# kolide
f
@pvirani if I understand correctly, you only want to monitor changes to sudoers and passwd, but your query is looking at the recursive contents of your `etc` folder or your `root` folder and all contents of your `~/.ssh` folder.
p
Yes, this is the intent @fritz, because we want to collect all the info from our potentially sensitive directories, but only want to alert on selected things.
f
Cool, sounds good. I take it you got your answer regarding the churn from @8p8c in terms of `atime` and other values that are subject to frequent change.
p
yes