I found the following bug:
OS version = Red Hat Enterprise Linux release 8.6 (Ootpa)
Kernel version = 4.18.0-425.3.1.el8.x86_64
auditctl version = 3.0.7

Scenario 1:
When I load the configuration: *auditctl -a always,exit -S all -F dir=/ -F perm=w -F success=1*
and run the command: *cp /tmp/1 /tmp/2*
no new log is created in /var/log/audit/audit.log, but the file is indeed copied.

Scenario 2:
When I load the configuration: *auditctl -a always,exit -S all -F dir=/ -F perm=w -F success=0*
and run the command: *cp /tmp/1 /tmp/2*
no new log is created in /var/log/audit/audit.log, but the file is indeed copied.

Scenario 3:
When I load the configuration: *auditctl -a always,exit -S all -F dir=/ -F perm=w*
and run the command: *cp /tmp/1 /tmp/2*
a new log is created in /var/log/audit/audit.log, and the file is indeed copied.

Conclusion: only when I don't use -F success are new logs created. Why is that? Any alternative?
-- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit
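The scenario 3 rule (no -F success filter) records every write event, and each SYSCALL record in audit.log carries its own success=yes/no field, so one way to get the success-split view without the in-rule filter is to post-filter the records (ausearch does this with its --success option). The script below is an added example, not code from the post or from the audit project; the log lines it parses are constructed in the audit.log format, and the function names parse_records and writes_under are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log format (not from the post).
# Event 301: root's cp creates /tmp/2 (success=yes).
# Event 302: an unprivileged cp fails to open /etc/shadow for writing (success=no).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:301): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffc1234abcd items=2 ppid=2000 pid=2001 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="cp" exe="/usr/bin/cp" key=(null)
type=PATH msg=audit(1700000000.101:301): item=0 name="/tmp/" inode=12 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.101:301): item=1 name="/tmp/2" inode=1234 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1700000000.102:302): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffc1234abcd items=1 ppid=2000 pid=2002 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="cp" exe="/usr/bin/cp" key=(null)
type=PATH msg=audit(1700000000.102:302): item=0 name="/etc/shadow" inode=99 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

# type=<RECORD> msg=audit(<timestamp>:<serial>): <key=value ...>
MSG_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
# key=value pairs; values are either double-quoted or a run of non-space characters
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Group audit.log lines into events keyed by (timestamp, serial).

    All records of one syscall share the same audit(ts:serial) id, so the
    SYSCALL record (with success=/exit=) and its PATH records are joined here.
    """
    events = defaultdict(lambda: {"SYSCALL": None, "PATH": []})
    for line in text.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue  # not a record we understand; skip
        rtype, ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        ev = events[(ts, serial)]
        if rtype == "SYSCALL":
            ev["SYSCALL"] = fields
        elif rtype == "PATH":
            ev["PATH"].append(fields)
    return events


def writes_under(events, directory, success=None):
    """Select events touching a path under `directory`, optionally by outcome.

    success=None keeps everything (like the scenario 3 rule); success=True or
    False keeps only success=yes or success=no SYSCALL records respectively.
    Returns (serial, comm, success, exit) tuples in time order.
    """
    prefix = directory.rstrip("/") + "/"
    wanted = None if success is None else ("yes" if success else "no")
    hits = []
    for (ts, serial), ev in sorted(events.items()):
        sc = ev["SYSCALL"]
        if sc is None:
            continue  # PATH records without a SYSCALL parent carry no outcome
        if wanted is not None and sc.get("success") != wanted:
            continue
        if any(p.get("name", "").startswith(prefix) for p in ev["PATH"]):
            hits.append((serial, sc.get("comm"), sc.get("success"), sc.get("exit")))
    return hits


if __name__ == "__main__":
    evs = parse_records(SAMPLE_LOG)
    for label, flag in (("all", None), ("successful", True), ("failed", False)):
        print(label, "writes under /:", writes_under(evs, "/", flag))
```

The join on the audit(ts:serial) id is the important part: success= lives only on the SYSCALL record, while the file name lives only on the PATH records, so filtering by directory and outcome needs both halves of the same event.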