On Friday, July 14, 2017 4:52:36 PM EDT warron.french wrote: > Same as AUDIT(B) only for roles and groups? Also hardwired. See the user account specification. -Steve > Simply put a watch rule on /etc/group and /etc/gshadow? > > Is that really enough? Do I also monitor the executables for /bin/passwd, > /sbin/{groupadd, groupdel, groupmod, usermod}? > > Usermod, because technically, you can affect memberships of a user with > this command and also useradd? > > > Is *that *suitable? > > Is there an appropriate syscall for AUDIT(C)? > > > > -------------------------- > Warron French