How do I monitor which files have been changed after, say, I run the passwd command? (I know, depending on the options used, it changes /etc/shadow and/or /etc/passwd). But I would like to if there is any clever ways of monitoring this.
This is how I do it which is a bit crude, and I have to know which directory to monitor.
Before running the command, I run
for i in $(ls -A) do; md5sum $i >> /tmp/before; done
And after running the command, I run
for i in $(ls -A) do; md5sum $i >> /tmp/after; done
Then I do a diff to see if any file has been changed
But I believe there is a better way than this.