Monitor file access with auditd
/etc/audit/rules.d/audit.conf
-D
-b 8192
-f 1
-e 1
-w /etc/passwd -p rwxa
-a always,exit -S all -F path=/data
-a always,exit -S all -F path=/data/dir2/f1
now take a look for the usage
# aditctl -R /etc/audit/rules.d/audit.conf
# auditctl -l
-w /etc/passwd -p rwxa
-a always,exit -S all -F path=/data
-a always,exit -S all -F path=/data/dir2/f1
# tail -f /var/log/audit/audit.log
# vipw
--> now we see logs in audit.log