Hello,
To migrate, you don't need to know the syscalls. From the auditctl man page:

    auditctl -w /etc/shadow -p wa # Note this slows the system

is the same as:

    auditctl -a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa

The main difference is you need to tell it the architecture. There is a
lookup table in the kernel where the permission is used to select the
syscalls. You should see some system performance improvements by migrating.
-Steve
On Tue, Jul 1, 2025 at 2:50 AM Ede Wolf <listac(a)nebelschwaden.de> wrote:
Hi,
we would like to convert our old style syntax, like
-w /etc/crontab -p wa -l some_label
to the new style
-a exit,always. -S unlink...
Just wondering, is there a table that translates the permission
(r,w,x,a) into their respective syscalls?
Thanks
Ede
_______________________________________________
Linux-audit mailing list -- linux-audit(a)lists.linux-audit.osci.io
To unsubscribe send an email to
linux-audit-leave(a)lists.linux-audit.osci.io
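
An added example, not part of the thread and not code from the audit project: a small Python converter that applies the man-page equivalence quoted above to the lines of a rules file. The function names, the `-F key=` spelling for `-k`, the `arches` parameter (pass `("b64", "b32")` on hosts that also run 32-bit binaries) and the sample rules are assumptions of this example; it only handles watches that carry an explicit `-p`.

```python
import os
import shlex

def convert_watch(line, arches=("b64",), is_dir=os.path.isdir):
    """Rewrite one old-style '-w' watch as syscall-style rule(s), one per arch.

    Lines that are not watches (blank, comments, '-a' rules) pass through
    unchanged. Anything this sketch does not understand raises ValueError
    so it gets reviewed by hand instead of being silently altered.
    """
    tokens = shlex.split(line, comments=True)  # drops a trailing '# ...'
    if not tokens or tokens[0] != "-w":
        return [line]
    if len(tokens) % 2:
        raise ValueError(f"option without a value: {line!r}")
    opts = {}
    for flag, value in zip(tokens[0::2], tokens[1::2]):
        if flag not in ("-w", "-p", "-k") or flag in opts:
            raise ValueError(f"unsupported or repeated {flag!r}: {line!r}")
        opts[flag] = value
    perms = opts.get("-p")
    if not perms or set(perms) - set("rwxa"):
        raise ValueError(f"explicit -p with r/w/x/a required: {line!r}")
    # A directory is watched with dir=, a single file with path=.
    field = "dir" if is_dir(opts["-w"]) else "path"
    rules = []
    for arch in arches:
        rule = f"-a always,exit -F arch={arch} -F {field}={opts['-w']} -F perm={perms}"
        if "-k" in opts:
            rule += f" -F key={opts['-k']}"
        rules.append(rule)
    return rules

def convert_rules(text, **kwargs):
    """Convert every line of a rules file, keeping order and comments."""
    out = []
    for line in text.splitlines():
        out.extend(convert_watch(line, **kwargs))
    return "\n".join(out)

# Constructed sample rules file (not taken from the thread).
SAMPLE = """\
# identity files
-w /etc/shadow -p wa
-w /etc/crontab -p wa -k some_label
-a always,exit -F arch=b64 -S unlink -F key=delete
"""

if __name__ == "__main__":
    print(convert_rules(SAMPLE))
```

Diff the converted file against the original and load it on a test host before replacing the production rules.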