On AIX 6100-05-02-1034, something is frequently changing the permissions of the `/etc/passwd` file to 640. That's bad...

How could I trace that what is chmoding the file? There is no `history 1000 | fgrep -i chown`, I think a process is chmoding the file, but which one? `dtrace` can do this? it's not on AIX