Same as AUDIT(B) only for roles and groups?

Simply put a watch rule on /etc/group and /etc/gshadow?

Is that really enough? Do I also monitor the executables for /bin/passwd, /sbin/{groupadd, groupdel, groupmod, usermod}?

Usermod, because technically, you can affect memberships of a user with this command and also useradd?


Is that suitable?

Is there an appropriate syscall for AUDIT(C)?



--------------------------
Warron French