What | Removed | Added |
---|---|---|
Status | NEW | CONFIRMED |
Quoting from my comment #4, bug 1196053:

The behaviour is expected by design. auditd works "only" on the syscall level; filesystem watches and auditd daemon/config changes are more of an abstraction implemented on top of the syscall monitoring. I believe it _might_ be possible to monitor shell built-ins, but there's no audit built-in way, nor can I think of an easy way of doing so.

[Using /usr/bin/echo] would work, but the problem is not echo, but rather ">>", which is a shell built-in, and AFAIK, there doesn't exist a separate binary for that. IOW:

    # /usr/bin/echo "test" >> /etc/issue

would also log "/bin/bash" in audit.log
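The attribution described in the comment above can be checked when triaging watch hits. The following is an added example, not code from the bug report or from the audit project: it groups audit records by event serial and flags writes whose `exe` is a shell, meaning the open came from a redirection or built-in rather than from a separate binary. The log lines, the watch key `issue-watch` and the shell path list are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records (not captured from a real system): one event from
# `/usr/bin/echo "test" >> /etc/issue` typed in bash, one from `tee -a /etc/issue`.
# The watch key "issue-watch" is an assumed name for the rule on /etc/issue.
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=yes exit=3 ppid=2210 pid=2295 auid=1000 uid=0 comm="bash" exe="/bin/bash" key="issue-watch"
type=PATH msg=audit(1700000000.101:501): item=0 name="/etc/" nametype=PARENT
type=PATH msg=audit(1700000000.101:501): item=1 name="/etc/issue" nametype=NORMAL
type=SYSCALL msg=audit(1700000042.007:502): arch=c000003e syscall=257 success=yes exit=3 ppid=2210 pid=2301 auid=1000 uid=0 comm="tee" exe="/usr/bin/tee" key="issue-watch"
type=PATH msg=audit(1700000042.007:502): item=1 name="/etc/issue" nametype=NORMAL
'''

# Assumed list of shell paths; extend for the shells installed on the host.
SHELLS = {"/bin/bash", "/usr/bin/bash", "/bin/sh", "/usr/bin/sh", "/bin/dash"}
EVENT_ID = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records that share an audit event serial: {serial: {type: [fields]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue  # not an audit record
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        events[int(m.group(1))][fields["type"]].append(fields)
    return events

def attribute_writes(text, key):
    """Return (serial, path, exe, via_shell) for every event carrying the watch key."""
    out = []
    for serial, recs in sorted(parse_events(text).items()):
        sc = recs["SYSCALL"][0] if recs["SYSCALL"] else {}
        if sc.get("key") != key:
            continue
        paths = [p["name"] for p in recs["PATH"] if p.get("nametype") == "NORMAL"]
        exe = sc.get("exe", "?")
        # via_shell=True: the shell itself opened the file (redirection/built-in),
        # so exe does not name the command that produced the data.
        out.append((serial, paths[0] if paths else "?", exe, exe in SHELLS))
    return out

if __name__ == "__main__":
    for hit in attribute_writes(SAMPLE_LOG, "issue-watch"):
        print(hit)
```

For events flagged `via_shell`, the `auid`, `ses` and `ppid` fields of the same SYSCALL record are what tie the write back to a login session.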