Solaris 9 system:
I'm trying to get BSM to record to the point where additional files being put into /etc/opt/csw/sudoers.d will be recorded, but thus far all I'm able to get are when files are deleted (via unlink). I've even tried auditing based on the "all" audit flag temporarily (thinking I just was filtering it out unintentionally), but nowhere in the audit file did I find a record of a test touch command I executed.
I noticed that there is an AUE_CREAT audit event listed in /etc/security/audit_event (which is part of the fc class that I'm bringing in), but it looks like touch uses creat64, so I'm unsure if there's a 64-bit version of the audit event that should be in there but isn't. It looks like the same is true for the Solaris 10 boxes.
Is this by design or should I be doing something different in order to catch additional files being created?
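One way to check which syscalls your audit class actually covers is to parse the audit_event(4) file itself. The script below is an added example, not from the original post or from Solaris; it builds a small constructed sample in the file's number:name:description:classes format (the entries are illustrative, not a copy of the real file) and reports the events mapped to a class and whether a named syscall has any event at all.

```shell
#!/bin/sh
# Added example (not part of the original post): inspect an
# audit_event(4)-style file. Each non-comment line has the form
#   number:name:description:classes      (classes comma-separated)

# Constructed sample modelled on /etc/security/audit_event; entries are
# illustrative only. Point SAMPLE_EVENTS at the real file to run for real.
SAMPLE_EVENTS=${TMPDIR:-/tmp}/audit_event.sample.$$
trap 'rm -f "$SAMPLE_EVENTS"' EXIT
cat > "$SAMPLE_EVENTS" <<'EOF'
# number:name:description:classes
4:AUE_CREAT:creat(2):fc
6:AUE_UNLINK:unlink(2):fd
72:AUE_OPEN_RC:open(2) - read,creat:fc,fr
EOF

# Print the names of all events mapped to audit class $2 in file $1.
events_in_class() {
    awk -F: -v cls="$2" '
        /^[ \t]*#/ || NF < 4 { next }
        {
            n = split($4, c, ",")
            for (i = 1; i <= n; i++) if (c[i] == cls) { print $2; break }
        }
    ' "$1"
}

# Print the class list of the first event whose description names the
# syscall $2 (e.g. "creat"); print "none" when no event mentions it,
# which is the gap the question suspects for creat64.
classes_for_syscall() {
    awk -F: -v sc="$2" '
        /^[ \t]*#/ || NF < 4 { next }
        index($3, sc "(") { print $4; found = 1; exit }
        END { if (!found) print "none" }
    ' "$1"
}

echo "events in class fc:"
events_in_class "$SAMPLE_EVENTS" fc
echo "classes for creat:   $(classes_for_syscall "$SAMPLE_EVENTS" creat)"
echo "classes for creat64: $(classes_for_syscall "$SAMPLE_EVENTS" creat64)"
```

A syscall that reports "none" here has no event to land in any class, so no audit flag (not even "all") will produce a record for it.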