As well as auditing file system related system calls, as described in Section 31.3, “Monitoring File System Objects”, you can also track various other system calls. Tracking task creation helps you understand your applications' behavior. Auditing the umask system call lets you track how processes modify permissions. Tracking any attempts to change the system time helps you identify anyone or any process trying to manipulate the system time.
-a entry,always -S clone -S fork -S vfork ## For ia64 architecture, disable fork and vfork rules above, and ## enable the following: #-a entry,always -S clone2
-a entry,always -S umask
-a entry,always -S adjtimex -S settimeofday