# Ansible managed

# log executed commands on this server for admins (UID 10000 to 10999 inside containers)
-a always,exit -F arch=b64 -S execve -F auid>=10000 -F auid<=10999 -k exec_metal_admin

# log executed commands inside containers for admins (UID 10000 to 10999 inside containers)
-a always,exit -F arch=b64 -S execve -F auid>=1010000 -F auid<=1010999 -k exec_container_admin

# log executed commands inside containers for users (UID 12000 to 12999 inside containers)
-a always,exit -F arch=b64 -S execve -F auid>=1012000 -F auid<=1012999 -k exec_container_user

# Reduce the noise
-a exclude,always -F msgtype=CRED_ACQ
-a exclude,always -F msgtype=CRED_DISP
-a exclude,always -F msgtype=CRED_REFR
-a exclude,always -F msgtype=CWD
-a exclude,always -F msgtype=PATH
-a exclude,always -F msgtype=PROCTITLE
-a exclude,always -F msgtype=SERVICE_START
-a exclude,always -F msgtype=SERVICE_STOP
-a exclude,always -F msgtype=SOCKADDR
-a exclude,always -F msgtype=USER_ACCT
-a exclude,always -F msgtype=USER_AUTH
-a exclude,always -F msgtype=USER_END
-a exclude,always -F msgtype=USER_START
-a exclude,always -F auid=4294967295