Hello Steve!

OK, the last puzzle piece was loginuid=0 !! -.-

My current audit rules for the use case "logging root user actions, without too much noise":
#
# delete all rules
-D
# set backlog_limit, default=320
-b 8192

# do not audit cron jobs
-a user,never -F subj_type=crond_t
-a exit,never -F subj_type=crond_t

# audit root actions from users switching to root
-a always,exit -F arch=x86_64 -S execve -F auid>=500 -F auid!=-1 -F uid=0 -k root-commands
-a always,exit -F arch=i386 -S execve -F auid>=500 -F auid!=-1 -F uid=0 -k root-commands

# audit root actions with loginuid root
-a always,exit -F arch=x86_64 -S execve -F auid=0 -F uid=0 -k root-commands
-a always,exit -F arch=i386 -S execve -F auid=0 -F uid=0 -k root-commands
#EOF

Thank you for the tips. I wonder how you manage to do all that great stuff and still find time to support people. Great job!

Best regards,
Orhan
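As an added example (not part of Orhan's message or the audit project), the following Python parser reads the raw records that rules keyed root-commands produce, joins each SYSCALL record to its EXECVE record by the msg=audit(time:serial) serial, and reports every command run as uid 0 together with the accountable login uid (auid). The log lines are constructed samples; a hex-encoded argv value is included because auditd writes arguments containing spaces that way.

```python
import re
from collections import defaultdict

# Constructed sample records in auditd's raw log format (not from the post). Each
# execve yields a SYSCALL record plus an EXECVE record with the argv, linked by the
# serial. The last line matched no rule (uid != 0), so it carries key=(null).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4242): arch=c000003e syscall=59 success=yes exit=0 ppid=2101 pid=2102 auid=500 uid=0 gid=0 euid=0 tty=pts0 comm="vi" exe="/usr/bin/vi" key="root-commands"
type=EXECVE msg=audit(1700000000.123:4242): argc=2 a0="vi" a1="/etc/ssh/sshd_config"
type=SYSCALL msg=audit(1700000000.500:4243): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2200 auid=0 uid=0 gid=0 euid=0 tty=pts1 comm="useradd" exe="/usr/sbin/useradd" key="root-commands"
type=EXECVE msg=audit(1700000000.500:4243): argc=5 a0="useradd" a1="-c" a2=4261636B75702075736572 a3="-m" a4="backup"
type=SYSCALL msg=audit(1700000000.900:4244): arch=c000003e syscall=59 success=yes exit=0 ppid=2101 pid=2105 auid=500 uid=500 gid=500 euid=500 tty=pts0 comm="ls" exe="/bin/ls" key=(null)
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')

def parse_record(line):
    """Split one raw audit line into field -> raw value; None if it is not a record."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(line))
    rec["_serial"] = int(m.group(2))
    return rec

def decode_arg(raw):
    """auditd quotes printable argv values and hex-encodes the rest; undo both."""
    if raw.startswith('"'):
        return raw[1:-1]
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:
        return raw

def root_commands(log_text):
    """Commands run as uid 0 under the root-commands key, with argv and accountable auid."""
    by_serial = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            by_serial[rec["_serial"]][rec["type"]] = rec
    found = []
    for serial in sorted(by_serial):
        sc, ex = by_serial[serial].get("SYSCALL"), by_serial[serial].get("EXECVE")
        if not sc or sc.get("key") != '"root-commands"' or sc.get("uid") != "0":
            continue
        argv = [decode_arg(ex["a%d" % i]) for i in range(int(ex["argc"]))] if ex else []
        found.append({"serial": serial, "auid": int(sc["auid"]), "tty": sc.get("tty"), "argv": argv})
    return found
```

Calling root_commands on the output of `ausearch -k root-commands --raw` gives one entry per privileged command, with auid telling you which login session is responsible even after su or sudo.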