Hi - I'm trying to get a RHEL4u2 box security accredited. I believe auditd running with certain traps turned on will do the trick. Trouble is a can't make heads or tails of how to use the auditctl file to create those traps. The man page is not giving me enough guidance.

Has anyone ever set up auditd with auditctl and audit.rules?
Have any examples that would help me set up my own auditd?

Thanks,
Magothybob