To satisfy a site security requirement to monitor and audit for changes to core Oracle Solaris system files, consider configuring security features in addition to the audit service. For example:
Use the immutable zones feature – Enables you to configure system files to be read-only. You can set the immutable zones feature in the global zone.
Create and use rights profiles – Enables you to limit who can make configuration changes, and puts those changes in the audit record.
Use the pfedit command – Enables you to put the differences from an original system file and its edited version in the audit record.
Use the Stop rights profile – Enables you to limit the commands a user or role can use to just those commands in the assigned rights profiles.
Use the zfs diff command – Enables you to view the differences between a ZFS dataset from one snapshot to the next snapshot.
Use the bart command – Enables you to track differences in files between an initial bart report and subsequent bart reports.