How to know who accessed a file or if a file has 'access' monitor in Linux

Posted by J L on Super User
Published on 2012-04-03T22:03:44Z Indexed on 2012/04/04 5:32 UTC


I'm a noob and have some questions about viewing who accessed a file.

I found there are ways to see if a file was accessed (not modified/changed) through the audit subsystem and inotify.

However, from what I have read online, according to here: http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html

it says that to 'watch/monitor' a file, I have to set a watch by using a command like:

# auditctl -w /etc/passwd -p war -k password-file

So if I create a new file or directory, do I have to use an audit/inotify command to 'set' a watch first to 'watch' who accessed the new file?

Also, is there a way to know if a directory is being 'watched' through the audit subsystem or inotify? How/where can I check the log of a file?

edit:

From further googling, I found this page saying: http://www.kernel.org/doc/man-pages/online/pages/man7/inotify.7.html

The inotify API provides no information about the user or process that triggered the inotify event.

So I guess this means that I can't figure out which user accessed a file? Only the audit subsystem can be used to figure out who accessed a file?

© Super User or respective owner
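
Added example (not part of the original post): the raw records the audit subsystem writes for a watch tagged with -k password-file carry the login uid (auid), the uid and the executable, which is the information inotify does not provide. The log lines below are constructed sample data, and the function name accesses is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample records in the raw audit.log format (not real log data).
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1333490624.123:412): arch=c000003e syscall=2 success=yes exit=3 ppid=2101 pid=2144 auid=1000 uid=0 gid=0 comm="cat" exe="/bin/cat" key="password-file"
type=PATH msg=audit(1333490624.123:412): item=0 name="/etc/passwd" inode=131077 mode=0100644
type=SYSCALL msg=audit(1333490700.456:431): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=2290 auid=4294967295 uid=0 gid=0 comm="cron" exe="/usr/sbin/cron" key="password-file"
type=PATH msg=audit(1333490700.456:431): item=0 name="/etc/passwd" inode=131077 mode=0100644
type=SYSCALL msg=audit(1333490800.789:450): arch=c000003e syscall=2 success=yes exit=3 ppid=2101 pid=2301 auid=1000 uid=1000 gid=1000 comm="vi" exe="/usr/bin/vi" key="other-key"
type=PATH msg=audit(1333490800.789:450): item=0 name="/tmp/notes" inode=99 mode=0100644
'''

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNSET_AUID = "4294967295"  # (uint32)-1: no login session, e.g. a daemon


def accesses(log_text, key):
    """Return one dict per audit event tagged with `key`, oldest first."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        ev = events[(ts, serial)]  # records of one event share timestamp:serial
        if rtype == "SYSCALL":
            ev.update(time=float(ts), auid=fields.get("auid"),
                      uid=fields.get("uid"), exe=fields.get("exe"),
                      key=fields.get("key"))
        elif rtype == "PATH":
            ev.setdefault("paths", []).append(fields.get("name"))
    # Only events whose SYSCALL record carries the requested key are kept.
    hits = [e for e in events.values() if e.get("key") == key]
    for e in hits:
        e["login_user_known"] = e["auid"] != UNSET_AUID
    return sorted(hits, key=lambda e: e["time"])


if __name__ == "__main__":
    for e in accesses(SAMPLE_LOG, "password-file"):
        print(e["auid"], e["uid"], e["exe"], e.get("paths"))
```

On a live system, `auditctl -l` lists the rules currently loaded and `ausearch -k password-file` retrieves the matching events from the audit log.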
