I found the following bug:
OS version = Red Hat Enterprise Linux release 8.6 (Ootpa)
Kernel version = 4.18.0-425.3.1.el8.x86_64
auditctl version = 3.0.7
Scenario 1:
When I load the configurations :
auditctl -a always,exit -S all -F dir=/ -F perm=w -F success=1
And run the command:
cp /tmp/1 /tmp/2
No new log is created in: /var/log/audit/audit.log
But the file is indeed copied.
Scenario 2:
When I load the configurations :
auditctl -a always,exit -S all -F dir=/ -F perm=w -F success=0
And run the command:
cp /tmp/1 /tmp/2
No new log is created in: /var/log/audit/audit.log
But the file is indeed copied.
Scenario 3:
When I load the configurations :
auditctl -a always,exit -S all -F dir=/ -F perm=w
And run the command:
cp /tmp/1 /tmp/2
Yes new log is created in: /var/log/audit/audit.log
File was indeed copied.
Conclusion:
Only when I don't use the -F success new logs are created.
Why is that?
Any alternative ?