(In reply to Marcus Meissner from comment #7)
> Nicely spotted with the symlink!
>
> The shell builtin ... I still fail to understand why it is not audited.
>
> The audit is for filewatch and this basically looks for file access system
> calls.
>
> Bash supposedly uses system calls to open the file, write to it and close it.
>
> So bash builtin operations should be logged by the filewatch system call
> auditing the same way?

You're right and I agree. It seems my thoughts got stuck in a loop, and doing isolated tests this whole time was not productive at all...

I was doing the builtin tests with the symlink, but after changing the watch to a proper file I found this:

- reading, writing, executing, and changing attributes will get logged, but just under the bash process (the builtin command used is not logged at all AFAICS) (ok-ish, but could log at least the builtin name as an argument maybe?)
- reading and executing logs the openat and execve syscalls (ok)
- writing logs openat, fchmod, and setxattr (with vim) and only openat with echo, but not the write syscall in either (not ok IMHO)

I have other tasks I need to shift attention to, but I'll get back to check on this "write syscall not getting logged" issue later.
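Added example, not part of this bug comment: a small POSIX shell script that classifies the records a `-w ... -p rwxa` watch produces, using constructed raw audit lines (the key name `watchtest`, PIDs and addresses are made up; syscall numbers are x86_64). auditctl(8) documents that the read and write syscalls are deliberately omitted from watch auditing and that the open flags are examined instead, so the write access an `echo >` performs shows up as the O_WRONLY|O_CREAT|O_TRUNC flags on openat (a2=241), not as a write record.

```shell
#!/bin/sh
# Constructed sample records (ausearch --raw style) for a rule such as
#   auditctl -w /tmp/watchtest -p rwxa -k watchtest
# x86_64 syscall numbers: 257=openat, 2=open, 59=execve, 91=fchmod, 188=setxattr.
SAMPLE='type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=5581a2c0 a2=0 a3=0 comm="cat" exe="/usr/bin/cat" key="watchtest"
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=5581a2c0 a2=241 a3=1b6 comm="bash" exe="/usr/bin/bash" key="watchtest"
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=91 success=yes exit=0 a0=3 a1=1a4 a2=0 a3=0 comm="vim" exe="/usr/bin/vim" key="watchtest"
type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=59 success=yes exit=0 a0=5581a2c0 a1=0 a2=0 a3=0 comm="bash" exe="/usr/bin/bash" key="watchtest"'

# Pull one key=value field out of a raw audit record (fields are space separated).
field() { printf '%s\n' "$2" | sed -n "s/.* $1=\([^ ]*\).*/\1/p" | tr -d '"'; }

# Map the hex open flags to the access requested: O_ACCMODE is the low two
# bits (0=O_RDONLY, 1=O_WRONLY, 2=O_RDWR); O_TRUNC is 0x200.
classify_open_flags() {
    flags=$(printf '%d' "0x$1")
    if [ $((flags & 3)) -eq 0 ]; then
        echo read
    elif [ $((flags & 512)) -ne 0 ]; then
        echo write+truncate
    else
        echo write
    fi
}

# Print "comm access" for one record. A write-syscall line is never expected
# from a watch rule, so it is labelled separately if it ever shows up.
summarize_record() {
    rec=$1
    sc=$(field syscall "$rec")
    case $sc in
        257) access=$(classify_open_flags "$(field a2 "$rec")") ;;  # openat: flags in a2
        2)   access=$(classify_open_flags "$(field a1 "$rec")") ;;  # open: flags in a1
        59)  access=execute ;;
        91|188) access=attribute ;;
        1)   access=write-syscall ;;
        *)   access="syscall-$sc" ;;
    esac
    printf '%s %s\n' "$(field comm "$rec")" "$access"
}

# Summarize every record in SAMPLE, one line each.
summarize_all() {
    printf '%s\n' "$SAMPLE" | while IFS= read -r line; do summarize_record "$line"; done
}

summarize_all
```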