Status: IN
`auditctl -w <path> -p <perms> -k <key>` creates file watch rules; permission flags are `w` (write), `a` (attribute), `r` (read), `x` (execute).
Source: repo:entries/2026/03/04/en-documentation-red_hat_enterprise_linux-9-html-security_hardening-auditing-the.md