There are some syscall numbers that are not known by auditctl.
When running on IX86,
/usr/include/asm-i386/unistd.h contains:
#define __NR_setfsuid32 215
But I am unable to audit this syscall number. Because when I add the rule:
auditctl -a entry,always -S 215
auditctl returns:
AUDIT_LIST: entry always syscall=(null)
No rules
This is true for other syscalls found in /usr/include/asm-i386/unistd.h that are not found in /usr/include/asm-x86_64/unistd.h
-debbie