AIX must produce audit records containing the full-text recording of privileged commands.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-215240 | AIX7-00-002006 | SV-215240r958422_rule | CCI-000135 | medium |

Description

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.

| STIG | Date |
|---|---|
| IBM AIX 7.x Security Technical Implementation Guide | 2024-08-16 |
Details
Check Text (C-215240r958422_chk)
Verify the audit daemon is configured for full-text recording of privileged commands:
The log file can be set by the "trail" variable in /etc/security/audit/config.
```
# grep trail /etc/security/audit/config
trail = /audit/trail
```
Note: The default log file is /audit/trail.
Use the following command to display the audit events:
```
# /usr/sbin/auditpr -i <audit log file> -v
event           login    status      time                     command            wpar name
--------------- -------- ----------- ------------------------ ------------------ ------------- -------------------------
S_PASSWD_READ   root     OK          Sat Aug 26 19:35:00 2017 cron
Global
audit object read event detected /etc/security/passwd
S_PASSWD_READ   root     OK          Sat Aug 26 19:35:00 2017 cron
Global
audit object read event detected /etc/security/passwd
CRON_Start      root     OK          Sat Aug 26 19:35:00 2017 cron
Global
event = start cron job cmd = /usr/sbin/dumpctrl -k >/dev/null 2>/dev/null time = Sat Aug 26 19:35:00 2017
FS_Chdir        root     OK          Sat Aug 26 19:35:00 2017 cron
Global
change current directory to: /
```
If the full-text recording of privileged commands (for example, the "cmd = ..." detail line following a CRON_Start event) is not displayed, this is a finding.
More information on the command options used above:
- -v: print detailed information for each event
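The check above is manual; as an added example (not part of the STIG), the following script automates both halves of it against a copy of /etc/security/audit/config and a saved "auditpr -v" listing. It assumes the listing was captured with `/usr/sbin/auditpr -i /audit/trail -v > listing.txt`, and the sample files it writes are constructed to mirror the STIG's sample output.

```shell
#!/bin/sh
# Added example, not from the STIG: verify the "trail" setting and confirm
# that CRON_Start records in an auditpr -v listing carry the full command text.

# Print the value of "trail" from an audit config file; exit 1 if absent.
audit_trail_path() {
    awk -F= '/^[[:space:]]*trail[[:space:]]*=/ {
                 gsub(/[[:space:]]/, "", $2); print $2; found = 1 }
             END { exit !found }' "$1"
}

# Print "<CRON_Start records> <records followed by a 'cmd =' detail line>".
# An event record is any line whose third field is the status column (OK/FAIL);
# the detail lines printed by -v follow it until the next record.
count_cron_fulltext() {
    awk '$3 == "OK" || $3 == "FAIL" { incron = ($1 == "CRON_Start"); if (incron) ev++; next }
         incron && /cmd = / { withcmd++; incron = 0 }
         END { printf "%d %d\n", ev + 0, withcmd + 0 }' "$1"
}

# Return 0 when every CRON_Start record carries its full command text.
fulltext_recorded() {
    set -- $(count_cron_fulltext "$1")
    [ "$1" -gt 0 ] && [ "$1" -eq "$2" ]
}

# Constructed sample input (temporary files, not the AIX defaults).
tmp=${TMPDIR:-/tmp}/aixaudit.$$
mkdir -p "$tmp"
cat > "$tmp/config" <<'EOF'
bin:
        trail = /audit/trail
EOF
cat > "$tmp/listing.txt" <<'EOF'
CRON_Start      root     OK          Sat Aug 26 19:35:00 2017 cron
Global
event = start cron job cmd = /usr/sbin/dumpctrl -k >/dev/null 2>/dev/null time = Sat Aug 26 19:35:00 2017
FS_Chdir        root     OK          Sat Aug 26 19:35:00 2017 cron
Global
change current directory to: /
EOF
cat > "$tmp/bare.txt" <<'EOF'
CRON_Start      root     OK          Sat Aug 26 19:35:00 2017 cron
Global
EOF

echo "trail: $(audit_trail_path "$tmp/config")"
fulltext_recorded "$tmp/listing.txt" && echo "full-text recording present" || echo "FINDING: no full-text command detail"
```

On a real system, replace the constructed files with the live config and a listing produced from the trail path the first function reports.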
Fix Text (F-16436r294172_fix)
Reset the audit system with the following command:
```
# /usr/sbin/audit shutdown
```
Start the audit system with the following command:
```
# /usr/sbin/audit start
```