You're best off using auditd for the actual auditing of permission changes, see http://serverfault.com/questions/434483/monitor-or-log-directory-permission-changes for an example. This writes a log file, which - you guessed it - can easily be collected and reported/alerted upon by Splunk.
Building your own auditing is pointless - you'll never be as accurate as a kernel-level well-matured Linux tool built for exactly this purpose. Why re-invent the wheel? Connect Splunk to the wheel for added horsepower 😄
... View more