Hello,

To migrate, you don't need to know the syscalls. From the auditctl man page:

       auditctl -w /etc/shadow -p wa # Note this slows the system

is the same as:

       auditctl -a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa

The main difference is you need to tell it the architecture. There is a
lookup table in the kernel where the permission is used to select the
syscalls. You should see some system performance improvements by migrating.

-Steve

On Tue, Jul 1, 2025 at 2:50 AM Ede Wolf <lis...@nebelschwaden.de> wrote:

> Hi,
>
> we would like to convert our old style syntax, like
>
> -w /etc/crontab -p wa -l some_label
>
> to the new style
>
> -a exit,always. -S unlink...
>
> Just wondering, is there a table that translates the permission
> (r,w,x,a) into their respective syscalls?
>
>
> Thanks
>
> Ede
> _______________________________________________
> Linux-audit mailing list -- linux-audit@lists.linux-audit.osci.io
> To unsubscribe send an email to
> linux-audit-le...@lists.linux-audit.osci.io
>
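Added example (not part of the original message and not code from the audit project): a small Python converter that rewrites -w watch rules into the -a always,exit form shown in the reply above. The function names, the sample rules, and the trailing-slash test for choosing dir= over path= are assumptions; watches without -p, or with options other than -w/-p/-k, are passed through unchanged for manual review.

```python
def convert_watch(line, arch="b64", is_dir=lambda p: p.endswith("/")):
    """Rewrite one '-w PATH -p PERMS [-k KEY]' rule as an '-a always,exit' rule.

    is_dir decides between dir= (directory watch) and path= (single file).
    The default only looks for a trailing slash (an assumption); pass
    os.path.isdir when running on the host the rules are meant for.
    """
    tokens = line.split()
    prefix = []
    if tokens[:1] == ["auditctl"]:          # accept command-line form too
        prefix, tokens = ["auditctl"], tokens[1:]
    if "-w" not in tokens or len(tokens) % 2:
        return line                          # not a watch, or malformed
    opts = {}
    for flag, value in zip(tokens[::2], tokens[1::2]):
        if flag not in ("-w", "-p", "-k") or flag in opts:
            return line                      # unknown or repeated option
        opts[flag] = value
    perm = opts.get("-p", "")
    if not perm or set(perm) - set("rwxa"):
        return line                          # no explicit, valid permission set
    field = "dir" if is_dir(opts["-w"]) else "path"
    out = prefix + ["-a", "always,exit", "-F", f"arch={arch}",
                    "-F", f"{field}={opts['-w']}", "-F", f"perm={perm}"]
    if "-k" in opts:
        out += ["-F", f"key={opts['-k']}"]
    return " ".join(out)


def convert_rules(text, arch="b64"):
    """Convert every watch rule in a rules file, keeping all other lines."""
    return "\n".join(convert_watch(l, arch) for l in text.splitlines())


# Constructed sample input, not taken from a real system.
SAMPLE_RULES = """\
# file watches
-w /etc/shadow -p wa
-w /etc/crontab -p wa -k cron
-w /etc/cron.d/ -p wa -k cron
-a always,exit -F arch=b64 -S unlink -F key=delete
"""

if __name__ == "__main__":
    print(convert_rules(SAMPLE_RULES))
```

The arch parameter defaults to b64 as in the reply; call it again with arch="b32" if 32-bit syscalls also need coverage on the same host.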