This is an old revision of the document!
# apt-get install auditd
# auditctl -D # auditctl -w /etc/passwd -p rwa -k passwords-files # cat /etc/audit/audit.rules
... -w /etc/shadow -p rwa -k passwords-files
# /etc/init.d/auditd restart <code> ===== Генерация событий ===== <code> # touch /etc/passwd # cat /etc/shadow
# cat /var/log/audit/audit.log # ausearch -f /etc/passwd # ausearch -k passwords-files # ausearch -f /etc/passwd -i