If your goal is to log file writes against a limited number of files, such as /etc/passwd and the files in the /etc/default directory, audit the fw class and then use the auditreduce command to locate the records for those files.
Audit the fw class.
Adding the class to the audit_user file generates fewer records than adding the class to the audit_control file.
To find the audit records for specific files, use the auditreduce command.
# /usr/sbin/auditreduce -o file=/etc/passwd,/etc/default -O filechg
The auditreduce command searches the audit trail for every record that references the pathnames given in the file argument. The command creates a binary file with the suffix filechg that contains all records that include the pathnames of the files of interest. See the auditreduce(1M) man page for the syntax of the -o file=pathname option.
To read the filechg file, use the praudit command.
# /usr/sbin/praudit *filechg
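Once praudit has printed the reduced trail, the records still have to be read. The following Python script is an added example, not part of the Solaris documentation: it groups praudit's default one-token-per-line text output (header, path, subject, return, trailer) into records, keeps the ones whose path lies at or under the files of interest, and tallies them by audit user and by outcome. The praudit sample embedded in it is constructed, not captured from a real system, and the token field positions it relies on are an assumption about the default praudit format.

```python
"""Summarize praudit(1M) text output for a set of watched files.

Added example, not part of the Oracle Solaris documentation. Assumes the
default praudit layout of one comma-separated token per line; the sample
trail below is constructed for illustration.
"""
from collections import Counter

# The same targets that auditreduce -o file= was given: one file, one directory.
FILES_OF_INTEREST = ["/etc/passwd", "/etc/default"]

# Constructed praudit output for three fw-class records (not a real trail).
SAMPLE_PRAUDIT = """\
header,131,2,open(2) - write,,localhost,2024-03-04 10:15:22.000 +00:00
path,/etc/passwd
attribute,100644,root,sys,8388608,42,0
subject,jdoe,root,root,root,root,1234,5678,0 0 localhost
return,success,3
trailer,131
header,129,2,open(2) - write,,localhost,2024-03-04 10:16:01.000 +00:00
path,/etc/default/login
subject,jdoe,root,root,root,root,1235,5678,0 0 localhost
return,success,4
trailer,129
header,127,2,open(2) - write,,localhost,2024-03-04 10:17:45.000 +00:00
path,/etc/default/passwd
subject,msmith,msmith,staff,msmith,staff,2001,9001,0 0 localhost
return,failure: Permission denied,-1
trailer,127
"""


def parse_records(text):
    """Group token lines into records, one dict per header..trailer pair."""
    records = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(",")
        token = fields[0]
        if token == "header":
            # header,<bytes>,<version>,<event>,<modifier>,<host>,<timestamp>
            current = {"event": fields[3], "time": fields[-1],
                       "paths": [], "subject": None, "status": None}
        elif current is None:
            continue  # token outside a record; skip it
        elif token == "path":
            current["paths"].append(fields[1])
        elif token == "subject":
            current["subject"] = fields[1]  # audit user ID, not effective UID
        elif token == "return":
            current["status"] = fields[1]
        elif token == "trailer":
            records.append(current)
            current = None
    return records


def matches_interest(path, targets=FILES_OF_INTEREST):
    """True if path equals a target or sits under a target directory."""
    for target in targets:
        if path == target or path.startswith(target.rstrip("/") + "/"):
            return True
    return False


def summarize(text, targets=FILES_OF_INTEREST):
    """Return the matching records, a per-user count and the failed attempts."""
    hits = [r for r in parse_records(text)
            if any(matches_interest(p, targets) for p in r["paths"])]
    by_user = Counter(r["subject"] for r in hits)
    failed = [r for r in hits if not (r["status"] or "").startswith("success")]
    return {"hits": hits, "by_user": by_user, "failed": failed}


if __name__ == "__main__":
    result = summarize(SAMPLE_PRAUDIT)
    for user, count in result["by_user"].most_common():
        print(f"{user}: {count} write record(s)")
    for rec in result["failed"]:
        print(f"FAILED {rec['time']} {rec['subject']} {rec['paths']} {rec['status']}")
```

To use it against a real trail, pipe praudit into the script (`praudit *filechg | python3 watch.py` after replacing `SAMPLE_PRAUDIT` with `sys.stdin.read()`); the prefix match on the directory target mirrors what auditreduce's file= option selects, and a path such as /etc/defaults or /etc/passwd.bak is deliberately not matched.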