Hi I have an audit question concerning echo "ThisIsATest" >>/tmp/test/file11 I have a rule: -w /tmp/test -p war -S all -k thekey It produces the following audit record. type=SYSCALL msg=audit(1444398577.247:1581): arch=c000003e syscall=2 success=yes exit=3 a0=1f5bca0 a1=441 a2=1b6 a3=20 items=2 ppid=17766 pid=17808 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1 comm="bash" exe="/bin/bash" key="thekey" type=CWD msg=audit(1444398577.247:1581): cwd="/tmp/test" type=PATH msg=audit(1444398577.247:1581): item=0 name="/tmp/test" inode=1436 dev=00:2e mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT type=PATH msg=audit(1444398577.247:1581): item=1 name="file11" inode=6797 dev=00:2e mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE I understand bash is the executable, because ">" is writing to the file via a file handle. Is there another switch or rule that would improve the audit record to capture echo as being the initiator of the command?? Thank you Boyd