To determine which events to audit, start by auditing all events for a reasonable period of time (a few days, for example). At the end of that time, examine the audit event log files in detail to see the following:
The corresponding events are bad_auth, cron, login and passwd. The set_uid event, though not in the set of user identification and authentication events, also provides information on the identity of the user executing a process.
The corresponding events are acct_off, acct_on, acct_sw, file_priv, lp_admin, mk_node, mount, sched_lk, sched_fp, sched_fc, sched_rt, sched_ts, setrlimit, tfadmin, ulimit, and umount. In addition, all the fixed events provide information in this area.
The corresponding event is prt_job; the cancel_job event also provides useful information in this area.
The corresponding events are the interprocess communication events and the create, link, mk_dir, open_rd, open_wr, and sym_create events.
The corresponding events are unlink and rm_dir.
The definition of a security-relevant event varies, depending on the needs of a site. Of the events not listed above, the pm_denied event and the events associated with DAC will probably be relevant to the security of most sites.
Even if you need to minimize the amount of data recorded, consider auditing the following set of events: