Checksum Key Files

I am an auditor and we are currently trying to identify the "Key" files in the AIX OS that we would want to be notified about if changed. I'm looking for some advice on critical files that should not change unless specifically requested by the admin. Then checksum those files and review them as part of a vulnerability/server hardening review.

If I were you, I would check the whole partition (e.g. /etc, /sbin, /usr/sbin...) and then exclude some files and/or directories based on specific patterns. Of course, using an appropriate tool to avoid checksumming them manually...
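As an added example (not part of either post above), here is a small POSIX sh baseline-and-compare script that does what the reply suggests: walk whole directories such as /etc and /usr/sbin, drop paths matching an exclusion pattern, record one checksum line per file, and later report files that were added, changed or removed. The directory list, the exclusion pattern and the baseline location are illustrative assumptions; it uses `cksum` because that is on every AIX box, but note the caveat in the comments about CRC-32 versus a cryptographic hash.

```sh
#!/bin/sh
# Added example, not from the original thread: checksum baseline for "key"
# system files with pattern-based exclusions, plus a drift report.
# Tested with POSIX sh; cksum, find, sort, grep and awk are all POSIX.

# Paths that legitimately churn and would only produce noise (assumed
# illustrative list; tune it per host). One grep -E alternation, anchored
# at end of path so it does not accidentally match directories.
EXCLUDES='(/etc/ntp\.drift|/etc/security/lastlog|\.bak)$'

# digest FILE : print "<checksum> <path>" on one line.
# cksum gives CRC-32 plus byte length. That catches accidental edits and
# package upgrades, but CRC-32 is not collision resistant, so if the
# baseline must stand up to a deliberate tamper, swap in a cryptographic
# hash here (on AIX 6.1+: csum -h SHA256 "$1" | awk '{print $1}') and
# keep the baseline on read-only or offline media.
digest() {
    cksum "$1" | awk -v p="$1" '{ print $1 ":" $2, p }'
}

# scan DIR... : one digest line per regular file, excluded paths removed,
# sorted in a locale-independent order so baselines are diffable.
scan() {
    find "$@" -type f 2>/dev/null \
      | grep -Ev "$EXCLUDES" \
      | LC_ALL=C sort \
      | while IFS= read -r f; do
            digest "$f"
        done
}

# baseline BASELINE_FILE DIR... : record the current state of DIRs.
baseline() {
    out=$1; shift
    scan "$@" > "$out"
}

# compare BASELINE_FILE DIR... : print ADDED / CHANGED / REMOVED lines for
# every difference against the baseline. Exit status 1 if any drift was
# found, 0 if the tree still matches, so it can drive an alert or cron job.
compare() {
    base=$1; shift
    scan "$@" | awk -v basefile="$base" '
        BEGIN {
            # Load the baseline: path -> checksum. The path is everything
            # after the first space, so file names with spaces survive.
            while ((getline line < basefile) > 0) {
                k = line; sub(/ .*/, "", k)
                p = line; sub(/^[^ ]+ /, "", p)
                old[p] = k
            }
            close(basefile)
        }
        {
            k = $1; p = $0; sub(/^[^ ]+ /, "", p)
            if (!(p in old))      { print "ADDED   " p; drift++ }
            else if (old[p] != k) { print "CHANGED " p; drift++ }
            delete old[p]
        }
        END {
            # Anything left in the baseline map no longer exists on disk.
            for (p in old) { print "REMOVED " p; drift++ }
            exit drift ? 1 : 0
        }'
}

# Typical use (assumed paths):
#   baseline /var/audit/keyfiles.base /etc /sbin /usr/sbin
#   ...later...
#   compare  /var/audit/keyfiles.base /etc /sbin /usr/sbin
```

The baseline file should live outside the scanned directories (and ideally be copied off the host), otherwise a change to the baseline itself is silently accepted. Run `compare` from cron and alert on a non-zero exit; the printed lines tell the admin exactly which file to reconcile against the change record.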