type=EXECVE msg=audit(1723206727.842:85222): argc=3 a0="grep" a1="-Ev" a2=".Xauthority|.bashrc|.bluemix|.boto|.cer|.cloudflared|.credentials.json|.crt|.csr|.db|.der|.docker|.env|.erlang.cookie|.flyrc|.ftpconfig|.git|.git-credentials|.gitconfig|.github|.gnupg|.google_authenticator|.gpg|.htpasswd|.irssi|.jks|.k5login|.kdbx|.key|.keyring|.keystore|.keytab|.kube|.ldaprc|.lesshst|.mozilla|.msmtprc|.ovpn|.p12|.password-store|.pem|.pfx|.pgp|.plan|.profile|.psk|.pub|.pypirc|.rdg|.recently-used.xbel|.rhosts|.roadtools_auth|.secrets.mkey|.service|.socket|.sqlite|.sqlite3|.sudo_as_admin_successful|.svn|.swp|.tf|.tfstate|.timer|.vault-token|.vhd|.vhdx|.viminfo|.vmdk|.vnc|.wgetrc"
type=EXECVE msg=audit(1723206646.394:49276): argc=3 a0="grep" a1="-E" a2="\.gnupg$"
type=EXECVE msg=audit(1723206646.386:49275): argc=3 a0="grep" a1="-E" a2="\.gnupg$"
type=EXECVE msg=audit(1723206645.922:49235): argc=3 a0="grep" a1="-E" a2="\.gpg$"
type=EXECVE msg=audit(1723206645.918:49234): argc=3 a0="grep" a1="-E" a2="\.gpg$"
type=EXECVE msg=audit(1723206645.914:49233): argc=3 a0="grep" a1="-E" a2="\.pgp$"
type=EXECVE msg=audit(1723206645.910:49232): argc=3 a0="grep" a1="-E" a2="\.pgp$"
type=EXECVE msg=audit(1723206618.358:45040): argc=3 a0="grep" a1="-E" a2=".*\.pgp$|.*\.gpg$|.*\.gnupg$"
type=EXECVE msg=audit(1723206618.354:45038): argc=4 a0="grep" a1="-v" a2="-E" a3="README.gnupg"