sudo vim /etc/audit/audit.rules

## This file is automatically generated from /etc/audit/rules.d
-D
-b 8192
-f 1
--backlog_wait_time 60000
-w /etc/passwd -p wa -k identity_changes

-w /etc/passwd: This part specifies the file or directory to monitor. In this case, it specifies monitoring of the /etc/passwd file. The -w option is used to watch a specific file or directory for changes.

-p wa: This part specifies the permissions to monitor for the watched file. Here:

  w: Stands for write permission. It specifies that write (modification) operations on the file should be monitored.

  a: Stands for attribute change. It specifies that changes to file attributes (such as permissions or ownership) should be monitored.

-k identity_changes: This part specifies the audit event key, which is a user-defined string used to categorize and filter audit events. In this case, the key is identity_changes, which suggests that the rule is related to changes in system identity or user information.
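To show what the identity_changes key buys you on the detection side, here is an added example (not part of the original page) that groups raw audit records by event ID and reports who touched /etc/passwd. The log lines are constructed samples in the /var/log/audit/audit.log format, and the function name events_for_key and the second key cron_access are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample records (not real logs). Event 456 is a write-open of
# /etc/passwd (-p w), event 471 is a chmod on it (-p a), and event 460 is
# tagged with a different key and must be filtered out.
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=1200 pid=1235 auid=1000 uid=0 gid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="identity_changes"
type=PATH msg=audit(1700000000.123:456): item=0 name="/etc/" inode=131073 nametype=PARENT
type=PATH msg=audit(1700000000.123:456): item=1 name="/etc/passwd" inode=131500 nametype=NORMAL
type=SYSCALL msg=audit(1700000050.500:460): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="cron_access"
type=PATH msg=audit(1700000050.500:460): item=0 name="/etc/crontab" inode=131600 nametype=NORMAL
type=SYSCALL msg=audit(1700000100.900:471): arch=c000003e syscall=90 success=yes exit=0 items=1 ppid=2000 pid=2001 auid=1001 uid=0 gid=0 tty=pts1 ses=5 comm="chmod" exe="/usr/bin/chmod" key="identity_changes"
type=PATH msg=audit(1700000100.900:471): item=0 name="/etc/passwd" inode=131500 nametype=NORMAL
'''

EVENT_ID = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')   # timestamp:serial
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')                # name=value pairs

def events_for_key(log_text, key):
    """Group records by event ID and summarise the events tagged with key."""
    events = defaultdict(lambda: {"paths": []})
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        ev = events[(m.group(1), int(m.group(2)))]
        if fields.get("type") == "SYSCALL":
            # auid is the login UID and survives sudo/su; uid is the effective actor.
            ev.update({f: fields.get(f) for f in ("auid", "uid", "exe", "syscall", "key")})
        elif fields.get("type") == "PATH" and fields.get("nametype") != "PARENT":
            ev["paths"].append(fields.get("name"))
    ordered = sorted(events.items(), key=lambda kv: kv[0][1])
    return [dict(ev, serial=eid[1]) for eid, ev in ordered if ev.get("key") == key]

if __name__ == "__main__":
    for ev in events_for_key(SAMPLE_LOG, "identity_changes"):
        print(ev["serial"], "auid=" + ev["auid"], ev["exe"], ev["paths"])
```

On a live host, ausearch -k identity_changes performs the same key-based filtering against the real audit log.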