System Administration Guide: Security Services

ProcedureHow to Find Audit Records of Changes to Specific Files

If your goal is to log file writes against a limited number of files, such as /etc/passwd and the files in the /etc/default directory, you use the auditreduce command to locate the files.

  1. Audit the fw class.

    Adding the class to the audit_user file generates fewer records than adding the class to the audit_control file.

    • Add the fw class to the audit_user file.

      ## audit_user file
    • Add the fw class to the audit_control file.

      ## audit_control file
  2. To find the audit records for specific files, use the auditreduce command.

    # /usr/sbin/auditreduce -o file=/etc/passwd,/etc/default -O filechg

    The auditreduce command searches the audit trail for all instances of the file argument. The command creates a binary file with the suffix filechg which contains all records that include the pathnames of the files of interest. See the auditreduce(1M) man page for the syntax of the -o file=pathname option.

  3. To read the filechg file, use the praudit command.

    # /usr/sbin/praudit *filechg