type=DAEMON_START msg=audit(1175763155.077:1928) auditd start, ver=1.3.1, format=raw, auid=500 pid=30441 res=success, auditd pid=30441
type=SYSCALL msg=audit(1175763155.131:66873): arch=c000003e syscall=4 success=no exit=-13 a0=1f849b20 a1=7fff97a49840 a2=7fff97a49840 a3=1f849b20 items=1 ppid=30441 pid=30443 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python" subj=user_u:system_r:auditd_t:s0 key=(null)
type=CONFIG_CHANGE msg=audit(1175763155.132:66874): audit_enabled=1 old=1 by auid=500 subj=user_u:system_r:auditd_t:s0
type=AVC_PATH msg=audit(1175763155.131:66873):  path="/var/run/audit_events"
type=CWD msg=audit(1175763155.131:66873):  cwd="/"
type=PATH msg=audit(1175763155.131:66873): item=0 name="/var/run/audit_events" inode=2097204 dev=fd:00 mode=0140755 ouid=0 ogid=0 rdev=00:00 obj=user_u:object_r:var_run_t:s0
type=CONFIG_CHANGE msg=audit(1175763155.139:66875): audit_backlog_limit=256 old=256 by auid=500 subj=user_u:system_r:auditctl_t:s0
type=CONFIG_CHANGE msg=audit(1175763157.149:66876): auid=500 subj=user_u:system_r:auditctl_t:s0 op=add rule key=(null) list=5 res=1
type=CONFIG_CHANGE msg=audit(1175763157.155:66877): auid=500 subj=user_u:system_r:auditctl_t:s0 op=add rule key="ausearch_test_rule" list=2 res=1
type=USER_AUTH msg=audit(1175763159.167:66878): user pid=30452 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: authentication acct=ausrch_u : exe="/bin/su" (hostname=?, addr=?, terminal=pts/2 res=success)'
type=USER_ACCT msg=audit(1175763159.167:66879): user pid=30452 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: accounting acct=ausrch_u : exe="/bin/su" (hostname=?, addr=?, terminal=pts/2 res=success)'
type=USER_START msg=audit(1175763159.168:66880): user pid=30452 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: session open acct=ausrch_u : exe="/bin/su" (hostname=?, addr=?, terminal=pts/2 res=success)'
type=CRED_ACQ msg=audit(1175763159.168:66881): user pid=30452 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: setcred acct=ausrch_u : exe="/bin/su" (hostname=?, addr=?, terminal=pts/2 res=success)'
type=SYSCALL msg=audit(1175763159.174:66882): arch=c000003e syscall=90 success=yes exit=0 a0=113d90b0 a1=1ff a2=1ff a3=0 items=1 ppid=30452 pid=30453 auid=500 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503 sgid=503 fsgid=503 tty=(none) comm="chmod" exe="/bin/chmod" subj=user_u:system_r:unconfined_t:s0 key="ausearch_test_rule"
type=CWD msg=audit(1175763159.174:66882):  cwd="/rhcc/lspp/tests/LTP/ltp-merged/testcases/audit/audit_tools"
type=PATH msg=audit(1175763159.174:66882): item=0 name="/tmp/ausearch_foo" inode=2195460 dev=fd:00 mode=0100644 ouid=503 ogid=0 rdev=00:00 obj=user_u:object_r:tmp_t:s0
type=CRED_DISP msg=audit(1175763159.174:66883): user pid=30452 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: setcred acct=ausrch_u : exe="/bin/su" (hostname=?, addr=?, terminal=pts/2 res=success)'
type=USER_END msg=audit(1175763159.175:66884): user pid=30452 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: session close acct=ausrch_u : exe="/bin/su" (hostname=?, addr=?, terminal=pts/2 res=success)'
type=SYSCALL msg=audit(1175763159.178:66885): arch=c000003e syscall=90 success=yes exit=0 a0=117150b0 a1=1ed a2=1ed a3=0 items=1 ppid=30371 pid=30454 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="chmod" exe="/bin/chmod" subj=user_u:system_r:unconfined_t:s0 key="ausearch_test_rule"
type=CWD msg=audit(1175763159.178:66885):  cwd="/rhcc/lspp/tests/LTP/ltp-merged/testcases/audit/audit_tools"
type=PATH msg=audit(1175763159.178:66885): item=0 name="do_login" inode=689275 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=user_u:object_r:bin_t:s0
type=USER_AUTH msg=audit(1175763172.204:66886): user pid=30463 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication acct=ausrch_u : exe="/usr/sbin/sshd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh res=success)'
type=USER_ACCT msg=audit(1175763172.205:66887): user pid=30463 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: accounting acct=ausrch_u : exe="/usr/sbin/sshd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh res=success)'
type=CRED_ACQ msg=audit(1175763172.267:66888): user pid=30461 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: setcred acct=ausrch_u : exe="/usr/sbin/sshd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh res=success)'
type=LOGIN msg=audit(1175763172.268:66889): login pid=30461 uid=0 old auid=4294967295 new auid=503
type=USER_START msg=audit(1175763172.269:66890): user pid=30461 uid=0 auid=503 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: session open acct=ausrch_u : exe="/usr/sbin/sshd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh res=success)'
type=CRED_REFR msg=audit(1175763172.271:66891): user pid=30464 uid=0 auid=503 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: setcred acct=ausrch_u : exe="/usr/sbin/sshd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh res=success)'
type=USER_LOGIN msg=audit(1175763172.275:66892): user pid=30461 uid=0 auid=503 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='uid=503: exe="/usr/sbin/sshd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=/dev/pts/4 res=success)'
type=CRED_DISP msg=audit(1175763183.363:66893): user pid=30461 uid=0 auid=503 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: setcred acct=ausrch_u : exe="/usr/sbin/sshd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh res=success)'
type=USER_END msg=audit(1175763183.364:66894): user pid=30461 uid=0 auid=503 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: session close acct=ausrch_u : exe="/usr/sbin/sshd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh res=failed)'
type=SYSCALL msg=audit(1175763183.365:66895): arch=c000003e syscall=90 success=yes exit=0 a0=5555557b5764 a1=1b6 a2=0 a3=0 items=1 ppid=2231 pid=30461 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 key="ausearch_test_rule"
type=CWD msg=audit(1175763183.365:66895):  cwd="/"
type=PATH msg=audit(1175763183.365:66895): item=0 name="/dev/pts/4" inode=6 dev=00:0b mode=020620 ouid=0 ogid=0 rdev=88:04 obj=user_u:object_r:devpts_t:s0
type=DAEMON_END msg=audit(1175763186.410:1929) auditd normal halt, sending auid=500 pid=30505 subj=user_u:system_r:initrc_t:s0 res=success, auditd pid=30441
type=DAEMON_START msg=audit(1175763188.810:1366) auditd start, ver=1.3.1, format=raw, auid=500 pid=30558 res=success, auditd pid=30558
type=SYSCALL msg=audit(1175763188.865:66904): arch=c000003e syscall=4 success=no exit=-13 a0=2de5b20 a1=7ffffb336130 a2=7ffffb336130 a3=2de5b20 items=1 ppid=30558 pid=30560 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python" subj=user_u:system_r:auditd_t:s0 key=(null)
type=CONFIG_CHANGE msg=audit(1175763188.865:66905): audit_enabled=1 old=1 by auid=500 subj=user_u:system_r:auditd_t:s0
type=AVC_PATH msg=audit(1175763188.865:66904):  path="/var/run/audit_events"
type=CWD msg=audit(1175763188.865:66904):  cwd="/"
type=PATH msg=audit(1175763188.865:66904): item=0 name="/var/run/audit_events" inode=2097204 dev=fd:00 mode=0140755 ouid=0 ogid=0 rdev=00:00 obj=user_u:object_r:var_run_t:s0
type=CONFIG_CHANGE msg=audit(1175763188.873:66906): audit_backlog_limit=256 old=256 by auid=500 subj=user_u:system_r:auditctl_t:s0