Monitor file access with auditd

 

/etc/audit/rules.d/audit.conf

-D
-b 8192
-f 1
-e 1
-w /etc/passwd -p rwxa

-a always,exit -S all -F path=/data
-a always,exit -S all -F path=/data/dir2/f1

 


Now load the rules and watch the log:

# auditctl -R /etc/audit/rules.d/audit.conf

# auditctl -l
-w /etc/passwd -p rwxa
-a always,exit -S all -F path=/data
-a always,exit -S all -F path=/data/dir2/f1

# tail -f /var/log/audit/audit.log


# vipw
--> Now the access shows up in audit.log.
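
An added example (not part of the original note): a small Python parser that groups raw audit.log records by event serial and reports which executable and login uid (auid) touched one of the paths watched above. The log lines are constructed samples, and matching is on the absolute name in the PATH record only (relative or hex-encoded names are not resolved).

```python
import re
from collections import defaultdict

# Constructed sample records in the raw audit.log format (not captured output).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1000 pid=1234 auid=1000 uid=0 comm="vipw" exe="/usr/sbin/vipw" key=(null)
type=CWD msg=audit(1700000000.123:456): cwd="/root"
type=PATH msg=audit(1700000000.123:456): item=0 name="/etc/passwd" inode=131 nametype=NORMAL
type=SYSCALL msg=audit(1700000005.500:457): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=2000 pid=2345 auid=1001 uid=1001 comm="cat" exe="/usr/bin/cat" key=(null)
type=PATH msg=audit(1700000005.500:457): item=0 name="/data/dir2/f1" inode=900 nametype=NORMAL
type=SYSCALL msg=audit(1700000009.000:458): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=2000 pid=2346 auid=1001 uid=1001 comm="cat" exe="/usr/bin/cat" key=(null)
type=PATH msg=audit(1700000009.000:458): item=0 name="/etc/hostname" inode=77 nametype=NORMAL
"""

# Record header: type, timestamp and event serial; the rest is key=value pairs.
HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by audit event serial: {serial: {type: [fields, ...]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # skip blank or truncated lines
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        events[int(serial)][rtype].append(fields)
    return events

def accesses(text, watched):
    """Return one dict per event whose PATH record names a watched file."""
    hits = []
    for serial, recs in sorted(parse_events(text).items()):
        names = {p.get("name") for p in recs.get("PATH", [])}
        for sc in recs.get("SYSCALL", []):
            for name in sorted(names & set(watched)):
                hits.append({"serial": serial, "path": name, "exe": sc.get("exe"),
                             "auid": sc.get("auid"), "success": sc.get("success")})
    return hits

if __name__ == "__main__":
    # Paths taken from the rules file above.
    for hit in accesses(SAMPLE_LOG, ["/etc/passwd", "/data", "/data/dir2/f1"]):
        print(hit)
```

The auid field is the login uid, so it still identifies the original user when the access happened as root via su or sudo.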