sudo auditctl -w /etc/passwd -p rwxa

• -w path ; this parameter will insert a watch for the file system object at path. On the example above, auditd will watch the /etc/passwd file.
• -p ; this parameter describes the permission access type that a file system watch will trigger on.
• rwxa ; are the attributes which bind to -p parameter above. r is read, w is write, x is execute and a is attribute.