====== Ubuntu - Auditing - Audit a file ======

<WRAP important>
**WARNING**:  Please be careful before creating rules. 

It will increase your log file size significantly if too much information to record.
</WRAP>

----

===== Audit file access =====

<code bash>
sudo auditctl -w /etc/passwd -p rwxa
</code>

  * -w path ; this parameter will insert a watch for the file system object at path.  On the example above, auditd will watch the /etc/passwd file.
  * -p ; this parameter describes the permission access type that a file system watch will trigger on.
  * rwxa ; are the attributes which bind to -p parameter above. r is read, w is write, x is execute and a is attribute.