📅  最后修改于: 2022-03-11 14:50:58.106000             🧑  作者: Mango
# To see all syscalls made by a specific program:
sudo auditctl -a always,exit -S all -F pid=1005
#To watch a file for changes (2 ways to express):
sudo auditctl -w /etc/shadow -p wa
sudo auditctl -a always,exit -F path=/etc/shadow -F perm=wa