diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md index 9a97aaf2877..f9dce3432ec 100644 --- a/docs/templates/template_reference.md +++ b/docs/templates/template_reference.md @@ -172,6 +172,17 @@ - Languages: Ansible, Bash, OVAL +#### audit_rules_watch +- Check if there are file system watches configured in audit rules for the given path. + +- Parameters: + + - **path** - path that should be part of the audit watch rule as a value + of `-w` argument, eg. `/etc/group`. + +- Languages: Ansible, Bash, OVAL + + #### argument_value_in_line - Checks that `argument=value` pair is present in (optionally) the line started with line_prefix (and, optionally, ending with diff --git a/shared/templates/audit_rules_watch/ansible.template b/shared/templates/audit_rules_watch/ansible.template new file mode 100644 index 00000000000..637d100378f --- /dev/null +++ b/shared/templates/audit_rules_watch/ansible.template @@ -0,0 +1,8 @@ +# platform = multi_platform_all +# reboot = false +# strategy = restrict +# complexity = low +# disruption = low + +{{{ ansible_audit_augenrules_add_watch_rule(path=PATH, permissions="wa", key=rule_id) }}} +{{{ ansible_audit_auditctl_add_watch_rule(path=PATH, permissions="wa", key=rule_id) }}} diff --git a/shared/templates/audit_rules_watch/bash.template b/shared/templates/audit_rules_watch/bash.template new file mode 100644 index 00000000000..cf637bbade1 --- /dev/null +++ b/shared/templates/audit_rules_watch/bash.template @@ -0,0 +1,4 @@ +# platform = multi_platform_all + +{{{ bash_fix_audit_watch_rule("auditctl", PATH, "wa", rule_id) }}} +{{{ bash_fix_audit_watch_rule("augenrules", PATH, "wa", rule_id) }}} diff --git a/shared/templates/audit_rules_watch/oval.template b/shared/templates/audit_rules_watch/oval.template new file mode 100644 index 00000000000..8c0ec67c742 --- /dev/null +++ b/shared/templates/audit_rules_watch/oval.template 
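Review bot: bash.template declares only `# platform = multi_platform_all`, while the sibling ansible.template added in the same change also carries `# reboot = false`, `# strategy = restrict`, `# complexity = low` and `# disruption = low`; if the bash remediation headers are read the same way, add those four lines so both remediations are classified alike. The two remediations also emit their rules in opposite order (bash: `auditctl` then `augenrules`; ansible: `augenrules` then `auditctl`), which is harmless but worth aligning for readability. Whether `bash_fix_audit_watch_rule` reloads the rule set after editing the files is not visible here, so a one-line comment such as `# the new watch is active only once the rules are reloaded (augenrules --load / auditctl -R)` would tell a reader what to expect.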
@@ -0,0 +1,34 @@ + + + {{{ oval_metadata("Check if actions on '" ~ PATH ~ "' are configured to be audited") }}} + + + + + + + + + + + + + + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+{{{ PATH }}}[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ + 1 + + + + + + + + /etc/audit/audit.rules + ^\-w[\s]+{{{ PATH }}}[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ + 1 + + + diff --git a/shared/templates/audit_rules_watch/template.py b/shared/templates/audit_rules_watch/template.py new file mode 100644 index 00000000000..8b645a6d4f9 --- /dev/null +++ b/shared/templates/audit_rules_watch/template.py @@ -0,0 +1,2 @@ +def preprocess(data, lang): + return data diff --git a/shared/templates/audit_rules_watch/template.yml b/shared/templates/audit_rules_watch/template.yml new file mode 100644 index 00000000000..b57de6fbb63 --- /dev/null +++ b/shared/templates/audit_rules_watch/template.yml @@ -0,0 +1,4 @@ +supported_languages: + - ansible + - bash + - oval diff --git a/shared/templates/audit_rules_watch/tests/auditctl_correct_rules.pass.sh b/shared/templates/audit_rules_watch/tests/auditctl_correct_rules.pass.sh new file mode 100644 index 00000000000..642cd9be36e --- /dev/null +++ b/shared/templates/audit_rules_watch/tests/auditctl_correct_rules.pass.sh @@ -0,0 +1,11 @@ +#!/bin/bash +# packages = audit + +# use auditctl +sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service + + +rm -rf /etc/audit/rules.d/* +rm /etc/audit/audit.rules + +echo "-w {{{ PATH }}} -p wa -k {{{ rule_id }}}" >> /etc/audit/audit.rules diff --git a/shared/templates/audit_rules_watch/tests/auditctl_correct_rules_watch_rules_without_key.pass.sh b/shared/templates/audit_rules_watch/tests/auditctl_correct_rules_watch_rules_without_key.pass.sh new file mode 100644 index 00000000000..53212274a9d --- /dev/null +++ b/shared/templates/audit_rules_watch/tests/auditctl_correct_rules_watch_rules_without_key.pass.sh 
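Review bot: `PATH` is interpolated verbatim into both patterns (`^\-w[\s]+{{{ PATH }}}[\s]+\-p...`), so any regex metacharacter in the path changes what is matched: a `.` matches any character (so `/etc/audit.rules` would also match `/etc/auditXrules`) and an unbalanced `(` or `[` leaves the pattern malformed and the check erroring. Escape the value before it reaches the pattern, e.g. derive a `path_regex` with `re.escape` in this template's `preprocess` and reference that instead of `PATH` in both patterns. Separately, a `-w` line under `/etc/audit/rules.d/*.rules` is only loaded when auditd runs `augenrules`, and one in `/etc/audit/audit.rules` only when it runs `auditctl` (the `ExecStartPost` the tests patch); if the two file tests are combined with OR, as the pass scenarios suggest, a rule present only in the location auditd does not read would satisfy the check without ever being active, and that limitation deserves a comment in the template. The XML element markup of this hunk appears stripped in this view, so I can only comment on the visible patterns and paths.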
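Review bot: `preprocess` returns `data` untouched, which leaves the `path` parameter unvalidated even though it is substituted verbatim into an audit rule line and into the OVAL regex. A minimal guard here would be `if not data.get("path", "").startswith("/"): raise ValueError("audit_rules_watch: path must be an absolute path")`, and this is also the natural place to derive a regex-escaped variant (`re.escape`) for the OVAL template. I am assuming the parameter is exposed as `data["path"]`, matching the documented parameter name — confirm against how other templates in this directory read their parameters.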
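Review bot: `rm /etc/audit/audit.rules` has no `-f`, so on an image where that file does not exist the command fails and, depending on how the test harness runs scripts, may abort the setup before the rule is written; the sibling `rules_not_there.fail.sh` uses `rm -f`, so `rm -f /etc/audit/audit.rules` keeps the scenarios consistent. The `sed` that rewrites `ExecStartPost` switches auditd to `auditctl` mode but the service is not restarted; that is fine for a file-content OVAL check, but a comment such as `# the check reads the rule files, not the loaded rule set, so no restart is needed` would stop a reader from expecting the rule to be active.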
@@ -0,0 +1,11 @@
+#!/bin/bash
+# packages = audit
+
+
+# use auditctl
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
+
+rm -rf /etc/audit/rules.d/*
+rm /etc/audit/audit.rules
+
+echo "-w {{{ PATH }}} -p wa" >> /etc/audit/audit.rules
diff --git a/shared/templates/audit_rules_watch/tests/augen_correct_rules.pass.sh b/shared/templates/audit_rules_watch/tests/augen_correct_rules.pass.sh
new file mode 100644
index 00000000000..cd89ac70421
--- /dev/null
+++ b/shared/templates/audit_rules_watch/tests/augen_correct_rules.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# packages = audit
+
+echo "-w {{{ PATH }}} -p wa -k audit_rules_networkconfig_modification" >> /etc/audit/rules.d/networkconfig.rules
diff --git a/shared/templates/audit_rules_watch/tests/augen_correct_rules_watch_rules_without_key.pass.sh b/shared/templates/audit_rules_watch/tests/augen_correct_rules_watch_rules_without_key.pass.sh
new file mode 100644
index 00000000000..391d156a638
--- /dev/null
+++ b/shared/templates/audit_rules_watch/tests/augen_correct_rules_watch_rules_without_key.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# packages = audit
+
+
+echo "-w {{{ PATH }}} -p wa" >> /etc/audit/rules.d/networkconfig.rules
diff --git a/shared/templates/audit_rules_watch/tests/rules_not_there.fail.sh b/shared/templates/audit_rules_watch/tests/rules_not_there.fail.sh
new file mode 100644
index 00000000000..46629244c95
--- /dev/null
+++ b/shared/templates/audit_rules_watch/tests/rules_not_there.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# packages = audit
+
+
+rm -f /etc/audit/rules.d/*
+> /etc/audit/audit.rules
+true
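Review bot: As in the auditctl_correct_rules scenario, `rm /etc/audit/audit.rules` lacks `-f` and fails when the file is absent, which can abort the setup before the rule line is written; `rm -f /etc/audit/audit.rules` matches the form already used in `rules_not_there.fail.sh`. Since this scenario exists to show that a watch rule without `-k` still satisfies the check, a comment such as `# no -k key: the check must accept a watch rule without a key` would make that intent explicit.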
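Review bot: The key `audit_rules_networkconfig_modification` and the file name `networkconfig.rules` look carried over from a rule-specific test; in a template instantiated for arbitrary paths they are misleading, even though the check's `.*$` tail accepts any key. Using `{{{ rule_id }}}` for the key and a neutral file name, e.g. `echo "-w {{{ PATH }}} -p wa -k {{{ rule_id }}}" >> /etc/audit/rules.d/{{{ rule_id }}}.rules`, ties the scenario to the rule under test; the sibling `auditctl_correct_rules.pass.sh` already uses `{{{ rule_id }}}`. Unlike the auditctl scenarios this one does not clear pre-existing rule files, which is presumably intentional for an augenrules-mode image but would be clearer with a one-line comment saying so.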