Sorry for dropping out for a while.
"The drawback to this method is that you have 4 rules that get evaluated for each and every syscall made to the kernel."
I absolutely agree. But it seems to be a case of consistent minor slowdown where I have tons of cores (usually) vs 'find /....' which KILLS my systems with slow disk I/O and misses things on NFS shares, etc...
"I would also switch out uid!=0 to auid>=500 auid!=4294967295"
I usually have my first rule be one that drops anything below 500 or equal to 4294967295 (or the 32-bit equivalent on 32-bit systems), since pretty much everything from that range is useless; but, barring that, you should definitely do this.
"Does that actually happen? World writable dirs should have -noexec"
Of course it does. They *should* have -noexec indeed but many/most lovely commercial vendors out there tend to not like that setting very much on /tmp or /var/tmp since they expect to install things from there (or /home or something equally horrible). Or, someone drops something into NFS/AFS or...pick your annoying misconfiguration of the day. (http://www.moreajays.com/2013/03/createouiprocess-13-permission-denied.html)
Interestingly, looking through the latest STIG at stigviewer.com, I don't see the requirement for setting /tmp and /var to noexec or nosuid.
Honestly, I haven't really noticed that much in the way of system impact with the full CAPP profile enabled on systems. A lot of it comes down to tailoring your rules so that most of the chaff gets killed by the first few rules, just like iptables.
Thanks,
Trevor
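For reference, the rule ordering Trevor describes (an early "never" rule that discards events from system accounts and from processes with no login uid set, followed by the auid-filtered execve rules) looks like this as an audit.rules fragment. This is an added, constructed example, not the rule set from the thread; the 500 threshold, the key name user_exec, and the choice of execve as the audited syscall are assumptions.

```conf
## Constructed example of audit rule ordering; not the rules from this thread.
## Load with: auditctl -R <this file>, or drop it in /etc/audit/rules.d/ and
## run augenrules --load. Rules are matched top to bottom, so the cheap
## "never" rules go first.

## 1. Early drop: discard everything from system accounts (auid below 500,
##    the first regular-user uid on older distributions; assumed threshold)
##    and from processes whose login uid was never set (4294967295, i.e.
##    unsigned -1). Daemons, cron and the like never reach the rules below.
-a exit,never -F auid<500
-a exit,never -F auid=4294967295

## 2. Record every program execution by a real, logged-in user, for both
##    syscall ABIs (the b32 list is what 32-bit binaries on a 64-bit box hit).
##    The auid filters repeat rule 1 on purpose: each rule stays correct on
##    its own if the drop rules are ever removed. Key name is assumed.
-a always,exit -F arch=b64 -S execve -F auid>=500 -F auid!=4294967295 -k user_exec
-a always,exit -F arch=b32 -S execve -F auid>=500 -F auid!=4294967295 -k user_exec
```

After loading, `auditctl -l` shows the rules in the order the kernel will evaluate them, and `ausearch -k user_exec` pulls back the resulting records; if the drop rules are working, a quick look at the output should show no auid values below 500 or equal to 4294967295.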