auditctl -w /etc/hosts -p war -k hosts-file -w /etc/hosts -p war -k hosts-file # auditctl -l w /etc/hosts -p rwa -k hosts-file -a Action, List -S Systemcall -F Field=Value -k Key -a exit,always -S open -F auid=1000 -k user-actions -a exclude,always -F msgtype=SYSTEM_BOOT ausearch -m 2>&1 | tr ' ' '\n' | grep '[A-Z]$' | sort