## Executions.
-a always,exit -F arch=b32 -S execve,execveat -k exec

## External access (warning: these can be expensive to audit).
-a always,exit -F arch=b32 -S accept4,bind,connect -F key=external-access

## Identity changes.
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity

## Unauthorized access attempts.
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access