On 2019-10-29 11:27, 杨海 wrote: This explanation is pretty clear. The "shell builtin" means that whatever shell you are already using (bash, sh, ash, dash, zsh, ...) is the one running this command in the already-executing shell rather than starting a new kernel-tracked process (task). This would be similar to running python or perl in interactive mode and typing commands to one of those prompts. Once you have seen python or perl started as a new task, any commands native to either of those two interpreters would not start a new kernel-tracked task. To try to solve your issue you would need to track the invocation of every shell but not know what's running inside it, or use pam_tty_audit to track the keystrokes of that shell. You might also be able to monitor .bash_history for that account, but since the user is able to influence the configuration of bash history, it would not be reliable. - RGB -- Richard Guy Briggs <rgb(a)redhat.com&gt; Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635