# fim
r
One issue that I haven't seen a good answer for is how to track the actual user who is performing the action that causes the FIM event. In auditd terms, this is the auid. Does such a thing exist for inotify? What about the new eBPF support?
s
You probably want `process_file_events` instead of `file_events`, which has the uid/gid the process is running under.
It is a Linux-only table for now, however.
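As an added illustration of the answer above (not code from the thread or from the osquery project), the following osquery query pulls the `uid`/`gid` that `process_file_events` reports for each FIM event and resolves them to names through the `users` and `groups` tables. It assumes osquery was built with audit support and started with `--disable_audit=false --audit_allow_fim_events=true`, and that a `file_paths` entry in the config covers `/etc` (both assumptions; adjust the path filter to whatever your FIM policy watches).

```sql
-- Added example, not from the thread or from osquery itself.
-- Assumes: audit-based FIM enabled (--disable_audit=false
-- --audit_allow_fim_events=true) and a file_paths entry covering /etc.
-- process_file_events stores uid/gid as TEXT, so cast before joining.
SELECT
  pfe.time,
  pfe.operation,
  pfe.path,
  pfe.executable,
  pfe.pid,
  pfe.ppid,            -- parent pid, useful for walking back to the login shell
  pfe.uid,
  pfe.gid,
  u.username,          -- NULL if the uid has no passwd entry (e.g. a container user)
  g.groupname
FROM process_file_events AS pfe
LEFT JOIN users  AS u ON u.uid = CAST(pfe.uid AS INTEGER)
LEFT JOIN groups AS g ON g.gid = CAST(pfe.gid AS INTEGER)
WHERE pfe.path LIKE '/etc/%'
ORDER BY pfe.time DESC;
```

Because this is an evented table, rows only appear after the audit subscriber has been running; querying it from a fresh `osqueryi` session without those flags returns nothing. Before relying on any column, check what your build actually exposes with `.schema process_file_events` in `osqueryi`, since the column set differs between osquery versions.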
r
I need the auid, which didn't exist.