Recent versions of the audit system ship with a stig.rules file that gives
what I believe to be a correct rule set. What the official docs say to do is
another thing. :)  Take a look at that file and see how I do the unauthorized
file access.

Excellent!  I had simply changed to the following, in a minimalistic approach:

----------------------------------------------------
# Watch the audit daemon and rule configuration (all access types)
-w /etc/auditd.conf
-w /etc/audit.rules
# Failed opens only: unauthorized file access attempts
-a exit,always -S open -F success=0
# Successful removals and permission/ownership changes only
-a exit,always -S rmdir -S unlink -S chmod -S fchmod -S chown -S fchown -S lchown -F success!=0
# Both outcomes for system-state changes
-a exit,always -S settimeofday -S setrlimit -S setdomainname -S sched_setparam -S sched_setscheduler -S acct -S reboot -S swapon
-------------------------------------------------

I was grouping by failed, successful, and both. I did this because I had read that every audit rule is tested for every syscall, which... yeah, makes me want to group things.

That being said, stig.rules is extensive; any warning on what the performance impact will be?

Also, when looking for the newer builds on your site http://people.redhat.com/sgrubb/audit/ - I noticed "1.7 -> 1.8 Remote logging and finishing up IDS/IPS plugin." That would be wondrously fabulous, and I look forward to it. Any thoughts on whether it will be pulled into RHEL5, or whether I'd have to wait until RHEL6?

Brian
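The grouping Brian describes above (one rule per outcome, many -S entries per rule) can be checked mechanically. The following is an added example, not code from the audit project or from either poster: it parses audit.rules-style text covering the subset used in the thread (-w watches, -a list,action rules with -S, -F, -p and -k), reports how many syscall rules sit on each filter list, and merges rules whose list, action, -F filters and key are identical. The merge is sound because, within one rule, several -S entries are ORed while -F fields are ANDed, so the merged rule matches exactly the union of the originals. The sample rules are constructed for the example and the loader behaviour it models (a linear walk of the filter list) is an assumption stated in the comments.

```python
"""Count and consolidate Linux audit syscall rules (added example)."""
import shlex
from collections import Counter

# Constructed sample in the shape of the rules posted in the thread, with the
# "successful" group deliberately split in two so consolidation has work to do.
SAMPLE_RULES = """\
# watches
-w /etc/auditd.conf
-w /etc/audit.rules
# syscall rules
-a exit,always -S open -F success=0
-a exit,always -S rmdir -S unlink -S chmod -S fchmod -F success!=0
-a exit,always -S chown -S fchown -S lchown -F success!=0
-a exit,always -S settimeofday -S setrlimit -S reboot -S swapon
"""


def parse_rules(text):
    """Return a list of rule dicts from audit.rules-style text ('#' comments ignored)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        argv = shlex.split(line)
        rule = {"kind": None, "list": None, "action": None,
                "syscalls": [], "filters": [], "path": None}
        i = 0
        while i < len(argv):
            opt, arg = argv[i], argv[i + 1]  # every supported option takes one argument
            if opt == "-w":
                rule["kind"], rule["path"] = "watch", arg
            elif opt == "-a":
                rule["kind"] = "syscall"
                a, b = arg.split(",")
                # auditctl accepts either list,action or action,list
                if a in ("always", "never"):
                    rule["action"], rule["list"] = a, b
                else:
                    rule["list"], rule["action"] = a, b
            elif opt == "-S":
                rule["syscalls"].append(arg)
            elif opt == "-F":
                rule["filters"].append(arg)
            elif opt == "-p":
                rule["perms"] = arg
            elif opt == "-k":
                rule["key"] = arg
            else:
                raise ValueError(f"unsupported option {opt!r} in: {line}")
            i += 2
        rules.append(rule)
    return rules


def rules_per_list(rules):
    """Number of syscall rules on each filter list (exit, entry, task, ...).
    Assumption modelled here: the kernel walks the whole list for each event,
    so this count is the per-syscall cost to keep small."""
    return Counter(r["list"] for r in rules if r["kind"] == "syscall")


def syscall_coverage(rules):
    """Map syscall name -> how many syscall rules name it (duplicates show up as >1)."""
    cov = Counter()
    for r in rules:
        if r["kind"] == "syscall":
            cov.update(r["syscalls"])
    return cov


def consolidate(rules):
    """Merge syscall rules sharing list, action, -F filters and key into one
    rule with the union of their -S entries; watches are passed through."""
    merged, out = {}, []
    for r in rules:
        if r["kind"] != "syscall":
            out.append(r)
            continue
        key = (r["list"], r["action"], tuple(r["filters"]), r.get("key"))
        if key not in merged:
            merged[key] = {"kind": "syscall", "list": r["list"], "action": r["action"],
                           "syscalls": [], "filters": list(r["filters"]), "key": r.get("key")}
            out.append(merged[key])
        for s in r["syscalls"]:
            if s not in merged[key]["syscalls"]:
                merged[key]["syscalls"].append(s)
    return out


def format_rule(r):
    """Render a rule dict back into auditctl syntax (list,action form as in the thread)."""
    if r["kind"] == "watch":
        parts = ["-w", r["path"]] + (["-p", r["perms"]] if r.get("perms") else [])
    else:
        parts = ["-a", f"{r['list']},{r['action']}"]
        parts += [tok for s in r["syscalls"] for tok in ("-S", s)]
        parts += [tok for f in r["filters"] for tok in ("-F", f)]
    if r.get("key"):
        parts += ["-k", r["key"]]
    return " ".join(parts)


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    print("syscall rules per list before:", dict(rules_per_list(parsed)))
    compact = consolidate(parsed)
    print("syscall rules per list after: ", dict(rules_per_list(compact)))
    for r in compact:
        print(format_rule(r))
```

Run it against a real rules file with `parse_rules(open("/etc/audit.rules").read())` to see how many rules each filter list carries; two rules that differ only in their -S lists are the first candidates for merging.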