public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: "echo" not logged in auditd
Date: Tue, 29 Oct 2019 21:04:19 -0400
Message-ID: <2357109.mxJeOg4E2H@x2>
In-Reply-To: <tencent_0693B7A4459F8B8652881558@qq.com>

Hello,

On Monday, October 28, 2019 11:27:44 PM EDT 杨海 wrote:
> We are experiencing the same issue below, that "echo" cannot be logged in
> auditd. Would like to know some detailed explanation here, and understand
> in general what would NOT be in the scope of auditd log.

If the rule is on execve, then it only triggers on execve. If the shell 
handles it internally and never calls execve, then it cannot be audited by an 
execve rule.

Note that strace will always call execve and thus search for /usr/bin/echo. 
Whereas bash will see it as an internal function and handle it all by itself. 
So, be aware strace can lie to you. There are a couple other commands like 
"kill" which bash will handle instead of using the app.

-Steve



--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
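Added example, not part of the thread: a small shell helper that shows which command names bash dispatches internally (and which therefore never reach an execve audit rule) versus those it forks and execve's. It assumes bash is installed and relies on bash's `type -t` builtin; the rule in the comment is the usual auditctl execve rule, given only for reference.

```bash
#!/bin/sh
# An execve rule such as
#   auditctl -a always,exit -F arch=b64 -S execve -k exec_watch
# only fires when a process actually calls execve(2). bash runs
# builtins (echo, kill, test, ...) and keywords (if, while, ...)
# in-process, so those commands leave no execve record.

# Hypothetical helper: ask bash how it would resolve a command name.
# Prints "internal" (no execve possible), "execve" (external file),
# or "unknown" (not found).
classify_cmd() {
    kind=$(bash -c 'type -t "$1"' bash "$1" 2>/dev/null)
    case "$kind" in
        builtin|keyword) echo "internal" ;;
        file)            echo "execve" ;;
        *)               echo "unknown" ;;
    esac
}

# For an external command, show the path an execve rule would record.
exec_path() {
    bash -c 'type -P "$1"' bash "$1" 2>/dev/null
}

# Walk a constructed list of names and print what an execve rule can see.
audit_visibility_report() {
    for name in echo kill test if /usr/bin/echo ls; do
        c=$(classify_cmd "$name")
        if [ "$c" = "execve" ]; then
            printf '%-14s execve rule sees: %s\n' "$name" "$(exec_path "$name")"
        else
            printf '%-14s %s (handled inside bash, no audit event)\n' "$name" "$c"
        fi
    done
}

audit_visibility_report
```

Running the report on a typical system lists echo, kill and test as internal, while /usr/bin/echo and ls resolve to files that an execve rule would record.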


Thread overview: 3+ messages
2019-10-29  3:27 "echo" not logged in auditd 杨海
2019-10-29 12:29 ` Richard Guy Briggs
2019-10-30  1:04 ` Steve Grubb [this message]
