Similar to os.system (which is already raising auditing event), the following functions are also capable of command execution, so they also need auditing:

• os.execl
• os.execle
• os.execlp
• os.execlpe
• os.execv
• os.execve
• os.execvp
• os.execvpe
• os.posix_spawn
• os.posix_spawnp
• os.spawnl
• os.spawnle
• os.spawnlp
• os.spawnlpe
• os.spawnv
• os.spawnve
• os.spawnvp
• os.spawnvpe
• os.startfile
• pty.spawn

By the way, since os.listdir, shutil.copytree and shutil.rmtree are already being audited, is it necessary to audit file operations in the os module like os.remove?

Agreed, we should add events for all of these. They can go into the next 3.8 release.

Ideally, the lowest level operations (typically os module) should raise events. Where it's convenient to also audit operations at a higher level (shutil, subprocess, etc.) then we can do that too, as it provides helpful context for *why* the lower-level operation ran.

Contributions welcome :) I'll likely get to them eventually, but no reason it has to be me adding everything.

I have made PR 17824 to add auditing events for the command execution functions mentioned above.

After a review on other related Python modules, I think maybe the following functions can also be audited, but a discussion may be required to determine whether they are necessary (whether these actions are sensitive enough to record, and performance trade off).

• os.getenv/putenv/unsetenv
• os.getcwd/chdir
• os.chown/chmod
• os.stat/access
• os.link/symlink
• os.rename/renames/replace
• os.mkdir/mkdirs
• os.remove/removedirs/rmdir/unlink (shutil.rmtree is already audited)
• os.add_dll_directory
• os.fork
• os.kill/killpg
• os.path.exists/isfile/isdir/...
• signal.pthread_kill
• shutil.copy* (shutil.copytree is already audited)
• shutil.move
• shutil.chown
• shutil.unpack_archive (shutil.make_archive is already audited)
• resource.prlimit
• file operations in msvcrt
• functions in fcntl, syslog
• many high level networking modules such as http.client/server, socketserver, xmlrpc (the low-level socket calls are already audited)

New changeset 95f6001 by Saiyang Gou in branch 'master':
bpo-39184: Add audit events to command execution functions in os and pty modules (GH-17824)
95f6001

Thanks for the spawn patch, I've merged it.

On the second list, I'd say go for it. The only one I'd skip are the stat() calls (and those that just do a stat call, such as exists/isfile, etc.), and getcwd() (which has many other ways to implicitly use the information). Maybe skip getenv as well, but modifying the environment is worth collecting.

New changeset 3498ac5 by Miss Islington (bot) in branch '3.8':
bpo-39184: Add audit events to command execution functions in os and pty modules (GH-17824)
3498ac5

Thanks for your review! PR 18407 is for the second list. For now I haven't added audit hooks for the http, socketserver and xmlrpc modules because they look a bit complex. There seems to be so many classes and methods to hook, we may need to find good places to hook (similar to what has been done on ftplib, imaplib, nntplib, poplib, smtplib, telnetlib and urllib).

New changeset 7514f4f by Saiyang Gou in branch 'master':
bpo-39184: Add audit events to functions in fcntl, msvcrt, os, resource, shutil, signal, syslog (GH-18407)
7514f4f

New changeset a00b5be by Steve Dower in branch '3.8':
bpo-39184: Add audit events to functions in fcntl, msvcrt, os, resource, shutil, signal, syslog (GH-18407)
a00b5be

New changeset 6c444d0 by Steve Dower in branch 'master':
bpo-39184: Fix incorrect return value (GH-18580)
6c444d0

New changeset d0a464e by Miss Islington (bot) in branch '3.8':
bpo-39184: Fix incorrect return value (GH-18580)
d0a464e

Since the original problem (command execution functions missing audit events) is already solved, we can close this issue now. Further discussions on additional audit hooks (e.g. for the networking modules) could go to bpo-37363.