Monitoring which process modified a file on Linux

  • 2020-05-14 05:51:36
  • OfStack

Installation: apt-get install auditd.

1. auditd is the background daemon that records the monitored events
2. auditctl is the tool for configuring rules
3. ausearch searches and views the records
4. aureport generates reports from the monitoring records

For example, to monitor whether the file /root/.ssh/authorized_keys has been modified:

auditctl -w /root/.ssh/authorized_keys -p war -k auth_key

• -w specifies the file to monitor
• -p specifies the types of operations to monitor: a, w, r, x (append, write, read, execute)
• -k gives the monitoring rule a name so that records can be filtered and searched by key

View the modification records with ausearch -i -k auth_key, and generate a report with aureport.
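ausearch answers the question only on the host where auditd is running; when the raw /var/log/audit/audit.log has been shipped elsewhere, the same answer has to be pulled out of the SYSCALL records tagged with the rule key. The following script is an added example, not part of the original article: it takes audit.log lines (a constructed sample is embedded; the hypothetical function audit_key_hits also accepts a file path) and prints the pid, login uid, command name, executable and syscall number of every process that triggered the auth_key rule.

```sh
#!/bin/sh
# Constructed sample of raw audit.log lines, as written by auditd after the rule
#   auditctl -w /root/.ssh/authorized_keys -p war -k auth_key
# has fired twice; the third event belongs to an unrelated rule (key passwd_changes).
SAMPLE_LOG='type=SYSCALL msg=audit(1589428296.123:456): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d1c9a2b2c0 a2=441 a3=1b6 items=2 ppid=1001 pid=1234 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="auth_key"
type=CWD msg=audit(1589428296.123:456): cwd="/root"
type=PATH msg=audit(1589428296.123:456): item=1 name="/root/.ssh/authorized_keys" inode=140 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1589428310.555:470): arch=c000003e syscall=82 success=yes exit=0 a0=7ffd1 a1=7ffd2 a2=0 a3=0 items=4 ppid=1001 pid=5678 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="auth_key"
type=PATH msg=audit(1589428310.555:470): item=3 name="/root/.ssh/authorized_keys" inode=141 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1589428400.001:480): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=55d1c9a2b3d0 a2=241 a3=1b6 items=2 ppid=1001 pid=9012 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="passwd" exe="/usr/bin/passwd" key="passwd_changes"'

# audit_key_hits KEY [FILE]
# Reads raw audit.log lines from FILE (or the embedded sample when FILE is omitted)
# and prints one line per SYSCALL record carrying key="KEY":
#   pid auid comm exe syscall
# auid is the login uid, which survives su/sudo and names the user that logged in.
audit_key_hits() {
    key="$1"
    if [ -n "${2-}" ]; then cat -- "$2"; else printf '%s\n' "$SAMPLE_LOG"; fi |
    awk -v key="$key" '
        $1 == "type=SYSCALL" && index($0, "key=\"" key "\"") {
            pid = ""; auid = ""; comm = ""; exe = ""; sc = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                gsub(/"/, "", kv[2])          # strip the quotes around comm/exe/key
                if (kv[1] == "pid")          pid  = kv[2]
                else if (kv[1] == "auid")    auid = kv[2]
                else if (kv[1] == "comm")    comm = kv[2]
                else if (kv[1] == "exe")     exe  = kv[2]
                else if (kv[1] == "syscall") sc   = kv[2]
            }
            print pid, auid, comm, exe, sc
        }'
}

# Stand-alone run against the embedded sample: the two auth_key events are listed,
# the passwd_changes event is not.
audit_key_hits auth_key
```

On a real host, `audit_key_hits auth_key /var/log/audit/audit.log` gives the same columns; `ausearch -i -k auth_key` additionally resolves the syscall number and uids to names.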
