I found the following bug:


OS version = Red Hat Enterprise Linux release 8.6 (Ootpa)
Kernel version = 4.18.0-425.3.1.el8.x86_64
auditctl version = 3.0.7

Scenario 1:
When I load the configuration:
auditctl -a always,exit -S all -F dir=/ -F perm=w -F success=1
And run the command:
cp /tmp/1  /tmp/2
No new log is created in: /var/log/audit/audit.log
But the file is indeed copied.

Scenario 2:
When I load the configuration:
auditctl -a always,exit -S all -F dir=/ -F perm=w -F success=0
And run the command:
cp /tmp/1  /tmp/2
No new log is created in: /var/log/audit/audit.log
But the file is indeed copied.

Scenario 3:
When I load the configuration:
auditctl -a always,exit -S all -F dir=/ -F perm=w
And run the command:
cp /tmp/1  /tmp/2
Yes, a new log is created in: /var/log/audit/audit.log
File was indeed copied.

Conclusion:
New logs are created only when I don't use -F success.
Why is that?
Any alternative?