I have some Solaris 9 systems and I'm interested in using the "fm" audit class to track changes to sensitive files but it's too verbose for it to be auditing to that level for EVERY file, so I was wondering if there were a way of restricting the audit of those events to particular files.
I thought about using Host-based IDS but I think that would lose information we need about the who of the change.