auditctl -w /etc/hosts -p war -k hosts-file

-w /etc/hosts -p war -k hosts-file

# auditctl -l
w /etc/hosts -p rwa -k hosts-file

-a Action, List -S Systemcall -F Field=Value -k Key

-a exit,always -S open -F auid=1000 -k user-actions

-a exclude,always -F msgtype=SYSTEM_BOOT

ausearch -m 2>&1 | tr ' ' '\n' | grep '[A-Z]$' | sort