Creating rules to monitor when someone performs a certain action isn't hard, but the command syntax is a bit trickier than what we've seen so far. With this rule, we're going to be alerted every time that Charlie either tries to open a file or tries to create a file:

[donnie@localhost ~]$ sudo auditctl -a always,exit -F arch=b64 -S openat -F auid=1006[sudo] password for donnie:[donnie@localhost ~]$ sudo auditctl -l-w /etc/passwd -p wa -k passwd_changes-w /secretcats -p rwxa -k secretcats_watch-a always,exit -F arch=b64 -S openat -F auid=1006[donnie@localhost ~]$

Here's the breakdown:

• -a always,exit: Here, we have the action and the list. The exit part means that this rule will be added to the system call exit list. ...