Hello all,
I've been a linux sysadmin for a while for a small network of systems
under the oversight of the Defense Security Service (DSS). They have
always given us grief over Linux's inability to log certain events. A
year ago, I implemented Snare with good results, but lack of a Kernel
panic on audit failure always had them second guessing our setup. So
I'm encouraged to see the progress made here and am preparing to try
again.
Basically, the requirements are to log improper read access to certain
files (audit logs, shadow) and write access to many others (most of
/etc), and in some cases attempts to execute programs like stunnel and
su.
My main confusion on getting started is the difference between syscalls
and watches. It seems watches can do almost all of what I need, but
they seem to be less "configurable" than the syscalls (like ignoring if
root changes anything). Can someone explain the difference and where
one is more appropriate than the other?
I have the CAPP documents from HP and IBM, which seem to be a good
starting point (especially the conf files) - but I'm trying to
understand it all before implementation in case I need to tweak it.
Thanks in advance for any help,
Anthony
_____________
Anthony Curtas
SAIC, Division 35
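Added example (not from the poster or the list): an auditctl rule set in audit.rules syntax that puts the same three requirements (reads of shadow and the audit logs, writes under /etc, execution of su and stunnel) side by side as watches and as syscall rules, so the difference is visible. A watch (-w) is a path filter on every syscall with no other fields; a syscall rule (-a) takes the same path filter plus uid, arch and syscall fields, which is what lets it ignore root. The x86_64 arch, the /bin/su and /usr/sbin/stunnel paths and the -k key names are assumptions.

```shell
#!/bin/sh
# Emit an audit rule set contrasting watches (-w) with syscall rules (-a).
# Assumed: x86_64, su at /bin/su, stunnel at /usr/sbin/stunnel.
audit_rules() {
    cat <<'EOF'
# Start clean, enlarge the kernel backlog, and panic (2) if audit fails.
-D
-b 8192
-f 2

# --- Watches: path + permission only; every uid, including root, is logged.
-w /etc/shadow -p r -k shadow_read
-w /var/log/audit/ -p r -k auditlog_read
-w /etc/ -p wa -k etc_change
-w /bin/su -p x -k su_exec

# --- Syscall rules: same paths, but with uid/arch/syscall fields, so
#     root's activity can be excluded and the syscall list narrowed.
-a always,exit -F arch=b64 -S open,openat -F path=/etc/shadow -F perm=r -F uid!=0 -k shadow_read_nonroot
-a always,exit -F arch=b64 -S open,openat,truncate,rename,unlink -F dir=/etc/ -F perm=wa -F uid!=0 -k etc_change_nonroot
-a always,exit -F arch=b64 -S execve -F path=/bin/su -F uid!=0 -k su_exec_nonroot
-a always,exit -F arch=b64 -S execve -F path=/usr/sbin/stunnel -F uid!=0 -k stunnel_exec_nonroot

# Lock the configuration; changing it after this requires a reboot.
-e 2
EOF
}

# Print the rules for review; load with: audit_rules > /etc/audit/audit.rules
# followed by auditctl -R /etc/audit/audit.rules (as root).
audit_rules
```

The watch on /etc/ is recursive, and so is `-F dir=`, so both forms cover subdirectories; only the -a form can drop root's own edits.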