hartmantis · September 28, 2015 22:00
diff --git a/auditd_vs_snoopy b/auditd_vs_snoopy
 A simple `ls` command.

 Auditd:

 type=SYSCALL msg=audit(1443472662.093:768): arch=c000003e syscall=59 success=yes exit=0 a0=100f788 a1=ef0688 a2=fe0808 a3=7fff2f4cc550 items=2 ppid=18368 pid=19531 auid=900 uid=900 gid=900 euid=900 suid=900 fsuid=900 egid=900 sgid=900 fsgid=900 ses=5 tty=pts1 comm="ls" exe="/bin/ls" key=(null)
 type=EXECVE msg=audit(1443472662.093:768): argc=2 a0="ls" a1="--color=auto"
 type=CWD msg=audit(1443472662.093:768):  cwd="/home/vagrant"
 type=PATH msg=audit(1443472662.093:768): item=0 name="/bin/ls" inode=1308212 dev=fc:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
 type=PATH msg=audit(1443472662.093:768): item=1 name=(null) inode=2093204 dev=fc:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
 </code>

 Snoopy:

 Sep 28 20:40:09 vagrant snoopy[19699]: [uid:900 sid:19684 tty:/dev/pts/1 cwd:/home/vagrant filename:/bin/ls]: ls --color=auto
	A simple `ls` command.

	Auditd:

	type=SYSCALL msg=audit(1443472662.093:768): arch=c000003e syscall=59 success=yes exit=0 a0=100f788 a1=ef0688 a2=fe0808 a3=7fff2f4cc550 items=2 ppid=18368 pid=19531 auid=900 uid=900 gid=900 euid=900 suid=900 fsuid=900 egid=900 sgid=900 fsgid=900 ses=5 tty=pts1 comm="ls" exe="/bin/ls" key=(null)
	type=EXECVE msg=audit(1443472662.093:768): argc=2 a0="ls" a1="--color=auto"
	type=CWD msg=audit(1443472662.093:768): cwd="/home/vagrant"
	type=PATH msg=audit(1443472662.093:768): item=0 name="/bin/ls" inode=1308212 dev=fc:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
	type=PATH msg=audit(1443472662.093:768): item=1 name=(null) inode=2093204 dev=fc:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
	</code>

	Snoopy:

	Sep 28 20:40:09 vagrant snoopy[19699]: [uid:900 sid:19684 tty:/dev/pts/1 cwd:/home/vagrant filename:/bin/ls]: ls --color=auto