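Comandos

  apt install auditd
  systemctl status auditd
  tree /etc/audit/

Uso

  echo "-w /etc/hosts -p rwxa -k archivo_hosts" > /etc/audit/rules.d/my.rules

Nota: el operador ">" sobrescribe my.rules, y las reglas guardadas en /etc/audit/rules.d/ no quedan activas hasta que se cargan (por ejemplo con augenrules --load o reiniciando auditd). Con auditctl -l se comprueba qué reglas están cargadas.

  cat /var/log/audit/audit.log |grep host_changes

  type=SYSCALL msg=audit(1612138352.609:94): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7fff09c297ae a2=0 a3=0 items=1 ppid=5404 pid=5414 auid=1000 uid=2000 gid=2000 euid=2000 suid=2000 fsuid=2000 egid=2000 sgid=2000 fsgid=2000 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key="host_changes"

Nota: la salida de ejemplo corresponde a una regla cuya clave es host_changes. El texto que se busca debe coincidir con el valor de -k de la regla, así que con la regla de arriba habría que buscar archivo_hosts. En el evento, auid=1000 es el usuario con el que se inició la sesión y uid=2000 el usuario efectivo que ejecutó /bin/cat.

  auditctl -w /etc/hostname -p rwxa -k archivo_hostname

Nota: auditctl añade la regla en caliente. No se conserva tras reiniciar el servicio salvo que también se guarde en /etc/audit/rules.d/.

Reportes

  aureport
  aureport -au
  aureport -au -i --success
  aureport -k

====== Referencias ======

  * https://www.tecmint.com/linux-system-auditing-with-auditd-tool-on-centos-rhel/
  * https://www.golinuxhub.com/2013/05/using-audit-in-linux-to-track-system/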