What the low-level access audit does get you is that it shows when someone bypasses the official interface. If you see an audit message saying that admin X updated the /etc/shadow file but there was no corresponding high-level message about the change, you know that this admin wasn't following the rules, and that the system may be in an unknown state after this point.
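The correlation described in this comment, as an added example that is not part of the original comment: each low-level write to /etc/shadow is flagged unless a high-level password-change record from the same process and login uid sits close to it in time. The log lines are constructed and simplified, and the watch key `shadow-write`, the pid/auid matching rule and the 5-second window are assumptions.

```python
import re
from collections import defaultdict

# Constructed, simplified lines modelled on Linux audit records (not real logs).
# Assumption: a file watch on /etc/shadow tags low-level writes with key="shadow-write".
SAMPLE = """\
type=USER_CHAUTHTOK msg=audit(1500000100.120:801): pid=4120 auid=1000 msg='op=change-password id=1003 res=success'
type=SYSCALL msg=audit(1500000100.250:802): pid=4120 auid=1000 comm="passwd" key="shadow-write"
type=SYSCALL msg=audit(1500000900.010:950): pid=5300 auid=1001 comm="vi" key="shadow-write"
type=USER_CHAUTHTOK msg=audit(1500002000.500:990): pid=6001 auid=1001 msg='op=change-password id=1004 res=success'
type=SYSCALL msg=audit(1500003000.000:1100): pid=6001 auid=1001 comm="passwd" key="shadow-write"
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")

def parse(line):
    """Split one record into a dict; returns None for lines that do not match."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip("\"'") for k, v in FIELD.findall(m.group(4))}
    rec.update(type=m.group(1), ts=float(m.group(2)), serial=int(m.group(3)))
    return rec

def unexplained_writes(lines, window=5.0):
    """Return low-level shadow writes with no high-level record from the
    same pid and auid within `window` seconds."""
    high = defaultdict(list)  # (pid, auid) -> timestamps of high-level records
    low = []
    for rec in filter(None, map(parse, lines)):
        who = (rec.get("pid"), rec.get("auid"))
        if rec["type"] == "USER_CHAUTHTOK":
            high[who].append(rec["ts"])
        elif rec["type"] == "SYSCALL" and rec.get("key") == "shadow-write":
            low.append((who, rec))
    # A stale high-level record outside the window does not explain a write.
    return [rec for who, rec in low
            if not any(abs(rec["ts"] - t) <= window for t in high[who])]

if __name__ == "__main__":
    for rec in unexplained_writes(SAMPLE.splitlines()):
        print(f'ALERT serial={rec["serial"]} auid={rec["auid"]} comm={rec["comm"]}: '
              "write to /etc/shadow with no matching high-level record")
```

Every record after the first flagged serial belongs to the period in which the file's contents can no longer be vouched for by the high-level trail alone.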
Copyright © 2017, Eklektix, Inc.