type=EXECVE msg=audit(02/20/2025 13:08:23.630:145876) : argc=3 a0=grep a1=-Ev a2=.Xauthority|.bashrc|.bluemix|.boto|.cer|.cloudflared|.credentials.json|.crt|.csr|.db|.der|.docker|.env|.erlang.cookie|.flyrc|.ftpconfig|.git|.git-credentials|.gitconfig|.github|.gnupg|.google_authenticator|.gpg|.htpasswd|.irssi|.jks|.k5login|.kdbx|.key|.keyring|.keystore|.keytab|.kube|.ldaprc|.lesshst|.mozilla|.msmtprc|.ovpn|.p12|.password-store|.pem|.pfx|.pgp|.plan|.profile|.psk|.pub|.pypirc|.rdg|.recently-used.xbel|.rhosts|.roadtools_auth|.secrets.mkey|.service|.socket|.sqlite|.sqlite3|.sudo_as_admin_successful|.svn|.swp|.tf|.tfstate|.timer|.vault-token|.vhd|.vhdx|.viminfo|.vmdk|.vnc|.wgetrc 
type=EXECVE msg=audit(02/20/2025 13:08:23.630:145876) : argc=3 a0=grep a1=-Ev a2=.Xauthority|.bashrc|.bluemix|.boto|.cer|.cloudflared|.credentials.json|.crt|.csr|.db|.der|.docker|.env|.erlang.cookie|.flyrc|.ftpconfig|.git|.git-credentials|.gitconfig|.github|.gnupg|.google_authenticator|.gpg|.htpasswd|.irssi|.jks|.k5login|.kdbx|.key|.keyring|.keystore|.keytab|.kube|.ldaprc|.lesshst|.mozilla|.msmtprc|.ovpn|.p12|.password-store|.pem|.pfx|.pgp|.plan|.profile|.psk|.pub|.pypirc|.rdg|.recently-used.xbel|.rhosts|.roadtools_auth|.secrets.mkey|.service|.socket|.sqlite|.sqlite3|.sudo_as_admin_successful|.svn|.swp|.tf|.tfstate|.timer|.vault-token|.vhd|.vhdx|.viminfo|.vmdk|.vnc|.wgetrc 
type=EXECVE msg=audit(02/20/2025 13:07:05.734:110423) : argc=3 a0=grep a1=-E a2=authorized_keys$ 
type=EXECVE msg=audit(02/20/2025 13:07:05.731:110422) : argc=3 a0=grep a1=-E a2=authorized_keys$ 
type=EXECVE msg=audit(02/20/2025 13:07:05.711:110417) : argc=3 a0=grep a1=-E a2=id_rsa.*$ 
type=EXECVE msg=audit(02/20/2025 13:07:05.707:110416) : argc=3 a0=grep a1=-E a2=id_rsa.*$ 
type=EXECVE msg=audit(02/20/2025 13:07:05.704:110415) : argc=3 a0=grep a1=-E a2=id_dsa.*$ 
type=EXECVE msg=audit(02/20/2025 13:07:05.701:110414) : argc=3 a0=grep a1=-E a2=id_dsa.*$ 
type=EXECVE msg=audit(02/20/2025 13:07:04.048:110165) : argc=3 a0=grep a1=-E a2=master\.key$ 
type=EXECVE msg=audit(02/20/2025 13:07:04.045:110164) : argc=3 a0=grep a1=-E a2=master\.key$ 
type=EXECVE msg=audit(02/20/2025 13:07:03.932:110153) : argc=3 a0=grep a1=-E a2=\.keystore$ 
type=EXECVE msg=audit(02/20/2025 13:07:03.928:110152) : argc=3 a0=grep a1=-E a2=\.keystore$ 
type=EXECVE msg=audit(02/20/2025 13:07:03.925:110151) : argc=3 a0=grep a1=-E a2=\.keyring$ 
type=EXECVE msg=audit(02/20/2025 13:07:03.922:110150) : argc=3 a0=grep a1=-E a2=\.keyring$ 
type=EXECVE msg=audit(02/20/2025 13:06:41.102:105926) : argc=3 a0=grep a1=-E a2=.*password.*$|.*credential.*$|creds.*$|.*\.key$ 
type=EXECVE msg=audit(02/20/2025 13:06:41.017:105911) : argc=3 a0=grep a1=-E a2=master\.key$|hudson\.util\.Secret$|credentials\.xml$|config\.xml$|.*jenkins$ 
type=EXECVE msg=audit(02/20/2025 13:06:40.273:105807) : argc=3 a0=grep a1=-E a2=keyrings$|.*\.keyring$|.*\.keystore$|.*\.jks$ 
type=EXECVE msg=audit(02/20/2025 13:06:40.024:105769) : argc=3 a0=grep a1=-E a2=krb5\.conf$|.*\.keytab$|\.k5login$|krb5cc_.*$|kadm5\.acl$|secrets\.ldb$|\.secrets\.mkey$|sssd\.conf$ 
type=EXECVE msg=audit(02/20/2025 13:06:39.895:105745) : argc=3 a0=grep a1=-E a2=id_dsa.*$|id_rsa.*$|known_hosts$|authorized_hosts$|authorized_keys$|.*\.pub$ 
type=EXECVE msg=audit(02/20/2025 13:06:39.796:105727) : argc=3 a0=grep a1=-E a2=glusterfs\.pem$|glusterfs\.ca$|glusterfs\.key$ 
type=EXECVE msg=audit(02/20/2025 10:02:49.268:88345) : argc=3 a0=grep a1=-Ev a2=.Xauthority|.bashrc|.bluemix|.boto|.cer|.cloudflared|.credentials.json|.crt|.csr|.db|.der|.docker|.env|.erlang.cookie|.flyrc|.ftpconfig|.git|.git-credentials|.gitconfig|.github|.gnupg|.google_authenticator|.gpg|.htpasswd|.irssi|.jks|.k5login|.kdbx|.key|.keyring|.keystore|.keytab|.kube|.ldaprc|.lesshst|.mozilla|.msmtprc|.ovpn|.p12|.password-store|.pem|.pfx|.pgp|.plan|.profile|.psk|.pub|.pypirc|.rdg|.recently-used.xbel|.rhosts|.roadtools_auth|.secrets.mkey|.service|.socket|.sqlite|.sqlite3|.sudo_as_admin_successful|.svn|.swp|.tf|.tfstate|.timer|.vault-token|.vhd|.vhdx|.viminfo|.vmdk|.vnc|.wgetrc 
type=EXECVE msg=audit(02/20/2025 10:01:26.986:51651) : argc=3 a0=grep a1=-E a2=authorized_keys$ 
type=EXECVE msg=audit(02/20/2025 10:01:26.983:51650) : argc=3 a0=grep a1=-E a2=authorized_keys$ 
type=EXECVE msg=audit(02/20/2025 10:01:26.970:51645) : argc=3 a0=grep a1=-E a2=id_rsa.*$ 
type=EXECVE msg=audit(02/20/2025 10:01:26.967:51644) : argc=3 a0=grep a1=-E a2=id_rsa.*$ 
type=EXECVE msg=audit(02/20/2025 10:01:26.964:51643) : argc=3 a0=grep a1=-E a2=id_dsa.*$ 
type=EXECVE msg=audit(02/20/2025 10:01:26.961:51642) : argc=3 a0=grep a1=-E a2=id_dsa.*$ 
type=EXECVE msg=audit(02/20/2025 10:01:25.134:51389) : argc=3 a0=grep a1=-E a2=master\.key$ 
type=EXECVE msg=audit(02/20/2025 10:01:25.131:51388) : argc=3 a0=grep a1=-E a2=master\.key$ 
type=EXECVE msg=audit(02/20/2025 10:01:25.036:51381) : argc=3 a0=grep a1=-E a2=\.keystore$ 
type=EXECVE msg=audit(02/20/2025 10:01:25.033:51380) : argc=3 a0=grep a1=-E a2=\.keystore$ 
type=EXECVE msg=audit(02/20/2025 10:01:25.029:51379) : argc=3 a0=grep a1=-E a2=\.keyring$ 
type=EXECVE msg=audit(02/20/2025 10:01:25.024:51378) : argc=3 a0=grep a1=-E a2=\.keyring$ 
type=EXECVE msg=audit(02/20/2025 10:00:50.848:46941) : argc=3 a0=grep a1=-E a2=.*password.*$|.*credential.*$|creds.*$|.*\.key$ 
type=EXECVE msg=audit(02/20/2025 10:00:50.736:46925) : argc=3 a0=grep a1=-E a2=master\.key$|hudson\.util\.Secret$|credentials\.xml$|config\.xml$|.*jenkins$ 
type=EXECVE msg=audit(02/20/2025 10:00:50.146:46822) : argc=3 a0=grep a1=-E a2=keyrings$|.*\.keyring$|.*\.keystore$|.*\.jks$ 
type=EXECVE msg=audit(02/20/2025 10:00:49.927:46786) : argc=3 a0=grep a1=-E a2=krb5\.conf$|.*\.keytab$|\.k5login$|krb5cc_.*$|kadm5\.acl$|secrets\.ldb$|\.secrets\.mkey$|sssd\.conf$ 
type=EXECVE msg=audit(02/20/2025 10:00:49.711:46761) : argc=3 a0=grep a1=-E a2=id_dsa.*$|id_rsa.*$|known_hosts$|authorized_hosts$|authorized_keys$|.*\.pub$ 
type=EXECVE msg=audit(02/20/2025 10:00:49.572:46743) : argc=3 a0=grep a1=-E a2=glusterfs\.pem$|glusterfs\.ca$|glusterfs\.key$