Similar idea to the prior email:

I need to monitor local user account creation, modification, deletion, suspension and locking.

I know that I can monitor: /etc/passwd, /etc/group, /etc/shadow and /etc/gshadow, but how do I monitor who modified wfrench inside /etc/passwd?

Is: -w /etc/passwd -k monitor_account_manipulations

Good enough?

--------------------------
Warron French