Hi,
1. Well, if you read the man page of auditd, a lot of information will be gathered.
2. In order to be specific, read the fifth section of the man page, i.e. man 5 auditd.conf.
3. After this stage you will be able to configure an auditd rule to monitor a file or directory.
4. 'ausearch' is a command to view the output of auditd. Again, you need to refer to the man page for it.
5. Some examples are as follows:
Make sure auditd is up and running.
Suppose you want to monitor/audit the /etc/passwd file; then issue the following command:
Code:
root#auditctl -w /etc/passwd -p war -k Change_bit
What does the above command mean? -->
'-w' is for the file to be watched.
'-p' is for permissions such as read, write, execute, attribute.
'-k' is for the filter/tag, which you can specify on your own. This filter/tag comes in handy while reading the auditd report.
Please go through the man pages for further examples; they have quite a lot.
If you like it or find it useful, do click on the 'like' button.
"Linux for humanity."
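Added example (not part of the post above, and not auditd's own tooling): a small POSIX shell script that builds the same kind of watch rule as the reply describes, validates the -p flags (only r, w, x and a are accepted by auditctl), writes it into a rules file of the form that /etc/audit/rules.d/ uses so it survives a reboot (a rule added with a bare auditctl call does not), and counts how often the rule's key appears in audit.log, which is what 'ausearch -k KEY' searches on. The file path /etc/passwd, the key Change_bit, the rules file name passwd.rules and the audit.log lines embedded below are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed/constructed values:
# the watched path, the key "Change_bit", the rules file name and SAMPLE_LOG.

# build_watch_rule PATH PERMS KEY
#   Prints the rule in the syntax accepted both by auditctl and by
#   /etc/audit/rules.d/*.rules. PERMS may only contain r (read),
#   w (write), x (execute) and a (attribute change).
build_watch_rule() {
    path=$1; perms=$2; key=$3
    case "$perms" in
        ""|*[!rwxa]*)
            echo "invalid permission flags '$perms' (use only r, w, x, a)" >&2
            return 1 ;;
    esac
    printf -- '-w %s -p %s -k %s\n' "$path" "$perms" "$key"
}

# write_rules_file DIR NAME RULE
#   Persists RULE as DIR/NAME.rules. With DIR=/etc/audit/rules.d the rule is
#   picked up by 'augenrules --load' and on the next auditd start; a rule
#   given only to 'auditctl -w' is lost on reboot.
write_rules_file() {
    dir=$1; name=$2; rule=$3
    printf '%s\n' "$rule" > "$dir/$name.rules"
}

# count_key_events KEY  (reads audit.log lines on stdin)
#   Counts SYSCALL records tagged with KEY. 'ausearch -k KEY' matches on the
#   same key= field, so this is the number of hits ausearch would report.
count_key_events() {
    key=$1
    grep -c "type=SYSCALL .*key=\"$key\"" || true
}

# Constructed audit.log excerpt: two hits for Change_bit (a write by vim and a
# read by cat), one PATH record that belongs to the first event, and one
# SYSCALL record for an unrelated key.
SAMPLE_LOG='type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=yes exit=3 comm="vim" exe="/usr/bin/vim" key="Change_bit"
type=PATH msg=audit(1700000000.123:456): item=0 name="/etc/passwd" inode=1234 mode=0100644
type=SYSCALL msg=audit(1700000001.500:457): arch=c000003e syscall=257 success=yes exit=3 comm="cat" exe="/usr/bin/cat" key="Change_bit"
type=SYSCALL msg=audit(1700000002.000:458): arch=c000003e syscall=257 success=yes exit=4 comm="sshd" exe="/usr/sbin/sshd" key="sshd_config"'

# Demo when run directly: show the rule and the number of matching events.
rule=$(build_watch_rule /etc/passwd war Change_bit)
echo "rule:   $rule"
echo "events: $(printf '%s\n' "$SAMPLE_LOG" | count_key_events Change_bit)"
```

After loading the rule for real (as root), 'auditctl -l' should list it and 'ausearch -k Change_bit' will show the same SYSCALL and PATH record pairs the sample above imitates.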