Why audit rules with "exit" filter do not generate any audit events?
Issue
- Why audit rules with "exit" filter do not generate any audit events?
- The issue can be reproduced using below rule.
# auditctl -D
# auditctl -a always,exit -F arch=b64 -F success=1 -S sync -k key-sync
# sync
# ausearch -sc sync
<no logs printed>
Environment
- Red Hat Enterprise Linux 9.1
- Red Hat Enterprise Linux 8.7
Subscriber exclusive content
A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.