To satisfy a site security requirement to monitor and audit for changes to core Oracle Solaris system files, consider configuring security features in addition to the audit service. For example:
Use the immutable zones feature – Enables you to configure system files to be read-only. You can set the immutable zones feature in the global zone.
See Chapter 11, Configuring and Administering Immutable Zones in Creating and Using Oracle Solaris Zones.
Create and use rights profiles – Enables you to limit who can make configuration changes, and puts those changes in the audit record.
See Creating Rights Profiles and Authorizations in Securing Users and Processes in Oracle Solaris 11.3.
Use the pfedit command – Enables you to put the differences between an original system file and its edited version in the audit record.
Use the Stop rights profile – Enables you to limit the commands a user or role can use to just those commands in the assigned rights profiles.
See Order of Search for Assigned Rights in Securing Users and Processes in Oracle Solaris 11.3.
Use the zfs diff command – Enables you to view the differences between one snapshot of a ZFS dataset and the next snapshot.
See Identifying ZFS Snapshot Differences (zfs diff) in Managing ZFS File Systems in Oracle Solaris 11.3.
Use the bart command – Enables you to track differences in files between an initial bart report and subsequent bart reports.
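
The zfs diff item above can feed a file-change review. The following Python script is an added example, not part of the Oracle documentation: it parses the default output of zfs diff and keeps only the changes under watched system directories. The watched prefixes, the sample output, and the function names are assumptions constructed for illustration.

```python
"""Flag `zfs diff` changes that touch watched system paths (added example)."""

# Change markers printed by `zfs diff` in its default output format.
CHANGE_TYPES = {"M": "modified", "+": "added", "-": "removed", "R": "renamed"}

# Assumption: the directories a site treats as core system files.
WATCHED_PREFIXES = ("/etc/", "/usr/lib/security/")

# Constructed sample of `zfs diff <snapshot1> <snapshot2>` output for a
# dataset mounted at / (marker, whitespace, path; renames use " -> ").
SAMPLE_DIFF = (
    "M\t/etc/\n"
    "M\t/etc/passwd\n"
    "+\t/etc/cron.d/job.new\n"
    "-\t/var/tmp/scratch\n"
    "R\t/etc/pam.conf -> /etc/pam.conf.bak\n"
    "M\t/export/home/alice/notes.txt\n"
)


def parse_zfs_diff(text):
    """Return (change, path, new_path) tuples; new_path is None unless renamed."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(None, 1)
        if len(fields) != 2 or fields[0] not in CHANGE_TYPES:
            raise ValueError(f"unrecognized zfs diff line: {line!r}")
        marker, path = fields
        new_path = None
        if marker == "R":
            # A file name that itself contains " -> " is ambiguous here.
            path, sep, new_path = path.partition(" -> ")
            if not sep:
                raise ValueError(f"rename without target: {line!r}")
        records.append((CHANGE_TYPES[marker], path, new_path))
    return records


def watched_changes(records, prefixes=WATCHED_PREFIXES):
    """Keep records whose old or new path falls under a watched prefix."""
    def watched(path):
        return path is not None and path.startswith(prefixes)
    return [r for r in records if watched(r[1]) or watched(r[2])]


if __name__ == "__main__":
    for change, path, new_path in watched_changes(parse_zfs_diff(SAMPLE_DIFF)):
        print(change, path, f"-> {new_path}" if new_path else "")
```
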