CSP policy documentation is lacking, to say the least. You may already be aware of this, but if you open the Policy Rule set within the authoring environment, each rule has a comment field. Most Symantec rules have comments, although it's arguable how useful they are. The User_Configuration_Changed rule monitors the CSP text log: %agentinstallroot%/IDS/log/user_log/user_monitor.log. The rule description is:
This rule monitors changes recorded by user configuration monitoring script user_monitor.sh in user_monitor.log file. New changes are reported to the console.
But you have to ask, what would execute the script user_monitor.sh? There are 3 previous rules that execute the script based on certain criteria. The first is a status rule monitoring the CSP agent logs for *IA_0027:*;*IA_0023:*. These 2 codes are CSP management event codes that indicate the CSP agent configuration on the agent has changed or the IDS service started, respectively. Two other rules that may execute user_monitor.sh are Filewatch rules. These 2 rules watch the following files for any changes, with or without a checksum:
/etc/passwd
/etc/group
/etc/shadow
/etc/user_attr
/etc/security/passwd
/etc/security/user
/etc/security/group
These files are specified under the System User Configuration, User Configuration System Files option group. Note that the majority of this policy monitors the user_monitor.log file in some shape or form, looking for specific changes. So what does the user_monitor.sh script do? Well, that's beyond my scripting ninja skills to elaborate on. But it's a Bourne shell script residing on the agent that you can 'more' to view its contents. There are some comments, but essentially I think it diffs the file changes, parses out certain strings, and writes them to the log file for the other rules to monitor. Hope this helps.
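To make the mechanism the post describes concrete, here is an added Bourne shell illustration of the same pattern: a Filewatch-style checksum trigger, a diff of the monitored file against a saved snapshot, and one log line per added or removed entry that a later rule could match on. This is example code written for this page, not Symantec's user_monitor.sh; the function names, the snapshot/log paths and the sample passwd content are all constructed.

```shell
#!/bin/sh
# Added illustration of the pattern described in the post: a checksum-based
# file watch followed by a diff against a saved snapshot, with each change
# appended to a text log for a downstream rule to read.
# This is NOT Symantec's user_monitor.sh; all names and paths are hypothetical.

# Checksum of a file (POSIX cksum) - the "with checksum" variant of a watch.
file_cksum() {
  cksum "$1" | cut -d' ' -f1
}

# Exit status 0 when the file's current checksum differs from the recorded one.
# $1 = monitored file, $2 = file holding the previously recorded checksum
file_changed() {
  [ "$(file_cksum "$1")" != "$(cat "$2")" ]
}

# Save a snapshot copy plus its checksum so later runs have a baseline.
snapshot_file() {
  cp "$1" "$2"
  file_cksum "$1" > "$2.cksum"
}

# Diff the current file against the snapshot and log each changed line.
# diff marks snapshot-only lines with '< ' (REMOVED) and current-only lines
# with '> ' (ADDED); header lines such as "3c3,4" and "---" are skipped.
report_changes() {
  file="$1"; snap="$2"; log="$3"
  name=$(basename "$file")
  ts=$(date '+%Y-%m-%d %H:%M:%S')
  diff "$snap" "$file" | sed -n \
    -e "s|^< \(.*\)$|$ts REMOVED $name: \1|p" \
    -e "s|^> \(.*\)$|$ts ADDED $name: \1|p" >> "$log"
  # Refresh the snapshot so the next run reports only new changes.
  snapshot_file "$file" "$snap"
}

# Count log entries of one kind (ADDED or REMOVED); prints 0 when none.
count_events() {
  [ -f "$1" ] || { echo 0; return 0; }
  grep -c " $2 " "$1" || true
}

# Self-contained demo on constructed data in a temp dir; prints the log path.
run_demo() {
  dir=$(mktemp -d)
  passwd="$dir/passwd"; snap="$dir/passwd.snap"; log="$dir/user_monitor.log"
  # Constructed baseline resembling /etc/passwd (not taken from any real host).
  printf '%s\n' \
    'root:x:0:0:root:/root:/bin/sh' \
    'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
    'alice:x:1000:1000:Alice:/home/alice:/bin/sh' > "$passwd"
  snapshot_file "$passwd" "$snap"
  # Constructed change: alice's login shell altered and a new account appended.
  printf '%s\n' \
    'root:x:0:0:root:/root:/bin/sh' \
    'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
    'alice:x:1000:1000:Alice:/home/alice:/bin/bash' \
    'newuser:x:1001:1001:New User:/home/newuser:/bin/sh' > "$passwd"
  # The checksum watch fires, so the diff runs and the log is written.
  if file_changed "$passwd" "$snap.cksum"; then
    report_changes "$passwd" "$snap" "$log"
  fi
  echo "$log"
}
```

Running `run_demo` yields a log with one REMOVED line (alice's old entry) and two ADDED lines (alice's new entry and the new account); a second check immediately afterwards finds the checksum unchanged and logs nothing, which is the behaviour a console rule watching the log file relies on.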