Using the audit subsystem for a quick security check
To monitor a single suspicious program without setting up the audit subsystem, use the watch command. It records either the requested events or all events generated by the specified program.
For example, to see all FILE_Open events when running vi /etc/hosts, type the following:
watch -eFILE_Open -o /tmp/vi.watch vi /etc/hosts
The /tmp/vi.watch file contains all FILE_Open events for the editor session.