We want to use Linux audit type SERVICE_START/STOP for our application running as service.
 But I am not able to find example on how to use auditctl to define the rule.  It seems to me that
 all the examples are of rules defined for system_calls.  Questions:
 1.  Can I use audit type SERVICE_START/STOP for my application runs as service?  or would it
      be considered as type USR_CMD?
 2.  How do I use auditctl to define rule for SERVICE_START/STOP?  Can you direct/point me
      to URL/documentation where it is documented?

 Thanks.

Gisela Cheng  
giselac@us.ibm.com