Let us say you would like to audit the /etc/passwd file. You need to type the command as follows:

# auditctl -w /etc/passwd -p war -k password-file

Where,

-w /etc/passwd : Insert a watch for the file system object at the given path, i.e. watch the file called /etc/passwd.
-p war : Set the permissions filter for the file system watch. It can be r for read, w for write, x for execute, a for append.
-k password-file : Set a filter key on the /etc/passwd watch. password-file is a filterkey (a string of text that can be up to 31 bytes long). It uniquely identifies the audit records produced by the watch. You use the password-file string or phrase while searching the audit logs.

In short, you are monitoring (read as watching) the /etc/passwd file for anyone (including syscalls) that may perform a write, append or read operation on the file.

Wait for some time, or as a normal user run commands as follows:

$ grep 'something' /etc/passwd
$ vi /etc/passwd
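The records produced by the watch above carry key="password-file", and the search step is normally done with ausearch -k. As an added example (not code from the original post or from the audit project), the script below shows what that key lookup does: it groups constructed audit.log records by event serial, keeps the SYSCALL records tagged with the requested key, and joins them with the PATH records of the same event. The log lines, uids and pids are constructed sample values.

```python
"""Find audit events tagged with an auditctl -k filter key in audit.log."""
import re
from collections import defaultdict

# Constructed sample records in audit.log format (not captured from a real host).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:42): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1c0 a2=0 a3=0 items=1 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="grep" exe="/usr/bin/grep" key="password-file"
type=CWD msg=audit(1700000000.101:42): cwd="/home/alice"
type=PATH msg=audit(1700000000.101:42): item=0 name="/etc/passwd" inode=393 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.205:43): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd2c0 a2=0 a3=0 items=1 ppid=900 pid=901 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="shadow-file"
type=PATH msg=audit(1700000000.205:43): item=0 name="/etc/shadow" inode=394 dev=fd:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.307:44): arch=c000003e syscall=257 success=yes exit=5 a0=ffffff9c a1=7ffd3c0 a2=241 a3=1a4 items=2 ppid=1200 pid=1240 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" key="password-file"
type=PATH msg=audit(1700000000.307:44): item=0 name="/etc/" inode=2 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.307:44): item=1 name="/etc/passwd" inode=393 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # name=value or name="value"
MSG_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')  # event serial number

def parse_events(log_text):
    """Group records by event serial: {serial: {record_type: [fields, ...]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        events[int(m.group(1))][fields["type"]].append(fields)
    return events

def events_for_key(log_text, key):
    """Summarise the SYSCALL events carrying the given filter key (what
    ausearch -k does), joined with the PATH records of the same event."""
    hits = []
    for serial, recs in sorted(parse_events(log_text).items()):
        for sc in recs.get("SYSCALL", []):
            if sc.get("key") != key:
                continue
            # auid is the login uid and survives su/sudo, so it attributes the
            # action to the person even when uid is 0 (see the vi event).
            paths = [p["name"] for p in recs.get("PATH", [])
                     if p.get("nametype") == "NORMAL"]
            hits.append({"event": serial, "syscall": sc["syscall"], "auid": sc["auid"],
                         "uid": sc["uid"], "exe": sc["exe"], "paths": paths})
    return hits

if __name__ == "__main__":
    for hit in events_for_key(SAMPLE_LOG, "password-file"):
        print(hit)
```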
Following are more examples:

File system audit rule

Add a watch on "/etc/shadow" with the arbitrary filterkey "shadow-file" that generates records for "reads, writes, executes, and appends" on "shadow":

# auditctl -w /etc/shadow -k shadow-file -p rwxa

Syscall audit rule

The next rule suppresses auditing for mount syscall exits:

# auditctl -a exit,never -S mount

File system audit rule

Add a watch on "/tmp" with the filterkey "webserver-watch-tmp" that generates records for "executes" on "/tmp" (good for a webserver):

# auditctl -w /tmp -p x -k webserver-watch-tmp

(The permissions filter only accepts r, w, x and a, so an execute watch is written as -p x.)

Syscall audit rule using pid

To see all syscalls made by a program called sshd (pid - 1005):

# auditctl -a entry,always -S all -F pid=1005

(Note: the entry filter list is deprecated in current audit releases; on a modern system the same rule is written with -a exit,always.)