Tracing web shell attack with Linux audit system

I tried to trace web shell attack using Linux audit system. Following is the rule I appended.

-a exit,always -F arch=b64 -F gid=nginx -S execve

(using nginx)

With this setting, I can trace commands not 'pwd', but 'ls', 'cat'.

What are differences those had? And how can I trace all commands thoroughly?

Solution

Things like pwd are shell built-ins and do not involve the creation of another process, and thus no call to execve. The built-in commands supported depend on the shell you're using. Here are the built-ins supported by bash.

I would recommend that you either run a modified version of the shell or that you trace something else, such as network traffic, if you really wish to capture all activity. Without more details on why you wish to capture this information, it is difficult to recommend an approach.

Getting an error that states "printf.c: No such file or directory" while using GDB on a very basic C program for temperature conversion
When a user process swaps out a page, is the virtual address of the page in user space or kernel space?
X11 compositing: how to manually update redirected window
Linux uptime history
Python at Synology, how to get Python3 modules installed and where is Python2.7 installed?
WARNING: erroneous pipeline: no element "rtspclientsink"
Why no call fstab64 after read? And can this be a problem?
How can I force changing the keyboard layout in Linux in IDE?
ExecStart in systemd service does not support file names containing *
How to list first level directories only in C?
Using the passwd command from within a shell script
confused by sys_stat, sys_statfs syscall works
How do you normalize a file path in Bash?
How can I recall the argument of the previous bash command?
Getting code 2 while building with dockerfile
How to determine pid of process started via os.system
How would I use strings inside a for loop?
Add a prefix string to beginning of each line
Using awk to print all columns from the nth to the last
Reading data from PDF files into R
Add New Kernel Parameter To Custom Linux Image Generated By Yocto
Installing GCC from source on Alpine
Cannot find /lib64/ld-linux-x86-64.so.2
How can I install libstdc++6 for my app on Heroku?
how can i change the venv of my current shell from within a python script
Linux mint drag & drop files on my program's desktop icon
mkdir -p fails when directory exists
Unable to start postgresql service on CentOS 7
Git - how to remove branch from checkout autocomplete
Getting a "-bash: [: : integer expression expected" error on bash shell startup in arch