https://bugzilla.suse.com/show_bug.cgi?id=1196048
https://bugzilla.suse.com/show_bug.cgi?id=1196048#c8

--- Comment #8 from Enzo Matsumiya <ematsumiya@suse.com> ---
(In reply to Marcus Meissner from comment #7)
Nice spotted with the symlink!
The shell builtin ... I still fail to understand why it is not audited.
The audit is for filewatch and this basically looks for file access system calls.
Bash supposedly uses system calls to open the file, write to it and close it.
So bash builtin operations should be logged by the filewatch system call auditing the same way?

You're right and I agree. It seems my thoughts got stuck in a loop, and doing isolated tests this whole time was not productive at all...

I was doing the builtin tests with the symlink, but after changing the watch to a proper file I found this:

- reading, writing, executing, and changing attributes will get logged, but just under the bash process (the builtin command used is not logged at all AFAICS) (ok-ish, but could log at least the builtin name as an argument maybe?)
- reading and executing logs the openat and execve syscalls (ok)
- writing logs openat, fchmod, and setxattr (with vim) and only openat with echo, but not the write syscall in either case (not ok IMHO)

I have other tasks I need to shift attention to, but I'll get back to check on this "write syscall not getting logged" issue later.
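
Added example, not part of the original comment or of the audit project's code: per auditctl(8), a file watch's `w` permission is matched from the open flags, and the read and write syscalls are left out of the watch set, so the write intent is visible in the `openat` record itself. The sketch below decodes that from constructed SYSCALL records; the key `filewatch`, the PIDs and the addresses are made up, and the syscall numbers assume x86_64.

```python
import re

# x86_64 syscall numbers for the calls mentioned in the comment above.
SYSCALLS = {59: "execve", 91: "fchmod", 188: "setxattr", 257: "openat"}
ACCMODE = {0: "read", 1: "write", 2: "read+write"}  # O_RDONLY, O_WRONLY, O_RDWR
INTENT = {"execve": "execute", "fchmod": "attribute change", "setxattr": "attribute change"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed SYSCALL records, not taken from the bug; the key "filewatch" is a placeholder.
SAMPLE = """\
type=SYSCALL msg=audit(1645000001.100:501): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c8 a2=241 a3=1b6 items=2 pid=901 comm="bash" exe="/usr/bin/bash" key="filewatch"
type=SYSCALL msg=audit(1645000002.200:502): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c8 a2=0 a3=0 items=1 pid=901 comm="bash" exe="/usr/bin/bash" key="filewatch"
type=SYSCALL msg=audit(1645000003.300:503): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7f10aa a2=241 a3=1a4 items=2 pid=950 comm="vim" exe="/usr/bin/vim" key="filewatch"
type=SYSCALL msg=audit(1645000003.310:504): arch=c000003e syscall=91 success=yes exit=0 a0=4 a1=81a4 a2=0 a3=0 items=1 pid=950 comm="vim" exe="/usr/bin/vim" key="filewatch"
type=SYSCALL msg=audit(1645000003.320:505): arch=c000003e syscall=188 success=yes exit=0 a0=7f10aa a1=7f10bb a2=7f10cc a3=1c items=1 pid=950 comm="vim" exe="/usr/bin/vim" key="filewatch"
"""

def parse(line):
    """Return the key=value fields of one audit record as a dict."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def intent(rec):
    """Name the syscall and the kind of access it requested on the watched file."""
    name = SYSCALLS.get(int(rec["syscall"]), "syscall_" + rec["syscall"])
    if name == "openat":
        # a2 holds the openat() flags in hex; the low two bits are the access mode.
        return name, ACCMODE.get(int(rec["a2"], 16) & 3, "unknown")
    return name, INTENT.get(name, "other")

def summarize(log, key="filewatch"):
    """List (comm, syscall, access) for every SYSCALL record carrying the watch key."""
    out = []
    for line in log.splitlines():
        rec = parse(line)
        if rec.get("type") == "SYSCALL" and rec.get("key") == key:
            out.append((rec["comm"], *intent(rec)))
    return out

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(*row, sep="\t")
```

The builtin case appears only as `comm="bash"`, which matches the observation in the comment that the builtin name itself is not recorded.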