"echo" not logged in auditd

Richard Guy Briggs rgb at redhat.com
Tue Oct 29 12:29:58 UTC 2019


On 2019-10-29 11:27, 杨海 wrote:
> Hi 
> 
> We are experiencing the same issue below, that "echo" cannot be logged in auditd. Would like to know some detailed explanation here, and understand in general what would NOT be in the scope of auditd log.
> 
> https://serverfault.com/questions/871343/why-does-auditd-only-log-echo-when-i-use-the-absolute-path

This explanation is pretty clear.

The "shell builtin" means that whatever shell you are already using
(bash, sh, ash, dash, zsh, ...) is the one running this command in the
already-executing shell rather than starting a new kernel-tracked
process (task).  This would be similar to running python or perl in
interactive mode and typing commands to one of those prompts.  Once you
have seen python or perl started as a new task, any commands native to
either of those two interpreters would not start a new kernel-tracked
task.

To try to solve your issue you would need to track the invocation of
every shell but not know what's running inside it, or use pam_tty_audit
to track the keystrokes of that shell.  You might also be able to
monitor .bash_history for that account, but since the user is able to
influence the configuration of bash history, it would not be reliable.

> Regards
> Hai

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
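
Added example, not part of the original message or of the audit project's code: a POSIX shell helper that uses `command -v` to tell whether a command name would be run inside the already-executing shell (builtin, function, keyword or alias, so no new kernel-tracked task) or started as a new program via execve. The function name exec_visibility and the sample command names are illustrative assumptions.

```shell
#!/bin/sh
# Added example: classify how the current shell would run a command.
# "in-shell"  -> handled by the shell itself; no new task is started,
#                so a rule watching for new processes has nothing to record.
# "execve"    -> an external program; the kernel sees a new task.
# "not-found" -> the shell cannot resolve the name at all.

exec_visibility() {
    case $1 in
        */*)
            # A name containing a slash is always treated as a path and
            # never as a builtin; this is why /bin/echo behaves
            # differently from plain echo.
            if [ -x "$1" ] && [ ! -d "$1" ]; then
                echo "execve"
            else
                echo "not-found"
            fi
            return 0
            ;;
    esac

    # command -v (POSIX) prints an absolute path for external programs,
    # the bare name for builtins, functions and keywords, and
    # "alias name=..." for aliases.
    resolved=$(command -v "$1" 2>/dev/null) || { echo "not-found"; return 0; }

    case $resolved in
        /*) echo "execve" ;;
        *)  echo "in-shell" ;;
    esac
}

# Constructed sample list: the command from the thread in both forms,
# plus a few common names for comparison.
for cmd in echo /bin/echo cd printf ls; do
    printf '%-10s %s\n' "$cmd" "$(exec_visibility "$cmd")"
done
```

The result depends on the shell that runs the script, since each shell has its own set of builtins.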



