rule {
    rule_name = "open-etc-passwd"
    syscall_name = open
    filter_expression = { PARAMS[1] == "/etc/passwd" }
    when = after
    action {
        type = LOG
        log_format {%pid[%comm] opened /etc/passwd, params: (%params) fd: %retval}
    }
}

rule {
    rule_name = "write-etc-passwd"
    syscall_name = write
    filter_expression = { PARAMS[1] == 3 && COMM =~ "vi" }
    when = before
    action {
        type = LOG
    }
}
