How do I monitor which files have been changed after, say, I run the passwd command? (I know, depending on the options used, it changes /etc/shadow and/or /etc/passwd). But I would like to if there is any clever ways of monitoring this.
This is how I do it which is a bit crude, and I have to know which directory to monitor.
Before running the command, I run
Code:
for i in $(ls -A) do; md5sum $i >> /tmp/before; done
And after running the command, I run
Code:
for i in $(ls -A) do; md5sum $i >> /tmp/after; done
Then I do a diff to see if any file has been changed
Code:
diff /tmp/{before,after}
But I believe there is a better way than this.