Hello everybody:
I have a critical file on my Tru64 system, I want to monitor which users are accessing this file, can I do it with some option for "audit", or I have to use some tool??

Thanks a lot.

ooops, this will sound so dummy.
It seems I overwrote some existing audit policy my system already has.
I issued the following command:

#auditmask -x /tmp/alaa

thought that will audit the file /tmp/alaa.

however I ended up finding such process running:

root 1291907 1048577 0.0 07:37:22 ?? 0:00.02 /usr/sbin/auditd -l /var/audit/auditlog -c syslog -o overwrite

so I killed this process, but when I checked the file /tmp/alaa
I fouond it full of auditing records, so now it is contains the auditing recoreds instead of being audited.

any advise??

Thanks

Do you have a backup?

Yes, I have full system Backup. what files you think I should restore??

Thanks

Generally the man page will show the files that are used by the command.
Check to see which of these files has been modified recently.

I checked the man pages, seems all files i need to restore.
but I have the following log message:

what do you think??

THX