System Administration Guide: Security Services

Procedure: How to Find Audit Records of Changes to Specific Files

If your goal is to log writes to a limited number of files, such as /etc/passwd and the files in the /etc/default directory, audit the fw (file write) class and then use the auditreduce command to extract the records that name those files.

  1. Audit the fw class.

    Do one of the following. Adding the class to the audit_user file preselects it only for the users listed there and therefore generates fewer records than adding it to the audit_control file, whose flags line applies to every user on the system. Either change takes effect at the next login of the affected users. Note that the fw class records files being opened for writing or truncated; if you also need to see files being deleted (fd class), created (fc class), or having their permissions or ownership changed (fm class), audit those classes as well.

    • Add the fw class to the audit_user file. Each line has the form username:always-audit-classes:never-audit-classes; the no class in the last field means that no class is excluded for that user.


      ## audit_user file
      root:fw:no
      sysadm:fw:no
      auditadm:fw:no
      netadm:fw:no
    • Add the fw class to the flags line of the audit_control file.


      ## audit_control file
      flags:lo,fw
      ...
  2. To find the audit records for specific files, use the auditreduce command.


    # /usr/sbin/auditreduce -o file=/etc/passwd,/etc/default -O filechg
    

    The auditreduce command searches the audit trail for records whose path token matches one of the file arguments; a directory argument such as /etc/default matches the files under that directory. The -O option writes the matching records, still in binary audit format, to a file in the current directory whose name consists of the start and end timestamps of the records followed by the suffix filechg. The records show that a file was opened for writing, by whom and with what result; they do not contain the data that was written. See the auditreduce(1M) man page for the syntax of the -o file=pathname option.

  3. To read the filechg file, use the praudit command, which converts the binary records to text. Add the -l option to print one record per line so that the output can be filtered with grep, or -x to produce XML.


    # /usr/sbin/praudit *filechg
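A check that belongs before step 2: if the fw class is not actually preselected for the user who modified the file, auditreduce finds nothing, however correct the command line. The following shell script is an added example written for this page, not code from the Solaris guide. It applies the rule Solaris uses to build a user's preselection mask, namely the audit_control flags united with the user's always-audit classes, minus the user's never-audit classes, to constructed copies of audit_user and audit_control. The users jdoe, ops and guest, the file contents and the temporary file locations are sample data chosen for the example, not a real system's configuration.

```shell
#!/bin/sh
# Added example (not from the Solaris guide): decide from audit_user and
# audit_control whether the fw class is preselected for a user, so that the
# absence of fw records can be told apart from a bad auditreduce query.
# Rule applied: (audit_control flags UNION audit_user always-classes)
#               MINUS audit_user never-classes.
# Users, file contents and paths below are constructed sample data.

# Report how CLASS appears in a comma-separated class list:
#   both     plain "fw": successful and failed events
#   success  "+fw": successful events only
#   failure  "-fw": failed events only
#   none     absent, or removed again with a leading "^"
# "all" stands for every class, so it counts as CLASS too. The list is read
# left to right, so a later "^fw" cancels an earlier "fw".
class_state() {
    list=$1 class=$2 state=none
    old_ifs=$IFS; IFS=,
    for item in $list; do
        case $item in
            "$class"|"all")     state=both ;;
            "+$class"|"+all")   state=success ;;
            "-$class"|"-all")   state=failure ;;
            "^$class"|"^+$class"|"^-$class"|"^all"|"^+all"|"^-all") state=none ;;
        esac
    done
    IFS=$old_ifs
    echo "$state"
}

# Union of the states granted by the audit_control flags and the always field.
union_state() {
    case "$1,$2" in
        both,*|*,both|success,failure|failure,success) echo both ;;
        none,*) echo "$2" ;;
        *)      echo "$1" ;;
    esac
}

# Remove the never-field state from the granted state.
minus_state() {
    case "$1,$2" in
        *,none)                          echo "$1" ;;
        *,both)                          echo none ;;
        both,success)                    echo failure ;;
        both,failure)                    echo success ;;
        success,success|failure,failure) echo none ;;
        *)                               echo "$1" ;;
    esac
}

# Print the effective state of CLASS for USER; exit 0 if records of that
# class will be generated for the user, 1 if none will.
class_preselected() {
    user=$1 class=$2 audit_user=$3 audit_control=$4
    line=$(grep -v '^#' "$audit_user" | grep "^$user:" | head -n 1)
    always=$(printf '%s\n' "$line" | cut -d: -f2)
    never=$(printf '%s\n' "$line" | cut -d: -f3)
    flags=$(grep -v '^#' "$audit_control" | sed -n 's/^flags://p' | head -n 1)
    granted=$(union_state "$(class_state "$flags" "$class")" \
                          "$(class_state "$always" "$class")")
    effective=$(minus_state "$granted" "$(class_state "$never" "$class")")
    echo "$effective"
    [ "$effective" != none ]
}

# Constructed sample files: the procedure's audit_user entries plus two users
# showing the edge cases (jdoe never audits fw; ops audits successful writes only).
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
AUDIT_USER_SAMPLE=$TMP/audit_user
AUDIT_CONTROL_LO=$TMP/audit_control.lo   # fw not in flags
AUDIT_CONTROL_FW=$TMP/audit_control.fw   # fw added to flags
cat > "$AUDIT_USER_SAMPLE" <<'EOF'
## audit_user file
root:fw:no
sysadm:fw:no
auditadm:fw:no
netadm:fw:no
jdoe:lo:fw
ops:+fw:no
EOF
printf 'dir:/var/audit\nflags:lo\nminfree:20\nnaflags:lo\n' > "$AUDIT_CONTROL_LO"
printf 'dir:/var/audit\nflags:lo,fw\nminfree:20\nnaflags:lo\n' > "$AUDIT_CONTROL_FW"

# Convenience wrapper: fw state of USER with the given audit_control file.
check_fw() { class_preselected "$1" fw "$AUDIT_USER_SAMPLE" "$2"; }

for u in root jdoe ops guest; do
    printf '%-6s flags:lo    -> %s\n' "$u" "$(check_fw "$u" "$AUDIT_CONTROL_LO")"
    printf '%-6s flags:lo,fw -> %s\n' "$u" "$(check_fw "$u" "$AUDIT_CONTROL_FW")"
done
```

The run shows the point of the audit_user versus audit_control choice in step 1: root gets fw records under either audit_control file because audit_user grants the class, guest gets them only once fw is in the flags line, ops produces records for successful writes only, and jdoe produces none even with fw in audit_control, because the never-audit field wins. Run the two helpers against copies of the real /etc/security/audit_user and /etc/security/audit_control to check a production host.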