January 2018
Intermediate to advanced
376 pages
8h 45m
English
Let's start by looking at the rule that we created that will alert us whenever a change is made to the /etc/passwd file. The -w option places a watch on the file, -p wa fires the watch on writes and attribute changes, and -k passwd_changes tags every resulting audit record with a key that we can search on later:
sudo auditctl -w /etc/passwd -p wa -k passwd_changes
Now, let's make a change to the file and look for the alert message. Rather than add another user, since I'm running out of cats whose names I can use, I'll just use the chfn utility to add contact information to the comment field for Cleopatra's entry:
[donnie@localhost etc]$ sudo chfn cleopatra
Changing finger information for cleopatra.
Name []: Cleopatra Tabby Cat
Office []: Donnie's back yard
Office Phone []: 555-5555
Home Phone []: 555-5556
Finger information changed.
[donnie@localhost etc]
I'll now use ausearch to look for any audit messages ...
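The following script is an added example, not code from the book: it does offline what ausearch -k passwd_changes does on the live system, pulling out the SYSCALL records that carry the watch key and reporting who actually made the change. The audit records embedded in it are constructed to resemble what the page's rule produces when a sudo'd chfn rewrites /etc/passwd (on x86_64, syscall 2 is open and 82 is rename); the timestamps, PIDs and event serials are illustrative. The detail worth noticing is that uid is 0 for the sudo'd command, but auid (the login UID) still says 1000, which is how the audit log ties the change back to the human who ran sudo rather than to root. An auid of 4294967295 means the login UID was never set, which is typical of daemons such as cron.

```shell
#!/bin/sh
# Added example (not from the book). On the real host the workflow is:
#   sudo auditctl -w /etc/passwd -p wa -k passwd_changes   # the page's rule
#   sudo auditctl -l                                        # confirm it loaded
#   sudo ausearch -i -k passwd_changes                      # find the hits
# Below, the same search is done over a CONSTRUCTED sample of raw audit
# records so the logic can run anywhere without auditd or root.

SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1516000001.123:4001): arch=c000003e syscall=2 success=yes exit=3 a0=7ffe3c2a1b40 items=2 ppid=2311 pid=2340 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="chfn" exe="/usr/bin/chfn" key="passwd_changes"
type=CWD msg=audit(1516000001.123:4001): cwd="/etc"
type=PATH msg=audit(1516000001.123:4001): item=0 name="/etc/passwd" inode=263 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=SYSCALL msg=audit(1516000001.200:4002): arch=c000003e syscall=82 success=yes exit=0 a0=7ffe3c2a1c20 items=4 ppid=2311 pid=2340 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="chfn" exe="/usr/bin/chfn" key="passwd_changes"
type=SYSCALL msg=audit(1516000050.900:4010): arch=c000003e syscall=2 success=yes exit=3 a0=7ffe9a110100 items=1 ppid=1 pid=3000 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/crond" key="cron_jobs"'

# audit_hits KEY  (raw audit records on stdin)
# Prints one line per SYSCALL record tagged with KEY:
#   <epoch-seconds> <event-serial> auid=<login uid or "unset"> uid=... comm=... exe=... syscall=...
# Only SYSCALL records carry the key; the CWD/PATH records that share the
# same event serial are deliberately skipped.
audit_hits() {
    key="$1"
    grep '^type=SYSCALL ' | grep " key=\"$key\"" | awk '{
        split("", f)
        # Turn every name=value token into an associative-array entry.
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n > 0) f[substr($i, 1, n - 1)] = substr($i, n + 1)
        }
        # msg=audit(EPOCH.MSEC:SERIAL):  ->  epoch and serial
        m = f["msg"]; sub(/^audit\(/, "", m); sub(/\):$/, "", m)
        split(m, parts, /[.:]/)
        # 4294967295 is (unsigned)-1: no login session, i.e. not a human user.
        actor = (f["auid"] == "4294967295") ? "unset" : f["auid"]
        printf "%s %s auid=%s uid=%s comm=%s exe=%s syscall=%s\n",
               parts[1], parts[3], actor, f["uid"], f["comm"], f["exe"], f["syscall"]
    }'
}

# count_hits KEY  -> number of matching SYSCALL records in the sample
count_hits() {
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | audit_hits "$1" | wc -l | tr -d ' '
}

# first_hit KEY  -> the first summary line for KEY in the sample
first_hit() {
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | audit_hits "$1" | head -n 1
}

# Stand-alone run: show the passwd changes, then the unrelated cron record.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | audit_hits passwd_changes
printf '%s\n' "$SAMPLE_AUDIT_LOG" | audit_hits cron_jobs
```

Two practical caveats when using this on a real box. First, a rule added with auditctl lives only in the running kernel; to survive a reboot, put the same line in a file under /etc/audit/rules.d/ and load it with augenrules --load. Second, grep on the raw log is fine for a quick look, but ausearch -i resolves the numeric uid, auid and syscall fields to names for you and understands the log's rotation, so prefer it when the box has auditd installed.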