Acasă Explorează Ajutor
Autentificare
Troglodyne
/
audit-log-perl
2
0
Bifurcare 0
Fisiere Probleme 0 Trageți solicitările 0 Wiki
Răsfoiți Sursa

Fix #3, also add the cwd for #1

George Baugh 3 ani în urmă
părinte
f3cfc93233
comite
c7a057e347
3 a modificat fișierele cu 73 adăugiri și 42 ștergeri
Vedere unificată Arată Statisticile Diff
  1. 37 8
      lib/Audit/Log.pm
  2. 5 3
      t/Audit-Log.t
  3. 31 31
      t/audit.log

+ 37 - 8
lib/Audit/Log.pm
Vizualizați fișierul 

@@ -22,7 +22,8 @@ You can use auditd for a number of other interesting purposes, which this should
 
     my $parser = Audit::Log->new();
 
     my $parser = Audit::Log->new();
 
     my $rows = $parser->search(
 
     my $rows = $parser->search(
 
         type     => qr/path/i,
 
         type     => qr/path/i,
 
-        nametype => qr/delete|create/i,
 
+        nametype => qr/delete|create|normal/i,
 
+        name     => qr/somefile.txt/i,
 
     );
 
     );
 
 
 
 =head1 CONSTRUCTOR
 
 =head1 CONSTRUCTOR
 
@@ -37,6 +38,17 @@ if none is provided.
 
 
 
 Also can filter returned keys by the provided array to not allocate unnecesarily in low mem situations.
 
 Also can filter returned keys by the provided array to not allocate unnecesarily in low mem situations.
 
 
 
+=head3 using with ausearch
 
+
 
+It's common to have the audit log be quite verbose, and log-rotated.
 
+To get around that you can dump pieces of the audit log as appropriate with ausearch.
 
+Here's an example of dumping keyed events for the last day, which you could then load into new().
 
+
 
+    ausearch --raw --key backupwatch -ts `date --date yesterday '+%x'` > yesterdays-audit.log
 
+
 
+Even then the audit log is quite likely to only have a few days of retention.
 
+Be sure to stash results appropriately.
 
+
 
 =cut
 
 =cut
 
 
 
 sub new {
 
 sub new {
 
@@ -55,7 +67,7 @@ If no constraints are provided, all matching rows will be returned.
 
 
 
 Example:
 
 Example:
 
 
 
-    my $rows = $parser->search( type => qr/path/i, nametype=qr/delete|create/i );
 
+    my $rows = $parser->search( type => qr/path/i, nametype=qr/delete|create|normal/i );
 
 
 
 The above effectively will get you a list of all file modifications/creations/deletions in watched directories.
 
 The above effectively will get you a list of all file modifications/creations/deletions in watched directories.
 
 
 
@@ -69,7 +81,7 @@ We can speed up processing by ignoring events of the incorrect key.
 
 
 
 Example:
 
 Example:
 
 
 
-    my $rows = $parser->search( type => qr/path/i, nametype=qr/delete|create/i, key => qr/backup_watch/i );
 
+    my $rows = $parser->search( type => qr/path/i, nametype=qr/delete|create|normal/i, key => qr/backup_watch/i );
 
 
 
 The above will ignore events from all rules save those from the "backup_watch" rule.
 
 The above will ignore events from all rules save those from the "backup_watch" rule.
 
 
 
@@ -81,9 +93,17 @@ Pass in 'older' and 'newer', and we can filter out things appropriately.
 
 Example:
 
 Example:
 
 
 
     # Get all records that are from the last 24 hours
 
     # Get all records that are from the last 24 hours
 
-    my $rows = $parser->search( type => qr/path/i, nametype=qr/delete|create/i, newer => ( time - 86400 ) );
 
+    my $rows = $parser->search( type => qr/path/i, nametype=qr/delete|create|normal/i, newer => ( time - 86400 ) );
 
 
 
-Handling rotated logs is left as an exercise for the reader.
 
+=head3 Getting full paths with CWDs
 
+
 
+PATH records don't actually store the full path to what is acted upon unless the process acting upon it used an absolute path.
 
+Thankfully, SYSCALL records are are always followed by a CWD record.  As such we add the 'cwd' field to all subsequent records.
 
+As such, you can build full paths like so:
 
+
 
+    my $parser = Audit::Log->new(undef, 'name', 'cwd');
 
+    my $rows = $parser->search( type => qr/path/i, nametype=qr/delete|create|normal/i );
 
+    my @full_paths = map { "$_->{cwd}/$_->{name}" } @$rows;
 
 
 
 =cut
 
 =cut
 
 
 
@@ -93,6 +113,7 @@ sub search {
 
     my $ret = [];
 
     my $ret = [];
 
     my $in_block = 1;
 
     my $in_block = 1;
 
     my $line = -1;
 
     my $line = -1;
 
+    my $cwd = '';
 
     open(my $fh, '<', $self->{path});
 
     open(my $fh, '<', $self->{path});
 
     LINE: while (<$fh>) {
 
     LINE: while (<$fh>) {
 
         next if index( $_, 'SYSCALL') < 0 && !$in_block;
 
         next if index( $_, 'SYSCALL') < 0 && !$in_block;
 
@@ -100,10 +121,17 @@ sub search {
 
         # I am trying to cheat here to snag the timestamp.
 
         # I am trying to cheat here to snag the timestamp.
 
         my $msg_start = index($_, 'msg=audit(') + 10;
 
         my $msg_start = index($_, 'msg=audit(') + 10;
 
         my $msg_end   = index($_, ':');
 
         my $msg_end   = index($_, ':');
 
-        my $timestamp = substr($_, $msg_start, $msg_end - $msg_start)."\n";
 
+        my $timestamp = substr($_, $msg_start, $msg_end - $msg_start);
 
         next if $options{older} && $timestamp > $options{older};
 
         next if $options{older} && $timestamp > $options{older};
 
         next if $options{newer} && $timestamp < $options{newer};
 
         next if $options{newer} && $timestamp < $options{newer};
 
 
 
+        # Snag CWDs
 
+        if ( index( $_, 'type=CWD') == 0) {
 
+            my $cwd_start = index($_, 'cwd="') + 5;
 
+            my $cwd_end   = index($_, "\n") - 1;
 
+            $cwd = substr($_, $cwd_start, $cwd_end - $cwd_start);
 
+        }
 
+
 
         # Replace GROUP SEPARATOR usage with simple spaces
 
         # Replace GROUP SEPARATOR usage with simple spaces
 
         s/[\x1D]/ /g;
 
         s/[\x1D]/ /g;
 
 
 
@@ -118,12 +146,13 @@ sub search {
 
         } split(/ /,$_);
 
         } split(/ /,$_);
 
 
 
         $line++;
 
         $line++;
 
-        $parsed{line} = $line;
 
-        chomp $timestamp;
 
+        $parsed{line}      = $line;
 
         $parsed{timestamp} = $timestamp;
 
         $parsed{timestamp} = $timestamp;
 
+        $parsed{cwd}       = $cwd;
 
 
 
         if (exists $options{key} && $parsed{type} eq 'SYSCALL') {
 
         if (exists $options{key} && $parsed{type} eq 'SYSCALL') {
 
             $in_block = $parsed{key} =~ $options{key};
 
             $in_block = $parsed{key} =~ $options{key};
 
+            $cwd = '';
 
             next unless $in_block;
 
             next unless $in_block;
 
         }
 
         }

+ 5 - 3
t/Audit-Log.t
Vizualizați fișierul 

@@ -8,7 +8,7 @@ use Test::Deep;
 
 use Audit::Log;
 
 use Audit::Log;
 
 use List::Util 1.45 qw{uniq};
 
 use List::Util 1.45 qw{uniq};
 
 
 
-my $parser = Audit::Log->new('t/audit.log','name','type','nametype','line','timestamp');
 
+my $parser = Audit::Log->new('t/audit.log','name','type','nametype','line','timestamp', 'cwd');
 
 my $rows = $parser->search( type => qr/path/i, nametype => qr/create|delete/i, name => qr/^backups\/[^\.]/, key => qr/backupwatch/, older => 1642448670, newer => 1642441403 );
 
 my $rows = $parser->search( type => qr/path/i, nametype => qr/create|delete/i, name => qr/^backups\/[^\.]/, key => qr/backupwatch/, older => 1642448670, newer => 1642441403 );
 
 
 
 my $expected = [
 
 my $expected = [
 
@@ -17,14 +17,16 @@ my $expected = [
 
     'timestamp' => '1642441406.575',
 
     'timestamp' => '1642441406.575',
 
     'type' => 'PATH',
 
     'type' => 'PATH',
 
     'nametype' => 'CREATE',
 
     'nametype' => 'CREATE',
 
-    'name' => 'backups/test.txt'
 
+    'name' => 'backups/test.txt',
 
+    'cwd'  => '/testpath',
 
   },
 
   },
 
   {
 
   {
 
     'type' => 'PATH',
 
     'type' => 'PATH',
 
     'timestamp' => '1642441412.975',
 
     'timestamp' => '1642441412.975',
 
     'line' => 8,
 
     'line' => 8,
 
     'name' => 'backups/testme.txt',
 
     'name' => 'backups/testme.txt',
 
-    'nametype' => 'DELETE'
 
+    'nametype' => 'DELETE',
 
+    'cwd'      => '/testpath',
 
   }
 
   }
 
 ];
 
 ];

+ 31 - 31
t/audit.log
Vizualizați fișierul 

@@ -13,13 +13,13 @@ type=SERVICE_START msg=audit(1642441165.947:64): pid=1 uid=0 auid=4294967295 ses
 
 type=USER_END msg=audit(1642441166.771:65): pid=11275 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:session_close grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
 type=USER_END msg=audit(1642441166.771:65): pid=11275 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:session_close grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
 type=CRED_DISP msg=audit(1642441166.771:66): pid=11275 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
 type=CRED_DISP msg=audit(1642441166.771:66): pid=11275 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
 type=USER_ACCT msg=audit(1642441188.763:67): pid=11909 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:accounting grantors=pam_permit acct="doge" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
 type=USER_ACCT msg=audit(1642441188.763:67): pid=11909 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:accounting grantors=pam_permit acct="doge" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
-type=USER_CMD msg=audit(1642441188.763:68): pid=11909 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='cwd="/home/doge/Code/client-scripts/holophrastic" cmd=736572766963652061756469746420737461747573 exe="/usr/bin/sudo" terminal=pts/1 res=success'UID="doge" AUID="unset"
 
+type=USER_CMD msg=audit(1642441188.763:68): pid=11909 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='cwd="/testpath" cmd=736572766963652061756469746420737461747573 exe="/usr/bin/sudo" terminal=pts/1 res=success'UID="doge" AUID="unset"
 
 type=CRED_REFR msg=audit(1642441188.763:69): pid=11909 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit,pam_cap acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
 type=CRED_REFR msg=audit(1642441188.763:69): pid=11909 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit,pam_cap acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
 type=USER_START msg=audit(1642441188.763:70): pid=11909 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:session_open grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
 type=USER_START msg=audit(1642441188.763:70): pid=11909 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:session_open grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
 type=USER_END msg=audit(1642441188.815:71): pid=11909 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:session_close grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
 type=USER_END msg=audit(1642441188.815:71): pid=11909 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:session_close grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
 type=CRED_DISP msg=audit(1642441188.815:72): pid=11909 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
 type=CRED_DISP msg=audit(1642441188.815:72): pid=11909 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
 type=USER_ACCT msg=audit(1642441381.779:73): pid=12068 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:accounting grantors=pam_permit acct="doge" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
 type=USER_ACCT msg=audit(1642441381.779:73): pid=12068 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:accounting grantors=pam_permit acct="doge" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
-type=USER_CMD msg=audit(1642441381.779:74): pid=12068 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='cwd="/home/doge/Code/client-scripts/holophrastic" cmd=617564697463746C202D77202F686F6D652F646F67652F436F64652F636C69656E742D736372697074732F686F6C6F70687261737469632F6261636B757073202D702077617278202D6B206261636B75707761746368 exe="/usr/bin/sudo" terminal=pts/1 res=success'UID="doge" AUID="unset"
 
+type=USER_CMD msg=audit(1642441381.779:74): pid=12068 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='cwd="/testpath" cmd=617564697463746C202D77202F686F6D652F646F67652F436F64652F636C69656E742D736372697074732F686F6C6F70687261737469632F6261636B757073202D702077617278202D6B206261636B75707761746368 exe="/usr/bin/sudo" terminal=pts/1 res=success'UID="doge" AUID="unset"
 
 type=CRED_REFR msg=audit(1642441381.779:75): pid=12068 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit,pam_cap acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
 type=CRED_REFR msg=audit(1642441381.779:75): pid=12068 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit,pam_cap acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
 type=USER_START msg=audit(1642441381.779:76): pid=12068 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:session_open grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
 type=USER_START msg=audit(1642441381.779:76): pid=12068 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:session_open grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
 type=CONFIG_CHANGE msg=audit(1642441381.779:77): auid=4294967295 ses=4294967295 subj=unconfined op=add_rule key="backupwatch" list=4 res=1AUID="unset"
 
 type=CONFIG_CHANGE msg=audit(1642441381.779:77): auid=4294967295 ses=4294967295 subj=unconfined op=add_rule key="backupwatch" list=4 res=1AUID="unset"
 
@@ -28,39 +28,39 @@ type=PROCTITLE msg=audit(1642441381.779:77): proctitle=617564697463746C002D77002
 
 type=USER_END msg=audit(1642441381.783:78): pid=12068 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:session_close grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
 type=USER_END msg=audit(1642441381.783:78): pid=12068 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:session_close grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
 type=CRED_DISP msg=audit(1642441381.783:79): pid=12068 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
 type=CRED_DISP msg=audit(1642441381.783:79): pid=12068 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
 type=SYSCALL msg=audit(1642441391.567:80): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffe41a5b831 a2=941 a3=1b6 items=2 ppid=3354 pid=12075 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4294967295 comm="touch" exe="/usr/bin/touch" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=openat AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
 type=SYSCALL msg=audit(1642441391.567:80): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffe41a5b831 a2=941 a3=1b6 items=2 ppid=3354 pid=12075 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4294967295 comm="touch" exe="/usr/bin/touch" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=openat AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
-type=CWD msg=audit(1642441391.567:80): cwd="/home/doge/Code/client-scripts/holophrastic"
 
+type=CWD msg=audit(1642441391.567:80): cwd="/testpath"
 
 type=PATH msg=audit(1642441391.567:80): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642441391.567:80): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642441391.567:80): item=1 name="backups/test.txt" inode=10881960 dev=103:02 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642441391.567:80): item=1 name="backups/test.txt" inode=10881960 dev=103:02 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PROCTITLE msg=audit(1642441391.567:80): proctitle=746F756368006261636B7570732F746573742E747874
 
 type=PROCTITLE msg=audit(1642441391.567:80): proctitle=746F756368006261636B7570732F746573742E747874
 
 type=SYSCALL msg=audit(1642441402.623:81): arch=c000003e syscall=316 success=yes exit=0 a0=ffffff9c a1=7ffe4b295824 a2=ffffff9c a3=7ffe4b295835 items=4 ppid=3354 pid=12083 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4294967295 comm="mv" exe="/usr/bin/mv" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=renameat2 AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
 type=SYSCALL msg=audit(1642441402.623:81): arch=c000003e syscall=316 success=yes exit=0 a0=ffffff9c a1=7ffe4b295824 a2=ffffff9c a3=7ffe4b295835 items=4 ppid=3354 pid=12083 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4294967295 comm="mv" exe="/usr/bin/mv" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=renameat2 AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
-type=CWD msg=audit(1642441402.623:81): cwd="/home/doge/Code/client-scripts/holophrastic"
 
+type=CWD msg=audit(1642441402.623:81): cwd="/testpath"
 
 type=PATH msg=audit(1642441402.623:81): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642441402.623:81): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642441402.623:81): item=1 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642441402.623:81): item=1 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642441402.623:81): item=2 name="backups/test.txt" inode=10881960 dev=103:02 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642441402.623:81): item=2 name="backups/test.txt" inode=10881960 dev=103:02 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642441402.623:81): item=3 name="backups/testme.txt" inode=10881960 dev=103:02 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642441402.623:81): item=3 name="backups/testme.txt" inode=10881960 dev=103:02 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PROCTITLE msg=audit(1642441402.623:81): proctitle=6D76006261636B7570732F746573742E747874006261636B7570732F746573746D652E747874
 
 type=PROCTITLE msg=audit(1642441402.623:81): proctitle=6D76006261636B7570732F746573742E747874006261636B7570732F746573746D652E747874
 
 type=SYSCALL msg=audit(1642441406.575:82): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7fffb180d831 a2=941 a3=1b6 items=2 ppid=3354 pid=12087 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4294967295 comm="touch" exe="/usr/bin/touch" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=openat AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
 type=SYSCALL msg=audit(1642441406.575:82): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7fffb180d831 a2=941 a3=1b6 items=2 ppid=3354 pid=12087 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4294967295 comm="touch" exe="/usr/bin/touch" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=openat AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
-type=CWD msg=audit(1642441406.575:82): cwd="/home/doge/Code/client-scripts/holophrastic"
 
+type=CWD msg=audit(1642441406.575:82): cwd="/testpath"
 
 type=PATH msg=audit(1642441406.575:82): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642441406.575:82): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642441406.575:82): item=1 name="backups/test.txt" inode=10881995 dev=103:02 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642441406.575:82): item=1 name="backups/test.txt" inode=10881995 dev=103:02 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PROCTITLE msg=audit(1642441406.575:82): proctitle=746F756368006261636B7570732F746573742E747874
 
 type=PROCTITLE msg=audit(1642441406.575:82): proctitle=746F756368006261636B7570732F746573742E747874
 
 type=SYSCALL msg=audit(1642441412.975:83): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55ca3d8054d0 a2=0 a3=0 items=2 ppid=3354 pid=12093 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4294967295 comm="rm" exe="/usr/bin/rm" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=unlinkat AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
 type=SYSCALL msg=audit(1642441412.975:83): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55ca3d8054d0 a2=0 a3=0 items=2 ppid=3354 pid=12093 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4294967295 comm="rm" exe="/usr/bin/rm" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=unlinkat AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
-type=CWD msg=audit(1642441412.975:83): cwd="/home/doge/Code/client-scripts/holophrastic"
 
+type=CWD msg=audit(1642441412.975:83): cwd="/testpath"
 
 type=PATH msg=audit(1642441412.975:83): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642441412.975:83): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642441412.975:83): item=1 name="backups/testme.txt" inode=10881960 dev=103:02 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642441412.975:83): item=1 name="backups/testme.txt" inode=10881960 dev=103:02 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PROCTITLE msg=audit(1642441412.975:83): proctitle=726D006261636B7570732F746573746D652E747874
 
 type=PROCTITLE msg=audit(1642441412.975:83): proctitle=726D006261636B7570732F746573746D652E747874
 
 type=SYSCALL msg=audit(1642441419.063:84): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=55b8e9c09500 a2=1fd a3=49 items=1 ppid=3354 pid=12097 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4294967295 comm="chmod" exe="/usr/bin/chmod" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=fchmodat AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
 type=SYSCALL msg=audit(1642441419.063:84): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=55b8e9c09500 a2=1fd a3=49 items=1 ppid=3354 pid=12097 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4294967295 comm="chmod" exe="/usr/bin/chmod" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=fchmodat AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
-type=CWD msg=audit(1642441419.063:84): cwd="/home/doge/Code/client-scripts/holophrastic"
 
+type=CWD msg=audit(1642441419.063:84): cwd="/testpath"
 
 type=PATH msg=audit(1642441419.063:84): item=0 name="backups/test.txt" inode=10881995 dev=103:02 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642441419.063:84): item=0 name="backups/test.txt" inode=10881995 dev=103:02 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PROCTITLE msg=audit(1642441419.063:84): proctitle=63686D6F64002B78006261636B7570732F746573742E747874
 
 type=PROCTITLE msg=audit(1642441419.063:84): proctitle=63686D6F64002B78006261636B7570732F746573742E747874
 
 type=USER_ACCT msg=audit(1642441428.163:85): pid=12106 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:accounting grantors=pam_permit acct="doge" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
 type=USER_ACCT msg=audit(1642441428.163:85): pid=12106 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:accounting grantors=pam_permit acct="doge" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
-type=USER_CMD msg=audit(1642441428.163:86): pid=12106 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='cwd="/home/doge/Code/client-scripts/holophrastic" cmd="aureport" exe="/usr/bin/sudo" terminal=pts/1 res=success'UID="doge" AUID="unset"
 
+type=USER_CMD msg=audit(1642441428.163:86): pid=12106 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='cwd="/testpath" cmd="aureport" exe="/usr/bin/sudo" terminal=pts/1 res=success'UID="doge" AUID="unset"
 
 type=CRED_REFR msg=audit(1642441428.163:87): pid=12106 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit,pam_cap acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
 type=CRED_REFR msg=audit(1642441428.163:87): pid=12106 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit,pam_cap acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
 type=USER_START msg=audit(1642441428.163:88): pid=12106 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:session_open grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
 type=USER_START msg=audit(1642441428.163:88): pid=12106 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:session_open grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
 type=USER_END msg=audit(1642441428.167:89): pid=12106 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:session_close grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
 type=USER_END msg=audit(1642441428.167:89): pid=12106 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:session_close grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
 type=CRED_DISP msg=audit(1642441428.167:90): pid=12106 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
 type=CRED_DISP msg=audit(1642441428.167:90): pid=12106 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
 type=USER_ACCT msg=audit(1642441461.555:91): pid=12157 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:accounting grantors=pam_permit acct="doge" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
 type=USER_ACCT msg=audit(1642441461.555:91): pid=12157 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:accounting grantors=pam_permit acct="doge" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
-type=USER_CMD msg=audit(1642441461.555:92): pid=12157 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='cwd="/home/doge/Code/client-scripts/holophrastic" cmd=6C657373202F7661722F6C6F672F61756469742F61756469742E6C6F67 exe="/usr/bin/sudo" terminal=pts/1 res=success'UID="doge" AUID="unset"
 
+type=USER_CMD msg=audit(1642441461.555:92): pid=12157 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='cwd="/testpath" cmd=6C657373202F7661722F6C6F672F61756469742F61756469742E6C6F67 exe="/usr/bin/sudo" terminal=pts/1 res=success'UID="doge" AUID="unset"
 
 type=CRED_REFR msg=audit(1642441461.555:93): pid=12157 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit,pam_cap acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
 type=CRED_REFR msg=audit(1642441461.555:93): pid=12157 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit,pam_cap acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
 type=USER_START msg=audit(1642441461.555:94): pid=12157 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:session_open grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
 type=USER_START msg=audit(1642441461.555:94): pid=12157 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:session_open grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
 type=USER_ACCT msg=audit(1642441501.679:95): pid=12164 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:accounting grantors=pam_permit acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'UID="root" AUID="unset"
 
 type=USER_ACCT msg=audit(1642441501.679:95): pid=12164 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:accounting grantors=pam_permit acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'UID="root" AUID="unset"
 
@@ -228,97 +228,97 @@ type=USER_END msg=audit(1642448701.856:222): pid=14711 uid=0 auid=0 ses=37 subj=
 
 type=SERVICE_START msg=audit(1642448992.440:223): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
 
 type=SERVICE_START msg=audit(1642448992.440:223): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
 
 type=SERVICE_STOP msg=audit(1642449003.084:224): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
 
 type=SERVICE_STOP msg=audit(1642449003.084:224): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
 
 type=SYSCALL msg=audit(1642449025.700:225): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=556754f22ce0 a2=0 a3=0 items=1 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=openat AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
 type=SYSCALL msg=audit(1642449025.700:225): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=556754f22ce0 a2=0 a3=0 items=1 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=openat AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
-type=CWD msg=audit(1642449025.700:225): cwd="/home/doge/Code/client-scripts/holophrastic"
 
+type=CWD msg=audit(1642449025.700:225): cwd="/testpath"
 
 type=PATH msg=audit(1642449025.700:225): item=0 name="backups/test.txt" inode=10881995 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449025.700:225): item=0 name="backups/test.txt" inode=10881995 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PROCTITLE msg=audit(1642449025.700:225): proctitle=76696D006261636B7570732F746573742E747874
 
 type=PROCTITLE msg=audit(1642449025.700:225): proctitle=76696D006261636B7570732F746573742E747874
 
 type=SYSCALL msg=audit(1642449025.700:226): arch=c000003e syscall=89 success=no exit=-22 a0=7ffc7917e020 a1=7ffc7917f080 a2=fff a3=21 items=1 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=readlink AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
 type=SYSCALL msg=audit(1642449025.700:226): arch=c000003e syscall=89 success=no exit=-22 a0=7ffc7917e020 a1=7ffc7917f080 a2=fff a3=21 items=1 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=readlink AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
-type=CWD msg=audit(1642449025.700:226): cwd="/home/doge/Code/client-scripts/holophrastic"
 
+type=CWD msg=audit(1642449025.700:226): cwd="/testpath"
 
 type=PATH msg=audit(1642449025.700:226): item=0 name="backups/test.txt" inode=10881995 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449025.700:226): item=0 name="backups/test.txt" inode=10881995 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PROCTITLE msg=audit(1642449025.700:226): proctitle=76696D006261636B7570732F746573742E747874
 
 type=PROCTITLE msg=audit(1642449025.700:226): proctitle=76696D006261636B7570732F746573742E747874
 
 type=SYSCALL msg=audit(1642449025.700:227): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=5567551b4090 a2=c2 a3=180 items=2 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=openat AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
 type=SYSCALL msg=audit(1642449025.700:227): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=5567551b4090 a2=c2 a3=180 items=2 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=openat AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
-type=CWD msg=audit(1642449025.700:227): cwd="/home/doge/Code/client-scripts/holophrastic"
 
+type=CWD msg=audit(1642449025.700:227): cwd="/testpath"
 
 type=PATH msg=audit(1642449025.700:227): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449025.700:227): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449025.700:227): item=1 name="backups/.test.txt.swp" inode=10881809 dev=103:02 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449025.700:227): item=1 name="backups/.test.txt.swp" inode=10881809 dev=103:02 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PROCTITLE msg=audit(1642449025.700:227): proctitle=76696D006261636B7570732F746573742E747874
 
 type=PROCTITLE msg=audit(1642449025.700:227): proctitle=76696D006261636B7570732F746573742E747874
 
 type=SYSCALL msg=audit(1642449025.700:228): arch=c000003e syscall=257 success=yes exit=5 a0=ffffff9c a1=556754f238b0 a2=c2 a3=180 items=2 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=openat AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
 type=SYSCALL msg=audit(1642449025.700:228): arch=c000003e syscall=257 success=yes exit=5 a0=ffffff9c a1=556754f238b0 a2=c2 a3=180 items=2 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=openat AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
-type=CWD msg=audit(1642449025.700:228): cwd="/home/doge/Code/client-scripts/holophrastic"
 
+type=CWD msg=audit(1642449025.700:228): cwd="/testpath"
 
 type=PATH msg=audit(1642449025.700:228): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449025.700:228): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449025.700:228): item=1 name="backups/.test.txt.swx" inode=10881889 dev=103:02 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449025.700:228): item=1 name="backups/.test.txt.swx" inode=10881889 dev=103:02 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PROCTITLE msg=audit(1642449025.700:228): proctitle=76696D006261636B7570732F746573742E747874
 
 type=PROCTITLE msg=audit(1642449025.700:228): proctitle=76696D006261636B7570732F746573742E747874
 
 type=SYSCALL msg=audit(1642449025.700:229): arch=c000003e syscall=87 success=yes exit=0 a0=556754f238b0 a1=7f0a20d2ccd6 a2=0 a3=1000 items=2 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=unlink AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
 type=SYSCALL msg=audit(1642449025.700:229): arch=c000003e syscall=87 success=yes exit=0 a0=556754f238b0 a1=7f0a20d2ccd6 a2=0 a3=1000 items=2 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=unlink AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
-type=CWD msg=audit(1642449025.700:229): cwd="/home/doge/Code/client-scripts/holophrastic"
 
+type=CWD msg=audit(1642449025.700:229): cwd="/testpath"
 
 type=PATH msg=audit(1642449025.700:229): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449025.700:229): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449025.700:229): item=1 name="backups/.test.txt.swx" inode=10881889 dev=103:02 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449025.700:229): item=1 name="backups/.test.txt.swx" inode=10881889 dev=103:02 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PROCTITLE msg=audit(1642449025.700:229): proctitle=76696D006261636B7570732F746573742E747874
 
 type=PROCTITLE msg=audit(1642449025.700:229): proctitle=76696D006261636B7570732F746573742E747874
 
 type=SYSCALL msg=audit(1642449025.700:230): arch=c000003e syscall=87 success=yes exit=0 a0=5567551b4090 a1=7f0a20d2ccd6 a2=0 a3=1000 items=2 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=unlink AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
 type=SYSCALL msg=audit(1642449025.700:230): arch=c000003e syscall=87 success=yes exit=0 a0=5567551b4090 a1=7f0a20d2ccd6 a2=0 a3=1000 items=2 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=unlink AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
-type=CWD msg=audit(1642449025.700:230): cwd="/home/doge/Code/client-scripts/holophrastic"
 
+type=CWD msg=audit(1642449025.700:230): cwd="/testpath"
 
 type=PATH msg=audit(1642449025.700:230): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449025.700:230): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449025.700:230): item=1 name="backups/.test.txt.swp" inode=10881809 dev=103:02 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449025.700:230): item=1 name="backups/.test.txt.swp" inode=10881809 dev=103:02 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PROCTITLE msg=audit(1642449025.700:230): proctitle=76696D006261636B7570732F746573742E747874
 
 type=PROCTITLE msg=audit(1642449025.700:230): proctitle=76696D006261636B7570732F746573742E747874
 
 type=SYSCALL msg=audit(1642449025.700:231): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=5567551b4090 a2=200c2 a3=180 items=2 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=openat AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
 type=SYSCALL msg=audit(1642449025.700:231): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=5567551b4090 a2=200c2 a3=180 items=2 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=openat AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
-type=CWD msg=audit(1642449025.700:231): cwd="/home/doge/Code/client-scripts/holophrastic"
 
+type=CWD msg=audit(1642449025.700:231): cwd="/testpath"
 
 type=PATH msg=audit(1642449025.700:231): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449025.700:231): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449025.700:231): item=1 name="backups/.test.txt.swp" inode=10881809 dev=103:02 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449025.700:231): item=1 name="backups/.test.txt.swp" inode=10881809 dev=103:02 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PROCTITLE msg=audit(1642449025.700:231): proctitle=76696D006261636B7570732F746573742E747874
 
 type=PROCTITLE msg=audit(1642449025.700:231): proctitle=76696D006261636B7570732F746573742E747874
 
 type=SYSCALL msg=audit(1642449025.700:232): arch=c000003e syscall=90 success=yes exit=0 a0=5567551b4090 a1=1a4 a2=556754576420 a3=5567545763a0 items=1 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=chmod AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
 type=SYSCALL msg=audit(1642449025.700:232): arch=c000003e syscall=90 success=yes exit=0 a0=5567551b4090 a1=1a4 a2=556754576420 a3=5567545763a0 items=1 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=chmod AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
-type=CWD msg=audit(1642449025.700:232): cwd="/home/doge/Code/client-scripts/holophrastic"
 
+type=CWD msg=audit(1642449025.700:232): cwd="/testpath"
 
 type=PATH msg=audit(1642449025.700:232): item=0 name="backups/.test.txt.swp" inode=10881809 dev=103:02 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449025.700:232): item=0 name="backups/.test.txt.swp" inode=10881809 dev=103:02 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PROCTITLE msg=audit(1642449025.700:232): proctitle=76696D006261636B7570732F746573742E747874
 
 type=PROCTITLE msg=audit(1642449025.700:232): proctitle=76696D006261636B7570732F746573742E747874
 
 type=SYSCALL msg=audit(1642449025.700:233): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=556754f22ce0 a2=0 a3=0 items=1 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=openat AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
 type=SYSCALL msg=audit(1642449025.700:233): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=556754f22ce0 a2=0 a3=0 items=1 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=openat AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
-type=CWD msg=audit(1642449025.700:233): cwd="/home/doge/Code/client-scripts/holophrastic"
 
+type=CWD msg=audit(1642449025.700:233): cwd="/testpath"
 
 type=PATH msg=audit(1642449025.700:233): item=0 name="backups/test.txt" inode=10881995 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449025.700:233): item=0 name="backups/test.txt" inode=10881995 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PROCTITLE msg=audit(1642449025.700:233): proctitle=76696D006261636B7570732F746573742E747874
 
 type=PROCTITLE msg=audit(1642449025.700:233): proctitle=76696D006261636B7570732F746573742E747874
 
 type=SYSCALL msg=audit(1642449028.256:234): arch=c000003e syscall=191 success=no exit=-61 a0=556754f22ce0 a1=7f0a21316000 a2=7ffc7917fd80 a3=84 items=1 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=getxattr AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
 type=SYSCALL msg=audit(1642449028.256:234): arch=c000003e syscall=191 success=no exit=-61 a0=556754f22ce0 a1=7f0a21316000 a2=7ffc7917fd80 a3=84 items=1 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=getxattr AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
-type=CWD msg=audit(1642449028.256:234): cwd="/home/doge/Code/client-scripts/holophrastic"
 
+type=CWD msg=audit(1642449028.256:234): cwd="/testpath"
 
 type=PATH msg=audit(1642449028.256:234): item=0 name="backups/test.txt" inode=10881995 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449028.256:234): item=0 name="backups/test.txt" inode=10881995 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PROCTITLE msg=audit(1642449028.256:234): proctitle=76696D006261636B7570732F746573742E747874
 
 type=PROCTITLE msg=audit(1642449028.256:234): proctitle=76696D006261636B7570732F746573742E747874
 
 type=SYSCALL msg=audit(1642449028.256:235): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=556754f17500 a2=200c1 a3=81fd items=2 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=openat AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
 type=SYSCALL msg=audit(1642449028.256:235): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=556754f17500 a2=200c1 a3=81fd items=2 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=openat AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
-type=CWD msg=audit(1642449028.256:235): cwd="/home/doge/Code/client-scripts/holophrastic"
 
+type=CWD msg=audit(1642449028.256:235): cwd="/testpath"
 
 type=PATH msg=audit(1642449028.256:235): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449028.256:235): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449028.256:235): item=1 name="backups/4913" inode=10881889 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449028.256:235): item=1 name="backups/4913" inode=10881889 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PROCTITLE msg=audit(1642449028.256:235): proctitle=76696D006261636B7570732F746573742E747874
 
 type=PROCTITLE msg=audit(1642449028.256:235): proctitle=76696D006261636B7570732F746573742E747874
 
 type=SYSCALL msg=audit(1642449028.256:236): arch=c000003e syscall=93 success=yes exit=0 a0=3 a1=3e8 a2=3e8 a3=81fd items=1 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=fchown AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
 type=SYSCALL msg=audit(1642449028.256:236): arch=c000003e syscall=93 success=yes exit=0 a0=3 a1=3e8 a2=3e8 a3=81fd items=1 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=fchown AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
-type=CWD msg=audit(1642449028.256:236): cwd="/home/doge/Code/client-scripts/holophrastic"
 
+type=CWD msg=audit(1642449028.256:236): cwd="/testpath"
 
 type=PATH msg=audit(1642449028.256:236): item=0 name=(null) inode=10881889 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449028.256:236): item=0 name=(null) inode=10881889 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PROCTITLE msg=audit(1642449028.256:236): proctitle=76696D006261636B7570732F746573742E747874
 
 type=PROCTITLE msg=audit(1642449028.256:236): proctitle=76696D006261636B7570732F746573742E747874
 
 type=SYSCALL msg=audit(1642449028.256:237): arch=c000003e syscall=87 success=yes exit=0 a0=556754f17500 a1=556754f17500 a2=7ffc79180110 a3=0 items=2 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=unlink AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
 type=SYSCALL msg=audit(1642449028.256:237): arch=c000003e syscall=87 success=yes exit=0 a0=556754f17500 a1=556754f17500 a2=7ffc79180110 a3=0 items=2 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=unlink AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
-type=CWD msg=audit(1642449028.256:237): cwd="/home/doge/Code/client-scripts/holophrastic"
 
+type=CWD msg=audit(1642449028.256:237): cwd="/testpath"
 
 type=PATH msg=audit(1642449028.256:237): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449028.256:237): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449028.256:237): item=1 name="backups/4913" inode=10881889 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449028.256:237): item=1 name="backups/4913" inode=10881889 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PROCTITLE msg=audit(1642449028.256:237): proctitle=76696D006261636B7570732F746573742E747874
 
 type=PROCTITLE msg=audit(1642449028.256:237): proctitle=76696D006261636B7570732F746573742E747874
 
 type=SYSCALL msg=audit(1642449028.256:238): arch=c000003e syscall=87 success=no exit=-2 a0=556754f8a530 a1=556754f8a530 a2=fffffffffffffea0 a3=0 items=1 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=unlink AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
 type=SYSCALL msg=audit(1642449028.256:238): arch=c000003e syscall=87 success=no exit=-2 a0=556754f8a530 a1=556754f8a530 a2=fffffffffffffea0 a3=0 items=1 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=unlink AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
-type=CWD msg=audit(1642449028.256:238): cwd="/home/doge/Code/client-scripts/holophrastic"
 
+type=CWD msg=audit(1642449028.256:238): cwd="/testpath"
 
 type=PATH msg=audit(1642449028.256:238): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449028.256:238): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PROCTITLE msg=audit(1642449028.256:238): proctitle=76696D006261636B7570732F746573742E747874
 
 type=PROCTITLE msg=audit(1642449028.256:238): proctitle=76696D006261636B7570732F746573742E747874
 
 type=SYSCALL msg=audit(1642449028.256:239): arch=c000003e syscall=82 success=yes exit=0 a0=556754f22ce0 a1=556754f8a530 a2=fffffffffffffea0 a3=0 items=4 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=rename AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
 type=SYSCALL msg=audit(1642449028.256:239): arch=c000003e syscall=82 success=yes exit=0 a0=556754f22ce0 a1=556754f8a530 a2=fffffffffffffea0 a3=0 items=4 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=rename AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
-type=CWD msg=audit(1642449028.256:239): cwd="/home/doge/Code/client-scripts/holophrastic"
 
+type=CWD msg=audit(1642449028.256:239): cwd="/testpath"
 
 type=PATH msg=audit(1642449028.256:239): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449028.256:239): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449028.256:239): item=1 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449028.256:239): item=1 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449028.256:239): item=2 name="backups/test.txt" inode=10881995 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449028.256:239): item=2 name="backups/test.txt" inode=10881995 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449028.256:239): item=3 name="backups/test.txt~" inode=10881995 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449028.256:239): item=3 name="backups/test.txt~" inode=10881995 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PROCTITLE msg=audit(1642449028.256:239): proctitle=76696D006261636B7570732F746573742E747874
 
 type=PROCTITLE msg=audit(1642449028.256:239): proctitle=76696D006261636B7570732F746573742E747874
 
 type=SYSCALL msg=audit(1642449028.256:240): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=556754f22ce0 a2=41 a3=1fd items=2 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=openat AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
 type=SYSCALL msg=audit(1642449028.256:240): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=556754f22ce0 a2=41 a3=1fd items=2 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=openat AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
-type=CWD msg=audit(1642449028.256:240): cwd="/home/doge/Code/client-scripts/holophrastic"
 
+type=CWD msg=audit(1642449028.256:240): cwd="/testpath"
 
 type=PATH msg=audit(1642449028.256:240): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449028.256:240): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449028.256:240): item=1 name="backups/test.txt" inode=10881889 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449028.256:240): item=1 name="backups/test.txt" inode=10881889 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PROCTITLE msg=audit(1642449028.256:240): proctitle=76696D006261636B7570732F746573742E747874
 
 type=PROCTITLE msg=audit(1642449028.256:240): proctitle=76696D006261636B7570732F746573742E747874
 
 type=SYSCALL msg=audit(1642449028.264:241): arch=c000003e syscall=91 success=yes exit=0 a0=3 a1=81fd a2=7ffc7917fe30 a3=0 items=1 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=fchmod AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
 type=SYSCALL msg=audit(1642449028.264:241): arch=c000003e syscall=91 success=yes exit=0 a0=3 a1=81fd a2=7ffc7917fe30 a3=0 items=1 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=fchmod AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
-type=CWD msg=audit(1642449028.264:241): cwd="/home/doge/Code/client-scripts/holophrastic"
 
+type=CWD msg=audit(1642449028.264:241): cwd="/testpath"
 
 type=PATH msg=audit(1642449028.264:241): item=0 name=(null) inode=10881889 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449028.264:241): item=0 name=(null) inode=10881889 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PROCTITLE msg=audit(1642449028.264:241): proctitle=76696D006261636B7570732F746573742E747874
 
 type=PROCTITLE msg=audit(1642449028.264:241): proctitle=76696D006261636B7570732F746573742E747874
 
 type=SYSCALL msg=audit(1642449028.264:242): arch=c000003e syscall=188 success=yes exit=0 a0=556754f22ce0 a1=7f0a21316000 a2=5567551ce620 a3=1c items=1 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=setxattr AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
 type=SYSCALL msg=audit(1642449028.264:242): arch=c000003e syscall=188 success=yes exit=0 a0=556754f22ce0 a1=7f0a21316000 a2=5567551ce620 a3=1c items=1 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=setxattr AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
-type=CWD msg=audit(1642449028.264:242): cwd="/home/doge/Code/client-scripts/holophrastic"
 
+type=CWD msg=audit(1642449028.264:242): cwd="/testpath"
 
 type=PATH msg=audit(1642449028.264:242): item=0 name="backups/test.txt" inode=10881889 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449028.264:242): item=0 name="backups/test.txt" inode=10881889 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PROCTITLE msg=audit(1642449028.264:242): proctitle=76696D006261636B7570732F746573742E747874
 
 type=PROCTITLE msg=audit(1642449028.264:242): proctitle=76696D006261636B7570732F746573742E747874
 
 type=SYSCALL msg=audit(1642449028.264:243): arch=c000003e syscall=87 success=yes exit=0 a0=556754f8a530 a1=2d667475 a2=5567544e476b a3=0 items=2 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=unlink AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
 type=SYSCALL msg=audit(1642449028.264:243): arch=c000003e syscall=87 success=yes exit=0 a0=556754f8a530 a1=2d667475 a2=5567544e476b a3=0 items=2 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=unlink AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
-type=CWD msg=audit(1642449028.264:243): cwd="/home/doge/Code/client-scripts/holophrastic"
 
+type=CWD msg=audit(1642449028.264:243): cwd="/testpath"
 
 type=PATH msg=audit(1642449028.264:243): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449028.264:243): item=0 name="backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449028.264:243): item=1 name="backups/test.txt~" inode=10881995 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PATH msg=audit(1642449028.264:243): item=1 name="backups/test.txt~" inode=10881995 dev=103:02 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PROCTITLE msg=audit(1642449028.264:243): proctitle=76696D006261636B7570732F746573742E747874
 
 type=PROCTITLE msg=audit(1642449028.264:243): proctitle=76696D006261636B7570732F746573742E747874
 
 type=SYSCALL msg=audit(1642449028.264:244): arch=c000003e syscall=87 success=yes exit=0 a0=5567551ca560 a1=1 a2=1d a3=1 items=2 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=unlink AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
 type=SYSCALL msg=audit(1642449028.264:244): arch=c000003e syscall=87 success=yes exit=0 a0=5567551ca560 a1=1 a2=1d a3=1 items=2 ppid=3386 pid=14813 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="backupwatch"ARCH=x86_64 SYSCALL=unlink AUID="unset" UID="doge" GID="doge" EUID="doge" SUID="doge" FSUID="doge" EGID="doge" SGID="doge" FSGID="doge"
 
-type=CWD msg=audit(1642449028.264:244): cwd="/home/doge/Code/client-scripts/holophrastic"
 
-type=PATH msg=audit(1642449028.264:244): item=0 name="/home/doge/Code/client-scripts/holophrastic/backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
-type=PATH msg=audit(1642449028.264:244): item=1 name="/home/doge/Code/client-scripts/holophrastic/backups/.test.txt.swp" inode=10881809 dev=103:02 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
+type=CWD msg=audit(1642449028.264:244): cwd="/testpath"
 
+type=PATH msg=audit(1642449028.264:244): item=0 name="/testpath/backups/" inode=10879922 dev=103:02 mode=040775 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
+type=PATH msg=audit(1642449028.264:244): item=1 name="/testpath/backups/.test.txt.swp" inode=10881809 dev=103:02 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="doge" OGID="doge"
 
 type=PROCTITLE msg=audit(1642449028.264:244): proctitle=76696D006261636B7570732F746573742E747874
 
 type=PROCTITLE msg=audit(1642449028.264:244): proctitle=76696D006261636B7570732F746573742E747874
 
 type=USER_AUTH msg=audit(1642449044.180:245): pid=14821 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:authentication grantors=pam_permit,pam_cap acct="doge" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
 type=USER_AUTH msg=audit(1642449044.180:245): pid=14821 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:authentication grantors=pam_permit,pam_cap acct="doge" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
 type=USER_ACCT msg=audit(1642449044.180:246): pid=14821 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:accounting grantors=pam_permit acct="doge" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"
 
 type=USER_ACCT msg=audit(1642449044.180:246): pid=14821 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:accounting grantors=pam_permit acct="doge" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'UID="doge" AUID="unset"