27 lines
1.1 KiB
Text
27 lines
1.1 KiB
Text
|
# Ansible managed
|
||
|
|
|
||
|
|
# log executed commands on this server for admins (UID 10000 to 10999 inside containers)
|
||
|
|
-a always,exit -F arch=b64 -S execve -F auid>=10000 -F auid<=10999 -k exec_metal_admin
|
||
|
|
|
||
|
|
# log executed commands inside containers for admins (UID 10000 to 10999 inside containers)
|
||
|
|
-a always,exit -F arch=b64 -S execve -F auid>=1010000 -F auid<=1010999 -k exec_container_admin
|
||
|
|
|
||
|
|
# log executed commands inside containers for users (UID 12000 to 12999 inside containers)
|
||
|
|
-a always,exit -F arch=b64 -S execve -F auid>=1012000 -F auid<=1012999 -k exec_container_user
|
||
|
|
|
||
|
|
# Reduce the noise
|
||
|
|
-a exclude,always -F msgtype=CRED_ACQ
|
||
|
|
-a exclude,always -F msgtype=CRED_DISP
|
||
|
|
-a exclude,always -F msgtype=CRED_REFR
|
||
|
|
-a exclude,always -F msgtype=CWD
|
||
|
|
-a exclude,always -F msgtype=PATH
|
||
|
|
-a exclude,always -F msgtype=PROCTITLE
|
||
|
|
-a exclude,always -F msgtype=SERVICE_START
|
||
|
|
-a exclude,always -F msgtype=SERVICE_STOP
|
||
|
|
-a exclude,always -F msgtype=SOCKADDR
|
||
|
|
-a exclude,always -F msgtype=USER_ACCT
|
||
|
|
-a exclude,always -F msgtype=USER_AUTH
|
||
|
|
-a exclude,always -F msgtype=USER_END
|
||
|
|
-a exclude,always -F msgtype=USER_START
|
||
|
|
-a exclude,always -F auid=4294967295
|