Hello Steve!
OK, the last puzzle piece was loginuid=0 !! -.-
My current audit rules for the use-case "logging root user actions, without
too much noise"
#
# delete all rules
-D
# set backlog_limit, default=320
-b 8192
# do not audit cron jobs
-a user,never -F subj_type=crond_t
-a exit,never -F subj_type=crond_t
# audit root actions from users switching to root
-a always,exit -F arch=x86_64 -S execve -F auid>=500 -F auid!=-1 -F uid=0 -k root-commands
-a always,exit -F arch=i386 -S execve -F auid>=500 -F auid!=-1 -F uid=0 -k root-commands
# audit root actions with loginuid root
-a always,exit -F arch=x86_64 -S execve -F auid=0 -F uid=0 -k root-commands
# same rule for 32-bit binaries (a second identical x86_64 line would be rejected as a duplicate)
-a always,exit -F arch=i386 -S execve -F auid=0 -F uid=0 -k root-commands
#EOF
Thank you for the tips. I wonder how you manage to do all that great stuff
and still find time to support people. Great job!
Best regards,
Orhan
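As an added illustration (not part of Orhan's message or of audit itself), the following Python models how the rules above sort SYSCALL records: the crond_t "never" rule is applied first, then the two execve rules on uid=0, with auid!=-1 keeping processes that have no login session (unset loginuid 4294967295, which is numerically >=500) out of the "root-commands" key. The records are constructed samples, not real audit output.

```python
import re
from typing import Dict, List

UNSET_AUID = 4294967295                    # kernel's "unset" loginuid; -F auid!=-1 excludes it
EXECVE = {0xC000003E: 59, 0x40000003: 11}  # AUDIT_ARCH_X86_64 / AUDIT_ARCH_I386 -> execve number

# Constructed sample records (not real audit output), one per case the rules distinguish.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1700000000.101:11): arch=c000003e syscall=59 auid=4294967295 uid=0 '
    'subj=system_u:system_r:crond_t:s0-s0:c0.c1023 exe="/usr/bin/run-parts"',   # cron job
    'type=SYSCALL msg=audit(1700000000.102:12): arch=c000003e syscall=59 auid=1000 uid=0 '
    'subj=unconfined_u:unconfined_r:unconfined_t:s0 exe="/usr/bin/systemctl"',  # user switched to root
    'type=SYSCALL msg=audit(1700000000.103:13): arch=c000003e syscall=59 auid=4294967295 uid=0 '
    'subj=system_u:system_r:init_t:s0 exe="/usr/sbin/logrotate"',               # daemon, no login session
    'type=SYSCALL msg=audit(1700000000.104:14): arch=40000003 syscall=11 auid=0 uid=0 '
    'subj=unconfined_u:unconfined_r:unconfined_t:s0 exe="/usr/bin/vi"',         # direct root login, 32-bit
    'type=SYSCALL msg=audit(1700000000.105:15): arch=c000003e syscall=59 auid=1000 uid=1000 '
    'subj=unconfined_u:unconfined_r:unconfined_t:s0 exe="/usr/bin/ls"',         # unprivileged user
]

def parse_record(line: str) -> Dict[str, str]:
    """Split an audit record into its key=value fields, stripping quotes."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def matches_root_commands(rec: Dict[str, str]) -> bool:
    """Evaluate the ruleset in order: the crond_t 'never' rule wins, then the two 'always' rules."""
    if rec.get("type") != "SYSCALL":
        return False
    subj = rec.get("subj", "").split(":")
    if len(subj) > 2 and subj[2] == "crond_t":          # -a exit,never -F subj_type=crond_t
        return False
    arch, nr = int(rec["arch"], 16), int(rec["syscall"])
    if EXECVE.get(arch) != nr or int(rec["uid"]) != 0:  # -S execve -F uid=0 on a listed arch
        return False
    auid = int(rec["auid"])
    if auid >= 500 and auid != UNSET_AUID:              # -F auid>=500 -F auid!=-1: switched to root
        return True
    return auid == 0                                    # -F auid=0: logged in as root

def root_commands(lines: List[str]) -> List[str]:
    """Return the exe of every record the root-commands rules would tag."""
    return [r["exe"] for r in map(parse_record, lines) if matches_root_commands(r)]

if __name__ == "__main__":
    for exe in root_commands(SAMPLE_RECORDS):
        print(exe)
```

Dropping the auid!=-1 filter from the model makes the logrotate record match as well, which is exactly the daemon noise the posted rules avoid.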