https://bugzilla.suse.com/show_bug.cgi?id=1196048 https://bugzilla.suse.com/show_bug.cgi?id=1196048#c2 Enzo Matsumiya <ematsumiya@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CONFIRMED --- Comment #2 from Enzo Matsumiya <ematsumiya@suse.com> --- Quoting from my comment #4, bug 1196053: The behaviour is expected by design. auditd works "only" on syscalls level; filesystem watches and auditd daemon/config changes are more of an abstraction implemented on top of the syscall monitoring. I belive it _might_ be possible to monitor shell built-ins, but there's no audit built-in way, nor I can't think of an easy way of doing so. [Using /usr/bin/echo] would work, but the problem is not echo, but rather ">>" which is a shell built-in, and AFAIK, there doesn't exist a separate binary for that. IOW: # /usr/bin/echo "test" >> /etc/issue would also log "/bin/bash" in audit.log -- You are receiving this mail because: You are on the CC list for the bug.