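# auditctl quick reference.
# Rules loaded with auditctl exist only in the running kernel and are gone
# after a reboot. To keep a rule, put the same rule text (without
# "sudo auditctl") in the audit rules file your distribution loads at boot,
# commonly a file under /etc/audit/rules.d/.

# To see all syscalls made by a specific program:
# 1005 is a sample PID; substitute the PID of the process being examined.
# - "-S all" records every syscall, so the log grows quickly. Delete the rule
#   when done by repeating the command with -d in place of -a.
# - The filter matches the PID number only. Child processes have their own
#   PIDs and are not covered, and a recycled PID would match an unrelated
#   process, so do not leave this rule loaded.
# - Adding "-k <key>" tags the events so they can be pulled out later with
#   "ausearch -k <key>".
sudo auditctl -a always,exit -S all -F pid=1005

# To watch a file for changes (2 ways to express):
# perm=wa logs writes (w) and attribute changes (a) such as chmod/chown;
# reads (r) and executes (x) are not logged by these rules.
# The two commands describe the same rule, so load only one of them.
# Newer auditctl man pages describe the -w form as legacy syntax and
# recommend the -a form (verify against the installed version).
sudo auditctl -w /etc/shadow -p wa
sudo auditctl -a always,exit -F path=/etc/shadow -F perm=wa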