Aster89/gist:f71f5945522f98165210008d1c9a19c1

## gistfile1.txt
$ sudo ausearch -k delete_x11_tmp
----
time->Thu May 20 09:42:39 2021
type=PROCTITLE msg=audit(1621500159.585:133): proctitle=617564697463746C002D6100657869742C616C77617973002D4600646972002F746D702F2E5831312D756E6978002D5300756E6C696E6B2C756E6C696E6B61742C726D646972002D6B0064656C6574655F7831315F746D70
type=SOCKADDR msg=audit(1621500159.585:133): saddr=100000000000000000000000
type=SYSCALL msg=audit(1621500159.585:133): arch=c000003e syscall=44 success=yes exit=1084 a0=4 a1=7ffcd37abac0 a2=43c a3=0 items=0 ppid=103860 pid=103861 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="auditctl" exe="/usr/bin/auditctl" key=(null)
type=CONFIG_CHANGE msg=audit(1621500159.585:133): auid=1000 ses=1 op=add_rule key="delete_x11_tmp" list=4 res=0
	$ sudo ausearch -k delete_x11_tmp
	----
	time->Thu May 20 09:42:39 2021
	type=PROCTITLE msg=audit(1621500159.585:133): proctitle=617564697463746C002D6100657869742C616C77617973002D4600646972002F746D702F2E5831312D756E6978002D5300756E6C696E6B2C756E6C696E6B61742C726D646972002D6B0064656C6574655F7831315F746D70
	type=SOCKADDR msg=audit(1621500159.585:133): saddr=100000000000000000000000
	type=SYSCALL msg=audit(1621500159.585:133): arch=c000003e syscall=44 success=yes exit=1084 a0=4 a1=7ffcd37abac0 a2=43c a3=0 items=0 ppid=103860 pid=103861 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="auditctl" exe="/usr/bin/auditctl" key=(null)
	type=CONFIG_CHANGE msg=audit(1621500159.585:133): auid=1000 ses=1 op=add_rule key="delete_x11_tmp" list=4 res=0