Linux Auditing Problems - log file getting large
I have yet to find a truly comprehensive solution to auditing Linux to meet NISPOM or DCID government requirements. I have a Red Hat Enterprise 4 WS with SELinux enabled. When I tweak the /etc/audit.rules file using auditctl, I get "invalid argument" for "-w" and "-pa" even though the man pages say this should work. I even tried using the /usr/share/doc/audit-1.2.1/capp.rules file, same problems. Not to mention my audit log gets so full so fast on garbage.

I then installed Snare. Not impressed, glorified GUI which just regurgitates the raw audit log.

How can I configure auditing to only look at FAILED executable access/run attempts?

How can I configure auditing to look for FAILED attempts to access specific files?

Am I missing a piece to this puzzle? Any help is appreciated.
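An added example, not part of the original post or any reply to it, showing one way to approach both questions from the defender's side: restrict the rules to failed syscalls and tag each rule with a key, then filter the raw audit.log by those keys instead of reading everything. The rule lines use the `-F success=0`, `-F path=` and `-k` fields of current auditctl and are an assumption; whether the audit-1.2.1 package on RHEL 4 accepts them is not established by the post. The log lines are constructed in the modern `type=... msg=audit(ts:serial)` format, and the key names `exec_fail` and `watch_shadow` are chosen here for illustration.

```python
import errno
import re
from collections import defaultdict

# Assumed rule set (current auditctl syntax, not verified against audit-1.2.1).
# Each rule only fires on a failed syscall (success=0) and carries a key, so the
# log stays small and can be filtered by key instead of by raw syscall number.
AUDIT_RULES = """\
-a always,exit -F arch=b64 -S execve -F success=0 -k exec_fail
-a always,exit -F arch=b64 -S open,openat -F path=/etc/shadow -F success=0 -k watch_shadow
"""

# Constructed sample of what auditd writes for three events:
#   101: a failed execve (exit=-13, EACCES) caught by the exec_fail rule
#   102: a failed open of /etc/shadow caught by the watch_shadow rule
#   103: a successful execve from some broader rule, which the filter must ignore
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:101): arch=c000003e syscall=59 success=no exit=-13 a0=1 a1=2 a2=3 a3=4 items=1 ppid=1000 pid=1001 auid=500 uid=500 gid=500 euid=500 comm="bash" exe="/bin/bash" key="exec_fail"
type=EXECVE msg=audit(1700000000.101:101): argc=1 a0="/usr/sbin/tcpdump"
type=PATH msg=audit(1700000000.101:101): item=0 name="/usr/sbin/tcpdump" inode=1234 dev=08:01 mode=0100700 ouid=0 ogid=0
type=SYSCALL msg=audit(1700000000.102:102): arch=c000003e syscall=2 success=no exit=-13 a0=1 a1=2 a2=3 a3=4 items=1 ppid=1000 pid=1002 auid=500 uid=500 gid=500 euid=500 comm="cat" exe="/bin/cat" key="watch_shadow"
type=PATH msg=audit(1700000000.102:102): item=0 name="/etc/shadow" inode=5678 dev=08:01 mode=0100400 ouid=0 ogid=0
type=SYSCALL msg=audit(1700000000.103:103): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=1 ppid=1000 pid=1003 auid=500 uid=500 gid=500 euid=500 comm="bash" exe="/bin/bash" key="all_exec"
type=PATH msg=audit(1700000000.103:103): item=0 name="/bin/ls" inode=9 dev=08:01 mode=0100755 ouid=0 ogid=0
"""

# key=value pairs; values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# The (timestamp:serial) pair that ties the SYSCALL, EXECVE and PATH records
# of one event together.
EVENT_RE = re.compile(r'msg=audit\((\d+\.\d+:\d+)\)')


def parse_events(text):
    """Group raw audit records by event id, each record as a dict of fields."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        fields = {}
        for key, raw, quoted in FIELD_RE.findall(line):
            fields[key] = quoted if raw.startswith('"') else raw
        events[m.group(1)].append(fields)
    return events


def failed_events(events, keys):
    """Return the failed syscalls whose rule key is in `keys`, with the
    target paths from the event's PATH records and the errno name."""
    findings = []
    for event_id, records in sorted(events.items()):
        syscall = next((r for r in records if r.get("type") == "SYSCALL"), None)
        if syscall is None or syscall.get("success") != "no":
            continue  # only failures are of interest
        if syscall.get("key") not in keys:
            continue  # not one of the rules we asked about
        exit_code = int(syscall.get("exit", "0"))
        findings.append({
            "event": event_id,
            "rule": syscall["key"],
            "exit": exit_code,
            "errno": errno.errorcode.get(-exit_code, "unknown"),
            "auid": syscall.get("auid"),
            "exe": syscall.get("exe"),
            "targets": [r["name"] for r in records
                        if r.get("type") == "PATH" and "name" in r],
        })
    return findings


if __name__ == "__main__":
    for f in failed_events(parse_events(SAMPLE_LOG), {"exec_fail", "watch_shadow"}):
        print(f"{f['event']} {f['rule']}: auid={f['auid']} exe={f['exe']} "
              f"{f['errno']} on {', '.join(f['targets'])}")
```

Run as a script it reports the two failures (the denied tcpdump execution and the denied read of /etc/shadow) and skips the successful execve. Keying each rule and filtering on `success=no` is what keeps the "garbage" out of view; on a real system the same filter runs over `/var/log/audit/audit.log` instead of the constructed sample.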