I don't understand why the STIG audit rules have -F auid!=4294967295 in them. If auid is unset, why wouldn't you still want to see the events in the logs?

Curtis

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit