Audit will tell you when a "write" change occurs. Auditd has a plugin framework to let you write custom code which consumes audit events.
You can use that to orchestrate a file copy to save the file. 

Something like:
https://github.com/karmab/audisp-simple

Farhan

On Wed, Mar 6, 2019 at 2:57 PM Wajih Ul Hassan <wajih.lums@gmail.com> wrote:
Hi All,
Can I use auditd to track content written to specific files? For example, in this case https://access.redhat.com/solutions/10107, how can I keep track of what string was written to the `/etc/hosts` file over time and extract this information later from logs?
The reason I asked this question is that I am trying to audit some simulated attack scenario and in this particular attack scenario I need to know what content was written/changed to a sensitive file over time to fully understand the attack. Even if the attack deletes the contents of the sensitive file at time t_2, I need to extract what was written to the file at time t_1.

Thanks,
Wajih
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
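
The approach suggested in the reply (a plugin that consumes audit events and copies the file), sketched as an added example; it is not code from the thread or from the linked project. The rule key `hosts-watch`, the snapshot directory, and the trimmed sample records are assumptions made for illustration.

```python
import os
import re
import shutil
import sys

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
KEY_RE = re.compile(r'\bkey="([^"]+)"')
NAME_RE = re.compile(r'\bname="([^"]+)"')  # hex-encoded names are not handled

# Constructed sample event, shaped like the records a rule such as
#   auditctl -w /etc/hosts -p wa -k hosts-watch
# produces (fields trimmed for brevity).
SAMPLE = [
    'type=SYSCALL msg=audit(1551900000.123:456): arch=c000003e syscall=257 '
    'success=yes comm="vi" exe="/usr/bin/vi" key="hosts-watch"',
    'type=PATH msg=audit(1551900000.123:456): item=0 name="/etc/hosts" nametype=NORMAL',
]


def snapshot_on_events(lines, watch_key, watched, dest_dir):
    """Copy a watched file whenever an event tagged watch_key names it."""
    # The copy runs after the write, so each snapshot holds the file as it
    # is when the event is processed. Returns the snapshot paths written.
    os.makedirs(dest_dir, exist_ok=True)
    keyed, saved = set(), []
    for line in lines:
        msg = MSG_RE.search(line)
        if not msg:
            continue
        event = msg.groups()  # (timestamp, serial) identifies one event
        key = KEY_RE.search(line)
        name = NAME_RE.search(line)
        if line.startswith("type=SYSCALL") and key and key.group(1) == watch_key:
            keyed.add(event)
        elif (line.startswith("type=PATH") and event in keyed
              and name and name.group(1) in watched):
            keyed.discard(event)  # one snapshot per event
            dest = os.path.join(dest_dir, "%s.%s.%s" % (
                os.path.basename(name.group(1)), event[0], event[1]))
            shutil.copy2(name.group(1), dest)
            saved.append(dest)
        elif line.startswith("type=EOE"):
            keyed.discard(event)
    return saved


if __name__ == "__main__":
    # Hypothetical key and snapshot directory; the plugin reads events on stdin.
    snapshot_on_events(sys.stdin, "hosts-watch", {"/etc/hosts"}, "/var/lib/audit-snapshots")
```

Each snapshot is named after the audit event timestamp and serial, so a copy can be matched back to the log record that triggered it.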