On Friday, July 14, 2017 4:48:11 PM EDT warron.french wrote:
> Similar idea to the prior email:
>
> I need to monitor local user account
>
>
> *creation, modification, deletion, suspension and locking.*
These events are all hardwired too. The events that you are looking for are
part of this specification:
https://github.com/linux-audit/audit-documentation/ wiki/SPEC-User-Account- Lifecycle-Events
As long as audit is enabled, you will get the events.
-Steve
> I know that I can monitor: */etc/passwd, /etc/group, /etc/shadow* and
> */etc/gshadow*, but how do I monitor who modified wfrench inside
> /etc/passwd?
>
> Is:
>
>
> *-w /etc/passwd -k monitor_account_manipulations*
> Good enough?
>
> --------------------------
> Warron French