AUDIT(C) - Group/Role addition, deletion modification

Same as AUDIT(B) only for roles and groups? Simply put a watch rule on /etc/group and /etc/gshadow? Is that really enough? Do I also monitor the executables for /bin/passwd, /sbin/{groupadd, groupdel, groupmod, usermod}? Usermod, because technically, you can affect memberships of a user with this command and also useradd? Is *that *suitable? Is there an appropriate syscall for AUDIT(C)? -------------------------- Warron French