Using ausearch and aureport
The auditd daemon logs events to the /var/log/audit/audit.log file. Although you could read the file directly with something like less, you really don't want to. The ausearch and aureport utilities will help you translate the file into a language that makes some sort of sense.
Searching for file change alerts
Let's start by looking at the rule that we created that will alert us whenever a change is made to the /etc/passwd file:
sudo auditctl -w /etc/passwd -p wa -k passwd_changes
Now, let's make a change to the file and look for the alert message. Rather than add another user, since I'm running out of cats whose names I can use, I'll just use the chfn utility to add contact information to the comment field for Cleopatra's entry:
[donnie@localhost etc]$ sudo chfn cleopatra
Changing finger information for cleopatra.
Name []: Cleopatra Tabby Cat
Office []: Donnie's back yard
Office Phone []: 555-5555
Home Phone []: 555-5556

Finger information changed.
[donnie@localhost...
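To show what the raw audit.log records behind that alert look like, and why ausearch is the nicer way to read them, here is an added example that is not from the book: a small Python parser that groups records by event serial and pulls out the events tagged with the passwd_changes key. The log lines are constructed to mimic what the -w /etc/passwd -p wa rule produces when chfn rewrites the file; the field values are made up.

```python
import re
from collections import defaultdict
# Constructed sample of raw audit.log records (values made up), modelled on what the
# "-w /etc/passwd -p wa -k passwd_changes" rule emits when chfn rewrites /etc/passwd.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1516467291.723:246): arch=c000003e syscall=82 success=yes exit=0 a0=7ffd a1=7ffe a2=0 a3=0 items=2 ppid=4242 pid=4243 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="chfn" exe="/usr/bin/chfn" key="passwd_changes"
type=CWD msg=audit(1516467291.723:246): cwd="/etc"
type=PATH msg=audit(1516467291.723:246): item=0 name="/etc/" inode=131073 dev=fd:00 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1516467291.723:246): item=1 name="/etc/passwd" inode=131201 dev=fd:00 mode=0100644 ouid=0 ogid=0 nametype=CREATE
type=SYSCALL msg=audit(1516467300.101:247): arch=c000003e syscall=2 success=yes exit=3 a0=0 a1=0 a2=0 a3=0 items=1 ppid=4242 pid=4250 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="other_rule"
type=PATH msg=audit(1516467300.101:247): item=0 name="/etc/hostname" inode=131300 dev=fd:00 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
"""

# type=<TYPE> msg=audit(<seconds>.<ms>:<serial>): <space-separated key=value fields>
MSG_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_record(line):
    """Split one audit.log line into (type, timestamp, serial, {field: value}); None if unparsable."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    return rtype, float(ts), int(serial), {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}

def events_for_key(log_text, key):
    """Group records by serial (one event = SYSCALL + CWD + PATH lines, as ausearch shows them)
    and return the events whose SYSCALL record carries the given rule key."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec[2]].append(rec)
    matches = []
    for serial, recs in sorted(events.items()):
        syscall = next((f for t, _, _, f in recs if t == "SYSCALL"), None)
        if syscall is None or syscall.get("key") != key:
            continue
        matches.append({
            "serial": serial, "time": recs[0][1],
            "auid": syscall["auid"],  # login uid: survives sudo, so it names the person, not root
            "uid": syscall["uid"],    # uid the syscall actually ran as (0 here because of sudo)
            "exe": syscall["exe"], "comm": syscall["comm"], "success": syscall["success"],
            "paths": [f["name"] for t, _, _, f in recs if t == "PATH"],
        })
    return matches

if __name__ == "__main__":
    for ev in events_for_key(SAMPLE_LOG, "passwd_changes"):
        print(f"{ev['time']:.3f} #{ev['serial']} auid={ev['auid']} uid={ev['uid']} exe={ev['exe']} paths={ev['paths']}")
```

The point to notice is that auid stays 1000 even though the write ran as uid 0 under sudo, which is what lets you attribute the change to the actual person; on a live system, sudo ausearch -k passwd_changes -i gives the same grouped view with the numeric fields interpreted.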