
Fix #3, also add the cwd for #1

George Baugh 3 年之前
父節點
當前提交
c7a057e347
共有 3 個文件被更改,包括 73 次插入42 次删除
  1. 37 8
      lib/Audit/Log.pm
  2. 5 3
      t/Audit-Log.t
  3. 31 31
      t/audit.log

+ 37 - 8
lib/Audit/Log.pm

@@ -22,7 +22,8 @@ You can use auditd for a number of other interesting purposes, which this should
     my $parser = Audit::Log->new();
     my $rows = $parser->search(
         type     => qr/path/i,
-        nametype => qr/delete|create/i,
+        nametype => qr/delete|create|normal/i,
+        name     => qr/somefile.txt/i,
     );
 
 =head1 CONSTRUCTOR
@@ -37,6 +38,17 @@ if none is provided.
 
 Also can filter returned keys by the provided array to not allocate unnecesarily in low mem situations.
 
+=head3 using with ausearch
+
+It's common to have the audit log be quite verbose, and log-rotated.
+To get around that you can dump pieces of the audit log as appropriate with ausearch.
+Here's an example of dumping keyed events for the last day, which you could then load into new().
+
+    ausearch --raw --key backupwatch -ts `date --date yesterday '+%x'` > yesterdays-audit.log
+
+Even then the audit log is quite likely to only have a few days of retention.
+Be sure to stash results appropriately.
+
 =cut
 
 sub new {
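Review bot: The new ausearch example redirects raw audit records into `yesterdays-audit.log` in the current directory under whatever umask the shell happens to have. Audit records carry usernames, command lines and file paths and are normally readable by root only, so the POD should tell readers to keep the dump equally restricted, for example by running `umask 077` before the redirect, and to store or delete it deliberately. ausearch also accepts the keyword form `-ts yesterday`, which would avoid the locale-dependent date subshell.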
@@ -55,7 +67,7 @@ If no constraints are provided, all matching rows will be returned.
 
 Example:
 
-    my $rows = $parser->search( type => qr/path/i, nametype=qr/delete|create/i );
+    my $rows = $parser->search( type => qr/path/i, nametype=qr/delete|create|normal/i );
 
 The above effectively will get you a list of all file modifications/creations/deletions in watched directories.
 
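Review bot: The example on the changed line still reads `nametype=qr/delete|create|normal/i`, which is an assignment to a bareword rather than a named argument and will not compile under strict when copied out of the POD. It should be `nametype => qr/delete|create|normal/i`, as the SYNOPSIS hunk already writes it. The same slip is on the changed example lines of the three following POD hunks (the key, newer and CWD examples).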
@@ -69,7 +81,7 @@ We can speed up processing by ignoring events of the incorrect key.
 
 Example:
 
-    my $rows = $parser->search( type => qr/path/i, nametype=qr/delete|create/i, key => qr/backup_watch/i );
+    my $rows = $parser->search( type => qr/path/i, nametype=qr/delete|create|normal/i, key => qr/backup_watch/i );
 
 The above will ignore events from all rules save those from the "backup_watch" rule.
 
@@ -81,9 +93,17 @@ Pass in 'older' and 'newer', and we can filter out things appropriately.
 Example:
 
     # Get all records that are from the last 24 hours
-    my $rows = $parser->search( type => qr/path/i, nametype=qr/delete|create/i, newer => ( time - 86400 ) );
+    my $rows = $parser->search( type => qr/path/i, nametype=qr/delete|create|normal/i, newer => ( time - 86400 ) );
 
-Handling rotated logs is left as an exercise for the reader.
+=head3 Getting full paths with CWDs
+
+PATH records don't actually store the full path to what is acted upon unless the process acting upon it used an absolute path.
+Thankfully, SYSCALL records are are always followed by a CWD record.  As such we add the 'cwd' field to all subsequent records.
+As such, you can build full paths like so:
+
+    my $parser = Audit::Log->new(undef, 'name', 'cwd');
+    my $rows = $parser->search( type => qr/path/i, nametype=qr/delete|create|normal/i );
+    my @full_paths = map { "$_->{cwd}/$_->{name}" } @$rows;
 
 =cut
 
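Review bot: The example `map { "$_->{cwd}/$_->{name}" } @$rows` prepends the cwd even when `name` is already absolute, which is exactly the case the first sentence of this section describes. A guarded form would be `map { $_->{name} =~ m{^/} ? $_->{name} : "$_->{cwd}/$_->{name}" } @$rows`. The POD should also say that `cwd` is an empty string when no CWD record preceded the row, and that PATH records can carry `name=(null)` (t/audit.log has one), which presumably should be skipped rather than joined. The doubled "are are" in the second sentence can be fixed in the same pass.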
@@ -93,6 +113,7 @@ sub search {
     my $ret = [];
     my $in_block = 1;
     my $line = -1;
+    my $cwd = '';
     open(my $fh, '<', $self->{path});
     LINE: while (<$fh>) {
         next if index( $_, 'SYSCALL') < 0 && !$in_block;
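Review bot: The `open(my $fh, '<', $self->{path});` directly below the new `my $cwd = '';` is unchecked, so a missing or unreadable audit log makes the loop run zero times and search() presumably returns its empty `$ret`, indistinguishable from "no matching events". For a tool used to review audit trails that silent false negative matters; `open(my $fh, '<', $self->{path}) or die "Cannot open $self->{path}: $!";` would surface it. search's body starts and ends outside the hunk.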
@@ -100,10 +121,17 @@ sub search {
         # I am trying to cheat here to snag the timestamp.
         my $msg_start = index($_, 'msg=audit(') + 10;
         my $msg_end   = index($_, ':');
-        my $timestamp = substr($_, $msg_start, $msg_end - $msg_start)."\n";
+        my $timestamp = substr($_, $msg_start, $msg_end - $msg_start);
         next if $options{older} && $timestamp > $options{older};
         next if $options{newer} && $timestamp < $options{newer};
 
+        # Snag CWDs
+        if ( index( $_, 'type=CWD') == 0) {
+            my $cwd_start = index($_, 'cwd="') + 5;
+            my $cwd_end   = index($_, "\n") - 1;
+            $cwd = substr($_, $cwd_start, $cwd_end - $cwd_start);
+        }
+
         # Replace GROUP SEPARATOR usage with simple spaces
         s/[\x1D]/ /g;
 
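Review bot: The added `if ( index( $_, 'type=CWD') == 0)` block extracts the cwd correctly only when the value is double-quoted and the closing quote is the last character before the newline. Audit fields can also be written unquoted and hex-encoded (the `cmd=` values in t/audit.log show that form); in that case `index($_, 'cwd="')` returns -1, the substr starts at offset 4 and returns garbage, and a final line with no newline makes the computed length negative. One anchored match handles both forms: `if ( /^type=CWD .*?\bcwd=(?:"([^"]*)"|([0-9A-Fa-f]+))/ ) { $cwd = defined $1 ? $1 : pack('H*', $2); }`. Directory names are chosen by the process being audited, so this value should be parsed as untrusted input. search's body starts and ends outside the hunk.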
@@ -118,12 +146,13 @@ sub search {
         } split(/ /,$_);
 
         $line++;
-        $parsed{line} = $line;
-        chomp $timestamp;
+        $parsed{line}      = $line;
         $parsed{timestamp} = $timestamp;
+        $parsed{cwd}       = $cwd;
 
         if (exists $options{key} && $parsed{type} eq 'SYSCALL') {
             $in_block = $parsed{key} =~ $options{key};
+            $cwd = '';
             next unless $in_block;
         }
 
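Review bot: `$cwd = '';` is reached only inside `if (exists $options{key} && $parsed{type} eq 'SYSCALL')`, so a search without a `key` constraint never clears it and every following record, including unrelated non-SYSCALL events, is tagged with the last cwd seen until another CWD record arrives. Even with a key, the SYSCALL row itself has already received the previous event's cwd two lines earlier. Clearing on every SYSCALL ahead of the assignment avoids both: put `$cwd = '' if $parsed{type} eq 'SYSCALL';` before `$parsed{cwd} = $cwd;`. If records from different events can interleave in the log, remembering the cwd per event serial from `msg=audit(TIMESTAMP:SERIAL)` would be more robust still. search's body continues outside the hunk.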

+ 5 - 3
t/Audit-Log.t

@@ -8,7 +8,7 @@ use Test::Deep;
 use Audit::Log;
 use List::Util 1.45 qw{uniq};
 
-my $parser = Audit::Log->new('t/audit.log','name','type','nametype','line','timestamp');
+my $parser = Audit::Log->new('t/audit.log','name','type','nametype','line','timestamp', 'cwd');
 my $rows = $parser->search( type => qr/path/i, nametype => qr/create|delete/i, name => qr/^backups\/[^\.]/, key => qr/backupwatch/, older => 1642448670, newer => 1642441403 );
 
 my $expected = [
@@ -17,14 +17,16 @@ my $expected = [
     'timestamp' => '1642441406.575',
     'type' => 'PATH',
     'nametype' => 'CREATE',
-    'name' => 'backups/test.txt'
+    'name' => 'backups/test.txt',
+    'cwd'  => '/testpath',
   },
   {
     'type' => 'PATH',
     'timestamp' => '1642441412.975',
     'line' => 8,
     'name' => 'backups/testme.txt',
-    'nametype' => 'DELETE'
+    'nametype' => 'DELETE',
+    'cwd'      => '/testpath',
   }
 ];
 
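Review bot: Both expected rows gain `'cwd' => '/testpath'`, and every CWD record visible in the fixture carries that same value, so this test would still pass if a row were paired with the wrong event's cwd. Giving at least one event in t/audit.log a different cwd, and adding a search() call without `key`, would exercise the reset logic added in lib/Audit/Log.pm. A CWD record with an unquoted, hex-encoded value would be worth a case as well.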

+ 31 - 31
t/audit.log

@@ -13,13 +13,13 @@ type=SERVICE_START msg=audit(1642441165.947:64): pid=1 uid=0 auid=4294967295 ses
 type=USER_END msg=audit(1642441166.771:65): pid=11275 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:session_close grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 type=CRED_DISP msg=audit(1642441166.771:66): pid=11275 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 type=USER_ACCT msg=audit(1642441188.763:67): pid=11909 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:accounting grantors=pam_permit acct="doge" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
-type=USER_CMD msg=audit(1642441188.763:68): pid=11909 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='cwd="/home/doge/Code/client-scripts/holophrastic" cmd=736572766963652061756469746420737461747573 exe="/usr/bin/sudo" terminal=pts/1 res=success'UID="doge" AUID="unset"
+type=USER_CMD msg=audit(1642441188.763:68): pid=11909 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='cwd="/testpath" cmd=736572766963652061756469746420737461747573 exe="/usr/bin/sudo" terminal=pts/1 res=success'UID="doge" AUID="unset"
 type=CRED_REFR msg=audit(1642441188.763:69): pid=11909 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit,pam_cap acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 type=USER_START msg=audit(1642441188.763:70): pid=11909 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:session_open grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 type=USER_END msg=audit(1642441188.815:71): pid=11909 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:session_close grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 type=CRED_DISP msg=audit(1642441188.815:72): pid=11909 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 type=USER_ACCT msg=audit(1642441381.779:73): pid=12068 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:accounting grantors=pam_permit acct="doge" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
-type=USER_CMD msg=audit(1642441381.779:74): pid=12068 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='cwd="/home/doge/Code/client-scripts/holophrastic" cmd=617564697463746C202D77202F686F6D652F646F67652F436F64652F636C69656E742D736372697074732F686F6C6F70687261737469632F6261636B757073202D702077617278202D6B206261636B75707761746368 exe="/usr/bin/sudo" terminal=pts/1 res=success'UID="doge" AUID="unset"
+type=USER_CMD msg=audit(1642441381.779:74): pid=12068 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='cwd="/testpath" cmd=617564697463746C202D77202F686F6D652F646F67652F436F64652F636C69656E742D736372697074732F686F6C6F70687261737469632F6261636B757073202D702077617278202D6B206261636B75707761746368 exe="/usr/bin/sudo" terminal=pts/1 res=success'UID="doge" AUID="unset"
 type=CRED_REFR msg=audit(1642441381.779:75): pid=12068 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit,pam_cap acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 type=USER_START msg=audit(1642441381.779:76): pid=12068 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:session_open grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 type=CONFIG_CHANGE msg=audit(1642441381.779:77): auid=4294967295 ses=4294967295 subj=unconfined op=add_rule key="backupwatch" list=4 res=1AUID="unset"
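Review bot: The hex-encoded `cmd=` value on the `1642441381.779:74` USER_CMD line is left unchanged and still decodes to an auditctl command line containing the original home-directory path, although the quoted `cwd=` on the same line is replaced with `/testpath`. If the aim was to scrub the developer's paths from the fixture, the hex-encoded `cmd=` fields (and possibly the `proctitle=` fields) need the same treatment. If the aim was only to make the expected cwd stable for the test, a short comment in the commit message saying so would prevent the assumption that the file is sanitized.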
@@ -28,39 +28,39 @@ type=PROCTITLE msg=audit(1642441381.779:77): proctitle=617564697463746C002D77002
 type=USER_END msg=audit(1642441381.783:78): pid=12068 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:session_close grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 type=CRED_DISP msg=audit(1642441381.783:79): pid=12068 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 type=SYSCALL msg=audit(1642441391.567:80): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffe41a5b831 a2=941 a3=1b6 items=2 ppid=3354 pid=12075 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4294967295 comm="touch" exe="/usr/bin/touch" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=openat AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
-type=CWD msg=audit(1642441391.567:80): cwd="/home/doge/Code/client-scripts/holophrastic"
+type=CWD msg=audit(1642441391.567:80): cwd="/testpath"
 type=PATH msg=audit(1642441391.567:80): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PATH msg=audit(1642441391.567:80): item=1 name="backups/test.txt" inode=10881960 dev=103:02 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PROCTITLE msg=audit(1642441391.567:80): proctitle=746F756368006261636B7570732F746573742E747874
 type=SYSCALL msg=audit(1642441402.623:81): arch=c000003e syscall=316 success=yes exit=0 a0=ffffff9c a1=7ffe4b295824 a2=ffffff9c a3=7ffe4b295835 items=4 ppid=3354 pid=12083 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4294967295 comm="mv" exe="/usr/bin/mv" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=renameat2 AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
-type=CWD msg=audit(1642441402.623:81): cwd="/home/doge/Code/client-scripts/holophrastic"
+type=CWD msg=audit(1642441402.623:81): cwd="/testpath"
 type=PATH msg=audit(1642441402.623:81): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PATH msg=audit(1642441402.623:81): item=1 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PATH msg=audit(1642441402.623:81): item=2 name="backups/test.txt" inode=10881960 dev=103:02 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PATH msg=audit(1642441402.623:81): item=3 name="backups/testme.txt" inode=10881960 dev=103:02 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PROCTITLE msg=audit(1642441402.623:81): proctitle=6D76006261636B7570732F746573742E747874006261636B7570732F746573746D652E747874
 type=SYSCALL msg=audit(1642441406.575:82): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7fffb180d831 a2=941 a3=1b6 items=2 ppid=3354 pid=12087 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4294967295 comm="touch" exe="/usr/bin/touch" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=openat AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
-type=CWD msg=audit(1642441406.575:82): cwd="/home/doge/Code/client-scripts/holophrastic"
+type=CWD msg=audit(1642441406.575:82): cwd="/testpath"
 type=PATH msg=audit(1642441406.575:82): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PATH msg=audit(1642441406.575:82): item=1 name="backups/test.txt" inode=10881995 dev=103:02 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PROCTITLE msg=audit(1642441406.575:82): proctitle=746F756368006261636B7570732F746573742E747874
 type=SYSCALL msg=audit(1642441412.975:83): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55ca3d8054d0 a2=0 a3=0 items=2 ppid=3354 pid=12093 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4294967295 comm="rm" exe="/usr/bin/rm" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=unlinkat AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
-type=CWD msg=audit(1642441412.975:83): cwd="/home/doge/Code/client-scripts/holophrastic"
+type=CWD msg=audit(1642441412.975:83): cwd="/testpath"
 type=PATH msg=audit(1642441412.975:83): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PATH msg=audit(1642441412.975:83): item=1 name="backups/testme.txt" inode=10881960 dev=103:02 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PROCTITLE msg=audit(1642441412.975:83): proctitle=726D006261636B7570732F746573746D652E747874
 type=SYSCALL msg=audit(1642441419.063:84): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=55b8e9c09500 a2=1fd a3=49 items=1 ppid=3354 pid=12097 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4294967295 comm="chmod" exe="/usr/bin/chmod" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=fchmodat AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
-type=CWD msg=audit(1642441419.063:84): cwd="/home/doge/Code/client-scripts/holophrastic"
+type=CWD msg=audit(1642441419.063:84): cwd="/testpath"
 type=PATH msg=audit(1642441419.063:84): item=0 name="backups/test.txt" inode=10881995 dev=103:02 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PROCTITLE msg=audit(1642441419.063:84): proctitle=63686D6F64002B78006261636B7570732F746573742E747874
 type=USER_ACCT msg=audit(1642441428.163:85): pid=12106 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:accounting grantors=pam_permit acct="doge" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
-type=USER_CMD msg=audit(1642441428.163:86): pid=12106 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='cwd="/home/doge/Code/client-scripts/holophrastic" cmd="aureport" exe="/usr/bin/sudo" terminal=pts/1 res=success'UID="doge" AUID="unset"
+type=USER_CMD msg=audit(1642441428.163:86): pid=12106 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='cwd="/testpath" cmd="aureport" exe="/usr/bin/sudo" terminal=pts/1 res=success'UID="doge" AUID="unset"
 type=CRED_REFR msg=audit(1642441428.163:87): pid=12106 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit,pam_cap acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 type=USER_START msg=audit(1642441428.163:88): pid=12106 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:session_open grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 type=USER_END msg=audit(1642441428.167:89): pid=12106 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:session_close grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 type=CRED_DISP msg=audit(1642441428.167:90): pid=12106 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 type=USER_ACCT msg=audit(1642441461.555:91): pid=12157 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:accounting grantors=pam_permit acct="doge" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
-type=USER_CMD msg=audit(1642441461.555:92): pid=12157 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='cwd="/home/doge/Code/client-scripts/holophrastic" cmd=6C657373202F7661722F6C6F672F61756469742F61756469742E6C6F67 exe="/usr/bin/sudo" terminal=pts/1 res=success'UID="doge" AUID="unset"
+type=USER_CMD msg=audit(1642441461.555:92): pid=12157 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='cwd="/testpath" cmd=6C657373202F7661722F6C6F672F61756469742F61756469742E6C6F67 exe="/usr/bin/sudo" terminal=pts/1 res=success'UID="doge" AUID="unset"
 type=CRED_REFR msg=audit(1642441461.555:93): pid=12157 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit,pam_cap acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 type=USER_START msg=audit(1642441461.555:94): pid=12157 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:session_open grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 type=USER_ACCT msg=audit(1642441501.679:95): pid=12164 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:accounting grantors=pam_permit acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'UID="root" AUID="unset"
@@ -228,97 +228,97 @@ type=USER_END msg=audit(1642448701.856:222): pid=14711 uid=0 auid=0 ses=37 subj=
 type=SERVICE_START msg=audit(1642448992.440:223): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
 type=SERVICE_STOP msg=audit(1642449003.084:224): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
 type=SYSCALL msg=audit(1642449025.700:225): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=556754f22ce0 a2=0 a3=0 items=1 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=openat AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
-type=CWD msg=audit(1642449025.700:225): cwd="/home/doge/Code/client-scripts/holophrastic"
+type=CWD msg=audit(1642449025.700:225): cwd="/testpath"
 type=PATH msg=audit(1642449025.700:225): item=0 name="backups/test.txt" inode=10881995 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PROCTITLE msg=audit(1642449025.700:225): proctitle=76696D006261636B7570732F746573742E747874
 type=SYSCALL msg=audit(1642449025.700:226): arch=c000003e syscall=89 success=no exit=-22 a0=7ffc7917e020 a1=7ffc7917f080 a2=fff a3=21 items=1 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=readlink AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
-type=CWD msg=audit(1642449025.700:226): cwd="/home/doge/Code/client-scripts/holophrastic"
+type=CWD msg=audit(1642449025.700:226): cwd="/testpath"
 type=PATH msg=audit(1642449025.700:226): item=0 name="backups/test.txt" inode=10881995 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PROCTITLE msg=audit(1642449025.700:226): proctitle=76696D006261636B7570732F746573742E747874
 type=SYSCALL msg=audit(1642449025.700:227): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=5567551b4090 a2=c2 a3=180 items=2 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=openat AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
-type=CWD msg=audit(1642449025.700:227): cwd="/home/doge/Code/client-scripts/holophrastic"
+type=CWD msg=audit(1642449025.700:227): cwd="/testpath"
 type=PATH msg=audit(1642449025.700:227): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PATH msg=audit(1642449025.700:227): item=1 name="backups/.test.txt.swp" inode=10881809 dev=103:02 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PROCTITLE msg=audit(1642449025.700:227): proctitle=76696D006261636B7570732F746573742E747874
 type=SYSCALL msg=audit(1642449025.700:228): arch=c000003e syscall=257 success=yes exit=5 a0=ffffff9c a1=556754f238b0 a2=c2 a3=180 items=2 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=openat AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
-type=CWD msg=audit(1642449025.700:228): cwd="/home/doge/Code/client-scripts/holophrastic"
+type=CWD msg=audit(1642449025.700:228): cwd="/testpath"
 type=PATH msg=audit(1642449025.700:228): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PATH msg=audit(1642449025.700:228): item=1 name="backups/.test.txt.swx" inode=10881889 dev=103:02 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PROCTITLE msg=audit(1642449025.700:228): proctitle=76696D006261636B7570732F746573742E747874
 type=SYSCALL msg=audit(1642449025.700:229): arch=c000003e syscall=87 success=yes exit=0 a0=556754f238b0 a1=7f0a20d2ccd6 a2=0 a3=1000 items=2 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=unlink AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
-type=CWD msg=audit(1642449025.700:229): cwd="/home/doge/Code/client-scripts/holophrastic"
+type=CWD msg=audit(1642449025.700:229): cwd="/testpath"
 type=PATH msg=audit(1642449025.700:229): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PATH msg=audit(1642449025.700:229): item=1 name="backups/.test.txt.swx" inode=10881889 dev=103:02 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PROCTITLE msg=audit(1642449025.700:229): proctitle=76696D006261636B7570732F746573742E747874
 type=SYSCALL msg=audit(1642449025.700:230): arch=c000003e syscall=87 success=yes exit=0 a0=5567551b4090 a1=7f0a20d2ccd6 a2=0 a3=1000 items=2 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=unlink AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
-type=CWD msg=audit(1642449025.700:230): cwd="/home/doge/Code/client-scripts/holophrastic"
+type=CWD msg=audit(1642449025.700:230): cwd="/testpath"
 type=PATH msg=audit(1642449025.700:230): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PATH msg=audit(1642449025.700:230): item=1 name="backups/.test.txt.swp" inode=10881809 dev=103:02 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PROCTITLE msg=audit(1642449025.700:230): proctitle=76696D006261636B7570732F746573742E747874
 type=SYSCALL msg=audit(1642449025.700:231): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=5567551b4090 a2=200c2 a3=180 items=2 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=openat AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
-type=CWD msg=audit(1642449025.700:231): cwd="/home/doge/Code/client-scripts/holophrastic"
+type=CWD msg=audit(1642449025.700:231): cwd="/testpath"
 type=PATH msg=audit(1642449025.700:231): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PATH msg=audit(1642449025.700:231): item=1 name="backups/.test.txt.swp" inode=10881809 dev=103:02 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PROCTITLE msg=audit(1642449025.700:231): proctitle=76696D006261636B7570732F746573742E747874
 type=SYSCALL msg=audit(1642449025.700:232): arch=c000003e syscall=90 success=yes exit=0 a0=5567551b4090 a1=1a4 a2=556754576420 a3=5567545763a0 items=1 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=chmod AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
-type=CWD msg=audit(1642449025.700:232): cwd="/home/doge/Code/client-scripts/holophrastic"
+type=CWD msg=audit(1642449025.700:232): cwd="/testpath"
 type=PATH msg=audit(1642449025.700:232): item=0 name="backups/.test.txt.swp" inode=10881809 dev=103:02 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PROCTITLE msg=audit(1642449025.700:232): proctitle=76696D006261636B7570732F746573742E747874
 type=SYSCALL msg=audit(1642449025.700:233): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=556754f22ce0 a2=0 a3=0 items=1 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=openat AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
-type=CWD msg=audit(1642449025.700:233): cwd="/home/doge/Code/client-scripts/holophrastic"
+type=CWD msg=audit(1642449025.700:233): cwd="/testpath"
 type=PATH msg=audit(1642449025.700:233): item=0 name="backups/test.txt" inode=10881995 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PROCTITLE msg=audit(1642449025.700:233): proctitle=76696D006261636B7570732F746573742E747874
 type=SYSCALL msg=audit(1642449028.256:234): arch=c000003e syscall=191 success=no exit=-61 a0=556754f22ce0 a1=7f0a21316000 a2=7ffc7917fd80 a3=84 items=1 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=getxattr AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
-type=CWD msg=audit(1642449028.256:234): cwd="/home/doge/Code/client-scripts/holophrastic"
+type=CWD msg=audit(1642449028.256:234): cwd="/testpath"
 type=PATH msg=audit(1642449028.256:234): item=0 name="backups/test.txt" inode=10881995 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PROCTITLE msg=audit(1642449028.256:234): proctitle=76696D006261636B7570732F746573742E747874
 type=SYSCALL msg=audit(1642449028.256:235): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=556754f17500 a2=200c1 a3=81fd items=2 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=openat AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
-type=CWD msg=audit(1642449028.256:235): cwd="/home/doge/Code/client-scripts/holophrastic"
+type=CWD msg=audit(1642449028.256:235): cwd="/testpath"
 type=PATH msg=audit(1642449028.256:235): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PATH msg=audit(1642449028.256:235): item=1 name="backups/4913" inode=10881889 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PROCTITLE msg=audit(1642449028.256:235): proctitle=76696D006261636B7570732F746573742E747874
 type=SYSCALL msg=audit(1642449028.256:236): arch=c000003e syscall=93 success=yes exit=0 a0=3 a1=3e8 a2=3e8 a3=81fd items=1 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=fchown AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
-type=CWD msg=audit(1642449028.256:236): cwd="/home/doge/Code/client-scripts/holophrastic"
+type=CWD msg=audit(1642449028.256:236): cwd="/testpath"
 type=PATH msg=audit(1642449028.256:236): item=0 name=(null) inode=10881889 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PROCTITLE msg=audit(1642449028.256:236): proctitle=76696D006261636B7570732F746573742E747874
 type=SYSCALL msg=audit(1642449028.256:237): arch=c000003e syscall=87 success=yes exit=0 a0=556754f17500 a1=556754f17500 a2=7ffc79180110 a3=0 items=2 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=unlink AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
-type=CWD msg=audit(1642449028.256:237): cwd="/home/doge/Code/client-scripts/holophrastic"
+type=CWD msg=audit(1642449028.256:237): cwd="/testpath"
 type=PATH msg=audit(1642449028.256:237): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PATH msg=audit(1642449028.256:237): item=1 name="backups/4913" inode=10881889 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PROCTITLE msg=audit(1642449028.256:237): proctitle=76696D006261636B7570732F746573742E747874
 type=SYSCALL msg=audit(1642449028.256:238): arch=c000003e syscall=87 success=no exit=-2 a0=556754f8a530 a1=556754f8a530 a2=fffffffffffffea0 a3=0 items=1 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=unlink AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
-type=CWD msg=audit(1642449028.256:238): cwd="/home/doge/Code/client-scripts/holophrastic"
+type=CWD msg=audit(1642449028.256:238): cwd="/testpath"
 type=PATH msg=audit(1642449028.256:238): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PROCTITLE msg=audit(1642449028.256:238): proctitle=76696D006261636B7570732F746573742E747874
 type=SYSCALL msg=audit(1642449028.256:239): arch=c000003e syscall=82 success=yes exit=0 a0=556754f22ce0 a1=556754f8a530 a2=fffffffffffffea0 a3=0 items=4 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=rename AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
-type=CWD msg=audit(1642449028.256:239): cwd="/home/doge/Code/client-scripts/holophrastic"
+type=CWD msg=audit(1642449028.256:239): cwd="/testpath"
 type=PATH msg=audit(1642449028.256:239): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PATH msg=audit(1642449028.256:239): item=1 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PATH msg=audit(1642449028.256:239): item=2 name="backups/test.txt" inode=10881995 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PATH msg=audit(1642449028.256:239): item=3 name="backups/test.txt~" inode=10881995 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PROCTITLE msg=audit(1642449028.256:239): proctitle=76696D006261636B7570732F746573742E747874
 type=SYSCALL msg=audit(1642449028.256:240): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=556754f22ce0 a2=41 a3=1fd items=2 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=openat AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
-type=CWD msg=audit(1642449028.256:240): cwd="/home/doge/Code/client-scripts/holophrastic"
+type=CWD msg=audit(1642449028.256:240): cwd="/testpath"
 type=PATH msg=audit(1642449028.256:240): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PATH msg=audit(1642449028.256:240): item=1 name="backups/test.txt" inode=10881889 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PROCTITLE msg=audit(1642449028.256:240): proctitle=76696D006261636B7570732F746573742E747874
 type=SYSCALL msg=audit(1642449028.264:241): arch=c000003e syscall=91 success=yes exit=0 a0=3 a1=81fd a2=7ffc7917fe30 a3=0 items=1 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=fchmod AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
-type=CWD msg=audit(1642449028.264:241): cwd="/home/doge/Code/client-scripts/holophrastic"
+type=CWD msg=audit(1642449028.264:241): cwd="/testpath"
 type=PATH msg=audit(1642449028.264:241): item=0 name=(null) inode=10881889 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PROCTITLE msg=audit(1642449028.264:241): proctitle=76696D006261636B7570732F746573742E747874
 type=SYSCALL msg=audit(1642449028.264:242): arch=c000003e syscall=188 success=yes exit=0 a0=556754f22ce0 a1=7f0a21316000 a2=5567551ce620 a3=1c items=1 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=setxattr AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
-type=CWD msg=audit(1642449028.264:242): cwd="/home/doge/Code/client-scripts/holophrastic"
+type=CWD msg=audit(1642449028.264:242): cwd="/testpath"
 type=PATH msg=audit(1642449028.264:242): item=0 name="backups/test.txt" inode=10881889 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PROCTITLE msg=audit(1642449028.264:242): proctitle=76696D006261636B7570732F746573742E747874
 type=SYSCALL msg=audit(1642449028.264:243): arch=c000003e syscall=87 success=yes exit=0 a0=556754f8a530 a1=2d667475 a2=5567544e476b a3=0 items=2 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=unlink AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
-type=CWD msg=audit(1642449028.264:243): cwd="/home/doge/Code/client-scripts/holophrastic"
+type=CWD msg=audit(1642449028.264:243): cwd="/testpath"
 type=PATH msg=audit(1642449028.264:243): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PATH msg=audit(1642449028.264:243): item=1 name="backups/test.txt~" inode=10881995 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PROCTITLE msg=audit(1642449028.264:243): proctitle=76696D006261636B7570732F746573742E747874
 type=SYSCALL msg=audit(1642449028.264:244): arch=c000003e syscall=87 success=yes exit=0 a0=5567551ca560 a1=1 a2=1d a3=1 items=2 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=unlink AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
-type=CWD msg=audit(1642449028.264:244): cwd="/home/doge/Code/client-scripts/holophrastic"
-type=PATH msg=audit(1642449028.264:244): item=0 name="/home/doge/Code/client-scripts/holophrastic/backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
-type=PATH msg=audit(1642449028.264:244): item=1 name="/home/doge/Code/client-scripts/holophrastic/backups/.test.txt.swp" inode=10881809 dev=103:02 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
+type=CWD msg=audit(1642449028.264:244): cwd="/testpath"
+type=PATH msg=audit(1642449028.264:244): item=0 name="/testpath/backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
+type=PATH msg=audit(1642449028.264:244): item=1 name="/testpath/backups/.test.txt.swp" inode=10881809 dev=103:02 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 type=PROCTITLE msg=audit(1642449028.264:244): proctitle=76696D006261636B7570732F746573742E747874
 type=USER_AUTH msg=audit(1642449044.180:245): pid=14821 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:authentication grantors=pam_permit,pam_cap acct="doge" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 type=USER_ACCT msg=audit(1642449044.180:246): pid=14821 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:accounting grantors=pam_permit acct="doge" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"