Here at IBM we have found that if you create an audit rule which uses "task", then the -S flag has no affect. Rather than only auditing the specified syscalls, all syscalls will generate an audit message. fyi, the -F flag seems to work as expected. If this behavior is acceptable and it doesn't make sense to use the "-S" flag with "task" rules, then auditctl needs to be changed to not accept the -S flag in conjunction with "task", or at least return a warning that the -S flag will be ignored. The man page will also need to be changed in order to state the limitation.