On 01.07.25 at 18:24, Christian, Mark wrote:
On Tue, 2025-07-01 at 09:11 -0700, Casey Schaufler wrote:
On 6/30/2025 11:42 PM, Ede Wolf wrote:
Hi,
we would like to convert our old-style syntax, like
-w /etc/crontab -p wa -l some_label
to the new style
-a exit,always. -S unlink...
Just wondering, is there a table that translates the permissions
(r,w,x,a) into their respective syscalls?
How about, $ ausyscall --dump ?
which will dump syscall names and numbers. Guessing the syscalls you
are looking for are read, write, execve and setxattr, though you
might want to verify by reviewing your audit logs and verifying the
syscall numbers reported with your -p warx rules.
Hello Mark,
thanks for the tip. However, lists of syscalls are plenty; it is just
that lots of those are not too detailed (and/or I am lacking knowledge).
So chown alone has 4 syscalls. Chances are that one or the other is
missed or wrongly applied.
So my thought was, since the new syntax is recommended, maybe someone
has done a migration table that we have not been able to find.
Just wondering
Thanks
Ede
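
An added example, not part of the thread or of the audit project's code: auditctl's syscall-style rules accept `-F path=`/`-F dir=` together with `-F perm=`, and with `perm=` and no `-S` the kernel selects the matching syscalls itself, so a watch can be migrated without a permission-to-syscall table. The converter below rewrites legacy watches that way; the function names and sample rules are constructed, keys are read from auditctl's `-k` option, and treating an omitted `-p` as `rwxa` is an assumption.

```python
import os
import shlex

def convert_watch(rule, is_dir=os.path.isdir):
    """Rewrite one legacy '-w' watch as an '-a always,exit' rule.

    perm= is kept, so the kernel still chooses the syscalls to audit.
    is_dir decides between dir= (recursive) and path= (single object).
    """
    tokens = shlex.split(rule, comments=True)
    if not tokens or tokens[0] != "-w":
        return rule.strip()              # not a watch: pass through unchanged
    if len(tokens) % 2:
        raise ValueError(f"option without a value in: {rule!r}")
    path, perms, keys = None, "rwxa", []  # assumption: omitted -p means rwxa
    for opt, val in zip(tokens[0::2], tokens[1::2]):
        if opt == "-w":
            path = val
        elif opt == "-p":
            if not val or set(val) - set("rwxa"):
                raise ValueError(f"bad permission string {val!r} in: {rule!r}")
            perms = "".join(c for c in "rwxa" if c in val)  # canonical order
        elif opt == "-k":
            keys.append(val)
        else:
            raise ValueError(f"unsupported option {opt!r} in: {rule!r}")
    field = "dir" if is_dir(path) else "path"
    parts = ["-a always,exit", f"-F {field}={path}", f"-F perm={perms}"]
    parts += [f"-F key={k}" for k in keys]
    return " ".join(parts)

def convert_rules(text, is_dir=os.path.isdir):
    """Convert every non-empty line of a rules file, keeping the order."""
    return [convert_watch(l, is_dir) for l in text.splitlines() if l.strip()]

# Constructed sample rules, not taken from the thread.
SAMPLE = """\
-w /etc/crontab -p wa -k some_label
-w /etc/cron.d -p wa -k cron_dir
-a always,exit -F arch=b64 -S unlink -F key=deletes
"""

if __name__ == "__main__":
    for line in convert_rules(SAMPLE, is_dir=lambda p: p == "/etc/cron.d"):
        print(line)
```

Comparing `auditctl -l` output before and after loading the converted rules is a quick check that each watch ended up with the same path, permissions and key.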