[INFO] What package, script or process is creating /etc/cron.daily/auditd.cron?
PREFACE (EDIT): Please keep in mind 2 things before posting, as they have been visited several times and are not part of our issue.
1) Before we posted this, we had already done the following RPM commands: -qf (RPM [what]provides), -q --scripts (RPM scripts), -q --triggers (RPM triggers). We are trying to figure out what process is copying the file /usr/share/doc/audit-*/auditd.cron to /etc/cron.daily. It seems to be a post-installation process not in any RPM, file, script or trigger.
2) We are not using logrotate for audit, period. auditd.cron and logrotate are for different sets of files, as part of a greater solution to reduce disk usage for logging and auditing. We use logrotate and its inherent (zip -9) compression for those files in logrotate which, again, does not include auditd's logs. We are also using other scripts -- cron.hourly/zlogs.cron (ORIGINAL) and cron.monthly/arclogs.cron (NEW) -- to rename/compress audit and other log files as well as move them to another file system. The latter, normally run monthly, even gets automatically kicked off, per audit/auditd.conf, when the file system drops to under 0.5GiB free.
LONGER INQUIRY (ORIGINAL): We are building an RPM to modify/rotate/compress logs on RHEL 6.
This includes the logrotate and auditd services. We wish to move /etc/cron.daily/logrotate and /etc/cron.daily/auditd.cron to /etc/cron.hourly/, so it rotates hourly. As part of our RPM SPEC, we are going to build a trigger that will re-move these files to /etc/cron.hourly/ in case they are updated in /etc/cron.daily/.
Although the package "logrotate" includes the /etc/cron.daily/logrotate file, the /etc/cron.daily/auditd.cron file is neither part of the package "audit" nor created as part of the scripts of package "audit". Using "rpm -q --whatprovides /etc/cron.daily/auditd.cron" and "rpm -qa --scripts" we are unable to determine how it is created at RPM install-time, or by any RPM/YUM action.
Searching Bugzilla only results in bz#811588 ( https://bugzilla.redhat.com/show_bug.cgi?id=811588 ), which shows this file is copied from /usr/share/doc/audit-*/, but not when this step occurs. Please advise on how this file is created, and how we may handle whenever it could be updated.
Something always creates /etc/cron.daily/auditd.conf, but it is neither an RPM managed file nor created as part of an RPM script, from what we can tell.
UPDATE: After several Kickstart tests and an overnight burn-in, I cannot track down what is copying this file from /usr/share/doc/audit-*/. I believe it may not be a Red Hat installed process, facility or other solution, but a site-specific process.
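When the RPM database has no answer, the audit subsystem itself can attribute the write. The following is an added example, not part of the original post: it assumes a directory watch with the hypothetical key `crondaily` was loaded before the file appeared, and the function name `audit_writers` and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Assumed setup (not from the post): a watch loaded before the file appears, e.g.
#   auditctl -w /etc/cron.daily/ -p wa -k crondaily
# and raw records fed in with:  ausearch -k crondaily --raw | audit_writers <path>

# Print exe/comm/pid/ppid of every audit event whose PATH record names $1.
# Limitation: only absolute names are matched; relative names need the CWD record.
audit_writers() {
    awk -v target="$1" '
    # Return the value of key=... on this record, with quotes stripped.
    function field(line, key,    i, n, parts, v) {
        n = split(line, parts, " ")
        for (i = 1; i <= n; i++)
            if (index(parts[i], key "=") == 1) {
                v = substr(parts[i], length(key) + 2)
                gsub(/"/, "", v)
                return v
            }
        return ""
    }
    # msg=audit(time:serial) is shared by all records of one event.
    match($0, /msg=audit\([^)]*\)/) {
        id = substr($0, RSTART, RLENGTH)
        if ($1 == "type=SYSCALL") {
            who[id] = "exe=" field($0, "exe") " comm=" field($0, "comm")
            who[id] = who[id] " pid=" field($0, "pid") " ppid=" field($0, "ppid")
        } else if ($1 == "type=PATH" && field($0, "name") == target)
            hit[id] = 1
    }
    END { for (id in hit) if (id in who) print who[id] }
    ' | sort -u
}

# Constructed sample records (not real log data): two events, one per file.
SAMPLE='type=SYSCALL msg=audit(1400000000.123:4242): arch=c000003e syscall=2 success=yes exit=4 items=2 ppid=2101 pid=2110 uid=0 comm="cp" exe="/bin/cp" key="crondaily"
type=CWD msg=audit(1400000000.123:4242):  cwd="/"
type=PATH msg=audit(1400000000.123:4242): item=1 name="/etc/cron.daily/auditd.cron" inode=131 mode=0100755 ouid=0
type=SYSCALL msg=audit(1400000050.456:4250): arch=c000003e syscall=82 success=yes exit=0 items=4 ppid=1 pid=2300 uid=0 comm="rpm" exe="/bin/rpm" key="crondaily"
type=PATH msg=audit(1400000050.456:4250): item=3 name="/etc/cron.daily/logrotate" inode=140 mode=0100755 ouid=0'

printf '%s\n' "$SAMPLE" | audit_writers /etc/cron.daily/auditd.cron
```

The `ppid` value is the lead to follow next: looking up the parent process shows whether the copy came from an installer, a configuration-management agent or a site-specific script.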
Responses