Comment # 8 on bug 1196048 from
(In reply to Marcus Meissner from comment #7)
> Nice spotted with the symlink!
> 
> The shell builtin ... I still fail to understand why it is not audited.
> 
> The audit is for filewatch and this basically looks for file access system
> calls.
> 
> Bash supposedly uses system calls to open the file, write to it and close it.
> 
> So bash builtin operations should be logged by the filewatch systemcall
> auditing the same way?

You're right and I agree.

It seems my thoughts got stuck in a loop and doing isolated tests this whole
time was not productive at all... I was doing the builtin tests with the
symlink, but after changing the watch to a proper file I found this:

- reading, writing, executing, and changing attributes will get logged, but
just under the bash process (the builtin command used is not logged at all
AFAICS) (ok-ish, but could log at least the builtin name as an argument maybe?)
- reading and executing log the openat and execve syscalls (ok)
- writing logs openat, fchmod, and setxattr (with vim) and only openat with echo,
but not the write syscall in either (not ok IMHO)

I have other tasks I need to shift attention to, but I'll get back to check on
this "write syscall not getting logged" issue later.
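
One way to see exactly what the watch captured, as an added example that is not part of this bug report or of the audit project's code: the script below correlates auditd SYSCALL and PATH records by event serial, reports per process (comm) which syscalls hit the watched path, and decodes the openat flags word in a2 so a write-open can be told from a read-open even though no write(2) record exists. The log lines are constructed to mirror the observations in the comment (openat from bash and vim, fchmod from vim, a read-open from cat); inodes, pids, pointer values and the rule text in the header comment are assumptions, not data from the reporter's system.

```python
"""Correlate auditd SYSCALL/PATH records emitted by a file watch (-w) rule.

Added example with constructed log lines; nothing here is copied from a real host.
"""
import re
from collections import defaultdict

# x86_64 (arch=c000003e) syscall numbers for the calls discussed in the thread
SYSCALL_NAMES = {0: "read", 1: "write", 59: "execve", 91: "fchmod",
                 188: "setxattr", 257: "openat"}

# Linux open(2) flag bits; the audit record carries openat's flags in a2 as hex
O_WRONLY, O_RDWR, O_CREAT, O_TRUNC, O_APPEND = 0o1, 0o2, 0o100, 0o1000, 0o2000

# Constructed records (assumed rule: -w /home/user/watched.txt -p rwxa -k filewatch).
# Event 201: 'echo x > watched.txt' in bash; 202/203: vim saving the file;
# 204: 'cat watched.txt'.  Inodes, pids and pointer values are invented.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c0a1f2b0 a2=241 a3=1b6 items=2 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 tty=pts0 ses=3 comm="bash" exe="/bin/bash" key="filewatch"
type=CWD msg=audit(1700000000.101:201): cwd="/home/user"
type=PATH msg=audit(1700000000.101:201): item=0 name="/home/user/" inode=1000 dev=08:01 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.101:201): item=1 name="/home/user/watched.txt" inode=1001 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.205:202): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=55d0c0a1f300 a2=241 a3=1b6 items=2 ppid=1200 pid=1300 auid=1000 uid=1000 gid=1000 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="filewatch"
type=CWD msg=audit(1700000000.205:202): cwd="/home/user"
type=PATH msg=audit(1700000000.205:202): item=0 name="/home/user/" inode=1000 dev=08:01 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.205:202): item=1 name="/home/user/watched.txt" inode=1001 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.206:203): arch=c000003e syscall=91 success=yes exit=0 a0=4 a1=1a4 a2=0 a3=0 items=1 ppid=1200 pid=1300 auid=1000 uid=1000 gid=1000 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="filewatch"
type=PATH msg=audit(1700000000.206:203): item=0 name="/home/user/watched.txt" inode=1001 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.310:204): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c0a1f400 a2=0 a3=0 items=2 ppid=1200 pid=1400 auid=1000 uid=1000 gid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="filewatch"
type=CWD msg=audit(1700000000.310:204): cwd="/home/user"
type=PATH msg=audit(1700000000.310:204): item=0 name="/home/user/" inode=1000 dev=08:01 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.310:204): item=1 name="/home/user/watched.txt" inode=1001 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
"""

_MSG = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(line):
    """Split one audit record into a dict, dropping the quotes around quoted values."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def correlate_events(log_text):
    """Group records by event serial (the number after the ':' in msg=audit(...)).

    A SYSCALL record supplies the syscall, process identity and raw arguments;
    the PATH records of the same event supply the file names the kernel resolved.
    """
    events = defaultdict(lambda: {"syscall": None, "paths": [], "args": []})
    for line in log_text.splitlines():
        m = _MSG.search(line)
        if not m:
            continue
        ev = events[int(m.group(2))]
        f = parse_fields(line)
        if f["type"] == "SYSCALL":
            nr = int(f["syscall"])
            ev["syscall"] = SYSCALL_NAMES.get(nr, f"syscall_{nr}")
            ev["comm"], ev["exe"], ev["key"] = f.get("comm"), f.get("exe"), f.get("key")
            ev["args"] = [int(f.get(a, "0"), 16) for a in ("a0", "a1", "a2", "a3")]
        elif f["type"] == "PATH" and f.get("nametype") in ("NORMAL", "CREATE", "DELETE"):
            ev["paths"].append(f["name"])       # skip PARENT directory entries
    return dict(events)


def open_intent(flags):
    """Describe an open(2) flags word: 'read', or 'write' plus creat/trunc/append."""
    if not flags & (O_WRONLY | O_RDWR):
        return "read"
    extras = [name for bit, name in ((O_CREAT, "creat"), (O_TRUNC, "trunc"),
                                     (O_APPEND, "append")) if flags & bit]
    return "+".join(["write"] + extras)


def activity_on(log_text, path):
    """Per process name (comm), the syscalls the watch recorded against `path`."""
    report = defaultdict(list)
    for _serial, ev in sorted(correlate_events(log_text).items()):
        if ev["syscall"] is None or path not in ev["paths"]:
            continue
        label = ev["syscall"]
        if label == "openat":
            label += f"[{open_intent(ev['args'][2])}]"   # a2 holds the flags
        report[ev["comm"]].append(label)
    return dict(report)


def recorded_syscalls(log_text):
    """The set of syscall names that produced any record at all."""
    return {ev["syscall"] for ev in correlate_events(log_text).values() if ev["syscall"]}


if __name__ == "__main__":
    for comm, calls in activity_on(SAMPLE_LOG, "/home/user/watched.txt").items():
        print(f"{comm:5s} {', '.join(calls)}")
    print("write(2) recorded:", "write" in recorded_syscalls(SAMPLE_LOG))
```

Two things the output makes concrete. A shell builtin runs inside the bash process and never calls execve, so comm and exe stay "bash" and the SYSCALL record has no field in which the builtin's name could appear; only the redirection's openat is visible. And read(2) and write(2) operate on a descriptor with no path lookup, which is why a path watch cannot match them; auditctl(8) states that the -p permission set deliberately omits the read and write syscalls because they would overwhelm the logs. On a watch, the openat record whose a2 carries O_WRONLY/O_RDWR (with O_TRUNC or O_APPEND) is therefore the evidence of a write, not a separate write record.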

