"echo" not logged in auditd

Steve Grubb sgrubb at redhat.com
Wed Oct 30 01:04:19 UTC 2019


Hello,

On Monday, October 28, 2019 11:27:44 PM EDT 杨海 wrote:
> We are experiencing the same issue below, that "echo" cannot be logged in
> auditd. Would like to know some detailed explanation here, and understand
> in general what would NOT be in the scope of auditd log.

If the rule is on execve, then it only triggers on execve. If the shell 
handles it internally and never calls execve, then it cannot be audited by an 
execve rule.

Note that strace will always call execve and thus search for /usr/bin/echo. 
Whereas bash will see it as an internal function and handle it all by itself. 
So, be aware strace can lie to you. There are a couple other commands like 
"kill" which bash will handle instead of using the app.

-Steve
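
The distinction described in the message above can be checked per command name. This is an added example, not part of the original post or of the audit project: the function names `execve_visibility`, `path_copy` and `report` are hypothetical, and the command list is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original post): for each command name, report
# whether the current shell resolves it internally (no execve, so an execve
# audit rule stays silent) or must exec a file (the rule can fire).

# Print "internal" for builtins, keywords, functions and aliases, "execve"
# for names that resolve to a file path, "unknown" if the name does not resolve.
execve_visibility() {
    resolved=$(command -v "$1" 2>/dev/null) || { echo unknown; return 0; }
    case $resolved in
        /*) echo execve ;;      # absolute path: the shell has to exec it
        *)  echo internal ;;    # bare name: handled inside the shell process
    esac
}

# Print the first executable file called NAME on PATH. This is the binary a
# non-shell parent such as strace would exec, even when the shell has a builtin.
path_copy() {
    old_ifs=$IFS
    IFS=:
    for dir in $PATH; do
        [ -n "$dir" ] || dir=.
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir/$1"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# One line per name: how this shell resolves it, and the on-disk copy if any.
report() {
    for name in "$@"; do
        vis=$(execve_visibility "$name")
        copy=$(path_copy "$name") || copy="(none on PATH)"
        printf '%-8s %-9s on-disk copy: %s\n' "$name" "$vis" "$copy"
    done
}

# Constructed sample: the two commands named in the message plus a few others.
report echo kill cd ls sh
```

Builtin sets differ between shells, so run this in the same shell the audited users log in with. A name reported as `internal` with an on-disk copy is the case from the message: the binary exists, but typing the bare name in the shell never execs it.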





