Audit-2-8-4, augenrules and STIGs in OSCAP
The example stig.rules and privileged.rules in /usr/share/doc/audit-2.8.4/rules don't match the separated rules checked by the oscap DISA STIG tests. They generate incorrectly failing matches. Either the rules should match when augenrules is run, or the STIG should be updated in the RHEL documents to pattern match the /usr/share/doc/audit-2-8-4 .
Example of chown.
This won't pass, from 30-stig.rules:
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
This does work, since "At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:"
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
Either augenrules should generate passing patterns, or the advisory STIG guidance should match audit.
Thanks
Joe
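An added example, not part of the bug report above or of the audit or SCAP projects: the report's complaint is that the combined form (one -S list of chown,fchown,lchown,fchownat) and the per-syscall form the STIG text shows are semantically the same yet are matched differently. The script below normalizes auditd syscall rules into (arch, syscall, filters, key) tuples so the two forms can be compared on what they audit rather than on their literal text. The rule strings are constructed for the example (copied from the forms quoted in the report), the parser is a simplification of auditctl syntax, and the helper names (parse_rule, expand, covers, missing) are this example's own.

```python
import shlex

# Constructed sample: the combined form the report says fails the check.
COMBINED_RULES = """
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
"""

# Constructed sample: the per-syscall form the STIG text shows, chown only.
SPLIT_RULES = """
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
"""

STIG_FILTERS = ("auid>=1000", "auid!=4294967295")


def _norm_filter(f):
    """auditctl accepts -1 and unset as spellings of the unset auid."""
    if f in ("auid!=-1", "auid!=unset"):
        return "auid!=4294967295"
    return f


def parse_rule(line):
    """Parse one '-a' syscall rule; return None for comments, blanks,
    -w watches and control lines (-D, -b, -e), which carry no syscalls."""
    toks = shlex.split(line.split("#", 1)[0])
    if len(toks) < 2 or toks[0] != "-a":
        return None
    action, arch, key = toks[1], None, None
    syscalls, filters = set(), set()
    i = 2
    while i < len(toks):
        flag = toks[i]
        val = toks[i + 1] if i + 1 < len(toks) else ""
        if flag == "-S":                      # may repeat; may be a list
            syscalls.update(val.split(","))
        elif flag == "-F":
            if val.startswith("arch="):
                arch = val[len("arch="):]
            elif val.startswith("key="):      # -F key=X is the same as -k X
                key = val[len("key="):]
            else:
                filters.add(_norm_filter(val))
        elif flag == "-k":
            key = val
        else:
            raise ValueError(f"unsupported option {flag!r} in rule: {line}")
        i += 2
    return {"action": action, "arch": arch, "syscalls": frozenset(syscalls),
            "filters": frozenset(filters), "key": key}


def expand(text):
    """Map every (arch, syscall) the rule set audits to the
    (action, filters, key) triples attached to it."""
    cov = {}
    for line in text.splitlines():
        r = parse_rule(line)
        if r is None:
            continue
        for sc in r["syscalls"]:
            cov.setdefault((r["arch"], sc), set()).add(
                (r["action"], r["filters"], r["key"]))
    return cov


def covers(text, arch, syscall, required_filters, key, action="always,exit"):
    """True if some rule audits `syscall` on `arch` with at least the
    required -F filters and this key, whether it was written as one
    -S list or as a separate rule per syscall."""
    req = frozenset(_norm_filter(f) for f in required_filters)
    for act, filters, k in expand(text).get((arch, syscall), ()):
        if act == action and k == key and req <= filters:
            return True
    return False


def missing(text, archs=("b32", "b64"),
            syscalls=("chown", "fchown", "lchown", "fchownat"), key="perm_mod"):
    """(arch, syscall) pairs not audited with the STIG filters and key."""
    return [(a, s) for a in archs for s in syscalls
            if not covers(text, a, s, STIG_FILTERS, key)]


if __name__ == "__main__":
    print("combined form, uncovered:", missing(COMBINED_RULES))
    print("split chown-only form, uncovered:", missing(SPLIT_RULES))
```

Run it against the contents of /etc/audit/rules.d/*.rules (or the output of augenrules --check) to see which of the STIG-required syscalls a rule set actually audits; the combined form covers all four chown-family syscalls on both arches, while the chown-only split form leaves fchown, lchown and fchownat uncovered, which is the semantic question a checker should be asking instead of comparing rule text.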