=system_u:system_r:spc_t:s0 key=(null)
150type=PROCTITLE msg=audit(1721179984.488:657): proctitle="/bin/bash"
151---
152type=SYSCALL msg=audit(1721179987.374:658): arch=c000003e syscall=231 a0=0 a1=0 a2=0 a3=fffffffffffffe50 items=0 ppid=573 pid=3349 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-udevd" exe="/usr/lib/systemd/systemd-udevd" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
153type=PROCTITLE msg=audit(1721179987.374:658): proctitle="/usr/lib/systemd/systemd-udevd"
154---
155type=SYSCALL msg=audit(1721179987.374:659): arch=c000003e syscall=231 a0=0 a1=0 a2=0 a3=fffffffffffffe50 items=0 ppid=573 pid=3345 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-udevd" exe="/usr/lib/systemd/systemd-udevd" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
156type=PROCTITLE msg=audit(1721179987.374:659): proctitle="/usr/lib/systemd/systemd-udevd"
157---
158type=SYSCALL msg=audit(1721179987.375:660): arch=c000003e syscall=231 a0=0 a1=0 a2=0 a3=fffffffffffffe50 items=0 ppid=573 pid=3346 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-udevd" exe="/usr/lib/systemd/systemd-udevd" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
159type=PROCTITLE msg=audit(1721179987.375:660): proctitle="/usr/lib/systemd/systemd-udevd"
160---
161type=SYSCALL msg=audit(1721179998.082:661): arch=c000003e syscall=59 success=yes exit=0 a0=193ea90 a1=1a14dc0 a2=1a02870 a3=7ffcb50a1a20 items=2 ppid=2945 pid=3402 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="docker" exe="/usr/bin/docker" subj=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 key=(null)
162type=EXECVE msg=audit(1721179998.082:661): argc=5 a0="docker" a1="exec" a2="ubuntu" a3="echo" a4="hello"
163type=CWD msg=audit(1721179998.082:661): cwd="/home/player"
164type=PATH msg=audit(1721179998.082:661): item=0 name="/bin/docker" inode=103221779 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
165type=PATH msg=audit(1721179998.082:661): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
166type=PROCTITLE msg=audit(1721179998.082:661): proctitle=646F636B65720065786563007562756E7475006563686F0068656C6C6F
167---
168type=SYSCALL msg=audit(1721179998.133:662): arch=c000003e syscall=59 success=yes exit=0 a0=c0002f4110 a1=c000206780 a2=c0001bd950 a3=0 items=2 ppid=3357 pid=3409 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc" exe="/usr/bin/runc" subj=system_u:system_r:container_runtime_t:s0 key=(null)
169type=EXECVE msg=audit(1721179998.133:662): argc=14 a0="runc" a1="--root" a2="/var/run/docker/runtime-runc/moby" a3="--log" a4="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8/log.json" a5="--log-format" a6="json" a7="exec" a8="--process" a9="/tmp/runc-process2506901255" a10="--detach" a11="--pid-file" a12="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8/97c8f3af19ec98b9c452de78ce4da8c5dd864f6f0c4415a8b5ff3b5736044e68.pid" a13="a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8"
170type=CWD msg=audit(1721179998.133:662): cwd="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8"
171type=PATH msg=audit(1721179998.133:662): item=0 name="/usr/bin/runc" inode=100665601 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
172type=PATH msg=audit(1721179998.133:662): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
173type=PROCTITLE msg=audit(1721179998.133:662): proctitle=72756E63002D2D726F6F74002F7661722F72756E2F646F636B65722F72756E74696D652D72756E632F6D6F6279002D2D6C6F67002F72756E2F636F6E7461696E6572642F696F2E636F6E7461696E6572642E72756E74696D652E76322E7461736B2F6D6F62792F61376332373634663566386435383464623766393033636365
174---
175type=SYSCALL msg=audit(1721179998.161:663): arch=c000003e syscall=59 success=yes exit=0 a0=c000162a00 a1=c000155770 a2=c000157700 a3=0 items=2 ppid=3409 pid=3417 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="exe" exe="/usr/bin/runc" subj=system_u:system_r:container_runtime_t:s0 key=(null)
176type=EXECVE msg=audit(1721179998.161:663): argc=2 a0="runc" a1="init"
177type=CWD msg=audit(1721179998.161:663): cwd="/var/lib/docker/overlay2/2d28d3d7bbad8e0b6ceb33a57ad027faa3ea261ff2a5ada1a6d7adc886e81c0a/merged"
178type=PATH msg=audit(1721179998.161:663): item=0 name="/proc/self/exe" inode=100665601 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
179type=PATH msg=audit(1721179998.161:663): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
180type=PROCTITLE msg=audit(1721179998.161:663): proctitle=72756E6300696E6974
181---
182type=SYSCALL msg=audit(1721179998.186:664): arch=c000003e syscall=59 success=yes exit=0 a0=7ffc53fec590 a1=560e20a66030 a2=560e20a66050 a3=7ffc53fec0e0 items=2 ppid=3409 pid=3417 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="5" exe="/" subj=system_u:system_r:container_runtime_t:s0 key=(null)
183type=EXECVE msg=audit(1721179998.186:664): argc=2 a0="runc" a1="init"
184type=CWD msg=audit(1721179998.186:664): cwd="/var/lib/docker/overlay2/2d28d3d7bbad8e0b6ceb33a57ad027faa3ea261ff2a5ada1a6d7adc886e81c0a/merged"
185type=PATH msg=audit(1721179998.186:664): item=0 name="/proc/self/fd/5" inode=100665601 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
186type=PATH msg=audit(1721179998.186:664): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
187type=PROCTITLE msg=audit(1721179998.186:664): proctitle=72756E6300696E6974
188---
189type=SYSCALL msg=audit(1721179998.189:665): arch=c000003e syscall=231 a0=0 a1=0 a2=0 a3=ffffffffffffff60 items=0 ppid=3409 pid=3418 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc:[1:CHILD]" exe="/" subj=system_u:system_r:container_runtime_t:s0 key=(null)
190type=PROCTITLE msg=audit(1721179998.189:665): proctitle=72756E6300696E6974
191---
192type=SYSCALL msg=audit(1721179998.190:666): arch=c000003e syscall=231 a0=0 a1=0 a2=0 a3=ffffffffffffff60 items=0 ppid=3409 pid=3417 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc:[0:PARENT]" exe="/" subj=system_u:system_r:container_runtime_t:s0 key=(null)
193type=PROCTITLE msg=audit(1721179998.190:666): proctitle=72756E6300696E6974
194---
195type=SECCOMP msg=audit(1721179998.218:667): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 pid=3419 comm="runc:[2:INIT]" sig=0 arch=c000003e syscall=439 compat=0 ip=0x5601dc7be40e code=0x50000
196type=SYSCALL msg=audit(1721179998.218:668): arch=c000003e syscall=231 a0=0 a1=0 a2=c0000ef2e0 a3=c0002e0300 items=0 ppid=3357 pid=3409 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc" exe="/usr/bin/runc" subj=system_u:system_r:container_runtime_t:s0 key=(null)
197type=PROCTITLE msg=audit(1721179998.218:668): proctitle=72756E63002D2D726F6F74002F7661722F72756E2F646F636B65722F72756E74696D652D72756E632F6D6F6279002D2D6C6F67002F72756E2F636F6E7461696E6572642F696F2E636F6E7461696E6572642E72756E74696D652E76322E7461736B2F6D6F62792F61376332373634663566386435383464623766393033636365
198---
199type=SYSCALL msg=audit(1721179998.218:669): arch=c000003e syscall=59 success=yes exit=0 a0=c0000f86b0 a1=c0001173b0 a2=c0000243c0 a3=0 items=2 ppid=3409 pid=3419 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="echo" exe="/bin/echo" subj=system_u:system_r:spc_t:s0 key=(null)
200type=BPRM_FCAPS msg=audit(1721179998.218:669): fver=0 fp=0000000000000000 fi=0000000000000000 fe=0 old_pp=00000000a80425fb old_pi=0000000000000000 old_pe=00000000a80425fb old_pa=0000000000000000 pp=00000000a80425fb pi=0000000000000000 pe=00000000a80425fb pa=0000000000000000
201type=EXECVE msg=audit(1721179998.218:669): argc=2 a0="echo" a1="hello"
202type=CWD msg=audit(1721179998.218:669): cwd="/"
203type=PATH msg=audit(1721179998.218:669): item=0 name="/bin/echo" inode=36536 dev=00:29 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_share_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
204type=PATH msg=audit(1721179998.218:669): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=38631 dev=00:29 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_share_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
205type=PROCTITLE msg=audit(1721179998.218:669): proctitle=6563686F0068656C6C6F
206---
207type=SYSCALL msg=audit(1721179998.220:670): arch=c000003e syscall=231 a0=0 a1=3c a2=0 a3=7ffc7b282148 items=0 ppid=3357 pid=3419 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="echo" exe="/bin/echo" subj=system_u:system_r:spc_t:s0 key=(null)
208type=PROCTITLE msg=audit(1721179998.220:670): proctitle=6563686F0068656C6C6F
209---
210type=SYSCALL msg=audit(1721179998.223:671): arch=c000003e syscall=231 a0=0 a1=0 a2=0 a3=4 items=0 ppid=2945 pid=3402 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="docker" exe="/usr/bin/docker" subj=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 key=(null)
211type=PROCTITLE msg=audit(1721179998.223:671): proctitle=646F636B65720065786563007562756E7475006563686F0068656C6C6F
212---
213type=SYSCALL msg=audit(1721180008.674:672): arch=c000003e syscall=59 success=yes exit=0 a0=1a1ce20 a1=1a14dc0 a2=1a02870 a3=7ffcb50a1a20 items=2 ppid=2945 pid=3425 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="docker" exe="/usr/bin/docker" subj=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 key=(null)
214type=EXECVE msg=audit(1721180008.674:672): argc=5 a0="docker" a1="exec" a2="-it" a3="ubuntu" a4="/bin/bash"
215type=CWD msg=audit(1721180008.674:672): cwd="/home/player"
216type=PATH msg=audit(1721180008.674:672): item=0 name="/bin/docker" inode=103221779 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
217type=PATH msg=audit(1721180008.674:672): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
218type=PROCTITLE msg=audit(1721180008.674:672): proctitle=646F636B65720065786563002D6974007562756E7475002F62696E2F62617368
219---
220type=SYSCALL msg=audit(1721180008.720:673): arch=c000003e syscall=59 success=yes exit=0 a0=c0002f42d0 a1=c000222240 a2=c0001bc6f0 a3=0 items=2 ppid=3357 pid=3432 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc" exe="/usr/bin/runc" subj=system_u:system_r:container_runtime_t:s0 key=(null)
221type=EXECVE msg=audit(1721180008.720:673): argc=16 a0="runc" a1="--root" a2="/var/run/docker/runtime-runc/moby" a3="--log" a4="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8/log.json" a5="--log-format" a6="json" a7="exec" a8="--process" a9="/tmp/runc-process201052328" a10="--console-socket" a11="/tmp/pty3160677574/pty.sock" a12="--detach" a13="--pid-file" a14="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8/69b39661224db9f9e941b75da99f144a31c3ffb06ec0ea57981d4fe325d499b5.pid" a15="a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8"
222type=CWD msg=audit(1721180008.720:673): cwd="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8"
223type=PATH msg=audit(1721180008.720:673): item=0 name="/usr/bin/runc" inode=100665601 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
224type=PATH msg=audit(1721180008.720:673): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
225type=PROCTITLE msg=audit(1721180008.720:673): proctitle=72756E63002D2D726F6F74002F7661722F72756E2F646F636B65722F72756E74696D652D72756E632F6D6F6279002D2D6C6F67002F72756E2F636F6E7461696E6572642F696F2E636F6E7461696E6572642E72756E74696D652E76322E7461736B2F6D6F62792F61376332373634663566386435383464623766393033636365
226---
227type=SYSCALL msg=audit(1721180008.736:674): arch=c000003e syscall=59 success=yes exit=0 a0=c000194a00 a1=c000185770 a2=c000187780 a3=0 items=2 ppid=3432 pid=3440 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="exe" exe="/usr/bin/runc" subj=system_u:system_r:container_runtime_t:s0 key=(null)
228type=EXECVE msg=audit(1721180008.736:674): argc=2 a0="runc" a1="init"
229type=CWD msg=audit(1721180008.736:674): cwd="/var/lib/docker/overlay2/2d28d3d7bbad8e0b6ceb33a57ad027faa3ea261ff2a5ada1a6d7adc886e81c0a/merged"
230type=PATH msg=audit(1721180008.736:674): item=0 name="/proc/self/exe" inode=100665601 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
231type=PATH msg=audit(1721180008.736:674): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
232type=PROCTITLE msg=audit(1721180008.736:674): proctitle=72756E6300696E6974
233---
234type=SYSCALL msg=audit(1721180008.749:675): arch=c000003e syscall=59 success=yes exit=0 a0=7ffcaa036920 a1=55a755913030 a2=55a755913050 a3=7ffcaa036460 items=2 ppid=3432 pid=3440 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="6" exe="/" subj=system_u:system_r:container_runtime_t:s0 key=(null)
235type=EXECVE msg=audit(1721180008.749:675): argc=2 a0="runc" a1="init"
236type=CWD msg=audit(1721180008.749:675): cwd="/var/lib/docker/overlay2/2d28d3d7bbad8e0b6ceb33a57ad027faa3ea261ff2a5ada1a6d7adc886e81c0a/merged"
237type=PATH msg=audit(1721180008.749:675): item=0 name="/proc/self/fd/6" inode=100665601 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
238type=PATH msg=audit(1721180008.749:675): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
239type=PROCTITLE msg=audit(1721180008.749:675): proctitle=72756E6300696E6974
240---
241type=SYSCALL msg=audit(1721180008.753:676): arch=c000003e syscall=231 a0=0 a1=0 a2=0 a3=ffffffffffffff60 items=0 ppid=3432 pid=3441 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc:[1:CHILD]" exe="/" subj=system_u:system_r:container_runtime_t:s0 key=(null)
242type=PROCTITLE msg=audit(1721180008.753:676): proctitle=72756E6300696E6974
243---
244type=SYSCALL msg=audit(1721180008.755:677): arch=c000003e syscall=231 a0=0 a1=0 a2=0 a3=ffffffffffffff60 items=0 ppid=3432 pid=3440 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc:[0:PARENT]" exe="/" subj=system_u:system_r:container_runtime_t:s0 key=(null)
245type=PROCTITLE msg=audit(1721180008.755:677): proctitle=72756E6300696E6974
246---
247type=SECCOMP msg=audit(1721180008.785:678): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 pid=3442 comm="runc:[2:INIT]" sig=0 arch=c000003e syscall=439 compat=0 ip=0x55595d8d340e code=0x50000
248type=SYSCALL msg=audit(1721180008.787:679): arch=c000003e syscall=231 a0=0 a1=1 a2=c00011f2e0 a3=14b0 items=0 ppid=3357 pid=3432 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc" exe="/usr/bin/runc" subj=system_u:system_r:container_runtime_t:s0 key=(null)
249type=PROCTITLE msg=audit(1721180008.787:679): proctitle=72756E63002D2D726F6F74002F7661722F72756E2F646F636B65722F72756E74696D652D72756E632F6D6F6279002D2D6C6F67002F72756E2F636F6E7461696E6572642F696F2E636F6E7461696E6572642E72756E74696D652E76322E7461736B2F6D6F62792F61376332373634663566386435383464623766393033636365
250---
251type=SYSCALL msg=audit(1721180008.787:680): arch=c000003e syscall=59 success=yes exit=0 a0=c000188680 a1=c000140850 a2=c0001507b0 a3=0 items=2 ppid=3357 pid=3442 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="bash" exe="/bin/bash" subj=system_u:system_r:spc_t:s0 key=(null)
252type=BPRM_FCAPS msg=audit(1721180008.787:680): fver=0 fp=0000000000000000 fi=0000000000000000 fe=0 old_pp=00000000a80425fb old_pi=0000000000000000 old_pe=00000000a80425fb old_pa=0000000000000000 pp=00000000a80425fb pi=0000000000000000 pe=00000000a80425fb pa=0000000000000000
253type=EXECVE msg=audit(1721180008.787:680): argc=1 a0="/bin/bash"
254type=CWD msg=audit(1721180008.787:680): cwd="/"
255type=PATH msg=audit(1721180008.787:680): item=0 name="/bin/bash" inode=38622 dev=00:29 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_share_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
256type=PATH msg=audit(1721180008.787:680): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=38631 dev=00:29 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_share_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
257type=PROCTITLE msg=audit(1721180008.787:680): proctitle="/bin/bash"
258---
259type=SYSCALL msg=audit(1721180008.794:681): arch=c000003e syscall=59 success=yes exit=0 a0=8fe8e8 a1=8fea68 a2=8fbe08 a3=598 items=2 ppid=3447 pid=3448 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="groups" exe="/usr/bin/groups" subj=system_u:system_r:spc_t:s0 key=(null)
260type=BPRM_FCAPS msg=audit(1721180008.794:681): fver=0 fp=0000000000000000 fi=0000000000000000 fe=0 old_pp=00000000a80425fb old_pi=0000000000000000 old_pe=00000000a80425fb old_pa=0000000000000000 pp=00000000a80425fb pi=0000000000000000 pe=00000000a80425fb pa=0000000000000000
261type=EXECVE msg=audit(1721180008.794:681): argc=1 a0="groups"
262type=CWD msg=audit(1721180008.794:681): cwd="/"
263type=PATH msg=audit(1721180008.794:681): item=0 name="/usr/bin/groups" inode=36473 dev=00:29 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_share_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
264type=PATH msg=audit(1721180008.794:681): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=38631 dev=00:29 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_share_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
265type=PROCTITLE msg=audit(1721180008.794:681): proctitle="groups"
266---
267type=SYSCALL msg=audit(1721180008.796:682): arch=c000003e syscall=231 a0=0 a1=3c a2=0 a3=7ffd80931ef8 items=0 ppid=3447 pid=3448 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="groups" exe="/usr/bin/groups" subj=system_u:system_r:spc_t:s0 key=(null)
268type=PROCTITLE msg=audit(1721180008.796:682): proctitle="groups"
269---
270type=SYSCALL msg=audit(1721180008.796:683): arch=c000003e syscall=231 a0=0 a1=3c a2=0 a3=7ffe2dd07ff8 items=0 ppid=3442 pid=3447 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="bash" exe="/bin/bash" subj=system_u:system_r:spc_t:s0 key=(null)
271type=PROCTITLE msg=audit(1721180008.796:683): proctitle="/bin/bash"
272---
273type=SYSCALL msg=audit(1721180008.798:684): arch=c000003e syscall=59 success=yes exit=0 a0=8ffdc8 a1=8ff988 a2=8fbe08 a3=598 items=2 ppid=3449 pid=3450 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="dircolors" exe="/usr/bin/dircolors" subj=system_u:system_r:spc_t:s0 key=(null)
274type=BPRM_FCAPS msg=audit(1721180008.798:684): fver=0 fp=0000000000000000 fi=0000000000000000 fe=0 old_pp=00000000a80425fb old_pi=0000000000000000 old_pe=00000000a80425fb old_pa=0000000000000000 pp=00000000a80425fb pi=0000000000000000 pe=00000000a80425fb pa=0000000000000000
275type=EXECVE msg=audit(1721180008.798:684): argc=2 a0="dircolors" a1="-b"
276type=CWD msg=audit(1721180008.798:684): cwd="/"
277type=PATH msg=audit(1721180008.798:684): item=0 name="/usr/bin/dircolors" inode=36478 dev=00:29 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_share_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
278type=PATH msg=audit(1721180008.798:684): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=38631 dev=00:29 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_share_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
279type=PROCTITLE msg=audit(1721180008.798:684): proctitle=646972636F6C6F7273002D62
280---
281type=SYSCALL msg=audit(1721180008.799:685): arch=c000003e syscall=231 a0=0 a1=3c a2=0 a3=7ffc18145518 items=0 ppid=3449 pid=3450 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="dircolors" exe="/usr/bin/dircolors" subj=system_u:system_r:spc_t:s0 key=(null)
282type=PROCTITLE msg=audit(1721180008.799:685): proctitle=646972636F6C6F7273002D62
283---
284type=SYSCALL msg=audit(1721180008.799:686): arch=c000003e syscall=231 a0=0 a1=3c a2=0 a3=7ffe2dd079e8 items=0 ppid=3442 pid=3449 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="bash" exe="/bin/bash" subj=system_u:system_r:spc_t:s0 key=(null)
285type=PROCTITLE msg=audit(1721180008.799:686): proctitle="/bin/bash"
286---
287type=SYSCALL msg=audit(1721180010.254:687): arch=c000003e syscall=59 success=yes exit=0 a0=920488 a1=8fcb48 a2=8fbe08 a3=598 items=2 ppid=3442 pid=3451 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="ls" exe="/bin/ls" subj=system_u:system_r:spc_t:s0 key=(null)
288type=BPRM_FCAPS msg=audit(1721180010.254:687): fver=0 fp=0000000000000000 fi=0000000000000000 fe=0 old_pp=00000000a80425fb old_pi=0000000000000000 old_pe=00000000a80425fb old_pa=0000000000000000 pp=00000000a80425fb pi=0000000000000000 pe=00000000a80425fb pa=0000000000000000
289type=EXECVE msg=audit(1721180010.254:687): argc=2 a0="ls" a1="--color=auto"
290type=CWD msg=audit(1721180010.254:687): cwd="/"
291type=PATH msg=audit(1721180010.254:687): item=0 name="/bin/ls" inode=39943 dev=00:29 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_share_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
292type=PATH msg=audit(1721180010.254:687): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=38631 dev=00:29 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_share_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
293type=PROCTITLE msg=audit(1721180010.254:687): proctitle=6C73002D2D636F6C6F723D6175746F
294---
295type=SYSCALL msg=audit(1721180010.260:688): arch=c000003e syscall=231 a0=0 a1=3c a2=0 a3=7f7cb1fcb250 items=0 ppid=3442 pid=3451 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="ls" exe="/bin/ls" subj=system_u:system_r:spc_t:s0 key=(null)
296type=PROCTITLE msg=audit(1721180010.260:688): proctitle=6C73002D2D636F6C6F723D6175746F
297---
298type=SYSCALL msg=audit(1721180016.276:689): arch=c000003e syscall=59 success=yes exit=0 a0=9205a8 a1=9206c8 a2=8fbe08 a3=598 items=2 ppid=3442 pid=3452 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="ls" exe="/bin/ls" subj=system_u:system_r:spc_t:s0 key=(null)
299type=BPRM_FCAPS msg=audit(1721180016.276:689): fver=0 fp=0000000000000000 fi=0000000000000000 fe=0 old_pp=00000000a80425fb old_pi=0000000000000000 old_pe=00000000a80425fb old_pa=0000000000000000 pp=00000000a80425fb pi=0000000000000000 pe=00000000a80425fb pa=0000000000000000
300type=EXECVE msg=audit(1721180016.276:689): argc=3 a0="ls" a1="--color=auto" a2="-alF"
301type=CWD msg=audit(1721180016.276:689): cwd="/"
302type=PATH msg=audit(1721180016.276:689): item=0 name="/bin/ls" inode=39943 dev=00:29 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_share_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
303type=PATH msg=audit(1721180016.276:689): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=38631 dev=00:29 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_share_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
304type=PROCTITLE msg=audit(1721180016.276:689): proctitle=6C73002D2D636F6C6F723D6175746F002D616C46
305---
306type=SYSCALL msg=audit(1721180016.284:690): arch=c000003e syscall=231 a0=0 a1=3c a2=0 a3=7f80840d8140 items=0 ppid=3442 pid=3452 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="ls" exe="/bin/ls" subj=system_u:system_r:spc_t:s0 key=(null)
307type=PROCTITLE msg=audit(1721180016.284:690): proctitle=6C73002D2D636F6C6F723D6175746F002D616C46
308---
309type=SYSCALL msg=audit(1721180019.825:691): arch=c000003e syscall=59 success=yes exit=0 a0=920248 a1=920148 a2=8fbe08 a3=598 items=2 ppid=3442 pid=3453 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=system_u:system_r:spc_t:s0 key=(null)
310type=BPRM_FCAPS msg=audit(1721180019.825:691): fver=0 fp=0000000000000000 fi=0000000000000000 fe=0 old_pp=00000000a80425fb old_pi=0000000000000000 old_pe=00000000a80425fb old_pa=0000000000000000 pp=00000000a80425fb pi=0000000000000000 pe=00000000a80425fb pa=0000000000000000
311type=EXECVE msg=audit(1721180019.825:691): argc=1 a0="vim"
312type=CWD msg=audit(1721180019.825:691): cwd="/"
313type=PATH msg=audit(1721180019.825:691): item=0 name="/usr/bin/vim" inode=36570 dev=00:29 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_share_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
314type=PATH msg=audit(1721180019.825:691): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=38631 dev=00:29 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_share_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
315type=PROCTITLE msg=audit(1721180019.825:691): proctitle="vim"
316---
317type=SYSCALL msg=audit(1721180023.165:692): arch=c000003e syscall=231 a0=0 a1=3c a2=0 a3=7f509814f140 items=0 ppid=3442 pid=3453 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=system_u:system_r:spc_t:s0 key=(null)
318type=PROCTITLE msg=audit(1721180023.165:692): proctitle="vim"
319---
320type=SYSCALL msg=audit(1721180025.784:693): arch=c000003e syscall=231 a0=0 a1=3c a2=0 a3=7ffe2dd08968 items=0 ppid=3357 pid=3442 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="bash" exe="/bin/bash" subj=system_u:system_r:spc_t:s0 key=(null)
321type=PROCTITLE msg=audit(1721180025.784:693): proctitle="/bin/bash"
322---
323type=SYSCALL msg=audit(1721180025.790:694): arch=c000003e syscall=231 a0=0 a1=0 a2=0 a3=4 items=0 ppid=2945 pid=3425 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="docker" exe="/usr/bin/docker" subj=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 key=(null)
324type=PROCTITLE msg=audit(1721180025.790:694): proctitle=646F636B65720065786563002D6974007562756E7475002F62696E2F62617368
325---
326type=SYSCALL msg=audit(1721180030.377:695): arch=c000003e syscall=59 success=yes exit=0 a0=1945bb0 a1=1a16800 a2=1a02870 a3=7ffcb50a1a20 items=2 ppid=2945 pid=3454 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="docker" exe="/usr/bin/docker" subj=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 key=(null)
327type=EXECVE msg=audit(1721180030.377:695): argc=3 a0="docker" a1="stop" a2="ubuntu"
328type=CWD msg=audit(1721180030.377:695): cwd="/home/player"
329type=PATH msg=audit(1721180030.377:695): item=0 name="/bin/docker" inode=103221779 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
330type=PATH msg=audit(1721180030.377:695): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
331type=PROCTITLE msg=audit(1721180030.377:695): proctitle=646F636B65720073746F70007562756E7475
332---
333type=SYSCALL msg=audit(1721180030.417:696): arch=c000003e syscall=59 success=yes exit=0 a0=c0002f4080 a1=c000024a80 a2=c00009d890 a3=0 items=2 ppid=3357 pid=3461 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc" exe="/usr/bin/runc" subj=system_u:system_r:container_runtime_t:s0 key=(null)
334type=EXECVE msg=audit(1721180030.417:696): argc=10 a0="runc" a1="--root" a2="/var/run/docker/runtime-runc/moby" a3="--log" a4="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8/log.json" a5="--log-format" a6="json" a7="kill" a8="a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8" a9="15"
335type=CWD msg=audit(1721180030.417:696): cwd="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8"
336type=PATH msg=audit(1721180030.417:696): item=0 name="/usr/bin/runc" inode=100665601 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
337type=PATH msg=audit(1721180030.417:696): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
338type=PROCTITLE msg=audit(1721180030.417:696): proctitle=72756E63002D2D726F6F74002F7661722F72756E2F646F636B65722F72756E74696D652D72756E632F6D6F6279002D2D6C6F67002F72756E2F636F6E7461696E6572642F696F2E636F6E7461696E6572642E72756E74696D652E76322E7461736B2F6D6F62792F61376332373634663566386435383464623766393033636365
339---
340type=SYSCALL msg=audit(1721180030.429:697): arch=c000003e syscall=231 a0=0 a1=1 a2=0 a3=0 items=0 ppid=3357 pid=3461 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc" exe="/usr/bin/runc" subj=system_u:system_r:container_runtime_t:s0 key=(null)
341type=PROCTITLE msg=audit(1721180030.429:697): proctitle=72756E63002D2D726F6F74002F7661722F72756E2F646F636B65722F72756E74696D652D72756E632F6D6F6279002D2D6C6F67002F72756E2F636F6E7461696E6572642F696F2E636F6E7461696E6572642E72756E74696D652E76322E7461736B2F6D6F62792F61376332373634663566386435383464623766393033636365
342---
343type=SYSCALL msg=audit(1721180030.429:698): arch=c000003e syscall=231 a0=0 a1=3c a2=0 a3=7ffc48ca71f8 items=0 ppid=3357 pid=3378 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="bash" exe="/bin/bash" subj=system_u:system_r:spc_t:s0 key=(null)
344type=PROCTITLE msg=audit(1721180030.429:698): proctitle="/bin/bash"
345---
346type=SYSCALL msg=audit(1721180030.451:699): arch=c000003e syscall=231 a0=0 a1=0 a2=0 a3=ffffffffffffff60 items=0 ppid=57 pid=3467 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-cgroups" exe="/usr/lib/systemd/systemd-cgroups-agent" subj=system_u:system_r:init_t:s0 key=(null)
347type=PROCTITLE msg=audit(1721180030.451:699): proctitle=2F7573722F6C69622F73797374656D642F73797374656D642D6367726F7570732D6167656E74002F646F636B65722F61376332373634663566386435383464623766393033636365646632333336656666343031343531666231303936373865613336373635336662393265356238
348---
349type=SYSCALL msg=audit(1721180030.453:700): arch=c000003e syscall=59 success=yes exit=0 a0=c000012400 a1=c0001c2140 a2=c00007e9f0 a3=0 items=2 ppid=3357 pid=3468 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc" exe="/usr/bin/runc" subj=system_u:system_r:container_runtime_t:s0 key=(null)
350type=EXECVE msg=audit(1721180030.453:700): argc=9 a0="runc" a1="--root" a2="/var/run/docker/runtime-runc/moby" a3="--log" a4="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8/log.json" a5="--log-format" a6="json" a7="delete" a8="a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8"
351type=CWD msg=audit(1721180030.453:700): cwd="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8"
352type=PATH msg=audit(1721180030.453:700): item=0 name="/usr/bin/runc" inode=100665601 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
353type=PATH msg=audit(1721180030.453:700): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
354type=PROCTITLE msg=audit(1721180030.453:700): proctitle=72756E63002D2D726F6F74002F7661722F72756E2F646F636B65722F72756E74696D652D72756E632F6D6F6279002D2D6C6F67002F72756E2F636F6E7461696E6572642F696F2E636F6E7461696E6572642E72756E74696D652E76322E7461736B2F6D6F62792F61376332373634663566386435383464623766393033636365
355---
356type=SYSCALL msg=audit(1721180030.485:701): arch=c000003e syscall=231 a0=0 a1=56455e45cce0 a2=0 a3=c000048890 items=0 ppid=3357 pid=3468 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc" exe="/usr/bin/runc" subj=system_u:system_r:container_runtime_t:s0 key=(null)
357type=PROCTITLE msg=audit(1721180030.485:701): proctitle=72756E63002D2D726F6F74002F7661722F72756E2F646F636B65722F72756E74696D652D72756E632F6D6F6279002D2D6C6F67002F72756E2F636F6E7461696E6572642F696F2E636F6E7461696E6572642E72756E74696D652E76322E7461736B2F6D6F62792F61376332373634663566386435383464623766393033636365
358---
359type=SYSCALL msg=audit(1721180030.488:702): arch=c000003e syscall=231 a0=0 a1=c0001d0300 a2=0 a3=10 items=0 ppid=1 pid=3357 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="containerd-shim" exe="/usr/bin/containerd-shim-runc-v2" subj=system_u:system_r:container_runtime_t:s0 key=(null)
360type=PROCTITLE msg=audit(1721180030.488:702): proctitle=2F7573722F62696E2F636F6E7461696E6572642D7368696D2D72756E632D7632002D6E616D657370616365006D6F6279002D69640061376332373634663566386435383464623766393033636365646632333336656666343031343531666231303936373865613336373635336662393265356238002D61646472657373002F
361---
362type=SYSCALL msg=audit(1721180030.488:703): arch=c000003e syscall=231 a0=0 a1=0 a2=0 a3=ffffffffffffff60 items=0 ppid=57 pid=3473 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-cgroups" exe="/usr/lib/systemd/systemd-cgroups-agent" subj=system_u:system_r:init_t:s0 key=(null)
363type=PROCTITLE msg=audit(1721180030.488:703): proctitle=2F7573722F6C69622F73797374656D642F73797374656D642D6367726F7570732D6167656E74002F646F636B6572
364---
365type=SYSCALL msg=audit(1721180030.490:704): arch=c000003e syscall=59 success=yes exit=0 a0=c00054a300 a1=c00030b260 a2=c000514400 a3=0 items=1 ppid=1139 pid=3474 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="containerd-shim" exe="/usr/bin/containerd-shim-runc-v2" subj=system_u:system_r:container_runtime_t:s0 key=(null)
366type=EXECVE msg=audit(1721180030.490:704): argc=12 a0="/usr/bin/containerd-shim-runc-v2" a1="-namespace" a2="moby" a3="-address" a4="/run/containerd/containerd.sock" a5="-publish-binary" a6="/usr/bin/containerd" a7="-id" a8="a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8" a9="-bundle" a10="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8" a11="delete"
367type=CWD msg=audit(1721180030.490:704): cwd="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8"
368type=PATH msg=audit(1721180030.490:704): item=0 name="/usr/bin/containerd-shim-runc-v2" inode=100665599 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
369type=PROCTITLE msg=audit(1721180030.490:704): proctitle=2F7573722F62696E2F636F6E7461696E6572642D7368696D2D72756E632D7632002D6E616D657370616365006D6F6279002D61646472657373002F72756E2F636F6E7461696E6572642F636F6E7461696E6572642E736F636B002D7075626C6973682D62696E617279002F7573722F62696E2F636F6E7461696E657264002D69
370---
371type=SYSCALL msg=audit(1721180030.497:705): arch=c000003e syscall=59 success=yes exit=0 a0=c0001ac3e0 a1=c000180480 a2=c00019c4b0 a3=0 items=2 ppid=3474 pid=3480 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc" exe="/usr/bin/runc" subj=system_u:system_r:container_runtime_t:s0 key=(null)
372type=EXECVE msg=audit(1721180030.497:705): argc=10 a0="runc" a1="--root" a2="/var/run/docker/runtime-runc/moby" a3="--log" a4="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8/log.json" a5="--log-format" a6="json" a7="delete" a8="--force" a9="a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8"
373type=CWD msg=audit(1721180030.497:705): cwd="/run/containerd/io.containerd.runtime.v2.task/moby/a7c2764f5f8d584db7f903ccedf2336eff401451fb109678ea367653fb92e5b8"
374type=PATH msg=audit(1721180030.497:705): item=0 name="/usr/bin/runc" inode=100665601 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
375type=PATH msg=audit(1721180030.497:705): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
376type=PROCTITLE msg=audit(1721180030.497:705): proctitle=72756E63002D2D726F6F74002F7661722F72756E2F646F636B65722F72756E74696D652D72756E632F6D6F6279002D2D6C6F67002F72756E2F636F6E7461696E6572642F696F2E636F6E7461696E6572642E72756E74696D652E76322E7461736B2F6D6F62792F61376332373634663566386435383464623766393033636365
377---
378type=SYSCALL msg=audit(1721180030.504:706): arch=c000003e syscall=231 a0=0 a1=36 a2=0 a3=8c3 items=0 ppid=3474 pid=3480 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc" exe="/usr/bin/runc" subj=system_u:system_r:container_runtime_t:s0 key=(null)
379type=PROCTITLE msg=audit(1721180030.504:706): proctitle=72756E63002D2D726F6F74002F7661722F72756E2F646F636B65722F72756E74696D652D72756E632F6D6F6279002D2D6C6F67002F72756E2F636F6E7461696E6572642F696F2E636F6E7461696E6572642E72756E74696D652E76322E7461736B2F6D6F62792F61376332373634663566386435383464623766393033636365
380---
381type=SYSCALL msg=audit(1721180030.505:707): arch=c000003e syscall=231 a0=0 a1=1 a2=0 a3=0 items=0 ppid=1139 pid=3474 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="containerd-shim" exe="/usr/bin/containerd-shim-runc-v2" subj=system_u:system_r:container_runtime_t:s0 key=(null)
382type=PROCTITLE msg=audit(1721180030.505:707): proctitle=2F7573722F62696E2F636F6E7461696E6572642D7368696D2D72756E632D7632002D6E616D657370616365006D6F6279002D61646472657373002F72756E2F636F6E7461696E6572642F636F6E7461696E6572642E736F636B002D7075626C6973682D62696E617279002F7573722F62696E2F636F6E7461696E657264002D69
383---
384type=SYSCALL msg=audit(1721180030.539:708): arch=c000003e syscall=59 success=yes exit=0 a0=7ffdf0c1eda0 a1=7ffdf0c1e9a0 a2=55cdb4902ea0 a3=8 items=2 ppid=3486 pid=3487 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
385type=EXECVE msg=audit(1721180030.539:708): argc=5 a0="/usr/lib/systemd/systemd-sysctl" a1="--prefix=/net/ipv4/conf/vethee301d7" a2="--prefix=/net/ipv4/neigh/vethee301d7" a3="--prefix=/net/ipv6/conf/vethee301d7" a4="--prefix=/net/ipv6/neigh/vethee301d7"
386type=CWD msg=audit(1721180030.539:708): cwd="/"
387type=PATH msg=audit(1721180030.539:708): item=0 name="/usr/lib/systemd/systemd-sysctl" inode=355868 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:systemd_sysctl_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
388type=PATH msg=audit(1721180030.539:708): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=65140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
389type=PROCTITLE msg=audit(1721180030.539:708): proctitle=2F7573722F6C69622F73797374656D642F73797374656D642D73797363746C002D2D7072656669783D2F6E65742F697076342F636F6E662F7665746865653330316437002D2D7072656669783D2F6E65742F697076342F6E656967682F7665746865653330316437002D2D7072656669783D2F6E65742F697076362F636F6E66
390---
391type=SYSCALL msg=audit(1721180030.542:709): arch=c000003e syscall=231 a0=0 a1=0 a2=0 a3=ffffffffffffff60 items=0 ppid=3486 pid=3487 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
392type=PROCTITLE msg=audit(1721180030.542:709): proctitle=2F7573722F6C69622F73797374656D642F73797374656D642D73797363746C002D2D7072656669783D2F6E65742F697076342F636F6E662F7665746865653330316437002D2D7072656669783D2F6E65742F697076342F6E656967682F7665746865653330316437002D2D7072656669783D2F6E65742F697076362F636F6E66
393---
394type=ANOM_PROMISCUOUS msg=audit(1721180030.543:710): dev=vethc3c7cd5 prom=0 old_prom=256 auid=4294967295 uid=0 gid=0 ses=4294967295
395type=SYSCALL msg=audit(1721180030.543:710): arch=c000003e syscall=44 success=yes exit=32 a0=e a1=c0012182a0 a2=20 a3=0 items=0 ppid=1 pid=1315 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dockerd" exe="/usr/bin/dockerd" subj=system_u:system_r:container_runtime_t:s0 key=(null)
396type=SOCKADDR msg=audit(1721180030.543:710): saddr=100000000000000000000000
397type=PROCTITLE msg=audit(1721180030.543:710): proctitle=2F7573722F62696E2F646F636B657264002D480066643A2F2F002D2D636F6E7461696E6572643D2F72756E2F636F6E7461696E6572642F636F6E7461696E6572642E736F636B
398---
399type=SYSCALL msg=audit(1721180030.598:711): arch=c000003e syscall=231 a0=0 a1=0 a2=0 a3=4 items=0 ppid=2945 pid=3454 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="docker" exe="/usr/bin/docker" subj=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 key=(null)
400type=PROCTITLE msg=audit(1721180030.598:711): proctitle=646F636B65720073746F70007562756E7475
401---
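--- /dev/null
+++ b/old/audit.go
@@ -0,0 +1,127 @@
+package main
+
+import (
+ "errors"
+ "flag"
+ "fmt"
+ "io"
+ "log"
+ "os"
+
+ "github.com/elastic/go-libaudit/v2"
+ "github.com/elastic/go-libaudit/v2/auparse"
+)
+
+var (
+ fs = flag.NewFlagSet("audit", flag.ExitOnError)
+ diag = fs.String("diag", "", "dump raw information from kernel to file")
+ rate = fs.Uint("rate", 0, "rate limit in kernel (default 0, no rate limit)")
+ backlog = fs.Uint("backlog", 8192, "backlog limit")
+ immutable = fs.Bool("immutable", false, "make kernel audit settings immutable (requires reboot to undo)")
+ receiveOnly = fs.Bool("ro", false, "receive only using multicast, requires kernel 3.16+")
+)
+
+func main() {
+ if err := fs.Parse(os.Args[1:]); err != nil {
+ log.Fatal(err)
+ }
+
+ if err := read(); err != nil {
+ log.Fatalf("error: %v", err)
+ }
+}
+
+func read() error {
+ if os.Geteuid() != 0 {
+ return errors.New("you must be root to receive audit data")
+ }
+
+ // Write netlink response to a file for further analysis or for writing
+ // tests cases.
+ var diagWriter io.Writer
+ if *diag != "" {
+ f, err := os.OpenFile(*diag, os.O_CREATE|os.O_RDWR|os.O_TRUNC, 0o600)
+ if err != nil {
+ return err
+ }
+ defer f.Close()
+ diagWriter = f
+ }
+
+ log.Println("starting netlink client")
+
+ var err error
+ var client *libaudit.AuditClient
+ if *receiveOnly {
+ client, err = libaudit.NewMulticastAuditClient(diagWriter)
+ if err != nil {
+ return fmt.Errorf("failed to create receive-only audit client: %w", err)
+ }
+ defer client.Close()
+ } else {
+ client, err = libaudit.NewAuditClient(diagWriter)
+ if err != nil {
+ return fmt.Errorf("failed to create audit client: %w", err)
+ }
+ defer client.Close()
+
+ status, err := client.GetStatus()
+ if err != nil {
+ return fmt.Errorf("failed to get audit status: %w", err)
+ }
+ log.Printf("received audit status=%+v", status)
+
+ if status.Enabled == 0 {
+ log.Println("enabling auditing in the kernel")
+ if err = client.SetEnabled(true, libaudit.WaitForReply); err != nil {
+ return fmt.Errorf("failed to set enabled=true: %w", err)
+ }
+ }
+
+ if status.RateLimit != uint32(*rate) {
+ log.Printf("setting rate limit in kernel to %v", *rate)
+ if err = client.SetRateLimit(uint32(*rate), libaudit.NoWait); err != nil {
+ return fmt.Errorf("failed to set rate limit to unlimited: %w", err)
+ }
+ }
+
+ if status.BacklogLimit != uint32(*backlog) {
+ log.Printf("setting backlog limit in kernel to %v", *backlog)
+ if err = client.SetBacklogLimit(uint32(*backlog), libaudit.NoWait); err != nil {
+ return fmt.Errorf("failed to set backlog limit: %w", err)
+ }
+ }
+
+ if status.Enabled != 2 && *immutable {
+ log.Printf("setting kernel settings as immutable")
+ if err = client.SetImmutable(libaudit.NoWait); err != nil {
+ return fmt.Errorf("failed to set kernel as immutable: %w", err)
+ }
+ }
+
+ log.Printf("sending message to kernel registering our PID (%v) as the audit daemon", os.Getpid())
+ if err = client.SetPID(libaudit.NoWait); err != nil {
+ return fmt.Errorf("failed to set audit PID: %w", err)
+ }
+ }
+
+ return receive(client)
+}
+
+func receive(r *libaudit.AuditClient) error {
+ for {
+ rawEvent, err := r.Receive(false)
+ if err != nil {
+ return fmt.Errorf("receive failed: %w", err)
+ }
+
+ // Messages from 1300-2999 are valid audit messages.
+ if rawEvent.Type < auparse.AUDIT_USER_AUTH ||
+ rawEvent.Type > auparse.AUDIT_LAST_USER_MSG2 {
+ continue
+ }
+
+ fmt.Printf("type=%v msg=%s\n", rawEvent.Type, rawEvent.Data)
+ // fmt.Printf("type=%v\n", rawEvent.Type)
+ }
+}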
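Review bot: The comment on the record filter in receive() says "1300-2999", but the lower bound actually compared is auparse.AUDIT_USER_AUTH, which as far as I recall is 1100 in the kernel's audit.h, so user-space records in the 1100–1299 range (user auth, login and daemon records) pass the filter as well. Either compare against the 1300 boundary if that cutoff is intended, or reword the comment to match the code, e.g. `// Keep user-space and syscall audit records (AUDIT_USER_AUTH..AUDIT_LAST_USER_MSG2); lower-numbered types are presumably audit control replies.` In read(), the `status, err := client.GetStatus()` inside the else branch shadows the `err` declared just above it; it is harmless here because every error returns immediately, but `var status` plus `=` would keep a single error variable. The non-receive-only path also registers this process as the audit daemon via SetPID and then blocks in receive() with no stop condition, so the only way out is a receive error; a one-line comment stating that this displaces any running auditd would help whoever runs it next.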
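--- /dev/null
+++ b/old/auparse.go
@@ -0,0 +1,218 @@
+package main
+
+import (
+ "bufio"
+ "encoding/json"
+ "flag"
+ "fmt"
+ "io"
+ "log"
+ "os"
+ "time"
+
+ "gopkg.in/yaml.v3"
+
+ "github.com/elastic/go-libaudit/v2"
+ "github.com/elastic/go-libaudit/v2/aucoalesce"
+ "github.com/elastic/go-libaudit/v2/auparse"
+)
+
+var (
+ fs = flag.NewFlagSet("auparse", flag.ExitOnError)
+ in = fs.String("in", "-", "input file (defaults to stdin)")
+ out = fs.String("out", "-", "output file (defaults to stdout)")
+ interpret = fs.Bool("i", false, "interpret and normalize messages")
+ idLookup = fs.Bool("id", true, "lookup uid and gid values in messages (requires -i)")
+ format = fs.String("format", "", "output format, possible values - json, yaml, text (default)")
+)
+
+func main() {
+ if err := fs.Parse(os.Args[1:]); err != nil {
+ log.Fatal(err)
+ }
+
+ if err := processLogs(); err != nil {
+ log.Fatalf("error: %v", err)
+ }
+}
+
+func input() (io.ReadCloser, error) {
+ if *in == "-" {
+ return os.Stdin, nil
+ }
+
+ return os.Open(*in)
+}
+
+func output() (io.WriteCloser, error) {
+ if *out == "-" {
+ return os.Stdout, nil
+ }
+
+ return os.OpenFile(*out, os.O_CREATE|os.O_RDWR|os.O_TRUNC, 0o600)
+}
+
+func processLogs() error {
+ input, err := input()
+ if err != nil {
+ return err
+ }
+ defer input.Close()
+
+ output, err := output()
+ if err != nil {
+ return err
+ }
+ defer output.Close()
+
+ reassembler, err := libaudit.NewReassembler(5, 2*time.Second, &streamHandler{output})
+ if err != nil {
+ return fmt.Errorf("failed to create reassmbler: %w", err)
+ }
+ defer reassembler.Close()
+
+ // Start goroutine to periodically purge timed-out events.
+ go func() {
+ t := time.NewTicker(500 * time.Millisecond)
+ defer t.Stop()
+ for range t.C {
+ if reassembler.Maintain() != nil {
+ return
+ }
+ }
+ }()
+
+ // Process lines from the input.
+ s := bufio.NewScanner(input)
+ for s.Scan() {
+ line := s.Text()
+
+ auditMsg, err := auparse.ParseLogLine(line)
+ if err != nil {
+ log.Printf("failed to parse message header: %v", err)
+ }
+
+ reassembler.PushMessage(auditMsg)
+ }
+
+ return nil
+}
+
+type streamHandler struct {
+ output io.Writer
+}
+
+func (s *streamHandler) ReassemblyComplete(msgs []*auparse.AuditMessage) {
+ if err := s.outputMultipleMessages(msgs); err != nil {
+ log.Printf("[WARN] failed writing message to output: %v", err)
+ }
+}
+
+func (*streamHandler) EventsLost(count int) {
+ log.Printf("detected the loss of %v sequences.", count)
+}
+
+func (s *streamHandler) outputMultipleMessages(msgs []*auparse.AuditMessage) error {
+ var err error
+ if !*interpret {
+ if _, err = s.output.Write([]byte("---\n")); err != nil {
+ return err
+ }
+ for _, m := range msgs {
+ if err = s.outputSingleMessage(m); err != nil {
+ return err
+ }
+ }
+ return nil
+ }
+
+ event, err := aucoalesce.CoalesceMessages(msgs)
+ if err != nil {
+ log.Printf("failed to coalesce messages: %v", err)
+ return nil
+ }
+
+ if *idLookup {
+ aucoalesce.ResolveIDs(event)
+ }
+
+ switch *format {
+ case "json":
+ if err := s.printJSON(event); err != nil {
+ log.Printf("failed to marshal event to JSON: %v", err)
+ }
+ case "yaml":
+ if _, err := s.output.Write([]byte("---\n")); err != nil {
+ return err
+ }
+ if err := s.printYAML(event); err != nil {
+ log.Printf("failed to marshal message to YAML: %v", err)
+ }
+ default:
+ sm := event.Summary
+ if _, err := s.output.Write([]byte("---\n")); err != nil {
+ return err
+ }
+
+ _, err := fmt.Fprintf(
+ s.output,
+ `time="%v" sequence=%v category=%v type=%v actor=%v/%v action=%v thing=%v/%v how=%v tags=%v`+"\n",
+ event.Timestamp, event.Sequence, event.Category, event.Type, sm.Actor.Primary, sm.Actor.Secondary,
+ sm.Action, sm.Object.Primary, sm.Object.Secondary, sm.How, event.Tags,
+ )
+ if err != nil {
+ return err
+ }
+ }
+ return nil
+}
+
+func (s *streamHandler) outputSingleMessage(m *auparse.AuditMessage) error {
+ switch *format {
+ case "json":
+ if err := s.printJSON(m.ToMapStr()); err != nil {
+ log.Printf("failed to marshal message to JSON: %v", err)
+ }
+ case "yaml":
+ if err := s.printYAML(m.ToMapStr()); err != nil {
+ log.Printf("failed to marshal message to YAML: %v", err)
+ }
+ default:
+ if _, err := fmt.Fprintf(
+ s.output,
+ "type=%v msg=%v\n",
+ m.RecordType, m.RawData,
+ ); err != nil {
+ return err
+ }
+ }
+ return nil
+}
+
+func (s *streamHandler) printJSON(v interface{}) error {
+ jsonBytes, err := json.Marshal(v)
+ if err != nil {
+ return err
+ }
+ if _, err = s.output.Write(jsonBytes); err != nil {
+ return err
+ }
+ if _, err = s.output.Write([]byte("\n")); err != nil {
+ return err
+ }
+ return nil
+}
+
+func (s *streamHandler) printYAML(v interface{}) error {
+ yamlBytes, err := yaml.Marshal(v)
+ if err != nil {
+ return err
+ }
+ if _, err = s.output.Write(yamlBytes); err != nil {
+ return err
+ }
+ if _, err = s.output.Write([]byte("\n")); err != nil {
+ return err
+ }
+ return nil
+}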
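Review bot: In processLogs() a line that fails auparse.ParseLogLine is still passed to reassembler.PushMessage, because the error branch only logs; the message returned alongside a non-nil error is presumably nil, so add `continue` after the `log.Printf("failed to parse message header: %v", err)` line. The scan loop also returns nil without consulting s.Err(), so a read error or a line longer than bufio.Scanner's default token limit ends the loop silently and every later audit event is dropped without any indication — for a tool whose job is to reconstruct the audit record, that is a gap a reader of the output cannot see; add `if err := s.Err(); err != nil { return fmt.Errorf("reading input: %w", err) }` after the loop. A smaller point of style: outputMultipleMessages emits a `---` separator for the yaml and text formats but not for json, which looks deliberate (one object per line) and deserves a one-line comment on the json case saying so.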