diff -ur audit-2.4.1.orig/contrib/stig.rules audit-2.4.1/contrib/stig.rules

--- audit-2.4.1.orig/contrib/stig.rules	2014-10-27 16:54:03.000000000 -0400

+++ audit-2.4.1/contrib/stig.rules	2014-10-28 14:21:39.896827577 -0400

@@ -19,7 +19,7 @@

 ## NOTE:

 ## 1) if this is being used on a 32 bit machine, comment out the b64 lines

 ## 2) These rules assume that login under the root account is not allowed.

-## 3) It is also assumed that 500 represents the first usable user account. To

+## 3) It is also assumed that 1000 represents the first usable user account. To

 ##    be sure, look at UID_MIN in /etc/login.defs.

 ## 4) If these rules generate too much spurious data for your tastes, limit the

 ## the syscall file rules with a directory, like -F dir=/etc

@@ -106,22 +106,22 @@

 ##- Discretionary access control permission modification (unsuccessful

 ## and successful use of chown/chmod)

--a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=500 -F auid!=4294967295 -F key=perm_mod

--a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=500 -F auid!=4294967295 -F key=perm_mod

--a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=500 -F auid!=4294967295 -F key=perm_mod

--a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=500 -F auid!=4294967295 -F key=perm_mod

--a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=500 -F auid!=4294967295 -F key=perm_mod

--a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=500 -F auid!=4294967295 -F key=perm_mod

+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

+-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

+-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

+-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

+-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

 ##- Unauthorized access attempts to files (unsuccessful) 

--a always,exit -F arch=b32 -S open,creat,truncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -F key=access

--a always,exit -F arch=b32 -S open,creat,truncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -F key=access

--a always,exit -F arch=b64 -S open,truncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -F key=access

--a always,exit -F arch=b64 -S open,truncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -F key=access

+-a always,exit -F arch=b32 -S open,creat,truncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access

+-a always,exit -F arch=b32 -S open,creat,truncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

+-a always,exit -F arch=b64 -S open,truncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access

+-a always,exit -F arch=b64 -S open,truncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

 ##- Use of privileged commands (unsuccessful and successful)

 ## use find /bin -type f -perm -04000 2>/dev/null and put all those files in a rule like this

--a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -F key=privileged

+-a always,exit -F path=/bin/ping -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

 ##- Use of print command (unsuccessful and successful) 

@@ -129,14 +129,14 @@

 ## You have to mount media before using it. You must disable all automounting

 ## so that its done manually in order to get the correct user requesting the

 ## export

--a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -F key=export

--a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -F key=export

+-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -F key=export

+-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -F key=export

 ##- System startup and shutdown (unsuccessful and successful)

 ##- Files and programs deleted by the user (successful and unsuccessful)

--a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=500 -F auid!=4294967295 -F key=delete

--a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=500 -F auid!=4294967295 -F key=delete

+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete

+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete

 ##- All system administration actions 

 ##- All security personnel actions

@@ -175,7 +175,7 @@

 #-a always,exit -F arch=b64 -S delete_module -F key=module-unload

 ## Optional - admin may be abusing power by looking in user's home dir

-#-a always,exit -F dir=/home -F uid=0 -F auid>=500 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse

+#-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse

 ## Optional - log container creation  

 #-a always,exit -F arch=b32 -S clone -F a0&0x7C020000 -F key=container-create

diff -ur audit-2.4.1.orig/docs/audit.rules.7 audit-2.4.1/docs/audit.rules.7

--- audit-2.4.1.orig/docs/audit.rules.7	2014-10-27 16:54:03.000000000 -0400

+++ audit-2.4.1/docs/audit.rules.7	2014-10-28 14:23:00.014833616 -0400

@@ -76,10 +76,10 @@

 .B \-F

 options that fine tune what to match against. Rather than list all the valid field types here, the reader should look at the auditctl man page which has a full listing of each field and what it means. But its worth mentioning a couple things.

-The audit system considers uids to be unsigned numbers. The audit system uses the number \-1 to indicate that a loginuid is not set. This means that when its printed out, it looks like 4294967295. If you write a rule that you wanted try to get the valid users of the system, you need to look in /etc/login.defs to see where user accounts start. For example, if UID_MIN is  500, then you would also need to take into account that the unsigned representation of \-1 is higher than 500. So you would address this with the following piece of a rule:

+The audit system considers uids to be unsigned numbers. The audit system uses the number \-1 to indicate that a loginuid is not set. This means that when its printed out, it looks like 4294967295. If you write a rule that you wanted try to get the valid users of the system, you need to look in /etc/login.defs to see where user accounts start. For example, if UID_MIN is  1000, then you would also need to take into account that the unsigned representation of \-1 is higher than 1000. So you would address this with the following piece of a rule:

 .nf

-\-F auid>=500 \-F auid!=4294967295

+\-F auid>=1000 \-F auid!=4294967295

 .fi

 These individual checks are "anded" and both have to be true.