On AIX 6100-05-02-1034, something is frequently changing the permissions of the /etc/passwd file to 640. That's bad...

How could I trace that what is chmoding the file? There is no history 1000 | fgrep -i chown, I think a process is chmoding the file, but which one? dtrace can do this? it's not on AIX

On AIX 6100-05-02-1034, something is frequently changing the permissions of the /etc/passwd file to 640. That's bad...

How could I trace that what is chmoding the file? There is no history 1000 | fgrep -i chmod, I think a process is chmoding the file, but which one? dtrace can do this? it's not on AIX

On AIX 6100-05-02-1034, something is frequently changing the permissions of the /etc/passwd file to 640. That's bad... :\

How could I trace that what is chmoding the file? There is no "history 1000 | fgrep -i chown", I think a process is chmoding the file, but which one?? dtrace can do this? it's not on AIX :\

On AIX 6100-05-02-1034, something is frequently changing the permissions of the /etc/passwd file to 640. That's bad...

How could I trace that what is chmoding the file? There is no history 1000 | fgrep -i chown, I think a process is chmoding the file, but which one? dtrace can do this? it's not on AIX