sudo vim /etc/audit/audit.rules

	## This file is automatically generated from /etc/audit/rules.d
	-D
	-b 8192
	-f 1
	--backlog_wait_time 60000

	-w /etc/passwd -p wa -k identity_changes

-w /etc/passwd: This part specifies the file or directory to monitor.  In this
case, it specifies monitoring of the /etc/passwd file.  The -w option is used to
watch a specific file or directory for changes.

-p wa: This part specifies the permissions to monitor for the watched file.  Here:
w: Stands for write permission.  It specifies that write (modification) operations
on the file should be monitored.

a: Stands for attribute change.  It specifies that changes to file attributes
(such as permissions or ownership) should be monitored.

-k identity_changes: This part specifies the audit event key, which is a
user-defined string used to categorize and filter audit events.  In this case, the
key is identity_changes, which suggests that the rule is related to changes in
system identity or user information.)