Enzo Matsumiya changed bug 1196048
What    Removed  Added
Status  NEW      CONFIRMED

Comment # 2 on bug 1196048 from
Quoting from my comment #4, bug 1196053:

The behaviour is expected by design.

auditd works "only" at the syscall level; filesystem watches and auditd
daemon/config changes are more of an abstraction implemented on top of the
syscall monitoring.

I believe it _might_ be possible to monitor shell built-ins, but there's no
audit built-in way, nor can I think of an easy way of doing so.

[Using /usr/bin/echo] would work, but the problem is not echo, but rather ">>"
which is a shell built-in, and AFAIK, there doesn't exist a separate binary for
that.

IOW:

# /usr/bin/echo "test" >> /etc/issue

would also log "/bin/bash" in audit.log
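
Added example (not part of the original comment, and not code from the audit project): a small shell check showing that the target of ">>" is opened by the shell before the command on the left runs, which is why a watch on the file attributes the open to the shell. The temporary directory, the file name "issue" and the function names are constructed for illustration; the second function assumes a Linux /proc.

```shell
#!/bin/sh
# Constructed demonstration; works on a throwaway directory, not /etc/issue.

# Returns 0 if the redirect target exists even though the command to the
# left of ">>" could never be executed. The file can then only have been
# opened (and created) by the shell process itself.
redirect_opens_before_exec() {
    dir=$(mktemp -d) || return 2
    target="$dir/issue"                 # stand-in for the watched file
    # The command path is bogus, so exec fails; the open already happened.
    ( "$dir/no-such-binary" "test" >> "$target" ) 2>/dev/null || :
    rc=1
    if [ -e "$target" ]; then rc=0; fi
    rm -rf "$dir"
    return "$rc"
}

# Prints the path that fd 1 already pointed at when an external program
# (readlink) started. The program never receives the file name as an
# argument; it only inherits the descriptor the shell opened for it.
inherited_stdout_target() {
    dir=$(mktemp -d) || return 2
    target="$dir/issue"
    readlink /proc/self/fd/1 >> "$target" 2>/dev/null || :
    seen=$(cat "$target")
    rm -rf "$dir"
    printf '%s\n' "$seen"
}

if redirect_opens_before_exec; then
    echo "redirect target was opened although nothing was exec'd"
fi
if [ -e /proc/self/fd/1 ]; then
    echo "external command inherited stdout -> $(inherited_stdout_target)"
fi
```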

