* "echo" not logged in auditd
From: 杨海 @ 2019-10-29 3:27 UTC (permalink / raw)
To: linux-audit
Hi
We are experiencing the same issue as described below: "echo" cannot be logged in auditd. We would like some detailed explanation here, and to understand in general what would NOT be in the scope of the auditd log.
https://serverfault.com/questions/871343/why-does-auditd-only-log-echo-when-i-use-the-absolute-path
Regards
Hai
* Re: "echo" not logged in auditd
From: Richard Guy Briggs @ 2019-10-29 12:29 UTC (permalink / raw)
To: 杨海; +Cc: linux-audit
On 2019-10-29 11:27, 杨海 wrote:
> Hi
>
> We are experiencing the same issue as described below: "echo" cannot be logged in auditd. We would like some detailed explanation here, and to understand in general what would NOT be in the scope of the auditd log.
>
> https://serverfault.com/questions/871343/why-does-auditd-only-log-echo-when-i-use-the-absolute-path
This explanation is pretty clear.
The "shell builtin" means that whatever shell you are already using
(bash, sh, ash, dash, zsh, ...) is the one running this command in the
already-executing shell rather than starting a new kernel-tracked
process (task). This would be similar to running python or perl in
interactive mode and typing commands to one of those prompts. Once you
have seen python or perl started as a new task, any commands native to
either of those two interpreters would not start a new kernel-tracked
task.
To try to solve your issue you would need to track the invocation of
every shell but not know what's running inside it, or use pam_tty_audit
to track the keystrokes of that shell. You might also be able to
monitor .bash_history for that account, but since the user is able to
influence the configuration of bash history, it would not be reliable.
> Regards
> Hai
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
* Re: "echo" not logged in auditd
From: Steve Grubb @ 2019-10-30 1:04 UTC (permalink / raw)
To: linux-audit
Hello,
On Monday, October 28, 2019 11:27:44 PM EDT 杨海 wrote:
> We are experiencing the same issue as described below: "echo" cannot be logged in
> auditd. We would like some detailed explanation here, and to understand
> in general what would NOT be in the scope of the auditd log.
If the rule is on execve, then it only triggers on execve. If the shell
handles it internally and never calls execve, then it cannot be audited by an
execve rule.
Note that strace will always call execve and thus search for /usr/bin/echo.
Whereas bash will see it as an internal function and handle it all by itself.
So, be aware strace can lie to you. There are a couple of other commands like
"kill" which bash will handle instead of using the app.
-Steve
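To make the distinction both replies draw concrete, here is an added POSIX shell example (not from the thread or the audit project): it reports whether the current shell would dispatch a command name in-shell (no execve, so an execve-keyed audit rule never sees it) or via a file on PATH, and for builtins that also ship as binaries it prints the absolute-path form an execve rule would actually observe. The function names are my own.

```shell
#!/bin/sh
# Added example: why an execve-keyed audit rule records "/bin/echo" but not
# "echo". A name the shell resolves to a builtin (or function/alias) runs inside
# the already-executing shell and never reaches execve(2); only a name resolving
# to a file on PATH starts a new kernel-tracked task.

# Print the first executable on PATH matching $1, ignoring builtins.
# Runs in a subshell so the IFS change does not leak to the caller.
external_path_of() (
    IFS=:
    for dir in $PATH; do
        if [ -x "$dir/$1" ] && [ ! -d "$dir/$1" ]; then
            printf '%s\n' "$dir/$1"
            return 0
        fi
    done
    return 1
)

# Report how this shell would dispatch $1 and therefore whether a
# "-S execve" rule could ever record it.
# POSIX: "command -v" prints the bare name for builtins/functions and an
# absolute path for executables found on PATH.
classify_command() {
    resolved=$(command -v "$1" 2>/dev/null) || resolved=""
    case $resolved in
        "")  printf 'missing\n' ;;                  # nothing to run at all
        /*)  printf 'external:%s\n' "$resolved" ;;  # execve(2) happens: auditable
        *)   printf 'builtin\n' ;;                  # handled in-shell: invisible to execve rules
    esac
}

# For a builtin that also exists as a binary (echo, kill, test, ...), give the
# invocation an execve rule would observe: the absolute path. Prints "none"
# and fails when no external twin exists, i.e. the action cannot be caught
# by an execve rule at all (pam_tty_audit or shell-level logging needed).
auditable_form() {
    case $(classify_command "$1") in
        external:*) printf '%s\n' "$1" ;;
        builtin)    external_path_of "$1" || { printf 'none\n'; return 1; } ;;
        *)          printf 'none\n'; return 1 ;;
    esac
}
```

Running `classify_command echo` in bash or dash prints `builtin`, while `auditable_form echo` prints the PATH binary (typically `/usr/bin/echo` or `/bin/echo`) that an execve rule would see when invoked by that path.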