Query regarding tracking changes to the /root/.ssh/authorized_keys file
VMware vCenter Server
The /root/.ssh/authorized_keys file on the VMware vCenter Server Appliance (VCSA) is crucial as it manages the SSH public keys authorized for passwordless root login. Maintaining the integrity of this file is essential for system security.
However, tracking or monitoring changes to this file is not feasible using native tools within VCSA due to strict access and visibility restrictions. Only the root user account on the local OS has read/write permission to this file. Since any user with super admin privileges essentially has root access, multiple users can modify the file with no distinct audit trail.
This creates a significant audit and security challenge, as it is not possible to uniquely identify which individual made a change or the exact time of modification. The lack of user-level granularity in native logging means that any root-level user edits are effectively anonymous from a monitoring perspective.
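An added example, not part of the original article and not VMware code: a copy of the file can still be compared against an approved baseline to show which keys were added, removed, or had their options changed. As the article states, this cannot show who made the change or when. The baseline, the sample keys and the function names are assumptions constructed for illustration.

```python
import base64
import hashlib
import re

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-", "sk-ssh-ed25519@", "sk-ecdsa-sha2-")
# Split on whitespace, but keep double-quoted option values (which may contain spaces) intact.
TOKEN = re.compile(r'(?:[^\s"]|"(?:\\.|[^"\\])*")+')

def fingerprint(b64_blob):
    """SHA256 fingerprint of a public key blob, in the form `ssh-keygen -l` prints."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Map fingerprint -> {"options", "comment"} for every key line in the file."""
    keys = {}
    for line in text.splitlines():
        tokens = TOKEN.findall(line)
        if not tokens or tokens[0].startswith("#"):
            continue
        # The key type is the first field, or the second when an options field precedes it.
        start = 0 if tokens[0].startswith(KEY_TYPES) else 1
        if len(tokens) < start + 2 or not tokens[start].startswith(KEY_TYPES):
            continue  # not a usable key line
        keys[fingerprint(tokens[start + 1])] = {
            "options": tokens[0] if start else "", "comment": " ".join(tokens[start + 2:])}
    return keys

def drift(baseline_text, current_text):
    """Compare a copy of authorized_keys against the approved baseline."""
    base, cur = parse_authorized_keys(baseline_text), parse_authorized_keys(current_text)
    return {
        "added": {f: cur[f] for f in cur.keys() - base.keys()},
        "removed": {f: base[f] for f in base.keys() - cur.keys()},
        "options_changed": sorted(f for f in cur.keys() & base.keys()
                                  if cur[f]["options"] != base[f]["options"]),
    }

def sample_key(label):
    """Constructed, non-functional ed25519-shaped blob so the demo runs offline."""
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + hashlib.sha256(label.encode()).digest()
    return base64.b64encode(blob).decode()

# Constructed sample data: an approved baseline and a later copy of the file.
BASELINE = (f'from="10.0.0.5" ssh-ed25519 {sample_key("backup")} backup@mgmt\n'
            f'ssh-ed25519 {sample_key("admin")} admin@jump\n')
CURRENT = (f'ssh-ed25519 {sample_key("backup")} backup@mgmt\n'
           f'ssh-ed25519 {sample_key("admin")} admin@jump\n'
           f'ssh-ed25519 {sample_key("other")} unlabelled\n')
```

For the constructed data, `drift(BASELINE, CURRENT)` reports one added key and one key whose `from=` restriction was dropped.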