# Add a watch to the /etc/hosts file watching for (-p) reads, writes, executions,
# and appends named (-k) hosts-file which can be uniquely used to identify the
# audit records produced by this rule. Check the /var/log/audit/audit.log file
# for matching events.
sudo auditctl -w /etc/hosts -p rwxa -k hosts-file

# To remove the rule later change the -w to -W with the rest of the command being
# the same. If you want to list all rules auditctl -l will show you all rules
# currently loaded.