Sorry, I failed to Reply-All on the first email thread too.

But it looks I might be onto something, yes? (I will look for your reply in the other thread and make sure I Reply-All on it).

--------------------------
Warron French

On Fri, Jul 14, 2017 at 4:56 PM, Steve Grubb <sgrubb@redhat.com> wrote:

On Friday, July 14, 2017 4:48:11 PM EDT warron.french wrote:
> Similar idea to the prior email:
>
> I need to monitor local user account
>
>
> *creation, modification, deletion, suspension and locking.*

These events are all hardwired too. The events that you are looking for are
part of this specification:

https://github.com/linux-audit/audit-documentation/wiki/SPEC-User-Account-Lifecycle-Events

As long as audit is enabled, you will get the events.

-Steve

> I know that I can monitor: */etc/passwd, /etc/group, /etc/shadow* and
> */etc/gshadow*, but how do I monitor who modified wfrench inside
> /etc/passwd?
>
> Is:
>
>
> *-w /etc/passwd -k monitor_account_manipulations*

> Good enough?
>
> --------------------------
> Warron French