I apologize, but I am not sure how to go about determining the appropriate
syscalls to use for various audit goals.
I know that recently I learned to use the ausyscall --dump command to list
the ausyscalls; but apparently I misunderstood/misinterpreted the purpose of
1 or 2 of the syscalls and had to be corrected (thanks Steve).
Anyway, my organization has a goal to audit several things; of which I know
how to manage most, for example:
1. File & Object
- Creation (Success/Failure) | w
- Access (Success/Failure) | r
- Deletion (Success/Failure) | w
- Content Modification (Success/Failure) | a
- Permission Modification (Success/Failure) | a
- Ownership Modification (Success/Failure) | a
For these I would have used a watch (-w) rule and set the -p flags to r,
w or a as shown above. From what I understand though, correct me if I
am wrong Steve, we should be getting away from the watch rules and move
towards syscalls and using -F path=/path/to/file, or
-F path=/path/to/several_files/ -- is this correct, both for RHEL6 and
RHEL7?
Also, I need to audit (Success/Failure) for the following sort of things:
Authentications
Logons
Logoffs
Writes/downloads to external devices/media
Uploads from external devices/media (such as DVD, thumbdrive, etc.)
User & Group events
User: Creation, deletion, modification, suspending/locking
Group/Role: Creation, deletion, modification
Use of Privileged/Special Rights events (such as sudo, su, etc.)
Printing to a print-device
Printing to a file
Thanks in advance for any steering someone could provide to get me moving
in the correct direction.
--------------------------
Warron French
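One way to express the file/object goals from the post in the -a syscall form, as an added example that is not part of the original message or of the audit project: a "-w PATH -p PERMS" watch is what auditctl expands into "-F path=" (or "-F dir=" for a directory) plus "-F perm=", and the -a form is where the auid filters and explicit syscall lists can be attached. The paths, keys and the deletion syscall list are assumptions; nothing here calls auditctl, it only emits rules text.

```shell
#!/bin/sh
# Added example: generate audit rules text for /etc/audit/rules.d/*.rules.
# The -a lines below are the syscall-rule form of -w watches; auditctl
# performs the same expansion when it loads a -w rule.

# Emit the -a equivalent of "-w PATH -p PERMS -k KEY".
# PERMS must be a non-empty subset of r,w,x,a; otherwise print nothing and
# return 1. A trailing slash marks a directory, which becomes -F dir=
# (recursive); a plain path becomes -F path= (that one file only).
syscall_rule_for_watch() {
    path=$1 perms=$2 key=$3
    case $perms in
        ''|*[!rwxa]*) return 1 ;;
    esac
    case $path in
        */) field="dir=${path%/}" ;;
        *)  field="path=$path" ;;
    esac
    # -F perm= is the field behind -p. The auid filters keep out system
    # daemons (UID < 1000) and processes with no login UID set.
    printf '%s -F %s -F perm=%s -F auid>=1000 -F auid!=4294967295 -k %s\n' \
        '-a always,exit' "$field" "$perms" "$key"
}

# Deletion is better caught by naming the syscalls on the parent directory,
# which a -w watch cannot do. arch=b64 only covers 64-bit callers; add a
# matching -F arch=b32 line on systems that run 32-bit binaries.
deletion_rule() {
    dir=$1 key=$2
    printf '%s -F arch=b64 -S unlink,unlinkat,rename,renameat -F dir=%s -F auid>=1000 -F auid!=4294967295 -k %s\n' \
        '-a always,exit' "$dir" "$key"
}

# The file/object goals from the post mapped to rules (constructed paths/keys).
file_object_rules() {
    syscall_rule_for_watch /etc/passwd    r  passwd_access    # access
    syscall_rule_for_watch /etc/passwd    wa passwd_modify    # content, perms, owner
    syscall_rule_for_watch /etc/sudoers.d/ w  sudoers_create  # creation in a directory
    deletion_rule /etc/sudoers.d sudoers_delete               # deletion in a directory
}

file_object_rules
```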