Before creating your own audit configuration, determine the degree to which you want to use audit. Use the following rules of thumb to decide which use case best matches your requirements:
If you require a full security audit for CAPP/EAL certification, enable full audit for system calls and configure watches on various configuration files and directories, similar to the rule set featured in Section 31.0, Introducing an Audit Rule Set. Proceed to Section 30.3, Enabling Audit for System Calls.
If you require an occasional audit of a system call instead of a permanent audit for system calls, use autrace. Proceed to Section 30.3, Enabling Audit for System Calls.
If you require file and directory watches to track access to important or security-sensitive data, create a rule set matching these requirements. Enable audit as described in Section 30.3, Enabling Audit for System Calls, and proceed to Section 30.4, Setting Up Audit Rules.