Could anyone give me some suggestion about configure secure audit system

Note that this is written from the point of view of Solaris, but it still applies to Linux, but some commands and configurations will differ - the general principle is the same though.

The first step is to enable auditing, which is done by running /etc/security/bsmconv and answering y to the question, and then reboot to load the kernel module which is required for auditing to occur.

Next step is to configure what you should audit, which is done in /etc/security/audit_control. There you list what the classes of events which should be audited, and since you haven't provided a complete list, I'll give you a rough estimate of what you might need:

flags:lo,ex,fm,fd,ad
naflags:na,lo,ad

This will audit login and logout events, executions, file modifications and deletions, and administrative events. The complete list of audit classes can be found in /etc/security/audit_class. Which classes should be configured is determined by your company's security policy, so be sure to review it.

Finally tell the audit daemon to load the changes you just made using audit -s. This will generate an audit trail in /var/audit which can searched sorted using the auditreduce command and then be translated into human readable format by the praudit command.

You should also configure log rotation (in cron) using audit -n to prevent the audit file from becoming too large.

In this case they are using the word "audit" as the ability to detect this behavior. I am pretty sure that the only way to detect this behavior is with a kernel module. There maybe one already written, but I do not know of one.