❶ Enable an audit context for system calls related to changing file ownership andpermissions. Depending on the hardware architecture of your system, enable ordisable the *32 rules. 64-bit systems, like x86_64 and ia64, require the *32 rulesto be removed.❷ Enable an audit context for system calls related to file content modification. De-pending on the hardware architecture of your system, enable or disable the *64rules. 64-bit systems, like x86_64 and ia64, require the *64 rules to be removed.❸ Enable an audit context for any directory operation, like creating or removing adirectory.❹ Enable an audit context for any linking operation, such as symlink, link, unlink,or rename.❺ Enable an audit context for any operation related to extended file system attributes.❻ Enable an audit context for the mknod system call, which creates special (device)files.❼ Enable an audit context for any mount or umount operation. For the x64_64 archi-tecture, disable the umount rule. For the ia64 architecture, disable the umount2rule.32.4 Monitoring SecurityConfiguration Files andDatabasesTo make sure that your system is not made to do undesired things, track any attemptsto change the cron and at configurations or the lists of scheduled jobs. Tracking anywrite access to the user, group, password and login databases and logs helps you iden-tify any attempts to manipulate your system's user database.Tracking changes to your system configuration (kernel, services, time, etc.) helps youspot any attempts of others to manipulate essential functionality of your system. Changesto the PAM configuration should also be monitored in a secure environment, becausechanges in the authentication stack should not be made by anyone other than the admin-istrator and it should be logged which applications are using PAM and how it is used.Introducing an Audit Rule Set 427